Archive for October, 2010

Do Defendants Have to Surrender their Passwords?

Sorry to be a bit behind in posting this, the latest in these blog postings. I’ve been in an airplane and airports so much lately that the last few weeks seem like a big blur. Anyway, a news item related to whether or not defendants must surrender their passwords when law enforcement orders them to do so surfaced last week. Oliver Drage, a UK citizen, received a sentence of four months of detention because he refused to turn over the password for decrypting information on his computer to law enforcement officials after he was arrested last year for allegedly having child pornography photos on his computer. He was found guilty of violating the Regulation of Investigatory Powers Act (RIPA).


Legal Risks in the Cloud: Part 3

It would be nice if the set of cloud-related legal risks I described in my previous two blog entries were a complete set. But, alas, they are not even close. Another very serious risk is the inability to conduct forensics investigations or, if such investigations can be conducted because of certain provisions in an SLA or SOW with a CSP, a diminished ability to conduct thorough and procedurally complete investigations. Investigation of anomalous events is one of the most important functions a security practice can have. But when an organization’s data and applications reside somewhere in the proverbial cloud, the organization is less likely to obtain information that enables its technical staff members to realize that anomalous events have occurred and to investigate them. Even if an organization has arranged to obtain, say, system and network audit data from a CSP, chances are the organization will face hurdles in obtaining access to its data and applications in the CSP’s network. The exception to the rule is when a CSP agrees to allow “delegated authority” to the customer; in this case, the customer can obtain a considerable amount of access to the part of the CSP’s network that contains the customer’s data and applications. But whether or not the customer is allowed physical access is yet another detail to be negotiated; there is no substitute for physical access to systems and devices when forensics investigations are being conducted. So organizations that take their data and applications to the cloud are at least to some degree inhibiting their own forensics investigation functionality.
