legal frameworks for combatting cybercrime

DEVELOPING A LEGAL
FRAMEWORK TO COMBAT
CYBERCRIME
Providing Law Enforcement with the Legal Tools
to Prevent, Investigate, and Prosecute Cybercrime
Overview
I. Balancing Privacy and Public Safety
II. Limits on Law Enforcement Investigative Authority
III. Intercepting Electronic Communications
IV. Collecting Traffic Data Real Time
V. Obtaining Content Stored on a Computer Network
VI. Obtaining Non-Content Information Stored on a Computer Network
VII. Compelling the Target to Disclose Electronic Evidence
Balancing Privacy & Public Safety
Privacy is a basic human right
“No one shall be subjected to arbitrary
interference with his privacy, family, home
or correspondence...”
-- Art. XII, Universal Declaration of Human Rights
Promotes free thought, free expression, and
free association, building blocks of democracy
Supports competitive businesses and markets,
cornerstone of a robust economy
Balancing Privacy & Public Safety
Privacy of computer networks is important:
Individuals, businesses, and governments increasingly
use computers to communicate
Sensitive personal information and business records are
stored in electronic form
Privacy of computer networks is important
for human rights, individual freedoms, and
economic efficiency
Balancing Privacy & Public Safety
Threats to online privacy:
Industry
Gathering marketing information
Government
Investigating crime, espionage, or terrorism
Misusing legal investigative authorities
Criminals
Stealing government or business secrets or financial
information
Obtaining private information from individuals’ computers
Balancing Privacy & Public Safety
Need to investigate all kinds of crimes that
involve computer networks
E.g.: communications of terrorists or drug dealers
Need to investigate attempts to damage
computer networks
E.g.: “I love you” virus
Need to investigate invasions of privacy
E.g.: hackers working for organized crime stealing
credit card numbers
Limited Law Enforcement Authority
Striking the Balance:
Government investigative authority subject to
appropriate limits and controls in the form of
procedural laws will increase privacy and public
safety, but . . .
Uncontrolled government authority may
diminish privacy and hinder economic
development.
Limited Law Enforcement Authority
[Diagram: Intrusiveness of the Investigative Power vs. Safeguards to Prevent Governmental Abuse]
Limited Law Enforcement Authority
Ways to limit law enforcement authorities:
Define specific predicate crimes/classes of crime
Require law enforcement to demonstrate factual
basis to independent judicial officer
Limit the breadth and scope, the location, or the
duration
Offer only as “last resort”
Prior approval or subsequent review by senior
official or politically accountable body
Limited Law Enforcement Authority
Penalizing abuse:
Administrative discipline of officer involved
Inability to use evidence in prosecution
(“suppression”)
Civil liability for officer involved
Criminal sanction of officer involved
Limited Law Enforcement Authority
Limiting Economic Burdens on Third Party
Service Providers:
Should laws require providers to have certain
technical capabilities?
Who is responsible for costs of collecting data
for law enforcement?
Other Policy Considerations
Each country should approach this complex balancing
question, taking into consideration:
The scope of its crime and terrorism problem;
Its existing legal structures;
Its historical methods of protecting human rights; and,
the need to assist foreign governments.
Each country should decide the “means” for obtaining
electronic evidence within its existing legal
framework (e.g., constitutions, statutes, court
decisions, rules of procedure)
Information Obtained from Computer
Networks in Cybercrime Investigations
                                            Content   Non-Content
Real-Time Communications                       1           2
Information Stored on a Computer Network       3           4
Intercepting Electronic Communications on
Computer Networks
Obtaining the content of a communication as the
communication occurs
Similar to intercepting what’s being said in a phone
conversation
E.g.: collect the content of e-mail passing between two
terrorists or drug dealers
E.g.: collect the commands sent by a hacker to a victim
computer to steal corporate information
Intercepting Electronic Communications on
Computer Networks
Many countries use the same (or very similar) rules as
phone wiretaps
Authority should include the ability to compel providers
to assist law enforcement officials
Sometimes does not require law enforcement expertise
May depend on particular technology and infrastructure
Art. 21, Council of Europe Convention on Cybercrime
Intercepting Electronic Communications on
Computer Networks
Law enforcement needs this authority because:
Criminals and terrorists increasingly use electronic
communications to plan and execute crimes
Many crimes are committed mostly (or entirely) using
computer networks
Distribution of child pornography, internet fraud, hacking
Communications may not be stored
Intercepting Electronic Communications on
Computer Networks
This authority should be limited because:
Interception of communications can be a grave invasion
of privacy
Can allow access to the most private thoughts, harming
freedoms of speech and association
Fear of overly intrusive interception may stifle
competitive markets, economic development, and
foreign investment
Examples of Limitations on Interception
Authorities – Australia
Independent judicial review
Facts in support of an
application showing that
intercepted communications
would “be likely to assist” in
an investigation
Investigation of a serious
crime (generally 7+ years
maximum incarceration)
90 day maximum (renewable)
Information intercepted
unlawfully cannot be used as
evidence in court
Intercepted information has
certain disclosure restrictions
and destruction after purpose is
complete
Judge must balance surrounding
circumstances:
Whether other investigative
techniques would not be just
as effective
The value of the information
Gravity of the conduct
The privacy invasion
Examples of Limitations on Interception
Authorities – the United States
30 day time limit (plus
extensions)
“Probable cause” to believe a
crime is being committed and
that the facility is being used
in furtherance of that crime
All other options have been
tried or are unlikely to
succeed
Independent judicial review
Report to intercepted parties
(at conclusion of case)
Inability to use evidence in
court if violate the law
Administrative investigation
of misuse of the law
required
Civil and criminal sanctions
for violations
Approval by high-level
official
Minimize collection of noncriminal communications
Limitations on disclosure of
intercepted communications
Possible Exceptions to the Rule
Might not require legal process if:
The communication is publicly accessible
E.g.: public “chat” rooms
Party/all parties to the communication consent
Actual consent (CI), banner
Emergency involving risk of death
No reason to believe communication is private
Hacker's communication with target computer
Intercepting Electronic Communications:
Other Considerations
Limits on ISP’s interception
Possible exceptions for consent, interceptions necessary
to run or secure a network
Voluntary disclosure of intercepted communication
Only if legal interception (i.e. subject to exception)
Collecting Traffic Data Real Time
                                  Content   Non-Content
Real-Time Communications             1           2
Stored Information on a Network      3           4
Collecting Traffic Data Real Time
Interception of non-content information
Similar to phone number called to/from
E.g.: “To” and “From” on an e-mail
E.g.: Source and destination IP address in a packet header
Less intrusive than intercepting content, so fewer
restrictions on law enforcement use
Art. 20, Council of Europe Convention on Cybercrime
Collecting Traffic Data Real Time
Law enforcement needs this authority because:
Criminals and terrorists increasingly use electronic
communications to plan and execute serious crimes
Helps locate suspects, identify members of conspiracy
Useful tool to assist foreign investigations where a
country is used only as a “pass-through”
Provides a less intrusive and therefore less restricted
alternative to content interception
Collecting Traffic Data Real Time
This authority should be limited because:
Although less intrusive than content interception, still
implicates privacy
Individuals don’t expect government to keep track of who
they’re calling, even if government does not listen to what
they’re saying
To/From information may be revealing (e.g., repeated e-mails to a
psychiatrist; receiving information from a militant organization)
Collecting Traffic Data Real Time
Sample Laws – United Kingdom
Information must be “necessary” for the
investigation of crime, protection of national
security, public health, other specified purposes
Approval by a designated high-level government
official, but no independent judicial review
Collection must be “proportionate to what is
sought to be achieved”
30 day time limit
Collecting Traffic Data Real Time
Sample Laws – United States
Information collected must be “relevant” to an
ongoing criminal investigation
Can only be applied for by an attorney for the
government (not a police officer)
Limited to 60 days (plus extensions)
Disciplinary, civil, and criminal penalties for
misuse
Possible Exceptions to the Rule
Might not require legal process if:
Party/all parties to the communication consent
E.g.: witness cooperating with the government
allows officers to determine where conspirators’ e-mail is sent from
No reason to believe communication is private
Hacker's communication with target computer
Interception is by provider of computing
service in order to run the system or provide
security
Obtaining Content Information
Stored on a Computer Network
                                            Content   Non-Content
Real-Time Communications                       1           2
Information Stored on a Computer Network       3           4
Obtaining the Content of Stored
Information on Computer Networks
Information stored on the system of a third-party
provider
Computer network not owned by the target of an
investigation
E.g.: e-mail sent to an individual that is stored by an
Internet service provider
E.g.: calendar kept on a remote service
Obtaining the Content of Stored
Information on Computer Networks
Laws may be similar to those for searching or seizing
computers in the possession of the target of an
investigation
But because the information is held by a neutral third
party, physical coerciveness of regular search procedures
may not be necessary
Also, because the data is not in the immediate control (e.g.
home) of the individual, he or she may have less of a
privacy interest in it
Art. 18, Council of Europe Convention on Cybercrime
Obtaining the Content of Stored
Information on Computer Networks
Law enforcement needs this authority because:
Without it, serious crimes will go unpunished and
undeterred
Just as law enforcement has needed coercive power to
gather evidence in “real world” contexts, so it must be
able to do so in online contexts
For the many crimes committed over the Internet,
stored information is the “crime scene”
Obtaining the Content of Stored
Information on Computer Networks
This authority should be limited because:
As our countries enter the “Information Age,”
more and more of the most sensitive data is being
stored on computers
Businesses are increasingly using computer networks to
store data
Individuals are increasingly storing information and
communications remotely on third-party networks
Obtaining Stored Content
Sample Laws – United States
To compel disclosure of most kinds of e-mail:
“Probable cause” to believe it contains evidence of a
crime (same standard as to search a package or a house)
Review of evidence by an independent judge
Administrative sanctions against officers who abuse the
authority
Civil suit against the government for misuse
Disclosure restrictions
Obtaining Stored Content
Do some categories of data deserve extra
protection?
Greater expectation that data will remain private
Has the user any choice about whether the
information is stored on the network?
Example of graduated system of requirements –
United States
Unopened e-mail requires a search warrant based upon
“probable cause”
E-mail accessed by the user and other information the user
chooses to store on a remote server requires a court order
with only a showing of “relevance”
Obtaining Stored Content
Consider allowing voluntary disclosure to law
enforcement under some circumstances:
Unrestricted disclosure by 3rd-party providers may
infringe upon privacy and have economic impact,
but disclosure may be justified
To protect public health or safety
To allow the provider to protect its property (e.g., by
reporting unauthorized use)
Obtaining Non-Content Information
Stored on a Computer Network
                                            Content   Non-Content
Real-Time Communications                       1           2
Information Stored on a Computer Network       3           4
Obtaining Non-Content Information Stored
on a Computer Network
Computers create logs showing where
communications came from and where they went
Generally less sensitive than content
E.g.: a list of all of the e-mail addresses to which
a user sent e-mail
E.g.: a log showing the phone numbers by which
a user accessed an Internet service provider
Obtaining Non-Content Information Stored
on a Computer Network
Law enforcement needs this authority because:

Logs showing what occurred on a network may
be the best evidence of a computer crime; may
identify the suspect or reveal criminal conduct
This authority should be limited because:

Although less sensitive than content, these
records still contain private information
Obtaining Stored Non-Content Information
Laws Can Distinguish Between Kinds of Records:
Subscriber information generally less sensitive
Name, street address, user name
Might include method of payment, i.e., credit card or
bank account (important because ISPs may not check
users’ identities)
Logs showing with whom a user has
communicated generally more sensitive
Obtaining Stored Non-Content Information
Examples of Different Standards
Art. 18, Council of Europe Convention on Cybercrime:
Treats “Subscriber Information” differently from other data

United States:


Basic subscriber records require a mere showing of
“relevance” to a criminal investigation without prior review by
a court (subpoena)
E-mail logs require a prior finding of “specific and articulable
facts” that would justify disclosure of the records
Preservation of Evidence
Problem: many stored records last only for weeks or
days
Obtaining legal process is often slow
Investigators may not even know the significance of evidence
until weeks or days after the commission of a crime
Critical tool: request by law enforcement to preserve
evidence (content or non-content)
Request does not compel the disclosure of the records,
but freezes them pending legal process
Preservation of Evidence
Must be very fast (not require prior judicial
approval or even written process)
Few privacy concerns because no disclosure
occurs
COE Convention: does not require dual
criminality because of need to preserve data
quickly (disclosure, however, requires dual
criminality)
Preservation of Evidence
Sample Laws – United States
“A provider of … communication services,
upon the request of a government entity, shall
take all necessary steps to preserve records or
other evidence in its possession pending the
issuance of a court order or other process.”
Lasts for 90 days and can be renewed
Compelling Disclosure of Electronic
Evidence in the Possession of the Target
Generally rules that pertain to search of a home or
office apply
Have to assure that the law is broad enough to cover
collection of intangible data and not just physical items
Compare:
E.g.: Computer used to store child pornography or other
evidence
E.g.: Computer used to break into bank to steal account
information or move funds from one account to another
Seizing Computer Hardware
Council of Europe Convention, Article 19
Often investigators need to seize the computer
itself
Easy to apply traditional rules for objects
Not clear why a computer should get greater or
lesser protection than a filing cabinet
Searches and Seizures of Stored Data
and Intangible Evidence
Investigators could simply copy computer files
after entering an individual’s home
Data stored at home can be extremely sensitive (e.g.,
a diary, a will)
Recommendation: treat data as a “thing” to be
seized, even if only a copy is made
But: “imaging” a drive should be a permissible
search technique
Technical considerations, e.g., OS
Slack space and deleted files
Considerations for Searches and
Seizures of Intangible Evidence
Applying the traditional rules provides balance
and certainty
Unwise not to protect that data from over-intrusive
governmental searches
Also unwise not to give law enforcement the power
to obtain that evidence
Easier for investigators to learn
Use existing exceptions as well
E.g.: consent, emergency circumstances
Considerations for Searches and
Seizures of Intangible Evidence
Why computer searches are different:
Computers hold huge amounts of data
10 gigabyte drive = 5 million pages
Requires expertise and tools, e.g. deleted files,
familiarity with Operating System
Information can be stored remotely
Computers are multi-functional – intermingling
of innocent and privileged information
Conclusion
Countries must have laws that allow law
enforcement to compel disclosure of evidence of
crime
These powers in part enhance privacy by deterring
criminal invasions of privacy
Overly intrusive powers can harm the privacy of
citizens and chill economic development
Law makers must consider many factors when
deciding what is appropriate for them
Models from other jurisdictions can assist
countries in designing appropriate laws
Questions?
Todd M. Hinnen
Department of Justice
Computer Crime & Intellectual Property
Section
Phone: (202) 305-7747
E-mail: todd.m.hinnen@usdoj.gov