1.1 Introduction

1.2 Existing Regional legislative measures

1.3 Existing United Nations International Provisions

1.4 Critical Information Infrastructure Protection (CIIP)

1.5 Definitions/Terminology

1.6 Substantive Criminal Law

1.7 Measures in Procedural Law

1.8 Law Enforcement and Investigation

1.9 Prosecution

1.10 Responsibility of Internet Providers

1.11 Privacy and Human Rights

1.12 Civil Matters: Contractual Service Agreements, Federations & Other Civil Law Measures

1.13 Civil Matters: Regulatory and Administrative Law

1.14 Civil Matters: Conflict of Laws

1.15 References

Appendix 1: Inventory


1.1. Introduction

Cyberspace is one of the great legal frontiers of our time. From 2000 to 2008, the Internet has expanded at an average annual rate of 290% on a global level, and currently an estimated 1.4 billion people are “on the Net.”[1] The impact of the Internet on societies has been so fast and far-reaching that codes of ethics, the common sense of justice, and penal legislation have all been stretched to keep pace. In order to establish ethical standards in cyberspace, penal legislation must be enacted with clarity and specificity, rather than relying on extensions and vague interpretations of existing legislation. Perpetrators and offenders can then be justly convicted for their explicit acts, and not by existing provisions stretched in interpretation, or by provisions enacted for other purposes that cover cybercrimes only incidentally or peripherally.

Currently, the question of how to address the evolving challenges posed by cybercrime and other information security and network security issues to legal systems is being actively discussed.[2] There are two distinct levels at which to answer these challenges - general solutions or international approaches through international organizations; and individual solutions, either by single countries (national approaches) or by groups of countries from a geographic region (regional approaches). Both approaches have advantages and disadvantages.

Cybercrime is truly borderless and, potentially, transnational.[3] Offenders can, in general, target users in any country in the world, so international cooperation of law enforcement agencies is essential for international cybercrime investigations.[4] International investigations depend on reliable means of cooperation and effective harmonization of laws. Based on the common principle of dual criminality,[5] effective cooperation firstly requires a harmonization of substantive criminal law provisions to prevent safe havens.[6] Furthermore, it is necessary to harmonize investigation instruments to ensure that all countries involved in international investigations have the necessary instruments in place to carry out their investigations. Finally, the effective cooperation of law enforcement agencies requires effective practical procedures (e.g. effective requests for evidence and investigation and extradition procedures).[7] The importance of harmonization reflects the need for a national strategy on cybercrime and other information security and network security issues to participate in the global harmonization process.

The importance of achieving a single standard should not necessitate the creation of further model laws, if strategies are developed to prevent conflict between the different approaches. In order to ensure compliance with international standards, the following section introduces the legal standards defined by the Council of Europe’s Convention on Cybercrime, recognized by the WSIS as a regional initiative,[8] as well as areas of law not included in the Convention on Cybercrime.

A fundamental role of ITU, following the World Summit on the Information Society (WSIS) and the 2006 ITU Plenipotentiary Conference is to build confidence and security in the use of ICTs. At the WSIS, world leaders and governments designated ITU to facilitate the implementation of WSIS Action Line C5, “Building confidence and security in the use of ICTs”. In this capacity, ITU is seeking consensus on a framework for international cooperation in cybersecurity to reach a common understanding of cybersecurity threats among countries at all stages of economic development.

The GCA and the HLEG should adhere to the goals adopted by the Tunis Agenda for the Information Society. The Tunis Agenda (paragraphs 40 and 42), reads as follows:

“We call upon governments in cooperation with other stakeholders to develop necessary legislation for the investigation and prosecution of cybercrime, noting existing frameworks, for example, UNGA Resolutions 55/63 and 56/121 on “Combating the criminal misuse of information technologies” and regional initiatives including, but not limited to, the Council of Europe’s Convention on Cybercrime” (Paragraph 40).

“We affirm that measures undertaken to ensure Internet stability and security, to fight cybercrime and to counter spam, must protect and respect the provisions for privacy and freedom of expression as contained in the relevant parts of the Universal Declaration of Human Rights and the Geneva Declaration of Principles” (Paragraph 42).


1.2. Existing regional legislative measures

1.2.1. The Council of Europe’s Convention on Cybercrime

The 2001 Council of Europe’s Convention on Cybercrime[9] was a historic milestone in the fight against cybercrime. It entered into force on 1 July 2004. By January 2008, twenty-one states had ratified the Convention, while twenty-two states had signed, but not yet ratified, the Convention. In the WSIS Tunis Agenda for the Information Society, governments recognized the Convention as a regional initiative.[10] The Convention consists of four chapters:

1) Chapter I on the use of terms includes definitions on computer systems, computer data, service providers and traffic data;

2) Chapter II on measures to be taken at the national level includes sections on substantive criminal law, procedural law and jurisdiction. The section on substantive criminal law identifies offences against the confidentiality, integrity and availability of computer data and systems (such as illegal access, illegal interception, data interference, system interference and misuse of devices). Computer-related offences include forgery and fraud. Content-related offences are offences related to child pornography, and offences related to infringements of copyright and related rights. The section on procedural law includes common provisions that apply to the Convention’s articles on substantive criminal law, and to other criminal offences committed by means of a computer system, and to the collection of evidence in electronic form relating to criminal offences. There is a provision on expedited preservation of stored computer data, covering expedited preservation and partial disclosure of traffic data. The section includes also provisions on production order, search and seizure of stored computer data, real-time collection of traffic data, and interception of content data. Provisions on jurisdiction are dealt with in a separate section.

3) Chapter III on international cooperation includes general principles relating to international cooperation, extradition, mutual assistance and spontaneous information. The chapter contains procedures pertaining to requests for mutual assistance in the absence of applicable international agreements, and to confidentiality and limitation on use, including specific provisions on mutual assistance regarding provisional measures, mutual assistance regarding investigative powers, and a provision for a 24/7 network.

4) Chapter IV on final provisions contains the final clauses, mainly in accordance with standard provisions in Council of Europe treaties. In accordance with Article 40, any State may declare that it avails itself of the possibility of requiring additional elements, as provided for under certain articles. In accordance with Article 42, any State may declare that it avails itself of the reservations provided for in certain articles.

By ratifying or acceding to the Convention, countries agree to ensure that their domestic laws criminalize the conduct described in the section on substantive criminal law, and establish the procedural tools necessary to investigate and prosecute such crimes. The Convention on Cybercrime uses technology-neutral language, so that it applies to both current and future technologies. States may exclude petty or insignificant misconduct from the offences it defines. Offences must be committed intentionally for criminal liability to arise. Intention may be understood as willfully and/or knowingly, but this is left to national interpretation. Additional specific intentional elements only apply to certain offences - for instance, to computer-related fraud, with the requirement of fraudulent or dishonest intent of procuring economic benefit.

International coordination and cooperation are necessary for the prosecution of cybercrime and other information security and network security issues and governments must take innovative steps to curb this serious threat. Offences must be committed ‘without right’, referring to conduct undertaken without authority or conduct not covered by established legal defenses, excuses, justifications or relevant principles under domestic law. These definitions are not intended to criminalize legitimate and common activities inherent in the design of systems and networks, or legitimate operating or commercial practices.

1.2.2. G8 Group of States

The G8 Group of States[11] established the Subgroup on High-Tech Crime (the Lyon Group) in 1997. At a meeting in Washington D.C. in that year, the G8 countries adopted Ten Principles to combat computer crime, to ensure that there were no “safe havens” for criminals anywhere in the world.

At a meeting of the G8 Justice and Home Affairs Ministers in Washington D.C. on 10-11 May 2004, the G8 Ministers issued a joint communiqué stating that, with the Council of Europe Convention on Cybercrime coming into force, the states should take steps to encourage the adoption of the legal standards contained within it on a broad basis. Another statement from a G8 Meeting in 2005 emphasized the following goal, “to ensure that law enforcement agencies can quickly respond to serious cyber-threats and incidents”.

At their 2006 Moscow Meeting, the G8 Justice and Home Affairs Ministers held further discussions on combating terrorism and cybercrime and other information security and network security issues and the necessity of improving effective counter-measures.[12] They issued the following statement:

“We also discussed issues related to sharing accumulated international experience in combating terrorism, as well as a comparative analysis of relevant pieces of legislation on that score. We discussed the necessity of improving effective countermeasures that will prevent IT terrorism and terrorist acts in this sphere of high technologies. For that, it is necessary to devise a set of measures to prevent such possible criminal acts, including in the sphere of telecommunication. That includes work against the selling of private data, counterfeit information and application of viruses and other harmful computer programs. We will instruct our experts to generate unified approaches to fighting cyber criminality, and we will need an international legal base for this particular work, and we will apply all of that to prevent terrorists from using computer and Internet sites for hiring new terrorists and the recruitment of other illegal actors”.

The G8 Summit in 2006 was held in St. Petersburg and culminated in a Summit Declaration on Counter-Terrorism, including the following statement:

“We reaffirm our commitment to collaborative work, with our international partners, to combat the terrorist threat, including:

Implementing and improving the international legal framework on counter-terrorism;

Effectively countering attempts to misuse cyberspace for terrorist purposes, including incitement to commit terrorist acts, to communicate and plan terrorist acts, as well as recruitment and training of terrorists;”

At the Meeting of the G8 Justice and Interior Ministers in Munich on 23-25 May 2007, Ministers also agreed “to work towards criminalizing, within national legal frameworks, specific forms of misusing the Internet for terrorist purposes”.

1.2.3. The European Union (EU)[13]

The Council of the European Union adopted a proposal in 2003 for a Council Framework Decision on attacks against information systems, which entered into force in 2005. The European Union Framework Decision supplements the Convention on Cybercrime and includes articles on illegal access to information systems, illegal system interference and illegal data interference.

In the latest development, the EU Commission considered an initiative in May 2007 regarding European legislation against identity theft, called “Towards a general policy on the fight against cybercrime”. The Commission organized an EU Expert Meeting on Cybercrime in November 2007, which represented an important next step for the EU in implementing the general policy outlined by the Commission. Delegates issued the following statement:

“The increasing prevalence of cybercrime across Europe, spanning large-scale attacks in Estonia, identity theft in Spain, illegal content and high-profile online child abuse incidents in Austria, Germany, Italy and the UK, highlights the need for concerted action. Indeed, successful operations such as “Operation Koala” and the global hunt for the “Vico” paedophile depend on regional and international cooperation. The conclusions of today’s meeting represent an important step by the EU to establish the cooperative links upon which such success is built.”

1.2.4. Asia-Pacific Economic Cooperation (APEC)

At a meeting in Mexico in 2002, the leaders of Asia-Pacific Economic Cooperation (APEC)[14] committed to: “Endeavour to enact a comprehensive set of laws relating to cybersecurity and cybercrime”. Similar statements were made at Ministerial Meetings in 2002 and 2005, when the Ministers renewed their commitment, stating that they encourage all economies to study the Convention on Cybercrime and endeavor to enact a comprehensive set of laws relating to cybersecurity and cybercrime that are consistent with international legal instruments, including United Nations General Assembly Resolution 55/63 (2000) and the Convention on Cybercrime.

APEC’s Telecommunications and Information Working Group (TEL WG) continues its work to address cybersecurity and cybercrime. TEL WG adopted the APEC Cybersecurity Strategy in 2002 to implement the objectives set by leaders and Ministers on cybercrime and critical infrastructure protection. In response to this call from leaders, the Security and Prosperity Steering Group (SPSG) under TEL WG sponsored three consecutive conferences of experts in Bangkok, Hanoi, and Seoul in 2003, 2004 and 2005, focusing on capacity-building and the legislative drafting of comprehensive cybercrime laws. Building on the success of these conferences, follow-up assistance was provided to individual economies to address their specific issues and needs in establishing comprehensive legal frameworks and developing effective law enforcement and cybercrime investigative units. A Judge and Prosecutor Cybercrime Enforcement Capacity Building Project is also underway for APEC economies to assist with capacity-building in legal expertise on cybercrime.

The legal development section of the APEC Cybersecurity Strategy has also stressed the importance of a legal framework on cybercrime and recognized the Convention on Cybercrime as the first multilateral legal instrument. It has encouraged APEC economies to adopt comprehensive substantive, procedural and mutual assistance laws and policies, to facilitate efforts to develop them, and to report on them. Complementary to the strategy, TEL WG adopted the APEC Strategy to Ensure A Trusted, Secure and Sustainable Online Environment in 2005. This strategy lists seven action item areas to promote close cooperation on online security among all stakeholders in APEC economies. From the legal perspective, strategic actions have been taken to “address the threat posed by the misuse, malicious use and criminal use of the online environment by ensuring that legal and policy frameworks address substantive, procedural and mutual legal assistance arrangements”.

TEL WG has hosted many workshops to implement UN General Assembly Resolution 55/63 (“Combating the criminal misuse of information technologies”) and to combat emerging cyberthreats and crime, on topics as diverse as spam, wireless security, malware, cybersecurity exercises, botnets, hand-held mobile device security and ICT product/service security, among others. Some workshops were co-organized in conjunction with other international organizations (including ASEAN, ITU and OECD). The consistency of legal frameworks and mutual assistance between law enforcement authorities are major recurring issues. A joint APEC-ASEAN workshop on network security was held in Manila in 2007 to share knowledge and experiences in capacity-building in cybersecurity and cybercrime. The Convention on Cybercrime was introduced as a reference legal model for APEC and ASEAN members. Discussions were also held on legislation, and on building technical expertise in CSIRTs and digital forensics.

1.2.5. Organization of American States (OAS)

The Ministers of Justice or Ministers or Attorneys General of the Americas in the Organization of American States (OAS)[15] recommended the establishment of a group of governmental experts on cybercrime in Peru in 1999. In 2004, the Fifth Meeting of Ministers of Justice or Ministers or Attorneys General of the Americas (REMJA) in Washington D.C. approved conclusions and recommendations including:

“Member States should evaluate the advisability of implementing the principles of the Council of Europe’s Convention on Cybercrime (2001), and consider the possibility of acceding to that convention”.

In cooperation with the Council of Europe and Spain, OAS organized a conference in Madrid in December 2005, which culminated in the following conference statement:

“Strongly encourage States to consider the possibility of becoming Parties to this Convention in order to make use of effective and compatible laws and tools to fight cybercrime, at domestic level and on behalf of international cooperation”.

The Sixth Meeting of Ministers of Justice (REMJA) in June 2006 issued the following statement:

“…continue to strengthen cooperation with the Council of Europe so that the OAS Member States can give consideration to applying the principles of the Council of Europe’s Convention on Cybercrime and to acceding thereto, and to adopting the legal and other measures required for its implementation. Similarly, that efforts continue to strengthen mechanisms for the exchange of information and cooperation with other international organizations and agencies in the area of cybercrime, such as the United Nations, the European Union, the Asia Pacific Economic Co-operation Forum, the Organisation for Economic Cooperation and Development (OECD), the G-8, the Commonwealth, and Interpol, in order for the OAS Member States to take advantage of progress in those forums”.

The conclusions and recommendations of the Meeting were followed up at a plenary session in June 2007 and a resolution was adopted.[16]

1.2.6. The Commonwealth

In an effort to harmonize computer-related criminal law in the Commonwealth countries,[17] experts gathered to present a model law to the Commonwealth Conference of Ministers in 2002. The law, entitled the Computer and Computer Related Crimes Act, shares the same framework as the Convention on Cybercrime to limit conflicting guidance. The model law serves as an example of common principles each country can use to adapt framework legislation compatible with other Commonwealth countries. A further Meeting of Senior Officials of Commonwealth Law Ministers was held in October 2007 to address laws to combat terrorism and money-laundering.

1.2.7. Association of South East Asian Nations (ASEAN)

The Association of South East Asian Nations (ASEAN)[18] agreed with China in 2003 to implement an ASEAN-China Strategic Partnership for Peace and Prosperity, with a declaration that expressed their joint intent:

“to formulate cooperative and emergency response procedures for purposes of maintaining and enhancing cybersecurity, and preventing and combating cybercrime.”

A Ministerial Meeting in 2004 in Bangkok issued a statement on cybercrime that recognized the need for effective legal cooperation to fight transnational crime.

A statement from the ASEAN Regional Forum (ARF) in July 2006 emphasized that:

“Believing that an effective fight against cyber-attacks and terrorist misuse of cyberspace requires increased, rapid and well-functioning legal and other forms of cooperation, ARF participating states and organizations endeavor to enact, if they have not yet done so, and implement cybercrime and cybersecurity laws in accordance with their national conditions and by referring to relevant international instruments and recommendations/guidelines for the prevention, detection, reduction, and mitigation of attacks to which they are party, including the ten recommendations in the UN General Assembly Resolution 55/63 on ‘Combating the Criminal Misuse of Information Technologies’.

ARF participating countries and organizations acknowledge the importance of a national framework for cooperation and collaboration in addressing criminal, including terrorist, misuse of cyber space and encourage the formulation of such a framework”.

Ministers of ASEAN member countries with responsibility for cooperation in combating transnational crime met, together with China, in Brunei Darussalam in November 2007. They agreed that, given the emerging challenges and increasing scope of transnational crime, the ASEAN-China Memorandum of Understanding needed to be reviewed and revised. A Joint Communiqué from China, Japan and the Republic of Korea made the following statement:

“We held a retreat to exchange views on strengthening ASEAN + 3 cooperation in combating transnational crime focusing on the emerging challenges of cybercrime and its strong linkages to other transnational crime: for example, terrorism and trafficking-in persons”.

1.2.8. The Arab League[19]

Several countries in the region have adopted cybercrime legislation, such as Pakistan, Saudi Arabia and the United Arab Emirates (UAE). The UAE was the first country in the region to adopt legislation, with its Cybercrime Law No. 2, enacted in February 2006. The Gulf Cooperation Council (GCC) (which includes Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the UAE) recommended at a conference in June 2007 that the GCC countries draft a treaty on cybercrime.

An ITU Regional Workshop for Cybersecurity and Critical Information Infrastructure Protection (CIIP) and Cybersecurity Forensics was held in Doha in February 2008 and stressed the importance of reviewing national cybercrime legislation to address threats in cyberspace and develop appropriate tools to combat cyber-attacks.

1.2.9. The African Union[20]

The Southern African Development Community (SADC) (including Zambia, Zimbabwe, South Africa, Malawi and Mozambique) initiated efforts to harmonize cybercrime laws in 2005. Progress in adopting cybercrime legislation has generally been slower in the East Africa region (including Tanzania, Kenya and Uganda), although Uganda has drafted a Computer Misuse Bill and its legislative process has started. East African states are trying to coordinate their efforts, so that their legislation is similar to the cybercrime laws in the Southern African region. The Connect Africa Summit was held in Kigali, Rwanda, in October 2007, to launch a global multi-stakeholder partnership aimed at promoting the development of secure and reliable high-quality ICT infrastructure in Africa.

Some individual African countries have taken the initiative and forged ahead with legislation to address cybercrime - Mauritius, South Africa and Zambia have all adopted such cybercrime legislation. A Cybercrime Bill passed its Second Reading in the Parliament of Botswana in December 2007, and is expected to go for a Third Reading in the near future, before it is signed into law.

1.2.10. The Organisation for Economic Cooperation and Development (OECD)

The Organisation for Economic Cooperation and Development (OECD)[21] adopted new guidelines in 2002 on the Security of Information Systems and Networks: Towards a Culture of Security. These guidelines on critical information infrastructure protection are not binding for Member States.

The OECD has held numerous meetings and workshops on different aspects of cybersecurity and computer crime, including an OECD Global Forum on Information Systems and Network Security and Workshop on Cybercrime held in Oslo, Norway, in 2003. The OECD Task Force on Spam was established in 2004 and delivered its report in 2006. A joint APEC-OECD workshop on Security of Information was held in Seoul in 2005. Several topics were discussed, including promoting global governmental incident response. In April 2007 an APEC-OECD Malware Workshop was held in Manila.

The OECD was the first international organization to initiate guidelines for computer crime,[22] but it does not work today directly on cybercrime as such. Rather, it focuses more on cybersecurity, and promotes a globally coordinated policy approach to building trust and confidence. The OECD Working Party on Information Security and Privacy (WPISP) has developed international guidelines to promote cybersecurity.[23]

1.2.11. The Shanghai Cooperation Organization (SCO)

The Shanghai Cooperation Organization (SCO)[24] was established by the People’s Republic of China, the Russian Federation, Kazakhstan, the Kyrgyz Republic, the Republic of Tajikistan and the Republic of Uzbekistan on 15 June 2001 by the Declaration of Shanghai Cooperation Organization. The Shanghai Convention on Combating Terrorism, Separatism and Extremism states that member states are:

“firmly convinced that terrorism, separatism and extremism, as defined in this Convention, regardless of their motives, cannot be justified under any circumstances, and that the perpetrators of such acts should be prosecuted under the law”.

For the purposes of the Convention, “terrorism” is defined as including:

“a. any act recognized as an offence in one of the treaties listed in the Annex to this Convention (hereinafter referred to as “the Annex”) and as defined in this Treaty;
b. other acts intended…, as well as to organize, plan, aid and abet such act”.

The Seventh Council Meeting of SCO Heads of State was held on 16 August 2007 in the capital of Kyrgyzstan. At the meeting, Russia, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan and China signed a series of important documents, among which the document “SCO member countries action plan to safeguard international information security” is devoted to information security. Facing new challenges and threats in the field of information security, SCO members will work together to jointly address growing network and information security threats.


1.3. Existing United Nations International Provisions

1.3.1. The United Nations Convention against Transnational Organized Crime (TOC)

The United Nations Convention against Transnational Organized Crime was adopted by General Assembly Resolution 55/25 on 15 November 2000. It is the main international instrument in the fight against transnational organized crime, and seeks to promote international cooperation to prevent and combat transnational organized crime more effectively.

Although the Convention does not provide a single, agreed definition of organized crime per se, its provisions do provide elements of a concept of organized crime. For instance:

• An organized criminal group is defined as three or more persons working together to commit one or more serious crimes in order to obtain financial or other material benefit.

• Transnational crimes are defined as:
- offences committed in more than one State;
- offences committed in one State, but a substantial part of preparation, planning, direction or control takes place in another;
- offences committed in one State, but involving an organized criminal group that engages in criminal activities in more than one State;
- offences committed in one State, but having substantial effects in another State.

• Serious crime is defined as conduct constituting an offence punishable by a maximum deprivation of liberty of at least four years or a more serious penalty.

Scope of application

The Convention applies to the prevention, investigation and prosecution of:

a) Offences established in accordance with Articles 5 (criminalization of participation in an organized criminal group), 6 (criminalization of the laundering of the proceeds of crime), 8 (criminalization of corruption) and 23 (criminalization of obstruction of justice);

b) Serious crime (Article 2 - see definition above). States Parties shall be able to rely on one another in investigating, prosecuting and punishing crimes committed by organized criminal groups where either the crimes or the groups who commit them have some element of transnational involvement.

1.3.2. United Nations system decisions, resolutions and recommendations

Some relevant United Nations system decisions, resolutions and recommendations include (in a non-exhaustive list):

• CCPCJ 2007 Resolution 16/2 of April 2007 on “Effective crime prevention and criminal justice responses to combat sexual exploitation of children” (notably, paragraphs 7 & 16).

• ECOSOC Resolution E/2007/20 of 26 July 2007 on “International cooperation in the prevention, investigation, prosecution and punishment of economic fraud and identity-related crime (E/2007/30 and E/2007/SR.45)”.

• ECOSOC Resolution 2004/26 of 21 July 2004 on “International cooperation in the prevention, investigation, prosecution and punishment of fraud, the criminal misuse and falsification of identity and related crimes”.

• The “Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-first century” (paragraph 18), endorsed by General Assembly Resolution 55/59 of 4 December 2000 and paragraph 36 of “Plan of action for the implementation of the Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-first century” annexed to, and noted by, General Assembly Resolution 56/261 of 31 January 2002.

• The Bangkok Declaration on “Synergies and Responses: Strategic Alliances in Crime Prevention and Criminal Justice” (paragraphs 15 and 16), endorsed by General Assembly Resolution 60/177 of 16 December 2005.

• Recommendations of an ad hoc Congress Workshop on “Measures to Combat Computer-Related Crime”. Paragraph 2 of General Assembly Resolution 60/177 invited Governments to implement all the recommendations adopted by the Eleventh Congress.

• General Assembly Resolutions 55/63 of 4 December 2000 and 56/121 of 19 December 2001 on “Combating the criminal misuse of information technologies”. This latter resolution invites Member States, when developing national law, policy and practice, to combat the criminal misuse of information technologies and to take into account, inter alia, the work and achievements of the Commission on Crime Prevention and Criminal Justice.

• Various resolutions by the Commission on Narcotic Drugs, including Resolution 48/5 on “Strengthening international cooperation in order to prevent the use of the Internet to commit drug-related crime” and Commission on Narcotic Drugs Resolution 43/8 of 15 March 2000 on the Internet. ECOSOC Resolution 2004/42 also addresses the “Sale of internationally controlled licit drugs to individuals via the Internet”.

• Paragraph 17 of the General Assembly Resolution 60/178 of 16 December 2005 on “International cooperation against the world drug problem”.

• ECOSOC Resolution 2004/42 on the “Sale of internationally controlled licit drugs to individuals via the Internet”.

Subsidiary bodies of the Commission on Narcotic Drugs (e.g., the Sub-commission on Illicit Drug Traffic and Related Matters in the Near and Middle East and regional HONLEA meetings) have also published relevant conclusions and recommendations. Additionally, the International Narcotics Control Board (INCB) published recommendations in its annual report for 2005 to curb the spread of illicit sales of controlled substances over the Internet, particularly pharmaceutical preparations. The Board is also finalizing a set of guidelines on this matter.

1.3.3. The International Telecommunication Union (ITU)

The ITU took the leading role in organizing the World Summit on the Information Society (WSIS), held with other partners in two phases, in Geneva in 2003 and Tunis in 2005. Governments, policy-makers and experts from around the world shared ideas and experiences about how best to address the emerging issues associated with the development of a global information society, including the development of compatible standards and laws. The outputs of the Summit are contained in the Geneva Declaration of Principles, the Geneva Plan of Action, the Tunis Commitment and the Tunis Agenda for the Information Society. Under the Tunis Agenda for the Information Society, ITU was entrusted to take the lead as the sole facilitator for WSIS Action Line C5: “Building confidence and security in the use of information and communication technologies (ICTs)”.

The ITU Secretary-General launched the Global Cybersecurity Agenda (GCA) in May 2007 as a global framework for dialogue and international cooperation aimed at proposing strategies to enhance security in the Information Society.


1.4. Critical Information Infrastructure Protection (CIIP)

1.4.1. Principles for protecting critical information infrastructure

Principles for Critical Information Infrastructure Protection (CIIP) have been developed by the G8 Group of countries. In 2003, the G8 Ministers of Justice and Interior adopted 11 principles[25], which also formed the basis for the UN principles adopted in 2004 on the “creation of a global culture of cybersecurity and the protection of critical information infrastructure”. The coordinated cyber-attacks in Estonia in April/May 2007 clearly demonstrated the need for implementing such principles. Principles for protecting critical information infrastructure are a vital part of society’s protection against cybercrime and cyberterrorism, as well as national security strategies.

1.4.2. Cyberterrorism and terrorist use of the Internet[26]

The term “terrorism” was used to describe criminal conduct long before computer communication and network technologies were developed. International organizations have been involved in the prevention of such acts for a long time, but global society has not yet agreed upon a universal definition of terrorism. During the final United Nations diplomatic conference of plenipotentiaries on the establishment of an International Criminal Court,[27] serious crimes such as terrorism were discussed, but the conference regretted that no generally acceptable definition could be agreed upon.


In Europe, a Council of Europe treaty, “The European Convention on the Suppression of Terrorism”, was adopted in 1977 as a multilateral treaty. The treaty was supplemented in 2005 by the Council of Europe’s Convention on the Prevention of Terrorism.[28] In this Convention, a terrorist offence is defined as any of the offences defined in the attached list of ten treaties contained in Appendix 1. The purpose or intent of terrorist offences is described in the Convention as offences that aim:

“by their nature or context to seriously intimidate a population or unduly compel a government or an international organization to perform or abstain from performing any act or seriously destabilize or destroy the fundamental political, constitutional, economic or social structures of a country or an international organization.”

Terrorism in cyberspace comprises both cybercrime and terrorism. Terrorist attacks in cyberspace represent a category of cybercrime and a criminal misuse of information technologies.[29] The term “cyberterrorism” is often used to describe this phenomenon.[30] However, in using such a term, it is important to understand that this is not a new category of crime.

Cyberterrorism has been defined as unlawful attacks and threats of attack against computers, networks, and stored information to intimidate or coerce a government or its people in furtherance of specific political or social objectives. An attack should result in damage to persons or property or cause sufficient harm to generate fear. Serious attacks against critical infrastructures could constitute acts of cyberterrorism, depending on their impact.[31]

The US Federal Bureau of Investigation has considered cyberterrorism as criminal acts perpetrated by the use of computers and telecommunications capabilities causing violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty in a population, with the goal of influencing a government or population to conform to a certain political, social or ideological agenda.[32] Cyberterrorism has also been defined as attacks or a series of attacks on critical information infrastructures carried out by terrorists, instilling fear by effects that are destructive or disruptive, with a political, religious or ideological motivation.[33]

These definitions have several common aspects: terrorist conduct consists of acts designed to spread public fear, and those acts must be committed with terrorist intent or motivation. Terrorism in cyberspace includes the use of IT systems designed or intended to destroy or disrupt critical information infrastructure of vital importance to society. These elements are also the targets of the attack.[34] Recent technological developments in computer systems and networks are further blurring the differences between cybercrime and cyberterrorism.[35]

1.4.2.1. Terrorist acts in cyberspace

Serious hindrance or disruption of the functioning of computer systems and networks of the critical information infrastructure of a State or government are the most likely targets of cyberterrorist acts. Attacks against critical information infrastructures can cause massive damage and represent a significant threat with serious consequences to the society.


Potential targets include government systems and networks, telecommunication networks, navigation systems for shipping and air traffic, water management systems, energy supplies, financial systems and other key systems. Computer systems can be closed down for short or extended periods of time, made to run at slower speeds, or without memory, or made to function or process data incorrectly or by omitting correct processing. It does not matter if the hindrance to their efficient operation is temporary, permanent, partial or total. Currently, the most common cyberterrorist attacks are flooding computer systems and networks with millions of messages from networks of hundreds of thousands of compromised computers from all over the world in coordinated Denial of Service (DoS) cyberattacks. Such attacks have the potential to crash or disrupt a significant part of the national information infrastructure.

1.4.2.2. Preparatory criminal conducts

According to the Convention on the Prevention of Terrorism (Articles 5-7), parties to the Convention are required to adopt as criminal offences certain preparatory conducts with the potential to lead to terrorist acts.[36] Public provocation to commit a terrorist offence is a criminal offence, if the distribution of a message to the public, “whether or not directly advocating terrorist offences, causes a danger that one or more such offences may be committed” (Article 5). Presenting a terrorist offence as necessary and justified is a criminal offence.[37] Specific intent is required to incite the commission of a terrorist offence, while provocation must be committed unlawfully and intentionally.

Recruitment for terrorism is also a criminal offence if people are solicited “to commit or participate in a commission of a terrorist offence, or to join an association or group, for the purpose of contributing to the commission of one or more terrorist offences by the association or the group” (Article 6). Recruitment for terrorism may be carried out using the Internet, but it is required that the recruiter successfully approach the person. The recruitment must be unlawful and intentional.

Training for terrorism is defined as the provision of instruction in the “making or use of explosives, firearms or other weapons or noxious or hazardous substances, or in other specific methods or techniques, for the purpose of carrying out or contributing to the commission of a terrorist offence, knowing that the skills provided are intended to be used for this purpose” (Article 7). The purpose must be to execute the terrorist offence or contribute to it. The trainer must have knowledge of skills or “know-how” which is intended to be used for the carrying out of the terrorist offence or for contributing to it.[38] Training must be unlawful and intentional.

Public provocation, recruitment or training for coordinated cyber-attacks with terrorist intent to destroy or seriously disrupt IT systems or networks of vital importance to the society may constitute a criminal offence. In one of the first convictions in this category, a man was sentenced in København Byret (Copenhagen District Court)[39] in Denmark on 11 April 2007, to imprisonment for three years and six months for a violation of the Danish Penal Code. He had encouraged terrorist acts by collecting terrorist material. His acts were not connected to any specific terrorist acts, but the court stated:

“The defendant’s activity may be described as professional general advices to terrorist groups that are intended to commit terrorist acts and that the defendant knew that, including that the spreading of his materials were suitable for recruiting new members to the groups, and suitable for the members of the groups to be strengthened in their intent to commit terrorist acts”.


1.5. Definitions/Terminology

1.5.1. Definitions of cybersecurity and cybercrime

1.5.1.1. Cybersecurity

Cybersecurity is the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber-environment and the assets of organizations and users.

1.5.1.2. Cybercrime

As technology has developed, so have definitions of computer crime or cybercrime. Historically, it has been argued that computer crimes may involve all categories of crimes, so a definition must emphasize the particularity, the knowledge or the use of computer technology.

Today, the Convention on Cybercrime defines cybercrime in Articles 2-10 on substantive criminal law in four different categories:

(1) offences against the confidentiality, integrity and availability of computer data and systems;

(2) computer-related offences;

(3) content-related offences;

(4) offences related to infringements of copyright and related rights.

This is a minimum consensus list that does not exclude extended definitions in domestic law. Recent technological developments may result in the addition of further commonly used categories, including identity theft, spam, phishing and other criminalization of preparatory acts, and terrorist misuse of the Internet.

1.5.2. Other Definitions

1.5.2.1. Computer system

A computer system is defined by the Convention on Cybercrime in Article 1(a) as:

“Any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data”.

At a Cybercrime Convention Meeting in March 2006, it was agreed that the definition of a “computer system” in Article 1(a) includes:

“Modern mobile telephones which are multifunctional and have among their functions the capacity to produce, process and transmit data, such as accessing the Internet, sending emails, transmitting attachments such as photographs, and downloading documents.

Similarly it was recognized that the personal digital assistants, with or without wireless functionality, also produce, process and transmit data”.

1.5.2.2. Computer data

Computer data is defined by the Convention on Cybercrime in Article 1(b) as:

“Any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function”.

At the Cybercrime Convention Meeting in June 2007, it was agreed that the definition of computer data in Article 1(b) includes:

“Pin codes for electronic use were computer data when input into a computer device”.

1.5.2.3. Service provider

Service providers are defined by the Convention on Cybercrime in Article 1(c) as:

(i) “Any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and

(ii) any other entity that processes or stores computer data on behalf of such communication service or users of such service”;

For the purposes of this Chapter, the definition of service provider adopted by the Convention on Cybercrime is used. Currently, the need for a broader definition which would cover the new services on offer is under discussion.

1.5.2.4. Traffic data

Traffic data is defined by the Convention on Cybercrime in Article 1(d) as:

“Any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”.


1.6. Substantive Criminal Law[40]

1.6.1. Offences against the confidentiality, integrity and availability of data and computer systems

1.6.1.1. Illegal access[41]

Illegal access or “hacking” refers to unlawful access to a computer system[42], one of the oldest computer-related crimes.[43] Following the development of computer networks (especially the Internet), this crime has become a mass phenomenon. Famous targets of hacking attacks include NASA, the US Air Force, the Pentagon, Yahoo, Google, eBay and the Estonian and German Governments.[44] One of the main challenges related to hacking attacks is the availability of software tools designed to automate attacks.[45] With the help of such software and preinstalled attacks, a single offender can attack thousands of computer systems in a single day using one computer.[46] If the offender has access to more computers – for example, through a botnet[47] – s/he can increase the scale of the attack still further.

Legal solutions

Illegal access to computer systems can prevent computer operators from managing, operating and controlling their systems in an undisturbed and uninhibited manner.[48] Protection aims to maintain the integrity of computer systems.[49] It is vital to distinguish between illegal access and subsequent offences (such as data espionage), as the legal provisions dealing with them have a different focus of protection. In this context, one question that is intensively discussed is whether the act of illegal access should be criminalized, in addition to subsequent offences.[50] Review of the various approaches to the criminalization of illegal computer access at the national level shows that enacted provisions sometimes confuse illegal access with subsequent offences, or seek to limit the criminalization of the illegal access to serious violations only.[51] Some countries criminalize mere access, while others limit criminalization to offences only in cases where the accessed system is protected by security measures, or where the perpetrator has harmful intentions, or where data was obtained, modified or damaged.[52] Other countries do not criminalize the access itself, but only subsequent offences.

The Convention on Cybercrime includes a provision on illegal access protecting the integrity of the computer systems by criminalizing unauthorized access to a system. Noting inconsistent approaches at the national level,[53] the Convention offers the possibility of limitations that – at least, in most cases – enable countries without legislation to retain more liberal laws on illegal access:[54]

Article 2 – Illegal access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.


1.6.1.2. Illegal interception[55]

Most data transfer processes among Internet Infrastructure Providers or Internet Service Providers (ISPs) are well-protected and difficult to intercept. However, offenders search for weak points in their systems. Wireless technologies are enjoying greater popularity and have historically proved vulnerable.[56] Nowadays, hotels, restaurants and bars offer customers Internet access through wireless access points. However, the signals in the data exchanges between the computer and the access point can be received within a radius of up to 100 meters.[57] Offenders that are able to receive the wireless signal can try to intercept the communication in order to obtain information transferred.

Legal solutions

In the past, perpetrators concentrated mainly on business networks for illegal interceptions. Interception of corporate communications was more likely to yield valuable information than data transferred within private networks. As a result, a number of countries have designed their criminal law provisions to address these threats. The rising number of identity thefts involving private personal data suggests that the focus of perpetrators may have changed[58], and private data (including credit card numbers, social security numbers,[59] passwords and bank account information) are now of greater interest to offenders.[60]


The Convention on Cybercrime includes a provision protecting the integrity of non-public transmissions by criminalizing their unauthorized interception. This provision essentially equates the protection of electronic transfers with the protection of voice conversations against illegal tapping and/or recording that already exists in most legal systems.[61]

Article 3 – Illegal interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

1.6.1.3. Data espionage[62]

Sensitive information is often stored in computer systems. If the computer system is connected to the Internet, offenders can try to access this information via the Internet from almost any place in the world.[63] The Internet is increasingly used to obtain trade secrets[64], as the value of sensitive information and the possibility of remote access makes data espionage highly interesting.

The techniques used to access information vary. “Social engineering” is highly effective for attacks on well-protected computer systems and describes the manipulation of human beings with the intention of gaining access to computer systems.[65] Social engineering is usually very successful, because the weakest link in computer security is often the user operating the computer system. For example, “phishing” has recently become a major cybercrime[66] and describes attempts to fraudulently acquire sensitive information (such as passwords) by masquerading as a trustworthy person or business (e.g. financial institution) through a seemingly official electronic communication. Offenders can also make use of software tools designed to automate attacks in order to access victims’ computer systems.[67]


Legal solutions

The Convention on Cybercrime provides legal solutions only for illegal access (Article 2) and illegal interception (Article 3).[68] It is questionable whether Article 3 applies to cases other than those where offences are carried out by intercepting data transfer processes. The question of whether illegal access to information stored on a hard disk is covered by the Convention is of great interest.[69] Since a transfer process is needed, it is likely that Article 3 of the Convention on Cybercrime does not cover forms of data espionage other than the interception of transfer processes.[70]

Some countries have decided to extend the protection that is available through technical measures by criminalizing data espionage. There are two main approaches:

(1) Some countries follow a narrow approach and criminalize data espionage only where specific secret information is obtained – an example is 18 U.S.C. § 1831, which criminalizes economic espionage. This provision not only covers data espionage, but other ways of obtaining secret information as well.

(2) Other countries have adopted a broader approach and criminalized the act of obtaining stored computer data, even if they do not contain economic secrets. An example is the previous version of § 202(a) of the German Penal Code.[71]

The implementation of such provisions is especially relevant in cases where an offender was authorized to access a computer system (e.g., because s/he was asked to fix a computer problem) and then abused the authorization to illegally obtain information stored on the computer system.[72] Since permission had been given for access to the computer system, it is in general not possible to deal with such cases through provisions criminalizing illegal access.

1.6.1.4. Data interference[73]

Computer data are vital for private users, businesses and administrations, which all depend on the integrity and availability of data. Lack of access to data can result in considerable (often financial) damage. One common example of data interference is a computer virus.[74] Ever since computer technology was first developed, computer viruses have threatened users who failed to install proper protection.[75] The number of computer viruses has recently risen significantly.[76] While in the early days, computer viruses were distributed through storage devices such as floppy disks, today, most viruses are distributed over the Internet, often in attachments to emails or as files that users download from the Internet.[77] These efficient new methods of distribution have massively accelerated virus infection and vastly increased the number of infected computer systems. The computer worm SQL Slammer[78] was estimated to have infected 75,000 computer systems within the first 10 minutes of its distribution.[79] The financial damage caused by virus attacks in the year 2000 alone was estimated to amount to some US$ 17 billion.[80]

Legal solutions

In Article 4, the Convention on Cybercrime includes a provision that protects the integrity of data against unauthorized interference.[81] This provision aims to fill gaps existing in some national penal laws and to provide computer data and computer programmes with protection similar to that enjoyed by tangible objects against intentional damage.[82]

Article 4 – Data interference

(1) Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

(2) A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.
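The conduct Article 4 describes (damaging, deletion, alteration or suppression of stored data) is what an integrity check is built to detect. The following is an added example, not code from the original document or from any of the bodies it cites: it builds a SHA-256 manifest of a constructed set of files held in memory, protects the manifest itself with an HMAC so that an attacker who alters the data cannot quietly rewrite the recorded hashes, and then reports which entries were altered, deleted or added. File names, contents and the key are all constructed for the example.

```python
"""Integrity manifest for detecting data interference (added example).

All file names, contents and the key below are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed baseline: three small "files" as they existed when the manifest was taken.
BASELINE_FILES: Dict[str, bytes] = {
    "config/app.ini": b"debug=false\n",
    "data/ledger.csv": b"id,amount\n1,100\n2,250\n",
    "bin/report.py": b"print('ok')\n",
}

# Constructed tampered state: one record altered, one file suppressed, one file planted.
TAMPERED_FILES: Dict[str, bytes] = {
    "data/ledger.csv": b"id,amount\n1,100\n2,2500\n",
    "bin/report.py": b"print('ok')\n",
    "bin/.hidden": b"unexpected\n",
}

# Constructed key; in practice it would live outside the protected system.
MANIFEST_KEY = b"example-manifest-key-do-not-reuse"


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to the hex SHA-256 digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so the manifest cannot be edited unnoticed."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: Dict[str, str], signature: str, key: bytes) -> bool:
    """Constant-time comparison of the stored signature with a freshly computed one."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def diff_against_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every difference between the trusted manifest and the current files."""
    current = build_manifest(files)
    return {
        "altered": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "deleted": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def check_integrity(files: Dict[str, bytes], manifest: Dict[str, str],
                    signature: str, key: bytes) -> Dict[str, object]:
    """Verify the manifest first; a forged manifest makes any file comparison meaningless."""
    if not verify_manifest_signature(manifest, signature, key):
        return {"manifest_trusted": False, "changes": None}
    return {"manifest_trusted": True, "changes": diff_against_manifest(manifest, files)}


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    sig = sign_manifest(manifest, MANIFEST_KEY)
    print(check_integrity(TAMPERED_FILES, manifest, sig, MANIFEST_KEY))
```

The signature step matters: an intruder who can alter `data/ledger.csv` can usually also alter a plain hash list stored beside it, so the manifest is only evidence of interference if it is keyed or kept off the system it describes.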


1.6.1.5. System interference[83]

The same concerns over attacks against computer data apply to attacks against computer systems. More businesses have incorporated Internet services into their production processes, to reap the benefits of 24-hour availability and worldwide accessibility. If offenders succeed in preventing computer systems from operating smoothly, this can result in great financial loss for victims.[84] One example of such attacks is the Denial of Service (DoS) attack. A DoS attack makes computer resources unavailable to their intended users.[85] By targeting a computer system with more requests than it can handle, offenders can close down the computer system and prevent users from accessing it, checking emails, reading the news, booking flights or downloading files. In 2000, within a short time, several DoS attacks were launched against well-known companies, including CNN, eBay and Amazon.[86]

Legal Solutions

Attacks like these can cause serious financial losses and affect even powerful systems.[87] Businesses are not the only targets. Experts around the world are currently discussing possible “cyber terrorism” scenarios taking into account attacks against critical infrastructures such as power supplies and telecommunication services.[88] To protect access of operators and users to ICTs, the Convention on Cybercrime includes a provision in Article 5 criminalizing the intentional hindering of the lawful use of computer systems.[89]

Article 5 – System interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
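Article 5 speaks of “serious hindering” of a system by inputting or transmitting data; the DoS scenario in this section is the flood of requests that exhausts a server. The following added example, not code from the original document, shows the two things an operator does about it on their own system: spot a source whose request rate in a short window is far above normal in the access log, and bound what any single client can consume with a token-bucket throttle so that ordinary users keep being served. The log lines, addresses (RFC 5737 documentation ranges), thresholds and refill rate are all constructed for the example.

```python
"""Request-flood detection and per-client throttling (added example).

The access log below is constructed: two ordinary clients and one source that
sends 120 requests in three seconds. Addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOG = (
    '198.51.100.7 - - [05/May/2007:10:00:00 +0000] "GET /news HTTP/1.1" 200 2048\n'
    '203.0.113.5 - - [05/May/2007:10:00:01 +0000] "GET /login HTTP/1.1" 200 1024\n'
    '198.51.100.7 - - [05/May/2007:10:00:02 +0000] "GET /flights HTTP/1.1" 200 4096\n'
    + "".join(
        f'192.0.2.10 - - [05/May/2007:10:00:0{i // 40} +0000] "GET / HTTP/1.1" 200 512\n'
        for i in range(120)  # 40 requests in each of seconds 0, 1 and 2
    )
)

# Common Log Format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line: str) -> Tuple[str, float]:
    """Return (client address, unix timestamp) for one log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.timestamp()


def parsed_events(lines: Iterable[str]) -> List[Tuple[str, float]]:
    """Parse and sort by time, so sliding windows see requests in order."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[1])


def find_flooders(lines: Iterable[str], window: float = 1.0, threshold: int = 20) -> Dict[str, int]:
    """Peak number of requests per client within any window of `window` seconds.

    Only clients whose peak reaches `threshold` are returned. The window is
    half-open, (ts - window, ts], so a request exactly `window` seconds old is dropped.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ip, ts in parsed_events(lines):
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


class TokenBucket:
    """Per-client token bucket: each request costs one token; tokens refill at a fixed rate."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = capacity
        self.rate = refill_per_second
        self.state: Dict[str, Tuple[float, float]] = {}  # ip -> (tokens, last seen)

    def allow(self, ip: str, now: float) -> bool:
        tokens, last = self.state.get(ip, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[ip] = (tokens - 1.0, now)
            return True
        self.state[ip] = (tokens, now)  # out of tokens: reject, keep the clock
        return False


def replay_with_throttle(lines: Iterable[str], capacity: int = 10,
                         refill_per_second: float = 5.0) -> Dict[str, Tuple[int, int]]:
    """Replay the log through the throttle; returns (allowed, rejected) per client."""
    bucket = TokenBucket(capacity, refill_per_second)
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ip, ts in parsed_events(lines):
        stats[ip][0 if bucket.allow(ip, ts) else 1] += 1
    return {ip: (a, r) for ip, (a, r) in stats.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flooders:", find_flooders(lines))
    print("throttle:", replay_with_throttle(lines))
```

On the constructed log the flooding source peaks at 40 requests in one second and is the only client reported; under the throttle it gets 20 of its 120 requests through while both ordinary clients are served in full. A per-client throttle is a limited defence against a distributed attack from many addresses, which is why the critical-infrastructure discussion above treats such coordinated floods as a distinct concern.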

1.6.1.6. Attacks against critical information infrastructure (Aggravation or separate offence)

The potential threat of massive and coordinated attacks in cyberspace may focus on systems and networks that contain critical information infrastructure. From 27 April to 18 May 2007, massive coordinated cyber-attacks were launched against websites of the government, banks, telecommunication companies, ISPs and news organizations in Estonia. The attacks were targeted and organized from outside Estonia, as attacks on the public and private critical information infrastructure of a State.[90]

1.6.2. Content-related offences

1.6.2.1. Child Pornography[91]

In contrast to widely differing views on what constitutes illegal content, child pornography is broadly condemned and offences related to child pornography are widely recognized as criminal acts. International organizations have been engaged in the fight against online child pornography for some time,[92] with several international legal initiatives including:

- the 1989 UN Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution, and Child Pornography[93];

- the 2003 EU Council Framework Decision on combating the sexual exploitation of children and child pornography[94];

- and the 2007 Council of Europe Convention on the protection of children against sexual exploitation and sexual abuse, among others.[95]

The Internet is used by the offenders to communicate and exchange child pornography.[96] An increase in bandwidth has supported the exchange of movies and picture archives. Research into the behavior of child pornography offenders shows that 15% of arrested people with Internet-related child pornography in their possession had more than 1,000 pictures on their computer; 80% had pictures of children aged between 6-12 years on their computer[97]; 19% had pictures of children younger than the age of 3[98]; and 21% had pictures depicting violence.[99]

Legal solutions

In order to further improve and harmonize the legal framework with regard to the protection of children against sexual exploitation,[100] the Convention on Cybercrime includes an article addressing child pornography.

Article 9 – Offences related to child pornography

(1) Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:

a) producing child pornography for the purpose of its distribution through a computer system;

b) offering or making available child pornography through a computer system;

c) distributing or transmitting child pornography through a computer system;

d) procuring child pornography through a computer system for oneself or for another person;

e) possessing child pornography in a computer system or on a computer-data storage medium.

(2) For the purpose of paragraph 1 above, the term “child pornography” shall include pornographic material that visually depicts:

a) a minor engaged in sexually explicit conduct;

b) a person appearing to be a minor engaged in sexually explicit conduct;

c) realistic images representing a minor engaged in sexually explicit conduct.

(3) For the purpose of paragraph 2 above, the term “minor” shall include all persons less than 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.

(4) Each Party may reserve the right not to apply, in whole or in part, paragraphs 1, sub-paragraphs d. and e, and 2, sub-paragraphs b. and c.

1.6.2.2. Making pornography unavailable to minors[101]

Sexually-related content was among the first content to be commercially distributed over the Internet. Recent research has identified as many as 4.2 million pornographic websites that may be available over the Internet at any time.[102] Besides websites, pornographic material can for example be distributed through file-sharing systems[103] and chat-rooms.

Legal solutions

Different countries criminalize erotic and pornographic material to different extents. Some countries permit the exchange of pornographic material among adults and limit criminalization to cases where minors seek access to this kind of material,[104] seeking to protect minors. For these countries, “adult verification systems” are useful.[105] Other countries criminalize any exchange of pornographic material even among adults,[106] without focusing on specific groups (such as minors). The Convention on Cybercrime does not contain a provision criminalizing the distribution of pornographic material, except for the provision relating to child pornography.

1.6.2.3. Spam[107]

“Spam” describes the emission of unsolicited bulk messages.[108] Although various forms exist, the most common one is email spam. Offenders send out millions of emails to users, often containing advertisements for products and services, but frequently also malicious software. Since the first spam email was sent in 1978,[109] the tide of spam emails has increased dramatically.[110] Today, email provider organizations report that as many as 85-90 per cent of all emails are spam.[111] The main sources of spam emails in 2007 were: the US (19.6 per cent of the recorded total); China (8.4 per cent); and the Rep. of Korea (6.5 per cent).[112]

Legal Solutions

The Convention on Cybercrime does not explicitly criminalize spam. The drafters suggested that the criminalization of these acts should be limited to serious and intentional hindering of communication.[113] This approach does not focus on unsolicited emails, but on the effects on a computer system or network. Based on the legal approach of the Convention on Cybercrime, the fight against spam could be based on unlawful interference with computer networks and systems only, which would limit the criminalization of spam to those cases where the spam emails have a serious influence on the processing power of computer systems. Spam emails influencing the effectiveness of commerce, but not necessarily the computer system, could not be prosecuted. A number of countries therefore follow a different approach – one example is 18 U.S.C. § 1037.

1.6.2.4. Online games

Online games are currently very popular. Registered users can create a virtual 3D-character[114] and use this character to move through a virtual world, communicate with other users or create virtual objects. Virtual currencies can support the development of an economy and businesses offering virtual objects for sale.[115] The revenues from those activities do not necessarily need to remain virtual – it is possible to exchange the virtual currency for real-world currency.[116] Recent reports show that some games have been used to commit crimes including[117]:

• Exchange and presentation of child pornography;[118]

• Copyright and Trademark violations;[119]

• Obtaining virtual objects without right;

• Fraud;[120]

• Gambling in online casinos;[121]

Legal Solutions

Discussions on how to address criminal activities related to online games have only just started. Currently, most states are focusing on the application of existing provisions, instead of developing a new legal framework for activities in virtual worlds. Depending on the status of their cybercrime-related legislation, most offences can be covered this way. Exchange of files containing child pornography in those online games is for example covered by the Convention on Cybercrime, Article 9. Article 9, paragraph 2(c) even enables the prosecution of users that animate 3D characters representing minors in a sexually-related way (as virtual child pornography).

The criminalization of the act of illegally obtaining virtual objects is more difficult, based on the classic cybercrime-related legislation. Obtaining a virtual object without right in general requires the manipulation of information describing the object. These acts can in general be covered by the Convention on Cybercrime, Article 4. In addition, copyright laws may be applicable in some cases.

1.6.3. Criminalization of preparatory acts

1.6.3.1. Misuse of devices[122]

Cybercrime can be committed using only fairly basic equipment. Committing offences such as libel or online fraud needs nothing more than a computer and Internet access and can be carried out from a public Internet café. More sophisticated offences can be committed using specialist software tools. The tools needed to commit complex offences are widely available over the Internet,[123] often without charge. More sophisticated tools cost several thousand dollars.[124] Using these software tools, offenders can attack other computer systems at the press of a button.

Legal solutions

Most national criminal law systems have some provisions criminalizing the preparation and production of these tools, in addition to the “attempt of an offence”. In general, this criminalization – which usually accompanies extensive forward displacement of criminal liability – is limited only to the most serious crimes. In EU legislation, however, there are tendencies to extend the criminalization of preparatory acts to less serious offences.[125]

Taking into account other Council of Europe initiatives, the drafters of the Convention on Cybercrime established an independent criminal offence for specific illegal acts regarding certain devices or access to data to be misused for the purposes of committing offences against the confidentiality, integrity and availability of computer systems or data in Article 6:[126]

Article 6 – Misuse of Devices

(1) Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

(a) the production, sale, procurement for use, import, distribution or otherwise making available of:

(i) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with the above Articles 2 through 5;

(ii) a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

(b) the possession of an item referred to in paragraphs a) i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

(2) This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorized testing or protection of a computer system.

(3) Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1(a)(ii) of this article.

1.6.3.2. Identity theft[127]

Identity theft describes the act of gathering personal information from targets enabling offenders to commit crimes such as fraud[128] (for example, credit card information, passport or ID numbers, bank account information, tax or social security numbers). Identity theft can be carried out in different ways, but the basic elements are similar[129] - offenders first gather personal information using malicious software (for example, keyloggers distributed by spam emails and installed on victims’ computers). Once they have obtained the personal data, offenders can purchase goods with credit card information, register for services using victims’ passport information, make online transfers from victims’ accounts or open new accounts using victims’ social security numbers.

Identity theft is a serious and growing problem.[130] Recent figures show that, in the first half of 2004, 3% of US households fell victim to identity theft.[131] Identity theft fraud causes losses in the region of billions of dollars.[132] Losses may be not only financial, but may also include damage to reputations.[133] In reality, many victims may not report such crimes, while financial institutions often do not wish to publicize customers’ bad experiences.

Legal solutions

The Commission of the European Union recently stated that identity theft has not yet been criminalized in all EU Member States.[134] The Commission expressed its view “that EU law enforcement cooperation would be better served, were identity theft criminalized in all Member States” and announced that it will shortly commence consultations to assess whether such legislation is appropriate.[135] The Convention on Cybercrime does not contain a provision criminalizing all aspects of identity theft.

Identity theft is often used in the preparation and perpetration of further criminal acts such as computer fraud.[136] Even if identity theft is not criminalized in all countries, law enforcement agencies can prosecute some acts (e.g., computer fraud). Nevertheless, some countries have criminalized identity theft as a specific individual offence,[137] since it is often easier to prove the crime of identity theft than the crimes that follow it. Offenders can use the identities thus obtained to hide their own identity. Prosecution of the initial act (identity theft) could avoid difficulties in identifying offenders, if they go on to carry out later offences. Approaches to the criminalization of identity theft can be found in 18 U.S.C. § 1028 and 18 U.S.C. § 1028A.

1.6.3.3. Phishing and other preparatory acts

In cyberspace, phishing is one of the main methods of illegally obtaining sensitive information (including usernames, passwords, personal or financial information). The main methods include:

1. One phishing method is based on the transmission of false email messages, pretending to originate from a legitimate organization or company. Victims may be lured to counterfeit or fake websites that look identical to the legitimate websites maintained by banks, insurance companies or government agencies. The emails or websites are designed to impersonate well-known institutions, often using spam techniques in order to appear legitimate. Company logos and identification information, website text and graphics are accurately copied, possibly making the conduct criminal as forgery. Emails may appear to be from the “billing center” or “account department”. The text may often contain warnings that if the consumer does not respond, the account will be cancelled. A link in the email may take the victim to what appears to be the Billing Center, with a logo and live links to real company websites. The victim may then be lured into providing the phisher with “updated” personal and financial information, which is later used to fraudulently obtain money, goods or services. When phishing is carried out through spamming, it may also constitute a criminal offence as a violation of specific anti-spam legislation.

2. Phishing may also be achieved by deceiving the victim into unwittingly downloading malicious software onto their computer, which allows the perpetrator subsequent access to the computer and to the victim’s personal and financial information. This type of phishing may be carried out through the use of botnets. It is estimated that at least 75% of phishing incidents are carried out through botnets. Individual access is normally considered as illegal access to computer systems and illegally obtaining information.

3. Perpetrators may also purchase, sell or transfer the illegally obtained information to other criminals. The trafficking of stolen personal or financial information could be provided to third parties through a website or a closed web forum and be used to obtain money, credit, goods and services. In such cases, the perpetrators openly engage in the sale of information. It may be a criminal offence, especially if the information is illegally obtained access codes. In other cases, it may not be covered by criminal codes.

4. The criminalization of preparatory acts in computer systems and networks is covered by the Convention on Cybercrime’s Article 6. However, interpretation may be limited to preparatory acts of offences involving a device, including a computer program to be used for the purpose of committing any of the offences established in Articles 2-5, or only involving access data in Article 6(1)(a)(ii). Other categories of cybercrime may not be covered, and establishing independent separate provisions focusing on preparatory acts with regard to all categories of criminal offences, or only cybercrime, or only certain new categories of cybercrime, or other separate solutions, may also be needed.
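The first phishing method above rests on a simple mismatch: the message names a trusted institution, but its link leads somewhere else, and the text presses the reader to act before checking. The following is an added defender-side example, not part of the toolkit and not any vendor's filter: a small Python check that parses an email's HTML body and counts two such indicators, anchor text naming a different site than its `href`, and urgency phrases of the “account will be cancelled” kind. The sample messages, the `example-bank.com` name and the documentation-range address `203.0.113.10` are all constructed.

```python
"""Heuristic phishing-indicator check for an email's HTML body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording of the kind described above; patterns are illustrative, not exhaustive.
URGENCY_PATTERNS = [
    r"\baccount (will|would) be (cancel+ed|suspended|closed)\b",
    r"\bverify your (account|information|details)\b",
    r"\bupdate your (billing|payment|account)\b",
]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude site name: the last two labels. Enough for a heuristic, not a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_mismatches(html):
    """Links whose visible text names a different site than the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        # Does the anchor text itself look like a URL or a domain name?
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and target and registrable_domain(m.group(1)) != registrable_domain(target):
            findings.append({"text": text, "href": href})
    return findings


def urgency_hits(html):
    """Urgency patterns present in the message once tags are stripped."""
    plain = re.sub(r"<[^>]+>", " ", html)
    return [p for p in URGENCY_PATTERNS if re.search(p, plain, re.I)]


def phishing_score(html):
    """Number of independent indicators found (0 means nothing suspicious)."""
    return len(link_mismatches(html)) + len(urgency_hits(html))


# Constructed sample of the lure described above: a "Billing Center" message
# whose visible link names the bank but whose href goes to a bare IP address.
SAMPLE_PHISH = """
<p>Dear customer, our Billing Center could not process your payment.
If you do not respond within 24 hours your account will be cancelled.</p>
<p>Please <a href="http://203.0.113.10/login">visit https://www.example-bank.com/billing</a>
to update your billing details.</p>
"""

# Constructed benign message: link text and href agree, no pressure wording.
SAMPLE_LEGIT = """
<p>Your monthly statement is ready at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    print(link_mismatches(SAMPLE_PHISH))
    print("phish score:", phishing_score(SAMPLE_PHISH), "legit score:", phishing_score(SAMPLE_LEGIT))
```

The score is deliberately additive rather than a verdict: a mail gateway would feed these indicators, together with sender authentication results, into a broader policy, and a single mismatched link in a newsletter should not by itself block delivery.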

The Penal Code of China (Section 22) on preparatory crime may be used as an example of making the following acts a criminal offence:

“The preparation of tools to commit a crime; or creation of conditions to commit a crime”

In Sweden, an article on preparatory acts was adopted in 2001, in conjunction with other amendments in the penal code. It was especially emphasized that the introduction of a specific article on preparatory acts was directed not only at ordinary crimes, but also at problems with computer viruses and other computer programs solely created for the purpose of obtaining illegal access to data or other computer crimes. Chapter 23 § 2 on preparation for crime includes:

“Other involvement with anything that is especially suitable to be used as a tool in a crime.”

Making the preparatory acts separate criminal offences in themselves may be achieved as follows:

“The production, possession, sale, distribution or otherwise making available of computer data primarily as a tool for the purpose of committing a criminal offence in a computer system or network, when committed intentionally, shall be punished as a preparatory act to criminal offences.”

Another alternative could be the expansion of the traditional concept of “attempting to commit an offence” to include all categories of intentional preparatory acts.

Where preparatory acts are related to identity theft, 18 U.S.C. § 1028 could be used as an example of potential legal provisions. This section criminalizes eight categories of conduct involving fraudulent identification documents or the unlawful use of identification information. § 1028 (a)(7) was adopted in 1998 and amended in 2004, and states:

“Whoever, in a circumstance described in subsection (c) of this section (7) knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable, shall be punished as provided in subsection (b) of this section.”

“Means of identification” is defined as any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual. This section applies to both online and manual crime cases.

1.6.4. Computer-related offences

1.6.4.1. Computer-related forgery[138]

Computer-related forgery describes the manipulation of digital documents - for example, by creating a document that seems to originate from a reliable institution or by manipulating email. The falsification of emails includes “phishing”[139], which seeks to make targets disclose personal/secret information.[140] Often, offenders send out emails that look like communications from legitimate financial institutions used by the target.[141] The emails are designed so that targets find it difficult to identify them as fake. The email asks the recipient to disclose and/or verify certain sensitive information. Many victims follow the advice and disclose information enabling offenders to make online transfers etc.[142] Previously, prosecutions involving computer-related forgery have been rare, because most legal documents were tangible documents. However, digital documents play an ever more important role and are used more often in prosecutions. The substitution of classic documents by digital documents is supported by legal means for their use – for example, by legislation recognizing digital signatures.

Legal solutions

Most criminal law systems criminalize the forgery of tangible documents. By protecting the security and reliability of electronic data, the Convention on Cybercrime creates a parallel offence to the traditional forgery of tangible documents to fill gaps in criminal law that might not apply to electronically stored data.[143]

Article 7 – Computer-related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

1.6.4.2. Computer-related fraud[144]

Computer-related fraud is one of the most popular crimes over the Internet,[145] as it uses automation and software tools to mask criminals’ identities. Automation enables offenders to make large profits from a number of small acts.[146] One strategy used by offenders is to ensure that each victim’s financial loss is below a certain limit. With a ‘small’ loss, victims are less likely to invest time and energy in reporting and investigating such crimes. The most common fraud scams include Online Auction Fraud[147] and Advance Fee Fraud.[148]

Legal solutions

Most national laws contain provisions criminalizing fraud offences. However, the application of existing provisions to Internet-related cases can be difficult, especially where traditional national criminal law provisions are based on the deception of a person.[149] In many cases of fraud committed over the Internet, it is in fact a computer system, not a person, that responds to an act of the offender. If traditional criminal provisions addressing fraud do not cover computer systems, an update of the national law is necessary.

The Convention on Cybercrime seeks to criminalize any undue manipulation in the course of data processing which seeks to effect an illegal transfer of property by providing an Article regarding computer-related fraud:[150]

Article 8 – Computer-related fraud

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:

a) any input, alteration, deletion or suppression of computer data;

b) any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

1.7. Measures in Procedural Law[151]

1.7.1. General principles

Adopting procedural laws for the prosecution of criminal conduct against information infrastructure is essential for the investigation and prosecution of cybercrime. Such powers and procedures are also necessary for the prosecution of other criminal offences committed using computer systems, and should apply to the collection of electronic evidence relating to all forms of criminal offences (Convention on Cybercrime, Article 14).

Common provisions on rules for procedural powers, and procedures for collecting, preserving and presenting electronic evidence should be established to enable efficient cross-border investigation and prosecution. The establishment, implementation and application of the powers and procedures provided for in the section on procedural law in Article 15 require States to provide for the adequate protection of human rights and liberties. Some common standards and minimum safeguards are required, including instruments on international human rights. The principle of proportionality should be incorporated, whereby the power or procedure should be proportional to the nature and circumstances of the offence. Each State should also consider the impact of the powers and procedures described in this section upon the rights, responsibilities and legitimate interests of third parties.

1.7.2. Expedited preservation of stored computer data[152]

The identification of offenders who have committed cybercrimes often requires the analysis of traffic data,[153] especially the IP addresses used by offenders, which can help law enforcement agencies to trace them. As long as law enforcement agencies have access to the relevant traffic data, it may even prove possible to identify offenders that have used public Internet terminals that do not require identification. Law enforcement agencies need to be able to carry out investigations very rapidly.

One approach is data preservation (the “quick freeze procedure”) to ensure that cybercrime prosecutions do not fail, simply because traffic data was deleted during the lengthy and complex investigation process. Based on data preservation legislation, law enforcement agencies can order service providers to prevent the deletion of certain data. The expedited preservation of computer data enables law enforcement agencies to react quickly to avoid electronic evidence being deleted during lengthy investigations.[154] Such regulation can be found in Article 16 of the Convention on Cybercrime:

Article 16 – Expedited preservation of stored computer data

1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.

2. Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.

3. Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

4. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.
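Seen from the service provider's side, Article 16 translates into concrete requirements on a retention system: the specified records must be exempted from routine deletion, their integrity must be demonstrable later, the hold may last at most ninety days, and it may be renewed. The following Python model is an added illustration of those requirements; it is not the Convention's text and not any provider's real system. The traffic-data records, the dates, the order identifier and the 7-day routine retention window are all constructed assumptions.

```python
"""Model of an Article 16 preservation ("quick freeze") hold at a provider (added example)."""
import hashlib
import json
from datetime import date, timedelta

MAX_HOLD_DAYS = 90   # Article 16(2): "up to a maximum of ninety days"
RETENTION_DAYS = 7   # assumed routine retention for traffic data (constructed)


def day(iso):
    """Parse 'YYYY-MM-DD' into a date."""
    return date.fromisoformat(iso)


def fingerprint(record):
    """SHA-256 over a canonical JSON rendering, so field order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class PreservationHold:
    """One preservation order: the specified records, their hashes, and the expiry date."""

    def __init__(self, order_id, records, issued_on, days=MAX_HOLD_DAYS):
        if not 0 < days <= MAX_HOLD_DAYS:
            raise ValueError("hold period must be between 1 and 90 days")
        self.order_id = order_id
        self.expires_on = issued_on + timedelta(days=days)
        # Snapshot the records as received and hash each one immediately,
        # so later integrity checks compare against the state at the time of the order.
        self.records = [dict(r) for r in records]
        self.hashes = [fingerprint(r) for r in self.records]

    def active(self, today):
        return today < self.expires_on

    def renew(self, today, days=MAX_HOLD_DAYS):
        """Article 16(2) allows renewal; each renewal is again capped at ninety days."""
        if not 0 < days <= MAX_HOLD_DAYS:
            raise ValueError("renewal period must be between 1 and 90 days")
        self.expires_on = max(self.expires_on, today) + timedelta(days=days)

    def verify(self):
        """Indices of records whose current content no longer matches the stored hash."""
        return [i for i, r in enumerate(self.records) if fingerprint(r) != self.hashes[i]]


def apply_retention(traffic_log, holds, today):
    """Routine deletion run: drop records older than RETENTION_DAYS unless an
    active hold names them. Returns the records that survive the run."""
    held_ids = set()
    for hold in holds:
        if hold.active(today):
            held_ids.update(r["id"] for r in hold.records)
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in traffic_log
            if r["id"] in held_ids or day(r["ts"][:10]) >= cutoff]


# Constructed traffic-data records using documentation-range IP addresses.
TRAFFIC_LOG = [
    {"id": 1, "ts": "2008-03-01T10:00:00Z", "src": "198.51.100.7", "dst": "192.0.2.20", "dport": 25},
    {"id": 2, "ts": "2008-03-01T10:05:00Z", "src": "198.51.100.7", "dst": "192.0.2.21", "dport": 80},
    {"id": 3, "ts": "2008-03-02T09:00:00Z", "src": "203.0.113.5", "dst": "192.0.2.20", "dport": 25},
]


def records_from(src_ip):
    """The records an order might specify: all traffic from one source address."""
    return [r for r in TRAFFIC_LOG if r["src"] == src_ip]


if __name__ == "__main__":
    hold = PreservationHold("ORDER-2008-001", records_from("198.51.100.7"), day("2008-03-03"))
    print("hold expires on", hold.expires_on)
    survivors = apply_retention(TRAFFIC_LOG, [hold], day("2008-03-20"))
    print("records surviving routine deletion:", [r["id"] for r in survivors])
    hold.renew(day("2008-05-30"))
    print("after renewal expires on", hold.expires_on, "tampered records:", hold.verify())
```

Article 16(3) is not modelled: the existence of the hold would in practice be recorded in a restricted audit log rather than surfaced to the subscriber. The hash-at-receipt design is what lets the provider later show that what it discloses under a production order is what it held when the order arrived.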

1.7.3. Expedited preservation and partial disclosure of traffic data[155]

Where law enforcement agencies need immediate access to identify communication paths to trace offenders, Article 17 enables authorities to order the expedited partial disclosure of traffic data. Article 17 does not fit a single clear classification, as it combines an obligation to ensure the preservation of traffic data in cases where a number of service providers have been involved with an obligation to disclose the information necessary to identify the communication path. Without such partial disclosure, law enforcement agencies might not be able to trace offenders where more than one provider is involved.[156]

Article 17 – Expedited preservation and partial disclosure of traffic data

1. Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:

a. ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and

b. ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.

2. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

1.7.4. Production order[157]

Article 16 of the Convention on Cybercrime does not oblige providers to transfer the relevant data to the authorities. The provision only authorizes law enforcement agencies to prevent the deletion of the relevant data, but does not oblige providers to transfer the data. The obligation to transfer is regulated in Article 18 of the Convention. The advantage of separate obligations to preserve data and disclose data is that it is possible to specify different conditions for the obligations to apply. This enables the competent authorities to react faster. The protection of the rights of suspects can be maintained by requiring an order for the disclosure of data,[158] which is among other aspects regulated in Article 18 of the Convention:

Article 18 – Production order

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

a. a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium; and

b. a service provider offering its services in the territory of the Party to submit subscriber information relating to such services in that service provider’s possession or control.

2. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

3. For the purpose of this article, the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:

a. the type of communication service used, the technical provisions taken thereto and the period of service;

b. the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;

c. any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

1.7.5. Search and seizure of stored computer data[159]

Although new investigation instruments such as the real-time collection of content data or the use of remote forensic software to identify offenders are under discussion and have already been implemented by some countries, search and seizure procedures remain a key investigative tool.[160] Most national criminal procedural laws contain provisions that enable law enforcement agencies to search and seize objects[161], but drafters of the Convention on Cybercrime included a provision dealing with search and seizure, as national laws often do not cover data-related search and seizure procedures.[162]

Article 19 – Search and seizure of stored computer data

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

a. a computer system or part of it and computer data stored therein; and

b. a computer-data storage medium in which computer data may be stored in its territory.

2. Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.

3. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to:

a. seize or similarly secure a computer system or part of it or a computer-data storage medium;

b. make and retain a copy of those computer data;

c. maintain the integrity of the relevant stored computer data;

d. render inaccessible or remove those computer data in the accessed computer system.

4. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2.

1.7.6. Real-time collection of traffic data[163]

Telephone surveillance is an instrument used in capital crime investigations in many countries.[164] Today, the exchange of data replaces the classic phone conversations. The exchange of data is not limited to emails and file-transfers - a growing amount of voice communications is carried over technology based on Internet Protocols (IP), such as Voice over IP or VoIP. From a technical point of view, a VoIP call is more comparable to an exchange of emails than to a classic PSTN phone call.[165] Traffic data now plays a growing role in the investigation of cybercrime.[166] While access to data content enables law enforcement agencies to analyze the nature of files exchanged, traffic data can also help identify offenders. By monitoring the traffic data generated during the use of Internet services, law enforcement agencies are able to identify the IP address of the server and can then determine its physical location. The real-time collection of traffic data is regulated by Article 20 of the Convention:

Article 20 – Real-time collection of traffic data

1. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to:

a. collect or record through the application of technical means on the territory of that Party, and

b. compel a service provider, within its existing technical capability:

i. to collect or record through the application of technical means on the territory of that Party; or

ii. to co-operate and assist the competent authorities in the collection or recording of, traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system.

2. Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of traffic data associated with specified communications transmitted in its territory, through the application of technical means on that territory.

3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

1.7.7. Interception of content data[167]

The opportunity to intercept data exchange processes can be important in cases where law enforcement agencies already know the communication partner, but have no information about the type of information exchanged. Article 21 of the Convention gives them the possibility to intercept content data to record data communication and analyze its content.[168]

Article 21 – Interception of content data

1. Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to:

a. collect or record through the application of technical means on the territory of that Party, and

b. compel a service provider, within its existing technical capability:

i. to collect or record through the application of technical means on the territory of that Party, or

ii. to co-operate and assist the competent authorities in the collection or recording of, content data, in real-time, of specified communications in its territory transmitted by means of a computer system.

2. Where a Party, due to the established principles of its domestic legal system, cannot adopt the measures referred to in paragraph 1.a, it may instead adopt legislative and other measures as may be necessary to ensure the real-time collection or recording of content data on specified communications in its territory through the application of technical means on that territory.

3. Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it.

4. The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

1.7.8. Voice over IP (VoIP)

Voice over Internet Protocol (“VoIP”) is increasingly gaining ground in the market for voice communications. The ever-greater capability of VoIP solutions suggests that, in the not too distant future, users will dispense with traditional voice telephony services in favor of VoIP. Anyone with a broadband connection can now subscribe to a VoIP provider and make phone calls to anywhere in the world at near zero cost. Incumbent backbone providers cannot recognize VoIP traffic in their circuit-switched networks, making VoIP technically difficult to regulate. Further, unlicensed VoIP operators are piping millions of dollars of VoIP into regulated countries, bypassing regulators and licensed operators, effectively diverting these revenues from licensed operators. Voice regulations have previously been drafted according to the underlying technology over which the data is carried, rather than the type of information being sent. The danger is that as information (including voice) is increasingly transmitted as data and voice telephony migrates naturally to IP systems, regulation cannot keep up. In designing new regulatory systems, legislatures must consider the type of information being sent, rather than the mechanism by which it is sent, especially where the transmission of human voice is concerned. The challenges arising from unregulated VoIP are far-reaching. The need for regulation can be categorized into several general areas:

1) revenue collection - taxes, fees and rates are needed to maintain and grow a sustainable communications infrastructure;

2) public safety - the ability to guarantee 24/7 access to emergency services, and law enforcement’s ability to track, trace, intercept and interpret communications used for criminal activity over any network; and

3) other issues, such as pro-competitive practices to ensure the smooth and efficient operation of the market, as well as billing and interconnection issues.

Governments and regulators also face concerns to ensure public safety where VoIP is concerned. VoIP providers may not offer emergency service access, in order to cut costs. Another public safety issue is lawful intercept and law enforcement’s surveillance capabilities, as criminals flock to VoIP as a form of secure communications that is difficult for law enforcement to track and trace. Even where law enforcement authorities can track VoIP calls, data encryption is making it more difficult for law enforcement to conduct surveillance. Although surveillance may be allowed by the courts, encryption means law enforcement cannot monitor VoIP calls in the same way they can in the circuit-switched world.

Without being able to require VoIP operators to decrypt, law enforcement agencies cannot monitor terrorist communications or prevent attacks. Instead, law enforcement agencies are limited to using intercepted transmissions to make arrests, when they finally decrypt them, potentially weeks after the event. Clearly, governments and the VoIP industry need to work together to ensure that law enforcement agencies have the tools they need to protect the public from criminal activity.

1.7.9. Use of key loggers and other software tools[169]

To avoid the detection of ongoing investigations, law enforcement agencies need tools that allow them to covertly access computer data stored on suspects’ computers. These tools enable law enforcement agencies to access suspects’ computers remotely and search for information. Currently, the question of whether such instruments are necessary is being intensely debated.[170] Various concepts for “remote forensic software” and its possible functions are discussed. Among them are functions to carry out remote search procedures, the recording of VoIP services, the logging of keystrokes, and the identification of the IP address used by offenders.

1.7.10. Data retention[171]

An obligation for data retention forces ISPs to retain traffic data for a certain period of time.[172] The implementation of a data retention obligation is one approach to obtaining access to traffic data before it is deleted. An example of such an approach is the EU Directive on Data Retention.[173] The fact that key information about Internet communications is covered by the Directive has resulted in some intense criticism from human rights organizations.[174]

1.7.11. Order to disclose key used for encryption[175]

Various software products are available that enable users to protect files, as well as data transfer processes, against unauthorized access. If suspects use such a product and investigative authorities do not have access to the key that was used to encrypt the files, decryption could take decades.[176] One legal approach to address this challenge is the production order - the obligation to disclose the key used to encrypt data. The implementation of such an instrument was discussed at the 1997 G8 Meeting in Denver.[177] One example of a national implementation is Section 69 of India’s Information Technology Act 2000.[178] Another example of such an obligation is Section 49 of the UK Investigatory Powers Act 2000.[179] A general concern relating to this approach is that the obligation could result in a potential conflict with the fundamental right of a suspect against self-incrimination. Instead of leaving the investigation to the competent authorities, suspects need to actively support the investigation. The strong protection against self-incrimination in many countries raises doubts as to whether such regulation could become a model solution to address the challenge of encryption technology.

1.7.12. Jurisdiction

Each State should adopt measures to include jurisdictional provisions in criminal law. Jurisdiction should be established over cybercrime offences where the offence is committed on its territory, on board a ship flying the flag of that State, on board an aircraft registered under the laws of the State, or by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State. States may enter a reservation not to apply the jurisdiction rules, or to apply them only in specific cases or under specific conditions. States should be able to prosecute cases where alleged offenders are present in their territory and the State does not extradite them to another State, solely on the basis of the person’s nationality, after a request for extradition. When more than one State claims jurisdiction over an alleged cybercrime, the States involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution (Article 22 of the Convention on Cybercrime).


1.8. Law Enforcement and Investigation

Around the world, police are tasked with the investigation of crimes against property and persons. While law enforcement organizations enjoy some success in combating traditional forms of crime, rapid developments in ICTs pose new challenges to police. By contrast, criminal offenders have been quick to adapt to and exploit new opportunities created by these technologies. The advent of the Internet and its associated technologies has greatly complicated law enforcement today.

1.8.1. The Move from Physical to Electronic Evidence

Policing and the investigation of cybercrimes and other information security and network security issues are different from traditional forms of investigation in several key ways. Police officers and prosecutors are used to handling traditional low-tech crimes, such as burglaries, homicides and car thefts, which usually leave some form of “real-world” tangible evidence. How then do these professionals respond to a situation where much of the evidence is electronic and stored in “data trails”?

The investigative steps remain the same - identify the victim, locate physical evidence, determine the identity of the perpetrators, and arrest them. In the case of a traditional burglary, the victim almost always alerts police, who look for a point of entry and a method of entry, and attempt to determine what has been stolen. Any physical evidence is analyzed and carefully documented for use in the prosecution.

Of course, the same crime can be committed “virtually” with a computer. The thief can break into a computer system, steal computer files and copy or transport the stolen items. The basic investigative steps remain the same, but the methods and means of proceeding are not so clear. Firstly, the victim may have no idea that his computer files have been stolen. Even if the intrusion is noted, victims may be reluctant to report the matter to the authorities – individuals may not know how or to whom to report cybercrimes, while commercial firms may fear the loss of customers’ confidence. Locating the evidence is no easy task - digital evidence is much harder to locate and trace. The theft, transportation, and storage of electronically stolen money (or other goods) are greatly facilitated by the fact that digitized money and assets are without mass. A billion dollars-worth of electronic assets weighs no more and is just as easy to transport as ten dollars. Thus, the potential for the theft and loss of huge amounts of cash and other assets is enormous.

1.8.2. Encryption Challenges

The introduction of widely-available sophisticated computer-based encryption programmes means that incriminating electronic evidence important for police may be unavailable or difficult to access. Encryption is based on mathematical algorithms that convert digital information into a different format so that it cannot be decoded without a password. In the past few years, digital encryption techniques have become so advanced that there is only a minute chance of deciphering encrypted contents without the password.

Encryption is used legitimately to encode email and computer files on their journey over multiple computer networks between sender and recipient to prevent them being copied or viewed along their intended (or unintended) route. The military, government, banking institutions and other businesses and individuals have legitimate reasons for using encryption. However, encryption can also be used for illicit purposes. Cyber-criminals seek to cover up their electronic tracks to prevent arrest and prosecution. Police agencies must deal with these fundamental changes in evidence collection and preservation. Officers must be trained to follow the digital equivalent of a “blood trail” if they wish to be able to investigate and prosecute the avalanche of criminal offenders.

The problem of encryption cannot be solved by police alone. Recent trends in computer security suggest that the public will also use encryption more often. Software and hardware manufacturers are now beginning to include encryption technology in hard drives, central processing units and software operating systems. These developments suggest that law enforcement will be increasingly afflicted by encryption problems in the future. Already, many police agencies have had to seize and analyze electronic evidence containing encrypted files. Since data at rest is increasingly encrypted, police have to by-pass encryption—either by legally compelling suspects to reveal their passwords, or by conducting a live data seizure of a computer system. The latter is more complex and, under the laws of many countries, amounts to data interception—often requiring higher legal authority than the police.

1.8.3. Costs of High-Technology Crime Investigation

High-tech crime investigations are expensive, as they need highly-trained investigators. Given the pace of technological change, officers must be kept up to date and undergo ongoing training, which is no easy task. Furthermore, expensive specialist computer hardware and software is needed to conduct forensic examinations of digital evidence. As with training, this equipment must also be constantly updated. The physical distance between perpetrators and victims also poses problems for cybercrime investigations, which can stretch around the world and across borders, needing expensive and significant coordination between international police departments – e.g., between police officials in Bangalore in India and Paris in France. The legal issues involved can include extradition treaties, letters rogatory and mutual legal assistance treaties, each of which can add a heavy financial burden even for a large investigative branch.

1.8.4. Counting Cybercrime — How Much Is There?

Crime statistics play a very important role in law enforcement by allowing limited resources to be allocated to the most urgent needs, based on benchmarking and analysis of crime trends. Crime analysts use criminal statistics to spot new trends and criminals’ modus operandi. However, to monitor trends in cybercrime over time, there has to be agreement on consistent definitions of what constitutes a computer crime. Although a few agreed definitions have emerged (e.g., in the Council of Europe’s Convention on Cybercrime), it is difficult to accurately record the number of these offenses and presently, there are few reliable cybercrime statistics due to different definitions, varied sources and uncertainty about the extent of cybercrime reporting.

Computer crime statistics may be kept separately by different units within a police department. For example, online child pornography arrest data may be maintained by the child abuse unit and classified as the crime of “sexual exploitation of a minor”. A police department’s economic crimes unit might include an Internet fraud scam as a fraud case, and an online stalking case might be counted by an agency’s assault unit as a “criminal threat”. Since there are no agreed overall definitions or classifications, accurate statistics are extremely difficult to obtain.

1.8.5. The Underreporting Problem

Generally speaking, crime statistics can provide good approximations for criminal activity - for example, homicide, armed robbery, car theft and assaults tend to be accurately reported to the police. Other criminal offenses, however, are significantly underreported, as in the case of sexual assault and rape. This incidence of unreported criminal activity has been called the “dark figure” by criminologists.[180]

Recent evidence suggests that computer crime may be the most under-reported form of criminal behavior. Often, the victims of computer crime are unaware that an offense has even taken place. Sophisticated technologies, the size and storage capacity of computer networks, and the global distribution of an organization’s informational assets mean that computer crime is very difficult to detect. The vast majority of individuals and organizations remain unaware when they suffer a computer intrusion or loss of data. Another major hurdle is convincing victims who have suffered a loss to come forward and report the crime. Many individuals, network administrators and corporate managers may not recognize that attacks against their networks constitute a crime.

Worse still, many victims who understand that a crime has taken place may deliberately not report it to the police. Computer crimes may not be reported due to doubts about the capacity of the police to handle computer crime incidents in an efficient, timely, and confidential manner.[181] Individuals may feel that their loss is too small to report or may not wish to look foolish. Large corporations may fear damage to their reputation or their profits, if forced to compensate customers who have fallen victim to theft of data or money. This is especially true in the banking and financial sectors, where reputation is everything. Rumours that a bank’s computers and accounts have been compromised could drive thousands of customers to its competitors.

In order to make progress, law enforcement personnel have to work closely with other government organizations, the private sector and the public to increase their awareness of cybercrime, as well as to encourage them to report incidents to police personnel.

1.8.6. Patrolling cyberspace

Unlike traditional police districts, precincts and areas, the Internet remains under-policed. It is common for police forces to carve up their geographic territory into districts, with allocated resources and clearly defined responsibilities. For the Internet, however, no single law enforcement jurisdiction prevails and the Internet is ‘patrolled’ by all manner of law enforcement and government agencies. From national police services to other government authorities (including tax, child protection, censorship and national security) – these organizations have all staked out their perceived territory in cyberspace.

This approach has both advantages and disadvantages. Many civil libertarians and human rights activists take comfort from the fact that there is no “global Internet police” force. Law enforcement personnel have, however, run into difficulties in gathering evidence, coordinating their response and locating criminal offenders. Sometimes, undercover police personnel in one jurisdiction have unintentionally encountered their colleagues half a world away. For example, adult police investigators may pose as children when policing child sex offenders on the Internet. Two police officers, half a world apart, each investigating the same offense, might waste dozens of hours engaging with each other, with neither knowing that the other is an actual police officer.

1.8.7. International law enforcement cooperation

Police services around the world are now cooperating more effectively in the fight against cybercrime. Their cooperation has been boosted significantly by the establishment of a number of fora and legal instruments, enabling police forces to work with their counterparts around the world on criminal offenses involving computer networks. While police officials from certain regions of the world have been meeting since the early 1990s to discuss computer criminality, in other regions, cybercrime is only given a low priority or is not discussed at all. Several international organizations - notably Interpol (the International Criminal Police Organization) and the G8 - have worked to unite police officials from around the world to provide assistance in international cybercrime matters.

One of Interpol’s core functions is to enable the world’s police to exchange information securely and rapidly. The organization’s I-24/7 global police communications system connects law enforcement officials in all 186 member countries and provides them with the means of sharing crucial information on criminals and criminal activities. As criminals and criminal organizations are typically involved in multiple activities, I-24/7 has fundamentally changed the way law enforcement authorities work together. Pieces of seemingly unrelated information can be linked to help create a pattern and solve transnational criminal investigations. Using I-24/7, National Central Bureaus (NCBs) can search and cross-check data in a matter of seconds, with direct access to databases containing information on suspected terrorists, wanted persons, fingerprints, DNA profiles, lost or stolen travel documents, stolen cars and works of art, etc. These resources give police instant access to important information and help facilitate criminal investigations.

Interpol has been actively involved in combating Information Technology Crime (ITC) since 1990. Rather than ‘re-inventing the wheel’, the Interpol General Secretariat has harnessed the expertise of its members in the field of ITC through ‘working parties’, which consist of the heads or experienced members of national computer crime units. These working parties exist worldwide and reflect regional expertise.

1.8.8. Law enforcement capacity-building

Interpol has worked diligently to improve the investigative capacity of law enforcement organizations around the world to respond to emerging cybercrime threats. To date, Interpol has established a number of expert working parties around the world, including in Europe, Asia-South Pacific, Latin America, Africa and the Middle East. Each of these groups brings together regional experts and provides training and a forum for expert discussion on the latest emerging threats in cyberspace. In addition, each working party conducts research on particular aspects of cyber-criminality and prepares reports for law enforcement personnel on many different topics, including computer intrusions, Internet investigations, mobile phone forensics and live data forensics, to name a few.

1.8.9. 24/7 Points of contact “Interpol”/G8

Cybercrime investigations are time-sensitive, i.e., evidence can disappear quickly. To be effective, police need to communicate rapidly and securely with each other in international cybercrime investigations. Often, traditional legal methods for obtaining cross-border evidence (such as mutual legal assistance treaties and letters rogatory) cannot keep up with the need for rapid cybercrime investigations. To this end, 24/7 contact points have been established to enable countries to network with authorities in other countries and request immediate assistance in computer-related investigations and evidence collection. Currently, both Interpol and the G8 have such networks.

In 1997, the G8 created a new mechanism to expedite contacts between countries - a network which supplements, but does not replace, traditional methods of assistance in cases involving telecommunication networks. This network was always intended to include countries beyond the G8 and today, about 50 countries have joined this network. These contacts are available at all hours, 7 days a week, to receive information and/or requests for cooperation in cases involving electronic evidence. According to Article 35 of the Convention on Cybercrime, parties must provide a 24/7 reference point with equipped and trained personnel. The G8 network and the Convention on Cybercrime network are now being consolidated.

Interpol has developed a global police communications system known as I-24/7 to allow police to communicate securely throughout the world. Today, all Interpol member countries are connected to the system and Interpol encourages member countries to use the I-24/7 message system in international cybercrime investigations. To ensure that the information exchanged through the appropriate Interpol channels reaches the specialized police units as fast as possible, a list of National Central Reference Points (NCRPs) for computer-related crime has been compiled. To date, 121 Contact Points have been designated as National Central Reference Points. Messages will be forwarded through the appropriate National Central Bureaus with an indication of the unit to be informed in each receiving country.

Both the G8 and the Interpol networks have been successfully used in many instances to investigate threats and other crimes in a number of countries. For example, the G8 network was used to secure the conviction of a murderer in the United Kingdom by facilitating the preservation and disclosure of Internet records in the United States. The network has also been used on several occasions to avert hacking attacks, including attacks on banks in the United States, Germany and Mexico.

1.8.10. Law enforcement needs assessment and emerging trends

To date, no global law enforcement needs assessment has been completed in order to determine exactly what police agencies need to be more effective in their global fight against cybercrime. However, many local and regional studies have been undertaken. These regional studies indicate that additional training, funding, public awareness and equipment are all needed. In addition, police agencies constitute only one part of the criminal justice system in the fight against and investigation of cyber-offenses. For example, police only have authority to investigate violations of law, yet in many parts of the world, cybercrimes are not clearly delineated in the national criminal code. This lack of legislation poses a major problem to police, particularly when conducting cross-border investigations.

Given the ever-changing nature of technology, it is virtually impossible for police in most parts of the world to keep up with criminals in their constant efforts to exploit ICTs and networked technologies for their personal and illegal gain. It is critical that police work closely with other elements of the criminal justice system, the public at-large, the private sector and non-governmental organizations to ensure a comprehensive approach to resolving this problem.

1.9. Prosecution

1.9.1 Challenges in Prosecuting Cybercrime

One of the main challenges states face in the prosecution of cybercrime is that the medium over which cybercrimes are committed permits a cybercriminal to be located anywhere in the world. Cybercrime, like the borderless Internet itself, is transnational. However, criminal investigation and prosecution are traditionally based on territorial jurisdictions, handled on a local, regional, or national basis.[182] For law enforcement to be effective against transnational cybercrime, effective coordination and cooperation between states is essential.[183]

Prosecutors today face numerous challenges in their efforts to hold cybercriminals responsible for their criminal acts, including (among others):

1) the implementation of relevant substantive and procedural cybercrime legislation;

2) understanding technical evidence;

3) collecting evidence abroad; and

4) extradition of suspects located abroad.

The first challenge facing law enforcement agencies is the need for appropriate legal tools to investigate and prosecute cybercrime in their own jurisdictions, including new forms of online offences. The use of ‘new’ technologies to commit ‘old’ traditional crimes may not need new legislation - e.g., bank thefts committed using computers may already be covered by traditional law. Sometimes, however, prosecutors need substantive cybercrime laws covering unlawful conduct that does not have a traditional crime equivalent – e.g., when an offender uses a computer to knock a company’s website offline. Prosecutors need substantive laws covering these new types of offences. Similarly, technical procedural laws for detecting and investigating cybercrime and traditional crimes are also needed to collect the electronic evidence required for prosecution.

Many states need to adopt new substantive laws that cover new types of crimes and electronic evidence collection procedures.[184] As discussed in detail in the Substantive Law section (Section 1.6), there are numerous substantive cybercrime laws and procedural measures that apply to cybercrimes and the collection of electronic evidence - for example, where offenders gain unauthorized access to a company’s computer and steal valuable data (such as customer lists). A state may not have a substantive criminal offense with which to charge these offenders, or even have the procedural laws in place to engage in real-time tracing of online communications or to obtain stored electronic evidence of Internet use. The Convention on Cybercrime contains key substantive and procedural cybercrime provisions that can serve as models for states interested in adopting cybercrime laws (see the Substantive Law section in Section 1.6).

It is also vital in the global battle against cybercrime that states harmonize their definitions of substantive offenses. Where one state has laws criminalizing cybercrime and others do not, cooperation to solve the crime is unlikely. Such discrepancies in law may shield cybercriminals from law enforcement authorities, as offenders can go unpunished in one country, while thwarting the law enforcement efforts of other countries. International organizations (including the G8 Group, OAS, APEC and the Council of Europe) have taken steps to ensure the harmonization of legal provisions across countries. Provided dual criminality is fulfilled, the global prosecution of cybercrimes may become more efficient. Such an approach is especially vital in the investigation and prosecution of attacks against the infrastructure of computer systems and networks.[185]

Another challenge facing prosecutors is gaining the technical knowledge to understand the crimes and the nature of the evidence. Most prosecutors undergo lengthy and intense legal training, with little technical content, so it is not surprising that they may not be comfortable with technical evidence.[186] During the course of a criminal prosecution, prosecutors may have to explain technical evidence to a judge or jury – for example, how Internet Protocol (IP) addresses are assigned. The technical evidence and nature of cybercrime may be new to prosecutors. Several governments and organizations offer cybercrime technology training. It may be helpful for ITU to work with other organizations to develop and deliver quality technology training for prosecutors and judges.

Another issue facing prosecutors is the collection of evidence abroad rapidly and in a way that meets the procedural requirements for admission in the prosecutor’s jurisdiction. As discussed in Section 1.8 on Law Enforcement and Investigation, solving cybercrime needs immediate action to locate and identify the responsible person or persons.[187] For example, in the U.S., service providers must keep records relating to the IP addresses of their customers for 90 days. If prosecutors outside the U.S. want such evidence, they must send a preservation request to the service provider pursuant to U.S. law 18 U.S.C. § 2703(f). The prosecutors must comply with international law concerning legal assistance to obtain the evidence in such a way that the evidence can be used in a criminal proceeding, through a Mutual Legal Assistance Treaty (MLAT), a multilateral convention or a letter rogatory. These methods for obtaining evidence can take time - sometimes months or even years, which can derail an investigation.

Prosecutors wishing to obtain evidence from another state should consult with the Central Authority for mutual legal assistance about the appropriate procedure and information required, so their request can be executed. When making a request for evidence from abroad, prosecutors have to provide sufficient information to meet the evidentiary requirements imposed by the requesting state. Failure to provide sufficient information that meets the evidentiary standard can slow down the process considerably.

Since cybercrime prosecutions are often based on obtaining electronic data or traffic data to identify suspects, routes or pass-through points, it is vital that service providers retain the data for a sufficient period of time so law enforcement can access the data, before it is destroyed. This is especially challenging when law enforcement and prosecutors must comply with international rules on mutual legal assistance and obtain the evidence quickly, as discussed in Section 1.7.10 on Data Retention.

Due to the fleeting nature of electronic evidence, it is important for countries to enact measures that permit law enforcement to obtain expedited preservation of stored computer data and partial disclosure of traffic data.[188] Electronic evidence may move through a number of states and can be easily altered or deleted. For states to be able to investigate and prosecute cybercrimes effectively, states must have laws to preserve and obtain stored computer and traffic data.

Another challenge in the prosecution of cybercrime is the prosecution of suspects located abroad. Extradition can be especially challenging, even where extradition treaties exist between countries. The process of extradition usually involves filing a request for extradition, with a number of evidentiary and process requirements.[189] Extradition treaties take one of two approaches for the types of crimes that are extraditable:

(1) The first approach is based on the doctrine of dual criminality – extradition is only permitted for persons charged with criminal conduct, if both states have criminalized the conduct and the crimes are punishable by more than one year of imprisonment.

(2) The second approach is that extradition is permitted for a list of crimes contained in, or attached to the extradition treaty.

Meeting either of these requirements may be difficult for cybercrime, as many states lack substantive cybercrime laws, so the principle of dual criminality may not be fulfilled. Where a state does have substantive cybercrime laws, it may not have updated all of its extradition treaties to cover the new offenses. This is not surprising, given that many states entered into their extradition treaties a long time before cybercrime developed.

However, traditional offenses involving new technology may be covered in most extradition treaties. Multilateral treaties can also be used as a basis for extradition requests, including the 1957 Council of Europe Convention on Extradition (which does not operate on a list basis, but mainly on the basis of applicable penalties), and the Convention on Cybercrime. Other possibilities include the use of the UN Transnational Organized Crime Convention (UNTOC) as a basis for extradition, and the EU Framework Decision on the European Arrest Warrant, which cites computer-related crime in the list of 32 offences for which surrender can be granted in the absence of dual criminality, providing that the other conditions in Article 2 of the Framework Decision are met.

In summary, the global prosecution of cybercriminals presents real challenges to law enforcement authorities around the world. Prosecutors need to collect electronic evidence and need legal tools to file charges for unlawful conduct that may have no offline equivalent. Often the evidence and/or suspects are located outside the prosecutor's jurisdiction. Cybercrime investigations are also complicated by sophisticated suspects' use of multiple proxies or pass-through points, and often require investigating agencies to obtain evidence of who was assigned an Internet Protocol address at a specific date and time. The mechanisms in place for obtaining evidence outside a law enforcement agency's jurisdiction and extraditing charged suspects are vital to the successful investigation and prosecution of cybercrime.
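The last point above, attributing an IP address to a subscriber at a specific date and time, is where many requests to providers go wrong in practice. The following added example (not part of the original text, and not modelled on any particular provider's system) resolves such a request against a constructed, hypothetical lease log. It shows the three checks an investigator should insist on: the answer comes from a lease interval rather than a single timestamp; the request time must carry a time zone and be normalised to the log's zone before comparison; and where an address is shared behind carrier-grade NAT, a source port is needed, or the address alone names several subscribers. The log format, addresses and subscriber IDs are all constructed for the example.

```python
"""
Who held a public IP address at a given instant?

Added example; the log format below is a constructed, hypothetical one
modelled loosely on DHCP/RADIUS accounting exports
(start, end, address, source port range, subscriber).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Optional

# Constructed sample log (hypothetical format):
# start_utc,end_utc,public_ip,port_low,port_high,subscriber_id
SAMPLE_LOG = """\
2008-03-01T08:00:00Z,2008-03-01T12:00:00Z,203.0.113.10,0,65535,SUB-0001
2008-03-01T12:00:00Z,2008-03-01T18:30:00Z,203.0.113.10,0,65535,SUB-0002
2008-03-01T09:15:00Z,2008-03-01T23:59:59Z,203.0.113.77,1024,32767,SUB-0100
2008-03-01T09:15:00Z,2008-03-01T23:59:59Z,203.0.113.77,32768,65535,SUB-0101
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and convert it to UTC; reject zone-less values."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without time zone is ambiguous: {value!r}")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class Lease:
    start: datetime      # inclusive
    end: datetime        # exclusive
    ip: str
    port_low: int
    port_high: int
    subscriber: str

    def covers(self, ip: str, when: datetime, port: Optional[int]) -> bool:
        if self.ip != ip or not (self.start <= when < self.end):
            return False
        if port is None:
            # No source port given: only a lease holding the full port range
            # (an unshared address) can be attributed to one subscriber.
            return self.port_low == 0 and self.port_high == 65535
        return self.port_low <= port <= self.port_high


def parse_log(text: str) -> list:
    leases = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, ip, lo, hi, sub = line.split(",")
        ip_address(ip)  # raises on a malformed address
        leases.append(Lease(parse_ts(start), parse_ts(end), ip, int(lo), int(hi), sub))
    return leases


def who_had(leases: list, ip: str, when: str, port: Optional[int] = None) -> list:
    """Subscriber IDs that held `ip` (and `port`, if given) at instant `when`."""
    t = parse_ts(when)
    return sorted({lease.subscriber for lease in leases if lease.covers(ip, t, port)})


def shared_at(leases: list, ip: str, when: str) -> bool:
    """True when more than one subscriber's lease covers `ip` at `when`,
    i.e. a source port is required to attribute the address."""
    t = parse_ts(when)
    holders = {l.subscriber for l in leases if l.ip == ip and l.start <= t < l.end}
    return len(holders) > 1


if __name__ == "__main__":
    leases = parse_log(SAMPLE_LOG)
    # Request phrased in local time (UTC+1): 12:30 local is 11:30Z, so still SUB-0001.
    print(who_had(leases, "203.0.113.10", "2008-03-01T12:30:00+01:00"))
    # Shared (CGNAT) address: no answer without a port, one answer with it.
    print(who_had(leases, "203.0.113.77", "2008-03-01T10:00:00Z"))
    print(who_had(leases, "203.0.113.77", "2008-03-01T10:00:00Z", port=40000))
```

A request that states "12:30 on 1 March" without a zone is rejected outright rather than guessed, because the same wall-clock time maps to different subscribers depending on the offset assumed; that is the most common source of misattribution in practice.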

1.9.2 Letter Rogatory

International legal assistance can be requested and provided through several means. Where there are no agreements in place between two states, international legal assistance is governed by domestic mutual legal assistance laws, including letters rogatory, the customary method of obtaining assistance and evidence from other states, in the absence of a treaty. A letter rogatory is a formal request for assistance from a court in one state to “the appropriate judicial authorities” in another state, requesting compulsion of testimony or documentary or other evidence or effect service of process.[190]

Execution of a letter rogatory by the foreign court rests on comity between nations where no instrument such as the Hague Evidence Convention or a mutual legal assistance treaty (MLAT) applies. Letters rogatory are usually transmitted via diplomatic channels, a time-consuming process.[191] The diplomatic corps is also generally considered free to refuse to act on a letter rogatory if it considers the assistance sought inconsistent with the requested state's public policy. If the request is accepted by the other state, it is transmitted to a judge for execution. The judge is under no obligation to execute the request, and if it is executed, it is done in strict compliance with the law of the requested state. This adds another level of uncertainty, because the law of the requested state may differ substantially from that of the requesting state (on matters such as the authentication of evidence, the manner in which evidence is taken or preserved, and the privileges that witnesses may invoke). Once the request has been executed (or execution has been denied), the results are sent back to the requesting judge, again usually through diplomatic channels.

1.9.3 Multilateral Treaties on Crime

There are a growing number of multilateral conventions calling for cooperation in combating certain crimes.[192] Many of these include mutual legal assistance components, more extensive in some conventions than others. Given that many cybercrimes are transnational in nature, prosecutors can consider using the UN Convention on Transnational Organized Crime (UNTOC) as a basis for mutual legal assistance. In accordance with Article 18 UNTOC, State Parties are required to afford one another the “widest measure of assistance in investigations, prosecutions, judicial proceedings” in relation to specific offences covered by the Convention, being transnational in nature and involving an organized criminal group (set out in Article 3 UNTOC).

Although cybercrime offences are not specified in Article 3, depending on their nature, such offences may be included under “serious crime” as defined in UNTOC. Other examples of UN conventions which provide a basis for mutual legal assistance in relation to their convention offences include the UN Convention Against Terrorist Financing, the UN Convention Against Terrorist Bombing, the 1988 UN Convention Against Illicit Trafficking in Narcotic Drugs and Psychotropic Substances (these conventions are cited merely as examples of conventions providing a basis for mutual legal assistance).

There are also various regional crime and mutual assistance conventions, such as the Council of Europe’s Convention on Money Laundering and Convention on Cybercrime. Both these conventions contain provisions obliging the contracting parties to provide mutual legal assistance to one another in connection with offences defined under the relevant Convention. Additionally, the Council of Europe 1959 Convention and protocols on Mutual Assistance in Criminal Matters serve as a wide basis for mutual assistance in criminal matters between contracting parties. There are also relevant European Union instruments such as the EU 2000 Convention on Mutual Assistance in Criminal Matters. In selecting the most appropriate basis for mutual legal assistance, prosecutors have to consider the nature of the offence, the nature of the assistance sought and whether the state from which assistance is to be sought has signed and ratified an appropriate instrument.

1.9.4 Bilateral Mutual Legal Assistance Treaties

A Mutual Legal Assistance Treaty (MLAT) is an agreement between two countries for the purpose of providing assistance in gathering evidence relating to a criminal investigation or prosecution. An MLAT places an unambiguous obligation on each state to provide specific forms of assistance to the other state in connection with criminal investigations. Typically, an MLAT entitles the requesting state to: assistance in acquiring bank records and other financial information; questioning witnesses and taking statements or testimony; obtaining copies of government records, including police reports; serving documents; transferring persons in custody for purposes of cooperation; conducting searches and seizures; and repatriating stolen property or proceeds of crime.[193]

An MLAT seeks to improve the effectiveness of judicial assistance between two countries and to regularize and facilitate their procedures. Each state designates a competent central authority responsible for the transmission and execution of requests for mutual legal assistance (usually a Ministry of Justice, Attorney General's Office or Prosecutor General's Office). These treaties include the power to summon witnesses, to require the production of documents and other tangible evidence, to issue search warrants, and to observe due process. Generally, the remedies offered by the treaties are only available in criminal matters. An MLAT may also allow any other form of assistance not prohibited under the law of the requested state. This broad language has enabled MLATs to adapt over time in a way other arrangements do not.[194]

Although MLATs and multilateral conventions are different instruments, there are a number of key components common to both:

(1) Firstly, the scope of the obligation to provide assistance has to be specified, including the requirement for assistance to be provided at the earliest stage of the investigation.

(2) The grounds upon which assistance can be denied should also be specified. Typical grounds for refusal allow denial of requests that concern a political offence or a military offence not recognized under ordinary criminal law, or where the request would violate the constitution or be contrary to the legal system of the requested state. Denial is also permitted where the essential interests of the requested state would be harmed (e.g., national security or basic public policy). By specifying the grounds on which requests can be denied, MLATs and multilateral conventions bring clarity and predictability to international mutual legal assistance. Further, most MLATs today state that dual criminality may not serve as a basis for denying assistance, and recent UN instruments on organized crime and corruption have sought to limit its application.

(3) Most MLATs forbid the requesting state from using information or evidence supplied under the MLAT for any investigation other than that for which the information or evidence was requested (although it should be noted that this has recently been qualified in UN instruments where the material is exculpatory to the accused). This kind of provision is similar to the rule of specialty in extradition matters, and helps reassure the requested state that the information it provides will be used only for proper purposes.

(4) Each state must designate a Central Authority responsible for transmitting requests and for the prompt execution of requests from the other party.

(5) Most MLATs and the most recent UN instruments on organized crime and corruption make provisions for cooperation in cases in which crime proceeds are located in the requested state. Many MLATs (as well as the UN conventions on drug trafficking, organized crime and corruption) also provide for the sharing of confiscated assets between the State Parties. In certain circumstances, the UN Convention against Corruption obliges State Parties to return assets to the requesting state.[195]

In summary, there is a growing need to develop multilateral and bilateral agreements so that cybercrime can be prosecuted more effectively around the globe. Where states do not have these types of agreements in place, prosecutors may have to rely on traditional offences and existing law in order to pursue cybercrime cases.

 

1.10. Responsibility of Internet Providers[196]

1.10.1. Introduction

Committing a cybercrime automatically involves a number of people and businesses, even where the offender acted alone. The architecture of the Internet means that the transmission of a simple email requires the services of a number of providers.[197] Cybercrime cannot be committed without the involvement of service providers, yet those providers may have no ability to prevent the crimes, which raises the question of whether the responsibility of Internet service providers needs to be limited.[198] There are different approaches to balancing the need to involve providers in investigations on the one hand and limiting the risk of criminal liability for third parties on the other.[199] An example of a legislative approach can be found in 17 U.S.C. § 512(a) and (b), enacted by the Digital Millennium Copyright Act (DMCA) of 1998. By creating a safe harbor regime, the DMCA excluded the liability of providers of certain services for copyright violations committed by third parties.[200]

§ 512. Limitations on liability relating to material online

(a) Transitory Digital Network Communications

A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the provider’s transmitting, routing, or providing connections for, material through a system or network controlled or operated by or for the service provider, or by reason of the intermediate and transient storage of that material in the course of such transmitting, routing, or providing connections, if—

(1) the transmission of the material was initiated by or at the direction of a person other than the service provider;

(2) the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without selection of the material by the service provider;

(3) the service provider does not select the recipients of the material except as an automatic response to the request of another person;

(4) no copy of the material made by the service provider in the course of such intermediate or transient storage is maintained on the system or network in a manner ordinarily accessible to anyone other than anticipated recipients, and no such copy is maintained on the system or network in a manner ordinarily accessible to such anticipated recipients for a longer period than is reasonably necessary for the transmission, routing, or provision of connections; and

(5) the material is transmitted through the system or network without modification of its content.

(b) System Caching

(1) Limitation on liability.— A service provider shall not be liable for monetary relief, or, except as provided in subsection (j), for injunctive or other equitable relief, for infringement of copyright by reason of the intermediate and temporary storage of material on a system or network controlled or operated by or for the service provider in a case in which—

(A) the material is made available online by a person other than the service provider;

(B) the material is transmitted from the person described in subparagraph (A) through the system or network to a person other than the person described in subparagraph (A) at the direction of that other person; and

(C) the storage is carried out through an automatic technical process for the purpose of making the material available to users of the system or network who, after the material is transmitted as described in subparagraph (B), request access to the material from the person described in subparagraph (A), if the conditions set forth in paragraph (2) are met.

Another example for a limitation of the responsibility of Internet providers can be found in 47 U.S.C. § 230(c) that is based on the Communications Decency Act:

§ 230. Protection for private blocking and screening of offensive material

(c) Protection for “Good Samaritan” blocking and screening of offensive material

(1) Treatment of publisher or speaker

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

(2) Civil liability

No provider or user of an interactive computer service shall be held liable on account of—

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

Both approaches (17 U.S.C. § 512(a) and (b) as well as 47 U.S.C. § 230(c)) share a common focus: the liability of particular groups of providers in particular areas of law.

Another example of a legislative approach to regulating the liability of Internet service providers is the EU E-Commerce Directive.[201] Given the international nature of the Internet, the drafters of the Directive decided to develop legal standards providing a legal framework both for the development of e-commerce and for the work of law enforcement agencies.[202] The regulation of liability is based on the principle of graduated responsibility: the Directive contains a number of provisions limiting the liability of certain providers,[203] linked to the different categories of services the provider operates.

1.10.2. Legal Measures for Trusted Service Provider Identity

The legacy service provider identity and trust models for public telecommunication and radio infrastructures both relied on “strong” regulatory regimes based on licensing and reporting, combined with the publication of information. These regimes worked well for many decades, until the “perfect storm” of the 1990s that diminished the use and feasibility of legacy service provider trust models.

Tools for Service Provider Identity and trust for open ICT internetworking environments were developed by the ITU-T and ISO, together with regional and national industry standards bodies, in the 1980s. These tools relied on governments playing a modest role in establishing authoritative, hierarchical name registries, combined with the issuance of public digital certificates. Although governments engaged in this activity, it was only partially implemented and important network-based query capabilities were lacking. The lack of these capabilities substantially contributed to the modern challenges to cybersecurity today.

A growing number of government agencies and industry credential vendors already require some form of registration for nearly all Service Providers to meet the needs of other service providers, consumers, and government described in part in the various legal measures sections above. However, registration schemes differ widely, few registration schemes are compatible and none facilitate automatic instantaneous lookups that could enable trust assessments in today’s highly-distributed, constantly-evolving infrastructure and ICT services environment.

Governmental and intergovernmental bodies are working with industry to introduce an infrastructure-based means for universal, global Trusted Service Provider Identity, where providers would register with Registration Authorities and notify them with network-based evidence of their "identity resources", which would then be available for anyone to look up, using the Service Provider's globally unique Service Provider Identifier, in any transaction context. The implementation of these steps represents one of the most significant measures to enhance cybersecurity. The legal measures for Trusted Service Provider Identity consist of:

1) implementation of a legal requirement for service provider registration with designated Registration Authorities domestically and internationally; and

2) maintenance of the requisite technical capabilities, in accordance with the applicable ITU-T Recommendations.

1.11. Privacy and Human Rights[204]

1.11.1. The Principles[205]

Security and freedom are both important principles for the growth and development of states; how governments balance these two interests is at the center of many debates about cyberspace. The fundamental individual rights at stake are enshrined in the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms. These documents support the right of every person to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers, as set out in Article 19 of the UDHR.

In conducting cybercrime investigations, states must ensure that the procedural rules include measures that preserve these rights. One means of ensuring proper procedural safeguards is to require judicial review of intrusions into individuals' personal information, or independent oversight of investigations. A second is to limit access to personal information to what is reasonable or necessary in the scope and duration of an investigation. Article 15 of the Convention on Cybercrime addresses the requirements for safeguards on individual rights and identifies the categories where procedural protections are most necessary.

1.11.2. Prosecution[206]

The Ninth Annual Eurojustice Conference[207] was held in Oslo on 27-29 September 2006, at which Attorneys General and Prosecutors General from thirty states discussed the challenges of terrorism and the fight against this crime. The conference stressed the importance of cooperation and coordination in the fight against terrorism and pointed out that all authorities and institutions of a society have a vital role to play in this fight. Success can only be achieved by cooperation and by the exchange of information. The conference stated that acts of terrorism may take place anywhere in the world, so responses must be global, with cross-border cooperation. The conference especially emphasized that there is no war against terrorism, only the regular fight against serious crime. The fight must be founded on the rule of law, under judicial control and based on principles recognized by international human rights conventions. Threats or use of torture, or use of evidence stemming from threats or torture, must never be accepted.

1.11.3. Judicial Courts[208]

National courts are the main legal guarantee of the rule of law over criminal conduct in cyberspace. The role of judges in protecting the rule of law and human rights in the context of cyber-terrorism should also apply to all categories of cybercrime. The Consultative Council of European Judges (CCJE) adopted the following principles in 2006:[209]

While terrorism creates a special situation justifying temporary and specific measures that limit certain rights because of the exceptional danger it poses, these measures must be determined by the law, be necessary and be proportionate to the aims of a democratic society.

Terrorism cases should not be referred to special courts or heard under conditions that infringe individuals' right to a fair trial.

The courts should, at all stages of investigations, ensure that restrictions of individual rights are limited to those strictly necessary for the protection of the interests of society, reject evidence obtained under torture or through inhuman or degrading treatment and be able to refuse other evidence obtained illegally.

Detention measures must be provided for by law and be subject to judicial supervision. Judges should declare unlawful any detention measure that is secret, unlimited in duration or does not involve appearance before a court established according to the law, and should make sure that those detained are not subjected to torture or other inhuman or degrading treatment.

Judges must also ensure that a balance is struck between the need to protect the witnesses and victims of acts of terrorism and the rights of those charged with the relevant offences.

While states may take administrative measures to prevent acts of terrorism, a balance must be struck between the obligation to protect people against terrorist acts and the obligation to safeguard human rights, in particular through effective access to judicial review of the administrative measures.

 

1.12. Civil Matters: Contractual Service Agreements, Federations and other Civil Law measures

Alongside the regulatory and administrative measures detailed in section 1.13, agreements among providers, equipment suppliers and end-users, and civil remedies (e.g., judicial orders for compensation) are also important legal measures to protect cybersecurity. Contractual agreements often anticipate damages and default of obligations, and limit or define the consequences for the parties in advance. Businesses typically assess and allocate the risk of cybersecurity failures, omissions, or misconduct by their employees, suppliers, partners, and customers. They may deal with these risks through negligence and tort law (i.e., as a civil wrong). Such civil wrongs include personal injury, medical malpractice (e.g., in eHealth identity management), product liability, intellectual property infringement, defamation, intentional acts against persons, property or other businesses, and invasion of privacy. Negligence is an important body of law that establishes standards (or indeed obligations) of reasonable care and allocates risk where loss, injury or damage occurs.

1.12.1. Cybersecurity obligations undertaken by the parties

Cybersecurity obligations undertaken by parties include obligations, such as applicable standards with respect to infrastructure resiliency; network/application integrity, maintenance and testing; encryption and VPNs (especially with respect to signaling); Identity Management; routing and resource constraints; data retention and auditing; real-time data availability; and subsequent forensic analysis for security investigatory or evidentiary purposes, including corrective measures and thwarting.

1.12.2. Intentional harm

Civil actions are one means of seeking damages from a party whose cybersecurity failure results in harm to another person or to property, and in particular where that harm is intentional.

1.12.3. Civil remedies and damages

Civil remedies can take the form of orders and assessment of damages resulting from cybersecurity negligence.

 

1.13. Civil Matters: Regulatory and Administrative Law

Among the most important cybersecurity legal measures are requirements enacted by government authorities in the form of infrastructure-based and operational requirements imposed on network infrastructure operators and service providers, or suppliers of equipment and software or end-users. Relevant governmental authorities include international, regional, national, and local jurisdictions, as well as legislative, executive, and judicial bodies. They also include specialized government agencies, consumer protection authorities, homeland security, law enforcement, and national defense and security.

The rapid evolution of ICTs has resulted in a general trend away from specification of detailed technical requirements and homologation (type-acceptance) testing. The imposition of generic “capability requirements” is increasingly essential, as highly competitive marketplaces may not produce adequate or sufficient global public ICT security capabilities.

1.13.1. Critical Information Infrastructure protection; National Security/Emergency Preparedness/Emergency Telecommunication Service Requirements

1.13.1.1. Public communications and SCADA infrastructure protection capabilities

National or regional telecommunications legal regimes, and ITU’s treaty instruments, aim to make public communications infrastructure available and protect it from harm. These objectives also apply to Supervisory Control & Data Acquisition (SCADA) systems and networks supporting critical public infrastructures and services for government, transportation, utilities, finance, and health systems. There are many legal and regulatory provisions that require providers to protect their networks and control devices attached to the networks and criminalize damaging behavior that disrupts the smooth and efficient operation of the networks.

1.13.1.2. Incident response and reporting capabilities

When network use occurs that accidentally or deliberately harms public or SCADA networks, a variety of regulatory, criminal, or industry normative requirements and practices may be invoked which are designed to respond to, analyze, and report the incident forensics. Increasingly, these requirements are international in nature and may be subject to international multilateral or bilateral treaty provisions or agreements.

1.13.1.3. Priority access during major emergencies capabilities

During major emergencies or disasters, public communication infrastructures may experience diminished capacity due to damage to the infrastructure or massive public use. The ITU-T has instituted these requirements internationally as the Emergency Telecommunications Service. Legal and regulatory provisions exist that mandate providers, institute architectures and require practices to allow designated persons to obtain secure priority access to networks and resources.

1.13.1.4. Service restoration after major disasters

During a major disaster, identity management systems can be damaged or disrupted and may need to be subsequently restored. National or local authorities can impose architectures, practices and reporting requirements for the secure restoration of the destroyed network capabilities.

1.13.1.5. Security-related service provisioning constraint capabilities

Concerns often arise about the potential vulnerabilities of national ICT resources maintained by foreign providers. National authorities may impose requirements to constrain security and network management capabilities.

1.13.1.6. Public Safety capabilities

Citizen emergency calls/messages: Citizens often depend on public and private communication infrastructure to call for emergency assistance (often using well-known routing identifiers such as 112, 911 or 999). During the set-up of these communications, public safety officials depend substantially on diverse security and network management capabilities to protect public safety systems and to obtain the identity and location of callers automatically. Emergency service requirements designed to assist emergency responders often exist.

Authority emergency alert messages. Governments often depend on public communication infrastructure to notify citizens of emergencies or impending disasters. Emergency service requirements often exist, designed to notify and monitor the situation in emergencies.

1.13.2. Assistance to Lawful Authority Requirements

1.13.2.1 Lawful Interception capabilities

Governments may impose capability requirements on public and private operators and service providers to monitor, capture and share specific communications or signaling information associated with identified parties or for described behavior for national security needs. Public network operators or owners of private networks may also need such capabilities in responding to attacks on their networks.

1.13.2.2 Retained data capabilities

Governments may impose capability requirements on all public and private infrastructure operators and service providers to extract and store signaling information for criminal forensics or national security needs. In some cases, the requirement may be limited to a specific party or behavior (known as “preservation”), or in other cases a general “data retention” requirement is imposed. Public network operators or owners of private networks may also need such capabilities in responding to attacks on their networks.

1.13.2.3 Cybercrime forensics capabilities

In addition to the lawful interception and retained data capabilities described above, government officials and network operators may need identity management capabilities for the analysis of evidence for prosecution. Identity management is often critical to maintaining confidence in a chain of custody and prevention of tampering. The application of accurate or even certified timestamps is often vital for analyzing evidence.
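The two forensic requirements named above, confidence in the chain of custody and accurate timestamps on each handling step, are usually met in practice with a hash-chained custody log. The following is an added example, not part of the original text and not any agency's procedure. It identifies the evidence by its SHA-256 digest, records each custody event (custodian identity, action, UTC timestamp) in an entry whose digest also covers the previous entry's digest, and verifies the log so that an altered, removed or reordered entry is detected. The evidence bytes, custodian names and times are constructed; a certified timestamp from a trusted third party would in practice be applied to the head digest, which this example does not do.

```python
"""
Hash-chained chain-of-custody log for digital evidence (added example).

The evidence bytes, custodian names and timestamps below are constructed
samples; the log structure is this example's own, not a standard format.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64   # digest the first entry chains to


def evidence_id(data: bytes) -> str:
    """Content identifier for the acquired image/file: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def entry_digest(prev: str, entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + b"\n" + body).hexdigest()


def append(log: list, evidence: str, action: str, custodian: str, when: str) -> list:
    """Record a custody event; `when` is an ISO-8601 UTC timestamp string."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"evidence": evidence, "action": action, "custodian": custodian, "time": when}
    log.append({"entry": entry, "digest": entry_digest(prev, entry)})
    return log


def verify(log: list, evidence: str) -> list:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    last_time = None
    for i, rec in enumerate(log):
        e = rec["entry"]
        if e["evidence"] != evidence:
            problems.append(f"entry {i}: refers to different evidence")
        if entry_digest(prev, e) != rec["digest"]:
            problems.append(f"entry {i}: digest mismatch (entry altered, removed or reordered)")
        t = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        if last_time is not None and t < last_time:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        last_time = t
        prev = rec["digest"]
    return problems


def build_sample_log():
    """Constructed evidence and three custody events (hypothetical custodians)."""
    image = b"constructed sample disk image bytes"
    eid = evidence_id(image)
    log = []
    append(log, eid, "acquired", "examiner A", "2008-03-01T09:00:00Z")
    append(log, eid, "sealed and transferred", "examiner A", "2008-03-01T09:30:00Z")
    append(log, eid, "received", "lab custodian B", "2008-03-01T11:05:00Z")
    return eid, log


if __name__ == "__main__":
    eid, log = build_sample_log()
    print("evidence", eid)
    print("intact:", verify(log, eid) == [])
    log[1]["entry"]["custodian"] = "someone else"   # simulate tampering
    print("after tampering:", verify(log, eid))
```

Because each stored digest covers the previous one, a later party cannot quietly rewrite an earlier hand-over; the verifier reports the first entry at which the chain stops matching, which is also the point from which the custody record can no longer be relied upon.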

1.13.2.4 Anonymity or false identity capabilities

Governments may impose capability requirements on all public communication infrastructures to protect the identity information of authorities and specific users (such as investigatory personnel, witnesses or other persons subject to harm should their true identity become known). This may also occur when a party is given the right to remain anonymous in the course of setting up a communication.

1.13.3 Identifier Resource Management Requirements

1.13.3.1 Trusted identifier/numbering allocation and assignment capabilities

A range of global treaties and other intergovernmental agreements have established governmental entities as significant communication network Identity Providers. These provisions include critical public identifier resources such as ICT, network, object, security, and radiocommunications identifiers (ranging from E.164 telecommunication/telephone numbers, to public network provider identifiers, to device identifiers, to all-encompassing ICT domain name systems like OIDs). These resources are maintained at the global level within the bureaus of international organizations, and increasingly include server-based query-response capabilities. Governmental agencies are then in turn responsible for resource management at the regional or national level and may allocate responsibilities to local governmental or private sector authorities. At the regional and national level, most countries enact statutory legal provisions for identifier resource management providing for the allocation of these identifiers.

1.13.3.2 Administrative support capabilities

Authorities may impose a broad range of Identity Management requirements (including authentication, identifier resolver support, and accurate attribute data associated with end-user and terminal equipment). These requirements can help ensure the integrity of Identity Management systems. They may also include legal and regulatory requirements concerning the allocation of identifiers to certain classes of users (e.g., geographic requirements where the identifier has a geographic context within a country or calling area).

1.13.3.3 Management of Identifier assignments and trusted query capabilities (other than Service Provider Identifiers)

The importance of Trusted Service Provider Identity is discussed in chapter 10. In the course of providing network and ICT services, service and Identity Providers assign different identifiers (such as telephone numbers, IP addresses, Object Identifiers (OIDs), DNS domain names, etc.). In many jurisdictions, the assigning registration authority has to maintain related sets of global Identity Management capabilities for trust and interoperability, especially identity proofing and support for global discovery of, and access to, identity queries. Ref. ITU-T draft Rec. X.idmreq.

1.13.4 Consumer-Related Requirements

Consumer-related cybersecurity requirements typically seek to prevent harm to end-users of ICT infrastructure capabilities and services. Privacy may be especially important - however, the term “privacy” has different legal meanings among jurisdictions, with significant implications reflected in criminal or civil causes of action, and regulatory mandates. Among other aspects, this concept can encompass:

1) the ability to control or prevent unwanted intrusions in different contexts;

2) the ability to protect personally identifiable information; and

3) the ability to remain anonymous or pseudonymous to others.

1.13.4.1 Preventing unwanted intrusion capabilities

There are at least five types of regulatory requirements that may seek to prevent unwanted intrusions:

(1) DoNotCall; Opt-Out: DoNotCall requirements pertain to identifier lists or attribute flags that indicate that consumers do not want certain kinds of communications, e.g. sales and marketing calls.

(2) Trusted CallerID: CallerID is a service whereby the authoritative attributes of a calling party identifier are obtained and provided to the called party - usually as part of the call set-up (‘authoritative’ means a real-time query to the Identity provider that assigned the identifier to the calling party). In some jurisdictions, non-profit solicitors are obliged to use CallerID in conjunction with the call. CallerID allows customers to make an informed choice regarding the communication. It may be enhanced through the use of distinctive ringtones or automated call diversion capabilities. In some jurisdictions, it is a criminal offense to deliberately alter the authoritative CallerID identifier attributes.

(3) Prevention of SPAM: SPAM is large-scale unwanted messaging directed at consumers, often based on harvested or stolen consumer addresses and identity attributes; in many jurisdictions sending it renders the sender liable to civil or criminal penalties. Prevention of SPAM requires an array of IdM support capabilities, including authentication of the messaging servers, white lists, black lists, and reputational or other signature analysis techniques.

(4) Preventing Cyberstalking: Cyberstalking is a form of targeted intrusion by an anonymous party - often against single people or women - with the intent to intimidate. In some jurisdictions, it is a prohibited act to “make a telephone call or utilize a telecommunications device or the Internet, whether or not conversation or communication ensues, without disclosing identity and with intent to annoy, abuse, threaten, or harass any person at the called number or who receives the communications”.

(5) Preventing Cyberpredators: Cyberpredation is a form of targeted intrusion usually by an anonymous adult against a minor for the purposes of encouraging or engaging in illicit sexual activity. In many jurisdictions, the age of the respective parties can make it a serious criminal offense.
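As an added illustration of the IdM capabilities listed under item (3), and not code from the original text, the following Python sketch combines the four building blocks named there into one accept/reject decision: authentication of the sending server (modelled as an SPF-style check of the connecting IP against the networks the sender domain is assumed to publish), an allow list, a block list, and a per-domain reputation score. All domains, addresses, networks, scores and sample messages are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM address
    client_ip: str       # address of the connecting sending server
    subject: str


@dataclass
class Policy:
    # Sender domain -> networks authorised to send for it (stands in for an SPF record)
    authorized_senders: dict = field(default_factory=dict)
    allow_list: set = field(default_factory=set)    # addresses accepted if authenticated
    block_list: set = field(default_factory=set)    # domains always rejected
    reputation: dict = field(default_factory=dict)  # domain -> score in [0, 1]
    reject_below: float = 0.3                       # reputation threshold
    unauthenticated_penalty: float = 0.1            # applied when no sender record exists


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def authenticate_server(msg: Message, policy: Policy) -> str:
    """SPF-style result: 'pass' if the connecting IP is in an authorised network,
    'fail' if the domain publishes networks and the IP is not among them,
    'none' if the domain publishes nothing (nothing can be proved either way)."""
    nets = policy.authorized_senders.get(sender_domain(msg.envelope_from))
    if not nets:
        return "none"
    ip = ipaddress.ip_address(msg.client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"


def classify(msg: Message, policy: Policy) -> tuple:
    """Return (verdict, reason). Ordering: block list first; a hard authentication
    failure is rejected outright; the allow list is honoured only for authenticated
    senders, so a forged allow-listed address is not a free pass; everything else
    falls through to reputation scoring, with a penalty for unverifiable senders."""
    domain = sender_domain(msg.envelope_from)
    if domain in policy.block_list:
        return "reject", "sender domain on block list"
    auth = authenticate_server(msg, policy)
    if auth == "fail":
        return "reject", "connecting server not authorised for sender domain"
    if auth == "pass" and msg.envelope_from.lower() in policy.allow_list:
        return "accept", "allow-listed sender, server authenticated"
    score = policy.reputation.get(domain, 0.5)   # neutral default for unknown domains
    if auth == "none":
        score -= policy.unauthenticated_penalty
    if score < policy.reject_below:
        return "reject", "reputation %.2f below threshold" % score
    return "accept", "reputation %.2f" % score


def demo_policy() -> Policy:
    """Constructed sample policy; every name, network and score is illustrative."""
    return Policy(
        authorized_senders={"bank.example": ["192.0.2.0/24"],
                            "partner.example": ["198.51.100.10/32"]},
        allow_list={"alerts@bank.example"},
        block_list={"spam.example"},
        reputation={"bank.example": 0.9, "partner.example": 0.6,
                    "newsletter.example": 0.2},
    )


if __name__ == "__main__":
    policy = demo_policy()
    samples = [  # constructed messages
        Message("alerts@bank.example", "192.0.2.5", "Statement ready"),
        Message("alerts@bank.example", "203.0.113.7", "Verify your account"),  # forged sender
        Message("offers@spam.example", "203.0.113.8", "Cheap meds"),
        Message("news@newsletter.example", "203.0.113.9", "Weekly digest"),
        Message("someone@unknown.example", "203.0.113.10", "Hello"),
    ]
    for m in samples:
        print(m.envelope_from, m.client_ip, "->", classify(m, policy))
```

The point of the ordering is that the allow list only helps a sender whose server has authenticated; without that coupling, an attacker spoofing an allow-listed address would bypass every other control.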

1.13.4.2 Protection of Personally Identifiable Information (PPII) capabilities

In many jurisdictions, PPII capabilities involve the ability of end-users to control or prevent the use of their identity information. They are reflected in criminal or civil causes of action and in regulatory mandates that are implemented as identity attribute systems. In some jurisdictions (notably the USA), this right is described as Customer Proprietary Network Information (CPNI), which covers subscriber identity information, including usage information.

1.13.4.3 User anonymity capabilities

Another aspect of privacy includes the ability of customers to engage in communications without disclosing their true identity. Anonymity is also linked with rights to free expression and, in some jurisdictions, viewed as an enhancement of those rights. However, achieving anonymity is both costly and often at odds with a host of other legal and regulatory requirements, including consumer privacy requirements. In addition, investigations in civil litigation, as well as potential culpability in criminal proceedings, have dissuaded providers from supporting full anonymity capabilities for consumers.

1.13.4.4 Prevention of identity theft capabilities

Identity theft is a crime where an imposter obtains key pieces of personal information in order to impersonate another person. These crimes may use “pretexting,” i.e., pretending to be the victim in communication with Identity Providers. The information is then used to obtain credit, merchandise, and services in the name of the victim, or to provide the thief with false credentials. In addition to running up debts, imposters can provide false identification to police, creating a criminal record or leaving outstanding arrest warrants for the person whose identity has been stolen. The prevention of identity theft is the aim of many broad-based cybersecurity and cybercrime provisions making “pretexting” a serious crime and mandating additional IdM measures by providers.

1.13.4.5 Identifier revocation/repudiation capabilities

As identity theft has grown, the ability of users and Identity Providers to revoke credentials or repudiate false identity information becomes more important as a consumer requirement. This need has already resulted in improved national and industry IdM practices, such as automatic verification that a credential has not been revoked. Such capabilities are basic requirements for maintaining cybersecurity.
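As an added illustration of the revocation check described above, and not code from the original text, the following Python sketch models an Identity Provider that issues signed credentials and publishes a signed, time-stamped revocation list, and a relying party that accepts a credential only after confirming against a fresh copy of that list. The HMAC signature, key, subject names, credential ids and timestamps are constructed stand-ins for a real certificate or token scheme and its CRL or online status service.

```python
import hashlib
import hmac
import json


def _sign(key: bytes, obj: dict) -> str:
    """Deterministic MAC over canonical JSON; stands in for the Identity
    Provider's signature on a real certificate or token (assumption)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_credential(key: bytes, subject: str, cred_id: str, now: int, ttl: int) -> dict:
    """Identity Provider side: a credential with a unique id and validity window."""
    claims = {"sub": subject, "jti": cred_id, "iat": now, "exp": now + ttl}
    return {"claims": claims, "sig": _sign(key, claims)}


def publish_revocation_list(key: bytes, revoked_ids, now: int) -> dict:
    """Identity Provider side: signed, time-stamped list of revoked credential ids
    (the analogue of a CRL). The timestamp lets a verifier detect a stale copy."""
    body = {"revoked": sorted(revoked_ids), "issued": now}
    return {"body": body, "sig": _sign(key, body)}


def verify_credential(key: bytes, cred: dict, revlist: dict, now: int,
                      max_list_age: int = 600) -> tuple:
    """Relying party side. Return (accepted, reason). A credential is accepted
    only if its signature and validity period check out AND a fresh, authentic
    revocation list says it has not been revoked. A stale or unverifiable list
    fails closed rather than being ignored."""
    claims = cred["claims"]
    if not hmac.compare_digest(cred["sig"], _sign(key, claims)):
        return False, "credential signature invalid"
    if now >= claims["exp"]:
        return False, "credential expired"
    if not hmac.compare_digest(revlist["sig"], _sign(key, revlist["body"])):
        return False, "revocation list signature invalid"
    if now - revlist["body"]["issued"] > max_list_age:
        return False, "revocation status stale, failing closed"
    if claims["jti"] in revlist["body"]["revoked"]:
        return False, "credential revoked"
    return True, "valid"


if __name__ == "__main__":
    idp_key = b"constructed-demo-key"   # sample key for the example, not a real secret
    t0 = 1_700_000_000                  # fixed clock so the run is reproducible
    cred = issue_credential(idp_key, "alice", "cred-001", t0, ttl=3600)
    fresh_empty = publish_revocation_list(idp_key, set(), t0)
    print(verify_credential(idp_key, cred, fresh_empty, t0))
    # The user reports the credential stolen; the provider revokes it.
    revoked = publish_revocation_list(idp_key, {"cred-001"}, t0 + 60)
    print(verify_credential(idp_key, cred, revoked, t0 + 120))
```

The fail-closed rule on a stale list is the practitioner's caveat: a relying party that quietly accepts credentials whenever the revocation service is unreachable or out of date hands an attacker holding a stolen credential exactly the window that revocation is meant to close.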

1.13.4.6 Disability assistance security capabilities

Most jurisdictions require providers to accommodate users with hearing, sight, and other physical or mental disabilities. In many cases, these requirements take into account the cybersecurity needs of the disabled and also require infrastructure and service providers to prevent abuse.

1.13.5. Provider-Related Requirements

1.13.5.1 Network management, intercarrier compensation, and security interoperability capabilities

Intercarrier compensation: Network interoperability depends on the availability and substantial use of a provider’s network resources by other providers, often around the world. Compensation among providers for the use and availability of infrastructure is based on some form of accounting and billing regime. Different levels of accounting granularity and toll charges may exist, typically on the basis of calls, packets, available routes or bandwidth. Various laws and regulations, combined with industry standards and practices, govern these compensation arrangements.

Network interoperability: Public (and most private) ICT network and service providers collectively manage a global network of distributed, autonomous infrastructures at different layers (physical, transport, network, etc.) that must be able to exchange and route traffic to addresses. There are multiple network-centric needs for trusted, current object, user and provider identifiers, their correlation, and their availability among providers. Time-limited performance requirements are also significant for network interoperability. Various laws and regulations, combined with industry standards and practices, govern network interoperability.

1.13.5.2 Secure roaming capabilities

Multiple bilateral and multilateral (federation) agreements exist among network operators to allow access to and use of network resources while roaming. These agreements are usually classified as automatic or manual (i.e., temporary ad hoc agreements). The unbundling of network layers and elements, as well as the growing number of service providers and network operators, complicates roaming security and introduces tight timing constraints. Various laws, regulations and industry practices govern network interoperability and roaming.

1.13.5.3 Preventing and minimizing fraud and identity theft capabilities

Operators of ICT networks and providers of services depend on basic cybersecurity capabilities to prevent and minimize fraud in the use of their network resources and services, as well as theft of their own identity. Identity theft is important and relevant for businesses as well as consumers. There are various laws and regulations addressing fraudulent abuse and identity theft.

1.13.5.4 Digital Rights Management

One of the largest classes of digital assets is written materials, images, films, audio recordings and other bodies of work in which authors and publishers hold ownership rights arising under copyright, patent and trademark law. Digital rights management seeks to control the distribution of these assets and intellectual property, including their associated usage rights and means of compensation.

1.13.5.5 Protection of privileged or sensitive information and processes

Organizations and individuals have recognized rights or powers to designate information as privileged or sensitive for a wide variety of reasons, including government secrets, integrity of processes (especially securities trading), trade secrets, privacy, or diverse forms of confidentiality. Various network security-related laws, regulations, standards and normative practices govern the use, communication and storage of sensitive information.

 

1.14. Civil Matters: Conflict of laws

Conflict of laws, also called “private international law”, is the branch of law that determines which state’s laws apply in resolving a lawsuit or governing a transaction involving a “foreign” element. In essence, private international law regulates private relationships across state borders based upon a body of conventions, state laws, and other documents and instruments. There are a number of international organizations involved in private international law, including the Hague Conference on Private International Law, which addresses topics including choice of law rules, jurisdiction rules, inter-country adoption and child abduction. The Conventions developed by the Hague Conference include:

• The Convention Abolishing the Requirement of Legalisation for Foreign Public Documents;

• The Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters;

• The Convention on the Taking of Evidence Abroad in Civil or Commercial Matters;

• The Convention on the Civil Aspects of International Child Abduction; and

• The Convention on Protection of Children and Co-operation in Respect of Intercountry Adoption.

The Hague Conference also maintains a list of Central Authorities designated under a number of conventions.[210]

The United Nations Commission on International Trade Law (UNCITRAL) was established by a resolution of the UN General Assembly in 1966 and is active in harmonizing private international law. It has also developed several conventions bearing on private international law, including:

• The United Nations Convention on Contracts for the International Sale of Goods;

• The Convention on the Limitation Period in the International Sale of Goods; and

• The 1958 “New York” Convention on the Recognition and Enforcement of Foreign Arbitral Awards.

UNCITRAL has also promoted the harmonization of international trade law through the creation of model laws and legal guides, including the UNCITRAL Model Law on the Procurement of Goods, Construction and Services with Guides to Enactment, UNCITRAL Arbitration Rules and the recent UNCITRAL Notes on Organizing Arbitral Proceedings.[211]

Another significant international organization in this area is the International Institute for the Unification of Private Law (UNIDROIT). UNIDROIT has also developed several Conventions, including:

• The Convention on International Financial Leasing;

• The UNIDROIT Convention on Stolen or Illegally Exported Cultural Objects;

• The Cape Town Convention on International Interests in Mobile Equipment; and

• The Cape Town Protocol on the Convention on International Interests in Mobile Equipment on Matters Specific to Aircraft Equipment.

It also created the UNIDROIT Principles of International Commercial Contracts, which represent general rules of commercial contract law derived from a number of legal systems and is often used by private parties as the governing law in international contracts.[212]

In the area of International Commercial Arbitration, there are several significant bodies. Typically, international arbitration may either be “ad hoc” pursuant to the UNCITRAL Arbitration rules or “institutional” following the rules of arbitration developed by private organizations such as the International Chamber of Commerce (ICC), the American Arbitration Association (AAA) or the London Court of International Arbitration. The International Court of Arbitration of the ICC is a major source of expertise in international commercial arbitration.

The European Union (EU) seeks to harmonize private international law through the development of conventions, directives and regulations, as well as through work towards a European Civil Code. Significant instruments and efforts developed by or within the EU in this area include:[213]

• The Brussels Convention and the Lugano Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters;

• Convention on the Law Applicable to Contractual Obligations (Rome Convention);

• Study Group on a European Civil Code;

• Commission on European Contract Law; and

• Principles of European Contract Law.

Another international organization active in private international law is the Inter-American Specialized Conferences on Private International Law, organized under the Organization of American States. This group plays a major role in the harmonization and codification of Private International Law in the Western hemisphere. Since 1975, this organization has held six conferences and has adopted a number of instruments touching upon applicable law, enforcement and procedural law, family law and commercial law. Significant Conventions developed by this group include:[214]

• Inter-American Convention on General Rules of Private International Law;

• Inter-American Convention on Conflicts of Laws concerning Commercial Companies;

• Inter-American Convention on Conflict of Laws concerning the Adoption of Minors; and

• Inter-American Convention on Conflict of Laws concerning Bills of Exchange, Promissory Notes and Invoices.

The Organisation pour l‘Harmonisation en Afrique du Droit des Affaires (OHADA) began a legal unification process in Africa in October 1992 with the cooperation of the heads of state of sixteen OHADA countries. The first OHADA treaty, the Treaty on the Harmonization of Business Law in Africa, was signed in Mauritius in October 1993. In addition to treaty-making, OHADA also adopts uniform acts, such as the Uniform Act Relating to General Commercial Law.[215]

In the United States, the State Department’s Office of the Assistant Legal Adviser for Private International Law is responsible for coordinating US efforts in the development of private international law. A number of practitioners, corporate counsel, scholars and government attorneys advise the Secretary of State in this area through an Advisory Committee on Private International Law.[216]

For a more extensive discussion of private international law, in addition to the websites cited in this section, also see the following:

http://www.asil.org/resource/pil1.htm#Research%20Guides;

http://www.oas.org/dil/private_international_law.htm;

http://www.state.gov/s/l/index.cfm?id=3452;

http://www.law.pitt.edu/library/international/privatelaw; and

http://en.wikipedia.org/wiki/International_law.

 

1.15. References

Gercke, Marco: National, Regional and International Approaches in the Fight against Cybercrime, CRi 2008

Gercke, Marco: The Convention on Cybercrime, MMR (2004)

Gercke, Marco: Internet-related Identity Theft (2007)

Gercke, Marco: Preservation of User Data, DUD (2002)

Schjolberg and Hubbard: Harmonizing National Legal Approaches on Cybercrime (2005)

Schjolberg, Stein: Terrorism in Cyberspace – Myth or Reality? (2007) www.cybercrimelaw.net

Schjolberg, Stein: Global Legal Framework – www.cybercrimelaw.net

Schjolberg, Stein: Global Supreme Court decisions – www.globalcourts.com

Sieber, Ulrich: Council of Europe Organized Crime Report (2004)

Sieber and Brunst: Cyberterrorism and Other Use of the Internet for Terrorist Purposes – Threat Analysis and Evaluation of International Conventions (2007)

Sieber, Ulrich: Cybercrime and Jurisdiction in Germany. The Present Situation and the Need for New Solutions, (2006)

Sofaer and Goodman: Cyber Crime and Security - The Transnational Dimension of Cyber Crime and Security (2008)

Viira, Toomas: Meridian, Vol.2 No 1 (January 2008)

Wilson, Clay: Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, CRS Report for US Congress (November 2007)

Additional resources:

Westby, Jody R.: Electronic downloads of the following publications are offered free to anyone in developing countries. To obtain links to downloads, send an email with full contact information to Jody Westby at westby@mindspring.com

Westby, Jody R. (ed.): International Guide to Combating Cybercrime, American Bar Association (2003)

Westby, Jody R. (ed): International Guide to Privacy, American Bar Association (2004)

Westby, Jody R. (ed.): International Guide to Cyber Security, American Bar Association (2004)

Westby, Jody R. (ed.): Roadmap to an Enterprise Security Program, American Bar Association (2005)

Appendix 1:


Inventory of relevant instruments

1. United Nations Office on Drugs and Crime

www.unodc.org

2. Council of Europe

www.conventions.coe.int

3. G8 Group of States

www.g7.utoronto.ca

4. European Union

www.europa.eu

www.ec.europa.eu

5. Asia Pacific Economic Cooperation (APEC)

www.apectelwg.org

6. Organization of American States

www.oas.org/juridico/english/cyber.htm

7. The Commonwealth

www.thecommonwealth.org

8. Association of Southeast Asian Nations (ASEAN)

www.aseansec.org

9. Organisation for Economic Co-operation and Development (OECD)

www.oecd.org

10. The Arab League

www.arableagueonline.org

11. The African Union

www.africa-union.org 

[1] ITU World ICT/Telecommunication Indicators Database.

[2] For an overview about the discussion see: Gercke, National, Regional and International Legal Approaches in the Fight against Cybercrime, CRi 2008, Issue 1, page 7-13.

[3] Regarding the extent of transnational attacks in the most damaging cyber attacks see: Sofaer/Goodman, Cyber Crime and Security – The Transnational Dimension in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001, page 7 – available at: http://media.hoover.org/documents/0817999825_1.pdf  (last visited: January 2008).

[4] Regarding the need for international cooperation in the fight against Cybercrime see: Putnam/Elliott, International Responses to Cyber Crime, in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001, page 35 et seq. – available at: http://media.hoover.org/documents/0817999825_35.pdf  (last visited: January 2008); Sofaer/Goodman, Cyber Crime and Security – The Transnational Dimension in Sofaer/Goodman, The Transnational Dimension of Cyber Crime and Terrorism, 2001, page 1 et seq. – available at: http://media.hoover.org/documents/0817999825_1.pdf  (last visited: January 2008).

[5] Dual criminality exists if the offence is a crime under both the requesting and the requested party’s laws. The difficulties the dual criminality principle can cause within international investigations are currently addressed in a number of international conventions and treaties. One example is Art. 2 of the EU Framework Decision of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (2002/584/JHA).

[6] Regarding the dual criminality principle in international investigations see: United Nations Manual on the Prevention and Control of Computer-Related Crime, 269 – available at http://www.uncjin.org/Documents/EighthCongress.html (last visited: January 2008); Schjolberg/Hubbard, Harmonizing National Legal Approaches on Cybercrime, 2005, page 5 – available at: www.itu.int/osg/spu/cybersecurity/ presentations/session12_schjolberg.pdf (last visited: January 2008).

[7] See the Council of Europe Convention on Cybercrime, Art. 23 – Art. 35.

[8]Tunis Agenda for the Information Society, available from www.itu.int/wsis/index.html

[10]Tunis Agenda for the Information Society, available from www.itu.int/wsis/index.html.  

[12] G8 Information Centre, University of Toronto, Canada, see www.g7.utoronto.ca.

[16] See Resolution (AG/RES. 2266 (XXXVII-o/07)).

[17] See www.thecommonwealth.org.

[21] See www.oecd.org.

[22] See Computer-related Criminality: Analysis of Legal Politics in the OECD-Area (1986).

[24] See www.sectsco.org.

[25] See www.g7.utoronto.ca , see also Dunn and Mauer: International CIIP Handbook 2006 Vol. I, page 358-360.

[26]Source: Stein Schjolberg: “Terrorism in Cyberspace - Myth or Reality?” (2007), available from: www.cybercrimelaw.net.

[27] Final Act of the United Nations diplomatic conference of plenipotentiaries on the establishment of an International Criminal Court, Rome July 17, 1998 (U.N. Doc. A/CONF.183/10).

[28] The Council of Europe Convention on the Prevention of Terrorism will enter into force June 1, 2007.

[29] See ASEAN Regional Forum Statement on cooperation in fighting cyber attack and terrorist misuse of cyberspace (June 2006).

[30] John Malcolm, Deputy Assistant Attorney General, US Department of Justice: Virtual Threat, Real Terror: Cyberterrorism in the 21st Century; Testimony before the US Senate Committee on the Judiciary, 24 February 2004.

[31] Dorothy E. Denning, Professor, Naval Postgraduate School, USA: Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives, May 2000.

[32] Keith Lourdeau, Deputy Assistant Director, Cyber Division, US Federal Bureau of Investigation (FBI): Terrorism, Technology, and Homeland Security. Testimony before the Senate Judiciary Subcommittee, 24 February 2004.

[33] See the International Handbook on Critical Information Infrastructure Protection (CIIP) 2006 Vol. II, page 14.

[34] See also Kathryn Kerr, Australia: Putting cyberterrorism into context (2003).

[35] Clay Wilson: CRS Report for Congress – Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress (November 2007).

[36] See the Convention on the Prevention of Terrorism at http://conventions.coe.int/Treaty/en/Treaties/Html/196.htm

[37] See Explanatory Report note 98.

[38] See Explanatory Report note 122.

[40] For more details, see the Convention on Cybercrime, Explanatory Report no 16-106, www.conventions.coe.int.

[41] For more information, see the forthcoming Guide to Understanding Cybercrime, to be published by ITU-D.

[42] In the early years of IT development, the term “hacking” was used to describe the attempt to get more out of a system (software or hardware) than it was designed for. Within this context, the term “hacking” was often used to describe a constructive activity.

[43] Regarding related cases, see Sieber, Council of Europe Organised Crime Report 2004, page 65.

[44] For an overview of victims of hacking attacks, see: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history; Joyner/Lotrionte,    Information Warfare as International Coercion: Elements of a Legal Framework, EJIL 2002, No5 – page 825 et seq.

[45] Regarding threats from Cybercrime toolkits, see Opening Remarks by ITU Secretary-General, 2nd Facilitation Meeting for WSIS Action Line C5, available at: http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/sg-opening-remarks-14-may-2007.pdf.

[46] For an overview of the tools used, see Ealy, A New Evolution in Hack Attacks: A General Overview of Types, Methods, Tools, and Prevention – available at: http://www.212cafe.com/download/e-book/A.pdf.

[47] Botnets is a short term for a group of compromised computers running programmes that are under external control. For more details, see Ianelli/Hackworth, “Botnets as a Vehicle for Online Crime”, 2005, page 3, available at: http://www.cert.org/archive/pdf/Botnets.pdf; Barford/Yegneswaran, “An Inside Look at Botnets”, available at: http://pages.cs.wisc.edu/~pb/botnets_final.pdf; Jones, “BotNets: Detection and Mitigation”.

[48] Gercke: The Convention on Cybercrime, MMR 2004, Page 729.

[49]Explanatory Report to the Council of Europe Convention on Cybercrime, No. 44: “The need for protection reflects the interests of organisations and individuals to manage, operate and control their systems in an undisturbed and uninhibited manner”.

[50]Sieber, Informationstechnologie und Strafrechtsreform, Page 49 et seq.

[51] For an overview of the various legal approaches towards criminalising illegal access to computer systems, see Schjolberg, “The Legal Framework ”, available at: http://www.cybercrimelaw.net.

[52] Art. 2 Convention on Cybercrime enables member states to keep those existing limitations that are mentioned in Art. 2, sentence 2 Convention on Cybercrime. Regarding the possibility to limit criminalization, see also: Explanatory Report to the Council of Europe Convention on Cybercrime, No. 40.

[53] For an overview of the various legal approaches in criminalising illegal access to computer systems, see Schjolberg, “Cybercrime Law – Law survey, available at: www.cybercrimelaw.net.

[54] Regarding the system of reservations and restrictions, see Gercke, “The Convention on Cybercrime”, CRi, 2006, 144.

[55] For more information, see the forthcoming Guide to Understanding Cybercrime, to be published by ITU-D.

[56]Kang, “Wireless Network Security – Yet another hurdle in fighting Cybercrime”; page 6 et seqq.

[57] The radius depends on the transmitting power of the wireless access point. See: http://de.wikipedia.org/wiki/WLAN

[58] Regarding Identity Theft, see Javelin Strategy & Research 2006 Identity Fraud Survey, Consumer Report – available at: http://www.javelinstrategy.com/products/99DEBA/27/delivery.pdf (last visited: Nov. 2007). For further information on other surveys see Chawki/Abdel Wahab, Identity Theft in Cyberspace: Issues and Solutions, page 9, Lex Electronica, Vol. 11, No. 1, 2006 – available at: http://www.lex-electronica.org/articles/v11-1/ chawki_abdel-wahab.pdf (last visited: Nov. 2007). Lee, Identity Theft Complaints Double in ‘02, New York Times, Jan. 22, 2003; Gercke, Internet-related Identity Theft, 2007 – available at: http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_crime/3_Technical_cooperation/CYBER/567%20port%20id-d-identity%20theft%20paper%2022%20nov%2007.pdf;  For an approach to divide between four phases see: Mitchison/Wilikens/Breitenbach/Urry/Portesi – Identity Theft – A discussion paper, page 21 et. seqq. – available at: https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf;  (last visited: Nov. 2007).

[59] In the US, the SSN was created to keep an accurate record of earnings. Contrary to its original intentions, the SSN is today widely used for identification purposes. Regarding offences related to social security numbers see: Givens, Identity Theft: How It Happens, Its Impact on Victims, and Legislative Solutions, 2000 – available at: http://www.privacyrights.org/ar/id_theft.htm  (last visited: Nov. 2007); Sobel, The Demeaning of Identity and personhood in National Identification Systems, Harvard Journal of Law & Technology, Vol. 15, Nr. 2, 2002, page 350.

[60] See: Hopkins, “Cybercrime Convention: A Positive Beginning to a Long Road Ahead”, Journal of High Technology Law, 2003, Vol. II, No. 1; Page 112.

[61] Explanatory Report to the Council of Europe Convention on Cybercrime No. 51.

[62] For more information, see the forthcoming Guide to Understanding Cybercrime, to be published by ITU-D.

[63] For the modus operandi, see Sieber, Council of Europe Organised Crime Report 2004, page 102 et seqq.

[64] Annual Report to Congress on Foreign Economic Collection and Industrial Espionage — 2003, page 1, available at: http://www.ncix.gov/publications/reports/fecie_all/fecie_2003/fecie_2003.pdf.

[65] For more information, see Mitnick/Simon/Wozniak, The Art of Deception: Controlling the Human Element of Security.

[66] See the information offered by anti-phishing working group – available at: www.antiphishing.org;  Jakobsson, The Human Factor in Phishing – available at: http://www.informatics.indiana.edu/markus/papers/aci.pdf;  Gercke, CR 2005, 606.

[67] Regarding threats from Cybercrime toolkits, see Opening Remarks by ITU Secretary-General, 2nd Facilitation Meeting for WSIS Action Line C5, available at: http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/sg-opening-remarks-14-may-2007.pdf.

[68] The Explanatory Report points out, that the provision intends to criminalise violations of the right of privacy of data communication. See the Explanatory Report to the Council of Europe Convention on Cybercrime No. 51.

[69] See Gercke, “The Convention on Cybercrime”, MMR 2004, page 730.

[70] One key indication of the limitation of the application is the fact that the Explanatory Report compares the solution in Art. 3 to traditional violations of the privacy of communication beyond the Internet that do not cover any form of data espionage. “The offence represents the same violation of the privacy of communications as traditional tapping and recording of oral telephone conversations between persons. The right to privacy of correspondence is enshrined in Article 8 of the European Convention on Human Rights.“ See Explanatory Report to the Council of Europe Convention on Cybercrime, No. 51.

[71] Section 202a. Data Espionage:

(1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine.

(2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible.

This provision has recently been modified and now also criminalises illegal access to data. The previous version of the provision is quoted here because it demonstrates the dogmatic structure more clearly.

[72] See in this context for example recent cases in Hong Kong.

[73] For more information, see the forthcoming Guide to Understanding Cybercrime, to be published by ITU-D.

[74] A computer virus is software that is able to replicate itself and infect a computer, without the permission of the user to harm the computer system. See Spafford, “The Internet Worm Program: An Analysis”, page 3; Cohen, “Computer Viruses - Theory and Experiments” – available at: http://all.net/books/virus/index.html. Cohen, “Computer Viruses”; Adleman, “An Abstract Theory of Computer Viruses”. Regarding the economic impact of computer viruses, see Cashell/Jackson/Jickling/Webel, “The Economic Impact of Cyber-Attacks”, page 12; Symantec “Internet Security Threat Report”, Trends for July-December 2006 – available at: http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf

[75] One of the first computer viruses was called (c)Brain and was created by Basit and Amjad Farooq Alvi. For further details, see: http://en.wikipedia.org/wiki/Computer_virus.

[76] White/Kephart/Chess, “Computer Viruses: A Global Perspective”, available at: http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib.html.

[77] Regarding the various installation processes, see: “The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond”, page 21 et seqq. - available at: http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf.

[78] See BBC News, “Virus-like attack hits web traffic”, 25.01.2003, available at: http://news.bbc.co.uk/2/hi/technology/2693925.stm

[80] Cashell/Jackson/Jickling/Webel, “The Economic Impact of Cyber-Attacks”, page 12.

[81] A similar approach to Art. 4 Convention on Cybercrime is found in the EU Framework Decision on Attacks against Information Systems: Article 4 - Illegal data interference: “Each Member State shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right, at least for cases which are not minor”.

[82] Explanatory Report to the Council of Europe Convention on Cybercrime No. 60.

[83] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[84] Re the possible financial consequences, see: Campbell/Gordon/Loeb/Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence From the Stock Market”, Journal of Computer Security, Vol. 11, page 431-448.

[85] For more information, see: US-CERT, “Understanding Denial-of-Service Attacks”, available at: http://www.us-cert.gov/cas/tips/ST04-015.html; Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”, available at: http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html; Schuba/Krsul/Kuhn/Spafford/Sundaram/Zamboni, “Analysis of a Denial of Service Attack on TCP”.

[86] See Sofaer/Goodman, “Cyber Crime and Security – The Transnational Dimension”, in Sofaer/Goodman, “The Transnational Dimension of Cyber Crime and Terrorism”, 2001, page 14, available at: http://media.hoover.org/documents/0817999825_1.pdf.  The attacks took place between 07.02.2000 and 09.02.2000. For a full list of attacked companies and the dates of the attacks, see: Yurcik, “Information Warfare Survivability: Is the Best Defense a Good Offence?”, page 4, available at: http://www.projects.ncassr.org/hackback/ethics00.pdf.

[87] Regarding the possible financial consequences of lack of availability of Internet services due to attack, see: Campbell/Gordon/Loeb/Zhou, “The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence From the Stock Market”, Journal of Computer Security, Vol. 11, page 431-448.

[88] Related to Cyberterrorism see below: xxx and Lewis, “The Internet and Terrorism”, available at: http://www.csis.org/media/csis/pubs/050401_internetandterrorism.pdf; Lewis, “Cyber-terrorism and Cybersecurity”; http://www.csis.org/media/csis/pubs/020106_cyberterror_cybersecurity.pdf; Denning, “Activism, hacktivism, and cyberterrorism: the Internet as a tool for influencing foreign policy“, in Arquilla/Ronfeldt, Networks & Netwars: The Future of Terror, Crime, and Militancy, page 239 et seqq., available at: http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf; Embar-Seddon, “Cyberterrorism, Are We Under Siege?”, American Behavioral Scientist, Vol. 45 page 1033 et seqq; US Department of State, “Pattern of Global Terrorism, 2000”, in: Prados, America Confronts Terrorism, 2002, 111 et seqq.; Lake, 6 Nightmares, 2000, page 33 et seqq; Gordon, “Cyberterrorism”, available at: http://www.symantec.com/avcenter/reference/cyberterrorism.pdf;  US-National Research Council, “Information Technology for Counterterrorism: Immediate Actions and Future Possibilities”, 2003, page 11 et seqq. OSCE/ODIHR Comments on legislative treatment of “cyberterror” in domestic law of individual states, 2007, available at: www.legislationline.org/upload/lawreviews/93/60/7b15d8093cbebb505ecc3b4ef976.pdf. Sofaer, The Transnational Dimension of Cybercrime and Terrorism, Page 221 – 249.

[89] The protected legal interest is the interest of operators as well as users of computer or communication systems being able to have them function properly. See the Explanatory Report to the Council of Europe Convention on Cybercrime, No. 65.

[90] The attacks against Estonia were described by Toomas Viira, from the Estonian Informatics Center, as follows: “In phase I, most of the attacks were relatively simple DoS attacks against government organizations web servers and Estonian news portals. In phase II, much more sophisticated, massive (use of larger botnets) and coordinated attacks appeared. Most dangerous were DDoS attacks against some of the critical infrastructure components – against data communication network backbone routers and attacks against DNS servers. Some of these DDoS attacks were successful for a very short time – less than 5 minutes - of interruptions in the data communication backbone network. Cyber-attacks (mostly DDoS) continued also against government organizations web servers. From 10 May 2007, DDoS attacks against two of Estonia’s biggest banks started. For one of them the attack lasted for almost two days and Internet banking services were unavailable for one hour and thirty minutes. For several days, restrictions were applied for accessing Internet banking services from foreign countries. Several attacks were also undertaken against media company websites, e.g. DDoS against web servers and comment spam against media portals. There were periods where media companies limited the commenting in media portals and when it was not possible to access web pages from foreign countries”. Source: http://meridian2006.org/downloads/newsletter_vol2_no1.pdf.

[91] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[92] See, for example, the “G8 Communiqué”, Genoa Summit, 2001, available at: http://www.g8.gc.ca/genoa/july-22-01-1-e.asp.

[93] UN Convention on the Rights of the Child, A/RES/44/25, available at: http://www.hrweb.org/legal/child.html.

[94] Council Framework Decision on combating the sexual exploitation of children and child pornography, 2004/68/JHA, available at: http://eur-lex.europa.eu/LexUriServ/site/en/oj/2004/l_013/l_01320040120en00440048.pdf.

[95] Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, CETS No: 201, available at: http://conventions.coe.int.

[96] Sieber, “Council of Europe Organised Crime Report 2004”, page 135. Regarding the means of distribution, see: Wortley/Smallbone, Child Pornography on the Internet, page 10 et seqq., available at: http://www.cops.usdoj.gov/mime/open.pdf?Item=1729.

[97] See: Wolak/Finkelhor/Mitchell, “Child-Pornography Possessors Arrested in Internet-Related Crimes: Findings From the National Juvenile Online Victimization Study”, 2005, page 5, available at: http://www.missingkids.com/en_US/publications/NC144.pdf.

[98] See: Wolak/Finkelhor/Mitchell, “Child-Pornography Possessors Arrested in Internet-Related Crimes: Findings From the National Juvenile Online Victimization Study”, 2005, page 5, available at: http://www.missingkids.com/en_US/publications/NC144.pdf.

[99] For more information, see “Child Pornography: Model Legislation & Global Review”, 2006, page 2, available at: http://www.icmec.org/en_X1/pdf/ModelLegislationFINAL.pdf.

[100] Explanatory Report to the Council of Europe Convention on Cybercrime No. 91.

[101] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[103] About a third of all files downloaded in file-sharing systems contained pornography. Ropelato, “Internet Pornography Statistics”, http://internet-filter-review.toptenreviews.com/internet-pornography-statistics.html.

[104] One example of this approach can be found in Sec. 184 German Criminal Code (Strafgesetzbuch): Section 184 Dissemination of Pornographic Writings:

(1) Whoever, in relation to pornographic writings (Section 11 subsection (3)):

1. offers, gives or makes them accessible to a person under eighteen years of age; […].

[105] See Sieber, “Protecting Minors on the Internet: An Example from Germany”, in “Governing the Internet Freedom and Regulation in the OSCE Region”, page 150, available at: http://www.osce.org/publications/rfm/2007/07/25667_918_en.pdf.

[106] One example is the 2006 Draft Law, “Regulating the protection of Electronic Data and Information and Combating Crimes of Information” (Egypt):

Sec. 37: Whoever makes, imitates, obtains, or possesses, for the purpose of distribution, publishing, or trade, electronically processed pictures or drawings that are publicly immoral, shall be punished with detention for a period not less than six months, and a fine not less than five hundred thousand Egyptian pounds, and not exceeding seven hundred thousand Egyptian pounds, or either penalty.

[107] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[108] For a more precise definition, see: ITU Survey on Anti-Spam legislation worldwide 2005, page 5, available at: http://www.itu.int/osg/spu/spam/legislation/Background_Paper_ITU_Bueti_Survey.pdf.

[109] Templeton, “Reaction to the DEC Spam of 1978”, available at: http://www.templetons.com/brad/spamreact.html.

[110] Regarding the development of spam emails, see: Sunner, “Security Landscape Update 2007”, page 3, available at: http://www.itu.int/osg/spu/cybersecurity/pgc/2007/events/presentations/session2-sunner-C5-meeting-14-may-2007.pdf

[111] The Messaging Anti-Abuse Working Group reported in 2005 that up to 85 per cent of all emails were spam. See: http://www.maawg.org/about/FINAL_4Q2005_Metrics_Report.pdf. The provider Postini published a report in 2007 that identifies up to 75 per cent spam email, see: http://www.postini.com/stats/. Spam-Filter-Review identifies up to 40 per cent spam emails, see: http://spam-filter-review.toptenreviews.com/spam-statistics.html. See also the article in The Sydney Morning Herald, “2006: The year we were spammed a lot”, 16 December 2006, available at: http://www.smh.com.au/news/security/2006-the-year-we-were-spammed-a-lot/2006/12/18/1166290467781.htm (accessed April 2007).

[112] “2007 Sophos Report on Spam-relaying countries”, available at: http://www.sophos.com/pressoffice/news/articles/2007/07/dirtydozjul07.html.

[113] Explanatory Report to the Council of Europe Convention on Cybercrime No. 69: “The sending of unsolicited email, for commercial or other purposes, may cause nuisance to its recipient, in particular when such messages are sent in large quantities or with a high frequency (“spamming”). In the opinion of the drafters, such conduct should only be criminalised where the communication is intentionally and seriously hindered. Nevertheless, Parties may have a different approach to hindrance under their law, e.g. by making particular acts of interference administrative offences or otherwise subject to sanction. The text leaves it to the Parties to determine the extent to which the functioning of the system should be hindered – partially or totally, temporarily or permanently – to reach the threshold of harm that justifies sanction, administrative or criminal, under their law”.

[114] The characters are called avatars.

[115] Those objects range from clothes for the avatars to entire virtual buildings.

[116] See “Second Life – Brand Promotion and Unauthorised Trademark Use in Virtual Worlds”, WIPO Magazine, 2007, No. 6, page 12, available online: http://www.wipo.int/wipo_magazine/en/pdf/2007/wipo_pub_121_2007_06.pdf.

[117] See Heise News, 15.11.2006, - available at:  http://www.heise.de/newsticker/meldung/81088 ; DIE ZEIT, 04.01.2007, page 19.

[118] See, for example, BBC News, 09.05.2007, “Second Life ‘child abuse’ claim”, available at: http://news.bbc.co.uk/1/hi/technology/6638331.stm; DW-World News, “German prosecutors pursue child pornography in Second Life”, 08.05.2007, available at: http://www.dw-world.de/dw/article/0,2144,2481582,00.html.

[119] See Second Life – Brand Promotion and Unauthorised Trademark Use in Virtual Worlds, WIPO magazine, 2007, No. 6, page 13 – available online: http://www.wipo.int/wipo_magazine/en/pdf/2007/wipo_pub_121_2007_06.pdf.

[120] See Leapman, “Second Life world may be haven for terrorists”, Sunday Telegraph, 14.05.2007, – available at: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/05/13/nternet13.xml;  Reuters, “UK panel urges real-life treatment for virtual cash”, 14.05.2007, – available at: http://secondlife.reuters.com/stories/2007/05/14/uk-panel-urges-real-life-treatment-for-virtual-cash/.

[121] See: Tamage, Criminality on the Internet, 2007, available at: http://ssrn.com/abstract=996556

[123] “Websense Security Trends Report 2004”, page 11, available at: http://www.websense.com/securitylabs/resource/WebsenseSecurityLabs20042H_Report.pdf;  “Information Security - Computer Controls over Key Treasury Internet Payment System”, GAO 2003, page 3, available at: http://www.globalsecurity.org/security/library/report/gao/d03837.pdf. Sieber, Council of Europe “Organised Crime Report 2004”, page 143.

[124] For an overview about the tools used, see Ealy, “A New Evolution in Hack Attacks: A General Overview of Types, Methods, Tools, and Prevention”, available at: http://www.212cafe.com/download/e-book/A.pdf.

[125] One example is the EU Framework Decision, OJ EC No. L 149, 2 June 2001.

[126] Explanatory Report to the Council of Europe Convention on Cybercrime No. 71: “To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences under Articles 2 – 5. In this respect the provision builds upon recent developments inside the Council of Europe (European Convention on the legal protection of services based on, or consisting of, conditional access – ETS N° 178) and the European Union (Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access) and relevant provisions in some countries”.

[127] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[128] Regarding the various definitions, see: “Putting an End to Account-Hijacking Identity Theft”, Federal Deposit Insurance Corporation, 2004, page 4, available at: http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf; Hoar, “Identity Theft: The Crime of the New Millennium”, 2001, available at: http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm.

[129] See Koops, Leenes, Identity Theft, “Identity Fraud and/or Identity-related Crime”, DUD 2006, 553 et seqq.

[130] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[131] US Bureau of Justice Statistics, 2004, available at http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf.

[132] The President’s Identity Theft Task Force, “Combating Identity Theft”, 2007, Page 11, available at: http://www.idtheft.gov/reports/StrategicPlan.pdf.

[133] See: Mitchison/Wilikens/Breitenbach/Urry/Portesi, “Identity Theft – A discussion paper”, 2004, page 5, available at: https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf.

[134] Communication from the Commission to the European Parliament, the Council and the Committee of the Regions towards a general policy on the fight against cybercrime, COM (2007) 267.

[135] Communication from the Commission to the European Parliament, the Council and the Committee of the Regions towards a general policy on the fight against cyber crime, COM (2007) 267.

[136] See Hoar, “Identity Theft, The Crime of the New Millennium, 2001”, available at: http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm.

[137] For an overview of identity theft legislation in Europe, see: Mitchison/Wilikens/Breitenbach/Urry/Portesi, “Identity Theft – A discussion paper”, page 23 et. seqq., available at: https://www.prime-project.eu/community/furtherreading/studies/IDTheftFIN.pdf; “Legislative Approaches To Identity Theft: An Overview”, CIPPIC Working Paper No.3, 2007.

[138] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[139] Regarding phishing, see Dhamija/Tygar/Hearst, “Why Phishing Works”, available at: http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf; “Report on Phishing”, A Report to the Minister of Public Safety and Emergency Preparedness Canada and the Attorney General of the United States, 2006, available at: http://www.usdoj.gov/opa/report_on_phishing.pdf.

[140] The term “phishing” originally described the use of emails to “phish” for passwords and financial data from a sea of Internet users. The use of “ph” linked to popular hacker naming conventions. See Gercke, CR, 2005, 606; Ollmann, “The Phishing Guide Understanding & Preventing Phishing Attacks”, available at: http://www.nextgenss.com/papers/NISR-WP-Phishing.pdf.

[141] “Phishing” scams show a number of similarities to spam emails. It is likely that those organised crime groups that are involved in spam are also involved in phishing scams, as they have access to spam databases. Regarding spam, see Section 1.6.2.3.

[142] For more information, about phishing scams see The Phishing Guide Understanding & Preventing Phishing Attacks.

[143]Explanatory Report to the Council of Europe Convention on Cybercrime No 81: “The purpose of this article is to create a parallel offence to the forgery of tangible documents. It aims at filling gaps in criminal law related to traditional forgery, which requires visual readability of statements, or declarations embodied in a document and which does not apply to electronically stored data. Manipulations of such data with evidentiary value may have the same serious consequences as traditional acts of forgery if a third party is thereby misled. Computer-related forgery involves unauthorised creating or altering stored data so that they acquire a different evidentiary value in the course of legal transactions, which relies on the authenticity of information contained in the data, is subject to a deception.”

[144] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[145] In 2006, the US Federal Trade Commission received nearly 205,000 Internet-related fraud complaints. See Consumer Fraud and Identity Theft Complaint Data, January – December 2006, Federal Trade Commission, available at: http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf.

[146] In 2006, nearly 50% of all fraud complaints reported to the US Federal Trade Commission were related to amounts paid between 0-25 US Dollars See Consumer Fraud and Identity Theft Complaint Data, January – December 2006, Federal Trade Commission, available at: http://www.consumer.gov/sentinel/pubs/Top10Fraud2006.pdf.

[147] The term auction fraud describes fraudulent activities involving electronic auction platforms over the Internet.

[148] The term “advance fee fraud” describes offences in which offenders seek to convince targets to advance a small sum of money in the hope of receiving a much larger sum afterwards. For more information, see: Reich, Advance Fee Fraud Scams in-country and across borders, Cybercrime & Security, IF-1, page 1; Smith/Holmes/Kaufmann, Nigerian Advance Fee Fraud, “Trends & Issues in Crime and Criminal Justice”, No. 121, available at: http://www.aic.gov.au/publications/tandi/ti121.pdf; Oriola, “Advance fee fraud on the Internet: Nigeria’s regulatory response”, “Computer Law & Security Report”, Volume 21, Issue 3, 237.

[149] One example of this is Section 263 of the German Penal Code, which requires that a natural person be deceived (i.e. that a person be led into a mistake). Where the offender manipulates a computer system rather than deceiving a human being, no such mistake occurs, so the provision does not cover the majority of computer-related fraud cases:

Section 263 Fraud

(1) Whoever, with the intent of obtaining for himself or a third person an unlawful material benefit, damages the assets of another, by provoking or affirming a mistake by pretending that false facts exist or by distorting or suppressing true facts, shall be punished with imprisonment for not more than five years or a fine.

[150] Explanatory Report to the Council of Europe Convention on Cybercrime No 86.

[151] For more details, see the Convention on Cybercrime, Explanatory Report no. 128-144, and 149-239, see www.conventions.coe.int.

[152] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[153] “Determining the source or destination of these past communications can assist in identifying the identity of the perpetrators. In order to trace these communications so as to determine their source or destination, traffic data regarding these past communications is required”, See: Explanatory Report to the Council of Europe Convention on Cybercrime No. 155. Regarding the identification of suspects by IP-based investigations, see: Gercke, Preservation of User Data, DUD 2002, 577 et seq.

[154] However, it is recommended that States consider the establishment of powers and procedures to actually order the recipient of the order to preserve the data, as quick action by this person can result in the more expeditious implementation of the preservation measures in particular cases. See the Explanatory Report to the Convention on Cybercrime, No. 160.

[155] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[156] “Often, however, no single service provider possesses enough of the crucial traffic data to be able to determine the actual source or destination of the communication. Each possesses one part of the puzzle, and each of these parts needs to be examined in order to identify the source or destination”. See the Explanatory Report to the Convention on Cybercrime, No. 167.

[157] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[158] The drafters of the Convention on Cybercrime tried to resolve problems related to the need of immediate action from law enforcement agencies on the one hand and the importance of ensuring safeguards on the other hand in a number of ways. One example of their approach is the production order (Art. 18). The drafters suggested that the requirements for the handout of data to law enforcement agencies could be adjusted in relation to categories of data. See the Explanatory Report to the Convention on Cybercrime No. 174: “The conditions and safeguards referred to in paragraph 2 of the article, depending on the domestic law of each Party, may exclude privileged data or information. A Party may wish to prescribe different terms, different competent authorities and different safeguards concerning the submission of particular types of computer data or subscriber information held by particular categories of persons or service providers. For example, with respect to some types of data, such as publicly available subscriber information, a Party might permit law enforcement agents to issue such an order where in other situations a court order could be required. On the other hand, in some situations a Party might require, or be mandated by human rights safeguards to require that a production order be issued only by judicial authorities in order to be able to obtain certain types of data. Parties may wish to limit the disclosure of this data for law enforcement purposes to situations where a production order to disclose such information has been issued by judicial authorities. The proportionality principle also provides some flexibility in relation to the application of the measure, for instance, in many States in order to exclude its application in minor cases”.

[159] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[160] A detailed overview of the elements of search procedures is provided by the ABA International Guide to Combating Cybercrime, 123 et seq. For more information on Computer-related Search and Seizure, see: Winick, Searches and Seizures of Computers and Computer Data, Harvard Journal of Law & Technology, 1994, Vol. 8, page 75 et seqq.; Rhoden, Challenging searches and seizures of computers at home or in the office: From a reasonable expectation of privacy to fruit of the poisonous tree and beyond, American Journal of Criminal Law, 2002, 107 et seq.

[161] See the Explanatory Report to the Convention on Cybercrime, No. 184.

[162] “However, in a number of jurisdictions stored computer data per se will not be considered as a tangible object and therefore cannot be secured on behalf of criminal investigations and proceedings in a parallel manner as tangible objects, other than by securing the data medium upon which it is stored. The aim of Article 19 of this Convention is to establish an equivalent power relating to stored data”. Explanatory Report to the Convention on Cybercrime, No. 184.

[163] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[164] Regarding the legislation on legal interception in Great Britain, Canada, South Africa, United States (New York) and Israel, see the Legal Opinion on Intercept Communication, 2006, available at: http://www.law.ox.ac.uk/opbp/OPBP%20Intercept%20Evidence%20Report.pdf.

[165] Regarding the interception of VoIP to assist law enforcement agencies, see Bellovin and others, Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP – available at http://www.itaa.org/news/docs/CALEAVOIPreport.pdf; Simon/Slay, Voice over IP: Forensic Computing Implications, 2006, available at: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Simon%20Slay%20-%20Voice%20over%20IP-%20Forensic%20Computing%20Implications.pdf.

[166] “In case of an investigation of a criminal offence committed in relation to a computer system, traffic data is needed to trace the source of a communication as a starting point for collecting further evidence or as part of the evidence of the offence. Traffic data might last only ephemerally, which makes it necessary to order its expeditious preservation. Consequently, its rapid disclosure may be necessary to discern the communication’s route in order to collect further evidence before it is deleted or to identify a suspect. The ordinary procedure for the collection and disclosure of computer data might therefore be insufficient. Moreover, the collection of this data is regarded in principle to be less intrusive since as such it doesn’t reveal the content of the communication which is regarded to be more sensitive”. See: Explanatory Report to the Convention on Cybercrime, No. 29. Regarding the importance of traffic data in Cybercrime investigations see as well: ABA International Guide to Combating Cybercrime, page 125; Gercke, Preservation of User Data, DUD 2002, 577 et seq.
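Footnotes 153, 156 and 166 all turn on the same practical point: no single provider holds the whole path of a communication, and the traffic data each one holds is short-lived, which is why expedited preservation (Art. 16) and partial disclosure of traffic data (Art. 17) exist. The following Python script is an added example for this page, not part of the ITU text or of the Explanatory Report it quotes. It walks a communication back hop by hop through three providers' records and shows the chain breaking when one provider's retention period has elapsed, unless a preservation order reached that provider in time. Every log record, provider name, address, timestamp, retention period and subscriber entry is constructed for illustration and is an assumption, not data from the page.

```python
"""Tracing the source of a communication across several providers' traffic data.

Added example for this page; it is not part of the ITU text or the Explanatory
Report it quotes. Every log record, provider name, address, timestamp and
retention period below is constructed for illustration (assumptions, not data
from the page).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One item of traffic data: at `provider`, a connection to `dst` was seen
    originating from `src` at time `ts`."""
    provider: str
    src: str
    dst: str
    ts: datetime


T0 = datetime(2007, 5, 10, 9, 12, 5)  # assumed time the victim's server received the message

# Constructed logs: each provider holds only "one part of the puzzle" (footnote 156).
ALL_LOGS: Dict[str, List[Record]] = {
    # victim's mail server: saw the message arrive from the relay's public address
    "mail.example.org": [Record("mail.example.org", "203.0.113.10", "mail.example.org", T0)],
    # relay operator: its address 203.0.113.10 was contacted from the access ISP's NAT address
    "relay.example.net": [Record("relay.example.net", "198.51.100.7", "203.0.113.10",
                                 T0 - timedelta(seconds=2))],
    # access ISP: NAT table mapping its public address back to a private subscriber address
    "isp.example.com": [Record("isp.example.com", "10.20.30.40", "198.51.100.7",
                               T0 - timedelta(seconds=4))],
}

# Assumed retention periods: traffic data "might last only ephemerally" (footnote 166).
RETENTION: Dict[str, timedelta] = {
    "mail.example.org": timedelta(days=90),
    "relay.example.net": timedelta(days=7),
    "isp.example.com": timedelta(days=1),
}

# Assumed subscriber records held by the access ISP.
SUBSCRIBERS: Dict[str, str] = {"10.20.30.40": "line-4711"}

# Two assumed points in time at which an investigator asks for the data.
NOW_SAME_DAY = T0 + timedelta(hours=2)
NOW_TWO_DAYS_LATER = T0 + timedelta(days=2)


def trace_source(dst: str, ts: datetime, now: datetime,
                 preserved: FrozenSet[str] = frozenset(),
                 skew: timedelta = timedelta(seconds=5)) -> Tuple[List[Record], Optional[str]]:
    """Walk traffic data backwards from `dst` at `ts`, one provider at a time.

    `now` is when the investigator asks. A record older than its provider's
    retention period is gone, unless that provider is in `preserved` (an
    expedited preservation order reached it before the record expired).
    Returns the hops found and the subscriber identified, or None if the
    chain broke before a subscriber could be resolved.
    """
    chain: List[Record] = []
    visited = set()
    current, t = dst, ts
    while True:
        match = None
        for provider, records in ALL_LOGS.items():
            if provider in visited:
                continue
            for r in records:
                if r.dst == current and abs(r.ts - t) <= skew:
                    expired = now - r.ts > RETENTION[provider]
                    if expired and provider not in preserved:
                        return chain, None  # provider can no longer produce this record
                    match = r
                    break
            if match:
                break
        if match is None:
            # no further hop recorded: try to resolve the address to a subscriber
            return chain, SUBSCRIBERS.get(current)
        chain.append(match)
        visited.add(match.provider)
        current, t = match.src, match.ts


if __name__ == "__main__":
    cases = (("same day", NOW_SAME_DAY, frozenset()),
             ("two days later", NOW_TWO_DAYS_LATER, frozenset()),
             ("two days later, ISP preserved", NOW_TWO_DAYS_LATER, frozenset({"isp.example.com"})))
    for label, when, kept in cases:
        hops, who = trace_source("mail.example.org", T0, when, kept)
        print(f"{label}: {len(hops)} hop(s) -> {who or 'chain broke'}")
```

Run as a script, the three cases show a full trace to the subscriber on the same day, a chain that stops after two hops once the access ISP's one-day NAT log has rolled over, and a full trace again when that ISP was served with a preservation order in time. The per-provider retention periods are deliberately uneven: in practice the hop nearest the suspect (the access ISP's NAT or RADIUS log) is often the one with the shortest lifetime and the one most worth preserving first.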

[167] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[168] One way to prevent law enforcement agencies from analysing the content exchanged between two suspects is the use of encryption technology. Regarding the functioning of encryption procedures, see: Singh, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, 2006; D’Agapeyeff, Codes and Ciphers – A History of Cryptography, 2006; An Overview of the History of Cryptology, available at: http://www.cse-cst.gc.ca/documents/about-cse/museum.pdf.

[169] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[170] Regarding the plans of German law enforcement agencies to develop software to remotely access a suspect’s computer and perform search procedures, see: Blau, “Debate rages over German government spyware plan”, 05.09.2007, Computerworld Security, available at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9034459; Broache, “Germany wants to sic spyware on terror suspects”, 31.08.2007, CNet News, available at: http://www.news.com/8301-10784_3-9769886-7.html.

[171] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[172] For an introduction to data retention, see: Breyer, Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Traffic Data Retention with the ECHR, European Law Journal, 2005, page 365 et seq; Blanchette/Johnson, Data retention and the panoptic society: The social benefits of forgetfulness – available at: http://polaris.gseis.ucla.edu/blanchette/papers/is.pdf

[173] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[174] See for example: Briefing for the Members of the European Parliament on Data Retention – available at: http://www.edri.org/docs/retentionletterformeps.pdf; CMBA, Position on Data retention: GILC, Opposition to data retention continues to grow – available at: http://www.vibe.at/aktionen/200205/data_retention_30may2002.pdf; Regarding the concerns related to a violation of the European Convention on Human Rights see: Breyer, Telecommunications Data Retention and Human Rights: The Compatibility of Blanket Traffic Data Retention with the ECHR, European Law Journal, 2005, page 365 et. seqq.

[175] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[176] Schneier, Applied Cryptography, Page 185.

[177] Lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies.

[178] An example can be found in Sec. 69 of the Indian Information Technology Act 2000: “Directions of Controller to a subscriber to extend facilities to decrypt information.
(1) If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence, for reasons to be recorded in writing, by order, direct any agency of the Government to intercept any information transmitted through any computer resource. (2) The subscriber or any person in-charge of the computer resource shall, when called upon by any agency which has been directed under sub-section (1), extend all facilities and technical assistance to decrypt the information”. For more information about India’s Information Technology Act 2000, see Duggal, India’s Information Technology Act 2000, available at: http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002090.pdf

[179] For general information on the Act, see: Brown/Gladman, The Regulation of Investigatory Powers Bill - Technically inept: ineffective against criminals while undermining the privacy, safety and security of honest citizens and businesses – available at: http://www.fipr.org/rip/RIPcountermeasures.htm; Ward, Campaigners hit by decryption law, BBC News, 20.11.2007 – available at: http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/7102180.stm; ABA International Guide to Combating Cybercrime, page 32.

[180] International Review of Criminal Policy - United Nations Manual on the Prevention and Control of Computer-related Crime.

[181] Collier and Spaul, p. 310.

[182] See, e.g. Council of Europe, Draft Explanatory Memorandum to the Draft Convention on Cybercrime, n. 6 (February 14, 2001).

[183] See, e.g. Council of Europe, Draft Explanatory Memorandum to the Draft Convention on Cybercrime, n. 6 (February 14, 2001).

[184] See Brenner, Cybercrime Investigation and Prosecution: The Role of Penal and Procedural, Comment 2, Murdoch University Electronic Journal of Law, Vol. 8, Number 2 (June 2001).

[185] Schjolberg, Hubbard, Harmonizing National Legal Approaches to Cybercrime, ITU (2005), located at http://www.itu.int/osg/spu/cybersecurity//docs/Background_Paper_Harmonizing_National_and_Legal_Approaches_on_Cybercrime.pdf.

[186] According to a report by the U.S. President’s Working Group on Unlawful Conduct, it is recognized that law enforcement faces significant needs in the areas of resources, training and the need for new investigative tools and capabilities. A Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000, located at http://www.usdoj.gov/criminal/cybercrime/unlawful.htm.

[187] A Report of the President’s Working Group on Unlawful Conduct on the Internet, March 2000, located at http://www.usdoj.gov/criminal/cybercrime/unlawful.htm.

[188] See the Statement of Bruce Swartz, Deputy Assistant Attorney General Criminal Division, before the Senate Foreign Relations Committee on Multilateral Law Enforcement Treaties, July 13, 2004, located at http://www.usdoj.gov/criminal/cybercrime/swartzTestimony061704.htm.

[189] See U.S. Department of Justice, United States Attorney’s Manual, Title 9-15.000, International Extradition and Related Matters, located at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/15mcrm.htm.

[190] Epstein & Snyder, International Litigation: A Guide to Jurisdiction, Practice & Strategy, 2nd ed., Sec. 10.09 (1998).

[191] U.S. Department of Justice, U.S. Attorneys Manual, Title 9, available at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title9/crm00275.htm.

[192] See Prost, Senior Counsel, Director, International Assistance Group, Department of Justice, Canada, located at http://www.oas.org/juridico/MLA/en/can/en_can_prost.en.html (1994).

[193] OECD Preliminary draft issues paper on Frameworks for Extradition and Mutual Legal Assistance in Corruption matters, located at http://www.oecd.org/dataoecd/28/11/39200781.pdf (2006).

[194] See U.S. Department of State, Bureau of Consular Affairs, Mutual Legal Assistance (MLAT) and Other Agreements, located at http://travel.state.gov/law/info/judicial/judicial_690.html.

[195] Harris, Mutual Legal Assistance Treaties: Necessity, Merits and Problems Arising in the Negotiation Process, Asia Crime Prevention Foundation (ACPF) Lecture, 2000, which can be found at http://travel.state.gov/law/info/judicial/judicial_690.html.

[196] For more information, see the forthcoming Guide to Understanding Cybercrime to be published by ITU-D.

[197] Regarding the network architecture and the consequences with regard to the involvement of service providers, see: Black, Internet Architecture: An Introduction to IP Protocols, 2000; Zuckerman/McLaughlin, Introduction to Internet Architecture and Institutions, 2003 – available at: http://cyber.law.harvard.edu/digitaldemocracy/internetarchitecture.html.

[198] For an introduction to the discussion, see: Elkin-Koren, Making Technology Visible: Liability of Internet Service Providers for Peer-to-Peer Traffic, Journal of Legislation and Public Policy, Volume 9, 2005, page 15 et seqq. – available at: http://www.law.nyu.edu/journals/legislation/articles/current_issue/NYL102.pdf.

[199] In the decision Recording Industry Association of America v. Charter Communications, Inc., the United States Court of Appeals for the Eighth Circuit described (by referring to House Report No. 105-551(II) at 23 (1998)) the function of the US DMCA by pointing out the balance it strikes. In the opinion of the court the DMCA has “two important priorities: promoting the continued growth and development of electronic commerce and protecting intellectual property rights.”

[200] Regarding the DMCA impact on the liability of Internet Service Providers, see: Unni, Internet Service Provider’s Liability for Copyright Infringement - How to Clear the Misty Indian Perspective, 8 RICH. J.L. & TECH. 13, 2001 – available at: http://www.richmond.edu/jolt/v8i2/article1.html; Manekshaw, Liability of ISPs: Immunity from Liability under the Digital Millennium Copyright Act and the Communications Decency Act, Computer Law Review and Technology Journal, Vol. 10, 2005, page 101 et seqq. – available at: http://www.smu.edu/csr/articles/2005/Fall/SMC103.pdf; Elkin-Koren, Making Technology Visible: Liability of Internet Service Providers for Peer-to-Peer Traffic, Journal of Legislation and Public Policy, Volume 9, 2005, page 15 et seqq. – available at: http://www.law.nyu.edu/journals/legislation/articles/current_issue/NYL102.pdf.

[201] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), Official Journal L 178, 17/07/2000, pp. 1–16. For a comparative law analysis of the US and EU e-commerce regulations (including the EU E-Commerce Directive), see: Pappas, Comparative U.S. & EU Approaches To E-Commerce Regulation: Jurisdiction, Electronic Contracts, Electronic Signatures And Taxation, Denver Journal of International Law and Policy, Vol. 31, 2003, page 325 et seqq. – available at: http://www.law.du.edu/ilj/online_issues_folder/pappas.7.15.03.pdf.

[202] See Lindholm/Maennel, CRi 2000, 65.

[203] Art. 12 – Art. 15 EU E-Commerce Directive.

[204] For more details, see the Convention on Cybercrime, Explanatory Report, nos. 145-148, available at www.conventions.coe.int.

[205] Schjolberg and Hubbard: Harmonizing National Legal Approaches on Cybercrime – A presentation at the ITU, Geneva (2005).

[206] Schjolberg, Stein: Terrorism in Cyberspace - Myth or Reality? See www.cybercrimelaw.net.

[207] See www.eurojustice.org.

[208] Schjolberg, Stein: Terrorism in Cyberspace – Myth or Reality? See www.cybercrimelaw.net.

[209] Adopted November 11, 2006 by the Consultative Council of European Judges (CCJE), a Council of Europe advisory body.

[210] For more information about the Hague Conference, see http://www.hcch.net.

[211] For more information about UNCITRAL, see www.uncitral.org.

[212] For more information about UNIDROIT, see www.unidroit.info.

[213] For more information about the EU’s efforts in private international law, see www.europa.eu.

[214] For more information about the Inter-American Specialized Conferences, see http://www.oas.org/dil/privateintlaw_interamericanconferences.htm.

[215] For more information on OHADA, see http://www.ohada.org.

[216] For more information, see www.state.gov/s/l/c3452.htm.