DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME

1
DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME

• Providing Law Enforcement with the Legal Tools to
  Prevent, Investigate, and Prosecute Cybercrime

2
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

3
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

4
Balancing Privacy Public Safety

• Privacy is a basic human right
• No one shall be subjected to arbitrary
  interference with his privacy, family, home
• or correspondence...
• -- Art. XII, Universal Declaration of Human
  Rights
• Promotes free thought, free expression, and free
  association, building blocks of democracy
• Supports competitive businesses and markets,
  cornerstone of a robust economy

5
Balancing Privacy Public Safety

• Privacy of computer networks is important
• Individuals, businesses, and governments
  increasingly use computers to communicate
• Sensitive personal information and business
  records are stored in electronic form
• Privacy of computer networks is important for
  human rights, individual freedoms, and economic
  efficiency

6
Balancing Privacy Public Safety

• Threats to online privacy
• Industry
• Gathering marketing information
• Government
• Investigating crime, espionage, or terrorism
• Misusing legal investigative authorities
• Criminals
• Stealing government or business secrets or
  financial information
• Obtaining private information from individuals
  computers

7
Balancing Privacy Public Safety

• Need to investigate all kinds of crimes that
  involve computer networks
• E.g. communications of terrorists or drug
  dealers
• Need to investigate attempts to damage
  computer networks
• E.g. I love you virus
• Need to investigate invasions of privacy
• E.g. hackers working for organized crime
  stealing credit card numbers

8
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

9
Limited Law Enforcement Authority

• Striking the Balance
• Government investigative authority subject to
  appropriate limits and controls in the form of
  procedural laws will increase privacy and public
  safety, but . . .
• Uncontrolled government authority may diminish
  privacy and hinder economic development.

10
Limited Law Enforcement Authority

Intrusiveness of the Investigative Power
Safeguards to Prevent Governmental Abuse
11
Limited Law Enforcement Authority

• Ways to limit law enforcement authorities
• Define specific predicate crimes/classes of
  crime
• Require law enforcement to demonstrate factual
  basis to independent judicial officer
• Limit the breadth and scope, the location, or
  the duration
• Offer only as last resort
• Prior approval or subsequent review by senior
  official or politically accountable body

12
Limited Law Enforcement Authority

• Penalizing abuse
• Administrative discipline of officer involved
• Inability to use evidence in prosecution
  (suppression)
• Civil liability for officer involved
• Criminal sanction of officer involved

13
Limited Law Enforcement Authority

• Limiting Economic Burdens on Third Party Service
  Providers
• Should laws require providers to have certain
  technical capabilities?
• Who is responsible for costs of collecting data
  for law enforcement?

14
Other Policy Considerations

• Each country should approach this complex
  balancing question, taking into consideration
• The scope of its crime and terrorism problem
• Its existing legal structures
• Its historical methods of protecting human
  rights and,
• the need to assist foreign governments.
• Each country should decide the means for
  obtaining electronic evidence within its
  existing legal framework (e.g., constitutions,
  statutes, court decisions, rules of procedure)

15
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

16
Information Obtained from Computer Networks in
Cybercrime Investigations
17
Information Obtained from Computer Networks in
Cybercrime Investigations
18
Intercepting Electronic Communications on
Computer Networks

• Obtaining the content of a communication as the
  communication occurs
• Similar to intercepting whats being said in a
  phone conversation
• E.g. collect the content of e-mail passing
  between two terrorists or drug dealers
• E.g. collect the commands sent by a hacker to a
  victim computer to steal corporate information

19
Intercepting Electronic Communications on
Computer Networks

• Many countries use the same (or very similar)
  rules as phone wiretaps
• Authority should include the ability to compel
  providers to assist law enforcement officials
• Sometimes does not require law enforcement
  expertise
• May depend on particular technology and
  infrastructure
• Art. 21, Council of Europe Convention on
  Cybercrime

20
Intercepting Electronic Communications on
Computer Networks

• Law enforcement needs this authority because
• Criminals and terrorists increasingly use
  electronic communications to plan and execute
  crimes
• Many crimes are committed mostly (or entirely)
  using computer networks
• Distribution of child pornography, internet
  fraud, hacking
• Communications may not be stored

21
Intercepting Electronic Communications on
Computer Networks

• This authority should be limited because
• Interception of communications can be a grave
  invasion of privacy
• Can allow access to the most private thoughts,
  harming freedoms of speech and association
• Fear of overly intrusive interception may stifle
  competitive markets, economic development, and
  foreign investment

22
Examples of Limitations on Interception
Authorities Australia

• Independent judicial review
• Facts in support of an application showing that
  intercepted communications would be likely to
  assist in an investigation
• Investigation of a serious crime (generally 7
  years maximum incarceration)
• 90 day maximum (renewable)
• Information intercepted unlawfully cannot be used
  as evidence in court

• Intercepted information has certain disclosure
  restrictions and destruction after purpose is
  complete
• Judge must balance surrounding circumstances
• Whether other investigative techniques would not
  be just as effective
• The value of the information
• Gravity of the conduct
• The privacy invasion

23
Examples of Limitations on Interception
Authorities the United States

• Inability to use evidence in court if violate the
  law
• Administrative investigation of misuse of the law
  required
• Civil and criminal sanctions for violations
• Approval by high-level official
• Minimize collection of non-criminal
  communications
• Limitations on disclosure of intercepted
  communications

• 30 day time limit (plus extensions)
• Probable cause to believe a crime is being
  committed and that the facility is being used in
  furtherance of that crime
• All other options have been tried or are unlikely
  to succeed
• Independent judicial review
• Report to intercepted parties (at conclusion of
  case)

24
Possible Exceptions to the Rule

• Might not require legal process if
• The communication is publicly accessible
• E.g. public chat rooms
• Party/all parties to the communication consent
• Actual consent (CI), banner
• Emergency involving risk of death
• No reason to believe communication is private
• Hackers communication with target computer

25
Intercepting Electronic Communications Other
Considerations

• Limits on ISPs interception
• Possible exceptions for consent, interceptions
  necessary to run or secure a network
• Voluntary disclosure of intercepted communication
• Only if legal interception (i.e. subject to
  exception)

26
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

27
Collecting Traffic Data Real Time
28
Collecting Traffic Data Real Time

• Interception of non-content information
• Similar to phone number called to/from
• E.g. To and From on an e-mail
• E.g. Source and destination IP address in a
  packet header
• Less intrusive than intercepting content, so less
  restrictions on law enforcement use
• Art. 20, Council of Europe Convention on
  Cybercrime

29
Collecting Traffic Data Real Time

• Law enforcement needs this authority because
• Criminals and terrorists increasingly use
  electronic communications to plan and execute
  serious crimes
• Helps locate suspects, identify members of
  conspiracy
• Useful tool to assist foreign investigations
  where a country is used only as a pass-though
• Provides a less intrusive and therefore less
  restricted alternative to content interception

30
Collecting Traffic Data Real Time

• This authority should be limited because
• Although less intrusive than content
  interception, still implicates privacy
• Individuals dont expect government to keep track
  of who theyre calling, even if government does
  not listen to what theyre saying
• To/From information may be revealing (e.g.,
  repeated e-mails to a psychiatrist receiving
  information from a militant organization)

31
Collecting Traffic Data Real TimeSample Laws
United Kingdom

• Information must be necessary for the
  investigation of crime, protection of national
  security, public health, other specified
  purposes
• Approval by a designated high-level government
  official, but no independent judicial review
• Collection must be proportionate to what is
  sought to be achieved
• 30 day time limit

32
Collecting Traffic Data Real TimeSample Laws
United States

• Information collected must be relevant to an
  ongoing criminal investigation
• Can only be applied for by an attorney for the
  government (not a police officer)
• Limited to 60 days (plus extensions)
• Disciplinary, civil, and criminal penalties for
  misuse

33
Possible Exceptions to the Rule

• Might not require legal process if
• Party/all parties to the communication consent
• E.g. witness cooperating with the government
  allows officers to determine where conspirators
  e-mail is sent from
• No reason to believe communication is private
• Hackers communication with target computer
• Interception is by provider of computing service
  in order to run the system or provide security

34
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

35
Obtaining Content Information Stored on a
Computer Network
36
Obtaining the Content of Stored Information on
Computer Networks

• Information stored on the system of a third-party
  provider
• Computer network not owned by the target of an
  investigation
• E.g. e-mail sent to an individual that is
  stored by an Internet service provider
• E.g. calendar kept on a remote service

37
Obtaining the Content of Stored Information on
Computer Networks

• Laws may be similar to those for searching or
  seizing computers in the possession of the target
  of an investigation
• But because the information is held by a neutral
  third party, physical coerciveness of regular
  search procedures may not be necessary
• Also, because the data is not in the immediate
  control (e.g. home) of the individual, he or she
  may have less of a privacy interest in it
• Art. 18, Council of Europe Convention on
  Cybercrime

38
Obtaining the Content of Stored Information on
Computer Networks

• Law enforcement needs this authority because
• Without it, serious crimes will go unpunished and
  undeterred
• Just as law enforcement has needed coercive power
  to gather evidence in real world contexts, so
  it must be able to do so in online contexts
• For the many crimes committed over the Internet,
  stored information is the crime scene

39
Obtaining the Content of Stored Information on
Computer Networks

• This authority should be limited because
• As our countries enter the Information Age,
  more and more of the most sensitive data is being
  stored on computers
• Businesses are increasingly using computer
  networks to store data
• Individuals are increasingly storing information
  and communications remotely on third-party
  networks

40
Obtaining Stored ContentSample Laws United
States

• To compel disclosure of most kinds of e-mail
• Probable cause to believe it contains evidence
  of a crime (same standard as to search a package
  or a house)
• Review of evidence by an independent judge
• Administrative sanctions against officers who
  abuse the authority
• Civil suit against the government for misuse
• Disclosure restrictions

41
Obtaining Stored Content

• Do some categories of data deserve extra
  protection?
• Greater expectation that data will remain private
• Has the user any choice about whether the
  information is stored on the network?
• Example of graduated system of requirements
  United States
• Unopened e-mail requires a search warrant based
  upon probable cause
• E-mail accessed by the user and other information
  the user chooses to store on a remote server
  requires a court order with only a showing of
  relevance

42
Obtaining Stored Content

• Consider allowing voluntary disclosure to law
  enforcement under some circumstances
• Unrestricted disclosure by 3rd-party providers
  may infringe upon privacy and have economic
  impact, but disclosure may be justified
• To protect public health or safety
• To allow the provider to protect its property
  (e.g., by reporting unauthorized use)

43
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

44
Obtaining Non-Content Information Stored on a
Computer Network
45
Obtaining Non-Content Information Stored on a
Computer Network

• Computers create logs showing where
  communications came from and where they went
• Generally less sensitive than content
• E.g. a list of all of the e-mail addresses to
  which a user sent e-mail
• E.g. a log showing the phone numbers by which a
  user accessed an Internet service provider

46
Obtaining Non-Content Information Stored on a
Computer Network

• Law enforcement needs this authority because
• Logs showing what occurred on a network may be
  the best evidence of a computer crime may
  identify the suspect or reveal criminal conduct
• This authority should be limited because
• Although less sensitive than content, these
  records still contain private information

47
Obtaining Stored Non-Content Information

• Laws Can Distinguish Between Kinds of Records
• Subscriber information generally less sensitive
• Name, street address, user name
• Might include method of payment, i.e., credit
  card or bank account (important because ISPs may
  not check users identities)
• Logs showing with whom a user has communicated
  generally more sensitive

48
Obtaining Stored Non-Content InformationExamples
of Different Standards

• Art. 18, Council of Europe Convention on
  Cybercrime
• Treats Subscriber Information differently from
  other data
• United States
• Basic subscriber records require a mere showing
  of relevance to a criminal investigation
  without prior review by a court (subpoena)
• E-mail logs require a prior finding of specific
  and articulable facts that would justify
  disclosure of the records

49
Preservation of Evidence

• Problem many stored records last only for weeks
  or days
• Obtaining legal process is often slow
• Investigators may not even know the significance
  of evidence until weeks or days after the
  commission of a crime
• Critical tool request by law enforcement to
  preserve evidence (content or non-content)
• Request does not compel the disclosure of the
  records, but freezes them pending legal process

50
Preservation of Evidence

• Must be very fast (not require prior judicial
  approval or even written process)
• Few privacy concerns because no disclosure occurs
• COE Convention does not require dual criminality
  because of need to preserve data quickly
  (disclosure, however, requires dual criminality)

51
Preservation of EvidenceSample Laws United
States

• A provider of communication services, upon the
  request of a government entity, shall take all
  necessary steps to preserve records or other
  evidence in its possession pending the issuance
  of a court order or other process.
• Lasts for 90 days and can be renewed

52
Overview

• Balancing Privacy and Public Safety
• Limits on Law Enforcement Investigative Authority
• Intercepting Electronic Communications
• Collecting Traffic Data Real Time
• Obtaining Content Stored on a Computer Network
• Obtaining Non-Content Information Stored on a
  Computer Network
• Compelling the Target to Disclose Electronic
  Evidence

53
Compelling Disclosure of Electronic Evidence in
the Possession of the Target

• Generally rules that pertain to search of a home
  or office apply
• Have to assure that the law is broad enough to
  cover collection of intangible data and not just
  physical items
• Compare
• E.g. Computer used to store child pornography
  or other evidence
• E.g. Computer used to break into bank to steal
  account information or move funds from one
  account to another

54
Seizing Computer Hardware

• Council of Europe Convention, Article 19
• Often investigators need to seize the computer
  itself
• Easy to apply traditional rules for objects
• Not clear why a computer should get greater or
  lesser protection than a filing cabinet

55
Searches and Seizures of Stored Data and
Intangible Evidence

• Investigators could simply copy computer files
  after entering an individuals home
• Data stored at home can be extremely sensitive
  (e.g., a diary, a will)
• Recommendation treat data as a thing to be
  seized, even if only a copy is made
• But imaging a drive should be a permissible
  search technique
• Technical considerations, e.g., OS
• Slack space and deleted files

56
Considerations for Searches and Seizures of
Intangible Evidence

• Applying the traditional rules provides balance
  and certainty
• Unwise not to protect that data from
  over-intrusive governmental searches
• Also unwise not to give law enforcement the power
  to obtain that evidence
• Easier for investigators to learn
• Use existing exceptions as well
• E.g. consent, emergency circumstances

57
Considerations for Searches and Seizures of
Intangible Evidence

• Why computer searches are different
• Computers hold huge amounts of data
• 10 gigabyte drive 5 million pages
• Requires expertise and tools, e.g. deleted files,
  familiarity with Operating System
• Information can be stored remotely
• Computers are multi-functional intermingling of
  innocent and privileged information

58
Conclusion

• Countries must have laws that allow law
  enforcement to compel disclosure of evidence of
  crime
• These powers in part enhance privacy by deterring
  criminal invasions of privacy
• Overly intrusive powers can harm the privacy of
  citizens and chill economic development
• Law makers must consider many factors when
  deciding what is appropriate for them
• Models from other jurisdictions can assist
  countries in designing appropriate laws

59
Questions?
60

• Todd M. Hinnen
• Department of Justice
• Computer Crime Intellectual Property Section
• Phone (202) 305-7747
• E-mail todd.m.hinnen_at_usdoj.gov