- Paul Jackson
LA4049: The Internet Jurisdiction Puzzle: Obtaining Digital Evidence from Outside Australia
It is one thing to have the rules of evidence, it is another thing to get that evidence. Technical and jurisdictional impediments, together with the self interest of corporations that operate across sovereign borders presents Australian courts with multiple challenges.
This essay assessment grade: High Distinction.
Paul's LA4049 course grade: High Distinction.
United States v Microsoft Corp
Date of judgement: 17 April 2018
Supreme Court of the United States
Summary of facts:
The United States v Microsoft Corp judgement[1] (“Microsoft Ireland Case”) ended almost five years of legal action between Microsoft Corporation (“Microsoft”), and the Government of the United States of America (“USA”). The central issue for proceedings was essentially Microsoft’s refusal to deliver up emails requested under a federal warrant, because the emails were stored on servers located in Ireland and, Microsoft contended, outside the territorial jurisdiction of the USA. The USA made the request under §2703 of the Stored Communications Act (1986). Several contempt cases were upheld against Microsoft before a Court of Appeals decision vacated the contempt finding because “requiring Microsoft to disclose the electronic communications in question would be an unauthorized extraterritorial application of §2703.”[2]
The case became moot[3] because of the passage of the Clarifying Lawful Overseas Use of Data Act (H.R.4943) (“CLOUD Act”), which amended the Stored Communications Act (1986) as follows:
“A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located and The Cloud Act enabled the USA to formally request the information regardless of whether such communication, record, or other information is located within or outside of the United States: CLOUD Act §103(a)(1)”.[4]
The CLOUD Act enabled the USA to formally request the information from Microsoft regardless of whether such communication, record, or other information was located within or outside of the United States.[5]
Observations of case:
The Microsoft Ireland Case shows the extraterritoriality challenges in attempting to enforce domestic laws in foreign jurisdictions. The CLOUD Act is one jurisdiction’s attempt to reach into the heart of another sovereign nation. The CLOUD Act is a demonstration of the highest court in the USA interpreting instruments of its legislature which attempt to compel a corporation to provide digital evidence.
The USA impliedly notes, in a government summary of the CLOUD Act, the CLOUD Act is not a paramount mechanism.[6] The assistance of foreign governments and mutual assistance treaties also operate in the same space. Additionally, the CLOUD Act provides a mechanism for a corporation to challenge an order if the order requires the corporation to “violate the laws of a foreign government”.[7] These jurisdictional challenges are but one fetter on a government’s ability to obtain digital evidence like emails, phone messages, or metadata from a foreign country. The essay which accompanies this case note looks closer at this process, and at four pieces of the internet jurisdiction puzzle in Australia.
END
[1] United States v Microsoft Corp., No. 17-2, 584 U.S. ___ (2018). Separate case to anti -trust lawsuit.
[2] Ibid 2.
[3] ‘H.R.4943 – CLOUD Act’, Congress.gov, (webpage 2017-2018. Accessed 2 October 2019) <https://www.congress.gov/bill/115th-congress/house-bill/4943>.
[4] Above n1 pages 2-3.
[5] See above n1 at 3.
[6] See above n 3.
[7] Ibid.
I INTRODUCTION
Several legislative instruments assist the formal process for Australian authorities to seek evidence from international digital sources. These include the Mutual Assistance in Criminal Matters Act 1987 (Cth) ('MACMA')[1] and Foreign Evidence Act 1994 (Cth) ('FEA'). Note that the expanding powers of Australian authorities to request or compel delivery up of digital evidence from within Australia is not within the scope of this essay. The focus of this short essay is to outline four simple pieces of the internet jurisdiction puzzle, and Australia’s options to formally request digital evidence from outside of Australia.
The first puzzle piece is the challenge to preserve and obtain digital evidence. Digital evidence like emails, data on USBs and smart phones must be preserved in such a way that it will satisfy the rules of evidence in Australia.[2]
The second piece is the formal MACMA process and physical spread of sovereign nations across the globe. Requesting and obtaining digital evidence from international police or agencies under mutual assistance schemes can be a slow process.[3] The third piece is the informal processes which often helps commence the formal approach.[4]
The fourth and final puzzle piece for this essay is the globalisation of mega corporations and internet intermediaries like Facebook, Google, Microsoft, Apple and large ISPs. The 2018 United States v Microsoft Corp[5] ('Microsoft Ireland Case') judgement 18 months ago exposed one of the first continuing hurdles to obtaining evidence from international digital sources. That is the mere existence of Australian domestic legislation or an international treaty formalising or compelling a request cannot, of itself, overcome simple jurisdictional fetters upon actually obtaining the evidence. Perhaps a corporation registered in one sovereign nation simply says no to a request by another sovereign nation for digital evidence stored by the corporation within yet another sovereign nation.[6] Perhaps the corporation simply does not submit to the authority of the Australian court.[7] All these considerations are moot until the actual evidence is understood.
II DISCUSSION AND CRITICAL ANALYSIS:
A Digital Forensics, Sources of Digital Evidence
ASIC estimates it will receive 425 terabytes of data per year by 2020.[8] These massive volumes of data require more than keyword searches or manual review,[9] and so ASIC is investing in software, training people, and working with other agencies towards best digital forensic procedures. The digital forensics process involves the identification; collection; analysis and evaluation; and reporting of data. Digital evidence may be on servers, computers, USBs, in emails, on smartphones, ISP metadata logs, website audit logs, social media accounts, electronic access into buildings, cars or fridges. It could be the recordings held by Google from a Google Home Mini. Digital evidence can be proof of any type of electronic process that can log use. Obtaining this data must be approached in a scientific manner so that the results can either be replicated or proved at a later date. There must be no corruption of the data. The International Organization on Computer Evidence has issued a set of guidelines for the collection of evidence.[10] These include applying the general rules of evidence to digital evidence; preserving the data so that it is not corrupted; proper training of individuals when dealing with original evidence; the documentation of the entire retrieval process; and responsibility for stewardship of the information as demonstrated by user logs. After gaining an understanding of digital evidence and forensic procedure, the next puzzle piece is to obtain the evidence.
B Domestic Legislation, International Treaties, MACMA Formal Process
MACMA is the important legislative instrument and second puzzle piece, which provides the formalised process for Australia to request digital evidence from foreign jurisdictions. Australia’s International Crime Cooperation Central Authority (‘ICCCA’) and the Australian Federal Police (‘AFP’) are relevant authorities. ICCCA is also the competent Australian authority for the belated ratification (by accession, and with reservations)[11] of the 2001 Budapest Convention on Cybercrime.[12] This convention entered into force domestically on 1 March 2013 by way of the Cybercrime Legislation Amendment Act 2012 ('CLAA').[13] The Convention on Cybercrime facilitates the sharing of information, with obligations of reciprocity. The passage of the CLAA was not without detractors. Greens Senator Scott Ludlum expressed concern at the time that Australia’s reciprocal obligations to provide evidence may facilitate the sharing of information with countries where the death penalty may be imposed.[14] That concern is specifically addressed in s 8(1A)(b) of MACMA.[15]
MACMA s 5(c) states the second object of the Act is to “facilitate the obtaining by Australia of international assistance in criminal matters”.[16] MACMA does not prevent other means of obtaining international assistance for criminal matters,[17] and MACMA generally applies internationally and is subject to mutual assistance treaties.[18] MACMA s 10(1) specifically provides that only Australia’s Attorney-General’s Department (‘AGD’) may make requests related to criminal matters.
FEA is relevant in that in addition to discretionary provisions within MACMA,[19] FEA allows discretion not to admit foreign evidence if “justice would be better served if the foreign material were not adduced as evidence”.[20] Very quickly it is possible to see that within the official framework of formal digital evidence requests to outside of Australia, there are discretionary and jurisdictional filters or roadblocks, as the next example shows.
El Khouri v Attorney-General [2018] FCA 1488 (“El Khouri”)[21] is both an example of the MACMA s 10 formal request in action, and a legal jurisdictional roadblock between the request and the evidence. In El Khouri two Samsung phones were formally requested by Australia to be confiscated from Milled El Khouri after his arrest in Singapore. These phones were taken from the applicant, and held on trust by the Singapore Prison. This confiscation was done according to an Australian MACMA s 10 request, and the corresponding Singaporean mutual assistance legislation.[22] Prior to his extradition to Australia El Khouri argued against the Commonwealth taking possession of the phones. The Federal Court dismissed the appeal, but also found it had no jurisdiction. This was because the application made by the applicant was about a ‘related criminal justice process decision’,[23] and according to the relevant sections and definitions of the Judiciary Act 1903 (Cth)[24] the Court lacked jurisdiction. Simply put: the decision concerned extradition and phone seizure by foreign authorities, which brought it outside the ordinary application of s39B(1C).[25]
C Processes Outside MACMA, Practical Challenges, Informal Processes
The third puzzle piece is that prior to the MACMA regime, which carries with it an obligation of reciprocity, mutual assistance requests were made informally via Interpol or agreements with other nations.[26] The evolution to MACMA though has not ensured the formal mutual assistance process is any quicker. MACMA has been observed as a slow process with some requests taking 18 months depending on complexity.[27] This means evidence received in Australia may be received too late to be useful in court, or the delay impinges on a defendant’s ‘right’ to a speedy trial.[28] There is also the “sheer quantity”[29] of information along with problems identifying the suspects; physical search and seizure; and encryption.[30] Practically speaking, other avenues like ‘police-to-police’ and ‘agency-to-agency’[31] have subsisted outside the formal MACMA processes. These direct yet informal approaches appear to be a sensible first step in ascertaining the existence of material for police about criminal matters before a formal MACMA request. The AGD notes that Australia maintains a global network of Australian police in other jurisdictions that can practically assist this network.[32] Continued use of informal processes will help facilitate the formal process.
As a midpoint summary: three pieces of the puzzle have been laid out. Piece one is digital evidence and digital forensic procedure. Piece two the formal MACMA process; piece three the informal direct police-to-police, or agency-to-agency approach. These pieces of the puzzle generally relate to criminal matters.[33] This is all very well and good, but as the Microsoft Ireland Case showed 18 months ago, there is another puzzle piece to lay on the table. The fourth piece is the issue of dealing with giant corporations that operate across sovereign borders.
D Corporations, Internet Intermediaries, Compulsion, Persuasion
The Microsoft Ireland Case showed that while domestic legislation may require a corporation to provide digital evidence, the corporation may rely on gaps within domestic legislation, and a corresponding lack of legal authority to compel delivery up of ‘documents’.[34] A corporation may simply rebut the jurisdiction’s authority and not show up in court.[35] One question is why a corporation would ignore or rebut what would otherwise appear to be a legitimate request by a sovereign nation investigating a potentially criminal matter. Another question is whether corporations help or hinder legislative processes? What are the options failing successful legislative compulsion? This author suggests the answer lies in a corporation’s core focus: profit, and brand integrity.
As a marketing student many years ago this author learned that consumers purchase an idea. When people purchase a can of Coke, they are not simply purchasing a sugary drink, they are purchasing the ideals and marketing images promulgated by the corporation. People gain status and identity by the products they consume. Corporations need their customers to believe in their products, and value their products. When that belief or value collapses, so could the corporation. The FBI-Apple dispute in 2015 is a good example. Apple essentially rebutted the US Government’s request to unlock the phone of an alleged terrorist.[36] Apple issued a letter to its customers stating the reasons.[37] Apple stated that there was no precedent for such a request, and that weaker encryption laws would weaken society as a whole. However, remember this author’s point about corporations: profit, and brand integrity. A profoundly important issue for Apple was that, should they have acquiesced to the US government’s request to write new code to unlock a phone or provide a key to unlock a phone, Apple would have shot themselves commercially. What consumer in the all-important US market, where the first amendment of free speech[38] reigns supreme, would purchase a product from a business that willingly provides their phone data to the Government? Here then is the point of this author regarding corporations, and the suggested reason why corporations may continue to resist legislative requirements or expose or challenge weaknesses within legislation: profit and brand integrity.
Profit and brand integrity is a corporation’s raison d'être, and Achilles heel. This is useful to understand, because Australia (and any government) has an ability to legislate the behaviour of corporations within the jurisdiction over issues like tax rates[39] or access to the domestic market.[40] Australia’s sovereign power to legislate is a useful instrument. There are legislative options available to the government. Huawei is a good example. That company hit an Australian wall because of Huawei’s obligations to offer up data from its business to the Chinese government.[41] Thus the Australian government has proven to be active in the national interest,[42] and not allow a corporation’s profit to potentially impede or generate Australian investigation into criminal matters. This shows the Microsoft Ireland Case is not a template, or the only pathway to compelling a corporation to act. There is a fine balancing act at play with modern corporations and governments. In a way corporations are playing a role in helping ensure correct legislative procedures are followed, however they are doing it for their own purpose: profit and brand integrity.
III CONCLUSION
While formal request procedures are in place to secure digital evidence, these procedures can be slow. Practical measures should not be overlooked by the Australian government when requesting digital evidence from large internet intermediaries, both in compulsion, and physical retrieval. Future issues may not turn on whether the digital forensic processes are in place, but rather who asserts the ultimate power to approve or deny a request. On one hand a large corporation driven by profit and brand; on the other hand the Australian government driven by sovereign right. What happens when a corporation is larger and more powerful than some sovereign nations?[43] Perhaps a truly uniform global enforcement standard is needed, but that is a bigger question for another essay.
END
2459 words total.
[1] Mutual Assistance in Criminal Matters Act 1987 (Cth) (“MACMA”) s 10.
[2] Evidence Act 1995 (Cth); Evidence Act 1977 (Qld).
[3] Standing Committee on Communications, Parliament of Australia, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime (Report, 21 June 2010) Chapter 6, 6.45 <https://www.aph.gov.au/parliamentary_Business/Committees/House_of_Representatives_Committees?url=coms/cybercrime/report.htm>.
[4] Ibid.
[5] United States v Microsoft Corp., No. 17-2, 584 U.S. ___ (2018).
[6] Ibid.
[7] X v Y & Z [2017] NSWSC 2014 [10] which also confirmed application of an injunction to the world at large at [22]: “There are many cases where parties out of the jurisdiction have been subjected to an injunction regarding their conduct abroad”.
[8] Australian Securities & Investments Commission, ‘Report 476: ASIC enforcement outcomes: July to December 2015’ (PDF March 2016) [28] <https://download.asic.gov.au/media/4156870/rep476-published-17-february-2017.pdf>.
[9] Ibid [29].
[10] Working Group Forensic IT, ‘Guidelines for Best Practice in the Forensic Examination of Digital Technology’ (PDF accessed 28 September 2019) page 18 <https://cryptome.org/2014/03/forensic-digital-best-practice.pdf>.
[11] Reservations and Declarations for Treaty No.185 - Convention on Cybercrime, Australia <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/declarations?p_auth=H14ZeLVw&_coeconventions_WAR_coeconventionsportlet_enVigueur=false&_coeconventions_WAR_coeconventionsportlet_searchBy=state&_coeconventions_WAR_coeconventionsportlet_codePays=AUT&_coeconventions_WAR_coeconventionsportlet_codeNature=2>.
[12] Convention on Cybercrime, Opened for signature 23 November 2001, European Treaty Series No.185 (entered into force 1 July 2004) <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185>.
[13] Cybercrime Legislation Amendment Act 2012 amended MACMA and other relevant instruments.
[14] Computerworld.com.au, “Australia signs up to Europe Convention on Cybercrime” (webpage, 5 March 2013) <https://www.computerworld.com.au/article/455433/australia_signs_up_europe_convention_cybercrime_/>.
[15] MACMA s 8 allows for refusal by the AGD on a number of grounds.
[16] MACMA s 10.
[17] MACMA s 6. Note s 10(2) seems to mirror s 6 in that requests for assistance are not limited to those provided under the Act. The drafting is slightly unclear.
[18] MACMA s 7.
[19] MACMA ss 8, 98,15B.
[20] Foreign Evidence Act 1994 (Cth) (“FEA”) s 25; see application in R v Yau [2017] SASCFC 4.
[21] El Khouri v Attorney-General [2018] FCA 1488 <http://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA/2018/1488.html?context=1;query=%22%20maicma1987384%22;mask_path=>.
[22] Mutual Assistance in Criminal Matters Act (2000) Singapore, Chapter 190A <https://sso.agc.gov.sg/Act/MACMA2000>.
[23] Judiciary Act 1903 (Cth) ss 3, 39B(1C)(c), 39B(1D).
[24] Judiciary Act 1903 (Cth) ss 39B(1C)(a), 39B(1C)(c).
[25] El Khouri v Attorney-General [2018] FCA 1488 [36]-[38].
[26] Bruce Bannerman, AGD, ‘International Aspects of Investigating Complex Commercial Frauds’ (webpage, undated; accessed 15 September 2019) <https://aic.gov.au/sites/default/files/publications/proceedings/downloads/10-bannerman.pdf>.
[27] See above n 10.
[28] Jago v District Court (NSW) (1989) 168 CLR 23 found there is no right to a speedy trial in Australia. However, this author observes the reasons for delay, length of delay, prejudice from delay or public interest about the delay may take on greater importance with the anticipated commencement on 1 January 2020 of the Human Rights Act 2019 (Qld) ss 29(5)(b), 29(7)(a), 32(2)(c.
[29] Russell G. Smith, Australian Institute of Criminology, Impediments to the Successful Investigation of Transnational High Tech Crime (October 2004) 285 <file:///C:/Users/Paul/Downloads/tandi285%20(1).pdf>.
[30] Ibid.
[31] Attorney-General’s Department, Australian Government, ‘Mutual Assistance’ (webpage accessed 15 September 2019) <https://www.ag.gov.au/Internationalrelations/Internationalcrimecooperationarrangements/MutualAssistance/Pages/default.aspx>.
[32] Ibid.
[33] Attorney-General’s Department, Australian Government, ‘Australian requests to foreign countries’ (webpage accessed 18 September 2019) <https://www.ag.gov.au/Internationalrelations/Internationalcrimecooperationarrangements/MutualAssistance/Pages/Mutualassistancerequeststoforeigncountries.aspx>.
[34] Evidence Act 1995 (Cth) Part 1 Definitions: document meaning (a) anything in writing, (b) anything with marks, figures, symbols or perforations …for persons qualified to interpret, (c) …sounds, images.. and see also cl 8 Part 2 Other Expressions; Evidence Act 1977 (Qld) Schedule 3 Dictionary especially (e) disc, tape, soundtrack or other device…, (f) any film, negative, tape or other device in which 1 or more visual images are embodied…and (g) any other record of information whatever.
[35] See above n 14.
[36] Alan Z. Rozenshtein, ‘Surveillance Intermediaries’ (2018) 70 Sanford Law Review 99 https://review.law.stanford.edu/wp-content/uploads/sites/3/2018/01/70-Stan.-L.-Rev.-99.pdf>.
[37] Apple, ‘A Message to Our Customers’ (webpage 16 February 2016) <https://www.apple.com/customer-letter/>.
[38] FindLaw, ‘First Amendment – U.S. Constitution’ (webpage accessed 27 September 2019) <https://constitution.findlaw.com/amendment1.html>.
[39] The Guardian, ‘GST extended to all goods bough overseas from July 2018’ (webpage 19 June 2017) <https://www.theguardian.com/australia-news/2017/jun/19/gst-extended-to-all-goods-bought-overseas-from-july-2018>.
[40] Minister for Communications and the Arts, ‘Government Provides 5G Security Guidance To Australian Carriers’ (webpage, 27 August 2018) “The Government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorised access or interference”.<https://www.minister.communications.gov.au/minister/mitch-fifield/news/government-provides-5g-security-guidance-australian-carriers>.
[41] Ibid.
[42] Vivienne Bath ‘Foreign Investment, the National Interest and National Security – Foreign Direct Investment in Australia and China’ (2012) 34(5) Sydney Law Review 6, 12.
[43] ABC News, ‘Facebook can be forced to police and remove illegal content worldwide, Europe’s top court says’ (webpage 4 October 2019) <https://www.abc.net.au/news/2019-10-04/facebook-can-be-forced-to-remove-illegal-content/11572794>.