⚖️ THREE LEGAL PATHWAYS FOR CLOUD DATA ACCESS
🔴 FUNDAMENTAL PRINCIPLE:
Cloud data stored by foreign providers requires international legal cooperation
THREE POSSIBILITIES ONLY
(Budapest Convention on Cybercrime)
PATHWAY 1: FREE, FAIR & LEGAL CONSENT - REMOTE ACCESS
Budapest Article 32.b
Account holder provides written voluntary consent
Suspect MUST be present for remote access
NO request to cloud provider
⏱️ Timeline: Immediate / Same day
✅ Result: Full data access (remote download)
🔑 Key: NO foreign authorization, NO provider delay
PATHWAY 2: IMPOSSIBLE TO LOCATE
Search Warrant + Contradictory Procedure
Data found during live computer search
User agreement with live search
⏱️ Timeline: Immediate
⚠️ Limitation: Live demo only
🔑 Key: Cannot compel credentials
PATHWAY 3: PRESERVATION + MLAT
Budapest Article 16
Preservation (16.1) + MLAT production (16.2)
⏱️ Timeline: Months to Years
✅ Result: Full data access
🔑 Key: Foreign authorization required
⚠️ BUDAPEST CONVENTION SECOND PROTOCOL
Second Protocol (adopted 2021) facilitates exchange of:
• Subscriber information (account holder name, address, billing)
• Traffic data (login history, IP addresses, access logs)
• NOT content data (emails, files, messages)
Accelerated procedure for vital urgency (kidnapping, imminent threat)
Content data MUST be requested via MLAT (Article 27)
🇪🇺 EU COOPERATION TOOLS (For EU Member States)
1. European Investigation Order (EIO)
→ Faster than MLAT (30-90 days) - between EU member states
2. Joint Investigation Teams (JIT)
→ Multi-national investigations with Eurojust funding
3. EMPACT (European Multidisciplinary Platform Against Criminal Threats)
→ Operational actions with Low Value Grants (LVGs)
4. SIRIUS Project (Europol)
→ Direct channel to cloud providers & cryptocurrency exchanges
📊 PATHWAY COMPARISON
| Criteria | PATHWAY 1: Consent (Article 32.b) | PATHWAY 2: Impossible to Locate (Live Search) | PATHWAY 3: Preservation + MLAT (Article 16) |
|---|---|---|---|
| Consent Required | ✅ YES - Written voluntary consent | ✅ YES - Contradictory process | ❌ NO - No cooperation |
| Timeline | IMMEDIATE - Same day (remote access) | IMMEDIATE - Same day | VERY SLOW - Months to years |
| Full Data Access | ✅ YES - Remote download during session | ❌ NO - Screenshots/photos only | ✅ YES - Provider produces all data |
| Foreign Authorization (MLAT) | ✅ NOT NEEDED - Consent sufficient | ✅ NOT NEEDED - National warrant covers | ❌ REQUIRED - MLAT (slow) |
| National Authorization | ✅ REQUIRED - Warrant/Court Order | ✅ REQUIRED - Search Warrant | ✅ REQUIRED - Warrant/Court Order |
| Best Use Case | Cooperating account holder; full data needed; time-sensitive | Immediate triage; limited evidence acceptable; cannot wait for MLAT | Non-cooperating subject; full data needed; time not critical |
⚠️ SECOND PROTOCOL & EU TOOLS ARE ADDITIONAL
Second Protocol: Use alongside Pathway 3 for subscriber/traffic data (faster than MLAT)
EIO: Alternative to MLAT for EU-to-EU requests (30-90 days vs. months-years)
JIT: Direct evidence sharing between JIT partners (no MLAT delay)
EMPACT: Funding (LEVGs) for operational costs (forensic tools, travel, etc.)
SIRIUS: Direct channel to providers via Europol (preservation, subscriber/traffic data)
✅ PATHWAY 1: FREE, FAIR & LEGAL CONSENT - REMOTE ACCESS
Pathway 1: Written Voluntary Consent
↓
WHEN TO USE:
• Account holder willing to provide written consent
• Full data extraction needed
• Time-sensitive investigation (faster than MLAT)
↓
STEP 1: Obtain Written Consent
• Account holder is lawful owner (not just password holder)
• Consent is voluntary (FREE - no coercion)
• Consent is informed (FAIR - understands what is accessed)
• Person has lawful authority (LEGAL - authorized owner)
• Contradictory procedure (witnesses present)
• Signed consent form
↓
STEP 2: National Authorization
• Obtain warrant/court order (ALWAYS required)
• Budapest addresses foreign authorization, NOT national
↓
STEP 3: Remote Access Procedure
• ⚠️ NO REQUEST TO PROVIDER (remote access instead)
• Suspect MUST be present (contradictory procedure)
• Location: Suspect's residence, police station, or court
• Suspect logs in OR provides credentials voluntarily
• Witnesses present
↓
STEP 4: Systematic Data Download
• Use Google Takeout, Outlook export, Dropbox download, etc.
• Download emails, files, photos, documents
• Suspect observes entire process
• Timeline: Immediate / Same day
• Full data access (all content, metadata, logs)
🔑 KEY ADVANTAGES
✅ Immediate timeline (same day - NO provider delay)
✅ NO MLAT delays (NO provider request needed)
✅ NO foreign authorization needed (consent sufficient)
✅ Complete data extraction via remote access
Critical Requirements:
• Lawful account owner (not just someone with password)
• Truly voluntary (FREE, FAIR & LEGAL)
• Suspect MUST be present entire time
• Self-incrimination protection (do NOT use if defendant)
🔍 PATHWAY 2: IMPOSSIBLE TO LOCATE DATA
Pathway 2: Live Search - Impossible to Locate
↓
WHEN TO USE:
• Search warrant authorizes computer search
• Account holder present and agrees to live exam
• Immediate evidence needed
• Cannot wait for MLAT
↓
STEP 1: Search Warrant Authorization
• Warrant explicitly authorizes computer search
• Includes data accessible from devices (cloud data)
• Contradictory procedure (witnesses present and agree)
↓
STEP 2: User-Assisted Access
• Device already logged in
• CANNOT compel credentials (self-incrimination protection)
↓
STEP 3: Document Data Observed
• Screenshots of visible data
• Photographs of screens
• Notes of data observed
• Witnesses present (contradictory procedure)
↓
⚠️ LIMITATIONS
• Live demonstration only (NO full extraction)
• Cannot compel credentials
• Cannot access data account holder doesn't show
• Screenshots/photos only (NO provider cooperation)
↓
Is live demonstration sufficient?
YES - Sufficient
↓
COMPLETE
Live demonstration evidence obtained
Timeline: Immediate (same day)
Proceed to analysis
NO - Insufficient
↓
USE PATHWAY 3
Full systematic extraction needed
Proceed to Preservation + MLAT
⚠️ WHY LIMITED?
Full extraction requires PROVIDER COOPERATION
In Pathway 2, we only observe what account holder voluntarily shows
Provider is NOT producing data
What we CAN do: Observe and document (screenshots/photos)
What we CANNOT do: Systematic extraction, access hidden data, obtain deleted data
⚖️ PATHWAY 3: PRESERVATION + MLAT
Pathway 3: Legal Process Without Consent
↓
WHEN TO USE:
• NO voluntary consent (Pathway 1 unavailable)
• Account holder NOT connected (Pathway 2 unavailable)
• Standard investigation - full systematic extraction needed
↓
⏰ TIMELINE WARNING
Pathway 3 is VERY SLOW
MLAT average: 10-12 months
Can take YEARS
↓
STEP 1: Emergency Preservation (Article 16.1)
⏰ DO THIS IMMEDIATELY
• Submit preservation request to provider
• Provider HOLDS data temporarily (90-180 days max)
• Preservation ≠ Production (provider does NOT deliver data yet)
↓
STEP 2: Obtain National Authorization
• Content data: Search Warrant
• Non-content data: Subpoena/Court Order
• ALWAYS required BEFORE MLAT
↓
STEP 3: MLAT Request (Article 16.2)
• Submit MLAT via competent authority (Ministry of Justice)
• MLAT sent to foreign state (USA for Google, Microsoft, etc.)
• Foreign state processes MLAT under their law
• Foreign court issues authorization
• ⏱️ TIMELINE: MONTHS TO YEARS
↓
⚠️ PRESERVATION MANAGEMENT
• Preservation expires after 90 days (renewable once = max 180 days)
• MUST receive MLAT authorization BEFORE preservation expires
• If preservation expires: Data may be permanently lost
• Request renewal at 80 days
↓
STEP 4: Foreign Authorization Received
• Foreign state approves MLAT
• Foreign court order issued
• Provider authorized to produce data
↓
STEP 5: Provider Produces Data
• Submit production request to provider
• Attach foreign authorization + MLAT reference
• Provider produces data (days to weeks after authorization)
• Timeline: Days to weeks AFTER foreign authorization
↓
✅ COMPLETE
Full cloud data obtained via MLAT
Timeline: Months to years (but complete forensic copy)
Proceed to analysis
⚠️ WHY SO SLOW?
Two levels of authorization required:
1. National authorization (your country's warrant) - Days to weeks
2. Foreign authorization (foreign country's review via MLAT) - Months to years
MLAT process:
• Your country submits MLAT via diplomatic channels
• Foreign state reviews under their law
• Foreign state verifies dual criminality
• Foreign state obtains their own court authorization
• Foreign state orders provider to produce data
• Data transmitted back through diplomatic channels
Average: 10-12 months (can be years)
🌐 BUDAPEST CONVENTION SECOND PROTOCOL
Accelerated Exchange of Subscriber & Traffic Data
Second Protocol to Budapest Convention (adopted 2021)
Facilitates international exchange of electronic evidence
⚠️ LIMITED SCOPE
COVERED BY SECOND PROTOCOL
Subscriber Information:
• Account holder name
• Address
• Billing information
• Account creation date
• Payment method
Traffic Data:
• Login history
• IP addresses
• Access logs
• Email headers (NOT content)
• Connection logs
NOT COVERED - REQUIRES MLAT
Content Data:
• Email message content
• Stored files and documents
• Photos, videos
• Message content
• Any user-generated content
⚠️ Content MUST be requested via MLAT
(Article 27 Budapest Convention)
↓
ACCELERATED PROCEDURE
Emergency requests for "vital urgency":
• Kidnapping
• Imminent threat to life
• Ongoing child sexual exploitation
• Active terrorist attack
⏱️ Timeline: Hours to days (much faster than MLAT)
💡 HOW TO USE SECOND PROTOCOL
The Second Protocol is an ADDITIONAL tool (not a replacement for Pathways 1-3)
Use alongside Pathway 3:
• Use Second Protocol for subscriber/traffic data (faster - hours to days)
• Use MLAT for content data (slower - months to years)
• Can submit both simultaneously
Example: Request subscriber info via Second Protocol while MLAT processes for email content
🇪🇺 EU COOPERATION TOOLS
For EU Member States Only
European Investigation Order (EIO)
Purpose: Streamlined evidence-gathering between EU states
When to Use:
• Requesting state: EU member
• Requested state: EU member
• Alternative to MLAT (faster)
⏱️ Timeline: 30-90 days
(vs. months-years for MLAT)
Use for Cloud:
If provider has EU subsidiary
(Google Ireland, Microsoft Ireland, etc.)
Joint Investigation Teams (JIT)
Purpose: Multi-national investigation framework
When to Use:
• Multi-national investigation
• Complex cross-border case
• Multiple countries investigating same network
Benefits:
• Direct evidence sharing (no MLAT delay)
• Joint operations
• Eurojust funding available
Coordination: Eurojust or Europol
EMPACT
Purpose: EU operational framework for priority crimes
Priority Areas:
• Cybercrime
• Drug trafficking
• Human trafficking
• Organized crime
• Terrorism
• Others (updated annually)
Benefits:
• Law Enforcement Value Grants (LEVGs)
• Funding for operational costs
• Travel, equipment, forensic tools, training
• Direct coordination via Europol
SIRIUS Project (Europol)
Purpose: Direct channel to online service providers
Covered Providers:
• Cloud providers (Google, Microsoft, Dropbox)
• Cryptocurrency exchanges (Coinbase, Binance, Kraken)
• Social media platforms
Use for:
• Preservation requests (immediate)
• Subscriber/traffic data production
• Emergency requests
⚠️ Limitation:
Content data may still require MLAT
(check provider agreement)
💡 HOW TO USE EU TOOLS
EU tools are ADDITIONAL mechanisms (not replacements for Pathways 1-3)
Can be used alongside all pathways:
• EIO: Use instead of MLAT for EU-to-EU requests (much faster)
• JIT: Direct evidence sharing between JIT partners (no MLAT for shared data)
• EMPACT: Apply for LEVGs to fund cloud forensic tools and operations
• SIRIUS: Use for preservation and subscriber/traffic data (faster than MLAT)
Example: Use SIRIUS for preservation + EIO for content production (if provider in EU)
🌳 INVESTIGATOR DECISION TREE
START: Cloud Data Required
↓
STEP 1: IMMEDIATE PRESERVATION
Submit emergency preservation request to provider
(Budapest Article 16.1)
⏰ DO THIS FIRST - TIME CRITICAL
↓
Is account holder willing to provide
written voluntary consent?
YES - Consent
↓
USE PATHWAY 1
Free, Fair & Legal Consent - REMOTE ACCESS
(Budapest Article 32.b)
⏱️ Immediate / Same Day
✅ Full data access
⚠️ NO provider request - Remote access only
NO - No Consent
↓
Is account holder willing to
voluntarily show data during search?
YES - Will Show
USE PATHWAY 2
Impossible to Locate Data
User written agreement (Live Search)
⏱️ Immediate
⚠️ Limited (live demo only)
NO - Won't Cooperate
USE PATHWAY 3
Preservation + MLAT
(Budapest Article 16)
⏱️ Months to Years
✅ Full data access
↓
ADDITIONAL TOOLS AVAILABLE:
• Second Protocol: For subscriber/traffic data (hours-days)
• EIO: For EU-to-EU requests (30-90 days)
• JIT: For multi-national cooperation
• EMPACT: For operational funding (LEVGs)
• SIRIUS: For direct channel to providers