Credit: ambercoin/Pixabay

Government is now analysing feedback on plans to update legislation on how police and the security services can access data stored in cloud environments.

The proposed amendments would introduce explicit guidance advising investigators that warrants should not typically be served on cloud services providers in relation to the data of their customers.

The Home Office has now concluded a consultation process in which responses were invited on a planned update to the Code of Practice for the Interception of Communications. The code is one of six sets of statutory guidelines intended to dictate how authorities should exercise the powers invested in them by the Investigatory Powers Act – known to its critics as the Snoopers’ Charter.

The interception code sets out the processes and practices that officers should follow when using legal powers to access the private communications of individuals and businesses. Such communications are now often conducted digitally, via email and other electronic messaging methods.

Moreover, records of these messages are, in many cases, stored by a third-party cloud provider – rather than solely on personal devices and organisations’ in-house IT infrastructure.  

Government intends to add to the interception code a new section that provides clarity for officers planning to serve a warrant to gain access to digital records that a business, public body, or charity has stored in a cloud environment.

The additional text – which runs to 548 words – states that authorities “can often obtain the same data from both the cloud service provider and the enterprise” in question.

Related content

• EXCL: Wall of silence surrounds plan for nationwide collection of citizens’ internet records
• New investigatory powers commissioner to oversee all forms of government surveillance
• Ofcom to probe dominance of big three public-cloud players

In such cases, officers should serve warrants on the organisation under investigation – and not the IT firm paid to store or process their data.

The planned update says: “Although the [Investigatory Powers] Act allows the intercepting authority to serve the warrant on either the cloud-service provider or the enterprise, the intercepting authority should, where it is reasonable to do so, always serve a copy of the warrant on the enterprise rather than the cloud service provider.”

The revised code adds, however, that there will be “exceptions to this general rule”. 

This includes instances where an organisation does not have the technical capability to provide the data sought by officers.  Authorities are also given latitude to seek data from cloud providers if there are “reasonable grounds” to believe that serving the warrant directly to a business or government body could “result in the person under investigation becoming aware of the investigation” – leading to possible destruction of data or other forms of “interference”.

The consultation – which was launched by former home secretary Priti Patel – lasted for a little less than two months and has now closed. The online process did not specify any particular respondents that should take part, or any questions that they might wish to consider. 

“Prior to issuing any code, the secretary of state must prepare and publish a draft of it,” the Home Office said in the consultation documents. “The secretary of state must also consider any representations made about the draft revised code and may modify the draft accordingly. This consultation fulfils that requirement.”

Any such representations received by the department will now be considered by officials before the planned law change is put into effect.

“Following the consultation period, responses will be analysed and the draft code revised as necessary. It will then be laid before parliament for approval,” the Home Office said.