DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME

DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME Providing Law Enforcement with the Legal Tools to Prevent, Investigate, and Prosecute Cybercrime

Overview • Balancing Privacy and Public Safety • Limits on Law Enforcement Investigative Authority • Intercepting Electronic Communications • Collecting Traffic Data Real Time • Obtaining Content Stored on a Computer Network • Obtaining Non-Content Information Stored on a Computer Network • Compelling the Target to Disclose Electronic Evidence

Balancing Privacy & Public Safety • Privacy is a basic human right “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence...” -- Art. XII, Universal Declaration of Human Rights • Promotes free thought, free expression, and free association, building blocks of democracy • Supports competitive businesses and markets, cornerstone of a robust economy

Balancing Privacy & Public Safety Privacy of computer networks is important: • Individuals, businesses, and governments increasingly use computers to communicate • Sensitive personal information and business records are stored in electronic form Privacy of computer networks is important for human rights, individual freedoms, and economic efficiency

Balancing Privacy & Public Safety Threats to online privacy: • Industry • Gathering marketing information • Government • Investigating crime, espionage, or terrorism • Misusing legal investigative authorities • Criminals • Stealing government or business secrets or financial information • Obtaining private information from individuals’ computers

Balancing Privacy & Public Safety • Need to investigate all kinds of crimes that involve computer networks • E.g.: communications of terrorists or drug dealers • Need to investigate attempts to damage computer networks • E.g.: “I love you” virus • Need to investigate invasions of privacy • E.g.: hackers working for organized crime stealing credit card numbers

Limited Law Enforcement Authority Striking the Balance: • Government investigative authority subject to appropriate limits and controls in the form of procedural laws will increase privacy and public safety, but . . . • Uncontrolled government authority may diminish privacy and hinder economic development.

Limited Law Enforcement Authority Intrusiveness of the Investigative Power Safeguards to Prevent Governmental Abuse

Limited Law Enforcement Authority Ways to limit law enforcement authorities: • Define specific predicate crimes/classes of crime • Require law enforcement to demonstrate factual basis to independent judicial officer • Limit the breadth and scope, the location, or the duration • Offer only as “last resort” • Prior approval or subsequent review by senior official or politically accountable body

Limited Law Enforcement Authority Penalizing abuse: • Administrative discipline of officer involved • Inability to use evidence in prosecution (“suppression”) • Civil liability for officer involved • Criminal sanction of officer involved

Limited Law Enforcement Authority Limiting Economic Burdens on Third Party Service Providers: • Should laws require providers to have certain technical capabilities? • Who is responsible for costs of collecting data for law enforcement?

Other Policy Considerations • Each country should approach this complex balancing question, taking into consideration: • The scope of its crime and terrorism problem; • Its existing legal structures; • Its historical methods of protecting human rights; and, • the need to assist foreign governments. • Each country should decide the “means” for obtaining electronic evidence within its existing legal framework (e.g., constitutions, statutes, court decisions, rules of procedure)

Information Obtained from Computer Networks in Cybercrime Investigations

Intercepting Electronic Communications on Computer Networks • Obtaining the content of a communication as the communication occurs • Similar to intercepting what’s being said in a phone conversation • E.g.: collect the content of e-mail passing between two terrorists or drug dealers • E.g.: collect the commands sent by a hacker to a victim computer to steal corporate information

Intercepting Electronic Communications on Computer Networks • Many countries use the same (or very similar) rules as phone wiretaps • Authority should include the ability to compel providers to assist law enforcement officials • Sometimes does not require law enforcement expertise • May depend on particular technology and infrastructure • Art. 21, Council of Europe Convention on Cybercrime

Intercepting Electronic Communications on Computer Networks Law enforcement needs this authority because: • Criminals and terrorists increasingly use electronic communications to plan and execute crimes • Many crimes are committed mostly (or entirely) using computer networks • Distribution of child pornography, internet fraud, hacking • Communications may not be stored

Intercepting Electronic Communications on Computer Networks This authority should be limited because: • Interception of communications can be a grave invasion of privacy • Can allow access to the most private thoughts, harming freedoms of speech and association • Fear of overly intrusive interception may stifle competitive markets, economic development, and foreign investment

Independent judicial review Facts in support of an application showing that intercepted communications would “be likely to assist” in an investigation Investigation of a serious crime (generally 7+ years maximum incarceration) 90 day maximum (renewable) Information intercepted unlawfully cannot be used as evidence in court Intercepted information has certain disclosure restrictions and destruction after purpose is complete Judge must balance surrounding circumstances: Whether other investigative techniques would not be just as effective The value of the information Gravity of the conduct The privacy invasion Examples of Limitations on Interception Authorities – Australia

30 day time limit (plus extensions) “Probable cause” to believe a crime is being committed and that the facility is being used in furtherance of that crime All other options have been tried or are unlikely to succeed Independent judicial review Report to intercepted parties (at conclusion of case) Inability to use evidence in court if violate the law Administrative investigation of misuse of the law required Civil and criminal sanctions for violations Approval by high-level official Minimize collection of non-criminal communications Limitations on disclosure of intercepted communications Examples of Limitations on Interception Authorities – the United States

Possible Exceptions to the Rule Might not require legal process if: • The communication is publicly accessible • E.g.: public “chat” rooms • Party/all parties to the communication consent • Actual consent (CI), banner • Emergency involving risk of death • No reason to believe communication is private • Hackers communication with target computer

Intercepting Electronic Communications: Other Considerations • Limits on ISP’s interception • Possible exceptions for consent, interceptions necessary to run or secure a network • Voluntary disclosure of intercepted communication • Only if legal interception (i.e. subject to exception)

Collecting Traffic Data Real Time

Collecting Traffic Data Real Time • Interception of non-content information • Similar to phone number called to/from • E.g.: “To” and “From” on an e-mail • E.g.: Source and destination IP address in a packet header • Less intrusive than intercepting content, so less restrictions on law enforcement use • Art. 20, Council of Europe Convention on Cybercrime

Collecting Traffic Data Real Time Law enforcement needs this authority because: • Criminals and terrorists increasingly use electronic communications to plan and execute serious crimes • Helps locate suspects, identify members of conspiracy • Useful tool to assist foreign investigations where a country is used only as a “pass-though” • Provides a less intrusive and therefore less restricted alternative to content interception

Collecting Traffic Data Real Time This authority should be limited because: • Although less intrusive than content interception, still implicates privacy • Individuals don’t expect government to keep track of who they’re calling, even if government does not listen to what they’re saying • To/From information may be revealing (e.g., repeated e-mails to a psychiatrist; receiving information from a militant organization)

Collecting Traffic Data Real TimeSample Laws – United Kingdom • Information must be “necessary” for the investigation of crime, protection of national security, public health, other specified purposes • Approval by a designated high-level government official, but no independent judicial review • Collection must be “proportionate to what is sought to be achieved” • 30 day time limit

Collecting Traffic Data Real TimeSample Laws – United States • Information collected must be “relevant” to an ongoing criminal investigation • Can only be applied for by an attorney for the government (not a police officer) • Limited to 60 days (plus extensions) • Disciplinary, civil, and criminal penalties for misuse

Possible Exceptions to the Rule Might not require legal process if: • Party/all parties to the communication consent • E.g.: witness cooperating with the government allows officers to determine where conspirators’ e-mail is sent from • No reason to believe communication is private • Hackers communication with target computer • Interception is by provider of computing service in order to run the system or provide security

Obtaining Content Information Stored on a Computer Network

Obtaining the Content of Stored Information on Computer Networks • Information stored on the system of a third-party provider • Computer network not owned by the target of an investigation • E.g.: e-mail sent to an individual that is stored by an Internet service provider • E.g.: calendar kept on a remote service

Obtaining the Content of Stored Information on Computer Networks • Laws may be similar to those for searching or seizing computers in the possession of the target of an investigation • But because the information is held by a neutral third party, physical coerciveness of regular search procedures may not be necessary • Also, because the data is not in the immediate control (e.g. home) of the individual, he or she may have less of a privacy interest in it • Art. 18, Council of Europe Convention on Cybercrime

Obtaining the Content of Stored Information on Computer Networks Law enforcement needs this authority because: • Without it, serious crimes will go unpunished and undeterred • Just as law enforcement has needed coercive power to gather evidence in “real world” contexts, so it must be able to do so in online contexts • For the many crimes committed over the Internet, stored information is the “crime scene”

Obtaining the Content of Stored Information on Computer Networks This authority should be limited because: • As our countries enter the “Information Age,” more and more of the most sensitive data is being stored on computers • Businesses are increasingly using computer networks to store data • Individuals are increasingly storing information and communications remotely on third-party networks

Obtaining Stored ContentSample Laws – United States • To compel disclosure of most kinds of e-mail: • “Probable cause” to believe it contains evidence of a crime (same standard as to search a package or a house) • Review of evidence by an independent judge • Administrative sanctions against officers who abuse the authority • Civil suit against the government for misuse • Disclosure restrictions

Obtaining Stored Content Do some categories of data deserve extra protection? • Greater expectation that data will remain private • Has the user any choice about whether the information is stored on the network? • Example of graduated system of requirements – United States • Unopened e-mail requires a search warrant based upon “probable cause” • E-mail accessed by the user and other information the user chooses to store on a remote server requires a court order with only a showing of “relevance”

Obtaining Stored Content Consider allowing voluntary disclosure to law enforcement under some circumstances: • Unrestricted disclosure by 3rd-party providers may infringe upon privacy and have economic impact, but disclosure may be justified • To protect public health or safety • To allow the provider to protect its property (e.g., by reporting unauthorized use)

Obtaining Non-Content Information Stored on a Computer Network

Obtaining Non-Content Information Stored on a Computer Network • Computers create logs showing where communications came from and where they went • Generally less sensitive than content • E.g.: a list of all of the e-mail addresses to which a user sent e-mail • E.g.: a log showing the phone numbers by which a user accessed an Internet service provider

Obtaining Non-Content Information Stored on a Computer Network Law enforcement needs this authority because: • Logs showing what occurred on a network may be the best evidence of a computer crime; may identify the suspect or reveal criminal conduct This authority should be limited because: • Although less sensitive than content, these records still contain private information

Obtaining Stored Non-Content Information Laws Can Distinguish Between Kinds of Records: • Subscriber information generally less sensitive • Name, street address, user name • Might include method of payment, i.e., credit card or bank account (important because ISPs may not check users’ identities) • Logs showing with whom a user has communicated generally more sensitive

Obtaining Stored Non-Content InformationExamples of Different Standards • Art. 18, Council of Europe Convention on Cybercrime: • Treats “Subscriber Information” differently from other data • United States: • Basic subscriber records require a mere showing of “relevance” to a criminal investigation without prior review by a court (subpoena) • E-mail logs require a prior finding of “specific and articulable facts” that would justify disclosure of the records

Preservation of Evidence • Problem: many stored records last only for weeks or days • Obtaining legal process is often slow • Investigators may not even know the significance of evidence until weeks or days after the commission of a crime • Critical tool: request by law enforcement to preserve evidence (content or non-content) • Request does not compel the disclosure of the records, but freezes them pending legal process

Preservation of Evidence • Must be very fast (not require prior judicial approval or even written process) • Few privacy concerns because no disclosure occurs • COE Convention: does not require dual criminality because of need to preserve data quickly (disclosure, however, requires dual criminality)

DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME

DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME

Presentation Transcript

Legal Framework

Legal Instruments to combat child trafficking

CONTENTS A. LEGAL FRAMEWORK Legal Framework related to Treasury Legal Framework related to CBRT B. METHODS OF DATA CO

Recommendations for developing legal framework for the CDM

SEPA : Legal framework

Developing a Project Tradeoff Framework

CyberCrime

Legal Framework

Cybercrime

CYBERCRIME a true to life story

Developing a framework

Developing a Project Tradeoff Framework

Legal Issues Framework

Legal framework

International Legal Framework

Legal Instruments to combat child trafficking

Context to developing a framework…

Legal Framework

A basic legal framework

Developing a framework

Developing a framework for standardisation

Developing a Reusable Application Framework