Combatting Cybercrime Tools and Capacity Building for Emerging Economies Page 1 | Chapter 1 | §  Table of Contents Combatting Cybercrime Tools and Capacity Building for Emerging Economies Some Rights Reserved This work is a co-publication of The World Bank and the United Nations. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent, or those of the United Nations. The World Bank and the United Nations do not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank or the United Nations concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be considered to be a limitation upon or waiver of the privileges and immunities of The World Bank or the United Nations, all of which are specifically reserved. Rights & Permission This work is available under the Creative Commons Attribution 3.0 IGO license (CC BY 3.0 IGO) http://creativecommons.org/licenses/by/3.0/igo. Under the Creative Commons Attribution license, you are free to copy, distribute, transmit, and adapt this work, including for commercial purposes, under the following conditions: Attribution — Please cite the work as follows: World Bank and United Nations. 2017. Combatting Cybercrime: Tools and Capacity Building for Emerging Economies, Washington, DC: World Bank License: Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO). Translations — If you create a translation of this work, please add the following disclaimer along with the attribution: This translation was not created by the World Bank the United Nations and should not be considered an official World Bank or United Nations translation. Neither the World Bank nor the United Nations shall be liable for any content or error in this translation. Adaptations — If you create an adaptation of this work, please add the following disclaimer along with the attribution: This is an adaptation of an original work by The World Bank. Views and opinions expressed in the adaptation are the sole responsibility of the author or authors of the adaptation and are not endorsed by The World Bank. Third Party Content — The World Bank and/or the United Nations do not necessarily own each component of the content contained within the work. The World Bank and the United Nations therefore do not warrant that the use of any third-party-owned individual component or part contained in the work will not infringe on the rights of those third parties. The risk of claims resulting from such infringement rests solely with you. If you wish to re-use a component of the work, it is your responsibility to determine whether permission is needed for that re-use and to obtain permission from the copyright owner. Examples of components can include, but are not limited to, tables, figures, or images. All queries on rights and licenses should be addressed to the World Bank Publications, The World Bank, 1818 H Street, NW, Washington, DC, 20433; USA; email: pubrights@worldbank.org. © 2017 United Nations and International Bank for Reconstitution and Development/The World Bank 1818 H Street, NW, Washington, D.C., 20433 Telephone: 202-473-1000; Internet: www.worldbank.org Acknowledgments This Toolkit was developed under a project, Combating Cybercrime: Tools and Capacity Building for Emerging Economies (Project), financed by a grant from the Korean Ministry of Strategy and Finance under the Korea- World Bank Group Partnership Facility (KWPF) Trust Fund. The team gratefully acknowledges financial support from the Korean Ministry of Strategy and Finance that made this Project possible. The Project team was headquartered in the World Bank, and Marco Obiso, Preetam Maloor and Rosheen Awotar-Mauree included the following participating organizations: the Council of ITU; Francesca Bosco and Arthur Brocato of UNICRI; Sadie of Europe (CoE), the International Association of Penal Law Creese, Eva Ignatuschtschenko and Lara Pace of Oxford; Cecile (AIDP), the International Telecommunication Union (ITU), the Barayre of UNCTAD; Alexander Seger and Betty Shave of CoE; Korea Supreme Prosecutors Office (KSPO), the Oxford Cyber- and Neil Walsh, Dimosthenis Chrysikos and Bilal Sen of security Capacity Building Centre (Oxford), the United Nations UNODC. Conference on Trade & Development (UNCTAD), the United The Team would also like to express its gratitude to peer Nations Interregional Crime and Justice Research Institute reviewers, Professor Ian Walden, Queen Mary University of (UNICRI) and the United Nations Office on Drugs & Crime London, and Steven Malby of the Commonwealth. The team (UNODC). is also grateful for the time, consultations and valuable inputs The Project team at the World Bank was led by David Satola received from staff at INTERPOL’s Global Complex for and included Seunghyun Bahn, Evarist Baimu, Nigel Marc Innovation in Singapore including Madan Oberoi, Mustafa Bartlett, Jinyong Chung, Conrad C. Daly, Heike Gramckow, Erten, Steve Honiss, Silvino Schlickmann and Tomas Herko. Theodore Christopher Kouts, Clay Lin, Rishabh Malhotra, James The Toolkit and Assessment Tool were also the subject of several Neumann, Marco Nicoli, Diana Norman, Elizabeth Anne Norton, consultation events, conferences and workshops held at or with Seunghwan Park, Sandra Sargent, Dolie Schein, Hyunji Song, the sponsorship of the CoE, Europol, INTERPOL, ITU, the Korea Emilio C. Viano, Georgina Weise, Christiaan van der Does de Institute of Criminology, UNCTAD, UN and Central Bank of Willebois, Stuart Yikona, Keong Min Yoon and Tamika Zaun. Qatar. The team thanks the participants in all of these events The Team owes a special debt of gratitude to Hyunji Song, for and at these organizations for the opportunities to raise her unflagging commitment and contributions to this project awareness of this Project and for helpful comments and too numerous to mention here. Without her research and suggestions. organizational skills, initial drafting efforts and intellectual The team apologizes to any individuals or organizations guidance, this Project could not have been realized. inadvertently omitted from this list. The contributions of the following people from the participating The Toolkit, Assessment Tool, and Website designed and organizations are recognized. From KSPO, Youngdae Kim, developed by Informatics Studio: www.informatics-studio.com. Seokjo Yang, Heesuk Lee and Seungjin Choi. Luc Dandurand, Foreword Advances in technologies over the last 20 years have affected virtually every aspect of the way we live and conduct our daily lives. While these technologies have been a source of good and enabled social and economic progress around the world, hardly a day goes by without news of yet another cyberattack, or the use of technology in the commission of crime. Here, at the World Bank, we know that in order for technologies, including the internet, to continue to be used as a force for economic growth and development, measures must be taken to ensure the security of the internet and the data and communications that flow over it. This book, Combatting Cybercrime: Tools and Capacity Building for Emerging Economies, is an important contribution to the global effort for a safe, secure and equitable internet. It focuses on building the human capacity of policy-makers, legislators, judges, lawyers, prosecutors, investigators and civil society on the various legal issues that comprise the fight against cybercrime. Though focusing on legal matters, Combatting Cybercrime recognizes that the challenge is much larger, and, accordingly, builds from the perspective that an effective response to ever-more sophisticated cybercrime requires a multidisciplinary, multi-stakeholder, public-private approach. In addition to serving as a resource in the traditional sense, Combatting Cybercrime includes an online Assessment Tool that enables countries to more accurately identify priority areas, that facilitates a focused and targeted allocation of scarce, capacity-building resources. Much like the collective approach that is required to fight cybercrime, Combatting Cybercrime is also the result of a collective effort among some of the key global and regional organizations, both public and private, whose expertise and experience are synthesized in this book. I would like to thank the organizations and their staff who contributed to this important work, as well as the Government of Korea for its generous funding and leadership in this area that made Combatting Cybercrime possible. It is our collective hope that Combatting Cybercrime will be a useful resource in building capacity on these key legal issues in the global fight against cybercrime, and would invite readers to consult the project website for updates. The Toolkit, the Assessment Tool and a library of pertinent sources can be found and freely accessed at www.combattingcybercrime.org. Sandie Okoro Senior Vice President and General Counsel The World Bank Table of Contents 1. Introductory Part 10 6. Capacity-Building 225 An overall introduction to the Toolkit, View An overview of capacity-building issues   View highlighting some of the main the issues around for policy makers and legislators, law Print  Print cybercrime and describing some of the main enforcement, consumers and cooperation challenges to fighting cybercrime. with the private sector. 2. Foundational Considerations 64 7. In-country Assessment Tool 268 An overview describing what is meant by   View An overview of various existing tools to assess   View “cybercrime” and the discusses what “basics” cybercrime preparedness and an introduction of  Print  Print regarding procedural, evidentiary, jurisdictional the Assessment Tool enabling users to determine and institutional issues. gaps in capacity and highlight priority areas to direct capacity-building resources. 3. National Legal Frameworks 157 8. Analysis & Conclusion 276 An overview of substantive criminal aspects   View Concluding thoughts on evolving good   View of cybercrime and how they are expressed in practices in combatting cybercrime.  Print  Print national legal frameworks. 4. Safeguards 170 9. Appendices 282 An overview examining procedural   View   View “safeguards” of due process, data protection/  Print  Print privacy and freedom of expression as they relate to cybercrime. 5. International Cooperation 193 10. Bibliography 407 An introduction to both formal and informal   View   View aspects of international cooperation to  Print  Print combat cybercrime. Abbreviations & Acronyms ACHPR African Commission on Human and Peoples’ Rights EAC East African Community ACHR American Convention on Human Rights EaP EU Eastern Partnership AI Artificial Intelligence EC3 European Cybercrime Centre ALADI Asociación Latinoamericana de Integración ECHR European Convention on Human Rights AML Anti-money Laundering ECJ European Court of Justice AP-CERT Asia Pacific Computer Emergency Response Team ECtHR European Court of Human Rights APEC Asia-Pacific Economic Cooperation ECOWAS Economic Community of West African States ASEAN Association of Southeast Asian Nations ECTF US Secret Service Electronic Crimes Task Force ATM Automated Teller Machine EJN European Judicial Network BEC Business Email Compromise ENISA European Network and Information Security Agency CCI Commonwealth Cybercrime Initiative EU European Union CCIPS Computer Crime and Intellectual Property Section EUISS EU Institute for Security Studies CCPCJ Commission on Crime Prevention and Criminal EUROJUST EU Judicial Cooperation Unit Justice EUROPOL European Police Office CERT Computer Emergency Response Team (or FBI US Federal Bureau of Investigation Computer Emergency Readiness Team) FOI Freedom of Information CETS Child Exploitation Tracking System G8 Group of Eight CFTT Computer Forensics Tool Testing GCA ITU Global Cybersecurity Agenda CIRT Computer Incidence Response Team GCI ITU Global Cybersecurity Index CIS Commonwealth of Independent States GCSCC Global Cyber Security Capacity Centre (Oxford CJEU Court of Justice of the European Union University’s Martin School) COMESA Common Market for Eastern and Southern Africa GLACY Global Action on Cybercrime (CoE & EU) CoE Council of Europe GLACY+ Global Action on Cybercrime Extended (CoE & COMSEC Commonwealth Secretariat EU) cPPP Contractual Public-Private Partnership GPEN Global Prosecutors E-crime Network C-PROC CoE Cybercrime Programme Office GPS Global Positioning System CSIRT Computer Security Incident Response Team HIPCAR Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean CSIS Center for Strategic and International Studies HIPSSA Harmonization of ICT Policies in Sub-saharan Africa CTO Commonwealth Telecommunications Organisation IADB Inter-American Development Bank DC3 US Defense Cyber Crime Center IAP International Association of Prosecutors DDBMS Distributed Database Management System IAPL International Association of Penal Law DDoS Distributed Denial of Service IBRD International Bank for Reconstruction and DEA US Drug Enforcement Agency Development DHS US Department of Homeland Security IC3 Internet Crime Complaint Center DNS Domain Name System ICB4PAC Information and Communications Capacity DoD US Department of Defense Building for Pacific Island Countries DoJ US Department of Justice ICCPR International Covenant on Civil and Political Rights DoS Denial of Service ICT Information and Communication Technology E2EE End-to-end Encryption IDCC INTERPOL Digital Crime Centre IoE Internet of Everything PPP Public-Private Partnership IGCI INTERPOL Global Complex for Innovation R&I Research and Innovation IGO Intergovernmental Organization RTI Right to information INTERPOL International Criminal Police Organization RICO US Racketeer Influenced Corrupt Practices Act IOSCO  International Organization of Securities SADC Southern African Development Community Commissions SAR Suspicious Activity Reporting IoT Internet of Things SCO Shanghai Cooperation Organization IP Internet Protocol SDG Sustainable Development Goa iPROCEEDS  ooperation on Cybercrime under the Instrument C SELA  El Sistema Económico Latinoamericano y del of Pre-accession (IPA) Caribe ISAC Intelligence Sharing and Analysis Center SIM Subscriber Identification Modulel ISP Internet Service Provider SME Small & Medium Sized Enterprise IT Information Technology SMS Short Message Service ITU International Telecommunication Union SNS Social Networking Service J-CAT Joint Cybercrime Action Taskforce SQL Structured Query Language JIT Joint Investigation Team SQLi Structured Query Language Injection JPIIT  KSPO’s Joint Personal Information Investigation SWIFT  Society for Worldwide Interbank Financial Team Telecommunication KSPO Korean Supreme Prosecutor’s Office T-CY CoE Cybercrime Convention Committee MA Mutual Assistance Tor The Onion Router MLA Mutual Legal Assistance UDHR Universal Declaration of Human Rights MLAT Mutual Legal Assistance Treaty UK-CERT UK Computer Emergency Response Team MSN Microsoft Service Network UN United Nations NCA UK National Crime Agency UNAFEI  UN Asia and Far East Institute for the Prevention NCB National Central Bureau of Crime and the Treatment of Offenders NCCIC U  S National Cybersecurity and Communications UNCITRAL UN Commission on International Trade Law Integration Center UNCTAD UN Conference on Trade and Development NCFTA National Cyber-Forensics & Training Alliance UNESCO  UN Educational, Scientific and Cultural NCIJTF  FBI’s National Cyber Investigative Joint Task Force Organization NCRP National Central Reference Points UNHRC UN Human Rights Council NCS National Cybercrime Strategy UNICRI  UN Interregional Crime and Justice Research Institute NIST  US National Institute of Standards and Technology UNODC UN Office on Drugs and Crime NSA US National Security Agency USB Universal Serial Bus OAS Organization of American States US-CERT US Computer Emergency Response Team OCSI UK Office of Cyber Security and Information USSS US Secret Service OECD  Organization for Economic Co-operation and Development VoIP Voice-over Internet Protocol OECS Organization of Eastern Caribbean States VPN Virtual Private Network OSCE Organization for Security and Co-operation in VR Virtual Reality Europe WDR  World Bank World Development Report: Digital OTP One-time Pad Dividends (2016) P2P Peer-to-peer WEF World Economic Forum PIN Personal Identification Number WSIS World Summit on Information Society CHAPTER 1 Introductory Part This chapter sets the stage for the rest of the Toolkit. It provides an overall introduction to the Toolkit, highlights some of the main the issues around cybercrime and describes some of the main challenges to fighting cybercrime. In this Chapter A. Purpose of Toolkit 11 B. Phenomenon & Dimensions of Cybercrime 15 C. Challenges to Fighting Cybercrime 27 D. Framework for a Capacity-building Program 45 Page 10 | Chapter 1 | Introductory Part CHAPTER 1 A. Purpose of Toolkit Table of Contents I. Background 11 II. The Toolkit 12 III. The Assessment Tool 13 IV. The Broader Context 13 V. Participating Organizations 14 I. Background Hardly a day goes by without the press disclosing some major cyber-incident. The past year alone has witnessed a proliferation of cyberthreats, breaches of corporate and governmental networks, major thefts from banks, malware, ransomware, etc. Here are a few notable incidents: McAfee reports 316 threats every second1 Theft of US$81 million from account of Bangladesh at New York Federal Reserve Bank resulting from alleged compromise of SWIFT network2 1 billion hacked Yahoo! accounts3 But cybercrime is not limited to major breaches. Individuals also suffer from threats, exploitation and harassment, or worse. The internet, which has enriched peoples’ lives and made the world a “smaller” place, also enables a range of criminal activity. One recent study4 finds that, while cyberthreats mainly consisted of viruses, worms and Trojans, over time cybercriminals have begun to take advantage of techniques related to social engineering— such as phishing—that target employees having direct access to databases containing confidential business information, as well as pharming, credit card fraud, dedicated denial-of-service (DDoS) attacks, identity theft and data theft. According to a Special Eurobarometer commissioned by the European Union (EU), the majority of internet users across the EU do not feel that making online purchases or doing online banking is secure, and have no idea how to navigate the internet safely.5 Many respondents claim to know about cybercrime from newspapers or television, but do not feel informed about the risks that may be experienced. Cybercriminals exploit this lack of awareness. The same study found that more than a third of internet users claim to have received at least one email scam and feel concerned about their sensitive data online.6 Considering the increasing number of people in possession of at least one smart device, and the increasing use of such Page 11  |  Chapter 1  |  § A. Purpose of Toolkit Table of Contents devices as business tools, it is easy to see that there is plenty of fertile ground in which cybercrime can operate and grow. As cyberspace is rapidly evolving, the cyberthreats of the recent past also have also changed. They have not only multiplied with respect to the means through which they are perpetrated, but also have evolved into cybercrime, cyberterrorism, cyberespionage, cyberwarfare and hacktivism.7 The universe of cybercrime is huge and includes different types of attacks and attackers, risks and threats. The challenge, therefore, is how to combat such diverse criminal activity and yet to preserve the many positive aspects of our interconnected world. II. The Toolkit This Toolkit, Combating Cybercrime: Tools and Capacity Building for Emerging Economies, aims at building capacity to combat cybercrime among policy-makers, legislators, public prosecutors and investigators, as well as among individuals and in civil society at large in developing countries by providing a synthesis of good practices in the policy, legal and criminal-justice aspects of the enabling environment necessary to combat cybercrime. Included in this Toolkit is an Assessment Tool that enables countries to assess their current capacity to combat cybercrime and identify capacity-building priorities (discussed in more detail in chapter 7, and included in appendix 9 E). The Toolkit is also accompanied by a Virtual Library, with materials provided by participating organizations and others.8 There are no shortages of resources regarding combatting cybercrime. An overriding ethos of the organizations (listed below) participating in the development of this Toolkit was to avoid repeating or replicating existing resources. However, it was felt that there was merit to producing a synthetic reference on combatting cybercrime, taking best practices and packaging them in a new, holistic fashion. In that sense, the Toolkit can be viewed as a kind of “portal”, overview or one-stop shop that directs users who want to learn more or to go deeper into a particular topic, as well as developing a framework to better understand how seemingly disparate issues interrelate and providing some direction on how to get to primary resources. The Toolkit is arranged along the following lines. In the introductory chapter, the Toolkit examines the current landscape of cybercrime and some of the challenges are to combatting cybercrime. In chapter 2, the Toolkit then looks at some foundational issues including what is meant by and what constitutes cybercrime, and then looks at procedural, evidentiary, jurisdictional and institutional issues. The Toolkit goes on to consider formal and informal measures of international cooperation in chapter 3. In chapter 4, the Toolkit explores national legal frameworks. Chapter 5 examines in detail at due process, data protection and freedom of expression safeguards. Chapter 6 looks at different aspects of capacity-building. Chapter 7 explores various assessment tools, including Page 12  |  Chapter 1  |  § A. Purpose of Toolkit Table of Contents the Assessment Tool developed under this Project. Some concluding observations can be found in chapter 8. The Toolkit also contains appendices regarding cybercrime cases, multilateral instruments, national legal frameworks and the various assessment tools. III. The Assessment Tool The Toolkit, a reference resource on its own, provides a broad contextual background to the Assessment Tool. The Toolkit and Assessment Tool should be read together. The Assessment Tool follows the same general organization as the Toolkit and assesses capacity readiness using some 115 indicators and is organized along the following nine dimensions: 1  Policy Framework 6  Jurisdiction 2  Legal Framework 7  Safeguards Substantive Criminal Law 3   8  International Cooperation Procedural Criminal Law 4   9  Capacity-building 5  e-Evidence IV. The Broader Context While this Toolkit and the Assessment Tool look at capacity building to combat cybercrime primarily from a legal perspective, it is recognized that combatting cybercrime is a part of a broader effort to ensure cybersecurity. Accordingly, this Toolkit puts cybercrime in a broader cybersecurity context. And while it is primarily legal, it also looks at the role of the private sector and technical community, including CIRTs and the like,9 in combatting cybercrime. But because the Toolkit mainly approaches combatting cybercrime from a legal perspective, every effort has been made to illustrate the various aspects of cybercrime through the use of court cases. Almost by definition, if a case ends up in the courts, it is because there is a disputed issue of law. These cases are referred to and highlighted as “cases” in the text of the Toolkit. These cases are used throughout the Toolkit but are also aggregated in appendix 9 A. Of course, not all issues, even if they involve criminal activity, end up in the courts. Accordingly, not every aspect of combatting cybercrime is supported by a case. However, the Toolkit also uses case studies to illustrate some aspects of combatting cybercrime. These are referred to and included in “boxes” throughout the Toolkit. In its synthetic approach, the Toolkit also attempts to include different legal systems. As discussed above, and explored in more depth in sections 2 A and 2 B, the Toolkit has attempted to include not only more “traditional” cybercrimes, but also “new” kinds of crime committed on or Page 13  |  Chapter 1  |  § A. Purpose of Toolkit Table of Contents using the internet. Importantly, and for the reasons described herein, the Toolkit adopts a definition of “cybercrime” (see section 2 A, below) for the purposes of this Toolkit that attempts to be “future proof”—that is, a definition that is broad enough to encompass already well-known types of crimes, but also new and evolving areas, such as risk posed by cloud and quantum computing, blockchain technologies and digital currencies, the internet of things (IoT), etc. The Toolkit also places emphasis on the safeguards accompanying cybersecurity (considerations of “due process” and ensuring freedom of expression and privacy/data protection). As a general proposition, the “balance” to be achieved between security and preservation of basic rights was recently given prominence of place in the World Bank’s World Development Report 2016: Digital Dividends (WDR).10 At the same time, the Toolkit is about cybercrime and not cyberterrorism or cyberwar. Admittedly, it is becoming increasingly difficult to distinguish between acts that might first appear to be “mere” cybercrime perpetrated by civilian actors, but that may emerge with the passage of time and further investigation to be acts by states against states (or their proxies).11 Indeed, cyberspace has been recognized as a sovereign domain, akin to air, land and sea.12 That relationship and blurring of lines between cybercrime and cyberwar is beyond the scope of this work and will have to be the subject of another work. It is axiomatic to say that cybercrime is continually evolving. Accordingly, the Toolkit captures information as of 1 January 2017 and will be periodically updated. It should also go without saying that nothing in this Toolkit constitutes legal advice and no inference should be drawn as to the completeness, adequacy, accuracy or suitability of any of the analyses or recommendations in it to any particular circumstance. All information contained in the Toolkit may be updated, modified or amended at any time. V. Participating Organizations ƒƒ Association Internationale de Droit Pénal This work has been ƒƒ Council of Europe (CoE) funded by the ƒƒ International Telecommunication Union (ITU) Government of Korea ƒƒ Supreme Prosecutors’ Office of Republic of Korea (KSPO) through a grant ƒƒ Global Cyber Security Capacity Building Centre located at the provided by the Martin School at Oxford University (Oxford) Korea-World Bank ƒƒ United Nations Conference on Trade and Development Group Partnership (UNCTAD) Facility. ƒƒ United Nations Interregional Crime and Justice Research Institute (UNICRI) ƒƒ United Nations Office on Drugs and Crime (UNODC) Page 14  |  Chapter 1  |  § A. Purpose of Toolkit Table of Contents CHAPTER 1 B. Phenomenon & Dimensions of Cybercrime1 Table of Contents Introduction 15 I. Situating Cyberspace 15 A. “A Brave New World”3 16 B. Maintaining Public Confidence 18 C. Cybercrime’s Physical & Virtual Nature 18 D. Innovative Criminal Prohibitions 20 E. Technological Innovations 21 II. Private Sector Cooperation 22 Conclusion 25 Introduction Having set forth the purpose of the Toolkit in section 1 A, we now look at some of the particular features of cybercrime in its evolving context. This section begins by (I) talking about the place of cyberspace in today’s world and the place of the law therein, going on to (II) drawing attention to the important role of private sector engagement. I. Situating Cyberspace Law, as a reflection of public policy, is intended to provide a predictable, fair and transparent basis for ordering society, and for offering objective means for dispute resolution. With (A) the society’s expansion into “cyberspace”2 ushering in a brave new world, it is fundamental that (B) public confidence in law and order also extends into cyberspace in order for that space to continue to be a place where economic, political and social discourse flourish. But because (C) cybercrime is not entirely virtual or physical, (D) innovative public policy and legal approaches addressing cybercrime—balancing security with human right—are imperative. Page 15  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents A. “A Brave New World”3 Cyberspace is a nebulous digital or electronic realm characterized by the use of electronics and electromagnetics to store, modify and exchange data via networked systems and associated physical infrastructures. Not a “place” per se, it has been defined as “the online world of computer networks”,4 but has been more aptly likened to the “human psyche translated to the internet”.5 However it is understood, cyberspace has transformed the world and our way of being. It has created a “virtual” space parallel to the “real”, physical world. And, although not actually real, that revolutionary world is itself about to be revolutionized as virtual reality (VR) prepares to render further transformations, no doubt with great implications for the “real” world,6 and, indeed, for what “real” means.7 Information and communications technologies (ICTs) allow for information to be accessed, business conducted, professional and personal connections grown and maintained, and governments engaged and governance expanded. Cyberspace and ICTs hold out huge growth potential in practically every walk of life.8 With this greater openness, interconnectedness and dependency also comes greater risk: while ICT has created new and legitimate opportunities, spaces and markets, those very same opportunities, spaces and markets are rife for criminal exploitation. Individual cybercriminals and organized criminal groups are increasingly using digital technologies to facilitate their illegal activities, be they the enabling of traditional crimes, such as theft and fraud, or the rendering of new crimes, such as attacks on computer hardware and software. Even in countries characterized by high rates of unemployment, wage inequality and poverty, cybercrime is accessible, easy and cheap. Essentially, anyone with access to the internet can become a cybercriminal. Moreover, with the emergence of hacking tools, such as exploit-kits, neither computer expertise nor technological knowledge is longer necessary.9 People in developing countries, often unable to find legitimate work in their domestic market, see cyberspace, with more than 3.488 billion internet users worldwide,10 as a market ripe for exploitation.11 Governments are coming to recognize both the harm that has been caused, as well as the ever-growing gravity of the threat cybercrime, and are working on forming a collaborative response at both the domestic and international levels. That collaborative, international response to cybercrime cannot come soon enough: cybercrime is on the rise, and the opportunities and gains are increasingly alluring. In 2014, more than 348 million identities were exposed When identity thieves hacked several trusted institutions, and 594 million persons are affected by cybercrime globally.12 US$1 trillion in the United States Estimates of losses from intellectual property and data theft go as high as US$1 trillion in the United States alone.13 Page 16  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents 170 million credit and debit card numbers stolen In 2010, a hacker was sentenced to twenty years in prison for stealing more than 170 million credit and debit card numbers, making it the largest single-identity theft case that the US Department of Justice (DoJ) has ever prosecuted.14 Case 1.1: FBI Hacks “Playpen” Child Pornography Site on Tor Network (USA)15 In a massive sting operation, FBI agents infiltrated “Playpen”, one of the largest ever child pornography networks, by infecting websites with malware that bypassed user’s security systems.16 The FBI continued to operate the site for thirteen days after it had secured control of it, subsequently identifying hundreds of users. Tor—an abbreviation for “The Onion Router”—is a free software that allows anonymous internet communication, preventing localization of users or monitoring of browsing habits, by bouncing users’ internet traffic from one computer to another to make it largely untraceable.17 Operating through the special-use, top level domain suffix “.onion”,18 Tor addresses are not actual names in the domain name system (DNS)—the hierarchical, decentralized naming system for computers, services or any resource connected to the internet or a private network. Initially developed with the US Navy, today it is a nonprofit organization; the, Tor network is a group of volunteer-operated servers. Tor’s popularity recently increased with its launch of a hidden chat tool that not only hides message contents from everyone except participants, as well as hiding the location of those participants, but which also operates with platforms such as Facebook Chat, Google Talk, Twitter and Yahoo!, even in countries where those platforms are banned.19 Rather than rely on the “dark web”, a collection of hidden websites and services of which Tor forms a prominent part, the Tor Messenger operates by sending messages across a series of internet relays (or routers), known as “bridges”, thereby masking the messages’ origins.20 Because the services operate through a collection of relays that are not publicly listed, blocking access to the Tor network would not affect the Tor Messenger.21 Furthermore, just as with services such as WhatsApp (see section 1 B, case 1.3, below), end-to-end message encryption may be offered. Although concern exists that the services might be used for more nefarious purposes, there is public interest in having such a tool—for instance, for whistleblowers and others needing anonymity. While banning Tor might well be both infeasible and unwise,22 this case indicates that Tor is not a perfect blanket of anonymity. Page 17  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents B. Maintaining Public Confidence One of the principal purposes of the law is to provide an objective, predictable, transparent and universally-applicable set of rules that governs conduct and maintains order.23 A key element to order is public confidence,24 which is bolstered through laws supported by principles of transparency, accountability and participation. It is well understood that “trust” in the use of the internet and ICTs will engender use, and that part of building this trust environment in cyberspace involves striking a balance between establishing the security of networks, devices and data, and ensuring that fundamental rights such as privacy (including data protection) and freedom of expression are observed.25 The evolution of cyberspace, and the ever-increasingly easy means of accessing it, have resulted in a new range of living and coexisting, which society—and the law—are grappling to understand.26 These new, exciting possibilities should not be either unnecessarily or disproportionately stifled in the name of security and combating criminality. Nature abhorring a vacuum,27 and the path of least resistance being preferred,28 society at large— individuals, financial institutions, private industry and governments—have increasingly exploited, and subsequently come to rely on technology in order to function: cyber networks have become essential to everyday operations, with power grids, air traffic control, urban utilities and much more dependent upon cyber technology.29 Consequentially, the potential threat posed by cybercriminals has grown dramatically and afforded significant opportunities for terrorist groups and extremist organizations. Public confidence in the secure functioning of ICT systems and of cyberspace has become necessary to maintaining social order.30 Several legal systems stress the need to protect the functioning of ICT systems through criminal laws.31 The principal protected interests are the confidentiality, integrity and availability of information systems and electronic data.32 In pursuit of the urgency to criminalize certain behavior, the challenge in terms of law reform is to avoid overreaching in order not to violate fundamental rights.33 C. Cybercrime’s Physical & Virtual Nature While this Toolkit expands in more detail in subsequent chapters both the working definition of cybercrime (see section 2 A, below) as well as what sort of acts constitute cybercrime (see section 2 B, below), in many cases, cybercrime can be understood as digital versions of well-known, “traditional” offenses only with a virtual or cyberspatial dimension in addition or in lieu of.34 For instance, identity theft, which can happen in both the physical and electronic worlds, fits an adaptive conception of cybercrime perfectly well. The factor differentiating identity theft in the physical and virtual worlds is the crime’s “how”. In both instances, the criminal intent (namely, to obtain a benefit) and the result (namely, fraudulent misrepresentation) are the same.35 The “how” differs in that, in the physical version, the impersonation is done with a physical item (e.g., a stolen identity card, mail, statement), while, in the virtual version, the crime is committed through the Page 18  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents presentation, usually to some remote, automated interface, of identifying information (e.g., a password). In the virtual setting, the cybercriminal may fraudulently induce someone to voluntarily reveal that information or use automated “keystroke logging” software to record an electronic copy of that information and relay it to the cybercriminal. While the two paradigms are relatively comparable, transitional difficulties arise at the level of law enforcement.36 For instance, police, frequently accustomed to building a physical record—a physical “paper trail”—, often have difficulty transposing that record to the electronic world and investigating on purely electronic grounds.37 Problems in conceptualization are often complicated or reinforced by laws that remain outpaced by technological developments.38 As a result, law enforcement often lags far behind the pioneers of organized crime.39 For example, in the United States, computer fraud (criminalized in 18 USC § 1030) is not yet classified as a predicate offense for racketeering under the Racketeer Influenced Corrupt Practices (RICO) Act.40 One of the most important tools to combat organized crime,41 RICO, which allows for leaders of crime syndicates to be targeted, came to prominence in the 1980s when its provisions began to be applied to combat the mafia.42 Cyberspace has allowed criminals to more “efficiently” commit crimes.43 Electronic tools and equipment, many of which are freely available on the internet, can be ordered and distributed with just one mouse-click, yet frequently affecting millions. Examples of “computerized” or “electronic” versions of traditional crimes include ICT-mediated fraud, revelation of electronically-stored secrets, forging digitally-stored data, defamation, cyberstalking, copyright violation and cyber-bullying.44 In such instances, the affected interests remain the same, with only the modus operandi differing from the traditional form.45 In many cases, cyberspace has made committing crimes so much simpler that the use of the electronic medium has eclipsed using traditional ones. For instance, today, pornography (including child pornography) is principally transmitted and distributed electronically. Indeed, such behavior has even led some legal systems to introduce special criminal prohibitions against cyber pornography, with nuanced aspects unique to cyberspace being addressed—for instance, “grooming” of children for potential sexual abuse through electronic communications has also been defined as a criminal offense in many jurisdictions.46 Where perpetrators use virtual social networks to initiate and establish physical contact in order to commit sexual offenses, they cross the line between the “traditional” crime type and the type of crime that depends on the existence of the internet. Case 1.2: State of Tamil Nadu vs. Suhas Katti (India)47 Complainant, a divorced woman, was the subject of obscene, defamatory and harassing messages that were both posted online and which were sent to her from an email account falsely opened in Complainant’s name. Defendant’s postings, which released her phone Page 19  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents number without her consent, resulted in telephone calls to Complainant in the belief that she was soliciting sexual favors. Defendant, a purported family friend of Complainant, was apparently motivated by a desire to marry Complainant. When Complainant’s marriage ended in divorce, Defendant resumed contact with her and, on her refusal to marry him, began his cyber harassment. The court, relying on testimony from witnesses at the cyber café where the behavior took place, on experts, and on cyber forensic evidence, convicted Defendant of “transmitting obscene material in electronic form” under Section 67 of Information Technology Act 2000 (§§ 469 & 509, Indian Penal Code). The Act has drawn subsequent controversy as a vaguely worded criminal statute, predicated on the meaning of “obscene” material as one that could be used to curtail any sexually explicit material. While cybercrime has a fairly low conviction rate, this case, the first of its kind, was prosecuted in just seven months. The first case of successful cybercrime conviction in India, and with such rapid conviction, this case represents a significant landmark in the fight against cybercrime. D. Innovative Criminal Prohibitions The relationship between virtual and physical worlds has meant that laws ordained for the physical world and to tangible property have sometimes been applied to cyberspace and to virtual property.48 Applying physical-crime laws to cybercrime has been particularly prevalent with respect to theft and fraud, although doing so has met with varying degrees of success. On the one hand, in 2012, the Dutch Supreme Court confirmed a conviction for theft of electronic goods on the basis of existing, unadapted law.49 Similarly, in the United States illegally acquiring or using another’s “means of identification” with the intent to commit an unlawful act is a crime.50 Elsewhere, computer forgery, fraud by false representation, wrongful impersonation of another person, defamation and dissemination of information violating another’s personal privacy have all been accepted as crimes committed in cyberspace on the basis of physical-world crimes.51 On the other hand, however, other legal systems have not always considered hacking as theft, typically on the basis that hacking normally does not “permanently deprive” the victim of the goods, and, as such, should be understood as a form of involuntary sharing, rather than theft. Regardless of the answer to whether laws written for the physical world should be applied to the electronic world, legal systems have created corresponding categories and definitions of offenses52 aimed specifically at protecting the substantial, new interests and opportunities possible in the cyberworld.53 For example, a virtual version of harassment exists in many legal systems: cyberharassment has been defined as a person’s “use [of] a network or electronic communications service or other electronic means to annoy or cause damage to his correspondent, or to install any device intended to commit the offense and the attempt to commit it”.54 Similarly, because the internet allows for the immediate dissemination of sensitive information and images in the absence Page 20  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents of consent,55 cases of “revenge porn” (where material containing nudity or of sex activities is posted in revenge by erstwhile lovers in order to embarrass, punish or interfere with other relationships of the victim), are increasingly frequent and have received particular legal attention.56 Moreover, although the electronic and physical worlds are distinct from each other, the two are very much interconnected. For instance, regarding property, “cyber goods” have value and their loss can cause just as much harm as the loss of tangible property.57 Moreover, stealing a person’s virtual identity can have very serious repercussions in the physical world, and such identity theft is often a precursor to defrauding the victim in concrete, commercial transactions involving tangible goods.58 For example, a perpetrator may illegally acquire the victim’s access data, gain access to his bank account or, more simply, order and acquire goods, leaving the bill to the victim.59 Still more troubling, the usurpation of a person’s virtual identity can have serious and even irreparable consequences in both professional and personal circles; loss of reputation can be much more damaging than financial loss of online purchases.60 Given the potentially great value of both reputation and integrity of cyber personalities and avatars, the usurpation or falsification of a person’s virtual identity has been criminalized,61 often regardless of whether there is intent to cause material harm.62 E. Technological Innovations Recent technological developments have drawn increased attention on the importance of addressing how the physical and electronic worlds are to interrelate, and how to define the overall landscape of cyberspace. Although discussed in greater depth further on (see sections 1 C and 2 A, below).The most notable of these matters merit mentioning here: These technological advances include developments in FinTech, horizontal data partitioning (“sharding”), blockchain, quantum computing and artificial intelligence: ƒƒReliance on FinTech or financial technology, will continue to grow as the technology-enabled financial solutions facilitated “smart” transactions and help removing transaction costs.63 However, as FinTech continues to permeate everyday activities, it necessarily results in the collecting and agglomerating of sensitive information —notably unique metadata—, inevitably becoming a target for cybercriminals.64 ƒƒVarious techniques are being developed to improve data and systems security. Key among them is the use of the horizontal data partitioning, a technique known as “sharding”, whereby electronic data is stored and spread across multiple databases. Doing so means that unauthorized users will only be able to access a small portion of the data, which may not even be readable on its own, or will have to independently infiltrate several or all of the systems in order to have the full data set. For instance, this technique might separate out credit card numbers, or parts of those numbers, from the corresponding verification numbers.65 ƒƒBlockchain technology is anticipated to change how transactions are done. Blockchain is a distributed, open-source, peer-to-peer, public ledger that records ownership and value. It Page 21  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents removes the need for a third-party verification organization, as transactions recorded on a public ledger and are verified through consensus. It is inexpensive, easy to use and secure; presently, it is the most secure transaction method available.66 Although the technology is perhaps best known for its use in digital currencies,67 its potential utility is endless. Beyond finance, blockchain has the potential to revolutionize all exchanges of information—smart contracts, patent registration, voting, distribution of social benefits, records, etc.68 ƒƒMore dramatic changes are promised by quantum computing. Quantum computing would, in essence, take the present, binary operating form to a multidimensional level (see section 1 C, box 1.2, below), thereby threatening to undermine existing encryption systems and their algorithms.69 Faced with this challenge, new cryptology schemes are looking to quantum mechanics that would use photons, and rely on physics as a means of security.70 ƒƒLastly, the role of artificial intelligence (AI) is a growing prospect. Modern technology such as machine learning and autonomous systems would allow computers to learn, reason and make decisions with minimal human involvement. For example, AI can detect a security breach immediately, whereas, in the past, it would take months. Correspondingly, AI might be used to commit cybercrime, therein presenting unique legal questions (see section 1 C, below). II. Private Sector Cooperation Governments have an obligation to assure public safety and security in the analog world.71 The ease and speed of information-sharing between cybercriminals, and the disparateness of criminal activity, makes it difficult for law enforcement to keep up. However, much of the infrastructure undergirding cyberspace, and many of the means of communications operating in cyberspace, are controlled by nonstate actors. Such being the case, government efforts to combat cybercrime will have to rely on private sector involvement, notably through the use of public-private partnerships (PPPs).72 In order to combat cybercrime, not only are tailor-made tools complementing traditional approaches needed, but so, too, is a unified approach for building collaborative partnerships between law enforcement and the private sector. Gathering and analyzing digital data are key to investigating and prosecuting cybercrime cases. At both the international and national level, entities such as INTERPOL and the KSPO are coordinating with the private sector in the area of digital forensics. These issues are explored in more depth further on (see section 6 C, below). To a large extent, content carriers, notably internet service providers (ISPs), are not subject to prosecution, even though criminal content or criminal activity may be carried out using their services, and even though ISPs often have unique access to essential data regarding criminal content or activity. ISPs also store customer-use data. Moreover, most ISPs are usually private entities. In order to encourage investment in provision of internet services and access to the internet, most jurisdictions afford some limited liability for ISPs on the basis of being “mere conduits” or intermediaries. Once coupled with privacy guarantees,73 the basic and widespread position is that ISPs are unaware of the criminal activity in much the same way that a landlord or a telephone company might be unaware of the natures of activities occurring on the rented premises, Page 22  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents or carried across their telephone lines. By contrast, those arguing for ISPs to assume greater liability from the start prefer to construe ISPs as newspaper publishers who should be responsible for the material on their servers. That said, liability often attaches once ISPs become aware of illicit activity and fail to act accordingly. Similar liability attaches to other service providers, such as bulletin board operators and proprietary information providers. It has been argued that, while many have called for harmonization, “uniformity is both illusory and unnecessary”.74 Cooperation with the private sector, including PPPs play a vital part in the fight against cybercrime, especially, and to reiterate, as the private sector, and not government, either owns or operates so much essential infrastructure and provides essential services. According to INTERPOL, “The complex and ever-changing nature of the cyber threat landscape requires high-level technical expertise, and it is essential that law enforcement collaborates across sectors to effectively combat cybercrime and enhance digital security.”75 In announcing its support for PPP cybersecurity initiatives last year, the US White House observed that “[c]urrent [PPPs] in this space have at best unclear or ill-defined roles and responsibilities for the industry and government partners.”76 The vastness of cybercrime is beyond the means of government: law enforcement is both unprepared and unable to fully scale-up to a fast-growing threat landscape. The greater the communication and coordination between public and private sectors, the greater society’s resilience and ability to evolve to meet cybersecurity threats. However, there is a lack of cooperation between governments and the private sector on matters of cybersecurity. US President Barack Obama highlighted this concern with his Executive Order aiming at encouraging better information sharing between the public and private sectors on cyberattacks.77 President Obama said the following: “[T]he cyber threat is one of the most serious challenges to national and economic security that we face as a nation” and that “the economic prosperity of the United States in the twenty-first century will depend on cyber security”.78 In Europe,79 only a handful of European countries have an established framework for PPPs on cybersecurity.80 Case 1.3: In the matter of the Search of an Apple iPhone (USA)81 Though not technically a “cybercrime” case, the FBI went to court to compel Apple, Inc. to create a software tool that would help the FBI gain access to a locked iPhone that belonged Page 23  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents to an alleged terrorist shooter in San Bernardino, California.82 The suit was eventually dropped after an unidentified third party successfully cracked the 5C iPhone running iOS 9 software, at a cost of US$1.3 million to the FBI.83 This situation demonstrates the diversity of efforts required for combatting cybercrime, and is anecdotal of the technical limitations on a government’s ability to access data to investigate and prosecute acts of terrorism or cybercrime without the input of the private sector. The case raised the debate over whether private technology companies’ encryption technologies protect privacy or endanger the public by preventing law enforcement access to critical information. As cyberspace continues to evolve, innovated investigative tools will also correspondingly be required to enable effective law enforcement investigations. While this particular standoff has come to an end, the tension between a government’s desire to access technology and data necessary to enable effective investigation and the private sector’s legitimate interest in providing secure technology and services to consumers as well as protecting proprietary investments has not. Moreover, while this suit was dropped, the US Government has since initiated other proceedings to compel Apple to assist the FBI in unlocking an iPhone 5s running iOS 7, though this time involving a “routine drug case”.84 This incident also demonstrates that perfectly legitimate products—in this case, an iPhone— have become central to committing cybercrimes. Such technology, although only incidentally being used to support criminal activity, is being developed by a multitude of private actors. The government’s ability to cover the great diversity of fields and spaces is well-beyond present budgetary constraints, illustrating the necessity of public-private cooperation. The public-private problem is only likely to grow, as not only Apple85 but other technology firms, such as WhatsApp,86 extend security and protection with end-to-end encryption (E2EE) and other security measures. Indeed, following the 2017 terrorist attack outside the UK Houses of Parliament in London in March, and again following those in Manchester in June, UK authorities recently advocated that similar access should be granted vis-à-vis instant-messaging services, most notably for WhatsApp.87 While the UK Home Secretary has sought to enlist the support of technology and social media at large,88 the UK Prime Minister having repeated as much,89 it seems unlikely that, even with private-sector cooperation, the problem would ever be resolved: simply put, the technological ease of encrypting communications means that a rival app or process is likely to appear almost immediately should present instant messaging systems be obliged to create such a “back door” for government. Moreover, lowered technological barriers to entry are bolstered by market demand, which, for numerous reasons—many of which are legitimate and legal—incentivizes the development of secure, anonymous communication tools. Creating a strong legal cybersecurity framework is complex. The fundamentals of doing so range from establishing strong legal foundations and a comprehensive and regularly updated cybersecurity strategy, to engendering trust, working in partnership and promoting cybersecurity Page 24  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents education. These building blocks provide valuable guidance for governments that are ultimately responsible for implementing cybersecurity rules and policies.90 Conclusion Although all of the following matters are addressed in greater depth in the Toolkit, a few points bear mentioning given this section’s discussion: ƒƒCyberworld is a burgeoning space: In 2016, over 3.488 billion people, roughly forty percent of the world’s population, used the internet.91 Over sixty percent of all internet users are in developing countries, with forty-five percent of all internet users below the age of twenty-five years. By the end of the year 2017, it is estimated that mobile broadband subscriptions will approach seventy percent of the world’s total population. By 2020, the number of networked devices (the “internet of things” (IoT)) will outnumber people by six to one, completely transforming current conceptions of the internet; moreover, interconnectivity will not be limited to the networking of devices but will also extend to humans, both at the individual and collective level (the “internet of everything” (IoE)).92 In the hyper-connected world of tomorrow, it will become hard to imagine a “computer crime”, and perhaps any crime, that does not involve electronic evidence linked with internet protocol (IP) connectivity. The greatest growth in the internet in the coming years will be the developing world because that is where the world’s next billion people will access the internet for the first time.93 It follows from that that the developing world is also where the greatest need will be to put in place policy and legal approaches for dealing with cybersecurity and cybercrime. ƒƒDefining cybercrime poses difficulties (see section 2 A, below): A limited number of acts against the confidentiality, integrity and availability of computer data or systems represent the core of cybercrime. Beyond this, however, computer-related acts for personal or financial gain or harm, including forms of identity-related crime, and computer content-related acts (all of which fall within a wider meaning of the term “cybercrime”) do not lend themselves easily to efforts to arrive at legal definitions of the aggregate term. Certain definitions are required for the core of cybercrime acts. However, a “definition” of cybercrime is not as relevant for other purposes, such as defining the scope of specialized investigative and international cooperation powers, which are better focused on electronic evidence for any crime, rather than a broad, artificial “cybercrime” construct. ƒƒCybercrime is global and occurs across sectors: Globally, cybercrime is broadly distributed across financially-driven acts, computer-content related acts, and acts against the confidentiality, integrity, and accessibility of computer systems. Perceptions of relative risk and threat vary, however, between governments and private sector enterprises. Currently, crime statistics may not represent a sound basis for cross-national comparisons, although such statistics are often important for policy making at the national level. ƒƒInternational legal instruments have done much to spread increase knowledge sharing (see section 3 A, below): Legal measures play a key role in the prevention and combatting of cybercrime. These are required in all areas, including criminalization, procedural powers, Page 25  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents jurisdiction, international cooperation and ISP responsibility and liability. The last decade has seen significant developments in the promulgation of international and regional instruments aimed at countering cybercrime. These include binding and non-binding instruments. Five clusters can be identified, consisting of instruments developed in the context of, or inspired by: (1) the Council of Europe or the European Union, (2) the Commonwealth of Independent States or the Shanghai Cooperation Organization, (3) intergovernmental African organizations, (4) the League of Arab States, and (5) the United Nations. A significant amount of cross-fertilization exists between all instruments, including, in particular, concepts and approaches developed in the Council of Europe Convention on Cybercrime (the “Budapest Convention”). ƒƒThere is a risk of partition between cooperating with shared cybercrime procedures and non-cooperating states (see section 3 A, below): Current international cooperation risks fall into two country clusters: those states that have implemented reciprocal powers and procedures to cooperate among themselves, and those that have failed to implement those measures, are restricted to “traditional” modes of international cooperation that take no account of the specificities of electronic evidence and the global nature of cybercrime. Such a concern is particularly true of investigative actions. The lack of a common approach, including within current multilateral cybercrime instruments, means that even simple requests for actions, such data preservation, may not be easily fulfilled. ƒƒRegulatory frameworks must maintain data integrity while protecting freedoms: Regulatory frameworks, essential to the fight cybercrime, must be sufficiently bolstered to assure freedom of speech and access to information. Relatedly, while data protection laws generally require personal data to be deleted when no longer required, some states have made exceptions for purposes of criminal investigation, requiring ISPs to store specific types of data for a set period of time. Many developed countries also have rules requiring organizations to notify individuals and regulators of data breaches. Also, while it might be technically possible for ISPs to filter content, any restrictions that they place on internet access are subject to both foreseeability and proportionality requirements under international human rights law protecting rights to seek, receive and impart information. ƒƒThe question of holding ISPs liable: Following directly on from the previous matter is the question of whether, and to what extent, to hold ISPs liable for objectionable content is a vast one. In many legal systems, ISPs may be held liable for failing to control or constrain illegal content or activity crossing their systems. In other systems, however, that liability is limited on the basis that ISPs are “mere conduits” of data. That said, where liability is limited, it can often shift to a requirement to take action if an element of content-awareness becomes apparent—for instance, where the ISP modifies transmitted content or if actual or constructive knowledge of illegal activity or content is shown. ƒƒPPPs are central to cybercrime prevention: PPPs are created as much by informal agreement as by legal basis. Private sector entities tend to be most frequently involved in partnerships, followed by academic institutions, and then by international and regional organizations. PPPs are mostly used to facilitate knowledge sharing, though they have been used, especially by private-sector entities, to prompt investigation and legal actions. Such actions complement those of law enforcement and can help mitigate damage to victims. Academic institutions play a variety of roles in preventing cybercrime, including training, developing law and policy development, and technical standards setting, as well as housing cybercrime experts, computer emergency response teams CIRTs and specialized research centers. Page 26  |  Chapter 1  |  § B. Phenomenon & Dimensions of Cybercrime Table of Contents CHAPTER 1 C. Challenges to Fighting Cybercrime Table of Contents Introduction 27 I. General Challenges 28 II. Challenges to Developing Legal Frameworks 28 A. Adapting Current Legal Frameworks 29 B. Developing Developing Legal Frameworks 30 III. Challenges of Additional Resources 32 A. Additional Legal Tools 32 B. The Consumer’s Role 32 C. Private Sector Cooperation 33 D. Detecting Cybercrime 34 IV. Challenges to International Interoperability 36 A. International Cooperation 37 B. Jurisdictional Challenges 39 V. Safeguards 40 A. Respecting Constitutional Limits 40 B. Balancing Data Collection with Data Protection 41 C. Freedom of Communication 42 1. Freedom of Opinion and Expression 42 2. Freedom of Information 43 Conclusion 44 Introduction Recent ICT developments have not only allowed for the emergence of new types of illegal activities, but have also resulted in novel techniques for evading law enforcement authorities, and, even after having been found out, in hindering investigation and prosecution. At the same time, ICT advancements have strengthened the abilities of law enforcement agencies to investigate and prosecute cybercriminals.1 This section examines challenges in the fight against cybercrime. This section begins by (I) talking of general challenges to cybercrime, goes on to (II) talk about specific challenges of developing legal frameworks, and then (III) highlights that there are other resources that might be brought to bear. The last half of the section Page 27  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents discusses (IV) the various challenges of a lack of international interoperability and (V) the need for appropriate safeguards to be implemented by both national and international authorities. I. General Challenges Challenges to investigating and prosecuting cybercrime arise out of its transnational, and thus multi-jurisdictional, nature, as well as to challenges in detecting these crimes, insufficient legal frameworks and the ever-shifting technological landscape. Technology moves on apace, and usually much more quickly than authorities or, even more so, legislatures do. Bearing such technological evolution in mind, legislatures frequently attempt to account for technological progress that would render the wording of a criminal statute obsolete by, for instance, using relatively generic language and not specifying technology, or by adopting generalizations—for instance, “any electronic communication technology, regardless of its technological format or appearance”.2 Challenges for law enforcement in the fight against cybercrime are manifold. The most common include the following: 1   Growing access to high-speed internet access; 2   Growing availability of hardware and software tools (particularly encryption technologies); 3   Increasing ease of launching automated cyberattacks; 4   Rapid development of novel cybercrime techniques; 5   Rapid nature of cyberattacks; 6   Fragility and temporal nature of electronic data; 7   Lack of investigative capacity devoted to cyberspace; 8   Increasing reliance on (initial) automated investigation processes due to increasing number of internet users; 9   Decentralized nature, architecture, and design of the internet; 10   Multi-jurisdictionally of the crimes; and 11   Anonymous nature of online communications. II. Challenges to Developing Legal Frameworks Page 28  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents Beyond the general challenges faced in combatting cybercrime, there are challenges in (A) adapting current legal frameworks and (B) developing new, cybercrime-specific aspects and legal frameworks, while also (C) respecting constitutional limits. A. Adapting Current Legal Frameworks Developing cybercrime countermeasures requires building a sufficiently robust and flexible legal framework through legislative and regulatory action. That framework needs to provide law enforcement agencies with both procedural means and actual resources to fight cybercrime.3 Adapting pre-existing legislation that has not been specifically intended to deal with cybercrime often may be an option, even if not ideal. For example, in the United States anti-money-laundering (AML) and identity theft laws are being applied to their cyberspace analogs.4 Many other countries have adapted existing legislation by introducing provisions that extend existing laws to include criminal activity conducted on the internet or facilitated by the use of ICT. Short of legislative activity, the application of existing laws5 and concepts6 to cyberspace is dependent upon judicial interpretation of creative prosecutions; just how the prosecutors and the judiciary act, and interact, will be shaped by a country’s legal system, especially whether it is in the civil or common law approach, in the determination of essential values and overall policy.7 Technological developments present perennial challenge for combatting cybercrime. One that, though only nascent at best, deserves raising is the development of AI as combined with the creation of autonomous systems. It is not all that far in the future that one could foresee such systems being on such a level of sophistication that they are less “tools” and more as cognitive “minds”. For the purposes of the Toolkit, such advances have a particular potential bearing on understandings of criminal liability. As discussed further on, criminal liability requires two criminal components be satisfied: first, an objective, fact-based showing of an action, or actus reas, and, second, the accompanying, requisite mental state, or mens rea (“guilty mind”), which requires a subjective determination (see sections 1 D and 4 A, below). It is not inconceivable that AI could “commit” crimes in their own right, therein complicating mens rea assessments.8 Although AI is not presently subject to criminal liability, considering how it might be addressed should be borne in mind by governments—indeed, one model for doing as much might, for instance, be borrowed, from criminal liability of corporations. Case 1.4: United States v. Liberty Reserve (USA)9 Incorporated in 2006 in Costa Rica, Liberty Reserve was a centralized, digital currency service that operated its own currency exchange using a digital currency, commonly called the “LR”. The exchange allowed the anonymous transfer of client funds between third party payment exchange merchants and bank accounts. Liberty Reserve allowed clients to create Page 29  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents layered anonymity because of exceptionally lax identification requirements. Furthermore, they worked with unregulated money service businesses that operated using equally lax identification requirements. In doing so, Liberty Reserve charged fees for services rendered to clients, including currency exchanges and money transfers. Liberty Reserve became an ideal method for laundering and transferring monies internationally, with over US$6 billion were allegedly laundered through its channels. On 28 May 2013, prosecutors in the US Southern District of New York brought charges against seven individuals under the USA PATRIOT Act for money laundering and running an unlicensed financial transaction company. The provisions used to target those at Liberty Reserve were not specifically targeting cybercrime.10 The investigation involved operations in at least seventeen countries. This case is indicative both of the ease with which financial cybercrimes can be committed thanks to the connectivity of cyberspace, as well as the potentially very great financial gains that might be had from such crimes. B. Developing Developing Legal Frameworks Despite a wide range of efforts to create a favorable legal environment to tackle cybercrime, challenges persist to assuring adequate legal frameworks. These challenges include, among others, difficulties in: 1   Drafting new and clear11 cybercrime legislation after the recognition of an abuse of new technology and identification of criminal law gaps; 2   Developing procedures for e-evidence; 3   Ensuring the criminalization of new and developing types of internet crimes; 4   Introducing new investigative instruments in response to offenders’ growing use of ICTs to prepare and execute their offences; 5   Promoting technologically neutral laws12; and 6   Balancing security and rights.13 Box 1.1: Computer-facilitated Fraud Involving Illegally-obtained Online Game Items14 Through mobile phones with a built-in SIM card, and thus access to gamers’ IDs, Defendants would use stored credit to repeatedly and fraudulently purchase game products from the Page 30  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents acquired phones. Thereafter, the game items would be sold for money on an intermediary trading website. The Supreme Court of Korea read “game items” into the Game Industry Promotion Act: the “tangible and intangible results obtained through the use of game products [are] forbidden to make a business of exchanging such items”.15 The Court validated its position by looking to two different Enforcement Decrees for the Game Industry Promotion Act: first, the current Decree reads that “Game money or data, such as items, produced or acquired by using game products with personal information of another person”16; second, the former Decree read, “Game money or data, such as game items, produced or acquired by abnormal use of game products”.17 Thus, Korea has used both amendments and judicial interpretation to ensure that evolving forms of cybercrime remain criminalized. While countries are finding various means to criminalize the growing diversity of cybercrime, doubt has been expressed over the deterrent effect of current regulations.18 Part of the concern is cybercrime’s ubiquity and difficulties in identifying perpetrators and cross-jurisdictional prosecution.19 Additionally, however, is the concern that penalties are not sufficiently severe to deter criminal behavior.20 That said, anecdotal evidence suggests that this situation might be changing. Case 1.5: United States v. Albert Gonzalez (USA)21 On 25 March 2010, Albert Gonzalez, the so-called TJX hacker, was sentenced to twenty years in prison, the longest US prison term in history for hacking.22 Gonzalez engineered what was at the time the largest theft of credit and debit card information in US history (some eighty gigabytes of data), which resulted in the theft of over 130 million card numbers and costing individuals, companies and banks, and which amounted to nearly US$200 million in losses.23 The hacks involved the first known intrusions involving decryption of PIN codes, a key protective feature in bank card security in the United States. The sentence represents one of the toughest verdicts for both financial crimes and cybercrimes to date in the United States.24 Although sentences have been becoming increasingly robust, they have not played a significant role in reducing cybercrime due to difficulties in identifying, arresting and prosecuting offenders. Also, restitution orders are rarely, if ever, fully paid back.25 Page 31  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents III. Challenges of Additional Resources Before defining the term of cybercrime,26 it bears noting that (A) there are additional, noncriminal legal tools in preventing crime, (B) consumer awareness plays a role in preventing crime and (C) government efforts to combat cybercrime will have to involve public-private partnerships due to the important role of nonstate actors in the provision of infrastructure and cyber services Another, separate challenge is faced in (D) developing sufficient capacity to detect cybercriminal activities. A. Additional Legal Tools Criminalization is not the only option to combatting untoward cyber activity. Indeed, pursuant to the ultima ratio principle,27 criminal law should be used only as a last resort for dealing with a social ill. Both administrative and civil measures might be taken to combat errant cyber activity. Administrative measures that might be taken include ordering the removal of certain content, or the “closing down” of offensive websites (for instance, in combatting child pornography).28 Ordering an ISP to block access to the website might also be an option,29 although, as discussed further on, the internet’s transnationality limits the efficacy of such options. Removal of content and closing of websites may also interfere with domestic or foreign criminal investigations (or national security investigations), or such measures may hinder efforts to rescue trafficking victims if carried out without coordination. Additionally, many legal systems allow individual victims redress for damages in civil courts. Due to the cost and complexity, as well as shifting the burden from the state to the victim, civil sanctions are largely unused, except in the case of copyright violations.30 Other tools include the creation of a digital ID—for instance, in South Korea, these IDs, which are visible to law enforcement but not to the public, have helped to reduce incidences of cyberstalking and cyberbullying. B. The Consumer’s Role What roles and responsibilities do individuals have in combatting cybercrime? A growing body of literature recognizes the responsibilities of individuals to ensure they take proper precautions to secure their devices and data.31 As certain cybercrimes could be easily prevented through user caution and awareness, it has been argued that the user ought to be incentivized by the law to do so. Basic steps include using and maintaining up-to-date antiviral software, keeping personal devices clean of malware, maintaining up-to-date antiviral software, being mindful when opening emails and downloading files and being conscious of sharing personal information. Additional techniques include the use of strong passwords, two-step verification, personal identification numbers (PINs), encrypted communications, as well as keeping device Bluetooth and WiFi off when not in use. In many instances, virtual private networks (VPNs), which connect users to Page 32  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents a server, therein giving the appearance that the traffic is coming out of that source rather than from the user, might be used to improve privacy. By failing to take simple security actions, the user not only becomes a vulnerable target but also allows criminals to coopt electronic devices to conduct other malicious and criminal behavior, costs which are potentially both considerable and which are passed on to society.32 However, while many countries encourage the use of appropriate protection, only a few go so far as to sanction failure to use protection.33 Of greater concern than the role of the individual is the role of the private sector companies involved or operating critical infrastructure. Companies—frequently driven almost-exclusively by profit in the age of privatization—have proven themselves slow to invest the necessary resources in many aspects but quite notably in the area of industrial controls and security.34 Indeed, Kaspersky Labs found critical infrastructure companies still running 30-year-oId operating systems.35 In the United States, attempts to legislate requiring companies to maintain better security practices were stymied on the grounds that it would be too costly for businesses.36 Such infrastructural lacks have been aggravated by user apathy, with many companies operating industrial control systems not even changing the default passwords.37 C. Private Sector Cooperation The ease and speed of information-sharing between cybercriminals, and the disparateness of criminal activity, makes it difficult for either law enforcement or targets to keep up. As discussed in the previous section in greater depth (see section 1 B, above), cybercrime cannot be effectively combatted without cooperation between the public and private sectors.38 As cyberspace continues to develop, different investigative tools will be required of law enforcement, as dramatically shown in the FBI’s inability to independently unlock iPhone.39 Only partnerships with the private sector will make such possible. Box 1.2: WannaCry Ransomware Attack In May 2017, a huge cyberattack—described by Europol chief as “unprecedented in its scale”—affected more than 200,000 victims in over 150 countries.40 While the United Kingdom and Russia were the worst affected, the attack was global in nature, with large affected institutions including the UK’s National Health Service, Russia’s Interior Ministry, Germany’s rail network Deutsche Bahn, France’s car manufacturer Renault, Spain’s telecommunications operator Telefonica and US logistics giant FedEx. The virus, a worm-application, was paired with ransomware that takes control of users’ files and demands payments of US$300 in Bitcoin in order to unlock files and return control to users. What made this malware—having permutations on the name WannaCry and WannaCrypt—particularly virulent was its ability to move around a network by itself, Page 33  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents spreading itself within networks without relying on human activity to spread it.41 The attack was indiscriminate rather than targeted, with evidence suggesting a North Korean connection.42 The initial attacks were hindered by a 22-year-old UK security researcher—going by the name of MalwareTech for purposes of anonymity—who discovered an apparently unintentional “kill switch” to the malware.43 However, due to the relative ease of launching cyberattacks, and the great deal of money at stake, concerns persist that either attacks will be relaunched with the coded kill switch removed, or that subsequent attackers will learn from lessons from this experience.44 WannaCry is a weaponization of one of a series of system’s vulnerabilities first identified by the US National Security Agency (NSA),45 and which were stolen when the NSA was hacked46 and then leaked to the public in April 2017.47 Of that cache, it is the tool codenamed “EternalBlue” that appears to have been “the most significant factor” behind the WannaCry attack.48 Among other things, the attacks have reignited the debate over whether governments should disclose web or system vulnerabilities of which they become aware.49 The cyberattacks highlight the importance of user awareness. WannaCry appears to have capitalized upon outdated systems for which patches existed, and even to have targeted systems and sectors that might tend to run on legacy systems, such as healthcare and transport. The attacks emphasize that it is incumbent upon users—individual and institutional—to keep their systems up to date by installing the fixes—so-called “patches”— that developers, such as Microsoft or Apple, make available as they become aware of system weaknesses.51 In this instance, the attacks capitalized vulnerabilities in outdated Microsoft Window software; Microsoft had released security updates to patch this matter in April, and, responding to the attack, did so again on the day of this attack.52 As ransomware attacks grew by fifty-one percent last year,53 the threat seems unlikely to abate. “This [problem] is one in which what’s broken is the system by which we fix”, said Professor Zeynep Tufeki of the University of North Carolina.54 D. Detecting Cybercrime Detecting cybercrimes is challenging because, first, the victim may have no idea that a crime has occurred, and, second, cybercriminals are wont to operate behind multiple layers of fake identities and often operate out of nation-states having either limited cybercrime-fighting capacity, or limited interested in taking on such a fight.54 It is generally difficult to detect system security breaches before any visible damage—such as the fraudulent transferring of a victim’s funds—has been done. Moreover, much of the damage can be done simply by surveilling—for instance, in the collection of personal information or metadata for use in identity theft. Moreover, even where a breach has been identified, hackers often hide their identities through the use of various tools. Further difficulties Page 34  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents arise where “acts that might previously have been considered civilian attacks are […] uncovered as acts of states against states via nonstate actor proxies”.56 Encryption is also an issue. Data can be increasingly stored and sent in an encrypted form. Of particular note is end-to-end encryption (E2EE), which is becoming increasingly common, if not quite (yet) the norm.57 With traditional encryption methods, the facilitator—that is, the company, transmitter or ISP—itself holds the cryptographic key. As a result, anyone compromising the facilitator’s systems has access to the cryptographic key, and thus to the data of all individual users relying on the facilitator’s resources. By contrast, E2EE securitizes communications on an individual basis. E2EE creates two complementary cryptographic keys (rather than one, common key, as is in traditional encryption). Those keys are with the communicating parties and the communicating parties alone58: the decryption key (a “private” or “secret” key) never leaves the user’s device, while the encryption key (a “public” key) can be shared with those sending messages to the user.59 With this protection in place, only those directly communicating can read the messages, thereby preventing even successful eavesdroppers from understanding the message’s garbled contents. Successful eavesdroppers would be forced to independently decrypt the data. However, the possibility of independently decrypting captured E2EE-protected data is increasingly unlikely, as the possible number of decryption combinations has increased exponentially. Indeed, the possibility of cracking an encrypted message—typically done through a cryptanalytic attack, known as a brute- force attack or an exhaustive key search—has become challenging to the point of near-impossibility, even with sophisticated software.60 Although E2EE is still susceptible to so-called man-in-the-middle attacks (whereby the interceptor impersonates the recipient, attempting to encrypt the message with his public key instead of the one intended by the sender), E2EE has substantially reduced the viability of illegally intercepting data.61 Deciphering by interlopers is made more difficult by features such as PFS-perfect forward secrecy, which create new encryption keys for each message sent.62 As a result, intercepting data being sent between devices is generally less valuable than being able to read the data on the device, either before encrypting and sending or after receiving and decrypting. Box 1.3: Understanding Encryption Encryption methods are rendering it increasingly difficult for those intercepting data to decipher the data.63 For instance, the factorization of a 256-bit AES key64—which the NSA requires for data classified up to Top Secret, and which is used by many other third-party providers, including WhatsApp—has 256-bit possible options: that is, any sequence of 256 bits is a potential key, and there is no internal structure to those 256 bits.65 One byte—equivalent to two nibbles or eight bits—can hold 256 different states, possibilities or values. Each bit has one of two values: 0 or 1. The number combination exponentially increases the number of potential sequences. Page 35  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents For example, there are sixteen possible key combinations for a 4-bit sequence: 0000  0, 0100  4, 1000  8, 1100  12, 0001  1, 0101  5, 1001  9, 1101  13, 0010  2, 0110  6, 1010  10, 1110  14, 0011  3, 0110  7, 1011  11, 1111  15. The above assessment is based on a binary computing; however, quantum computing, which uses “quibits” instead of bits, would transform binary form into a multidimensional manner (see section 2 A, below). Steady improvements in computer power have resulted in the periodic increasing in the length of number-based keys, meaning that encryption has a shelf life and is rapidly becoming more vulnerable. Quantum computing is set to disrupt present understandings and significantly complicate matters. Quantum communication embeds the encryption key not in code but in photons (that is, particles of light). In addition to dramatically heightening system security, the so-called “quantum key distribution” means that interception by would-be hackers necessarily alters or destroys the particles of light, making any attempt at hacking immediately noticeable.66 Critics have claimed that E2EE plays potential havoc with investigations by law enforcement, as even third parties involved in transmitting messages—telecom companies, ISPs, the application administrators and the sort—do not have anything more than the garbled, encrypted data, and thus, are no more capable of understanding communications than are any eavesdroppers. Such technological compromises have led law enforcement to press IT companies to design so-called “back doors” that would allow the reading of communications. Many companies boast using E2EE, with WhatsApp perhaps being the most visible of late.67 The flipside of these developments is that governments sometimes restrict the key size that apps may use. For instance, India restricts ISPs and TSPs to 40-bit key length (relatively low security).68 Encryption techniques are becoming increasingly complex. One of particular note is that of the “one-time pad” (OTP), which relies the exchange of a one-time, truly random, never reused (neither in part or in whole) pre-shared key that is at least as long as the message that has been sent.69 It has been argued that such encryption algorithms would create mathematically “unbreakable” ciphertexts. Be that as it may, practical problems and limitations have prevented OTPs from becoming widely used. IV. Challenges to International Interoperability In a world of increasing transnational conduct, improving (A) international cooperation and addressing (B) jurisdictional and conflict of laws issues are paramount to facilitating international interoperability of frameworks developed to combat cybercrime. Page 36  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents A. International Cooperation As cybercrime defies traditional notions of geography and mobility, traditional definitions of jurisdiction have become insufficient. As discussed further on, various efforts have been undertaken to mitigate harder, limiting notions of jurisdiction (see sections 2 E and 3 A, below). Certain international legal instruments have been influential in harmonizing legislation.70 European instruments have been particularly impactful on national legislations, especially the CoE Convention on Cybercrime (commonly known as the “Budapest Convention”),71 which has had an impact on legislation even in those states that have not ratified it; the European Council Framework Decision 2005/222/JHA on attacks against information systems72; and European Council Framework Decision 2004/68/JHA on the sexual exploitation of children and child pornography.73 The EU Data Retention Directive 2006/24/CE74 has also had a great impact; however, on 8 April 2014, the Court of Justice of the European Union (CJEU) declared the Directive invalid in response to a case brought against Irish authorities.75 In general, there has been a remarkable degree of convergence of various multilateral instruments on cybercrime in criminalizing acts against the confidentiality, integrity and availability of computer data and systems. In addition to the aforementioned European measures, multilateral instruments connected with the African Union (AU), the League of Arab States(Arab League), the Economic Community of West African States (ECOWAS), the Common Market for Eastern and Southern Africa (COMESA), the Commonwealth Secretariat (COMSEC) and the International Telecommunications Union (ITU) all criminalize illegal access to: a computer system, illegal interception, illegal computer data and system interference and the misuse of devices.76 On the other hand, other offences, such as illegally remaining in a computer system to date, have received considerably less support. Remarkably, identity theft has not been universally condemned in multilateral instruments, nor have extortion, spam, harassment, stalking or bullying.77 Other areas receiving little demand to be classified as crimes in international treaties include: ƒƒ Violation of data protection measures for personal information; ƒƒ Breach of confidentiality; ƒƒ Use of forged or fraudulently obtained data; ƒƒ Illicit use of electronic payment tools; ƒƒ Acts against privacy; disclosure of details of an investigation; and ƒƒ Failure to permit assistance.78 When it comes to computer-related acts, two categories—forgery and fraud—are widely criminalized, although neither the CIS nor the COMSEC have criminalized such actions. Computer solicitation or grooming of children has been included only in the CoE Convention on Protection of Children against Sexual Exploitation and Sexual Abuse (the “Lanzarote Convention”),79 the first Page 37  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents international treaty that addresses child sexual abuse that occurs within the home or family. As to computer content-related acts, the most frequently criminalized acts are those involving child pornography and, to a lesser extent, dissemination of racist and xenophobic materials and related threats and insults.80 Genocide, terrorism, pornography (including facilitating access of a child to pornography), gambling, money laundering and illicit trafficking using electronic media technologies have been very rarely criminalized as cybercrime to date.81 Addressing a very specific form of crime via a treaty may not, however, be advisable: 1   First, of course, countries are free to criminalize whatever conduct they see fit, whether or not a treaty exists. 2   Second, since treaties are relatively inflexible, countries may wish to wait to see if a crime trend persists and is serious or to discern how best to frame a criminal provision. Importantly, many of the crimes above may be addressed by a non-cybercrime treaty (genocide, terrorism, etc.) or by a cybercrime treaty or domestic statute in a different guise (acts against privacy may be covered by illegal access; extortion may be covered by an ordinary criminal statute; illicit use of electronic payment tools may be covered by misuse or possession of access devices; etc.) 3   Finally, crimes that are defined more generally will often be easier to prosecute and prove because they demand fewer specific elements. International cooperation, essential for effective cybercrime prevention and prosecution, has been largely supported by the international community. One such example is Operation Blue Amber, which, in a series of international actions, tackled organized crime in various locations across the world (see box 1.4, below).82 Having said as much, several individual countries have already criminalized many of the aforementioned behaviors. On the other hand, ratification of treaties is frequently predicated on “Reservations”, whereby ratifying countries decline to accept one or more of the treaty’s clauses, or whereby the treaty’s implementation is subordinated to domestic law.83 Such reservations are most typically used to assert that the treaty is limited to the state’s constitutional interpretation, or for where the treaty will be made subject to domestic enabling legislation that places limits on treaty applicability and enforcement. While the number of ratifications may give the mistaken impression of widespread acceptance and enforcement, Reservations can effectively gut a treaty of its most important provisions. It is for this reason that the Budapest Convention strictly limits the Reservations that may be taken.84 Box 1.4: Operation Blue Amber Police arrested 130 suspects in connection with cyberfraud, including fraudulent online purchases of airline tickets using stolen credit card data at 140 airports around the world in Page 38  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents an international law enforcement operation. The operation was coordinated through Europol in The Hague, the Netherlands, INTERPOL in Singapore and Ameripol in Bogota, Columbia with support from Canadian and US law enforcement authorities. Increased commitment from law enforcement agencies, private sector and international organizations enabled the operation to be conducted at airports in twenty-five countries in Europe and twenty-four other countries in Asia, Australia, America and Africa. The operation against airline fraudsters is part of Operation Blue Amber, a series of international actions tackling organized crime in various locations across the world. Europol said it will continue to support EU Member States, working closely with the private sector and other international organizations, to improve security at the airports by fighting this type of online fraud. B. Jurisdictional Challenges As already mentioned, jurisdictional and cooperation issues frequently hinder investigation and prosecution.85 Law enforcement agencies are usually jurisdictionally restricted and therefore rely on foreign agencies or international agreements to pursue multinational cybercriminals and prosecute them.86 This problem is exacerbated in comparison to traditional crimes largely due to the transnational nature of not just the cyberspace but also of various internet actors, especially ISPs.87 Procedures for international cooperation also create obstacles. Extradition, mutual assistance, mutual assistance for provisional measures, trans-border access to stored computer data and communication networks for investigations are all problematic areas. Non-participation in cross- jurisdictional information sharing agreements has far reaching consequences. For example, not being party to such an agreement may limit the ability of authorities to retrieve information and metadata, such as on cyberattacks their nature, extent and trend. Such difficulties are especially evident when the servers are physically located in foreign jurisdictions with either rigid or nonexistent laws.88 Case 1.6: United States v. Aleksandr Andreevich Panin (“SpyEye”)89 SpyEye is a prolific type of Trojan malware that is estimated to have infected more than 1.4 million computers, resulting in losses of at least US$5 million between 2009 and 2011. SpyEye was developed by Aleksandr Panin, a Russian programmer who was the primary developer and malware distributor, and Hamza Bendelladj, an Algerian hacker. ”One of the most professional and successful malware families”, SpyEye even offered buyers regular version updates and betas.90 The SpyEye code operated by secretly infecting victims’ devices, enabling cybercriminals to remotely control those devices through so-called Page 39  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents command and control (C2) servers.91 SpyEye could be tailored to obtain victims’ personal and financial information, with version of the software being sold—on an invite-only basis—for between $1000 and $8500 to at least 150 clients. Ultimately, Defendants sold SpyEye to an undercover FBI agent.92 US authorities indicted Defendants on the grounds of the impact of SpyEye on US interests and on the presence of a control hub in Georgia, and sought extradition for criminal proceedings. For a period of years, Defendants were tracked by a consortium of law enforcement agencies (UK, US, Thai, Dutch, Dominican, Bulgarian, Australian), as aided by several private sector entities (Trend Micro, Dell Secureworks, Trusteer, Underworld.no), and supported by INTERPOL. Following the arrests of Panin and Bendelladj in the Dominican Republic and Thailand, respectively, Defendants were transported to the United States for trial.93 Both pled guilty and were sentenced to a combined twenty-four years and six months in prison.94 The SpyEye case shows the multinational nature of cybercrime and the barriers hindering prosecution. Notably, the absence of a formal extradition agreement between Russia and the United States, along with jurisdictional issues, caused substantial hindrance. On the other hand, the case also illustrates the potential that cooperation and partnerships—both on the international level and between the public and private sectors—can have.95 V. Safeguards Building cyberspace requires attention to implementing the necessary safeguards. Fundamentally, (A) legal limits, notably constitutional and human rights laws,96 must be respected even as appropriate security is implemented. With that in mind, safeguards can be developed to protect (B) both the environment of cyberspace itself by protecting against excessive data collection, as well as by protecting users and their data. Attention must be given to protecting the basic interests of users as members of society by assuring (C) the constituent parts of freedom of communication, namely, freedom of opinion and expression and freedom of information. A. Respecting Constitutional Limits Although discussed in greater depth in section 4 A, specific mention needs to be made to preserving and respecting constitutional guarantees and limits in this context, namely the challenges of developing legal frameworks.97 Any criminalization of communications in cyberspace is potentially in conflict with freedom of expression, a constitutional right in most countries, as well as being a limit on both the freedoms of Page 40  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents the press and of artistic expression.98 Infringements of these basic rights are permissible only if they are proportionate to the danger that they seek to combat.99 Some countries have constitutionalized the so-called “harm principle”,100 which more generally limits the scope of the criminal law to conduct that is harmful or imminently dangerous to an interest worthy of protection.101 Many of the limits placed on state action to secure cyberspace exist and are supported in international law, which is binding law on States Parties (see section 5 A, below). It should be born in mind that criminal law generally requires not only a guilty act (“actus reus”) but a concurrently guilty mental state (“mens rea”) for culpability to attach (see section 1 D, above),.102 Such elements of the crime also must be respected in cybercriminal prosecutions (see section 2 A, below). B. Balancing Data Collection with Data Protection For cyberspace to remain open and free, the same norms, principles and values that are upheld offline must apply online. Fundamental rights and the rule of law need to be protected in cyberspace. Data protection is about safeguarding the fundamental right to privacy, a right enshrined in numerous international and regional instruments. However, according to the United Nations Conference on Trade and Development (UNCTAD), only 107 countries had privacy laws or bills in place as of 2014.103 Other countries have privacy laws governing select areas—for example, children or financial records—but not a comprehensive law.104 Data collection is commonly understood as securing any personal information that is automatically collected, processed and stored. It is essential that data protection laws restrain and shape data collection, managing and storage activities conducted by both companies and governments. Past behavior shows that, unless restrictive rules are in place, both public and private sector entities will collect, mine and store as much information as possible without necessarily even informing the public of such activities.105 Our freedoms and prosperity increasingly depend on a robust and innovative internet, which will continue to flourish if private sector innovation and civil society drive its growth. But freedom online requires safety and security too. Cyberspace should be protected from incidents, malicious activities and misuse. Governments have several tasks vis-à-vis cyberspace: ƒƒ To safeguard access and openness; ƒƒ To respect and protect fundamental rights online; and ƒƒ To maintain the reliability and interoperability of the internet. As discussed, because the private sector owns and operates significant parts of the infrastructure creating cyberspace, any initiative addressing data collection and protection should engage with the private sector. Page 41  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents C. Freedom of Communication As discussed in greater depth further on (see section 5 A, below), freedom of communication relies on two complementary rights: (1) the freedom of opinion and expression, which is the fundamental right to feel, think and believe and to express oneself, and (2) the freedom of information, which is a fundamental prerequisite to allowing the creation of full and informed opinions and allowing self- expression. 1. Freedom of Opinion and Expression Freedom of opinion and expression is a fundamental right, declared in a number of instruments, including in the Universal Declaration of Human Rights (1948),106 the International Covenant on Civil and Political Rights (1966)107 and the American Convention on Human Rights (1969).108 The internet has been revolutionary in many ways but especially in terms of facilitating communication and freedom of expression. The internet has significantly expanded the meaning of that right, allowing instant, inexpensive communication to almost everyone, dramatically impacting journalism, access to information and knowledge sharing and ideation.109 Nevertheless, freedom of opinion and expression has been suppressed in countries for various reasons including public safety, breach of confidentiality, defamation, threats to person or property, terrorism, incitement to genocide, incitement to religious hatred and child pornography.110 The internet’s configuration and architecture have greatly impacted the flow of information, as well as what level of control can be exerted over it. First developed by the US military as part of the Pentagon’s Advanced Research Projects Agency Network (or “Arpanet”) program to create a command and communication contingency in the midst of war,111 the internet was developed to be flexible, decentralized, open and neutral. That architecture, which has fostered for rapid growth and amazing creativity, should be preserved. As such, any regulations should be designed in dialogue with all stakeholders and, fundamentally, should seek to maintain the basic characteristics of democratization, universality and nondiscriminatory access. Efforts should be made to assure that the special characteristics that have made the internet a rich medium for growing democratic, open, plural and expansive exercising of expression are protected. Such an understanding has been recognized at the international level: jointly, the UN Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Cooperation in Europe (OSCE) Representative on Freedom of the Media, the Organization of American States (OAS) Special Rapporteur on Freedom of Expression and the African Commission on Human and Peoples’ Rights (ACHPR) Special Rapporteur on Freedom of Expression and Access to Information have recognized that “[a]pproaches to regulation developed for other means of communication—such as telephony or broadcasting—cannot simply be transferred to the internet but, rather, need to be specifically designed for it”.112 Page 42  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents The UN Human Rights Council in 2012 declared that freedom of expression on the internet is a basic human right and affirmed that people have the same rights online that they have offline.113 That view was reaffirmed in 2016 regarding the importance of promoting, protecting and enjoying human rights on the internet, including privacy and freedom of expression.114 2. Freedom of Information Access to, or freedom of, information (FOI), or the right to information, is a corollary to freedom of expression that looks to inform the citizenry on government action. It is the right to access information held by public bodies, and includes the right to seek, receive and impart information and ideas. The UN General Assembly, in its very first session in 1946, recognized it as essential to the underpinning of democracy, adopting a resolution stating that “Freedom of information is a fundamental human right[, …] the touchstone of all the freedoms to which the United Nations is consecrated.”115 Elaborating on this statement, the UN Special Rapporteur on Freedom of Opinion and Expression had the following to say: “Freedom will be bereft of all effectiveness if the people have no access to information. Access to information is basic to the democratic way of life. The tendency to withhold information from the people at large is therefore to be strongly checked.”116 Functional polities rely on civic participation and on individuals being able access to information held by various public bodies; that information allows individuals to be aware of, involved in and responsive to public activities. Such information ranges from interpretations of applicable laws to details on economic, social, or public concerns. A central tenet to the rule of law117—the notion that all, including the government, are subject to the law118—, access to information makes transparency, accountability and participation—the so-called TAP principles—possible. In addition to being key tools for combatting corruption, the TAP principles increase government efficiency and responsiveness, and build civic trust.119 Accessing public information is not only a right of every person but also necessary to making informed decisions and to living an autonomous life.120 It bears noting that right is not absolute and that freedom of information may need to be limited in certain instances, such the public interest.121 Access to information legislation should reflect the fundamental premise that all information held by governments and governmental institutions is in principle public and may only be exceptionally withheld, such as for reasons of privacy or security. There is a global trend to recognize the right to information, and, since 1990, the number of countries with such legislation has grown from thirteen to ninety-five.122 Page 43  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents Conclusion This subchapter has given an overview of challenges facing law enforcement in combatting cybercrime. Those challenges come in all forms, ranging from the basic and general—yet perfidious—challenges associated with the nature of ICT and the development of cyberspace, to challenges in developing legal frameworks that both respect exist existing legal frameworks and yet which can accommodate the diverse novelties of cyberspace. Public safety and security in the analog world is, as the WDR aptly notes, a public good which governments are obliged to ensure.123 However, while it is a unique public good so much of the analog world—its data, communications and critical infrastructure—is controlled by the private sector or other nonstate actors.124 Thus, beyond taking the traditional tacks of acting through policies, laws and institutions, governments must also seek additional resources, including informing consumers and engaging the private sector. Having appropriately organized themselves, governments then face the challenge of assuring international interoperability. Jurisdictional and international cooperation issues create substantial difficulties to investigating and prosecuting multinational cybercrime cases. Moreover, challenges of certain states operating under insufficiently cybercrime-specific legal frameworks often hinders combatting transnational acts. Page 44  |  Chapter 1  |  § C. Challenges to Fighting Cybercrime Table of Contents CHAPTER 1 D. Framework for a Capacity-building Program Table of Contents Introduction 45 I. Objectives of Cybercrime Capacity-building Programs 46 A. Rationale & Objectives 47 B. Supporting a Process of Change 47 II. Elements of Capacity-building Programs 47 A. Producing an Overarching Cybercrime Policy & Strategy 48 B. Developing Cybercrime-specific Legislation 49 C. Creating Specialized Cybercrime Units 50 Conclusion 50 Introduction Capacity-building programs require resources. Although many sectors are competing for scarce resources, there is increasing recognition that at least some of those resources are urgently needed to combat cybercrime. There are several reasons for building such capacity—and just as many ways that capacity can be built. The Toolkit at large, and its Assessment Tool in particular (see section 7, below), aim to provide evidence and direction for implementing targeted capacity building. At a high level, some of the main reasons for allocating scarce resources to cybercrime capacity-building programs include the following: ƒƒ Societies are increasingly reliant on ICT. As discussed (see sections 1 A and 1 B, above), society writ large is increasingly reliant on ICT for all manner of activities, and ICTs are used in support of all manner of ventures, both public and private. Many have become dependent on the existence of ICT in their day-to-day lives. Every region of the world has experienced massive growth in internet usage,1 largely facilitated by the increased availability of broadband connections and the growing use of internet-enabled mobile phones and related applications.2 That growth has created spaces for all sorts of development—both economic and commercial, as well as individual and social. As such, ensuring the security of, and confidence and trust in, ICTs and ICT systems should be a priority of any government. ƒƒ e-Evidence’s ubiquity in all crime-types. Cybercrime is no longer a peripheral phenomenon. The more ICTs are used, the more criminals seek to exploit corresponding—and ever- developing—vulnerabilities. As the division between crimes occurring in the “cyber” world and those in the “real” one continues to blur,3 ICTs are increasingly holding evidence, direct Page 45  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents or tangential, that is relevant not only to cybercrime but to any crime.4 Thus, regardless of the matter, law enforcement officers, prosecutors and judges are already frequently confronted with e-evidence; such is the case not only in criminal matters but also in commercial, civil, labor and other matters. Capacity-building programs can help criminal justice authorities to meet these challenges, for example, through training and institution-building and by mainstreaming the issues of cybercrime and e-evidence into law enforcement and judicial training curricula. ƒƒ Cybercrime capacity-building programs improve rule of law and civil and human rights safeguards. Many governments are adopting cybersecurity strategies with the primary purpose of protecting critical information infrastructure. Capacity-building programs on cybercrime can support a crucial element of cybersecurity strategies, especially responding to attacks against the confidentiality and integrity of ICT systems and services. Such programs can also help governments meet their positive obligation to protect people from all types of crime, including murder, human trafficking, sexual violence and other types of violent crime, as well as fraud, corruption, drug trafficking, extortion, stalking or theft (see section 1 B, above). When governments take action against cybercrime they must respect rule of law and civil and human rights requirements. Investigative powers must be limited by conditions and safeguards.5 The preservation, analysis and presentation of e-evidence must follow clear rules to serve as evidence in court. Strengthening the focus on the criminal justice response to cyberattacks may help improve both rule of law and civil and human rights safeguards,6 both at large and with regard to cyberspace. Correspondingly, capacity-building programs should furthermore strengthen regulations and mechanisms for the protection of personal data, a dimension that is particularly important given that much of the most sensitive of personal data is nowadays stored in electronic form (see section 2 D, below). In short, such programs not only protect people against crime but also protect their rights. ƒƒ Cybercrime capacity-building programs facilitate human development and improve governance. ICTs can be “powerful tools for human development and poverty reduction”, something that cybercrime capacity-building programs might help societies realize.7 Relatedly, strengthening confidence, trust, security and reliability of ICT and of ICT systems will facilitate economic development and access to education and sharing of information.8 Effective criminal justice systems enhance the physical security and health of individuals, for example, by protecting children against sexual exploitation and abuse, by preventing the distribution of counterfeit and substandard medicines or by protecting people against crime in general. Increased adherence to rule of law contributes to democratic governance and reduces undue interference in individual rights. I. Objectives of Cybercrime Capacity-building Programs In promoting cybercrime capacity-building programs, it is important to begin by (A) understanding the rationale and objectives of such programs, and (B) using such programs as a “process of change” that may go well beyond cybercrime. Page 46  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents A. Rationale & Objectives Cybercrime capacity-building programs generally focus on strengthening the response of criminal justice actors to various forms of cybercrime. Once a crime has been committed, ICT-stored- evidence must be preserved and protected (see section 2 C, below). Cybercrime and e-evidence are transversal and transnational challenges requiring cooperation at all levels: interagency, public/ private (in particular law enforcement/internet service provider) and international cooperation. Strengthening these various avenues of cooperation should be reflected in the objectives of any capacity-building program. B. Supporting a Process of Change As with any other capacity-building program requiring technical cooperation, cybercrime capacity- building programs are implemented to support processes of change. To take effect, such processes, as well as their objectives and expected outcomes, must be not only defined but also “owned” by the institution receiving support. Doing so creates an institution-wide “culture”, one which is exemplified by leadership from above and which is implemented at all levels.9 Without commitment from the top to a clearly defined process of change, it will be difficult for the larger institutional “cultural” issues to take root. For example, while ad hoc training courses for judges and prosecutors might well be beneficial to the participants, without a sustained effort, it may have limited impact on the system with temporary results. By contrast, a more holistic, sustained and longer-term approach is preferable. For example, such a sustained effort methodically develops a capacity-building program that begins by training trainers, piloting courses, including standardized training materials and integrating curricula across institutions having shared or related competencies for cybercrime. Additionally, once a defined strategy is in place, donors can better coordinate their inputs in a complementary and more effective manner. II. Elements of Capacity-building Programs As described in sections 1 B and 1 C, above, cybercrime is a large and broad topic. Accordingly, capacity-building programs targeting cybercrime should be likewise encompassing. Areas of focus might include (A) elaborating cybercrime policies and strategies, (B) elaborating effective, cybercrime-specific legislation, (C) creating cybercrime specialized law enforcement units, (D) training government authorities and personnel in cybercrime matters, (E) encouraging cooperation between the public and private sectors and (F) furthering international cooperation. Page 47  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents A. Producing an Overarching Cybercrime Policy & Strategy The basis for any good approach to cybercrime is the development of effective policies based on stakeholder consultations, and which include comprehensive strategies and actions plans. Such policies, strategies and action plans might include the following elements: Engaged decision-makers. It is essential that decision-makers in government and affected 1   organizations understand both the varied risks and the corresponding options, and that they manage to agree on setting strategic priorities. Synergistic cybersecurity strategies. Cybercrime and cybersecurity strategies are interrelated 2   and mutually reinforcing. As such, synergies and links must be explicitly identified, ensuring coherence. Multi-stakeholder participation in strategy elaboration. As cybercrime and cybersecurity 3   implicate the entirety of society, part of the challenge in developing effective policies and strategies is ensuring the active participation of diverse stakeholders from both the public and private sectors. Approaches support human rights and rule of law requirements. A criminal justice response 4   to cybercrime implies a rule of law rationale; as such, rule of law requirements need to be respected and promoted as do general respect and promotion of human rights. As discussed (see section 4 A and 4 B, below), an appropriate balance between combatting crime and ensuring human-rights safeguards is central to the success of any strategy. Cybercrime strategies require vertical and horizontal management. Once a cybercrime 5   policy has been developed, the implementation of the ensuing cybercrime strategy begins. That implementation process is a complex one, involving many stakeholders and actors. Effective operationalization requires good management, both vertically and horizontally, clear information sharing and extensive coordination. The progress, results and impact must all be assessed in order to for any corrective measures to take effect, as well as to justify the allocation of resources. Concerted alignment of donor contributions and partner cooperation. The development of 6   a clear cybercrime policy, and subsequent implementation of the resulting cybercrime strategy, create a clear path for donors and other partners to provide support. Doing so will increasingly crystalize and clarify the anticipated change process that is desired. Moreover, encouraging such cooperation can lead to faster learning of lessons. Page 48  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents Many donors require that a policy be in place before approving technical assistance and undertaking capacity-building programs. That said, a program might be structured such that the development of a strategy on cybercrime is a central objective. For instance, CoE considers an official request for accession to the Budapest Convention to represent the government’s commitment that in turn justifies capacity-building activities that would support the treaty’s full implementation.10 B. Developing Cybercrime-specific Legislation While cybercrime policies create the overall story, a central element to fighting any criminal activity must be based in the law. As such, criminal justice measures targeting cybercrime and e-evidence must be enshrined in the law. Also, while the responsibility for creating such legislation lies with public representatives and authorities, they should be supported by other stakeholders, public and private, in the appropriate tailoring, targeting and wording of any such legislation. Such legislation is a central part to furthering interoperability (see section 3 A, below). Domestic cybercrime legislation would address the following areas:11 Substantive law measures. The central plank and basis of the law is the development of, 1   on the one hand, what substantive legal rights and responsibilities surround a matter, and, on the other hand, what actions are disallowed. Substantive legal matters govern society’s behavior, and include, for instance, not only what actions and activities are disallowed, but also what is the requisite mental state, or mens rea, a perpetrator must have in order to be found culpable (see section 1 C, above). While much of criminal law differentiates between “general” intent (that is, the aim to commit a prohibited act) and “specific” intent (that is, the aim to commit both a prohibited act and aim to cause a particular effect resulting from that act),12 cybercrime generally does not, requiring general intent alone.13 Procedural law tools. Having laid out prescribed and prohibited behaviors, the law 2   must carefully discuss and delineate the associate procedural aspects, which include the procedures for investigating crime and enforcing the substantive law. Procedural tools also largely govern what powers lie with the authorities. 3  Safeguards. Due to the increased pervasiveness of the cyberactivity in all areas of the physical world, attempts to regulate a person’s comportment in cyberspace must be careful not to become excessively expansive and infringe on other rights. As such, any law combatting cybercrime must pay careful attention establishing appropriate safeguards and the conditions under and by which investigative powers might be exercised.  nternational cooperation. The developed legislation must not only be inward or domestic- 4  I looking, but should also include provisions for international cooperation. To this end, international conventions, notably the Budapest Convention, offer both substantial guidance and structure.14 Page 49  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents C. Creating Specialized Cybercrime Units The investigation of cybercrime and forensic analysis of e- evidence and the prosecution of cybercrime require specific skills (see section 2 D, below). Authorities—investigatory, prosecutorial, judicial and advisory—should be supported in the setting up or strengthening of units that offer specialized support. Relatedly, mechanisms for assuring feedback and information sharing among agencies and units must be developed. Particular attention should be paid to assuring that there is sufficient expertise among law enforcement authorities. Particular points of interest include (1) police-type cybercrime or high-tech units with strategic and operational responsibilities, (2) prosecution-type cybercrime units and (3) most generally, developing computer forensic resources for other law enforcement agencies that may not be created with the goal of tackling cybercrime, by either embedding small specialized units within, or by creating separate structures, or, at minimum, by creating focal points and procedures for looping specialized units into matters, wherever appropriate. Because cybercrime is not a “siloed” area of concern, it should be expected that even non-specialized units will have to be able to utilize e-evidence in non-computer crime, physical-world cases. As such, while certain tasks will necessarily require handling by trained specialists, many impediments could be prophylactically overcome by having these specialized units disseminate their knowledge and skills to the entirety of their agencies; indeed, in many case, knowledge dissemination might merely entail spreading awareness. Beyond the law enforcement authorities, the judiciary should also have a place of recourse for matters of cybercrime. However, unlike with law enforcement authorities, setting up specialized cybercrime courts is not a preferable solution because the near-ubiquity of e-evidence means that all judges will have to consider such matters, regardless of the nature of the case in question. Good practices have shown that a better first step is to train some judges, and to use those judges as focal points for acting as a resource and disseminating knowledge more widely. More generally, it is important that interagency cooperation be facilitated and actively encouraged. Such a unifying and integrative element is essential, as, to be effective, cybercrime units must cooperate both with other police services (such as economic crime units, child protection units) and with other institutions (such as financial intelligence units, CIRTs). Conclusion To support cybersecurity is to support and increase society’s ability to grow more robustly and more equitably. Cybercrime capacity-building is an essential element therein. And while resource-scarcity is a concern for all governments and institutions, it is generally—and increasingly—recognized that cybercrime capacity-building programs cannot be left unattended. Reasons for supporting cybercrime capacity-building include the great and growing reliance of society writ large on ICTs, Page 50  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents and the ubiquity of e-evidence in all crime-types; developing such capacity has the tangential benefits of improving rule of law and human rights safeguards, as well as bolstering civil rights at large, facilitating human development and improving governance. Cybercrime capacity-building programs are intended to support change. To that end, there must be a “culture of change” which, though initiated at certain points, must extend throughout all branches government. It must be owned by those in positions of authority, and administered and implemented in a coherent, holistic manner, as opposed to in a spotty, ad hoc fashion. Producing an effective cybercrime capacity-building program requires a diversity of elements. At a fundamental level, both an overarching cybercrime policy and a strategy for implementation must be developed. Doing so will engage decision-makers, create synergistic cybersecurity strategies, support human rights and rule of law requirements. To be effective, the policy must increase multi- stakeholder participation in strategy elaboration, and that strategy must be effectively managed in both a vertical and horizontal sense. Relatedly, contributions by donors and cooperation with partners must align with that strategy in a concerted manner. That overall cybercrime policy and implementation strategy should be embodied in cybercrime- specific legislation. Although applicable to all aspects of cybersecurity, such is particularly true for the criminal aspects. Doing so requires the development and legislating of substantive law measures, building of procedural law tools, the creation of safeguards for rights and the opening up of a national system into one that not only allows for but which facilitates international cooperation. Lastly, cybercrime capacity-building programs can focus on creating specialized cybercrime units. Such units can, in turn, act to catalysts and educators in their own right, first, by taking on discrete cybersecurity activities, and, second, raising understanding and awareness among their peers and counterparts across all branches of government. Page 51  |  Chapter 1  |  § D. Framework for a Capacity-building Program Table of Contents End Notes Referenced in: § A. Purpose of 12. See, e.g., “Warsaw Summit Communiqué, Toolkit Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in Warsaw 1. ”Infographic: McAfee Labs Threats 8–9 July 2016: Press Release (2016),” Report,” McAfee, (Mar. 2016), at https:// North Atlantic Treaty Organisation www.mcafee.com/us/resources/misc/ (NATO), (9 Jul. 2016) [hereafter, “Warsaw infographic-threats-report-mar-2016.pdf. Summit Communiqué], para. 70, at http:// www.nato.int/cps/en/natohq/official_ 2. Jim Finkle, “SWIFT Discloses More Cyber- texts_133169.htm. Thefts, Pressures Banks on Security,” Reuters, (31 Aug. 2016), at http://www. reuters.com/article/us-cyber-heist-swift- idUSKCN11600C. 3. Vindu Goel & Nicole Perlroth, “Yahoo Says 1 Billion User Accounts Were Hacked,” (14 Dec. 2016), at https://www. nytimes.com/2016/12/14/technology/ yahoo-hack.html?mcubz=0. 4. UN Interregional Crime and Justice Research Institute (UNICRI), Cybercrime: Risks for the Economy and Enterprises at the EU and Italian Level, (Turin: UNICRI, 2014), at http://www.unicri.it/in_focus/ files/Criminalita_informatica_inglese.pdf. 5. Ibid. 6. Ibid. 7. As discussed below, some acts that might otherwise constitute cybercrime, or that with the passage of time are revealed to be acts of states against states, and that might be characterized as cyberterrorism or cyberwarfare, are beyond the scope of this Toolkit. 8. See http://www.combattingcybercrime. org. 9. Unless otherwise indicated, such as in reference to a specific entity, the term “CIRT” will be used generically for all such related terms (e.g., CERT, CSIRT). 10. World Bank, World Development Report 2016: Digital Dividends, (Washington: World Bank, 2016) [hereafter, “WDR”], at p. 222 et seq., at http:// documents.worldbank.org/curated/ en/896971468194972881/pdf/102725- PUB-Replacement-PUBLIC.pdf. 11. See, e.g., Nicole Perlroth, “Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say,” New York Times, (6 Jul. 2017), at https://www. nytimes.com/2017/07/06/technology/ nuclear-plant-hack-report.html?mcubz=0. Page 52 | Chapter 1 | End Notes Table of Contents Referenced in: § B. Phenomenon & 8. See, e.g., WDR, supra § 1 A, note 15. United States v. Steven W. Chase, Dimensions of Cybercrime 10, which lays out a multitude of 5:15-CR-00015-RLV-DCK-1 (W.D.N.C. ways in which the internet and ICTs 2016). To date, reports indicate that (mobile phones, computers and other at least 137 cases have been brought 1. The title of this section owes its technologies and tools) contribute to around the United States following inspiration to ITU’s report, International innovation, economic growth, economic on from the FBI sting operation. See, Telecommunication Union (ITU), and social inclusion and efficiencies, as e.g., “The Playpen Cases: Frequently Understanding Cybercrime: Phenomena, well as attendant risks. Asked Questions The Basics,” Electronic Challenges and Legal Response, (Geneva: Frontier Foundation, at https://www.eff. ITU, 2014) [hereafter, “ITU Understanding 9. Ilia Kolochenko, “Cybercrime: The org/pages/playpen-cases-frequently- Cybercrime”], at http://www.itu.int/ Price of Inequality,” Forbes, (16 Dec. asked-questions#howmanycases. See en/ITU-D/Cybersecurity/Documents/ 2016), at http://www.forbes.com/sites/ also US Dept. of Justice, “Assistant cybercrime2014.pdf. forbestechcouncil/2016/12/19/cybercrime- Attorney General Leslie R. Caldwell the-price-of-inequality/2/#1994040176db. 2. See, e.g., Susan Brenner, “Thoughts, Delivers Remarks Highlighting Witches and Crimes,” CYB3RCRIM3: 10. “Number of Internet Users Worldwide Cybercrime Enforcement at Center for Observations on Technology, Law, and from 2005 to 2016 (in Millions),” Strategic and International Studies,” Lawlessness, (6 May 2009), at http:// Statista, at http://www.statista.com/ Office of Public Affairs, (7 Dec. 2016), at cyb3rcrim3.blogspot.com/2009/05/ statistics/273018/number-of-internet- https://www.justice.gov/opa/speech/ thoughts-witches-and-crimes.html (noting users-worldwide/. assistant-attorney-general-leslie-r- that “cybercrime is merely a method caldwell-delivers-remarks-highlighting- crime, i.e., crime the commission of which 11. See, e.g., Noah Rayman, “The World’s cybercrime. is distinct due to the tool the perpetrator Top 5 Cybercrime Hotspots,” Time, (7 Aug. 2014), at http://time.com/3087768/ 16. See, e.g., Joseph Cox, “The FBI’s uses. […] cybercrime [can be addressed the-worlds-5-cybercrime-hotspots/; ‘Unprecedented’ Hacking Campaign through…] traditional offenses that are Craig Silverman & Lawrence Alexander, Targeted over a Thousand Computers,” revised, as necessary, to encompass the “How Teens in the Balkans Are Duping Motherboard, (5 Jan. 2016), at http:// digital versions of these crimes”). Trump Supporters with Fake News,” motherboard.vice.com/read/the-fbis- 3. From Shakespeare’s “The Tempest,” V.i, BuzzFeed News, (3 Nov. 2016), at https:// unprecedented-hacking-campaign- 186–189 (in which Miranda proclaims, “O www.buzzfeed.com/craigsilverman/ targeted-over-a-thousand-computers. wonder! / How many goodly creatures how-macedonia-became-a-global- 17. “Tor,” Tor Project, at https://torproject. are there here! / How beauteous mankind hub-for-pro-trump-misinfo?utm_term=. org/. is! O brave new world, / That has such eiWv81lZY#.yrrb4qwgD. people in’t.”), and used by Aldous Huxley 18. Duly named because it uses in his 1931 novel by the same name 12. “Norton Cybersecurity Insights Report onion routing, a technique of (“ ‘O brave new world!’ Miranda was 2016,” Symantec, (2016), at https:// layered encryption for anonymous proclaiming the possibility of loveliness, us.norton.com/norton-cybersecurity- communication over a computer network. the possibility of transforming even the insights-report-global?inid=hho_norton. See, e.g., Joan Feigenbaum, Aaron nightmare into something fine and noble. com_cybersecurityinsights_hero_ Johnson & Paul Syverson, “A Model of ‘O brave new world!’ It was a challenge, a seeglobalrpt. Onion Routing with Provable Anonymity,” command.”). Financial Cryptography & Data Security, 13. See also “Cyberspace Policy Review,” 4. Merriam-Webster Dictionary. The White House of President Barack (30 Aug. 2006), pp. 57–71, at http://www. Obama, at https://obamawhitehouse. cs.yale.edu/homes/jf/FJS.pdf. 5. Black’s Law Dictionary, 2d ed. archives.gov/cyberreview/documents/. 19. Chris Baraniuk, “Tor Launches Anti- 6. Maria Konnikova, “Virtual Reality Gets 14. See also “Leader of Hacking Ring Censorship Messenger Service,” BBC Real: The Promises—and Pitfalls—of the Sentenced for Massive Identity Thefts News (30 Oct. 2015), at http://www.bbc. Emerging Technology,” The Atlantic, (Oct. from Payment Processor and US Retail com/news/technology-34677323. 2015), at http://www.theatlantic.com/ Networks,” US Dept. of Justice, (26 Mar. magazine/archive/2015/10/virtual-reality- 20. Ibid. 2010), at https://www.justice.gov/sites/ gets-real/403225/. default/files/usao-nj/legacy/2014/09/02/ 21. Ibid. dojgonzalez0326rel.pdf. 7. For a provocative fictional depiction 22. Parliamentary Office of Science and thereof, and querying of what is “real,” Technology (POST), “The Darknet see Jennifer Haley, “The Nether” and Online Anonymity,” UK Houses (Chicago: Northwestern Univ., 2015). of Parliament, No.488 (9 Mar. 2015), at For a review of the play, see, e.g., Sadie http://researchbriefings.parliament. Dingfelder, “‘The Nether’ at Woolly uk/ResearchBriefing/Summary/POST- Mammoth Is a Creepy Puzzle of a Play,” PN-488. Washington Post, (7 Apr. 2016), at https:// www.washingtonpost.com/express/ 23. See, e.g., “What is the Law?” Information wp/2016/04/07/the-nether-at-woolly- Exchange Network for Mutual Assistance mammoth-is-a-creepy-puzzle-of-a-play/. in Criminal Matters and Extradition (the “Network”), (2007), at https://www.oas. org/juridico/mla/en/can/en_can_mla_ what.html. Page 53 | Chapter 1 | End Notes Table of Contents 24. For a discussion of the importance of 33. David S. Wall, “Policing Cybercrimes: 44. Full list of legislation in the United States public confidence in the banking systems, Situating the Public Police in Networks concerning cyberbulling can be found see, e.g., Vincent Di Lorenzo, “Public of Security within Cyberspace,” Police under this address: http://cyberbullying. Confidence and the Banking System: The Practice & Research, Vol. 8, Issue 2 (2007), org/bullying-laws. For a broad analysis Policy Basis for Continued Separation of pp. 183–205. of cyberbullying law in the United States, Commercial and Investment Banking,” see Megan Rehber & Susan W. Brenner, 35 American Law Review, (1986), pp. 34. Brenner, supra note 2. “‘Kiddie Crime?’ The Utility of Criminal 647–98, at http://www.stjohns.edu/sites/ Law in Controlling Cyberbullying,” First 35. David S. Wall, “Cybercrime as a Conduit default/files/documents/law/dilorenzo- Amendment Law Review, Vol. 8 (2009), pp. for Criminal Activity,” in: A. Pattavina (ed.), public_confidence_policy_basis.pdf. 73–78. Information Technology and the Criminal Public confidence stretches well-beyond Justice System, (Beverly Hills, CA: Sage 45. Weigend, supra note 26, at 53. banking and financial markets, with loss Publications, 2015), pp. 77–98. of confidence being attributed as one 46. Ibid. at 52. of the principle factors contributing to 36. Emilio Viano, “Cybercrime: A New the fall of the Roman Empire. See, e.g., Frontier in Criminology,” International 47. India: State of Tamil Nadu vs. Suhas Katti Edward Gibbon, The Decline and Fall of Annals of Criminology, Vol. 44 (2006), pp. (CC No.4680/2004). the Roman Empire, (New York: Harcourt, 11–22. Brace, 1960). 48. Allen Chein, “A Practical Look at Virtual 37. Audrey Guinchard, “Cybercrime: The Property,” St. John’s Law Review, Vol. 80 25. See generally, WDR supra § 1 A, note 10, Transformation of Crime in the Digital (2006), p. 1088f. See also Theodore J. at 221 et seq. Age,” Information, Communication and Westbrook, “Owned: Finding a Place for Society, Vol. 11 (2008), pp. 1030–32. Virtual World Property Rights,” Michigan 26. Thomas Weigend, “Information Society State Law Review (2006), p. 779ff. and Penal Law: General Report,” Revue 38. See, e.g., Stalking Resource Center, internationale de droit pénal, Vol. 84 National Center for Victims of Crime, 49. In the RuneScape case, the Dutch (2013), p. 53. Stalking Technology Outpaces State Laws, Supreme Court decided that electronic Stalking Resource Center Newsletter, Vol. goods are equal to tangible goods: 27. Latin: “horror vacui”; a postulate of 3, No. 2 (2003), at https://victimsofcrime. “virtual goods are goods [under Dutch physics attributed to Aristotle. org/docs/src/stalking-technology- law], so this is theft”; Ben Kuchera, “Dutch 28. An approximation of the notion of outpaces-state-laws17A308005D0C. Court Imposes Real-World Punishment pdf?sfvrsn=2. for Virtual Theft,” Ars Technica, (23 physics that the least energy state is Oct. 2008), at https://arstechnica.com/ preferable. 39. Emilio C. Viano, “§ II – Criminal Law. gaming/2008/10/dutch-court-imposes- Special Part, Information Society and real-world-punishment-for-virtual-theft/. 29. Francesca Spidalieri, State of the States Penal Law, General Report,” Revue on Cybersecurity, (Newport: Pell Center Internationale de Droit Pénal, Vol. 84 50. The US Dept. of Justice prosecutes cases for International Relations, 2015), p. 3, (2013) 3–4, p. 339. of identity theft and fraud under a variety at http://pellcenter.org/wp-content/ of federal statutes. In 1998, Congress uploads/2017/02/State-of-the-States- 40. USC Title 18, § 1961. However, at least passed the Identity Theft and Assumption Report.pdf. six types of fraud commonly charged in Deterrence Act, which created a new conjunction with USC Title 18, § 1030 offense of identity theft and prohibiting 30. Brett Burns, “Level 85 Rogue: When are RICO predicate offenses, as are “knowingly transfer[ring] or us[ing], Virtual Theft Merits Criminal Penalties,” many serious offenses likely to underlie without lawful authority, a means of University of Missouri-Kansas City Law a cybercrime (trafficking in persons, identification of another person with Review, Vol. 80 (2011), p. 845f. interstate transportation of stolen the intent to commit, or to aid or abet, 31. US Government Accountability Office property, murder for hire, etc.). any unlawful activity that constitutes a (GAO), Public and Private Entities Face violation of Federal law, or that constitutes 41. For more information on RICO, see Challenges in Addressing Cyber Threats, a felony under any applicable State or Charles Doyle, “RICO: A Brief Sketch,” (Washington: GAO, 2007), p. 15, at http:// local law.” USC Title 18, § 1028 - Fraud US Congressional Research Service (CRS), www.gao.gov/new.items/d07705.pdf. and Related Activity in Connection with No. 96-950 (18 May 2016), at https://fas. Identification Documents, Authentication 32. See, e.g., ibid., 23; CoE, Convention on org/sgp/crs/misc/96-950.pdf. Features, and Information. Cybercrime, (23 Nov. 2001) ETS No. 185 42. Mark Gordon, “Ideas Shoot Bullets: How [hereafter, “Budapest Convention”], 51. Jonathan Clough, “Data Theft? the RICO Act Became a Potent Weapon Preamble, at https://www.coe.int/en/ Cybercrime and the Increasing in the War Against Organized Crime,” web/conventions/full-list/-/conventions/ Criminalization of Access to Data,” Concept, Vol. 26, (2002), at https:// treaty/185; Philippines: Cybercrime Criminal Law Forum, Vol. 22 (2011), pp. concept.journals.villanova.edu/article/ Prevention Act of 2012, No. 10175, Ch. 145–70. view/312/275. II, Art. 4-A, at https://www.unodc.org/ 52. Alex Steel, “The True Identity of cld/en/legislation/phl/republic_act_ 43. Weigend, supra note 26, at 51. Australian Identity Theft Offences: A no._10175_cybercrime_prevention_act_ Measured Response or an Unjustified of_2012/chapter_ii/article_4-a/article_4-a. Status Offence?,” University of New South html. Wales Law Journal, Vol. 33 (2010), pp. 503–531. Page 54 | Chapter 1 | End Notes Table of Contents 53. Soumyo D. Moitra, “Cybercrime: Towards 64. Moreover, the gap between technology 73. Association Internationale de Droit Pénal an Assessment of its Nature and Impact, and regulation is significant in FinTech. (AIDP/IAPL), 19th International Congress International Journal of Comparative & It will be important for regulators, of Penal Law, (Aug. 2014), § 1.A.1, (noting, Applied Criminal Justice,” Vol. 28, Issue 2 while attempting to bridge this in relevant part, that “ICT and cyberspace (2004), pp. 105–20. gap, to carefully support market have created specific interests which development, while ensuring consumer must be respected and protected, for 54. Weigend, supra note 26, at 56. security. John Villasenor, “Ensuring example, privacy, confidentiality, integrity Cybersecurity in Fintech: Key Trends and availability of ICT systems as well 55. Viano, supra note 39, at 341. and Solutions,” Forbes, (25 Aug. as the integrity of personal identities in 56. David S. Walls, “Cybercrime, Media 2016), at http://www.forbes.com/sites/ cyberspace”). and Insecurity: The Shaping of Public johnvillasenor/2016/08/25/ensuring- cybersecurity-in-fintech-key-trends-and- 74. Xavier Amadei, “Standards of Liability Perceptions of Cybercrime,” International solutions/#13edc74be1fa. for Internet Service Providers: A Review of Law, Computers and Comparative Study of France and Technology, Special Issue: Crime and 65. For an overview of data partitioning, the United States with a Specific Criminal Justice, Vol. 22 (2008), pp. 45–63. see Microsoft Website, at https:// Focus on Copyright, Defamation, and 57. Leyla Bilge, Thorsten Strufe, Davide docs.microsoft.com/en-us/azure/best- Illicit Content,” Cornell International Balzaroti & Engin Kirda, “All Your practices-data-partitioning. Law Journal, Vol. 35 (1) (2001), at Contacts Belong to Us: Automated http://scholarship.law.cornell.edu/ 66. Jamie Smith, “There Is More to cilj/?utm_source=scholarship.law.cornell. Identity Theft Attacks on Social Blockchain than Moving Money. It Has edu%2Fcilj%2Fvol35%2Fiss1%2F4&utm_ Networks,” SBA Research, at http://www. the Potential to Transform Our Lives— medium=PDF&utm_campaign=PDFCov cs.umd.edu/class/spring2017/cmsc396H/ Here’s How,” World Economic Forum, erPages. downloads/all-your-contacts.pdf. (9 Nov. 2016), at https://www.weforum. 58. Marco Gercke, “Internet-Related org/agenda/2016/11/there-is-more-to- 75. Ronald Noble, Former INTERPOL Identity Theft,”CoE Discussion Paper, blockchain-than-moving-money. Secretary General, at https://cdn.press. (22 Nov. 2007), p. 4, at https://rm.coe. kaspersky.com/files/2013/06/Kaspersky- 67. See, e.g., Kariappa Bheemaiah, “Block Lab-Transparency-Principles_Q3_2015_ int/16802fa3a0. Chain 2.0: The Renaissance of Money,” final.pdf. 59. Weigend, supra note 26, at 57. Wired, (Jan. 2015), at https://www.wired. com/insights/2015/01/block-chain-2-0/. 76. Internet Security Alliance, “Cross Cutting 60. Iain Moir & George R. S. Weir, “Identity Issue #2: How Can We Create Public Theft: A Study in Contact Centres,” in: 68. “How Blockchains Could Change the Private Partnerships that Extended to Hamid Jahankhani, Kenneth Revett & World,” McKinsey & Company, (May Action Plans that Work?,” The White Dominic Palmer-Brown (eds.), Global 2016), at http://www.mckinsey.com/ House of Barack Obama, at https:// E-Security: Communications in Computer industries/high-tech/our-insights/how- obamawhitehouse.archives.gov/ and Information Science, Vol. 12 (Berlin: blockchains-could-change-the-world. files/documents/cyber/ISA%20-%20 Springer, 2008), at http://www.cis.strath. Hathaway%20public%20private 69. Mary-Ann Russon, “Quantum ac.uk/cis/research/publications/papers/ %20partnerships.pdf. Cryptography Breakthrough: strath_cis_publication_2243.pdf. ‘Unbreakable Security’ Possible Using 77. Executive Order—Promoting Private 61. A full list of identity fraud state regulations Pulse Laser Seeding,” International Sector Cybersecurity Information Sharing, can be found at http://www.ncsl.org/ Business Times (7 Apr. 2016), at (13 Feb. 2015). See also “Executive Order issues-research/banking/identity-theft- http://www.ibtimes.co.uk/quantum- -- Promoting Private Sector Cybersecurity state-statutes.aspx. cryptography-breakthrough-unbreakable- Information Sharing,” The White House of security-possible-using-pulse-laser- President Barack Obama, Press Release, 62. Walter A. Effross, “High-Tech Heroes, seeding-1553721. (13 Feb. 2015), at https://www.whitehouse. Virtual Villains, and Jacked-In Justice: gov/the-press-office/2015/02/13/ Visions of Law and Lawyers in Cyberpunk 70. Ibid. executive-order-promoting-private-sector- Science Fiction,” Buffalo Law Review, Vol. cybersecurity-information-shari; Gregory 71. WDR, supra § 1 A, note 10, at 223. 46 (1997), p. 931. Korte, “Obama Signs Two Executive For an interesting perspective on the 63. For example, Venmo does not charge interrelation of analog and digital, see Orders on Cybersecurity,” USA Today, transaction fees for transferring funds Peter Kinget, “The World Is Analog,” (9 Feb. 2016), at http://www.usatoday. between debit card or checking account, Circuit Cellar, No. 292 (Nov. 2014), at com/story/news/politics/2016/02/09/ “Fees & Venmo,” Venmo, at https://help. http://www.ee.columbia.edu/~kinget/ obama-signs-two-executive-orders- venmo.com/hc/en-us/articles/224361007- WhyAnalog/circuitcellar_The_World_Is_ cybersecurity/80037452/. Fees-Venmo. Analog_201410.pdf. 78. Pres. Barack Obama, “Remarks by the 72. WDR, supra § 1 A, note 10, at 223. President on Securing Our Nation’s Cyber Infrastructure,” The White House Office of the Press Secretary, The White House of President Barack Obama, (29 May 2009), at https://obamawhitehouse.archives. gov/the-press-office/remarks-president- securing-our-nations-cyber-infrastructure. Page 55 | Chapter 1 | End Notes Table of Contents 79. On 18 December 2015, the European 83. See Julia Edwards, “FBI Paid More Than 90. Thomas Boué, “Closing the Gaps in EU Commission launched a public $1.3 Million to Break into San Bernardino Cyber Security,” Computer Weekly, (Jun. consultation, accompanied by a policy iPhone,” Reuters, (22 Apr. 2016), at 2015), at http://www.computerweekly. roadmap, to seek stakeholders’ views http://www.reuters.com/article/us-apple- com/opinion/Closing-the-gaps-in-EU- on the areas of work of a future public- encryption-fbi-idUSKCN0XI2IB. cyber-security. private partnership, as well as on potential additional policy measures—in areas 84. Kim Zetter, “The Feds’ Battle with Apple 91. “Number of Internet Users Worldwide such as certification, standardization and Isn’t Over—It Just Moved to New York,” from 2000 to 2015 (in Millions),” labeling—that could benefit the European Wired, (8 Apr. 2016), at https://www.wired. Statista, at http://www.statista.com/ cybersecurity industry. To strengthen com/2016/04/feds-battle-apple-isnt-just- statistics/273018/number-of-internet- EU’s cybersecurity industry, the European moved-ny/. users-worldwide/. Commission will establish a contractual 85. Nathaniel Mott, Take That, “FBI: 92. See, e.g., Tim Bajarin, “The Next Public-Private Partnership (cPPP) on Apple Goes All in on Encryption,” The Big Thing for Tech: The Internet of cybersecurity, as envisaged in the Digital Guardian, (15 Jun. 2016), at https://www. Everything,” Time, (13 Jan. 2014), at Single Market Strategy. The aim of theguardian.com/technology/2016/ http://time.com/539/the-next-big-thing- the PPP is to stimulate the European jun/15/apple-fbi-file-encryption-wwdc. for-tech-the-internet-of-everything/. cybersecurity industry by: bringing together industrial and public resources 86. Cade Metz, “Forget Apple vs. the FBI: 93. See WDR § 1 A, supra note 10. to improve Europe’s industrial policy on WhatsApp Just Switched on Encryption cybersecurity, focusing on innovation for a Billion People,” Wired, (5 Apr. 2016), and following a jointly-agreed strategic at http://www.wired.com/2016/04/forget- research and innovation roadmap; helping apple-vs-fbi-whatsapp-just-switched- build trust among Member States and encryption-billion-people/. industrial actors by fostering bottom-up cooperation on research and innovation; 87. See, e.g., Ivana Kottasova and Samuel helping stimulate cybersecurity Burke, “UK Government Wants Access industry by aligning the demand and to WhatsApp Messages,” CNN Tech, supply for cybersecurity products and (27 Mar. 2017), at http://money.cnn. services, and allowing the industry to com/2017/03/27/technology/whatsapp- efficiently elicit future requirements encryption-london-attack/index.html. from end-users; leveraging funding 88. See, e.g., Amber Rudd, Home Secretary, from Horizon2020 and maximizing the “Social Media Firms Must Join the War impact of available industry funds through on Terror,” Telegraph, (25 Mar. 2017) (“We better coordination and better focus on need the help of social media companies, a few technical priorities; and providing the Googles, the Twitters, the Facebooks visibility to European R&I excellence of this world. And the smaller ones, too: in cyber security and digital privacy. platforms such as Telegram, WordPress See also Commissioner, “Digital Single and Justpaste.it. We need them to Market,” European Commission, at http:// take a more proactive and leading role ec.europa.eu/priorities/digital-single- in tackling the terrorist abuse of their market/. platforms. We need them to develop 80. Warwick Ashford, “Co-Operation Driving further technology solutions. We need Progress in Fighting Cybercrime, Say Law them to set up an industry-wide forum Enforcers,” Computer Weekly, (5 Jun. to address the global threat.”), at http:// 2015), at http://www.computerweekly. www.telegraph.co.uk/news/2017/03/25/ com/news/4500247603/Co-operation- social-media-firms-must-join-war-terror/; driving-progress-in-fighting-cyber-crime- UK Home Secretary, “We need the say-law-enforcers. Help of Social Media Companies,” UK Home Office News Team, (26 Mar. 2017), 81. See also Actual Order Compelling at https://homeofficemedia.blog.gov. Apple, Inc. to Assist Agents in Search of uk/2017/03/26/home-secretary-we-need- iPhone,”Cybersecuritylaw, at http://blog. the-help-of-social-media-companies/. cybersecuritylaw.us/2016/02/23/actual- order-compelling-apple-inc-to-assist- 89. See, e.g., Peter Walker and Heather agents-in-search-of-iphone/. Stewart, “No 10 Repeats Rudd’s Call for Authorities to Access Encrypted 82. See, e.g., Saeed Ahmed, “Who Were Messages,” Guardian, (27 Mar. 2017), Syed Rizwan Farook and Tashfeen at https://www.theguardian.com/ Malik?,” CNN, (4 Dec. 2015), at http:// politics/2017/mar/27/downing-street- www.cnn.com/2015/12/03/us/syed-farook- amber-rudd-authorities-access-encrypted- tashfeen-malik-mass-shooting-profile/ messages-whatsapp-terrorism. index.html. Page 56 | Chapter 1 | End Notes Table of Contents Referenced in: § C. Challenges to 9. United States v. Liberty Reserve et al., 13 14. Supreme Court of Korea, Decision Fighting Cybercrime Cr. 368, UNODC Cybercrime Repository, 2014 No. 8838 (13 Nov. 2014), at at https://www.unodc.org/cld/case-law- http://www.law.go.kr/precInfoP. doc/cybercrimecrimetype/usa/2014/us_v_ do?mode=0&precSeq=176320 (in 1. ITU Understanding Cybercrime, supra § 1 liberty_reserve_et_al..html?&tmpl=cyb; Korean). See also Seoul Central District B, note 1. Indictment & Supporting Documents: Court, Decision 2014 No.323 (26 Jun. United States v. Liberty Reserve et al., 2014), at http://www.law.go.kr/precInfoP. 2. See, e.g., US Access Board, § 508 - (S.D.N.Y. 2013), at http://www.justice. do?evtNo=2014%eb%85%b8323 (in Standards for Electronic and Information gov/usao/nys/pressreleases/May13/ Korean); Seoul Central District Court, Technology, Final Rule, (21 Dec. 2000). LibertyReserveetalDocuments.php; Decision No.4451, 4488 (Consolidation) 3. Ibid., at 75. Emily Flitter, “US Accuses Currency (15 Jan. 2014), at http://mobile.law.go.kr/ Exchange of Laundering $6 Billion,” LSWM/mobile/precScInfo.do;jsessio 4. See, e.g., Kristin Finklea & Catherine A. Reuters, (29 May 2013), at http://www. nid=plrVTdB8eoKZ1bXXaJl0wla9S2E4 Theohary, Cybercrime: Conceptual Issues reuters.com/article/2013/05/29/net- 4BfcfQGizaMGLE3jt081q9o0TtHznXov6J for Congress and US Law Enforcement, us-cybercrime-libertyreserve-charges- FN.de_kl_a6_servlet_PRM?precSeq=176 US Congressional Research Service (CRS), idUSBRE94R0KQ20130529. 605&precScNm=%ED%8C%90%EB%A1 (2015), p. 16 (provides that “For instance, %80&searchKeyword=&pageIndex=127 identity theft (18 USC § 1028(a)(7)) is a 10. Uniting and Strengthening America by &name=precSc (in Korean). crime whether it is committed solely in the Providing Appropriate Tools Required to real world or carried out via cyber means. Intercept and Obstruct Terrorism (USA 15. Korea: Game Industry Promotion Act, at The statute does not distinguish between PATRIOT Act), No. 107–56, 115 Stat. 272 http://elaw.klri.re.kr/eng_mobile/viewer. the means by which the crime is carried (2001) [hereafter, “USA PATRIOT Act”]. do?hseq=28802&type=sogan&key=8 (in out”), at https://www.fas.org/sgp/crs/ English). 11. See infra § 2 B. misc/R42547.pdf. 16. Ibid., Art. 18-3(c). 12. Technological neutrality refers to the 5. For example, “wire transfer” and drafting of laws that are technologically 17. Ibid. “stalking”. agnostic, that is, laws that do not specifically refer to any particular 18. Rohini Tendulkar, Securities Markets and 6. Such as “place” and “document”. technology. Doing so not only assures Systemic Risk: Joint Staff Working Paper 7. UN Office of Drugs and Crime (UNODC), that online and offline conduct is of the IOSCO Research Department and Comprehensive Study on Cybercrime treated equally, but also assures that World Federation of Exchanges, IOSCO (Draft) [hereafter, “UNODC Cybercrime the law is not so easily outdated by Research Department, at pp. 4 & 22, at Study”], (New York: United Nations, technological progress. This strategy, http://www.iosco.org/research/pdf/swp/ 2013), p. 58, at https://www.unodc.org/ refraining from naming any device or Cyber-Crime-Securities-Markets-and- documents/organized-crime/UNODC_ software or using a nonexclusive list, Systemic-Risk.pdf. CCPCJ_EG.4_2013/CYBERCRIME_ punishes a criminal conduct as long 19. Ibid. STUDY_210213.pdf. as the effect is felt. Moreover, not naming a specific technology allows 20. Ibid. at 4. 8. One famous conception of just such laws to stay relevant even after new a scenario is in the 1968 cult-classic device or criminal methodology is 21. United States v. Albert Gonzalez, D. Mass. film 2001: A Space Odyssey, where the developed. See “Technology Neutrality (No. 10223 & No. 10382). spacecraft’s computer, HAL—short for in Internet, Telecoms and Data Protection “heuristically-programmed algorithmic Regulation,” Hogan Lovells Global 22. Kim Zetter, “TJX Hacker Gets 20 Years in computer”—“decides” to terminate the Media and Communications Quarterly, Prison,” Wired, (25 Mar. 2010), at https:// human team members when it becomes (2014), at http://www.hoganlovells. www.wired.com/2010/03/tjx-sentencing/. apparent that the humans, who are com/files/Uploads/Documents/8%20 unaware of the mission’s real purpose, 23. Edecio Martinez, “Albert Gonzalez, Technology%20neutrality%20in%20 ‘SoupNazi’ Credit Card Hacker Gets may jeopardize that purpose. Stanley Internet.pdf. Kubrick, dir. 2001: A Space Odyssey. Writ. 20 Years,” CBS News, (26 Mar. 2010), at Arthur C. Clarke & Stanley Kubrick. Metro 13. See, e.g., WDR, supra § 1 A, note http://www.cbsnews.com/news/albert- Goldwyn-Mayer (MGM), 1968. Film. 10, at 222, noting “Public safety and gonzalez-soupnazi-credit-card-hacker- security in the analog world is a public gets-20-years/; Kim Zetter, “In Surprise good, ensured by governments. In Appeal, TJX Hacker Claims US Authorized the cyberworld, governments also His Crimes,” Wired, (7 Jul. 2011), at http:// have an obligation […] to ensure the www.wired.com/2011/04/gonzalez-plea- protection of data, communications, withdrawal/. and critical infrastructure.” See also ITU 24. Do Punishments Fit the Cybercrime?,” Understanding Cybercrime, supra § 1 B, 2010, InfoSecurity Magazine, (25 Aug. note 1, at 82–84. 2010), at https://www.infosecurity- magazine.com/magazine-features/do- punishments-fit-the-cybercrime/. 25. L. Thomas Winfree, Jr., G. Larry Mays & Leanne Fiftal Alarid Introduction to Criminal Justice (New York: Wolters Kluwer, 2015 Page 57 | Chapter 1 | End Notes Table of Contents 26. See infra § 2 C. 30. Mary M. Cheh, “Constitutional Limits 39. Mott, supra § 1 B, note 85. on Using Civil Remedies To Achieve 27. The ultima ratio principle emphasizes the Criminal Law Objectives: Understanding 40. “Ransomware Cyber-attack Threat repressive nature of the criminal justice and Transcending the Criminal-Civil Escalating—Europe,” BBC News, (14 system and classifies it as the last resort of Law Distinction,” Hastings Law Journal, May 2017), at http://www.bbc.com/news/ the legislator. See, e.g., Sakari Melander, Vol. 42 (1991), p. 1325; Julie Adler, “The technology-39913630. “Ultima Ratio in European Criminal Public’s Burden in a Digital Age: Pressures Law,” Oñate Socio-Legal Series, Vol. 41. “WannaCry: What Is Ransomware on Intermediaries & the Privatization of 3 (2013); Rudolf Wendt, “The Principle and How to Avoid It,” Al Jazeera, (16 Internet Censorship,” Journal of Law of Ultima Ratio and/or the Principle of May 2017), at http://www.aljazeera. & Policy, Vol. 20 (2011), p. 231; James Proportionality,” Oñate Socio-Legal com/news/2017/05/ransomware- R. Marsh, “Predators, Porn and the Series, Vol. 3 (2013); Markus D. Dubber, avoid-170513041345145.html; Victoria Law: America’s Children in the Internet “Ultima Ratio as Caveat Dominus: Legal Woollaston, “Wanna Decryptor Era: A Federal Civil Remedy for Child Principles, Police Maxims and the Critical Ransomware Appears to be Spawning Pornography Victims,” Syracuse Law Analysis of Law,” SSRN (5 Jul. 2013), at and This Time It May Not Have a Kill Review, Vol. 61 (2015), p. 459; Joseph http://ssrn.com/abstract=2289479. Switch,” Wired, (16 May 2017), at http:// Salvador, “Dismantling the Internet Mafia: www.wired.co.uk/article/wanna-decryptor- RICO’s Applicability to Cyber Crime,” 28. Kathleen Fuller, “ICANN: The Debate ransomware. Typically, hackers rely on Rutgers Computer & Technology Law Over Governing the Internet,” Duke Law tricking users to click on attachments Journal, Vol. 41 (2015), p. 268. Microsoft & Technology Review, Vol. 2 (2001); Mary harboring attack code, and email is the has used civil actions to attack botnets. B. Kibble, “Fear Mongering, Filters, the still the preferred attack tool. Ibid. See See Official Microsoft Blog, “Botnets,” Internet and the First Amendment: Why also 2017 Internet Security Threat Report, Microsoft, at https://blogs.microsoft.com/ Congress Should Not Pass Legislation Symantec, at https://www.symantec.com/ blog/tag/botnets/#sm.000013htf1t8ngf0 Similar to the Deleting Online Predators content/dam/symantec/docs/reports/istr- zuycn3473chdh. Act,” Roger Williams University Law 22-2017-en.pdf. Review, Vol. 13 (2007), p. 497. 31. See, e.g., WDR, supra § 1 A, note 10, at 223; see also Bauer, Johannes & Bill 29. Anita Bernstein, “Social Networks and Dutton, Addressing the Cybersecurity the Law: Real Remedies for Virtual Paradox: Economic and Cultural Injuries,” North Carolina Law Review, Challenges to an Open and Global Vol. 90 (Jun. 2012), p. 1457; “New Bill Internet, Background Paper for the World Gives Turkish Government Power to Development Report 2016, (Washington: Shut Down Websites in Four Hours,” World Bank, 2016). BBC Monitoring Europe, (23 Mar. 2015); Nicholas Cecil, “MP Demands Law to 32. Emilio Viano, “Balancing Liberty and Force Internet Providers to Remove Gang Security Fighting Cybercrime: Challenges Videos,” Evening Standard, (6 Nov. 2011), for the Networked Society,” in: Stefano at http://www.standard.co.uk/news/mp- Manacorda (ed.), Cybercriminality: demands-law-to-force-internet-providers- Finding a Balance between Freedom and to-remove-gang-videos-6365780. Security (Milano: ISPAC Editora, 2012), pp. html; Wayne McCormack, “US Judicial 33–64. Independence: Victim in the ‘War on Terror,’” Washington & Lee Law Review, 33. Russell G. Smith, Ray Chak-Chung Vol. 71 (2014), p. 305. Cheung & Laurie Yiu-Chung Lau, Cybercrime Risks and Responses: Eastern and Western Perspectives, (London: Palgrave MacMillan, 2015), p. 47. 34. David Kushner, “The Real Story of Stuxnet: How Kaspersky Lab Tracked Down the Malware that Stymied Iran’s Nuclear-Fuel Enrichment Program,” IEEE Spectrum, (26 Feb. 2013), at http:// spectrum.ieee.org/telecom/security/the- real-story-of-stuxnet. 35. Ibid. 36. Michael S. Schmidt, “Cybersecurity Bill Is Blocked in Senate by G.O.P. Filibuster,” New York Times, (2 Aug. 2012), at: http:// www.nytimes.com/2012/08/03/us/politics/ cybersecurity-bill-blocked-by-gop- filibuster.html?_r=0. 37. Fuller, supra note 28. 38. See AIDP/IAPL, supra § 1 B, note 73. Page 58 | Chapter 1 | End Notes Table of Contents 42. Early linguistic analysis by Flashpoint 44. Speaking to the BBC, MalwareTech 49. US policy had been understood to be indicated a Chinese connection: of the 28 said, “There’s a lot of money in this, one of disclosing identified vulnerabilities languages in which the ransom notice was there is no reason for them to stop. It’s to vendors and others so that they can written, only the Chinese (both Simplified not much effort for them to change the be patched. See Kim Zetter, “Obama: and Traditional) and English versions were code and start over.” Chris Foxx, “Global NSA Must Reveal Bugs Like Heartbleed, written by humans instead of machine- Cyber-attack: Security Blogger Halts Unless They Help the NSA,” Wired, translated, and only the Chinese notice Ransomware ‘by Accident’,” BBC News, (15 Apr. 2014), at https://www.wired. appears to have been written by a fluent (14 May 2017), at http://www.bbc.com/ com/2014/04/obama-zero-day/. Such speaker; the other messages, including news/technology-39907049. being the case, it is not clear why the the Korean message, were apparently vulnerabilities identified had not been translated from the English note using 45. Dave Lee, “Global Cyber-Attack: How released. See Brad Smith, “The Need for Google Translate. See Jon Condra, John Roots Can be Traced to the US,” BBC Urgent Collective Action to Keep People Costello & Sherman Chu, “Linguistic News, (13 May 2017), at http://www.bbc. Safe Online: Lessons from Last Week’s Analysis of WannaCry Ransomware com/news/technology-39905509. The Cyberattack,” Official Microsoft Blog, Messages Suggests Chinese-Speaking,” NSA has neither confirmed nor denied (14 May 2017), at https://blogs.microsoft. Flashpoint, (25 May 2017), at https:// as much. It is not known who conducted com/on-the-issues/2017/05/14/need- www.flashpoint-intel.com/blog/linguistic- the attacks. It has been suggested that urgent-collective-action-keep-people- analysis-wannacry-ransomware/. However, the NSA may have created the tool. Id.; safe-online-lessons-last-weeks-cyberattac more in-depth and nuanced forensic Bill Chappell, “WannaCry Ransomware: k/#oHaqtHbEYodLhwLl.99. See also Matt analyses points to criminals from North Microsoft Calls Out NSA For ‘Stockpiling’ Day, “Microsoft Criticizes Government Korea; that said, no connection to Vulnerabilities,” NPR, (15 May 2017), at Creation of Hacking Tools Used in Global the North Korea state itself had been http://www.npr.org/sections/thetwo- Cyberattack,” Seattle Times, (14 May demonstrated. The cybersecurity service way/2017/05/15/528439968/wannacry- 2017), at http://www.seattletimes.com/ firm Symantec showed “strong links” to ransomware-microsoft-calls-out-nsa- business/microsoft/microsoft-criticizes- Lazarus group, a hacking group based for-stockpiling-vulnerabilities; Thomas government-creation-of-hacking-tools- in Pyongyang and closely associated Fox-Brewster, “An NSA Cyber Weapon used-in-global-cyberattack/. with the North Korean government. See Might Be Behind A Massive Global Symantec Security Response, “WannaCry: Ransomware Outbreak,” Forbes, (12 May 50. “Next Cyber-attack Could Be Imminent, Ransomware Attacks Show Strong Links 2017), at http://www.npr.org/sections/ Warn Experts,” BBC News (14 May 2017), to Lazarus Group,” Symantec Official thetwo-way/2017/05/15/528439968/ at http://www.strategic-culture.org/ Blog, (22 May 2017), at https://www. wannacry-ransomware-microsoft-calls-out- news/2017/05/14/international-cyber- symantec.com/connect/blogs/wannacry- nsa-for-stockpiling-vulnerabilities. attack-roots-traced-us-national-security- ransomware-attacks-show-strong-links- agency.html; Victoria Woollaston, “Wanna 46. Andy Greenberg, “Major Leak Suggests Decryptor Ransomware Appears to Be lazarus-group. That analysis has been NSA Was Deep in Middle East Banking Spawning and This Time It May Not Have since supported by an investigation led by System,” Wired, (14 Apr. 2017), at https:// a Kill Switch,” Wired, (16 May 2017), at Britain’s National Cyber Security Centre www.wired.com/2017/04/major-leak- http://www.wired.co.uk/article/wanna- (NCSC) and supported by the US-CERT. suggests-nsa-deep-middle-east-banking- decryptor-ransomware. See, e.g., Gordon Corera, “NHS Cyber- system/. Attack Was ‘Launched from North Korea,” 51. In March 2017, Microsoft released a patch BBC News, (16 Jun. 2017), at http://www. 47. Bill Chappell, “WannaCry Ransomware: for the vulnerability in question. Microsoft, bbc.com/news/technology-40297493. What We Know Monday,” NPR, (15 May Security Bulletin MS17-010, (14 Mar. 2017), Lazarus group has been blamed for the 2017), at http://www.npr.org/sections/ at https://technet.microsoft.com/en-us/ 2014 cyberattack on Sony and the theft of thetwo-way/2017/05/15/528451534/ library/security/ms17-010.aspx. Following US$81m from Bangladesh’s central bank. wannacry-ransomware-what-we-know- the attacks in May, Microsoft released “More Evidence for WannaCry ‘Link’ to monday. a separate patch for users of older and North Korean Hackers,” BBC News, (23 unsupported operating systems, such as May 2017), at http://www.bbc.com/news/ 48. “WannaCry: Are You Safe?,” Kaspersky Windows XP. technology-40010996. As already noted, Labs, (13 May 2017), at https:// such matters are beyond the scope of the blog.kaspersky.com/wannacry- 52. MSRC Team, “Customer Guidance for Toolkit. See supra § 1 A. ransomware/16518/; “Kaspersky Lab’s WannaCrypt Attacks,” Microsoft Official Notice to Customers about the Shadow Blog, (12 May 2017), at https://blogs. 43. MalwareTech, “How to Accidentally Stop Brokers’ Publication from April 14,” technet.microsoft.com/msrc/2017/05/12/ a Global Cyber Attacks,” MalwareTech Kaspersky Labs, (14 Apr. 2017), at https:// customer-guidance-for-wannacrypt- Blog, (13 May 2017), at https://www. support.kaspersky.com/shadowbrokers. attacks/. malwaretech.com/2017/05/how-to- accidentally-stop-a-global-cyber-attacks. 53. 2017 Data Breach Investigations Report, html. The researcher noted that the 10th ed., Verizon, (27 Apr. 2017), at http:// malware attempted to contact a specific www.verizonenterprise.com/verizon- web address each time it infected a new insights-lab/dbir/2017/. system; the address not being registered, he did so himself, allowing him to see 54. See, e.g., Dave Lee, “Global Cyber- where computers were being affected Attack: How Roots Can Be Traced and unexpectedly triggering a part of the to the US,” BBC News, (13 May code that told the ransomware to stop 2017), at http://www.bbc.com/news/ spreading. Ibid. technology-39905509. Page 59 | Chapter 1 | End Notes Table of Contents 55. Cybercrime Knows No Borders, 64. “256-bit AES key” means that every 73. EU Council Framework Decision 2004/68/ InfoSecurity Magazine, (19 May 2011), at 256-bit number is a valid key or modulus. JHA (22 Dec. 2003) on combating the http://www.infosecurity-magazine.com/ Having superseded DES (Data Encryption sexual exploitation of children and child magazine-features/cybercrime-knows-no- Standard), AES (Advanced Encryption pornography. The Framework Decision borders/. Standard) is a symmetric encryption was replaced by Directive 2011/93/ algorithm (specifically, a block cypher) EU of the European Parliament and 56. WDR, supra § 1 A, note 10, at 222. While in use worldwide, which is defined over of the Council of 13 December 2011 such actions “blur[ ] the lines between keys of 128, 192 and 256 bits. Symmetric on combating the sexual abuse and acts of cybercrime and cyberwar or algorithms are designed to be as simple sexual exploitation of children and child cyberterrorism,” it is nonetheless the and quick as possible (for cryptography), pornography. See OJ 2011 L 335 (17 Dec. responsibility of the government to assure and retain a high level of security. See, 2011), pp. 1–17. public safety and security in cyberspace. e.g., “Why Do You Need a 4096-bit Ibid. at 223. DSA Key When AES Is Only 256-Bits?,” 74. Directive 2006/24/EC of the European Information Security Stack Exchange, Parliament and of the Council of 15 March 57. The first free, widely used end-to-end 2006 on the retention of data generated at http://security.stackexchange.com/ encrypted messaging software was PGP or processed in connection with the questions/59190/why-do-you-need-a- (“Pretty Good Privacy”), coded by Phil provision of publicly available electronic 4096-bit-dsa-key-when-aes-is-only-256- Zimmermann and released in 1991. Andy communications services or of public bits; “What Does ‘Key with Length of Greenberg, “Hacker Lexicon: What Is communications networks and amending X Bits’ Mean?,” Information Security End-to-End Encryption?,” Wired, (25 Nov. Directive 2002/58/EC [2006] OJ L105/54 Stack Exchange, at http://security. 2014), at https://www.wired.com/2014/11/ (“Data Retention Directive”). stackexchange.com/questions/8912/what- hacker-lexicon-end-to-end-encryption/. does-key-with-length-of-x-bits-mean. 75. European Commission v. Hungary, 58. Greenberg, ibid. [hereafter, “Commission v. Hungary”], 65. “Why Do You Need a 4096-bit DSA Key When AES Is Only 256-Bits?,” ibid. Case number C-286/12, [CJEU] (8 Apr. 59. Ibid. 2014), at http://curia.europa.eu/juris/ 60. Information theory can be used to render 66. Mary-Ann Russon, “Quantum documents.jsf?num=C-293/12; EUR-Lex, a cryptosystem information-theoretically Cryptography Breakthrough: Official Journal of the European Union, (8 secure, and therefore cryptanalytically ‘Unbreakable Security’ Possible Using Apr. 2014). unbreakable, even when the adversary Pulse Laser Seeding,” International Business Times, (7 Apr. 2016), at 76. Richard W. Downing, “Shoring Up has unlimited computing power. Ueli http://www.ibtimes.co.uk/quantum- the Weakest Link: What Lawmakers Maurer, “Information-Theoretically cryptography-breakthrough-unbreakable- Around the World Need to Consider Secure Secret-Key Agreement by NOT security-possible-using-pulse-laser- in Developing Comprehensive Laws to Authenticated Public Discussion,” in: seeding-1553721. China has made Combat Cybercrime,” Columbia Journal EUROCRYPT’97 Proceedings of the particular advances in the development of Transnational Law, Vol. 43 (2005), p. 16th annual international conference on of such technology; for the implications 705; Erin I. Kunze, “Sex Trafficking Via the Theory and application of cryptographic of implications of such advances, see Internet: How International Agreements techniques, (1997), pp. 209–25, at ftp:// Andreas Illmer, “China Set to Launch an Address the Problem and Fail to Go Far ftp.inf.ethz.ch/pub/crypto/publications/ ‘Unhackable’ Internet Communication,” Enough,” Journal on Telecommunications Maurer97.pdf. BBC News, (25 July 2017), at http://www. & High Technology Law, Vol. 10 (2010), 61. Greenberg, supra note 57. bbc.com/news/world-asia-40565722. p. 241; Miriam F. Miquelon-Weismann, “The Convention on Cybercrime: 62. PFS-perfect forward secrecy is a technique 67. Greenberg, supra note 57. A Harmonized Implementation used, for instance, by TextSecure, an of International Penal Law: What SMS application for Android, and the 68. See also Nandagopal Rajan, “WhatsApp Prospects for Procedural Due Process,” software integrated by WhatsApp into Is Not Breaking Indian Laws with 256-Bit John Marshall Journal Computer & its messaging services. See, e.g., Dan Encryption, for Now,” Indian Express, (12 Informational Law, Vol. 23 (2005), p. 329; Goodin, “WhatsApp Brings Strong End- Apr. 2016), at http://indianexpress.com/ Deborah Griffith Keeling & Michael M. to-end Frypto to the Masses,” Quora, (18 article/technology/social/whatsapp-end- Losavio, “A Comparative Review of Nov. 2014), at https://www.quora.com/ to-end-encryption-not-illegal-in-india/. Cybercrime Law and Digital Forensics in How-secure-is-WhatsApps-new-end-to- Russia, the United States and under the 69. Russon, supra note 66. end-encryption. Convention on Cybercrime of the Council 70. Brendan J. Sweeney, Global Competition: of Europe,” Northern Kentucky University 63. For a discussion of the mathematics Searching for a Rational Basis for Global Law Review, Vol. 39 (2012), p. 267. behind cracking computer cyphers, see, Competition Rules, Sydney Law Review, e.g., “The Math Behind Estimations to 77. Viano, supra § 1 B, note 39, at 342–44. Vol. 30 (2008), p. 209. Break a 2048-bit Certificate,” DigiCert, at https://www.digicert.com/TimeTravel/ 78. Ibid., at 347–53. 71. Budapest Convention, supra § 1 B, note math.htm. 32. 79. Convention on the Protection of Children against Sexual Exploitation 72. EU Council Framework Decision and Sexual Abuse, CoE, (25 Oct. 2007) 2005/222/JHA (24 Feb. 2005) on Attacks CETS No. 201 [hereafter, “Lanzarote against Information Systems, at http:// Convention”], at http://conventions. eur-lex.europa.eu/legal-content/EN/ coe.int/Treaty/Commun/ChercheSig. ALL/?uri=CELEX:32005F0222. asp?NT=201&CM=&DF=&CL=ENG. Page 60 | Chapter 1 | End Notes Table of Contents 80. See, e.g., Additional Protocol to 90. Christopher Budd, “Why the SpyEye 101. The “harm” principle is fundamental to the Council of Europe Convention Conviction is a Big Deal,” Trend Micro, John Stuart Mill’s approach to justifying on Cybercrime Concerning the (3 Feb. 2014), at http://blog.trendmicro. or rejecting the intervention of the Criminalization of Acts of a Racist and com/spyeye-conviction-big-deal/. state through criminal law to prohibit, Xenophobic Nature Committed through deter and punish certain behaviors. In Computer Systems, CoE (2003), at http:// 91. “SpyEye Botnet Kit Developer Sentenced On Liberty, Mill argues for “one very conventions.coe.int/Treaty/en/Treaties/ to Long Jail Term,” PC World, (20 Apr. simple principle, as entitled to govern Html/189.htm. 2016), at http://www.pcworld.com/ absolutely the dealings of society with article/3059557/spyeye-botnet-kit- the individual in the way of compulsion 81. International Narcotics Control Board, developer-sentenced-to-long-jail-term. and control.” That principle is that “The “Globalization and New Technologies: html. only purpose for which power can be Challenges to Drug Law Enforcement rightfully exercised over any member of in the Twenty-First Century,” (2001), 92. US Attorney’s Office, N.D. Ga., “Cyber a civilized community, against his will, is at https://www.incb.org/documents/ Criminal Pleads Guilty to Developing and to prevent harm to others. His own good, Publications/AnnualReports/AR2001/ Distributing Notorious SpyEye Malware,” either physical or moral, is not a sufficient AR_01_Chapter_I.pdf; ITU Understanding (28 Jan. 2014), at https://archives.fbi.gov/ warrant,” John Gray & G.W. Smith (eds.), Cybercrime, supra § 1 B, note 1, pp. 30– archives/atlanta/press-releases/2014/ J.S. Mill on Liberty, (New York: Routledge, 40; Stefan Frederick Fafinski, “Computer cyber-criminal-pleads-guilty-to- 2003), p. 90. Use and Misuse: The Constellation of developing-and-distributing-notorious- Control,” Ph.D. Dissertation, University of spyeye-malware/. 102. The principle is captured by the Latin Leeds, School of Law, (2008), pp. 273–81. dictum “actus reus non facit reum nisi 93. “Two Major International Hackers Who mens sit rea” (“the act is not culpable 82. See, e.g., “Europol Supports Huge Developed the ‘SpyEye’ Malware Get unless the mind is guilty”). See, e.g., International Operation to Tackle Over 24 Years Combined in Federal Oxford Reference. Organised Crime,” Europol, at https:// Prison,” US Dept. of Justice, (26 Apr. www.europol.europa.eu/content/europol- 2016), at https://www.justice.gov/usao- 103. See, e.g., “Cyberla Tracker,” UNCTAD, supports-huge-international-operation- ndga/pr/two-major-international-hackers- at http://unctad.org/en/Pages/DTL/ tackle-organised-crime. who-developed-spyeye-malware-get- STI_and_ICTs/ICT4D-Legislation/eCom- over-24-years-combined. Data-Protection-Laws.aspx. 83. Eric Neumayer, “Qualified Ratification: Explaining Reservations to International 94. Ibid. 104. For instance, while an early leader in the Human Rights Treaties,” Journal of Legal field of data protection, the US Privacy Act 95. Ibid. See also US Attorney’s Office, supra Studies, Vol. 36 (2007), p. 397. 1974 (USC Title 5, § 552a) applies only to note 92. the Federal Government, and subsequent 84. Budapest Convention, supra § 1 B, note laws applies to specific sectors, but there 96. UNODC Cybercrime Study, supra § 1 C, 32, at Art. 42. is no comprehensive law to date. note 7, at 108. 85. ITU Understanding Cybercrime, supra § 1 105. “What Is Data Protection?,” Privacy 97. See infra § 5 A. B, note 1, at 77–78. International, at https://www. 98. Fernando Molina, “A Comparison privacyinternational.org/node/44. 86. For example, according to “Cybercrime between Continental European and knows no borders” featured by 106. UN General Assembly, Universal Anglo-American Approaches to InfoSecurity Magazine in 2011, Invincea Declaration of Human Rights, (10 Overcriminalization and Some Remarks founder Anup Ghosh notes that “Law Dec. 1948) 217 A (III) [hereafter, on How to Deal with It,” New Criminal enforcement agencies don’t have “UDHR”], at http://www.refworld.org/ Law Review, Vol. 14 (2011), p. 123; jurisdiction to prosecute outside their docid/3ae6b3712c.html. Kimberly Kessler Ferzan, “Prevention, borders, so they need bilateral or multi- Wrongdoing, and the Harm Principle’s lateral agreements to bring criminals to 107. UN General Assembly, International Breaking Point,” Ohio State University justice. But often it is really just sharing Covenant on Civil and Political Rights, Journal of Criminal Law, Vol. 10 (2013), p. information with foreign law enforcement (16 Dec. 1966) United Nations, Treaty 685, at http://ailadc.org/form.php?form_ agencies and hoping they will do Series, Vol. 999, p. 171 [hereafter, id=12; Joel Feinberg & Robert P. George, something about it.” For additional “ICCPR”], at http://www.refworld.org/ “Crime and Punishment: Moralistic information: Ibid. docid/3ae6b3aa0.html. Liberalism and Legal Moralism: Harmless 87. See infra § 2 E. Wrongdoing: The Moral Limits of the 108. OAS, American Convention on Human Criminal Law,” Michigan Law Review, Vol. Rights, (22 Nov. 1969), at http://www. 88. Anthony J. Colangelo, “A Unified 88 (1990), p. 1415. refworld.org/docid/3ae6b36510.html. Approach to Extraterritoriality,” Virginia Law Review, Vol. 97 (2011), p. 1019. 99. US Dept. of Commerce, Internet Policy 109. UN General Assembly, Report of the Task Force, Copyright, Creativity and Special Rapporteur on the promotion 89. United States v. Aleksandr Andreevich Innovation in the Digital Economy, (Jul. and protection of the right to freedom of Panin, a/k/a Harderman, a/k/a 2013). opinion and expression, (10 Aug. 2011) Gribodemon, and Hamza Bendelladj, A/66/290, para. 10, at http://www.ohchr. a/k/a Bx1, (26 Jun. 2013) N.D. Ga., No. 100. Nina Persak, Criminalizing Harmful org/Documents/Issues/Opinion/A.66.290. 1:11-cr-00557-AT-AJB Document 35. Conduct: The Harm Principle, Its Limits pdf. and Continental Counterparts, Springer Science & Business Media, 2007. 110. UNODC Cybercrime Study, supra § 1 C, note 7 at 110. Page 61 | Chapter 1 | End Notes Table of Contents 111. See, e.g., “Brief History of the Internet,” 122. “Access to Information Laws: Overview Internet Society, at http://www.intern and Statutory Goals,” Right2info, (20 Jan. etsociety.org/internet/what-internet/ 2012), at http://right2info.org/access-to- history-internet/brief-history-internet. information-laws. 112. “Freedom of Expression Rapporteurs 123. WDR, supra § 1 A, note 10, at 222. Issue Joint Declaration Concerning the Internet,” R50/11 (1 Jun. 2011), pt. 1(c), at 124. Ibid. http://www.oas.org/en/iachr/expression/ showarticle.asp?artID=848. 113. Ibid. 114. UN Human Rights Council, “Promotion, Protection and Enjoyment of Human Rights on the Internet,” (32nd Session) [hereafter, “UNHRC Internet Resolution”], A/HRC/32/L.20 (27 Jun. 2016), at https:// documents-dds-ny.un.org/doc/UNDOC/ LTD/G16/131/89/PDF/G1613189. pdf?OpenElement. 115. UN General Assembly, “Calling of an International Conference on Freedom of Information,” 59(I) (14 Dec. 1946), at https://documents-dds-ny.un.org/doc/ RESOLUTION/GEN/NR0/033/10/IMG/ NR003310.pdf?OpenElement. 116. Abid Hussain, Report on the Mission to the Republic of Korea of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, 1995 Report to the UN Commission on Human Rights E/ CN.4/1996/39/Add.1 (21 Nov. 1995), at http://hrlibrary.umn.edu/commission/ country52/39-add1.htm. 117. “Access to Information: An Instrumental Right for Empowerment,” Article 19 & ADC, (Jul. 2007), p. 5, at https://www. article19.org/data/files/pdfs/publications/ ati-empowerment-right.pdf. 118. See, e.g., American Bar Association (ABA), “Part I: What Is the Rule of Law,” at https://www.americanbar.org/content/ dam/aba/migrated/publiced/features/ Part1DialogueROL.authcheckdam.pdf. 119. See, e.g., Operations Policy & Country Services (OPCS), “Dealing with Governance and Corruption Risks in Project Lending Emerging Good Practices,” World Bank, (Feb. 2009), p. 7, at http://siteresources.worldbank.org/ EXTGOVANTICORR/Resources/303 5863-1281627136986/EmergingGoo dPracticesNote_8.11.09.pdf. 120. See, e.g., Commission v. Hungary, supra note 74. 121. See, e.g., Budapest Convention, supra § 1 B, note 32, at Art. 15.3. Page 62 | Chapter 1 | End Notes Table of Contents Referenced in: § D. Framework for a 7. UN Development Programme (UNDP), Capacity-building Program Human Development Report 2001: Making New Technologies Work for Human Development, (New York: United 1. WDR, supra § 1 A, note 10, at 28 et seq. Nations, 2001), at http://hdr.undp. See also “World Internet Usage and org/en/content/human-development- Population Statistics,” Internet World report-2001. See also WDR, supra § 1 A, Stats, (4 Mar. 2017), at http://www. note 10, at 42 et seq. internetworldstats.com/stats.htm. 8. See WDR, supra § 1 A, note 10, at 222 et 2. In Uganda, which has 22.6 million mobile seq. phone numbers, there may be more mobile phones than lightbulbs. See 9. For instance, in the fight against fraud and Laura Gray, “Does Uganda Have More corruption, a “culture of compliance” has Mobile Phones Than Light Bulbs?,” BBC been espoused as a necessary element News, (25 Mar. 2016), at http://www.bbc. in rooting out corruption. See, e.g., com/news/magazine-35883649. Mobile “Eight Ways to Move Toward a Culture phones are frequently used to make of Compliance,” Wall Street Journal, (7 payments in remote rural areas: Across Jul. 2013), at http://deloitte.wsj.com/ Africa, more than 25 million active users cfo/2013/06/07/toward-a-culture-of- are reported to use “M-Pesa” (“M” for compliance-eight-initiatives-ccos-can- “mobile” and “Pesa” for “money” in lead/. Swahili), a means for making small-value payments from ordinary mobile. See 10. For additional resources and examples, “Vodafone M-Pesa Reaches 25 Million see, e.g., CyberCrime@EaP, Cybercrime Customers Milestone,” Vodaphone, (25 and Cybersecurity Strategies in the Apr. 2016), at https://www.vodafone.com/ Eastern Partnership Region, (Bucharest: content/index/media/vodafone-group- CoE, 2015), at https://rm.coe.int/ releases/2016/mpesa-25million.html. CoERMPublicCommonSearchServices/ See also “M-Pesa Transactions Rise to DisplayDCTMContent?documentId=090 Sh15bn Daily after Systems Upgrade,” (8 00016803053d2. May 2016), at http://www.nation.co.ke/ 11. For references and links to domestic news/MPesa-transactions-rise-to-Sh15bn- cybercrime legislation, see appendix 9 C. after-systems-upgrade/1056-3194774- llu8yjz/index.html (noting that daily 12. United States v. Chenault, 844 F.2d 1124, M-Pesa transactions in Kenya exceed 1131 (5th Cir. 1988). Sh15bn (~US$145m)); Ignacio Mas & Dan Radcliffe, “Mobile Payments Go Viral 13. Bettina Weisser, “Cyber Crime—The M-PESA in Kenya,” Capco Journal of Information Society and Related Crimes,” Financial Transformation, Vol. 32 (2011): at, http://www.penal.org/sites/default/ 169–82. files/files/RM-8.pdf. Cf. computer fraud, which requires specific intent. USC Title 3. Cf. §§ 2 A & 2 B, below. 18 § 1030; fraud and related activity in connection with computers USC Title 18, 4. Cf. § 2 E, discussing e-evidence. § 1030(a)(4). 5. See, e.g., CyberCrime@IPA, Article 15 14. For additional resources and examples, Conditions and Safeguards under the see, e.g., Budapest Convention, supra § Budapest Convention on Cybercrime: 1 B, note 32, at Art. 15; CoE, Explanatory Discussion Paper with Contributions Report to the Budapest Convention, by Henrik Kaspersen (Netherlands), (23 Nov. 2001) [hereafter, “Budapest Joseph Schwerha (USA), Drazen Explanatory Report”], at https://rm.coe. Dragicevic (Croatia), (Strasbourg: int/CoERMPublicCommonSearchSer CoE, 2012) [hereafter, “Article 15 vices/DisplayDCTMContent?documen Safeguards”], at https://rm.coe.int/ tId=09000016800cce5b; “Country Profiles CoERMPublicCommonSearchServices/ on Cybercrime Legislation,” CoE, at isplayDCTMContent?documentId=09000 http://www.coe.int/en/web/cybercrime/ 01680303194#search=cybercrime%20246 country-profiles; “Data Protection,” CoE, 7%20safeguards%2029mar12. at http://www.coe.int/en/web/data- 6. Cf. §§ 5 A & 5 B, generally, for a protection/home. discussions of safeguards and human rights issues. Page 63 | Chapter 1 | End Notes Table of Contents CHAPTER 2 Foundational Considerations This chapter provides an overview for some of the foundational issues discussed in greater detail in the Toolkit. It starts by describing what is meant by “cybercrime”, discusses what conduct is criminalized and then provides some “basics” regarding procedural, evidentiary, jurisdictional and institutional issues. In this Chapter A. Working Definition of Cybercrime 65 B. Criminalized Conduct 78 C. Procedural Issues 95 D. Evidentiary Issues 109 E. Jurisdicational Issues 121 F. Institutional Framework 130 Page 64 | Chapter 2 | Foundational Considerations CHAPTER 2 A. Working Definition of Cybercrime Table of Contents Introduction 65 I. Defining Cybercrime 66 A. Key Terms 66 B. Technology’s Place: Now and to Come 67 1. Today’s Technological Infrastructure: A Tool & Target for Cybercrime 67 2. New Threats & Opportunities: “To Infinity and Beyond” 20 68 C. Locating the Crime 69 D. Broad & Narrow Understandings of Cybercrime 70 E. National versus International Approaches 71 II. Existing Definitions 71 A. National Level 71 B. International & Regional Instruments 72 C. Academia 72 III. Classifying Cybercrime 73 A. United Nations Secretariat 73 B. Commonwealth Secretariat 73 C. African Union 74 D. Economic Community of West African States 74 E. United Nations Office on Drugs and Crime 75 F. United Nations Interregional Crime and Justice Research Institute 75 G. Council of Europe 76 Conclusion: The Toolkit’s Working Definition of “Cybercrime” 76 Introduction Broadly speaking, “cybercrime” encompasses illegal activities committed in cyberspace that either use ICT systems to commit the crime,1 or that target ICT systems and the data that they store.2 In the former category, ICT—be it a computer, smart phone or other device(s)—is a vital component of the offense’s modus operandi.3 Though vague and vast, such definitional variability is not necessarily detrimental, as technology’s constant development requires an evolving definition of “cybercrime”: a loose and flexible understanding of the term facilitates combatting illegal activities.4 Page 65  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents Recognizing that a tight, globally-accepted definition of cybercrime does not exist,5 this section (I) explores ways in which cybercrime has been understood, then goes through both (II) existing definitions of cybercrime as well as (III) grouping activities constituting cybercrime and (IV) finishes by proposing a working definition of “cybercrime” that will be used in the Toolkit. Discussion focuses on various approaches used by various institutions and organizations with an yet to looking to lessons learned from existing knowledge. I. Defining Cybercrime Different definitions of cybercrime, of varying breadth and depth, have been put forward by experts, industry and academia, some of which have been used by governments.6 Under rule of law principles, it is understood that laws must clearly define prohibited behavior7 and should be construed narrowly8; such tenets, or so-called canons of construction, are particularly true of criminal laws, where the consequences of misbehavior have significantly greater costs for perpetrators. In order to define “cybercrime”, it is helpful to begin (A) by defining a few key terms, before moving on (B) to consider technology’s place in this evolving term and space and (C) to understand where cybercrime actually takes place. The subsection goes on to explore both (D) broad and narrow understandings of cybercrime before concluding with (E) a discussion of how and why national and international approaches differ. A. Key Terms Before further examining different definitions of “cybercrime”, it is useful to describe some key elements central to construing cyberspace, namely “computer” (and “ICT”), “data” and “systems”.9 For the purposes of this Toolkit, these terms are understood as follows: Computer Computer” is understood as an electronic device for storing and processing ” data. While those processes are typically in binary form, according to instructions given to it in a variable program,10 it is expected that, in the not-so- distant future, devices may operate in quantum form using what are known as “quibits” (as opposed to “bits”), which, in essence, take the operating of binary form to a multidimensional level (see section 1 C, box 1.3, above). Relatedly, “information and communications technology” (ICT) is a broader term, which, though less commonly used to define cybercrime, emphasizes the place of Page 66  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents unified communications, and which integrates audio-visual, telephone and computer networks; although no concrete or universal definition exists as the concept continues to evolve with great rapidity, it can be understood as including computer systems and networks, as well as the data processed by them. Data Data” (be it described as computer, ICT, information or electronic) describes ” a representation of facts, information or concepts that can be read, processed or stored by a computer or a computer system. Although some (though not all11) multilateral instruments explicitly provide that “computer data” includes computer “programs”,12 in practice all activities involving data are generally considered to be covered by provisions for computer data.13 System  ystem” (be it described as computer, ICT, information or electronic) means ”S any device capable of processing data. Some multilateral instruments define “computer network” as an interconnection between two or more computer systems.14 In practice, “computer system” includes, but is not limited to, the linking of any number of computers, smart phones, tablets and other such ICT devices.15 B. Technology’s Place: Now and to Come At the heart of the matter of cybercrime is technology, both (1) as it stands now, both as a tool and as a target for cybercrime, and (2) as improvements come usher in both new opportunities and corresponding threats. 1. Today’s Technological Infrastructure: A Tool & Target for Cybercrime In defining cybercrime, it is helpful to have an understanding of the infrastructure allowing it, namely of the technology that underpins it. Technology plays a defining role in cybercrime.16 On the one hand, and as discussed earlier,17 technology, in the form of electronic devices (e.g., computers or smart phones), or software (e.g., viruses and malware) may be used to facilitate a diversity of crimes. Those crimes may be perpetrated against individuals, organizations or governmental entities. Essential cybertools having legitimate and beneficial uses—including high-speed internet, peer-to-peer file sharing and encryption—can be used to both enable and conceal criminal activity. On the other hand, the technology itself may be the target of the crime. That technology needs to be understood in all of its diversity, being both hardware and software, and as being used by both the public and private sectors, as well as by organizations and individuals. Hardware is used by governmental and quasi-governmental authorities to assure the functioning of societies, from the functioning of power grids to the operating of dams and other pieces of infrastructure, to the Page 67  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents coordinating of traffic controls and emergency services. Software is used to assure communications, delivery of goods and monitoring of financial markets and delivery of its products. As the WannaCry cyberattacks demonstrate (see section 1 C, box 1.2, above), much of modern society has come to rely on ICT and systems’ networking, making lives easier, while also making the elements of the infrastructure targets for attack. Regardless of whether technology is understood as a facilitator or as a target in cybercrime, it bears noting that physical technology stores both the fruits and the evidence of cyber-committed crimes.18 The nature of that evidence, as well as concerns such as the handling of e-evidence, is discussed in greater depth further on (see section 2 D, below). It also bears noting that there is a great range and variance in the uses of technology in cybercrime. Certain cybercrimes require more technological savoir-faire or more powerful digital technologies in order to be carried out.19 For instance, “point-and-click” crimes, such as downloading child pornography or engaging in cyberstalking require relatively minimal technological support. By contrast, phishing, identity theft and “denial-of-service” (DoS) or “distributed denial-of-service” (DDoS) attacks presuppose a much deeper and better understanding of digital and electronic technologies (see section 2 B, box 2.1, below). Deviant acts requiring greater technological know- how also tend to be more deeply embedded in the virtual world. 2. New Threats & Opportunities: “To Infinity and Beyond”20 Technological developments have led at once to new opportunities as well as to new threats and complexities. Although it is impossible to know what the future holds, it is important to consider what certain developments might mean. The start of that transformation is already being seen in the so-called “internet of things” (IoT), which, perhaps best defined as “the infrastructure of the information society”,21 is already revolutionized society and ways of life by (increasingly) optimizing device functionality and connectivity, creating new revenue opportunities and lowering operational costs through the inter-connection of all manner of smart devices.22 These devices—including, for instance, household machines, heating, ventilation and air conditioning (HVAC) systems and the global positioning systems (GPS) of automobiles—are typically less secure than computers,23 and yet, collectively, these devices result in an unprecedented sharing of vast volumes of sensitive data, therein raising serious security and privacy concerns.24 Technological developments will continue to transform the meaning of the internet and of interconnectivity. The “internet of everything” (IoE), a step beyond the IoT, is set to dramatically expand the present understanding of what makes the “infrastructure” of the information society. With the addition of the “smart” moniker to (potentially) everything, networking will involve not only devices but also the data on them,25 and will also extend to directly connecting humans, both at the individual and collective level.26 Anticipated advances—such as quantum computing,27 biocomputing,28 machine learning (or “pattern recognition”),29 AI and autonomous systems— will both enhance and challenge today’s norms—for instance, by rendering existing encryption Page 68  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents technology outmoded, prompting the development of “unbreakable” encryption.30 While the ramifications of these concerns are, in their concreteness, beyond the scope of the Toolkit, it bears noting that anticipated technological advances promise to simultaneously revolutionize cyber- securitization and to facilitate more sophisticated cybercrime. This dramatic redefining of society at all levels makes the readying of systems’ interoperability among states today, not tomorrow, all the more important. C. Locating the Crime The borders and physicality of the “real”, physical world are nonexistent in the “virtual”, digital world of cyberspace. Cyberspace enables criminals to impudently disregard borders and jurisdictions, to target large number of victims, and to do so both simultaneously and instantaneously. Although law-making and law-enforcing authorities, threatened by the new environment of cyberspace,31 attempt to impose or imprint a Westphalian nation-state conception of sovereignty and jurisdiction upon cyberspace, the idea of a “border” is vague at best, and largely defies definition.32 That said, physical elements do play a mediating role between the physical and the virtual world, giving cybercrime a “location” that has underlying physical qualities to the more easily discernible virtual ones.33 Recently, and increasingly, the physicality mediating access to cyberspace has moved beyond use of a computer or some other directive piece of ICT to integrative networking of smart devices, including cars, home utilities and wearable technology.34 Indeed, smart cities35—and even networked cities36—are already becoming a reality. While cyberspace “radically subverts a system of rule-making based on borders between physical spaces”,37 these physical elements have been central to tying cybercrime into traditional legal understandings. Although the complexities of jurisdictional issues is discussed in greater depth further on (see section 2 E, below), several points are worth raising here briefly. States typically exercise both their jurisdictional power and apply their laws to offenses committed on their territory. Cyberspace, however, transcends geographical frontiers, enabling perpetrators to act illegally in one state while being physically located in another state. In cases where the crime is enacted from abroad, jurisdiction is asserted on the basis that the committed offense negatively impacted the state (or its citizen). However, while such harm might be used as a means of establishing jurisdiction, the typical baseline for a custodial state to recognize, validate and accept the jurisdictional exercise of the requesting state is instead that of “double criminality” (or “dual criminality”), meaning that the perpetrator’s comportment is punishable in both states.38 This approach both respects the maxim of nulla poena sine lege (“no punishment without law”), as well as typically raising fewer jurisdictional concerns.39 This mutuality is generally the basis, for example, of extradition law.40 Alternatively, jurisdiction might be asserted on the basis that the instrumentality enabling the offense—be it bank, money services or other instrument—was located in the state intending to prosecute. In such an instance, a form of what is often called “long-arm” jurisdiction is being Page 69  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents exerted over the perpetrator, whereby the foreign jurisdiction reaches beyond its territorial expanse to claim jurisdiction.41 In either instance, a basic, territorial approach and understanding to jurisdiction is at work. Case 2.1: Smc Pneumatics (India) Pvt. Ltd. vs. Shri Jogesh Kwatra (OS) No. 1279/2001 (India) In India’s first case of cyber-defamation, Defendant was accused of sending “distinctly obscene, vulgar, filthy, intimidating, embarrassing, humiliating and defamatory” emails to Complainant’s employer and to employer’s subsidiaries around the world. Complainant filed suit for permanent injunction restraining Defendant. The court accepted that Complainant had made a prima facie case, and, the aim and intention established, enjoining Defendant ex parte to, first, cease and desist in sending of further such emails, and, second, restraining him from publishing, transmitting or causing to be published any information in both the physical world and in cyberspace that was derogatory or defamatory or abusive of Complainant. D. Broad & Narrow Understandings of Cybercrime Approaches to criminalizing cybercrime have been largely disunited, resulting in a Balkanization of criminal laws rather than the creation of a single, international corpus juris of “cybercrime”. On a practical level, the absence of a concrete definition is a matter of particular concern in cybercrime as opposed to traditional crimes given cybercrime’s inherent trans-border and trans-jurisdictional nature. In the absence of a concrete definition, law enforcement authorities have generally distinguished between two main types of internet-related crime: A narrow understanding of cyber-enabled crimes, which focuses on advanced cybercrime 1   (or high-tech crime), and which involves sophisticated attacks against computer hardware and software A broad understanding of cyber-enabled crimes, which are so-called “traditional” crimes 2   committed with the facilitation of ICT, or which are committed “in” cyberspace, and might include crimes against children, financial crimes, and even terrorism.42 This binary understanding, which has permeated many systems, was introduced during the Tenth UN Congress on the Prevention of Crime and the Treatment of Offenders in 2000 as “cybercrime in a narrow sense” (or “computer crimes”)43 and “cybercrime in a broad sense” (or “computer-related crimes”).44 Page 70  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents E. National versus International Approaches Defining cybercrime depends on the context and purpose for which the definition will be used. In national, domestic legislation, the purpose of defining cybercrime is to enable investigation and prosecution of various offences falling under that umbrella. As such, it may not be useful to define the term either narrowly or precisely, especially when procedural provisions of domestic law could be applicable to acts constituting cybercrime as well as other crimes involving e-evidence.45 In the international context, defining cybercrime is useful for interpreting provisions concerning cross-border investigative powers. Some multilateral treaties on cybercrime extend international cooperation rules “for the collection of evidence in electronic form of a criminal offence”,46 while others specify that international cooperation rules apply to differentiate between “offences against computer information”47 and “cybercrime”.48 This differentiation has led the United Nations Office on Drugs and Crime (UNODC) to note that “[i]n the international sphere, conceptions of ‘cybercrime’ may thus have implications for the availability of investigative powers and access to extraterritorial e-evidence.”49 That is not to understate the link between national laws and international instruments. To illustrate, note that many concepts in the Budapest Convention draw from national legislations.50 In turn, countries ratifying the Budapest Convention have utilized the Convention’s understanding of cybercrime within their own national laws. This dual integrativeness has helped reduce the friction among national laws, which in turn, improves state coordination and provides clarity through convergence. II. Existing Definitions This section briefly takes stock of selected practices in definitional approaches to “cybercrime” as used (A) in domestic, national legislation, (B) in multilateral instruments on cybercrime and (C) in the literature. A. National Level While a number of countries have legislation dealing with cybercrime,51 only a few countries define “cybercrime” in their national legislation.52 Of those countries with a national cybercrime law, only a few explicitly use the term “cybercrime” in the articles of such law.53 Rather, titles or provisions in national laws pertaining to cybercrime use terms such as: ƒƒ“Electronic crimes” ƒƒ“Computer crimes” Page 71  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents ƒƒ“Information technology crimes” ƒƒ“Crimes in the sphere of computer information” 54 ƒƒ“High-technology crimes” 55 Many other jurisdictions construe cybercrime as a crime committed with the use of ICT.56 Regardless of how cybercrime is addressed, or what method is used to adapt it, a legal definition of “cybercrime” is rarely provided. Even when domestic legislation explicitly refers to “cybercrime”, there are often differences in how various national laws of the same state define the term. For example, while one approach defines cybercrime as “crimes referred to in this law”,57 another approach is to do so on the basis of instrumentalities, broadly defining cybercrime as “criminal offences carried out in a network or committed by the use of computer systems and computer data”.58 B. International & Regional Instruments There is no multilateral cybercrime instrument that explicitly defines the meaning of term. That said, the term has been used to accommodate a broad range of different offences, making any typology or classification difficult59: “[t]he word ‘cybercrime’ itself is not amenable to a single definition, and is likely best considered as a collection of acts or conduct, rather than one single act”.60 There are, however, two general approaches within applicable multilateral instruments on cybercrime on how to conceptualize cybercrime: The first approach understands cybercrime as a collection of acts, without actually providing 1   a singular definition of the term “cybercrime” itself; The second approach is to offer a broad definition of either the term “offences against 2   computer information”61 or to use the term “information crime”62 without explicit reference to the term “cybercrime”. Examples of the first approach can be found, in the Budapest Convention, the AU Convention and the ECOWAS Directive. Examples of the second approach are found in the CIS Agreement63 and the SCO Agreement.64 C. Academia Although academia has made wide and varying contributions to the effort to create a definition of “cybercrime”,65 no single, standardized consensus definition has been agreed upon. One colorful descriptor is that of cybercrime as “new wine, no bottles”.66 In any case, similar to what has been just discussed, there is consensus that cybercrimes can be appropriately understood as including both traditional crimes moved to a new environment, also new crimes made possible by this new Page 72  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents environment.67 This understanding has let one author to classify according to “issues of degree” and “issues of kind”.68 Such variance in the definition of cybercrime is in part due to the rapid advances and evolutions in ICT, as well as understandings of cyberspace.69 III. Classifying Cybercrime While specific cybercrimes will be considered hereafter (see section 2 B, below), it is worth considering how different regimes have classified cybercriminal behavior in developing an understanding of cybercrime. In the absence of a unitary definition, and without any unitary concept of what cybercrime is, the term is better understood as a range of acts falling into a certain category of crimes.70 That said, while a classification or categorization of cybercrime is less contentious, it is nonetheless difficult to find consensus with regard to the appropriate divisions of acts constituting cybercrime in domestic legislation, multilateral instruments or the literature.71 Herein, seven different classifications, as laid out in international instruments are considered, namely, those of (A) the UN Secretariat, (B) COMSEC, (C) the AU; (D) the ECOWAS, (E) UNODC, (F) UNICRI and (G) the CoE. A. United Nations Secretariat The UN Secretariat carries out the diverse day-to-day work of the United Nations, servicing the other principal UN organs and administering their programs and policies. The Secretariat’s activities include administering peacekeeping operations, mediating international disputes, surveying economic and social trends and problems and preparing studies on human rights and sustainable development.72 In a background paper for a workshop on cybercrime presented at the Thirteenth UN Congress on Cybercrime Prevention and Criminal Justice in 2015, the UN Secretariat, building on its earlier documentation,73 took a binary approach to defining cybercrime. Under the UN Secretariat’s approach, cybercrime is categorized according to the nature of the offense: Offenses affecting the confidentiality, integrity and availability of computer data or systems; 1   and Offenses where computer or ICT systems form an integral part of the crime’s modus 2   operandi.74 B. Commonwealth Secretariat COMSEC is the main agency and central institution of the Commonwealth of Nations,75 an intergovernmental organization of fifty-three Member States that were mostly territories of the Page 73  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents former British Empire.76 COMSEC facilitates cooperation between members, organizes meetings, assists and advises on policy development and provides assistance in implementing decisions and policies of the Commonwealth.77 In its 2014 Report to Commonwealth Law Ministers, COMSEC provides that “cybercrime” is not a defined legal category but rather a label that has been applied to a range of illicit activities associated with ICT and computer networks.78 The Report also categorizes cybercrime in a binary fashion: 1   New, criminal offences covering conduct that is harmful to ICT; and Traditional crimes committed using, or affected by, ICT.79 2   C. African Union Established in 200080 with the vision of “[an] integrated, prosperous and peaceful Africa, driven by its own citizens and representing a dynamic force in global arena”,81 the AU plays an important role in international cooperation. The AU is part of a series of initiatives going back to 1980 that had the continent’s economic and social development as their quest.82 In 2014, the AU adopted its Convention on Cyber Security and Personal Data Protection.83 The tripartite Convention speaks to electronic transactions, personal data protection and promoting cyber security and combatting cybercrime.84 The AU Convention classifies cybercriminal offenses in two: 1   Offences specific to ICT85; and 2   ICT-adapted offenses.86 D. Economic Community of West African States Founded in 1975, ECOWAS is a regional group of fifteen West African countries87 headquartered in Abuja, Nigeria with the mandate of promoting economic integration among its constituents.88 An important regional bloc, ECOWAS is one the five regional pillars of the African Economic Community (AEC).89 In working towards that integration, ECOWAS has considered the matter of cybercrime, and has produced its “Directive on Fighting Cyber Crime within ECOWAS”.90 The ECOWAS Directive categorizes cybercrimes in a binary manner: 1   New crimes; and 2   Traditional, ICT-adapted crimes.91 Page 74  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents It bears noting that only the intended objectives of ECOWAS directives are binding on its Member States, and that each Member State retains the freedom to decide on the best strategies for implementing and realizing those objectives.92 E. United Nations Office on Drugs and Crime UNODC is mandated to assist UN Member States in their struggle against illicit drugs, crime and terrorism.93 This mandate is in support of the Millennium Declaration made by Member States, in which they resolved to intensify efforts to fight transnational crime in all its dimensions, to redouble the efforts to implement the commitment to counter the world drug problem, and to take concerted action against international terrorism.94 UNODC is built on the three pillars of (1) field- based technical cooperation projects to enhance Member State capacity to counteract illicit drugs, crime and terrorism; (2) research and analytical work to increase knowledge and understanding of drugs and crime issues and to expand the evidence base for policy and operational decisions; and (3) normative work to assist states in the ratification and implementation of the relevant international treaties, the development of domestic legislation on drugs, crime and terrorism, and the provision of secretariat and substantive services to the treaty-based and governing bodies.95 Taking a slightly more complicated approach to categorizing cybercrime, UNODC posits three, non-exhaustive categories in its Comprehensive Study on Cybercrime96: Acts against the confidentiality, integrity and availability of computer data or systems; 1   Computer-related acts for personal or financial gain or harm, including sending spam; and 2   Computer content-related acts.97 3   F. United Nations Interregional Crime and Justice Research Institute UNICRI exists to assist the international community in formulating and implementing improved crime prevention and criminal justice policies through action-oriented research, training and technical-cooperation programs. Having launched a strategic engagement in technology to support the fight against crime and responding to the misuse of technology, UNICRI is working to maintain a harmonized approach that effectively balances security concerns and human rights. Similar to UNODC, UNICRI posits a tripartite classification of cybercrime in its “Cybercrime: Risks for the Economy and Enterprises” Roundtable in 201398: 1   Cyber analogues of traditional crimes; 2   Cyber publishing of illegal content (e.g., child pornography; incitement to racial hatred); and 3   Crimes unique to cyberspace (e.g., denial of service and hacking).99 Page 75  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents G. Council of Europe Founded in 1949, and with forty-seven Member States and six Observer States,100 the CoE has the purpose of “achieving a greater unity between its members for the purpose of safeguarding and realizing the ideals and principles which are their common heritage and of facilitating their economic and social progress”.101 With a focus on promoting human rights, democracy, rule of law, economic development and integration of certain regulatory functions in Europe,102 the Council has developed a diversity of treaties and explanatory reports.103 Most notable for the purposes at hand is the CoE’s Convention on Cybercrime, commonly known as the “Budapest Convention”.104 The first global instrument on cybercrime, the Convention’s main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially through the adoption of appropriate legislation and by fostering international cooperation.105 Focusing on infringements of copyright, computer-related fraud, child pornography and violations of network security,106 the Convention operates on the aspiration of legal harmonization and, accordingly, seeks and sets the highest international level of agreement. The Convention details powers and procedures, such as for searching computer networks and lawful interception to that effect, all to address both the crimes listed in the Convention and any other crimes entailing e-evidence. The Budapest Convention proposes the most nuanced categorization of cybercrime all major instruments, dividing cybercrime into four different types of criminal behavior: Offenses against the confidentiality, integrity, and availability of computer data and system107; 1   2  Computer-related offenses108; Computer content-related offenses (defined as child pornography)109; and 3   Computer-related offenses involving infringements of copyright and related rights.110 4   The Convention also allows for ancillary liability and sanctions for inchoate offenses (attempt, and aiding or abetting)111 and for corporate liability.112 Conclusion: The Toolkit’s Working Definition of “Cybercrime” A precise definition of “cybercrime” does not exist. Broadly speaking, cybercrime is understood as a “computer-related crime” and need not necessarily target a computer or ICT device.113 A “typology” approach of acts constituting cybercrime has been used by a number of institutions and agreements, including in the AU Convention,114 the ECOWAS Directive115 and COMSEC’s 2014 report to Commonwealth Law Ministers.116 Page 76  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents Instead of categorizing, and, in an effort to make the Toolkit as useful as possible, a broad and expansive working definition of cybercrime is used herein. Accordingly, the term “cybercrime” is understood to include criminal conduct (as provided in substantive law) directed against the confidentiality, integrity and availability of ICTs, as well as criminal acts carried out through the instrumentality of ICTs. Relatedly, the term “ICT”, a term growing in usage, is understood to include computer systems and networks, as well as the data stored and processed thereon. Using the term “ICT” as opposed to computer is helpful as it reflects recent trends in technological developments, including convergences of older forms of technologies with newer ones. Page 77  |  Chapter 2  |  § A. Working Definition of Cybercrime Table of Contents CHAPTER 2 B. Criminalized Conduct Table of Contents Introduction 78 I. Unauthorized Access (“Hacking”) 79 II. Unauthorized Monitoring 81 III. Data Alteration 82 IV. System Interference 83 V. Computer Content-related Offences 84 VI. Cyberstalking 85 A. The Concept of (Cyber)stalking 85 B. Combatting Cyberstalking at the Societal Level 86 C. Examples of Good Practice in Prosecuting Cyberstalking 87 VII. Financial Cybercrimes 88 A. Financial Sector Vulnerabilities 89 B. The Impact of Cyberattacks on the Financial Sector 90 VIII. Misuse of Devices 92 Conclusion 93 Introduction As developed in the previous section,1 the Toolkit uses a broad definition of “cybercrime”, understanding it as criminal conduct (as provided in substantive law) directed against the confidentiality, integrity and availability of ICTs, as well as criminal acts carried out through the instrumentality of ICTs. That definition construes cybercrime as including both information and systems as targets (ICT-targeted), and the use of ICT devices to conduct criminal offenses (ICT-enabled offenses). Building upon the previous section’s definition, this section examines criminalized conduct. While the working definition is bipartite, this section presents criminalized conduct, without trying to classify that behavior as either ICT-targeted or ICT-enabled—indeed, some will be both. Additionally, as much as already been written about them, this section does not attempt to cover all of the well-accepted cybercrimes, but is instead intended to focus on select new and emerging Page 78  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents issues, as well as to shed new light on some of those more well-known cybercrimes. One of the great challenges in combatting cybercrime is “future-proofing” the law—ensuring that the law keeps pace with all sorts of new ways to conduct criminal activity on-line. In practical terms, one question facing policy-makers and legislators is whether to attempt to specifically criminalize each new type of activity, or to craft a legal framework that is more general in nature but flexible enough to ensure that it can be applicable to new sorts of criminal activity as they arise. Just as with the definition of cybercrime, it is equally difficult to find consensus on what constitutes cybercrime beyond a limited, core number of acts compromising ICT confidentiality, integrity and availability. With the exception of ICT-facilitated dissemination of child pornography,2 there is little agreement on what constitutes content-related offences.3 This section runs through several of the mostly commonly criminalized acts constituting cybercrime: (I) unauthorized access to a computer system (or “hacking”), (II) unauthorized monitoring, (III) data alteration (or data “diddling”), (IV) system interference, (V) computer content-related offences, (VI) cyberstalking, (VII) financial cybercrimes and (VIII) misuse of devices. It concludes in an integrative attempt to prepare the discussion on procedural issues, discussed more thoroughly in the next section (see section 2 C, below). I. Unauthorized Access (“Hacking”) The unauthorized access to an ICT system—commonly known as “hacking—, is, in many ways, the most basic cybercrime as it enables subsequent (cyber)criminal behavior.4 Once access is gained to an ICT device or network, the cybercriminal may target information and data, or may turn to target systems. There are various means for infiltrating a device, system or network. “Malware” is an umbrella term used to describe malicious code or software, including viruses, worms, Trojan horses, ransomware, spyware, adware and scareware.5 Box 2.1: Various Hacking Techniques Hacking might be accomplished through a variety of techniques. The most common forms include the following: Malware: A malicious piece of code (including viruses, worms, Trojans or spyware) which infects devices or systems, which is typically capable of copying itself, and which typically has a detrimental effect, such as corrupting the system or destroying data. Adware: A malicious piece of code that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user’s knowledge or redirects search requests to certain advertising websites. Page 79  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents Social Engineering: The deceptive use of electronic communications, such as emails or social media messages, for purposes of fraud, system access or collecting sensitive information; the most common forms of social engineering includes phishing, pretexting, baiting, quid pro quo and tailgating.6 Botnet: A network of private computers infected with malicious software and controlled as a group without their owners’ knowledge in order to multiply the effects of cyberattack. Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Attack: An attempt to overwhelm or overload an organization’s website or network in order to render it unavailable to intended users by interrupting or suspending services. Ransomware: Malicious code disguised as a legitimate file used by hackers to encrypt data on users’ devices, thereby preventing access to either the data or to the device itself until a ransom fee is paid. The inverse of a DoS attack, ransomware makes it impossible for the user decrypt his or her its own data without the decryption key, which (in principle) is offered upon payment of a ransom. Injection Attack: The most common and successful attack-type on the internet (e.g., SQL Injection (SQLi), Cross-Site Scripting (XSS)), it targets web-based applications, and works by hiding malicious code (a “payload”) inside verified user input (thereby bypassing authentication and authorization mechanisms) that is shown to the end-user’s browser, which in turn executes the apparently trustworthy script. The script often creates errors visible to the attacker, many of which tend to be sufficiently descriptive to allow an attacker to obtain information about the structure of the database and thereby control it.7 Hacking by definition compromises system integrity and, as such, imperils confidence not only in that individual device, system or network, but also potentially in the larger notion of the integrity of networking and cyberspace as a whole.8 Box 2.2: Target Corp. Targeted in Massive Data Hack In December 2013, in one of the largest data breaches ever reported, hackers infiltrated the ICT systems of Target Corporation, the second-largest discount retailer in the United States, and stole personal information (email, addresses, etc.) of some seventy million customers, including credit and debit card records on more than forty million customers. The Target breach, caused by malware installed on the company’s networks that siphoned away customer information, happened during the holiday shopping period. When Page 80  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents announced, the chain’s traffic, sales and stock value were immediately affected, with profits falling by forty-six percent for that quarter. Target subsequently agreed to pay US$10 million to settle a lawsuit brought by shoppers affected by the breach. Since most ICT systems are usually shielded from unauthorized access, an intruder must penetrate the security system. As such, many legal systems class hacking—simply on the basis of being unauthorized access—as criminal in and of itself.9 The Budapest Convention, for instance, addresses hacking by criminalizing “offenses against the confidentiality, integrity and availability of computer data and systems” at large,10 and, more specifically, by targeting “illegal access”, understood as “access to the whole or any part of a computer system without right”.11 Laws generally categorize the offense as unauthorized entry into a protected ICT system, regardless of the offender’s purpose.12 However, the Budapest Convention allows that further mens rea elements13 in addition to intentionality and “without right” might be included, as State Parties “may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system”.14 Case 2.2: United States v. Marcel Lehe Lazar (USA)15 Defendant, Marcel Lehe Lazar, pled guilty to two of nine counts of an indictment that included three counts of gaining unauthorized access to protected computers, having hacked into email and social media accounts of some one hundred Americans, including family members of two former US Presidents, a former US Cabinet member, a former member of the US Joint Chiefs of Staff and a former presidential advisor. Lazar claims to have breached Hillary Clinton’s personal email server,16 although there is no evidence to verify that claim. Lazar was apprehended and tried in his native Romania, where he was found guilty on similar charges and jailed for seven years.17 Thereafter, in a showing of international cooperation among law enforcement authorities, he was extradited to the United States.18 The US District Court for the Eastern District of Virginia sentenced him to a further seven years in prison.19 II. Unauthorized Monitoring Just like hacking, unauthorized “monitoring”20 might target devices, data or both; when data is targeted, it is often referred to as “illegal interception”. Such activity is typically done by using or installing monitoring devices or software in the ICT system after having gained access to the system. The physical world analogue is wiretapping. It bears noting that, while initial access to the system Page 81  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents may have been granted and authorized, this offence is not in the unauthorized system entry—as in hacking—but rather in remaining “in” the system thereafter, and monitoring or otherwise affecting the system and/or any stored or transmitted data therein.21 Thus, while authorized entry may not have been per se revoked (that is, if it had been granted), permission to remain in the system, even if only in a “viewing” capacity, has not been granted. Box 2.3: Spotting Hack Attacks and Monitoring Malware Edward Snowden, of renown for his unauthorized copying and leaking of classified information collected by the NSA in 2013,22 is developing a smart phone case that will inform the user whether the device has been hacked.23 As mobile phones are the “perfect tracking device”,24 and as it is relatively easy to develop software that masks whether the phone’s integrity has been compromised, Snowden and a colleague are developing a phone- mounted battery case that monitors radio activity. Monitoring technology might be used as much by governments25 as private sector spies.26 An example of monitoring malware is Flame (also known as well as Flamer, sKyWIper, and Skywiper),27 a modular computer malware discovered in 2012 by Kaspersky Labs at the prompting of the ITU, the UN agency that manages information and communication technologies.28 Flame, which may have been active for as long as eight or more years before it was discovered,29 not only targeted computers running the Microsoft Windows operating system, but, in an act that broke world-class encryption, was found to have been delivered through Windows updates.30 A precursor to the Stuxnet virus,31 Flame was designed to stealthily search top-secret files and gather intelligence through keyboard, screen, microphone, storage devices, network, WiFi, Bluetooth, USB and system processes,32 subsequently transmitting document summaries of the gleaned intelligence.33 As network managers might notice sudden data outflows, the malware was designed to gradually transmit harvested information to its command-and-control server.34 Data transfer could be done with any Bluetooth-enabled device, and, with a “Bluetooth rifle”, could have a range of up to two kilometers.35 Flame has been particularly used to target Middle Eastern countries. III. Data Alteration Data alteration (or data “diddling”, or false data entry36), is the interception and changing of data before or during entry into a computer system, or the altering of raw data just prior to processing and then changing it back after processing has been completed.37 It can occur at various points along the chain of information entry. However, as E2EE is growing in both effectiveness38 and in frequency,39 data diddling is increasingly happening by hacking the device before either the to- Page 82  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents be-sent data has been encrypted or after the received data and been unencrypted, rather than intercepting the data and then having to unencrypt it.40 As with many other cybercrimes, data diddling allows cybercriminals to manipulate output while largely preserving the perpetrator’s anonymity; however, data diddling is often very subtle and virtually undetectable. Forging or counterfeiting documents are typical examples. Cyber forensic tools can be used to trace when data was altered, what that data was and then to change it back to its original form. A simpler and more direct method of control is through version control and by keeping multiple records, including hardcopies, just as much for comparison’s sake as to back up the data. Data diddling may be used to target a wide-range of information; indeed, concern over possible tampering with public legal documents has limited governmental recourse to the web in areas as diverse as the publication of court judgments41 and voting.42 Case 2.3: People of Colorado v. Raymond D. Ressin et al. (USA)43 In a matter going back to 1978, Defendants defrauded a brokerage firm of US$171,756.17, and were convicted on three counts of theft. Raymond Ressin, a clerk working for a brokerage firm in Denver, Colorado, purchased two hundred shares of Loren Industries at US$1.50 for his outside accomplice, Robert Millar, amounting to a total of US$300. He subsequently altered the account number suffix, changing the purchase from a legitimate “cash” account, which was to have been paid in full, to a “margin” account, which qualified the purchase for a loan of up to fifty percent of the account value. Ressin subsequently changed the last two digits of the authorization code from LII (Loren Industries, Inc.) to LILN (Longing Island Lighting), an approved margin stock worth US$130 a share. As a result, the account value went from US$300 to US$26,000, which, as a margin account, also came, with a borrowing power of US$13,000. Ressin subsequently adjusted the records inputted into a computerized accounting system. Repeating the process, and then leveraging that fraudulent borrowing power, Defendants made further purchases, parlaying the initial US$300 investment to a net value of US$171,756.17 (approximately US$700,000 in 2016). IV. System Interference As already discussed,44 a fundamental interest is the “integrity” of private and public ICT systems and networks, meaning that they function according to their operating rules and the input furnished by the owners.45 As any unauthorized interference can seriously undermine public trust in the secure, proper functioning of ICT systems, many legal systems have adopted criminal sanctions to punish it.46 This kind of activity goes beyond undermining uncertainty in cyberspace and in the Page 83  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents systems constructed therein.47 Typical examples include unauthorized transmission and changes of data, removal or destruction of data and of software, as well as impeding access to an ICT system.48 Just as system interference (sometimes called “cybersabotage”) can be conducted by either private industry or by governments, so, too, can its targets be either private industry or public operations. In this section, system interference is being discussed in the context of criminal gain.49 Box 2.4: Sony Pictures Entertainment Attacked On 24 November 2014, a hacker group identifying itself as “Guardians of Peace” (GOP) leaked confidential data stolen from the film studio Sony Pictures Entertainment.50 The large amount of leaked data included personal details on Sony Pictures employees and their families, emails between employees, information about executive salaries, copies of then- unreleased Sony films, and other information.51 Following threats to release more information, Sony Pictures bowed to the demands by the GOP group not to release the film The Interview, a spoof on North Korean premier, Kim Jong-un.52 US authorities concluded that North Korea had been “centrally involved” in the hack.53 V. Computer Content-related Offences Computer content-related offences are acts of disseminating, making available or storing material with illegal content by the use of computer systems or the ICTs. Particular concern is given to content that is religiously or racially discriminatory, contains child pornography or incites hate acts or terrorism. This category of offenses can often pose challenges to freedom of expression protections.54 International law allows the prohibition of certain types of expression.55 However, there are often disparities among domestic legislation. For example, the online dissemination of racist and xenophobic material is prohibited in many European countries, while the same acts might be protected in the United States.56 While most areas of cybercrime still lack consensus—especially for computer content-related activities—, cyber child pornography, in particular, is an area where criminalization is generally accepted. Although specific cyber-pornography laws are sometimes legislated,57 such activity is more typically criminalized by expanding either the general criminal law58 or the cybercrime law.59 Amendments tend to make provisions general enough to cover both traditional and online renderings (i.e., “by any means”),60 or to make specific amendments explicitly speaking to online child pornography.61 Page 84  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents VI. Cyberstalking Cyberstalking is a crime that often blurs the line between the real and the virtual, and even between the physical and the psychological. As such, it deserves space to discuss (A) the concept of stalking and cyberstalking, (B) how best to combat cyberstalking at the societal level and (C) a brief exposé of the elements that go into good practice of prosecuting cyberstalking. A. The Concept of (Cyber)stalking Stalking is a pattern of behavior involving willful or intentional acts62 which, though often individually inconsequential, collectively make the victim feel harassed, nervous, anxious, fearful, threatened or otherwise insecure.63 Behavior amounting to stalking ranges from the repeated sending of unwanted messages (telephonic, mail or otherwise) or gifts, to the more aggressive activities of surveying or pursuing the victim. Stalking is committed by those with varying backgrounds, motivations and psychological disorders64; the majority of perpetrators have a problematic social life and may suffer from psychosocial problems or disorders, such as schizophrenia paranoid disorder. In the United States, an estimated 3.4 million persons aged eighteenor older were victims of stalking during any given twelve-month period.65 While a wide range of acts can be involved in stalking, and while they can result from a wide series of causes, two critical elements characterize stalking: first, the repetitiveness of the overall behavior (not necessarily any one type of act); second, the victim’s reasonable perception of that behavior as unwelcomed and unacceptably invasive. Stalking itself does not involve the infliction of any direct physical harm by the perpetrator. Rather, antistalking laws operate as a means of providing law enforcement officials with a mechanism for intervening before violence actually occurs.66 Cyberstalking, the convergence of stalking and cyberspace, is characterized by the repeated use of unwanted electronic communications—emails, spamming, flaming, online defamation, blogging, and the like67—sent directly or indirectly, which renders the victim insecure, or which misrepresents the victim online. Just as with traditional stalking, it is the behavior’s repetitiveness and the reasonable, subjective apprehension that characterize cyberstalking. While the medium might be different, stalking done in the virtual world can be just as distressful, destructive and damaging as that done in the physical world. While cyberstalking may be complemented by physical-world stalking,68 its effects can be far more destructive. Case 2.4: Ramm v. Loong (Singapore)69 Leandra Ramm, a US citizen residing the area of San Francisco, California, was the victim of cyberstalking by Colin Mak Yew Loong, a Singaporean man, residing in Singapore. For six Page 85  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents years, Loong, who had initially posed as a director of a music festival, made harassing phone calls and sent some 5,000 emails, in addition to creating hate groups on Facebook and Twitter and a slanderous blog, through which he made threats of rape and physical violence against Ramm and her family. Loong even made bomb threats to the opera companies that engaged her. A promising opera singer, Ramm’s career was destroyed and she suffered serious psychological episodes, including contemplating suicide, eventually being diagnosed with post-traumatic stress disorder (PTSD).70 For six years, Ramm was rebuffed by the FBI, the New York Police Department and other government agencies, and was met with a lack of interest by Singaporean authorities (where cyberstalking was not criminalized). Eventually, Ramm hired a cybercrime expert with links to the US Secret Service (USSS), who was able to navigate the US and Singaporean legal systems. Eventually, Loong admitted to thirty-one counts of criminal intimidation between 2005 and 2011 (as well as confessing to having harassed two other foreigners (a Ukranian violinst and the German boyfriend of a Hungarian pianist) and a Singaporean business woman; to criminally trespassing at St. James Church; and to stealing biscuits from the Church’s kindergarten. After considering the aggravating factors, the Singapore Subordinate Court determined that Loong made “vicious threats of violence and extremely vulgar email rants” against Ramm that was tantamount to “mental assault” as well as repeated acts of aggressive intrusion, and sentenced Loong to thirty-six months in prison (nine months jail for each of the fourteen counts, with four of the sentences running consecutively) and to pay a fine of S$5,000.71 Taking almost nine years, the conviction makes for the first successful prosecution of an international cyberstalking case.72 In the words of the presiding judge, the case is “a timely reminder that harassment laws need to keep pace with changes in technology and the pervasive use of the Internet and social media”. Singapore has subsequently criminalized cyber-bullying and -stalking.73 B. Combatting Cyberstalking at the Societal Level Cyberstalking has only relatively recently been seen as a serious crime, and is still not universally criminalized. In 2014, a European Union-wide survey across the twenty-eight Member States found that only eleven had specific anti-stalking laws.74 Since then, the CoE’s Istanbul Convention has substantially worked to harmonize laws on violence against women across Europe, including stalking (without distinction between physical- and cyber-stalking).75 In the United States, stalking became an issue of social concern in the 1990s76; the Violence Against Women Act (VAWA) criminalized stalking under US federal legislation.77 The first jurisdiction in the United States to Page 86  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents criminalize cyberstalking was California in 199978; thereafter, in 2000, language was added to the federal law, VAWA, to include cyberstalking.79 While legal definitions vary across jurisdictions,80 thereby complicating prosecution and investigation,81 courts have facilitated legislative hiccups by extending existing, traditional statutes to include electronic tools.82 Case 2.5: United States v. Baker (USA)83 Defendants, Abraham Jacob Alkhabaz, a.k.a. Jake Baker, and Arthur Gonda, were prosecuted for electronic mail messages involving sexual and violent behavior towards women and girls. Baker also posted a reputedly-fictional story describing the torture, rape and murder of a young woman sharing the name of one of Baker’s classmates at the University of Michigan. Although the true identity and whereabouts of Gonda, who was operating from a computer in Ontario, Canada, are still unknown, Baker was arrested and charged under federal statute 18 USC § 875(c), which prohibits interstate communications containing threats to kidnap or injure another person. The count that had been based on Baker’s story publication was dismissed as protected as free speech under the First Amendment of the US Constitution. The other charges, which were based on defendants’ email correspondence, and thus of a private nature, were deemed not to constitute “true threats” by the district court. While the US Court of Appeals for the Sixth Circuit upheld the District Court’s decision, it bears noting that just what constitutes a “true threat” under US law remains unclear.84 Cyberstalking is frequently misconstrued as a crime lacking significance. In order to effectively combat cyberstalking, the government must, first, build sufficient capacity in order to both conduct proper investigations and to offer alleged victims the appropriate degree of psychological support and understanding, and, second, actively work at breaking attitudinal barriers that make such behavior acceptable. Overcoming attitudinal barriers is also a necessary part of crime fighting. In stalking at large, and in cyberstalking in particular, initial contact between perpetrator and victim is generally benign, and may even be positive. Once communications turn disturbing, however, there is a tendency of victims to immediately and spontaneously destroy the unwelcomed overtures; such behavior by victims is typically motivated out of a sudden onset of fear or embarrassment. Unfortunately, doing so can significantly hinder authorities in their investigating. As such, the battle against (cyber) stalking begins by breaking attitudinal barriers and educating people so victims are not oblivious to the signs of stalking and do not destroy evidence. C. Examples of Good Practice in Prosecuting Cyberstalking Page 87  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents The first step to a successful prosecution is collecting sufficient information from the victim. If there are grounds to assume that the act was perpetrated by an acquaintance, investigators may have to focus on the victim’s internet activity. The investigative process stands or falls on trust: investigators must give victims ground for putting trust and confidence in them, and for feeling secure enough in sharing their story, a story that can often be quite disturbing and which can become increasingly disturbing as more evidence is uncovered and the fuller pictures emerges.85 Having established a rapport of trust with the victim and having heard the victim’s account, investigators then need to secure actionable evidence. Having brought the incidences to the attention of law enforcement authorities, victims must be instructed in how to preserve subsequent communication and content; as digital evidence can be particularly fragile, (see section 1 D, below), attention to properly instructing victims should not be undervalued. Further, victims need to be instructed on how best to cooperate with investigators. The anonymity of cyberspace often makes it difficult to identify a methodical cyberstalker who does not wish to be identified. Such is especially complicated by the fact that so many perpetrators have never had a relationship with the victim. Moreover, investigators usually face difficulties tracing suspects, as most cyberstalkers do not have material motivation. Technology has created a whole new space in which crime can occur, and technological developments continue to outpace anti-cyberstalking laws.86 Such being the case, investigators need to be sufficiently trained and experienced in more than just psychology and standard evidence collection. For instance, familiarity should be had in dealing with different subscriber networks, including email, blogs and bulletin boards, text messaging and telephone and fax networks so as to understand how to piece together —and preserve—an evidence trail. As with most cybercrimes, cyberstalking’s frequently transnational, cross-boundary nature, as combined with technical advances that help perpetrators to remain anonymous, significantly increase the cost and timing of the combatting this crime. Indeed, the UK’s Crown Prosecution Service has noted information request result in delays of up to three months, as compared to the apprehending of physical-world stalkers, which is usually completed within hours.87 In addition to drawing out the duration of the crime, these delays also give perpetrators valuable time to destroy evidence. VII. Financial Cybercrimes From fraud to forgery, spoofing to spamming, cybercriminals have particularly targeted the financial services sector.88 As such, it is worth discussing (A) the reasons why the financial sector is especially vulnerable to cybercrime and (B) the impact of cyberattacks on the financial sector. Page 88  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents A. Financial Sector Vulnerabilities Rapid ICT advances have not only allowed financial sector entities to improve their performance and diversify their offerings, but have also enabled criminal networks to carry out new and increased criminal activities in the online environment. As a result, the financial services sector has become particularly dependent, and, correspondingly, susceptible to cybercrime. According to the PricewaterhouseCoopers’ 2014 Global Economic Crime Survey (GECS), thirty-nine percent of financial sector respondents said they have been victims of cybercrime, compared to only seventeen percent in other industries.89 While in the past, a person was needed to physically act to authorize and initiate fund transfers, increased reliance on ICT creates potential weak points for cybercriminals to exploit through hacking technology (see section 2 B, box 2.2, above).90 Partly in light of such potentials, financial sector cybercrime appears to be on the increase.91 There are many reasons why financial institutions are targeted by cybercriminals, but, to use a line attributed to one infamous bank robber, mostly “because that’s where the money is”.92 There are various forms of “money”: banks have money in liquid form, credit card companies have it in plastic form and retailers have it derived from credit card information shared with them by consumers.93 ICT innovations allow customers to access to their finances at any time and from any place.94 As mentioned earlier, in December 2013, the US retailer Target was the object of a malware attack that resulted in the theft of personal information of over seventy million customers (see section 2 B, box 2.2, above).95 Reports show that, each year, financial details of millions are stolen from systems operated by hotels, retail chains, banks and community service providers.96 Box 2.5: Vulnerabilities in Business Practice beyond Banking97 Business email compromise (BEC) is an exceptionally pervasive and injurious type of cybercrime. BEC commonly manifests in one of three forms: hacking of employee emails, hacking of high-level executives or exploitation of supplier relationships. BEC is a method by which cybercriminals gain the confidence of employees, employers or businesses through carefully crafted communications that imitates standard operating procedures, masquerading as legitimate. Once email account relationships are infiltrated, information needed to imitate communications is taken, thereby enabling the sending of fraudulent transaction requests. Businesses of all sizes and varieties are targeted using BEC scams, with the amount of funds stolen depending upon what is typical for that business’s transactions. Statistics compiled by the Internet Crime Complaint Center (IC3), a partner of the FBI, indicate that, between October 2013 and December 2014, there were 2126 cases of BEC amounting to a combined financial loss of US$214,972,503.30. However, as only 45 countries outside the United States sent complaints to IC3, these figures probably underrepresent BEC’s global impact. Page 89  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents As is true of cybercrime at large, BEC scams can be launched from any country and can target any entity or individual relying upon email communications. The money trail can be as difficult to follow as the origin of the attack, as funds are frequently transferred multiple times across several jurisdictions. The nature of this particular type of cybercrime, the number of attacks and the potentially small amounts taken together make it exceedingly difficult to trace, prosecute and recover assets of such crimes. Although cyberattacks may be carried out through malware, phishing or direct hacks, the most common method is through DDoS attacks,98 which aim to cripple the functions of ICT systems of targeted business by bombarding their websites with requests until they are unable to cope and cease to function properly. For instance, in what has been called the “Operation Payback” campaign, the Anonymous group of hackers targeted firms seen as being anti-WikiLeaks, including MasterCard and Visa after they withdrew their services from WikiLeaks, using DDoS attacks to disrupt their web services.99 Although virtual currencies such as Bitcoin are still developing, their implications for financial crime are significant. Criminal networks have shown great interest in virtual currencies for the ability to carry out large-scale money laundering.100 In addition, just as with traditional currencies, virtual currencies are susceptible to cybercrime attacks such as fraud.101 Various approaches have been taken to address financial cybercrime. In the United States, laws combatting wire fraud have been expanded to prosecute cybercrime. Under the US Wire Fraud Statute,the prosecution must show: A scheme to defraud by means of false pretense; 1   Willful and knowing participation with intent to defraud; and 2   Use of interstate wire communications in furtherance of the scheme.102 3   Because computer transmissions are conducted by wire, the Statute remains an effective tool to fight a wide range of financial cybercrimes. B. The Impact of Cyberattacks on the Financial Sector According to the Center for Strategic and International Studies report,103 the estimated annual cost of cybercrime is between US$375 billion and US$575 billion in losses, primarily borne by the private sector. This amount represents the total sum of opportunity costs, confidential business information and market manipulation, and recovery costs for the targeted institutions.104 However, there are also substantial indirect costs associated with the theft and abuse of financial and personal information that are kept by financial institutions. Page 90  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents Case 2.6: United States v. Drinkman (USA)105 The US DoJ indicted Defendants for hacking, wire fraud and unauthorized computer access of financial institutions with the intention of stealing usernames, personal data and credit card information.106 On 28 June 2012, Defendants, four Russians and one Ukrainian, were arrested in the Netherlands. Targeted companies included NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.107 The methods of hacking utilized by Defendants included SQLi attacks, SQLi strings, malware and tunneling. All of these mechanisms were used to gain access to computer systems of the corporate victims and to extract customers’ credit card data and personal information either for direct criminal gang use or for sale on the black market. This scheme mainly targeted retailers, credit card companies and other businesses by successfully invading their computer systems that process payment services.108 Between 2005 and 2012, Defendants retrieved information on 160 million credit card numbers as well as other personal identification information. The information thefts allegedly cost three of the targeted institutions a collective US$300 million in losses, both in direct costs from the stolen date and in subsequent remediation. The costs are under-representative, however, as the effects were not limited to retailers and financial institutions, but also extended to consumers.109 Cyberattacks on financial institutions are of particular concern because they undermine not only individual reputations but also consumer confidence both in that entity’s online services, and in the security of the larger financial sector’s offering of cyber-based services. Undermining consumer confidence decreases financial activity and, if business is shifted to more traditional means, often results in increased costs. More dramatically, it results in consumers removing their money from the financial system and placing it under the proverbial mattress, thereby further hurting the global financial system and markets. As an alternative, as indicated by Target consumers following that cyberattack, customers may, where possible, switch to making cash transactions, which also limits the efficacy and size of the market.110 Left unaddressed, cyberattacks targeting the personal information kept by financial institutions could have cripplingly severe impact upon economies. These costs go well beyond the immediate financial institutions that hackers target, extending to the clients of those services and having subsequent direct (lack of liquidity, opportunity costs, etc.) and indirect effects (lowered credit scores, loss of system confidence, lowered investment rates, etc.). Page 91  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents Case 2.7: United States v. Ulbricht (“Silk Road”) (USA)111 Defendant, Ross Ulbricht, was convicted and sentenced to life in prison without the possibility of parole for conspiracy and money laundering charges stemming from his supposed role as “Dread Pirate Roberts”, the operator of the online marketplace “Silk Road”. Through anonymous payments in bitcoin, the Silk Road enabled the sale of, among other things, controlled substances, pirated software, and fake IDs.112 Run through the Tor network, Silk Road operated on the Dark Web, a virtual space inaccessible without specialized software or access authorization.113 Bitcoin is a digital currency manifestation of “blockchain” technology, a method of recording data that allows for independent recording and verification of “blocks” of digital records that have been lumped together, and then cryptographically (through a technique known as “hashing”) and chronologically bound in a “chain” using complex mathematical algorithms. The recording system can be generically described as a distributed database or “public ledger”; however, this ledger, to which everyone in the network has access, is not stored in any one place but rather distributed across multiple computers around the world. The only recorded data is the fact a transaction’s occurrence and associated hash.114 Not all blockchains are anonymous, and bitcoin is but one manifestation of blockchain technology.115 Blockchain technology has been described as the most disruptive technology since the internet.116 Bitcoin transactions, because they are highly secure and highly anonymous, pose certain challenges to “traditional” forms of combatting financial crimes, particularly with regard to the finding and extraditing of perpetrators. However, even with bitcoin, anonymity is not complete: first, as perpetrators must “cash out” of bitcoin to realize their profits, and, second, as bitcoin’s shared ledger makes transactions public, even if unidentified. Bitcoin also raises regulatory concerns. While banking is a regulated sector, bitcoin transactions are not considered part of the banking system in many jurisdictions, often making it unclear whether banking law or cybercrime law should apply. In banking, various suspicious activity reporting (SAR) rules require financial institutions to report suspicious transactions, many, if not all, of which may not apply to bitcoin transactions.117 That said, the inherent forensic element of bitcoin often lends itself to facilitating investigations once matters reach that stage. VIII. Misuse of Devices The offense of misuse of devices prohibits the use of a device, password or access code in the furtherance of the afore-enumerated acts.118 Acts criminalizing such offenses have existed for some time and have typically been used as a means of targeted hacking by targeting the tools enabling Page 92  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents cybercrime.119 Password trafficking is the sharing or trading accounts—often after passwords have been stolen through hacking techniques—with potential for immediate financial reward or access to private information.120 Such behavior is criminalized for all of the reasons discussed above, but notably because it diminishes the security and reliability of computer data and of cyberspace as a whole. An example of this crime is computer-related forgery.121 The offense can be difficult to ring- fence, however.122 As ready-to-exploit kits are becoming widely available, creating, possessing or distributing hacking software or tools for committing cybercrime must be criminalized.123 Moreover, much technology developed for legitimate purposes has been coopted in order to facilitate cybercrime.124 Keeping these dual use devices away from only cybercriminals presents certain legal obstacles. Case 2.8: Geoffrey Andare v. Attorney General (Kenya)125 In April of 2015, Andare was arrested for violating a Kenyan law criminalizing the misuse of ICT subsequent to his having posted a message on his social media page reprimanding an agency official for allegedly exploiting others. Section 29 of the Kenya Information and Communications Act—“the improper use of an ICT system”—criminalizes the use of any licensed telecommunication system, such as a mobile phone or computer, to “send[] a message or other matter that is grossly offensive or of an indecent, obscene or menacing character”.126 It also imposed a penalty of a fine not exceeding KSh50,000, or imprisonment for a term not exceeding three months, or both.127 In April of 2016, High Court Judge Mumbi Ngugi struck down that section of the law as violating the constitutional right to freedom of expression,128 and also as being overly broad and suffering from vagueness.129 The law, it was determined, had a chilling effect on legitimate online expression. In reaching her decision, the judge offered that the laws of Libel are sufficiently robust, referring to a recent case where damages of KSh5 million were awarded against a blogger for defamation by a separate court which relied on laws of libel. Conclusion This section has discussed certain core and evolving cybercrime acts—namely, hacking, unauthorized monitoring, data alteration, system interference, computer content-related offences, cyberstalking, financial cybercrimes, ransomware, misuse of devices and intellectual property infringements (including cybersquatting). Even with regard to these universally-frowned upon activities, there is not universal consensus that these activities should be criminalized, and, where Page 93  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents there is consensus, no consensus on how or to what extent. Such is particularly true of content- related offences. To amplify the capacity-building purposes of the Toolkit, however, a broad net is cast. As there is consensus on the appropriate delineation or categorization of cybercrimes—especially where they have substantial “offline” activities—, it is often difficult to determine which legislative provisions should govern ICT-related criminal conduct. Moreover, even in instances where the behavior is considered both undesirable and illegal, it is not always clear that cyber law is the appropriate governing law, as the Silk Road case shows.130 Those difficulties are further exacerbated on the international stage, especially when trying to create cooperation among law enforcement agencies. Page 94  |  Chapter 2  |  § B. Criminalized Conduct Table of Contents CHAPTER 2 C. Procedural Issues Table of Contents Introduction 95 I. Adapting Search & Seizure to the Digital World 96 A. The Challenges of Adapting Existing Procedures 96 B. Delimiting Searching & Seizing e-Evidence 96 C. Examples of Good Practice 99 D. Techniques for Identifying Relevant e-Evidence 101 II. Collecting Evidence with the Assistance of Third Parties 102 III. Cloud Computing 105 A. Technological Complications to Search & Seizures 105 B. Jurisdictional Complications to Search & Seizures 106 Conclusion 108 Introduction Information security issues are global in nature. However, while cybercrime is transnational, the means of investigating and prosecuting crimes is territorially defined, and often defined quite locally at that. In addition to tools and training, investigators require appropriate investigative powers and procedural instruments in order to identify offenders and collect evidence. While these measures may not necessarily be cyber- specific, the possibility of offenders acting remotely from the locus of the victim means that cybercrime investigations are very frequently conducted differently from traditional ones. In looking at the procedural issues1 surrounding the search and seizure of in cyberspace, this section considers how to (I) adapt traditional search and seizure techniques to the digital world, (II) the role that third parties play in evidence collection and (III) the implications of technological developments, notably that of cloud computing, for evidence collection and in creating jurisdictional conflicts. Page 95  |  Chapter 2  |  § C. Procedural Issues Table of Contents I. Adapting Search & Seizure to the Digital World In cybercrime, just as in traditional crimes, crucial incriminating evidence is often found during search and seizure operations. Existing search and seizure procedures can be (A) adapted to cybercrime searches and seizures, but must also be (B) limited according to the principles of relevance and effectiveness, which (C) states have done in varying ways. However, while technological developments have made more work for investigators, (D) advanced forensic tools can be used as means of identifying relevant e-evidence. A. The Challenges of Adapting Existing Procedures “The devil”, it is said, “is in the detail”. While reaching consensus on issues of substantive law is a complicated matter, difficulties multiply when discussions turn to procedural law: while the purpose of substantive law is to define the extent of rights and duties, the purpose of procedural law is to regulate the proceedings providing access to those substantive rights and responsibilities. Thus, although there may be agreement on the underlying right, defining how that right is accessed, and what precludes it, requires a greater degree of accord.2 Moreover, the ever-evolving nature of cybercrime requires that procedural law, just as with substantive law, keep pace with new abuses and new technologies.3 The challenge is setting regulation that permits rapid transactions around the world but which relies upon local legal and investigative instruments. Moreover, the swift pace of technological development and the difficulties this poses for designing, updating and disseminating effective technical security measures complicate procedural matters in a way that is not necessarily problematic for substantive law. As discussed further on, arrangements at the international level might overcome many of these procedural barriers where a formal consensus or an informal working arraignment can be found (see sections 3 A and 3 B, below). In the short-to-medium term, cybercrime countermeasures will need to build upon, or at least take into account, existing national and regional efforts to combat cybercrime and terrorism.4 B. Delimiting Searching & Seizing e-Evidence Search and seizure procedures play a critical role in securing evidence necessary to proving culpability. An active mode of investigation, search and seizure involves discovering evidence, identifying suspects, apprehending offenders and interviewing witnesses. Investigating cybercrime requires different techniques, not only because of the cross-jurisdictional nature of cybercrime (see section 1 B, above),5 but also due to the very nature of cyberspace and of e-evidence (see section 2 D, below).6 Page 96  |  Chapter 2  |  § C. Procedural Issues Table of Contents The traditional search-and-seizure approach focuses on collecting and cataloging physical material. Due to rapid developments in cyberspace, however, most evidence, though stored on physical devices, exists only in a digital format. Legal authority and good practices for executing search and seizure warrants varies considerably between jurisdictions and criminal justice systems, especially with regard to rules governing handling e-evidence.7 As such, it is incumbent upon investigators to consider the appropriateness of previewing and forensically acquiring data at the scene and whether the circumstances may justify physically seizing equipment for further analysis in a laboratory.8 Retrieving such information requires augmented investigatory approaches, as well as different evidence-handling techniques.9 The first major procedural issue in pursuing cybercrimes is legislative: procedural law must be changed or adapted to authorize investigators to search and seize computer information, and not only tangible evidence.10 This process presents its own complications. For example, while the United States first drafted procedural laws for authorities to access electronic communications in 1986, law makers at the time only had the telephone in mind, and, accordingly, drafted a limited law specifying that it applied to telephone-related crimes.11 The law soon became outdated and had to be amended to include other existing and anticipated forms of electronic communication; however, that process of revision caused delay and hindrances, and was only done following the terrorist attacks of 11 September 2001.12 Computer information, or data,13 is information that is either stored in a storage device, or which is in transit across virtual networks (see section 2 A, above). First responders investigating cybercrime frequently seize all relevant devices.14 However, as the storage capacity of ICT devices has grown—and continues to grow—exponentially,15 and as the nature of digital documents continues to diversify, much of the information stored on any given device is ordinary business material or private information lacking any investigatory relevance. This trend16 is exacerbated by increasing device capacities17 and the falling costs of digital as opposed to physical storage.18 The principles of relevance and effectiveness are of great importance for the admissibility of e-evidence.19 Indiscriminate or arbitrary search and seizure techniques risk being excessively intrusive. Since the data is not the device itself, and since much of the information on the device is not relevant to the investigation, the device itself should not be seized unless the warrant describes, with particularity, that such is what agents should search for and seize.20 Otherwise, computer hardware should only be seized if it itself is contraband, evidence, fruit or an instrumentality of crime.21 If, by contrast, the probable cause relates only to information, then the warrant should describe the information to be seized, and then request the authority to seize the information in whatever form it may be stored (electronic or otherwise).22 Agents seizing hardware should explain clearly in the supporting affidavit that they intend to search the computer for evidence and/or contraband after seizure and removal from the site of the search.23 Indeed, indiscriminately seizing devices would be the equivalent of entering an investigation scene and seizing everything without any consideration of what was being seized. By contrast, even if the warrant does not describe hardware itself, identification of a device’s IP address and separate email address linked to same physical location, for instance, may be sufficient to justify hardware seizure.24 Page 97  |  Chapter 2  |  § C. Procedural Issues Table of Contents Case 2.9: Korean Teachers & Education Workers’ Union (2009Mo1190) (Korea)25 Korean investigators executed a warrant of search and seizure upon the headquarters of the Korean Teachers & Education Workers’ Union, removing ICT devices containing huge amounts of digital information back to their police offices, where they made copies of the files for subsequent search and analysis. The Court held that the action was allowed, as the quantity of data—over 8,000 files—to exceptional circumstances justifying such removal, even though there was no explicit ground under the warrant for doing so, and as investigators made an effort to “to limit the scope of their investigation to those parts bearing relevance to the charged crimes by copying only those files which had been accessed after a retroactively determined point of time”, with the parties implicitly agreeing on the appropriateness of such measures.26 The Court held that, “[i]n principle, a warrant of search and seizure for digital information must be executed by collecting only parts related to the suspected facts for which the warrant has been issued[….] In cases where circumstances on the site where the warrant is to be executed make it impossible or remarkably difficult to carry out the warrant in this manner, exceptions can be made to allow the storage media itself to be carried off- site […] when the warrant expressly grants for search and seizure to be performed in this manner and when such circumstances exist.”27 The Court continued that the subsequent searching and analyzing of digital information must be “must also be seen as a part of executing the warrant”.28 Moreover, where investigators seize ICT devices containing private information extending beyond information pertaining to the suspected facts, the parties “are continuously guaranteed the right of participation in the process” and not only must “no viewing or copying of the storage media is performed without [their] involvement”, but investigators must assure that “proper measures are taken to prevent files or documents from arbitrary copying or from distortion, misuse or abuse of the digital information”.29 In effect, the ballooning of an individual’s digital footprints may mean that the data—not the devices—should be screened and searched. While there may be certain circumstances where the device itself may be seized—for instance, in order to restore deleted data, to recover encrypted data, or to conduct detailed analyses—, in principle, the relevant data should be extracted from the storage device, and the device itself left on site. Many field tools are currently available to assist on-site data extraction.30 As discussed further on, tools alone are insufficient: on-site data extraction requires sophisticated technical competency and training. Without such capacity, first responders may find themselves faced with the impossible decision of either seizing the suspect hardware and risking exceeding the scope of the search warrant, therein both infringing fundamental rights and risking “tainting” the seized evidence, or leaving the hardware and risking letting evidence Page 98  |  Chapter 2  |  § C. Procedural Issues Table of Contents be lost or destroyed. Prior to commencing a search, investigators should ensure that they abide by applicable laws or risk having seized exhibits declared inadmissible at trial.31 Identifying and selecting relevant hardware has become a major part of an investigation.32 Indeed, while the proverbial “smoking gun” might be found in a subsequent review of seized information, that information may be excluded as illegally obtained evidence.33 In the context of electronic information, illegally obtained information is usually information that was obtained by seizing more than what was specified in the warrant—for instance, if the warrant specifies data and the device was (also) seized. Thus, while investigators may rely on a subsequent review of the collected evidence, the threat of exclusion of that information as evidence operates as a check on investigatory abuse.34 C. Examples of Good Practice A considerable number of countries have prescribed—through legislation, regulation or court decisions—the scope of searches of digital information. In the United States, the courts have crafted procedures that differentiate between searching device and data, and which require explicitness in the warrant, and that the default is a two-stage search process. The US Federal Rules of Criminal Procedure—drafted, issued and approved by the federal judiciary35—note the nuance between device and data stored on that device, stipulating that a warrant must say whether it is authorizing “the seizure of electronic storage media or the seizure or copying of electronically stored information”.36 The Rule continues by saying that, “[u]nless otherwise specified, the warrant authorizes a later review of the media or information consistent with the warrant” and that “[t]he time for executing the warrant […] refers to the seizure or on-site copying of the media or information, and not to any later off-site copying or review”.37 The notes to the Rules prepared by the Advisory Committee make it clear that, unless the warrant explicitly specifies otherwise, the initial search done at the time of seizure need not be more than cursory, with evidentiary reliance being placed on the subsequent review of the seized or copied materials. That position has been reiterated and followed by the courts: “Computers and other electronic storage media commonly contain such large amounts of information that it is often impractical for law enforcement to review all of the information during execution of the warrant at the search location. This rule acknowledges the need for a two-step process: officers may seize or copy the entire stage medium and review it later to determine what electronically stored information falls within the scope of the warrant.”38 Page 99  |  Chapter 2  |  § C. Procedural Issues Table of Contents The Supreme Court of the Republic of Korea has taken a similar position to that of the United States, stating that: “In principle, illegally obtained evidence is not admissible and accordingly, such evidence cannot be used as an evidence to prove guilt of the criminal defendant.” The Court went on to say: “In order to render a final determination of admissibility of illegally obtained seized item, comprehensive consideration should be given to the issue of whether or not violation made by investigative agencies impedes substantial contents of due process by taking into account following factors including 1) the substances and degrees of investigative agency’s violations, 2) the intention of investigative agency, 3) natures and the extent of the infringement of rights or legal interests protected by procedure rules, and so on.” Case 2.10: Customs Evasions Case (Korea)39 Korean law enforcement agents searched the offices of Company A on suspicion of tariff evasion by lowering unit cost for importation, seizing documents and electronic data. In the process for the search and seizure, documents and electronic data pertaining to Company B—not specified in the warrant—were also seized. On the basis of the seized information, Company B was subsequently charged after it was confirmed that Company B had evaded tariffs in the same manner as Company A based. The Supreme Court of Korea subsequently excluded the evidence on the basis that, first, the evidence was not collected in accordance with the procedures as set forth in the Constitution and Criminal Procedure Act, and, second, the secondary evidence failed to follow legal procedures for the protection of fundamental human rights: in principle, the Court ruled, secondary evidence cannot be admitted as evidence to prove guilt. The Court provided that “[d]ocuments and electronic data relating to Company B which were seized, along with seizure of those pertaining to Company A, were neither the object to be seized as stipulated by a search and seizure warrant nor related to the facts of suspicion.” The Court further censured the investigators lack of discrimination between data and device, noting that “[a]fter moving the storage device itself into the office of the investigative agency, and then investigating the electronic information related to facts of suspicion, either the process of printing the concerned electronic information into documents or the process of Page 100  |  Chapter 2  |  § C. Procedural Issues Table of Contents copying the files included in the execution of a search and seizure warrant. In this case, the object of the document-printing process or file-copying process should be confined to the part related to facts of suspicion as specified in the warrant.” By contrast, some countries have cited the successful extension of general search and seizures powers. South African representatives, for example, reported favorably on the nation’s Criminal Procedure Act, which, though not specifically making provision for the seizure of e-evidence, allowed authorities to seize “anything”.40 Other countries also reported that it was good practice for investigative powers relating to computers and other devices to “extend to all crimes and not just traditional computer crimes”, and that relevant procedural laws should be both “comprehensive” and “precise”.41 While such general extensions of power may be warranted and possibly even advisable, it bears noting that judicial oversight to disallow evidence obtained as a result of overly- broad search under more general principles should still be assured and authorized. D. Techniques for Identifying Relevant e-Evidence An analysis of available hardware components can, for example, prove that the suspect’s computer was capable of carrying out a DDoS attack or is equipped with a chip that prevents manipulations of the operating system. Hardware analysis can also be necessary in the process of identifying a suspect. However, hardware analysis does not always mean focusing on physical components attached to a computer system. Most operating systems keep logs of hardware that was attached to a computer system during an operation.42 Based on the entries in log files such as the Windows Registry, forensic examiners can even identify hardware that was used in the past but was not present during the search and seizure procedure. In addition to hardware analysis, software analysis is a regular task in cybercrime investigations. Software tools can be installed to match the functioning of computer systems to the demand of the user. Forensic experts can analyze the functioning of software tools in order to prove that a suspect was capable of committing a specific crime. An inventory of software tools installed on the suspect’s computer can also help to design further investigation strategies. If, for example, the investigators find encryption software or tools used to delete files securely, they can specifically search for encrypted or deleted evidence.43 Investigators can also determine the functions of computer viruses or other forms of malicious software and reconstruct software-operation processes.44 In some cases, where illegal content has been found on suspects’ computers, the suspects have claimed that they did not download the files but that it must have been done by computer virus. In such cases, forensic investigations can try to identify malicious software installed on the computer system and determine its functions. Similar investigations can be carried out if a computer system could have been infected and turned into part of a botnet.45 Page 101  |  Chapter 2  |  § C. Procedural Issues Table of Contents Software analysis can also be important to determine if software is produced solely for committing crimes or can be used for legitimate as well as illegal purposes (dual use). This differentiation can be relevant, insofar as some countries limit criminalization of the production of illegal devices to those that are either solely or primarily designed to commit crimes. Data-related investigations are not confined to the software function, but also include analysis of non-executable files such as pdf-documents or video files. File analysis also includes the examination of digital documents that might have been forged46 as well as metadata investigation.47 Such analysis can determine the time48 the document was last opened or modified.49 Furthermore, metadata analysis can be used to identify the author of a file containing a threatening message, or the serial number of the camera that was used to produce a child-pornography image. Authors can also be identified based on linguistic analysis, which can assist in determining if the suspect has written articles before and left information that can help identification in this context.50 As investigators must focus on relevant evidence in order to prevent inadmissibility, special attention must be given to identifying relevant evidence,51 meaning that forensic experts play an important role in the design of investigation strategies and the selection of relevant evidence. They can, for example, determine the location of relevant evidence on large storage systems. This enables investigators to limit the scope of the investigation to those parts of the computer infrastructure that are relevant for the investigation and avoid inappropriate and large-scale seizure of computer hardware.52 This selection process is relevant as various types of storage devices are available that can make identification of the storage location of relevant evidence challenging.53 This is especially valid if the suspect is not storing information locally but uses means of remote storage. Forensic analysis can then be used to determine if remote-storage services were used.54 Identification of relevant digital information is not confined to files themselves. Databases of software tools that are made available by operating systems to quickly identify files might contain relevant information too. Another example of evidence identification is the involvement of forensic experts in determining the right procedural instruments. A number of countries enable law- enforcement agencies to carry out two types of real-time observations—the collection of traffic data in real time, and the interception of content data in real time. In general, the interception of content data is more intrusive than the collection of traffic data. Forensic experts can determine whether the collection of traffic data is sufficient to prove the committing of a crime, and thereby help investigators to strike the right balance between the need to collect effective evidence and the obligation to protect the rights of the suspect by choosing the least intensive instrument out of the group of equally effect options. Both examples show that the role of forensic investigators is not restricted to the technical aspects of an investigation, but includes a responsibility for protecting the suspect’s fundamental rights and thereby avoiding inadmissibility of the evidence collected. II. Collecting Evidence with the Assistance of Third Parties Page 102  |  Chapter 2  |  § C. Procedural Issues Table of Contents To obtain cybercrime evidence, collaborating with third parties, such as ISPs,55 is vital, as considerable amounts of evidence of cybercriminal activity are stored in information systems managed by third parties. In order to prevent law enforcement from overstepping its powers in such data acquisition, it is important to clearly define what type of information might be acquired, as well as the procedures for requesting and, if necessary, compelling third parties to release that information. Various factors—including where the ISPs are located (both their servers and other hardware), available legal mechanisms and terms and conditions of user agreement—will determine the tone of the third-party cooperation.56 As significant human rights considerations surround such activities, especially around the freedom of communication, it is incumbent upon both law makers and authorities to implement laws and regulations appropriately balancing government power with individual rights. These matters are discussed in greater depth below (see section 4 A, and 4 B below). It is important to realize that not all data is the same, and, as such, that there may be varying degrees of potential privacy considerations, for example. It is also important to distinguish between areas where voluntary cooperation may be appropriate as opposed to situations where third parties are compelled to cooperate with law enforcement. Both are discussed below. Three different classes of stored communication should be differentiated: 1  Subscriber information; Communication records or logs; and 2   3  Communication content. Subscriber information is relatively basic, pertaining to identifying information such as the subscriber’s name, contact and payment details. Such information is typically needed by investigative authorities in order to make requests to obtain warrants and other public requests. Attaining subscriber information—the first type of data—typically implicates fewer privacy concerns than does seeking access to the content of communications, and, as such, this information is generally subject to fewer safeguards and limitations. To facilitate investigations while also protecting individual privacy, laws should further distinguish between basic customer information and information detailing account activity. The second class of data, communication records or logs, are more detailed, and includes IP address(es) of device(s) used by person(s) under investigation, time of transmitting and receiving electric communications, data volume, communication ports, protocol information and the like. As acquiring this information is a significantly greater infringement of privacy, the law should clearly define and delineate both the scope of communication records that might be acquired and the procedures for doing so. Typically, court orders are issued on the basis of “reasonable grounds” showing that the communication record is relevant to the investigation in progress. Moreover, these laws frequently require that, upon completion of the investigation or the prosecution, the investigative agency notify the investigated party of the data acquisition. That said, in some Page 103  |  Chapter 2  |  § C. Procedural Issues Table of Contents countries, notification must be made prior to data acquisition if the communication record is collected through a court order rather than through a search and seizure warrant. As communication content, the final type of third-party stored communication, is the most sensitive form of communications, a search and seizure warrant is invariably required, meaning that the request must make a showing that the desired information is necessary to clarify the “probable cause” relating the object of the search and crime. Here, the procedural law should consider whether all categories of stored content deserve the same kinds of protection. For example, there is a lower expectation of privacy for information in cloud storage as opposed to the contents of an email. Therefore, a full search warrant may be appropriate for emails, whereas only a grand jury subpoena or a court order may be appropriate for cloud-stored information. Cooperation with the private sector, discussed further on, is an essential element to combatting cybercrime (see section 6 C, below). With respect to the present discussion, it bears noting that ISPs, in particular, potentially play an especially important role in many cybercrime investigation as, in many cases they have the technical capability to detect and prevent crimes to support law- enforcement agencies. That assistance is especially relevant in connection with identifying suspects. Obligations discussed range from the mandatory implementation of prevention technology to voluntary support of investigations.57 Cooperation between law-enforcement agencies and ISPs requires the application of certain procedures.58 One example is the forensic tool CIPAV (Computer and Internet Protocol Address Verifier), which was used in the United States to identify a suspect who had been using anonymous communication services.59 Another example of cooperation between ISPs and investigators is email investigation. Emails have become a very popular means of communication.60 To avoid identification, offenders sometimes use free email addresses which they were able to register using fake personal information. However, even in this case, examination of header information61 and log-files of the email provider will in some instances enable identification of the suspect. The need to cooperate and communicate with providers is not limited to ISPs. Since some crimes such as phishing62 and the commercial distribution of child pornography include financial transactions, one strategy to identify the offender is to obtain data from financial institutions involved in the transactions.63 In Germany, for example, investigators worked with credit-card companies to analyze and identify customers who had purchased child pornography on a specific website.64 Such investigations are more challenging when anonymous payment methods are used,65 such as bitcoin.66 Law enforcement often require third-parties to provide communications in real-time. Such is particularly true where there are indications of imminent perpetration or harm, especially in cases of terrorism, and where real-time collection may offer critical evidence. Furthermore, some information can only be captured in real-time as it is never stored (instead existing only in the “cloud”). The communication record (the second class of information) can be had in real-time by monitoring current IP addresses of transmitters and receivers, thereby helping to geolocate suspects. Such Page 104  |  Chapter 2  |  § C. Procedural Issues Table of Contents information might also be helpful in figuring out party relationships in crimes in progress. More dramatically, real-time communication content (the third class of information) can be intercepted with the assistance of third parties. Because of the sensitive nature of both the information, and the manner in which it is being acquired, the law should specify not only the appropriate requirements and procedures for such requests by law enforcement, but also which offenses are subject to interception. Typically, a court’s approval is required, with the requirements for an interception warrant being stricter than those for a seizure warrant. Due to the sensitivity of such requests, numerous cases where it is impossible to secure communications data, even where there are legitimate reasons, exist.67 Lastly, law enforcement may also require the assistance of third parties in preserving data. Information stored by service providers can easily disappear: intentional deletion by subscribers, withdrawal of services by subscribers or automatic deletion policy of service providers are but a few of the ways in which this information can disappear. In order to prevent such evidence loss, measures for preserving data after detecting a link between the data and crimes must be put in place. Data preservation is based on the initiation of a compulsory procedure, therein allowing investigators to obtain the desired data. III. Cloud Computing Cloud computing is the use of a network of remote servers hosted on the internet rather than a local server or a personal computer to store, manage and process data. Evolving cyberspace technologies—especially cloud computing—result in both (A) technological complications to search and seizures, as well as more serious (B) jurisdictional complications. A. Technological Complications to Search & Seizures Due to the flexibility that cloud computing offers users to rent data storage, software and network broadband for services ranging from web-mail to data storage, the practice has become increasingly common. Cloud computing is yet another example of how ever-changing cyberspace capabilities and usages require the legal framework to change and adapt—in this case moving away from the traditional, and now no longer relevant, concept “of the place to be seized”. In cloud computing environments, data subject to search and seizure can be expanded to include information stored in a remote location by a cloud computing service provider. Cloud computing also allows for so-called “virtualization” technology. Virtualization creates virtual computing resources by combining various resources of computers physically existing in different physical locations. Using this technique, data stored by cloud-computing users appears to be stored in a virtualized storage device. Page 105  |  Chapter 2  |  § C. Procedural Issues Table of Contents Distributed databases, by which data is copied, maintained and distributed across servers in various locations, therein offering greater safety and security, complicate localization of data. Through the use of a centralized distributed database management system (DDBMS), the data is synchronized and integrated logically, allowing the user to manage it as if it were all stored in the same location. Distributed databases can be either homogenous or heterogeneous. In a homogenous system, all of the physical locations have the same underlying hardware and run the same operating systems and database applications, while in a heterogeneous system, the hardware, operating systems or database applications may vary at each of the locations. Together with the use of a technique known as “sharding”—a type of database partitioning by which large databases are separated into smaller, more manageable parts called data shards—, accessing comprehensible information can be quite challenging, both for law enforcement and for hackers. Mutual legal assistance treaties (MLATs) facilitate extra-jurisdictional requests for data (see section 3 A, below), and can be particularly useful in these circumstances.68 Where a service provider utilizes a foreign cloud data center (e.g., Amazon Web Services), the data frequently resides in a country other than where the service provider is registered. Notwithstanding the fact that data might be fragmented and stored in several servers, and identical copies may co-exist simultaneously in different places, it is often possible to retrieve that data intact by relying on service providers’ control of the cloud service mechanism. As such, in a spin on traditional understanding, the user’s account together with the name and the headquarter address of the cloud service provider is designated as the “place” subjected to search and seizure rather than a physical location. The US DoJ has provided examples of how a search and seizure warrant against an email account might be prepared.69 Consequently, the execution of a search and seizure warrant in cloud computing environments depends on service providers that control the locations and methods for data storage. The execution of a search and seizure warrant in cloud computing environments is conducted by when law enforcement present the warrant to service providers. Execution of a search and seizure warrant in cloud computing environments can be compared to general forms of search and seizure that require direct participation of investigative authorities. An account in the cloud subjected to search and seizure may be designated differently depending on the internet source used by the offenders: for instance, if webmail is used, the mail account is designated as the one to be seized; when a web drive is used, the URL address is designated for seizure; if web hosting servers are being used, then those IP addresses are selected for seizure. B. Jurisdictional Complications to Search & Seizures While developing technology complicates procedural aspects of search and seizure, more fundamental issues arise over jurisdictional conflicts. Although the question of jurisdiction is discussed in greater depth hereafter (see section 2 E, below), it bears raising the topics here specifically with regard to procedural matters. Cloud computing has particularly complicated Page 106  |  Chapter 2  |  § C. Procedural Issues Table of Contents matters from a jurisdictional standpoint, as many cloud service providers have centers around the world; as a result, jurisdictional disputes between the country where cloud service providers are registered and those where data is stored is growing. Moreover, as discussed, data is frequently fragmented, with parts and pieces not only in various places but in various countries. Once these logistical, storage issues are coupled with issues of data privacy (see section 5 B, below), these jurisdictional conflicts can cause intense disputes. Case 2.11: Microsoft Corp. v. United States (“Microsoft Ireland”) (USA)70 In connection with the provision of its email and cloud-based services, Microsoft required its subscribers to provide certain location information when requesting email and other services. That information was stored in data centers proximate to the location identified by the subscriber. Much of the metadata related to such subscribers (with the exception of certain communication content data) was stored in the United States. In December 2013, the US District Court for the Southern District of New York issued a search warrant on Microsoft authorizing US law enforcement authorities investigating drug trafficking operations to obtain communication data of users that had their data stored in datacenters outside the United States. Microsoft entered a motion to quash the warrant, claiming that the communication content of the concerned email accounts was stored in a data center located in Ireland, arguing that such communication content is beyond the scope of the warrant. On 25 April 2014, the US Magistrate Judge issued an order denying Microsoft’s motion to vacate the warrant, holding that “an ISP located in the United States would be obligated to respond to a warrant issued pursuant to Section 2703(a) [of the US Stored Communications Act (SCA)71] by producing information within its control, regardless of where that information was stored.”72 On 31 July 2014, the US District Court for the Southern District of New York affirmed the Magistrate’s Order.73 Microsoft appealed to the US Court of Appeals for the Second Circuit. The case quickly became a hotly contested one. Private sector entities (including AT&T, Apple and Cisco) raised concerns that the warrant would have to their business environments in amicus curiae briefs; and digital rights groups said it would have been an unwarranted intrusion. On 14 July 2016, a three judge appellate panel ruled in favor of Microsoft, concluding that Congress did not intend that a warrant issued under the SCA to have any extra-territorial effect. The Government has petitioned for a rehearing en banc. Page 107  |  Chapter 2  |  § C. Procedural Issues Table of Contents Conclusion Traditional search and seizure procedures focus on the collection of physical evidence. However, e-evidence has different properties, requiring different search and seizure approaches, which must be dictated by the legal framework. Careful attention must be paid to creating procedures that accommodate the difference between digital information and digital storage devices, and which respect fundamental rights, notably the right to privacy, by limiting the scope of the search and seizure, as prescribed by the warrant. In many jurisdictions, judicial bodies have been attentive to excluding information as evidence of guilt where it has been illegally gathered as beyond the scope of the warrant. Third parties are often essential to the collection of evidence. In order to collect communication data managed by third party (e.g., subscriber information, communication records, communication content), and to do so in real-time, appropriate procedures need to be implemented directing those parties to offer technical and administrative support to law enforcement. Moreover, ISPs not only store subscribers’ data but also have their own technologies and metadata that are of value to law enforcement. Procedures obliging ISPs to cooperate with law enforcement should be based on (1) the classification of requests for data preservation; (2) the acquisition of the stored communication data; and (3) the real-time collection of communication data. Provisions guaranteeing ISPs exemptions from both civil and criminal liabilities that could arise out of third parties’ provision of data should accompany such procedures. Procedures obliging ISPs to cooperate must also strike an appropriate balance between respecting fundamental rights and accounting for cyberspace’s rapidly evolving nature. Rapid technological advancements, notably cloud computing, make create an ever-evolving technological morass through which law enforcement must seek to navigate. The development of cloud computing requires also a legal development with respect to the procedures for search and seizure. Moreover, even once technological obstructions have been surmounted, jurisdictional ones often persist given the disparate physical that support the existence of cyberspace; such issues require an ever-greater push to create a shared, international consensus, if not a single vision. As discussed further on (see section 5, below), it is important to establish corresponding procedural safeguards to protect personal data and privacy rights, as well as to the define limits of procedural powers utilized to investigate cybercrime and to gather e-evidence. Page 108  |  Chapter 2  |  § C. Procedural Issues Table of Contents CHAPTER 2 D. Evidentiary Issues Table of Contents Introduction 109 I. Computer Forensics 110 A. The Nature of e-Evidence 110 B. The Law of Evidence 111 C. Computer Forensics 111 1. Investigating Cybercrime 111 2. Identifying, Collecting & Preserving Evidence 112 II. Assuring Authenticity, Integrity & Reliability 113 A. Good Practices for Handling Digital Evidence 113 1. Forensic Expert Training Program 114 2. e-Evidence Management System & Copying Techniques 114 B. Examples of Good Practices 115 1. The KSPO’s Forensic Expert Training Program 116 2. Centralized e-Evidence Management System 116 III. Prosecution and Presentation 116 IV. The “Hearsay” Rule in Cybercrime 117 A. The “Hearsay” Rule 117 B. Korea’s Treatment of the Hearsay Rule 118 C. Exceptions to the Hearsay Rule 118 Conclusion 119 Introduction Due to the legal tenet of the presumption of innocence—ei incumbit probatio qui dicit, non qui negat1—, the burden of proof lays with the prosecuting authorities.2 That burden is met by proffering sufficient evidence to meet the requisite standard of proof (e.g., beyond reasonable doubt; clear and convincing evidence; preponderance of the evidence). Cybercrime being governed by criminal law, the standard of proof is higher than in either administrative or civil proceedings. Regardless of the type of case, or of the nature of the allegation in question, the case will be decided by the trier of fact based as much upon the authenticity, integrity and the reliability of the evidence as on its quality. Digital or e-evidence presents interesting Page 109  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents challenges. This section (I) explores how best to assure the authenticity, integrity and reliability of e-evidence, before turning to (II) understanding the “hearsay” rule as it applies to e-evidence. I. Computer Forensics Computer forensics is not only necessary to establishing the appropriate proceedings by which cybercrimes are investigated (see section 2 C, above), but also necessary to the collection of e-evidence. To enter into such a discussion, it is important to consider (A) the nature of e-evidence and (B) the nature of the corpus of law of evidence. On the basis of that understanding, (C) the role of computer forensics can be discussed. A. The Nature of e-Evidence As with so much in cyberspace and cybercrime, there is no single definition of a term “digital” or “electronic” evidence (“e-evidence”). For purposes of the Toolkit, the term will be used to refer to “information stored or transmitted in binary form that may be relied in court”.3 E-evidence is used as a proof of crime in the same way as physical evidence. Indeed, beyond “pure” cybercrimes, the development of cyber services and the widespread supply of ICT devices have led to increased use of e-evidence in prosecuting traditional, physical-world crimes. Digital information is electronic by definition and by nature, and therefore has a “virtual” and “imaged” existence. As such, and unlike physical evidence, digital information is not “fixed” to a single device, meaning that it can be easily copied and reproduced onto another device without any alteration or loss of information. However, as courts have generally required original evidence when considering physical evidence, and only relatively rarely allow copies to be presented as evidence, the ease and completeness with which digital data might be reproduced and transposed has led to discussions about whether copies might, in fact, be presented as identical to the “original” copy. By and large, it is impractical to present anything other than the copy of the original e-evidence; indeed, as already discussed,4 sometimes taking a copy of the original digital data is the only way that investigators can examine the often-vast array of information confronting them. As e-evidence is effectively an electronic image constructed out of code, it is much more susceptible to alternation than most physical evidence. Both intentional and unintended alterations might occur if vigilance is not assured. As this vulnerability might lead to claims of unreliability, it is especially critical that investigators assure and preserve the authenticity, integrity and reliability of the original copy of e-evidence throughout the chain of custody, from collection, through analysis and to submission to the court. Page 110  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents B. The Law of Evidence The law of evidence, a procedural body of law, governs how various forms of proof of misdoing are presented and evaluated, typically for presentation at trial.5 It consists of rules and procedures governing the proof of a particular set of facts in issue.6 Matters of evidence are concerned with presenting evidence supporting both the occurrence of events, and the implicated actors thereto. For the purpose of legal proceedings, the concept of electronic evidence may have specific recognition, or it may be admitted as analog evidence, such as in the form of a document, with the meaning of what constitutes a document invariably extending to anything recorded in any form, which must be right.7 From a legal perspective, electronic evidence needs to be: 1   Admissible, meaning that it conforms to legal rules; 2   Authentic, meaning that the evidence can be shown to be what the proponent claims it is; 3   Complete, meaning that it tells the whole story and not just a particular perspective; 4   Reliable, meaning that there is nothing about how the evidence was collected and handled that casts doubt about its authenticity and veracity; and 5  C  redible, meaning that it is believable and understandable by a court.8 From a legal perspective, e-evidence can be defined not only on the basis of what it is—that is, as the legal object constituted by data expressed in electronic format, as defined above—, but also as a construct—that is, the representation of facts or acts legally relevant to the matter and conducted by electronic means. Regardless of which aspect is considered, technical and legal analysis is required in order to show how the evidence was obtained, as well as how to interpret it and show how it pertains to the criminal matter. C. Computer Forensics Computer forensics plays an essential role in both (1) investigating cybercrime and (2) identifying, collecting and preserving evidence. 1. Investigating Cybercrime Investigating a cybercrime may involve invasive surveillance, as followed up by search and seizure.9 Prior to any search and seizure, however, investigations typically begin by proving that the suspect had the ability to commit the crime. Although surveillance of suspects can reveal a great deal— for instance, establishing the requisite know-how, or observing unusually heavy volumes of data traffic to a computer that incriminates the alleged perpetrator10—, those initial suspicions and circumstantial evidence must be corroborated. Page 111  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents Regardless of the crime, traces of the perpetrator and how the crime was committed are left behind.11 Forensics is the use of scientific tests or techniques in connection with the detection of crime.12 Computer forensics refers to the systematic collection of data and analysis of computer technology and information with the purpose of searching for e-evidence.13 Generally utilized after the commission of the crime,14 computer forensics is a major part of cybercrime investigation. Indeed, its centrality to the investigation’s success emphasizes the need for training and capacity- building in this area, as well as the sharing of resources and of information.15 While forensic techniques in traditional crimes typically rely upon physical evidence—DNA, splatter patterns, chemical analysis16—computer forensic techniques rely upon a variety of digital sources—emails, connection logs, various metadata17—; each present their own unique challenges.18 Computer evidence comes in a variety of forms and can be found in a variety of places. Regardless of the location of that evidence—be it on a perpetrator’s hard drive, in the records of a third party provider (such as an ISP) or in fragments scattered around the world (such as in cloud computing)—, procedures are required for gaining access. As already discussed, traditional search and seizure procedures already in existence must be adapted to make the accommodate the novelties of cybercrime investigations (see section 2 C, above). Following search and seizure, forensic experts are required to examine not only hardware and software but also the various and sundry metadata.19 2. Identifying, Collecting & Preserving Evidence Collecting digital or e-evidence requires diverse and complex technical skills. For instance, techniques for accessing and retrieving evidence stored on hard drives differ drastically from those required to intercept data being transmitted.20 Moreover, time is often of the essence, both due to the fragility of the evidence, and given the immediacy of actions taken in cyberspace, often requiring quick decision-making off of investigators. For instance, a common question is whether investigators should shut down a running computer system. There are reasons for going in either direction: for instance, shutting down the system might be necessary in order to prevent alteration of digital information and thereby preserve the integrity of relevant e-evidence.21 That said, “pulling the plug” may actually result in the loss of other evidence, such as temporary files that require programs, applications or internet connections to be maintained and kept running or operating. However, power disruption can activate encryption,22 thereby hindering access to stored data,23 and, if the appropriate security is put in place, possibly even resulting in the destruction of digital information. Additionally, even after the decision has been reached, the appropriate investigative procedures must be followed. First responders, who undertake the first steps to collect e-evidence, bear a significant responsibility for the entire investigation process, as any wrong decision can have a major impact on the ability to preserve relevant evidence.24 If they make wrong decisions on preservation, important traces may be lost. Forensic experts need to ensure that all relevant evidence is identified.25 Doing as much is often difficult, with various tricks employed by offenders, such as hiding files in separate storage device or scattered across the cloud in order to prevent law enforcement from finding and analyzing Page 112  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents their contents. Forensic investigators are essential to identifying hidden files and to making them accessible.26 Forensic investigators are similarly needed for recovering deleted or destroyed digital information.27 Files that are deleted by simply placing them in a virtual trash bin—even if “emptied”—do not necessarily render them unavailable to law enforcement, as they may be recovered using special forensic software tools.28 However, if offenders are using tools to ensure that files are securely deleted by overwriting the information, recovery is in general not possible.29 Encryption technology is another common means of hindering investigations.30 Such technology is not only increasingly common but increasingly effective.31 The situation is a delicate one, for while encryption technology prevents law-enforcement agencies from accessing and examining often-critical information,32 that very same technology is increasingly central to sustaining many of the things that societies around the world have come to consider as normal and necessary to daily life.33 Forensic experts can try to decrypt encrypted files.34 If this is not possible, they can support law- enforcement agencies in developing strategies to gain access to encrypted files, for example by using a key logger.35 Involvement in the collection of evidence includes the evaluation and implementation of new instruments. International cooperative efforts are particularly important in this regard.36 One example of a new approach is the debate on remote forensic tools.37 Remote forensic tools enable investigators to collect evidence remotely in real time38 or to remotely monitor a suspect’s activity39 without the suspect being aware of investigations on his system. Where such tools are available, they can, on a case-by-case basis, play a decisive role in determining the best strategy for collecting e-evidence. II. Assuring Authenticity, Integrity & Reliability Having considered the nature of e-evidence and of computer forensics, the authenticity, integrity and reliability of the e-evidence needs to be assured by looking at (A) good practices for handling e-evidence, and (B) specific instances of the application of those practices. A. Good Practices for Handling Digital Evidence Good practices for handling e-evidence begin with (1) the development of a thorough and uniform forensic expert training program who alone handle e-evidence and (2) the creation of a nation- wide, e-evidence management system, the integrity of which is assured through copying techniques (taught in the training program). Page 113  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents 1. Forensic Expert Training Program The two most important examples of good practices for handling e-evidence are developing training programs for investigators and experts on techniques for identifying, handling and analyzing e-evidence. As with physical evidence, the authenticity, integrity and reliability of e-evidence can best be assured by giving due attention to (1) the examiner’s expertise, (2) the reliability of tools and equipment and (3) the setting standardized procedures and guidelines: 1   First, law enforcement should assure a specialized training and certification process for digital forensic examiners, and restrict the handling of any e-evidence to such examiners. The approach might mirror that taken in the training of forensic scientists dealing with the physical evidence of a crime scene.40 The procedural expertise of the examiner serves as a basis for inferring that the evidence has been handled with care, thereby assuring the integrity of the process—namely, that damage is avoided, alteration or manipulation prevented, and the outcome of the analysis verified. While courts do not generally require any specific training, certification or years of experience, a certain level is necessary to assure expertise. Moreover, just as with other certifications, recertification or continuing training courses are advisable. 2   Second, the collection and analysis of e-evidence requires the use of a variety of tools and equipment. Using widely-recognized tools (e.g., software) and equipment41 helps to warrant evidentiary reliability, and facilitates reexamination of evidence by outside experts. In addition to using such tools and equipment, however, standards exist for testing these forensic tools and equipment. A number of institutions can inspect ICT forensic tools and equipment. For instance, the US National Institute of Standards and Technology (NIST) provides standard testing methods for computer forensic tools and equipment through its Computer Forensics Tool Testing (CFTT) program.42 Similar processes exist for the testing of other scientific equipment. 3   Third, and lastly, standardized procedures and guidelines should be prepared and shared with anyone who might have cause to handle e-evidence. Doing so creates a set, dependable methodology and approach, thereby helping protect against arbitrary handling of evidence. These rules should address handling of evidence at all stages of custody. 2. e-Evidence Management System & Copying Techniques One of the greatest challenges related to e-evidence is the fact that it is highly fragile and can rather easily be deleted43 or modified.44 One consequence of its fragility is the need to maintain its integrity.45 Case records are therefore required. In addition to training and qualifying experts in how to handle evidence, those experts should also be trained in the production of case records.46 There are substantial advantages to storing those records should in a central, online e-evidence Page 114  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents management system that is accessible to certain, qualified law enforcement from around the country, if not world. Such a facility could be particularly important for storing data acquired in incidences where the seizure of hardware is impossible, inadequate or inappropriate, and where investigators have been permitted to copy files. That said, in addition to being difficult to roll-out to users beyond the capital, central systems can create high-profile targets and may represent a security vulnerability. Additionally, special attention needs to be paid to not only protecting the integrity of copied files against any kind of alteration during the copy process,47 but also to the uploading process. In incidences where devices and their original files are not taken into custody, and copies are made of those files, careful attention must be paid to assuring protocols for copying and uploading data for storage and analysis. Methods called “imaging” and “hash-value generation” are used in demonstrating the authenticity of e-evidence. ƒƒ Imaging works in one of two ways, both of which rely upon the creation of a copied “image” of the e-evidence: either (1) by copying the digital data stored in an ICT device to create an image file using the bit-streaming method;48 or (2) by producing a logic image file after selecting the files that are to be seized. Imaging allows investigators to preserve the authenticity of the image files be analyzed, as the data included in the files is not subject to change during the subsequent analysis. ƒƒ Hash-value generation works on the same logic of replicating the evidence in order to have a duplicate version to compare, understand, and analyze. However, rather than taking a duplicate image of the data, this technique relies on a file’s so-called “hash value”: much like a person’s finger print or retinal image, the hash value is unique and inherent to each file. Therefore, reproducing the hash value reproduces the evidence. In a sort of cloning process, that hash value, which is derived from a hash algorithm, can be replicated along with the to-be analyzed file. As files that have the same hash value are regarded the same, the e-evidence is preserved by creating a copy. Imaging and hash-value generation are both generally included in the e-evidence collection toolkit and used for on-site evidence collection. With replicas of the data in hand, investigators are then able to establish authenticity by imaging the seized ICT device itself. Veracity can be ascertained on-the-spot: the selected files are logic-imaged, their hash values generated and then the values produced compared with the hash values of the original evidence. That on-site verification is later submitted to the court. B. Examples of Good Practices Working along the lines of the good practices discussed above, the Supreme Prosecutors’ Office of the Republic of Korea (KSPO) has established a (1) forensic expert training program and (2) centralized e-evidence management system. Page 115  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents 1. The KSPO’s Forensic Expert Training Program A number of law enforcement agencies offer training programs not only for their ICT forensic experts but for any who might have cause to interact with e-evidence. One such example is the six-month digital Forensic Expert Training Program offered by the KSPO. An esteemed and competitive process, the KSPO selects a few trainees from a pool of regular investigators. Trainees receive three months of basic digital forensic training and another three months of on-the-job training in actual digital forensic divisions. Investigators who complete this six-month program are certified as “digital forensic investigators” and are subsequently placed in digital forensic divisions to collect and analyze e-evidence. As discussed above, the KSPO’s program creates national uniformity and standardization of guidance, protocols and procedures, thereby helping to assure and convince the court of the authenticity, integrity and the reliability of e-evidence. The Rule on the Collection and Analysis of Evidence by Digital Forensic Investigator is the KSPO’s standard set of guidelines.49 The Rule not only lays out the qualifications for becoming a digital forensic investigator, but also regulates procedure for on-the-crime-scene prodecures, setting down protocols for who is in charge of collecting and analyzing e-evidence, as well as articulating e-evidence search-and-seizure procedures, and data registration and management procedures for working with the Evidence Management System. The establishment of not only general guidelines but also concrete protocols and procedures make the KSPO’s Rule an excellent example of good practices that go far towards protecting the authenticity, integrity and reliability of e-evidence. 2. Centralized e-Evidence Management System Just as physical evidence collected by law enforcement is stored in a secured repository (often referred to as an “evidence room”), so, too, ought e-evidence to be securely stored in a central management system. Moreover, as e-evidence can be uploaded from multiple terminals, and even from various ICT devices, and as the limitations inherent to analogous physical evidence do not apply, e-evidence might—and should—be stored in one single, online repository, rather than in several disparate “evidence rooms”. The KSPO does as much, operating D-Net, its centralized, online evidence management system. Investigators register evidence collected from search-and-seizure and the results of conducted analysis directly into D-Net’s central server. The system chronicles, registers and conserves the entire process. As such, D-Net preserves the entire chain of custody with respect to not only the e-evidence itself and its life cycle—collection, analysis, submission and disposal—but also work product. Crucially, it also allows for an established and secure means of timely data disposal. III. Prosecution and Presentation Page 116  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents The investigation comes to a close with the presentation of evidence in court.50 While presentation is customarily undertaken by prosecutors, forensic experts can play an important role in criminal proceedings as expert witnesses capable of assisting the triers of fact and of law to understand the evidence-collection procedures undertaken and the nature of the evidence subsequently generated.51 Given the complexity of e-evidence, there is an increasing need to involve forensic experts.52 Although computer forensics deals to a large degree with computer hardware and computer data, it is not necessarily an automated process; indeed, while some processes, such as the search for suspicious keywords or the recovery of deleted files can be automated using special forensic analysis tools,53 the vast majority of computer forensic examinations remains to a large extent manual work.54 Such is especially true with regard to the development of strategies and the search for possible evidence within search and seizure procedures. The amount of time necessary for such manual operations and the ability of offenders to automate their attacks underline the challenges that law enforcement faces, especially in investigations involving a large number of suspects and large data volumes, and even more so when further complicated by cross-border activities.55 IV. The “Hearsay” Rule in Cybercrime Some countries, such as the United Kingdom and Belgium, have special laws governing e-evidence that cover admissibility and authenticity of e-evidence.56 In other countries, such as the United States and Korea, “traditional” rules of evidence (i.e., the “hearsay rule”) may be extended and applied.57 The “hearsay” rule takes on a special form in cybercrime. A. The “Hearsay” Rule The hearsay rule is the basic evidentiary rule which provides assertions made by those outside of the court, and such derivative evidence, are generally inadmissible58; one of the most accepted legal definitions is “a statement not made in oral evidence in the proceedings that is evidence of any matter stated”.59 The rule has its origins in the notion that the trier of fact could only receive an objective, unbiased presentation of evidence if both sides have the same opportunity to confront the source of information (that is, through cross-examination).60 As such, the evidentiary value rests on the credibility of the out-of-court asserter.61 Essentially, the rule forbids notions of overheard evidence—that is, someone’s testifying, “I heard him/her tell...”; or, “I heard say that….”62 Due to the confrontational style increasingly favored in the common law tradition, as opposed to the so-called “inquisitorial” style of the civil law tradition, the hearsay rule has a greater presence and bearing in the former tradition, with the civil law system being “far more receptive to derivative evidence generally”.63 Page 117  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents B. Korea’s Treatment of the Hearsay Rule The admissibility and authenticity of the electromagnetic record that forms e-evidence may be questioned if its printed form is submitted as evidence into courts. In some countries that do not have written regulations on these matters (e.g., Korea), their highest courts may render decisions or judicial interpretations to address these issues. Such issues include the applicability of hearsay rule to determine authenticity and admissibility of such evidence.64 Case 2.12: Yeong Nam Committee Case (Korea)65 The Supreme Court of Korea has decided that the general hearsay rule, outlined in the Korean Criminal Procedural Law, does in fact apply to the authenticity and admissibility of e-evidence.66 Applied to e-evidence, the rule was used to preclude the introduction as evidence of printed forms of digital files (e.g., electronic documents; emails) saved in computers, servers or other storage devices. Although underscoring that a digitized document “is only different in terms of such document’s recording media” and not “in substance […] significantly different” from a printed document containing the statements, the Court nonetheless excluded the presentation of the printed material out of concern for “the possibility of manipulation during the storage and printing process”. As such, and with “no guarantee for cross-examination”, the Court ruled that “the hearsay rule applies to authenticity of the content of a document recorded in digital files”, and that, “under Article 313 (1) of the Criminal Procedure Act, it is admissible as evidence only when the writers (or ‘the drafters’) or the declarants (or ‘the staters’) statement authenticates it”.67 As with evidence in general, the Court appears to be concerned with assuring the evidentiary chain of custody—that is, its authenticity, integrity and reliability—and, therefore, with demonstrating a proper showing of the printed page as an authentic representation of the original, e-evidence. C. Exceptions to the Hearsay Rule As with any rule, there are exceptions to the applicability of hearsay rules. Such examples might be implemented through various routes. Korea, which has been used as an example already, has introduced exemptions through both legislative and judicial mechanisms.68 In Korea, the legislative exception is rather limited and constrained; by contrast, the judicial exceptions have been more expansive. In the aforecited Korean Supreme Court’s decision, a printed version of the digital file was deemed admissible only if its authenticity were established by the testimony of its asserter at a preparatory hearing to during a trial.69 Page 118  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents In addition to such an exception, the Court has given several other exceptions to the general applicability of the hearsay rule: 1   e-Evidence is not hearsay if digital file itself serves as a direct evidence of the offense.70 For instance, in texted phone messages creating fear or apprehension constitute direct evidence of crime in some countries criminalizing cyberstalking (e.g., Korea);71 or child pornography on a computer constitutes a direct evidence of crime in some countries (e.g., USA).72 2   e-Evidence is not hearsay if it is submitted to discredit the truthfulness of a statement, or where it is circumstantial evidence to an indirect fact. For instance, evidence showing that a certain file was run can be used as circumstantial evidence to indirect facts.73 3   e-Evidence that is automatically generated and which does not incorporate any thoughts or emotions is not hearsay. For instance, network log records, web history, call history, GPS navigation information, file meta-information, etc. are all admissible on a showing of authenticity, integrity and reliability.74 Conclusion Investigations must be prepared to turn into prosecutions if they are to have any effect. The evidentiary record, upon which adjudication must turn, being developed from e-evidence, specialized protocols and certifications ought to be developed. It is important that the established procedures, recognize the unique nature of e-evidence, and assure its authenticity, integrity, and reliability. In light of the fragility of e-evidence, law enforcement agencies must look for ways to preserve e-evidence throughout the entirety of the investigatory and prosecution process, from collection, through analysis and on to submission to court. Only trained and expert personnel, with digital forensic expertise, should handle e-evidence. All personnel should work according to established and standardized guidelines, procedures and protocols. Reliable, regularly-calibrated, and tested tools and equipment should be used, and all evidence, for the entire chain of custody— collection, analysis, submission and disposal—, should be uploaded to a central, online e-evidence management system. Consideration should be given as to whether international recognition of evidence could be best facilitated by having an international body dedicated to developing certified training programs, as well as standardized procedures and guidelines. Such a body might be established in a manner similar to informal international information sharing and coordination centers (see section 4 B, below). That body, which, for example, might be housed within INTERPOL75 or UNODC,76 could Page 119  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents serve as a further vehicle for spreading good practices, as well as mitigating if not eschewing certain evidentiary concerns that might arise in cross-jurisdictional matters (see section 2 E, below). In working with e-evidence, it is important to understand how the hearsay rule or similar exclusionary rules of evidence apply, as well as their exceptions. Hearsay rules exclude the admission of evidence that might result in bias or preclude the trier of fact’s objectivity. However, exceptions to hearsay rules may apply to e-evidence where there is no need to be concerned with bias, notably in the following circumstances: 1   When the digital file itself constitutes direct evidence of a crime; 2   When it is circumstantial evidence to an indirect fact; or 3   When the information automatically generated. Page 120  |  Chapter 2  |  § D. Evidentiary Issues Table of Contents CHAPTER 2 E. Jurisdicational Issues Table of Contents Introduction 121 I. The Traditional Notion of Jurisdiction 122 II. Adaptive Jurisdiction Principles 123 A. Principle of Territoriality 123 B. Principle of (Active) Nationality 124 C. Principle of Passive Nationality 124 D. Protective Principle 125 E. Principle of Universal Jurisdiction 126 III. National Frameworks 126 A. Adaptive Legislative Jurisdictional Definitions 126 B. Informal Cooperation 127 IV. Multilateral Instruments 128 Conclusion 128 Introduction The inherently transnational and cross-border nature of cybercrime renders investigating cybercrimes and prosecuting cybercriminals much more difficult than traditional crimes, largely due to the unique jurisdictional obstacles. Unlike their physical world analogs, cybercrimes can be committed from virtually anywhere on the globe, with attacks directed against targets in virtually any part of the world, and with effects potentially being felt by people the world over. For these reasons, states have found it necessary to reach beyond the territorial tethers that have been traditionally used to define sovereignty. While it is important to make space for the theoretical underpinnings to accordingly adapt to cyberspace, at the same time that increasingly-exerted ability of a targeted state to reach offenders beyond its territory must be balanced with respect for the sovereignty of other states. Jurisdiction, understood in its basic sense as the official power to make legal decisions and judgments,1 is a multi-faceted notion. Fundamentally, a state’s jurisdiction is understood as being composed of three different authorities: Page 121  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents 1   Prescriptive authority – that is, authority pertaining to the authority to impose laws; 2   Adjudicative authority – that is, authority pertaining to the authority to investigate and resolve disputes; and 3   Enforceable authority – that is, authority pertaining to the power to induce or punish pursuant to its prescriptive authority and subsequent to its adjudicative authority. Typically, when speaking of a state having jurisdiction, it is with regard to all three of these facets (although, in exercising its authority, a court may apply the laws of another jurisdiction3). Three distinct areas of positive4 jurisdictional conflicts exist: jurisdiction over the crime, over the evidence and over the perpetrator. This section focuses principally on jurisdiction over the crime and then briefly on jurisdiction over the perpetrator. Further discussion of jurisdiction over the perpetrator and jurisdiction over evidence is discussed in sections covering procedural and evidentiary issues,5 and in those covering the cross-border context.6 This section discusses (I) traditional understandings of jurisdiction and (II) the adaptive jurisdictional principles that have emerged in international law. Thereafter, it turns to consider attempts to overcome jurisdictional issues (III) at the national level before (IV) briefly noting the utility of international instruments in extending that process. I. The Traditional Notion of Jurisdiction Jurisdiction of a state to criminalize an act has traditionally been based on its sovereign control over the specific territory in question—what is known as the principle of territoriality.7 With such territorial control, the state is theoretically in a position to exert jurisdiction in its fullest extent for crimes occurring between people in that space, and to do so to the exclusion of all other powers: as the German sociologist Max Weber put it, the defining characteristic of the modern state is that it is a “human community that (successfully) claims the monopoly of the legitimate use of physical force within a given territory”.8 However, the nature of cyberspace often makes such a facile delineation of jurisdiction exceptionally difficult and even possibly nonsensical due to the inherent mobility, difficulty in proving location and geographic irrelevance in executing cybercrimes. Since a cybercrime can be perpetrated from entirely a country while having substantial effects within another country’s borders, the traditional basis for jurisdiction has become inadequate, if not irrelevant. Box 2.6: Inability to Prosecute Creator of the “Love Bug” Virus On 4 May 2000, the so-called “Love Bug” virus (duly named because it was spread by opening an email bearing the title of “ILOVEYOU”) rapidly “hopscotched” around the Page 122  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents world, affecting some fifty million people, from the US Pentagon to the UK Parliament, and costing an estimated US$10 billion worth of damages in a matter of hours.9 The bug was programmed to replace all files with media extensions (images, documents, mp3s, etc.) with copies of itself, and then to send an identical email to all of the contacts of a victim’s Outlook address book.10 Law enforcement traced the bug to the Philippines and identified a Filipino, Onel de Guzman, largely on the basis of an unusually heavy volume of data traffic to a computer located in the home of de Guzman’s sister. The FBI and other authorities moved to take action against de Guzman. However, progress and prosecution was stymied by the fact that the Philippines did not, at that time, have laws governing computer crime (attempts were made to prosecute him under theft, but the charges were dropped due to insufficient evidence).11 As such, the extradition treaties were rendered ineffectual due to the requirement of “dual criminality” (see section 2 A, above). The “Love Bug” shows the limits of traditional notions of jurisdiction in cybercrime: an individual released a destructive antigen into cyberspace, causing damage and deleterious effects in some twenty countries, but, because he was physically located in a jurisdiction that had not criminalized such behavior, no action could be taken by the affected states. II. Adaptive Jurisdiction Principles Faced with the increasingly limited applicability of the traditional notion of jurisdiction to cybercrime, a series of adaptations have been developed, based principles of (A) territoriality, (B) active nationality, (C) passive nationality, (D) protection and (E) universality. A. Principle of Territoriality The principle of territoriality, the notion underpinning so much of our understandings of law, and especially for international law,12 is the base principle for traditional claims of jurisdiction, as well as the basis upon which adaptive notions of jurisdiction are built.13 The traditional understanding of jurisdiction operates on the conceit that the state inherently has complete jurisdiction over crimes occurring in its territory.14 This principle has been extended to nebulous yet quasi-territorial areas. Under the law of the flag (or the “flag principle”), vessels on the “high seas” (and those operating them) “possess” the nationality of the flag that borne by the vessel15 (or where it is registered),16 and thus that state has jurisdiction.17 In 2014, the North Atlantic Treaty Organisation (NATO) deemed cyberspace to be sovereign domain akin to air, land and sea.18 Page 123  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents The principle of territoriality has been used in other ways to alter traditional fixed methods and notions. For example, in one celebrated conflicts of law case, a New York court accepted jurisdiction over a tort matter that occurred outside of its territory, but in which both parties were New York residents; more interestingly, the court went on to apply New York law rather than the law of the place of the tort, as traditional rules would have dictated: the court made this deviation on the logic that the affected interests were in New York and had nothing to do with the other state.19 Similarly, under an adaptive understanding of the principle of territoriality, a cybercrime “initiated” in the territory of one state but launched “at” another state, or made to occur “in”, another state’s territory gives the affected state jurisdiction.20 Another approach to this problem has been to broaden the notion of territoriality to extent to actions occurring in whole or in part in the prosecuting nation’s territory.21 Such an “occurrence” can be understood to include use of the affected state’s infrastructure. Thus, this approach would give the state jurisdiction where both22 or either victim or perpetrator are physically located in the state when the crime was committed,23 or when any part of the crime was committed, planned or facilitated in that country.24 The principle of territoriality remains the principal basis for exerting jurisdiction over cybercrimes. The Budapest Convention, for example, makes it mandatory for signatories to adopt, legislatively or otherwise, all that is necessary for establishing jurisdiction over listed offences committed from within the state’s physical territory.25 B. Principle of (Active) Nationality Under the principle of nationality (or of active nationality), a sovereign may regulate the actions of its nationals abroad.26 The principle is most typically invoked when a national commits a crime in a foreign state, and is more commonly found in the civil law tradition than in the common law tradition.27 Under this principle, nationals of a state are obliged to comply with that state’s domestic law even when they are outside of its territory.28 When a national commits an offence abroad, the state is obliged to have the ability to prosecute if that conduct is also an offence under the law of the state in which it was committed.29 In the instance of cybercrime, the principle is often relevant in child pornography cases, where the national attempts to perform the illegal action in a location where it is not a crime with the intent of distributing the subsequent material in his or her home country. The principle has less relevance in cybercrime than in other areas of criminal law as most cybercrimes can be effectuated from the perpetrator’s home, while having cross border effects.30 C. Principle of Passive Nationality The reciprocal of the principle of active nationality the principle of passive nationality (or passive personality). This principle applies where the national is the victim rather than the perpetrator, Page 124  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents thereby giving the state jurisdiction over the crime by which its national is victimized. The principle only takes on relevance when the entirety of the crime has occurred outside of the territory of the state. The principle is a controversial one, as it not only aggressively expands the notion of a state’s authority, but, in so doing, it also implies that the law of the state with territorial jurisdiction is insufficient to remedy the wrong and incapable—or unwilling—to protect the interest of the victimized national.31 Case 2.13: LICRA v. Yahoo!32 (France) and Yahoo! v. LICRA (USA)33 Plaintiffs, Union des Étudiants Juifs de France (“UEJF”) and La Ligue contre la Racisme et l’Antisemitisme (“LICRA”), brought a civil action against the French and American entities of Yahoo! over an internet auction of Nazi-period memorabilia under French criminal law, the “wear[ing] or exhibit[ing]” of Nazi paraphernalia is prohibited.34 The French court of first instance ruled that there were sufficient links with France to give the court full jurisdiction, and proceeded to enjoin Yahoo! to take all necessary measures to dissuade and prevent French users from accessing the material in question—in other words, to block access to the online auction.35 Although the competence of the French court was challenged and appealed in France, the original decision was upheld. Separate criminal proceedings in France were dismissed and defendants acquitted on all criminal charges; that a verdict that was upheld on appeal. Following the French court decisions, Yahoo! brought suit in the United States, asking that the French judgment be deemed without effect in the United States.36 The US District Court for the Norther District of California instead found that the French court’s decision was inconsistent with US constitutional guarantees of freedom of expression. However, the US Court of Appeals for the Ninth Circuit reversed and remanded, with directions to dismiss the action on the divided basis of lack of ripeness and of lack of personal jurisdiction.37 D. Protective Principle The protective principle (also called the “security principle” and “injured forum theory”) is triggered when the crime—effectuated from beyond the state’s territory—affects not just a national of the state, but a national security interest (domestic or international), such as the proper functioning of the government, or threatening the security of the state.38 It is closely related to competition law’s “effects doctrine” (or, as it is also termed, the “implementation test”),39 which stipulates that where the economic effects of the anticompetitive conduct experienced on the domestic market are substantial, the affected state might exert jurisdiction over both foreign offenders and foreign conduct.40 However, unlike both the effects doctrine and other forms of extraterritorial jurisdiction, the protective principle is not performed in an ad hoc, case-by-case fashion, but is instead used as Page 125  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents the basis for adopting statutes criminalizing extraterritorial behavior without regard to where or by whom the act is committed.41 In the instance of the protective principle, neither perpetrator, nor victim, nor the implicated infrastructure are necessarily within the state. Such a tenuous, even weak, connection to the acting state, as well as to the significant,42 often (at least partially) preemptive nature of the intrusion upon the sovereignty of the other state, makes extraterritorial exertions of jurisdiction based on this principle particularly controversial, and, as a result, probably the least used theory for sanctioning jurisdiction.43 E. Principle of Universal Jurisdiction The principle of universal jurisdiction applies to specific crimes, but requires international—or universal—consensus: this principle recognizes a sovereign’s right to adopt criminal laws restricting the behavior, regardless of who commits it, or where it is committed, insofar as restricting that conduct is recognized by nations as being of universal concern.44 Piracy on the high seas, regarded as one of the first international crimes, is a classic example.45 The use of this principle in cybercrime is limited because of the lack of consensus surrounding the criminality of cybercrimes.46 However, and nonetheless, some states have extended universality to include certain cybercrimes—for instance, the German where the criminal code authorizes its authorities to prosecute all crimes of child pornography.47 III. National Frameworks Regardless of whether international instruments are used to mitigate jurisdictional issues, national legal frameworks (see sections 5 A, and 5 B, below) might be crafted so as to facilitate cooperation. There are two means for a state to implement the above principles: either (A) by formally authorizing adaptive jurisdictional definitions through legislation, or (B) by relying on investigatory agencies to build relations—of varying degrees of formality—with their counterparts in other states. Both options, though different, are of great importance and value, each allowing for faster responses to concerns and better permitting the preservation of evidence. A. Adaptive Legislative Jurisdictional Definitions The first method that states might use to facilitate processes for obtaining jurisdiction over cybercrimes occurring beyond their territory is to legislatively authorize adaptive jurisdictional definitions discussed above.48 Doing so formally extents the state’s legal understanding of what constitutes criminal acts, even if conducted beyond that state’s territory. In effect, it also puts would- be perpetrators on notice. Page 126  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents One such example of this approach is Australia’s Criminal Code Act of 1995.49 The Act’s coverage of jurisdiction begins by building a broad basis of territorial jurisdiction (“standard geographical jurisdiction”).50 The Act provides four different classifications and situations authorizing Australian authorities with jurisdiction over a crime occurring beyond its territory (“extended geographical jurisdiction”).51 Furthermore, the Act stipulates that subsequent criminal legislation is to include a section stating what jurisdictional prescriptions apply.52 By so legislating, Australia has acted “openly and notoriously”, proclaiming to the world that it is at least entitled to exert jurisdiction beyond the immediate geographical borders. B. Informal Cooperation Additionally, or alternatively, states and authorities might address jurisdictional issues on a case- by-case basis through informal understandings and shared experiences of cooperation. Such is most typically done by law enforcement working directly with their counterparts in other states, therein in building informal bonds. Doing so often results in faster responses to requests for information sharing. The need for rapid information sharing is heightened at the investigatory stage, as authorities typically need to work quickly to prevent tampering or destruction of evidence; as already discussed, such is especially important for cybercrime. Informal cooperation is most common when dealing with child pornography and trafficking cases. In order for this informal cooperation to be successful, trust must be built up over time through cooperation and personal ties. In the United States, the Computer Crime and Intellectual Property Section (CCIPS) has put forth a policy encouraging and fostering the building of such bonds.53 Responsible for implementing the US DoJ’s national strategies for combatting cyber and intellectual property crimes, CCIPS “prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts”.54 To this effect, CCIPS initiates and participates in international efforts.55 The matter of informal international cooperation is addressed in greater depth further on (see section 5 B, below). It bears noting that such bonds—the basic currency of diplomacy—need not be built exclusively by working on jurisdictional or even investigatory matters, but also through exchanges, shared trainings, and other periodic interactions. For instance, in early 2016, the world marveled at the successful agreement that the United States and Iran managed to reach in securing the release of ten US sailors captured by Iran after they strayed into Iranian territorial waters: the smooth resolution to a potentially fraught incident was attributed to the open communications channels between high-level representatives of each country that had been established during negotiations over Iran’s nuclear program.56 In that particular case, the personal connections that US Secretary of State John F. Kerry and Iranian Foreign Minister Javad Zarif had established allowed them to speak directly at least five times over a ten hour period.57 Page 127  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents Even where formal instruments of international cooperation such as MLATs exist, informal cooperation is often essential to the successful investigation and prosecution of cybercrime. Major cybercrime cases frequently affect more than one country—for example, when administrators of website selling stolen credit cards are arrested. In such cases, several states may be in a position to exert jurisdiction. However, weighing the particularities and appropriateness is often beyond the scope or means of MLATs. For instance, rather than take on the matter directly, the Budapest Convention simply provides that, if appropriate, countries consult with each other to decide which state should assert jurisdiction.58 At such a crossroads, informal understandings and relationships often play a larger role in determining the expediency with which matters proceed. Indeed, when more than one country is interested in a case, law authorities of the affected states will already be collaborating before any turning point, such as an arrest, is reached. Thus, even if several countries could claim jurisdiction, there may in fact be no dispute. These informal cooperative arrangements are often the best milieu for considering which and whether targets will be tried in one country or another (perhaps on the basis of which sentences are traditionally heavier), or on the order in which prosecution and sentencing will occur. IV. Multilateral Instruments Where cybercriminal matters are concerned, negotiated multilateral instruments—rather than the afore-discussed jurisdictional theories—are the most effective and important means of establishing extra-territorial jurisdiction. International instruments are essential to combatting cybercrime as jurisdictional issues arise frequently and in all forms. As such, international cooperation is crucial to building effective, comprehensive legal frameworks to combat cybercrime. While international cooperation comes in various forms, the two most common forms MLATs and extradition treaties, both of which are discussed in greater depth further on (see section 5 A, below). It bears noting that the issue of convergence of legislation is highly relevant, as a large number of countries base their MLA regime on the principle of dual criminality.59 Conclusion Although there are a number of offences that can be prosecuted anywhere in the world, regional differences play an important role. Cybercrime offenses cannot be properly prosecuted within the confines of traditional understandings of jurisdiction. Due to the transnational nature of cybercrimes, states need to create means for investigating and prosecuting offenses which target or affect them and which occur, or which are launched, from beyond their borders. Such begins by developing comprehensive national legal frameworks. However, jurisdictional extensions meet, and therefore must balance with, the sovereignty of other states. A diversity of legal bases exists Page 128  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents for exerting jurisdiction, the most important of which is the territorial principle and its adaptive notions.60 To best deal with the jurisdictional issues arising from cybercrimes, states need to both develop inclusive definitions of jurisdiction and work on furthering international cooperation in investigations and prosecutions. Increasing reliance on MLATs and on extradition treaties will assist such a process, but those international instruments can only have full effect insofar as states develop adaptive legal national frameworks. Indeed, the biggest obstacle to prosecuting cybercrimes is the dual criminality requirement. As the dual criminality requirement is important on many levels, international cooperation is needed so that similar cybercriminal legislation—at least on what constitutes cybercrime offenses—is implemented. It bears noting that establishing jurisdiction over the crime opens the door to other issues. A state having acted formally through legislation to extend its jurisdictional ambit is confronted by two subsequent challenges: first, as already discussed, that of acquiring personal jurisdiction over the perpetrator; and, second, that of having sufficient capacity to investigate the crime, a matter that is significantly complicated by the fact that the crime occurred beyond its own territory. Both of these complications are best addressed by further developing not only formal levels of cooperation, but also informal ones. Page 129  |  Chapter 2  |  § E. Jurisdicational Issues Table of Contents CHAPTER 2 F. Institutional Framework Table of Contents Introduction 130 I. National Cybersecurity Strategy 130 A. Creating a National Cybersecurity Strategy 131 B. An Example of Good Practice 132 II. Organizing Agencies 133 A. Dealing Overlapping Authorities 133 B. Knowledge Sharing & Joint Taskforces 135 Conclusion 136 Introduction As discussed,1 effectively fighting cybercrime begins by creating a legal framework, which begins with effective legislation and subsequent executive action. That framework must create space for PPPs and increase public awareness. Building upon the basis of that legal framework, the fight against cybercrime requires an institutional framework that allows for inputs and communications between and among both national and international groups and agencies, and which provides at least a base of commonality for policies, procedures, and processes. This section addresses some good practices in building institutional frameworks to combat cybercrime by (I) creating a national cybersecurity strategy (NCS) for safely structuring, shaping, and developing cyberspace, and by (II) dealing with how to most effectively organize authorities charged with various and often overlapping aspects cyberspace. I. National Cybersecurity Strategy There is a strong global trend towards developing national cybersecurity strategies, with dozens of countries across the globe already having done so.2 As such, there is now substantial guidance— from both national and international sources—for those countries looking to create and tailor Page 130  |  Chapter 2  |  § F. Institutional Framework Table of Contents a national cybersecurity strategy to fit their own unique circumstances and exigencies. This subsection looks at (A) various aspects that go into forming a comprehensive and effective national cybersecurity strategy, and (B) considers an example of good practice. A. Creating a National Cybersecurity Strategy NCSs are strategic approaches that help states to mobilize and orchestrate resources to comprehensively and efficiently understand what cyberspace means for them, and to prepare to face threats coming from that space. An effective NCS is cross-dimensional and cross-cutting, speaking to questions of policy, cybersecurity’s larger societal place and the nature of that society. An NCS creates a broad, strategic framework by which relevant government agencies can carry out national policies, thereby implementing a nationally consistent and systematic cybersecurity policy. It is typically aspirational and propositional, requiring subsequent implementation. It comprehensively touches upon all of the diverse factors pertaining to national cybersecurity, such as specialized investigative units, increasing general institutional capacity, coordinating various agencies, supporting knowledge-sharing and operational exchanges., As cybersecurity is a shared responsibility that requires coordinated action from government authorities, the private sector and civil society, an NCS also seeks to raise public awareness of cyber threats and how such incidents might be prevented, as well as looking to limit proliferation of cyber weapons, thereby facilitating prompt response and recovery to attacks. Countermeasures to cybercrimes might also be discussed. The NCS should be both inward and outward looking. The strategy must consider how best to mobilize and coordinate diverse and disparate internal actors, ranging from law enforcement agencies to those involved in the nation’s infrastructure (e.g., power grid, roads, dams). Doing as much demands cooperation among all parties, private and public. For instance, one of the reasons that the alleged US cyberattack on North Korea failed (in contrast to the Stuxnet cyberattack launched against Iran)3 was North Korea’s severe internet and communications isolation, as well as the utter secrecy imposed by the regime.4 This situation is highlighted as indicative of the fact that securing cyberspace requires much more than the mere increase of activity by law enforcement; Moreover, freedom of information and freedom a free, fluid cyberspace being beneficial to society at large, it bears making it explicit that the authors are not advocating for the severe, dictatorial measures imposed by the North Korean government. The NCS should not only be inward but also must also be outward looking. It should be prepared with sufficient flexibility to facilitate collaboration with other national and international institutions. Moreover, the NCS should account and facilitate both formal and informal international inputs (see sections 5 A and 5 B). Part of the strategy should have an office serving as a “control tower” role, both for implementing and monitoring the strategy’s implementation, as well as for carrying on operations thereafter. Such a centralized office is particularly important for coordinating among the diverse actors. This office is crucial to effectively should bringing together all of the diverse elements that might be implicated Page 131  |  Chapter 2  |  § F. Institutional Framework Table of Contents in fighting cybercrime; while space for improvisation should be allowed, those elements should be laid out in the NCS itself, rather than being left in an ad hoc fashion to the office. To facilitate and build momentum, a timeline is typically included. Given the disparate and developing elements covered, certain states have taken a fragmented approach, forming the NCS not of one document but of several. Such is not necessarily problematic, insofar as the fragmented elements forming the NCS can be clearly and coherently pieced together without effort or confusion.5 B. An Example of Good Practice The United Kingdom’s Cyber Security Strategy, published on 25 November 2011, provides an example of good practice in developing a NCS.6 The Strategy begins broadly, being introduced as “set[ting] out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment”.7 The Strategy proceeds by setting out its raison d’être in four large and basic goals that implementation is hoped to accomplish: 1  ackling cybercrime, thereby making Britain one of the most secure places in the world to T do business in cyberspace; 2  ncreasing cyberattack resilience, thereby increasing the Britain’s ability to protect interests I in cyberspace; 3  Helping shape and open-up cyberspace, thereby making it a stable and vibrant space in which the public can safely operate, therein contributing to an open society; 4 Eliminating silos, thereby creating cross-cutting knowledge, skills, and capability needed to underpin cybersecurity at large. These four, overarching goals—intended to deliver the Strategy’s vision of “a vibrant, resilient and secure cyberspace”8—are divided into fifty-seven discreet, manageable tasks covering a full range of issues, including strengthening law enforcement agencies, examining current laws, sharing information on cyber threats, adopting new procedures for responding to cyber incidents and strengthening international cooperation.9 Each task is assigned to one of the following six British agencies in charge of the Strategy’s implementation: the Home Office,10 the Department for Business, Energy and Industrial Strategy (BEIS),11 the Department for Culture, Media and Sport,12 the Cabinet Office,13 the Ministry of Defence14 and the Foreign and Commonwealth Office (FCO).15 The Strategy’s publication in 2011 led to a four-year implementation period. Momentum was maintained through annual progress reports, with the Cabinet Office’s Office of Cyber Security and Information (OCSI) operating as the appraisal and management center.16 At a cost of GB£860 million to date,17 and with the government having committed a further GB£1.9 billion over the next five years to cybersecurity,18 the Strategy is a robust commitment. Page 132  |  Chapter 2  |  § F. Institutional Framework Table of Contents II. Organizing Agencies Just like the physical world, safely structuring, shaping, and developing cyberspace so that all might benefit requires the input of a diversity of actors. As such activity often results in overlapping competencies and authorities, it is important for states to develop an institutional framework by (A) laying out a comprehensive NCS that addresses the vast array of cyberspace issues and by (B) facilitating knowledge sharing among the actors, such as through the creation of joint taskforces. A. Dealing Overlapping Authorities A comprehensive NCS goes well beyond cybercrime and cybersecurity, encompassing a variety of cyberspace issues. It should discuss and develop not only the country’s larger vision and policy issues, but also should explore approaches for promoting ICT development, implementing regulations on the misuse of technology, finding solutions to privacy concerns and exploring the development of investigative and prosecutorial procedures. Due to the cross-cutting nature of cyberspace and of such concerns, various government agencies and offices necessarily handle these issues. While each agency should, in accordance with its own mandate, carry out its own tasks, a timeline and plan for coordinating efforts and for facilitating inter-agency cooperation is crucial to effective strategy implementation. Broadly speaking, the development of cyberspace can be divided into four areas: 1  I  CT policies (e.g., regulation, development); 2  C  ybersecurity (e.g., infringements, certifications); 3  U  ser protection (e.g., protecting privacy, personal information); and 4  C  ybercrime (e.g., combatting, investigating, prosecuting). In mapping responsibilities, it is important that agency roles and responsibilities be clearly assigned. Doing so will allow for the discreet handling of issues, therein avoiding confusion and overlap, as well as facilitating resource allocation and nurturing the development of expertise. Furthermore, the institutional framework should support the legislative and executive mandates created under the legal framework, appropriately assigning specific roles to various agencies. In order for the overall institutional framework to function properly, it is essential that involved agencies constantly engage in self-critical evaluation procedures, as supported and supervised by a central, “control tower” office. An essential part of this process depends upon appropriate feedback loops that the central office must consider. An example of the clear assigning of tasks can be found in the United Kingdom, as discussed above; a more detailed breakdown of the Korean experience follows: Page 133  |  Chapter 2  |  § F. Institutional Framework Table of Contents Table 2.1: Relevant Cyberspace Laws and Administering Agencies Categories Agencies in Charge Relevant Statutes Information  Ministry of Science, ICT and  Act on Promotion of Information and Future Planning Communications Network Utilization and Communications Policies Information Protection  Korea Communications Commission  Digital Signature Act  Act on the Protection, Use, etc., of Location Information  Telecommunications Business Act Cybersecurity  Ministry of Science, ICT and  Act on the Protection of Information and Future Planning (for the private Communications Infrastructure sector)  Act on Promotion of Information and  KrCERT Communications Network Utilization and Information Protection  National Intelligence Service (for the public sector) User Protection  Ministry of Interior  Personal Information Protection Act  Korea Communications  Act on Promotion of Information and Commission Communications Network Utilization and Information Protection  Financial Services Commission  Special Act on Refund of Amount of Damage Caused by Telecommunications Bank Fraud Cybercrime  National Police Agency  Criminal Act  Prosecutor’s Office  Criminal Procedure Act  Ministry of Justice  Protection of Communications Secrets Act As the above table indicates, various acts and agencies play a role in regulating cyberspace. For example, the Act on Promotion of Information and Communications Network Utilization and Information Protection (APICNU), a major statute in Korea’s information communications sector, has as its purpose “to promote the utilization of information and communications networks, to protect the personal information of users utilizing information and communications services, and to build a safe and sound environment for the information and communications networks in order to improve the citizen’s lives and enhance the public welfare.”19 The two competent authorities for this Act are the Ministry of Science, ICT and Future Planning (MSIP) and the Korea Communications Commission (KCC). MSIP mainly deals with facilitating utilization of ICT and maintaining cybersecurity in the private sector, while KCC is in charge of regulating the telecommunications business and of protecting personal information in the information communications network. However, while both MSIP and KCC are the major institutional players, for certain violations, the APICNU provides criminal sanctions, the triggering of which shifts authority away from MSIP and KCC to those agencies generally charged with investigative and prosecutorial roles. Page 134  |  Chapter 2  |  § F. Institutional Framework Table of Contents Power sharing schemes similar to that of the APICNU exist both in most of the other Korean laws, as well as in the laws of many other states. As such, it is all the more important that both a clear institutional framework and a targeted NCS be developed, with competencies and responsibilities being clearly assigned and delineated on the basis of the legal framework. B. Knowledge Sharing & Joint Taskforces Knowledge sharing is a key corollary to any power-sharing scheme, regardless of how formal or informal. Just as a certain degree of flexibility and imprecision should be left in the law in order to accommodate the fast-paced and ever-evolving nature of cybercrime, it is also important that assignations of power not be excessively limiting, and that appropriate inter-agency and inter- departmental communication plans and paths be opened and employed. While the cybersecurity “control tower” office can facilitate information sharing, it is important that each agency realizes and acts on the understanding that information on threats can come through different routes, thereby facilitating investigation, prosecution and overall threat detection. One way of connecting various agencies is through joint investigative taskforces. In forming joint taskforces, each participating agency assigns contact officers to the joint taskforce. In certain cases, those officers may even be seated in the same physical location or otherwise obliged to maintain frequent contact, and may even jointly participate in criminal investigations. A joint taskforce might be organized on a temporary basis in order to resolve a particular case, or established on a more permanent basis. In any case, longer-term arrangements that open up regular channels of communications, and which encourage direct and frequent interactions between agency point persons are helpful in developing a continuous cooperative system between the agencies. Joint taskforces are used by a number of countries. For instance, in the United States, the DoJ has organized the National Cyber Investigative Joint Task Force (NCIJTF) under the purview of the FBI Cyber Division. Separately, the Department of Homeland Security (DHS) has organized more- disparate and localized the Electronic Crimes Task Forces (ECTFs) under the auspices of the Secret Service.20 Formed in 2008, the NCIJTF is the primary US agency responsible for coordinating cyber threats investigations and liaisons among the FBI, Central Intelligence Agency (CIA), Department of Defense (DoD), DHS, and NSA.21 The ECTFs, originally created in New York in 1996 to combine the resources of academia, the private sector and local, state, and federal law enforcement agencies in combating computer-based threats to the nation’s financial payment systems and critical infrastructures,22 was expanded by federal legislative action23 to create a nationwide network (with two offices abroad) that focuses on identifying and locating international cyber criminals connected to cyber intrusions, bank fraud, data breaches, and other computer-related crimes.24 Similarly, in Korean, the KSPO established the Joint Personal Information Investigation Team (JPIIT) in April 2014 following the theft of extremely sensitive personal data—including identification numbers, addresses and credit card numbers, which affected over twenty million South Koreans Page 135  |  Chapter 2  |  § F. Institutional Framework Table of Contents equal to roughly forty percent of the population.25 While the massive breach on Target Corporation was due to malware on point-of-sale systems,26 the Korean banks were compromised by a third- party worker; these two disparate cyberthreats underscore the wide variety of threats facing consumers.27 JPIIT is composed of personnel from eighteen different groups, eleven of which are government agencies and six of which come from the private sector. Different types of tasks are assigned to different agencies. For instance, private actors, including the Online Privacy Association (OPA), communications companies and portal companies, deal with collecting and analyzing illegal personal information. Additionally, the Korean Internet and Security Agency (KISA) deals with infringements. The Ministry of the Interior deals with inspecting personal information security. KSPO and the National Police Agency handle investigations and prosecution. The National Tax Service addresses recovery of criminal proceeds. The Ministry of Strategy and Finance (MOSF), MSIP and the Personal Information Protection Commission (PIPC) address the improvement of policy and regulation. Supervising business communications is done by the Financial Services Commission (FSC) and the Financial Supervisory Service (FSS) supervises the finance sector, while MSIP and the Korea Communications Commission (KCC) supervises communications in the ICT sector. Crucially, JPIIT sits with the High-Tech Crimes Investigation Division 1 of the Seoul Central District Prosecutor’s Office. As this Division is charged with investigating cybercrimes, the joint taskforce participates both directly and indirectly in cybercriminal investigations, should matters escalate to such a level. The participation of a diversity of actors, and the intense degree of information sharing between them, facilitates management of tasks pertaining to personal information, be it the prevention and monitoring of personal information crimes, investigation and prosecution or the recovery of criminal proceeds. Because JPIIT operates at the case-intake point, members can immediately report to their respective agencies upon encountering an issue that falls under their group’s particular purview. Private sector actors play a crucial role in JPIIT by collecting various types of illegally distributed personal information from their regular business operations and handing them over to law enforcement agencies. In so doing, the methods in which cybercriminals use the information system is better understood and directly reported to law enforcement, thereby facilitating repair of vulnerabilities at the earliest stage possible. Conclusion Countries are increasingly establishing NCS as part of their institutional frameworks. Doing so facilitates a robust, organized and structured response to insecurity in cyberspace. These strategies contribute to mobilizing government action—by eliciting wider agency participation, facilitating capacity building and knowledge sharing and helping to assure consistent implementation of Page 136  |  Chapter 2  |  § F. Institutional Framework Table of Contents cybersecurity policies—, while also facilitating public awareness and engagement. Strategy implementation can be facilitated and accelerates by designating an office to manage and periodically assess progress. The institutional framework should take a holistic approach to dealing with cyberspace. As so many divergent actors are required to safely structure, shape, and develop cyberspace for everyone’s benefit, it is vital to share accumulated information and expertise. Joint investigative task forces that bring together relevant actors: agencies involved in systems’ administration, as well as investigatory and prosecutorial proceedings, need to be brought together on a regular basis. Space should also be made to periodically bring key private sector actors, such as data privacy groups and ISPs, to the table. Page 137  |  Chapter 2  |  § F. Institutional Framework Table of Contents End Notes Referenced in: § A. Working 7. On the basis of the legal principle of nulla 13. Ibid. See also, ITU Understanding Definition of Cybercrime poena sine lege (Latin for “no penalty Cybercrime, supra § 1 B, note 1, at 11 & without a law”), it is generally understood 41 (“For example, a person who produces that crimes must be defined with USB devices containing malicious 1. Brenner, “Thoughts, Witches and appropriate certainty (legal certainty) and software that destroys data on computers Crimes,” supra § 1 B, note 2. definiteness (both in the committed act when the device is connected commits and the requisite mental state), and with a crime.”); UNODC Cybercrime Study, 2. “Cybercrime refers to any crime that can appropriate notice given, in order for the supra § 1 B, note 7 (“In practice, computer be committed by means of a computer rule of law to exist. data or information likely includes data system or network, in a computer system or information stored on physical storage or network or against a computer system. 8. Generally speaking, laws are interpreted media (such as hard disk drives, USB In principle, it encompasses any crime by courts according to their “plain” or memory sticks or flash cards), [….]”). capable of being committed in an “literal” meaning, by which judges are electronic environment.” Background to read the letter of the law in a textual, 14. See, e.g., League of Arab States, Arab Paper for the Workshop on Crimes word-for-word sense without diverting Convention on Combatting Information Related to the Computer Network, 10th from its true meaning, with words given Technology Offences (21 Dec. 2010), UN Congress on the Prevention of Crime their plain, ordinary and literal meaning. [hereafter, “Arab Convention”], Art. 2(6); and the Treatment of Offenders, (10–17 See, e.g., United Kingdom: Fisher v Budapest Explanatory Report, supra § 1 Apr. 2000) A/CONF.187/10, [hereafter, Bell [1961] 1 QB 394; United States: D, note 14. “UNODC Conference Paper”] p. 4, at Connecticut Nat’l Bank v. Germain, https://www.unodc.org/documents/ 112 S. Ct. 1146, 1149 (1992). The rule 15. CoE’s Cybercrime Convention Committee congress//Previous_Congresses/10th_ of “narrow” or “strict” construction of (T-CY) notes that “the definition of Congress_2000/017_ACONF.187.10_Crim criminal statutes, the opposite of “liberal” ‘computer system’ in Article 1.a [of the es_Related_to_Computer_Networks.pdf. or “broad” construction, means that a Budapest Convention] covers developing criminal statute may not be expanded forms of technology that go beyond 3. UN Secretariat, “Background Paper: traditional mainframe or desktop by implication or intent beyond the fair Workshop 3 on Strengthening Crime computer systems, such as modern meaning of the statute’s language; its Prevention and Criminal Justice mobile phones, smart phones, PDAs, corollary, the rule of lenity, holds that Responses to Evolving Forms of Crime, tablets or similar”. “Guidance Note # 1: ambiguity should be resolved in the Such as Cybercrime and Trafficking in On the Notion of ‘Computer System’: defendant’s favor. See, e.g., United Cultural Property, Including Lessons Art. 1.a, Budapest Convention,” adopted States v. Granderson, 114 S. Ct. 1259, Learned and International Cooperation,” by the T-CY at its 8th Plenary, (5 Dec. 1263 (1994). The result of this approach 13th UN Congress on Crime Prevention 2012) CoE, T-CY at https://rm.coe.int/ is that “when choice has to be made and Criminal Justice, (2 Feb. 2015) A/ CoERMPublicCommonSearchServices/D between two readings of what conduct CONF.222/12, p. 6, at http://www.unodc isplayDCTMContent?documentId=09 [a legislature] has made a crime, it is .org/documents/congress/Docume 000016802e79e6. UNODC Cybercrime appropriate, before [choosing] the harsher ntation/A-CONF.222-12_Workshop3/ Study, supra § 1 C, note 7 (“Based on the alternative, to require that [the legislature] ACONF222_12_e_V1500663.pdf. core concept of processing computer should have spoken in language that is clear and definite.” Dowling v. United data or information, it is likely that 4. In addition, a cybercrime may be States, 473 U.S. 207, 214 (1985) (internal provisions typically apply to devices such prosecutable under the general criminal quotations and citations omitted). as mainframe and computer servers, code. A standard forgery statute may desktop personal computers, laptop stretch to cover electronic forgery, theft 9. Basic information on international and computers, smartphones, tablet devices, via electronic systems may be covered by regional instruments on cybercrime is and on-board computers in transport and a standard theft statute, and so on. provided in appendix 9 A (Multilateral machinery, as well as multimedia devices 5. COMSEC, “Report of the Commonwealth Instruments on Cybercrime). such as printers, MP3 players, digital Working Group on Experts on cameras, and gaming machines.”). 10. Oxford English Dictionary. Cybercrime,” Meeting of Commonwealth 16. Kristin Finklea & Catherine A. Theohary, Law Ministers and Senior Officials, 11. UNODC Cybercrime Study, supra § 1 B, “Cybercrime: Conceptual Issues for Gaborone, Botswana (5–8 May note 7. Congress and Law Enforcement,” US 2014), Annex A, pp. 13–14, at http:// Congressional Research Service (CRS), (15 thecommonwealth.org/sites/default/files/ 12. See, e.g., Budapest Convention, supra § 1 Jan. 2015), p. 3, at https://fas.org/sgp/crs/ news-items/documents/Report_of_the_ B, note 32, at Art. 1.b. misc/R42547.pdf. Commonwealth_Working_Group_of_ Experts_on_Cybercrime_May_2014.pdf. 17. See supra § 1 C. 6. See, e.g., Wall, “Policing Cybercrimes,” supra § 1 B, note 33. Page 138 | Chapter 2 | End Notes Table of Contents 18. “An Electronic Trail for Every 28. See, e.g., Avaneesh Pandey, “Energy- 40. See infra § 2 E. See also Sunil Crime,” Homeland Security Efficient ‘Biocomputer’ Provides Viable Kumar Gupta, “Extradition Law and Newswire, (19 Apr. 2011), at http:// Alternative to Quantum Computers,” IBT, the International Criminal Court,” homelandsecuritynewswire.com/ (28 Feb. 16), at http://www.ibtimes.com/ Berkeley Journal of Criminal Law, electronic-trail-every-crime. energy-efficient-biocomputer-provides- VOl. 3 (2000), at http://scholarship. viable-alternative-quantum-computers law.berkeley.edu/cgi/viewcontent. 19. Sarah Gordon & Richard Ford, “On -2326448. cgi?article=1072&context=bjcl. the Definition and Classification of Cybercrime,” Journal of Computer 29. Alex Hern, “Google Says Machine 41. See, e.g., “Long-Arm Statute,” LII, Cornell Virology, Vol. 2 (2006), pp. 15–19. Learning Is the Future. So I Tried It University Law School, at https://www.law. Myself,” Guardian, (28 Jun. 2018), cornell.edu/wex/long-arm_statute. 20. John Lasseter, dir. Toy Story. Walt Disney at https://www.theguardian.com/ Pictures & Pixar Animation Studios. 1995. technology/2016/jun/28/google-says- 42. “Cybercrime,” INTERPOL, at http://www. Film. machine-learning-is-the-future-so-i-tried- interpol.int/Crime-areas/Cybercrime/ it-myself/. Cybercrime. 21. ITU, “Overview of the Internet of Things,” Recommendation ITU-T Y.2060 (Jun. 30. See supra § 1 C for a discussion of the 43. UNODC Conference Paper, supra note 2. 2012), Internet of Things Global Standards debate on the strength of encryption. Initiative, at http://www.itu.int/ITU-T/ 44. Ibid. recommendations/rec.aspx?rec=y.2060. 31. David R. Johnson & David Post, “Law and 45. See, e.g., Portugal: Cybercrime Law, Law Cf. US Federal Trade Commission Borders: The Rise of Law in Cyberspace,” No. 109 (15 Sep. 2009), Art. 11, at http:// (FTC), “Internet of Things: Privacy and Stanford Law Review, Vol. 48 (May 1996), www.wipo.int/edocs/lexdocs/laws/en/pt/ Security in a Connected World,” FTC 1367, at https://cyber.harvard.edu/is02/ pt089en.pdf. Staff Report, (Jan. 2015) [hereafter, “FTC readings/johnson-post.html. Report”], at https://www.ftc.gov/system/ 46. Supra Budapest Convention, supra § 1 files/documents/reports/federal-trade- 32. The basis for international public law B, note 32 and Arab Convention, supra commission-staff-report-november- is by and large built upon the notion note 14. 2013-workshop-entitled-internet-things- of the sovereignty of the Westphalian privacy/150127iotrpt.pdf. state. See, e.g., Andreas Osiander, 47. CIS, Agreement on Cooperation “Sovereignty, International Relations, among the States Members of the 22. Ibid. See, also, “Internet of Things (IoT),” and the Westphalian Myth,” International Commonwealth of Independent States Cisco, at http://www.cisco.com/c/en/us/ Organization, Vol. 55 (2001), p. 251–87. (CIS) in Combating Offences Related to solutions/internet-of-things/overview. For a fuller discussion, see infra § 2 E. Computer Information (2001) (entered html. into force on 14 Mar. 2002) [hereafter, 33. See Johnson & Post, supra note 31, at p. “CIS Agreement”], Art. 5, at https://cms. 23. “How Hackers Could Use Doll to Open 1379. unov.org/documentrepositoryindexer/ Your Front Door,” BBC News, (14 Feb. 34. BI Intelligence, “Samsung Is Building a GetDocInOriginalFormat.drsx?DocID= 2017), at http://www.bbc.com/news/ Smart Cities Network in South Korea,” 5b7de69a-730e-43ce-9623-9a103f5cabc0. technology-38966285. Business Insider, (25 May 2016), at http:// 48. African Union, African Union Convention 24. See, e.g., FTC Report, supra note 21. www.businessinsider.com/samsung-is- on Cyber Security and Personal Data building-a-smart-cities-network-in-south- 25. See, e.g., Luke Simmons, “What Is the Protection, EX.CL/846(XXV) (27 Jun. korea-2016-5. Difference between the Internet of 2014) [hereafter, “AU Convention”], Art. Everything and the Internet of Things,” 35. See, e.g., “Brief: Smart Cities,” World 28, para. 1 & 2, at http://pages.au.int/ CloudRail, (14 Oct. 2015), at https:// Bank (8 Jan. 2015), at http://www. infosoc/cybersecurity. The AU Convention cloudrail.com/internet-of-everything-vs- worldbank.org/en/topic/ict/brief/smart- is also sometimes referred to as the internet-of-things/. cities; Smart Cities Council, at http:// “Malabo Convention”. Although a smartcitiescouncil.com/. positive step in the progress of the fight 26. See, e.g., Tim Bajarin, “The Next against cybercrime, the AU Convention Big Thing for Tech: The Internet of 36. See, e.g., European Network of Living is deficient in certain areas. See, e.g., Everything,” Time, (13 Jan. 2014), at Labs, at http://www.openlivinglabs.eu/. Mailyn Fidler, “The African Union http://time.com/539/the-next-big-thing- Cybersecurity Convention: A Missed for-tech-the-internet-of-everything/. 37. See Johnson & Post, supra note 31, at p. Human Rights Opportunity,” Council of 1369. Foreign Relations Blog, (22 Jun. 2015), at 27. See, e.g., “Intelligent Machines Quantum http://blogs.cfr.org/cyber/2015/06/22/the- Computing Now Has a Powerful Search 38. See supra § 1 A. See also Shearer, african-union-cybersecurity-convention- Tool,” MIT Technology Review, (5 Apr. Extradition in International Law, a-missed-human-rights-opportunity/. 2017), at https://www.technologyreview. (Manchester: Manchester University This matter is discussed in greater depth com/s/604068/quantum-computing-now- Press, 1971), p. 137; Schultz, “The Great further on; see infra § 5 A. has-a-powerful-search-tool/. Framework of Extradition and Asylum,” in Treatise on International Criminal Law, Vol. 49. UNODC Cybercrime Study, supra § 1 B, 2 (1973), p. 313. note 7. 39. See FTC Report, supra note 21. 50. See e.g., United Kingdom: Computer Misuse Act, 1990. 51. See, generally appendix 9 C. Page 139 | Chapter 2 | End Notes Table of Contents 52. As indicated in appendix 9 C, 196 58. See, e.g., Kosovo: Law on Prevention and 65. OAS provides that “For the purposes of countries are targeted. As of 2 Fight of the Cyber Crime (2010), Art. 3, this diagnosis, ‘cybercrime’ is defined as October 2015, approximately 76.0% which defines “cybercrime” as a criminal a criminal activity in which information (149 countries) have domestic law that activity carried out in a network that has technology systems (including, inter comprehensively or partially governs as objective or as a way of carrying out alia, telecommunications and computer cybercrime irrespective of having draft the crime, misuse of computer systems systems) are the corpus delicti or means law on cybercrime. Specifically, 137 and computer data, at http://www. of committing an offense.” Final Report countries adopted domestic law that kuvendikosoves.org/common/docs/ of the Second Meeting of Government holistically or partly covers cybercrime, ligjet/2010-166-eng.pdf. Experts on Cyber Crime, (2000), OAS, and another 12 countries had or have p. 2, at http://www.oas.org/juridico/ a draft law that deals with cybercrime, 59. ITU Understanding Cybercrime, supra § 1 english/cybGE_IIrep.pdf (in English). along with having other laws that address B, note 1, at 12. See also Thomas Weigend, Preparatory cybercrime. Further, 12 countries had or Colloquium for the 20th International 60. UNODC Cybercrime Study supra § 1 C, have a draft cybercrime law in progress. Congress of Penal Law on “Information note 7, at 11. However, 33 countries have no domestic Society and Penal Law” (organized by legislation pertaining to cybercrime, while 61. CIS Agreement provides that “offences AIDP), § I (Criminal Law, General Part), 2 countries have no data to assess their against computer information” is § 1: Concept paper and questionnaire, legislative statuses. defined as a criminal act of which (2012), AIDP, p. 1 (articulating that “The target is computer information. Supra term ‘cybercrime’ is understood to cover 53. Examples of domestic law concerning criminal conduct that affects interests note 33, at Art. 1(a). See also Budapest cybercrime whose name explicitly uses associated with the use of information Convention, supra § 1 B, note 32; AU the term “cybercrime” can be found in, and communication technology (ICT) Convention, supra note 48; and the among others, Botswana, Cybercrime (emphasis added) [….]. The common Directive on Fighting Cyber Crime within and Computer Related Crimes, 2007 and denominator and characteristic feature of Economic Community of West African Philippines, Cybercrime Prevention Act, all cybercrime offences and cybercrime States [hereafter, “ECOWAS Directive”], (2012). investigation can be found in their relation at https://ccdcoe.org/sites/default/ files/documents/ECOWAS-110819- to computer systems, computer networks 54. See Russia: Criminal Code, ch. 28, Crimes FightingCybercrime.pdf. and computer data (emphasis added) in the Sphere of Computer Information, at [….]”), at http://www.penal.org/IMG/pdf/ http://www.wipo.int/edocs/lexdocs/laws/ 62. See SCO, Agreement between the Section_I_EN.pdf. en/ru/ru006en.pdf. Governments of the Member States of the SCO on Cooperation in the Field of 66. David Wall, “Cybercrimes: New Wine, No 55. A list of domestic legislation regarding International Information Security (2009) Bottles?,” in Pamela Davies, Peter Francis concerning cybercrime whose name [hereafter, “SCO Agreement”], Art. 2., at & Victor Jupp (eds.), Invisible Crimes: provides the term similar to “cybercrime” http://www.ccdcoe.org/sites/default/files/ Their Victims and their Regulation, (New includes, but is not limited to, Antigua documents/SCO-090616-IISAgreement. York: Macmillan, 1999). See also Peter and Barbuda: Electronic Crimes Act, pdf (considering “information crime” N. Grabosky, “Virtual Criminality: Old (2013); Sri Lanka: Computer Crime as one of the major threats in the field Wine in New Bottles?,” Social & Legal Act, (2007); Bahrain: Law concerning of ensuring international information Studies, Vol. 10 (2001), p. 243 (adapting Information Technology Crimes, (2014); security); Annex 1, ibid. (stating that the phrase be more of a matter of “old and Dominican Republic: Law on High “information crime” means use of and/ wine in new bottles”). The origin of the Technology Crimes, (2007). or attack on information resources in the phrase is Biblical: “No one sews a piece 56. See, e.g., China: Criminal Law, (2016), information space for illegal purposes). of unshrunk cloth on an old cloak, for the Art. 286 (“Whoever, in violation of State patch pulls away from the cloak, and a regulations, cancels, alters, increases 63. CIS Agreement, supra note 47. worse tear is made. Neither is new wine or jams the functions of the computer put into old wineskins; otherwise, the 64. See SCO Agreement, supra note 62. information system, thereby making it skins burst, and the wine is spilled, and impossible for the system to operate the skins are destroyed; but new wine normally, if the consequences are is put into fresh wineskins, and so both serious, shall be sentenced to fixed- are preserved.” The Bible, Mat. 9:16–17 term imprisonment of not more than (NRSV). five years or criminal detention.”). See, 67. Ian Walden, Computer Crimes and Digital e.g., Abhishek Pratap Singh, “China’s Investigations (2d ed.), (Oxford: Oxford First Cyber Security Law,” Institute University Press, 2016), para. 2.27. for Defense Studies and Analyses, (23 Dec. 2016), at http://www.idsa.in/ 68. Anne Flanagan, “The Law and Computer backgrounder/china-first-cyber-security- Crime: Reading the Script of Reform,” law_apsingh_231216#footnote5_w4sr2kl. International Journal of Law & Information Technology, Vol. 13, Issue1 (2005), pp. 57. See, e.g., Oman: Royal Decree Issuing 98–117. the Cyber Crime Law, (2011), which states that “cybercrime refers to crimes referred to in this law,” at http://www.qcert.org/ sites/default/files/public/documents/ om-ecrime-issuing_the_cyber_crime_law- eng-2011.pdf. Page 140 | Chapter 2 | End Notes Table of Contents 69. For instance, it has been noted at 83. AU Convention, supra note 48. As with 95. See “About UNODC,” UNODC, supra UNICRI proceedings that “Due to the the other instruments covered in this note 93. rapidly evolving nature of cybercrime, section, the AU Convention is discussed many governments and international as a means of illustrating the diverse ways 96. UNODC Cybercrime Study, supra § 1 B, organizations have shied away from that cybercrime has been classified. A note 7. adhering to a strict definition of the deeper discussion of various international 97. Ibid., at 16. term.” UNICRI, “Cyber Crime: Risks instruments can be found in § 5 B. for the Economy and Enterprises”: 98. UNICRI, “Cybercrime: Risks for the Proceedings of UNICRI roundtable, (29 84. Ibid., Ch. I: Electronic Transactions (Art. Economy and Enterprises,” at http://www. Nov. 2013), p. 7, at http://www.unicri.it/ 2–7); Ch. II: Personal Data Protection (Art. unicri.it/in_focus/on/Cybercrime_Lucca. in_focus/on/Cybercrime_Lucca. 8–23); Ch. III: Promoting Cyber Security and Combating Cybercrime (Art. 24–38). 99. See Michele Socco, “European 70. UNODC Cybercrime Study, supra § 1 B, Commission, Fight against Cybercrime: A note 7, at 14–15. 85. Ibid., including the following offenses: (1) European perspective,” presented at the attacks on computer systems (Art. 29.1); UNICRI roundtable on “Cybercrime and 71. For additional information, Policing (2) computerized data breaches (Art. 29.2); the risks for economy and enterprises” Cybercrimes: Situating the Public Police in (3) content related offences (Art. 29.3); (2013). Networks of Security within Cyberspace, and (4) offences relating to electronic supra § 1 B, note 30, at 183–205, and message security measures (Art. 29.4). 100. See “Our Member States,” CoE, at Weigend, supra note 65. http://www.coe.int/en/web/about-us/our- 86. Ibid., including the following offenses: member-states. 72. See “Secretariat,” United Nations, at (1) property offences (Art. 30.1); and (2) http://www.un.org/en/sections/about-un/ criminal liability for legal persons (Art. 101. Statute of the Council of Europe (5 May secretariat/index.html. 30.2). 1949), ETS No. 1 [hereafter, “Treaty of London”], Art. 1(a), at http://www. 73. UN Secretariat, “Comprehensive and 87. Ibid., at Member States. coe.int/en/web/conventions/full-list/-/ balanced approaches to prevent and 88. Treaty of Economic Community of West conventions/treaty/001. adequately respond to new and emerging forms of transnational crime Working African States (ECOWAS), (28 May 1975), 102. Ibid. See also “About Us,” CoE, at https:// paper,” (27 Jan. 2015) A/CONF.222/8, Lagos, Nigeria, at http://www.ecowas.int/ www.coe.int/web/about-us/who-we-are. 13th UN Congress on Crime Prevention ecowas-law/treaties/. and Criminal Justice, at http://www. 103. See “Conventions,” CoE, at http:// 89. See, e.g., “African Economic Community unodc.org/documents/congress// www.coe.int/en/web/conventions/. (AEC),” South African Dept. of Documentation/A-CONF.222-8/ Conventions and agreements opened for International Relations and Cooperation, ACONF222_8_e_V1500538.pdf. signature between 1949 and 2003 were at http://www.dfa.gov.za/foreign/ published in the “European Treaty Series” 74. UN Secretariat, supra note 3, at 6. Multilateral/africa/aec.htm. See also (ETS No. 1 to 193 included). Since 2004, Abuja Treaty Establishing The African this Series is continued by the “Council of 75. See “Commonwealth Secretariat,” Economic Community, (3 Jun. 1991), Europe Treaty Series” (CETS No. 194 and The Commonwealth, at http:// at http://www.wipo.int/edocs/lexdocs/ following). Ibid. www.commonwealthofnations.org/ treaties/en/aec/trt_aec.pdf. commonwealth/commonwealth- 104. UNODC Cybercrime Study, supra § 1 B, secretariat/. 90. ECOWAS Directive (2011), supra note 61. note 7. 76. See “About Us,” The Commonwealth at 91. Similarly, in criminalizing cybercrime, the 105. Ibid. http://thecommonwealth.org/about-us. AU Convention distinguishes between “offences specific to information and 106. See “Summary,” Details of ETS No. 77. “Commonwealth Secretariat,” supra note communication technologies” (Art. 29) 185, at https://www.coe.int/en/web/ 75. and those “adapting certain offences conventions/full-list/-/conventions/ to information and communication treaty/185. 78. COMSEC, supra note 5. technologies” (Art. 30). See AU Convention, supra note 48. 107. UNODC Cybercrime Study, supra § 1 B, 79. Ibid., at 11–12. note 7, including the following offenses: 92. Morris Odhiambo, Rudy Chitiga (1) illegal access (Art. 2); (2) illegal 80. Constitutive Act of the African Union, (11 & Solomon Ebobrah, The Civil interception (Art. 3); (3) data interference Jul. 2000), Lomé, Togo, CAB/LEG/23.15, Society Guide to Regional Economic (Art. 4); (4) system interference (Art. 5); and Art. 2, at http://www.au.int/en/sites/ Communities in Africa (Oxford: African (5) misuse of devices (Art. 6). default/files/ConstitutiveAct_EN.pdf. Books Collective Limited, 2016), p. 57. 81. See “AU in a Nutshell,” African Union, at 108. Ibid., including the following offenses: (1) 93. See “About UNODC,” UNODC, at computer-related forgery (Art. 7); and (2) http://www.au.int/en/about/nutshell. https://www.unodc.org/unodc/about- Computer-related fraud (Art. 8). 82. Ibid. unodc/index.html?ref=menutop. 109. Ibid., at Art.9. 94. See UN General Assembly, United Nations Millennium Declaration, (8 Sep. 110. Ibid., at Art.10. 2000) A/RES/55/2, at http://www.un.org/ 111. Ibid., at Art.12. millennium/declaration/ares552e.htm. 112. Ibid., at Art.13. Page 141 | Chapter 2 | End Notes Table of Contents 113. UNODC Conference Paper, supra note 2, at 5. 114. AU Convention, supra note 48. 115. ECOWAS Directive, supra note 44. 116. COMSEC, supra note 5, at http:// thecommonwealth.org/media/news/ communique-commonwealth-law- ministers-meeting-2014. Page 142 | Chapter 2 | End Notes Table of Contents Referenced in: § B. Criminalized 14. Budapest Convention, supra § 1 B, note 27. See, e.g., Laboratory of Cryptography and Conduct 32. System Security (CrySyS Lab), “sKyWIper (a.k.a. Flame a.k.a. Flamer): A Complex 15. United States v. Marcel Lehel Lazar, (E.D. Malware for Targeted Attacks,” Budapest 1. See supra § 2 A. Va. 2016). See also US Dept. of Justice University of Technology and Economics, “Romanian Hacker ‘Guccifer’ Pleads (31 May 2012), at https://www.crysys.hu/ 2. But see Wall, supra § 1 B, note 33, at 6 Guilty to Computer Hacking Crimes,” US skywiper/skywiper.pdf. (noting that “[t]here is global agreement Attorney’s Office, E.D. Va., (25 May 2016), in attitudes and rules condemning the at https://www.justice.gov/usao-edva/pr/ 28. David Kushner, “The Real Story of Stuxnet distribution of child pornography”). romanian-hacker-guccifer-pleads-guilty- How Kaspersky Lab Tracked Down the computer-hacking-crimes. Malware That Stymied Iran’s Nuclear-Fuel 3. See, e.g., ITU Understanding Cybercrime, Enrichment Program,” IEEE Spectrum, (26 supra § 1 B, note 1, which provides, 16. Pete Williams, “Guccifer, Hacker Who Feb. 2013), at http://spectrum.ieee.org/ “[t]here is much lack of agreement Says He Breached Clinton Server, Pleads telecom/security/the-real-story-of-stuxnet. regarding the content of material and Guilty,” NBC News, (25 May 2016), at to what degree specific acts should be http://www.nbcnews.com/news/us-news/ 29. Gallagher, supra note 26. criminalized.” guccifer-hacker-who-says-he-breached- clinton-server-pleads-guilty-n580186. 30. CrysSyS Lab, supra note 27. 4. For instance, the Budapest Convention makes hacking (termed “illegal access”) 17. Budapest Convention, supra § 1 B, note 31. See supra § 2 B, box 2.4. the very first substantive crime. Budapest 32. Convention, supra § 1 B, note 32, Art. 2. 32. Gallagher, supra note 26. See also ITU Understanding Cybercrime, 18. US Dept. of Justice, supra note 15. 33. CrysSyS Lab, supra note 27. supra § 1 B, note 1. 19. Budapest Convention, supra § 1 B, note 34. Ibid. 5. See supra § 2 B, box 2.2. 32. 35. Ibid. 6. See, e.g., David Bisson, “5 Social 20. “Monitoring” is an ambiguous term Engineering Attacks to Watch Out for,” internationally; some jurisdictions use it to 36. See, e.g., “Data Diddling,” Cyber Tripwire, (23 Mar. 2014), at https://www. mean taking content, while others use it Crime and Forensics Blog, at http:// tripwire.com/state-of-security/security- to mean tracing. cybercrimeandforensic.blogspot. awareness/5-social-engineering-attacks- com/2009/02/data-diddling.html. to-watch-out-for/. 21. Sarb Sembhi, “How to Defend Against Data Integrity Attacks,” Computer 37. US Dept. of Justice, National Institute 7. See, e.g., “Injection Attacks,” Phpsecurity, Weekly, (Feb. 2009), at http://www. of Justice, Office of Justice Program, at http://phpsecurity.readthedocs.io/ computerweekly.com/opinion/How-to- Computer Crime: Criminal Justice en/latest/Injection-Attacks.html; “SQL defend-against-data-integrity-attacks. Resource Manual (2d ed.), OJP-86-C-002 Injection,” Acunetix, at http://www. (Aug. 1989). acunetix.com/websitesecurity/sql- 22. See, e.g., “Edward Snowden: Leaks that injection/. Exposed US Spy Programme,” BBC 38. See, e.g., supra § 1 B, case 1.3. News, (17 Jan. 2014), at http://www.bbc. 8. Vick Hargrave, “Hacker, Hacktivist or com/news/world-us-canada-23123964. 39. See, e.g., Massimo Calabresi, “Election CyberCriminal?,” Trend Micro Simply Hackers Altered Voter Rolls, Stole Private Security, (17 Jun 2012), at http://blog. 23. See, e.g., “Snowden Designs Phone Case Data, Officials Say,” Time, (22 Jun. 2017), trendmicro.com/whats-the-difference- to Spot Hack Attacks,” BBC News, (22 at http://time.com/4828306/russian- between-a-hacker-and-a-cybercriminal/. Jul. 2016), at http://www.bbc.com/news/ hacking-election-widespread-private- technology-36865209. data/. 9. Stephanie Koons, “Researchers Examine Role of ‘White Hat’ Hackers 24. Bunnie Huang, “Against the Law: 40. See, e.g., PM, “Could a New Case Stop in Cyber Warfare,” Penn State Countering Lawful Abuses of Digital Your Phone from Being Hacked?,” BBC News, (21 Jan. 2015), at http://news. Surveillance,” PubPub, (26 Jul. 2016), at News, (22 Jul. 2016), at http://www.bbc. psu.edu/story/341564/2015/01/21/ https://www.pubpub.org/pub/direct- co.uk/programmes/p0428n3p. research/ist-researchers-examine-role- radio-introspection. 41. But see, France’s Légifrance, le service %E2%80%98white-hat%E2%80%99- 25. See, e.g., Gordon Corera, “CIA Taps public de l’accès au droit, which, in hackers-cyber-warfare. Huge Potential of Digital Technology,” addition to making publically available 10. Budapest Convention, supra § 1 B, note BBC News, (29 Jun. 2016), at http:// all sorts of basic legal documents 32, at Art. 2. See generally, ibid. www.bbc.com/news/world-us- (constitution, laws, regulations, court canada-36462056. decisions, etc.), verifies the authenticity 11. Ibid. of the information published with each 26. See, e.g., Kevin M. Gallagher, “Private download. 12. Weigend, supra § 1 B, note 25, at 55. Spies Deserve More Scrutiny,” Huffington Post, (18 Jun. 2014), at http://www. 13. The principle is captured by the Latin huffingtonpost.com/kevin-m-gallagher/ dictum “actus reus non facit reum nisi private-sector-surveillance_b_5171750. mens sit rea” (“the act is not culpable html. unless the mind is guilty”). See, e.g., Oxford Reference Dictionary. Page 143 | Chapter 2 | End Notes Table of Contents 42. See, e.g., Hans A. von Spakovsky, “The 49. As already noted, some acts that might 58. See, e.g., China rendered a judicial Dangers of Internet Voting,” The Heritage otherwise constitute cybercrime, or that interpretation whose provisions allow Foundation, at http://www.heritage.org/ with the passage of time are revealed to application of pre-existing legislative research/reports/2015/07/the-dangers-of- be acts of states against states, and that provisions on traditional form of obscenity internet-voting; Michael Agresta, “Will the might be characterized as cyberterrorism offences (Art. 363(1)1 & Art. 364(1)1 Next Election Be Hacked?,” Wall Street or cyberwarfare, are beyond the scope of of the Criminal Law) to cover criminal Journal, (17 Aug. 2012), at http://www.wsj. this Toolkit. See WDR, supra § 1 A, note behaviors involving obscene electronic com/articles/SB10000872396390444508 10, at 222 et seq. information concretely depicting sexual 504577595280674870186. But see, e.g., acts by minors under 18 years of age. Nicole Kobie, “Why Electronic Voting 50. Andrea Peterson, “The Sony Pictures For details, see (1) China: Criminal Law, Isn’t Secure – but May Be Safe Enough,” Hack, Explained,” Washington and (2) China: Interpretation of Some Guardian, (30 Mar. 2015), at https://www. Post, (18 Dec. 2014), at https://www. Questions on Concretely Applicable Law theguardian.com/technology/2015/ washingtonpost.com/news/the-switch/ in the Handling of Criminal Cases of Using mar/30/why-electronic-voting-is-not- wp/2014/12/18/the-sony-pictures-hack- the Internet or Mobile Communication secure. explained/. Terminals and Voicemail Platforms to Produce, Reproduce, Publish, Sell (also 43. People v. Ressin, No. 1978CR9793, Colo. 51. Ibid. translated as “Peddle”) or Disseminate Super. Ct. (Denver Dt.). For a broader Obscene Electronic Information (Sept. 52. See, e.g., Aisha Harris, “Sony Really position situating this crime in the time 2004), at https://chinacopyrightandmedia. Should Release The Interview Online, and in its context, see Jay Becker, “The wordpress.com/2004/09/09/interpretation and Soon,” Slate, (17 Dec. 2014), Trial of a Computer Crime,” Computer -of-some-questions-on-concretely-applic at http://www.slate.com/blogs/ Law Journal. Vol. 2 (1980), p. 441, at http:// able-law-in-handling-criminal-cases-of-usi browbeat/2014/12/17/the_interview_ repository.jmls.edu/cgi/viewcontent. ng-the-internet-or-mobile-communication pulled_from_theaters_due_to_north_ cgi?article=1610&context=jitpl. -terminals-and-voicemail-platforms-to-pro korea_s_apparent_data_hack.html. duce-reproduce-publish-2/#more-1700. 44. See supra § 1 B. 53. David E. Sanger & Nicole Perlroth, “US Said to Find North Korea Ordered 59. See, e.g., Kosovo: Law on Prevention 45. Viano, § 1 B, note 39. Cyberattack on Sony,” New York Times, and Fight of the Cyber Crime (11 Mar. 46. Terry Chia, “Confidentiality, Integrity (17 Dec. 2014), at http://www.nytimes. 2010), Art. 16 (Child pornography and Availability (CIA): The Three com/2014/12/18/world/asia/us-links- through computer systems), at http:// Components of the CIA Triad,” IT Security north-korea-to-sony-hacking.html?_r=1. mzhe.rks-gov.net/repository/docs/ Community Blog, (20 Aug. 2012), at LIGJIPERPARANDALIMINDHE_LUFT http://security.blogoverflow.com/2012/08/ 54. See infra § 4 B. IMINE_KRIMITKIBERNETIKE2010166- confidentiality-integrity-availability-the- alb2010-166-eng.pdf; India: Information 55. Accepted freedom of expression three-components-of-the-cia-triad/. Technology (Amendment) Act, (2008), restrictions range from child pornography, § 67B (Punishment for publishing or 47. One form of cybersabotage technique direct and public indictment, the transmitting of material depicting is cyber-bombing, wherein in malicious commitment of genocide, the children in sexual explicit act, etc., in code, often called a “logic bomb” or dissemination of hate speech, and electronic form) which was inserted “slag code”, is programmed to execute incitement to terrorism. See, e.g., into the Information Technology Act, under certain circumstances, such upon Promotion and Protection of the Right (2000), at https://cc.tifrh.res.in/webdata/ failure to appropriately respond to a to Freedom of Opinion and Expression, documents/events/facilities/IT_act_2008. program command, or after the lapsing Report of the Special Rapporteur on the pdf. of a certain period of time. Such a Promotion and Protection of the Right technique is common in cyberwar and/or to Freedom of Opinion and Expression 60. See, e.g., “Argentina, Penal Code (as cyberterrorism. See, e.g., Sct’y. Carter & to UN General Assembly, Frank La Rue, amended by Act No. 26388 of 2008), Gen. Dunford, US Dept. of Defense Press A/66/290 (10 Aug. 2011), pp. 8–13, at Article 128” (in English),” from: UN Briefing, Pentagon Briefing Room, (29 http://www.ohchr.org/Documents/Issues/ Committee on the Rights of the Child, Feb. 2016), at http://www.defense.gov/ Opinion/A.66.290.pdf. “Consideration of Reports Submitted by News/News-Transcripts/Transcript-View/ States Parties under Art. 12, para. 1, of 56. See, e.g., ITU Understanding Cybercrime, Article/682341/department-of-defense- the Optional Protocol to the Convention supra § 1 B, note 1, at 21. press-briefing-by-secretary-carter- on the Rights of the Child on the Sale and-gen-dunford-in-the. Those topics 57. Cf. Jamaica: Child Pornography of Children, Child Prostitution and Child are beyond the scope of the Toolkit. (Prevention) Act, § 5 (Processing Pornography: Argentina,” (10 Mar. 2010) Nonetheless, it bears noting that the lines or accessing child pornography), CRC/C/OPSC/ARG/1, at pp. 18–19, at between acts of cybercrime and cyberwar at http://moj.gov.jm/sites/default/ http://www.refworld.org/pdfid/50b3526a2. or cyberterrorism are increasingly blurred, files/laws/Child%20Pornograph%20 pdf. especially, as the World Development %28Prevention%29%20Act.pdf. Report has noted, “acts that might previously have been considered civilian attacks are now being uncovered as acts of states against states via nonstate actor proxies”. See WDR, supra § 1 A, note 10. 48. Weigend, supra § 1 B, note 26, at 54. Page 144 | Chapter 2 | End Notes Table of Contents 61. See, e.g., Brunei Darussalam: Penal 71. Claire Huang Jingyi, “3 Years’ Jail, S$5,000 79. The added language criminalized the Code (Amendment) Order, (2012), which Fine for Man Who Harassed US Singer,” “use [ of…] any interactive computer inserted §§ 293A (Possession of Indecent TodayOnline, (21 Dec. 2013), at http:// service or electronic communication Photograph of Child), 293B (Taking, www.todayonline.com/singapore/3-years- service or electronic communication Distribution, Showing, Advertisement and jail-s5000-fine-man-who-harassed-us- system of interstate commerce”. Access of Indecent Photograph of Child), singer?page=1. USC Title 18, § 2261A - Stalking, at 293C (Interpretation of §§ 293A and https://www.law.cornell.edu/uscode/ 293B), and 293D (Defense) into the Penal 72. Mark Albertson, “Singapore Cyberstalker text/18/2261A. The most recent Code, at http://www.agc.gov.bn/AGC%20 Convicted, but Others Roam Free,” reauthorization was signed into law Images/LAWS/Gazette_PDF/2012/EN/ Examiner, (6 Dec. 2013), at http:// in 2013. See “1 is 2 Many:, Resources S026.pdf. www.examiner.com/article/singapore- Violence Against Women Act,” The White cyberstalker-convicted-but-others-roam- House of President Barack Obama, at 62. “Cyberstalking, a New Crime: Evaluating free. https://www.whitehouse.gov/1is2many/ the Effectiveness of Current State and resources. Federal Laws,” Missouri Law Review, Vol. 73. See Protection from Harassment Act 72 (2007), p. 125, at http://scholarship. (Ch. 256A). See also Mong Palatino, 80. While all fifty states, the District of law.missouri.edu/cgi/viewcontent. “Singapore Criminalizes Cyber Bullying Columbia and US Territories have cgi?article=3985&context=mlr. and Stalking,” Diplomat, (24 Mar. 2014), criminalized stalking, cyberstalking at http://thediplomat.com/2014/03/ has only been specifically addressed 63. See, e.g., US Dept. of Justice, National singapore-criminalizes-cyber-bullying- by some thirty-five jurisdictions. See, Institute of Justice, “Domestic Violence, and-stalking/. e.g., Working to Halt Online Abuse, at Stalking, and Antistalking Legislation: http://www.haltabuse.org/resources/ An Annual Report to Congress under 74. EU Agency for Fundamental Rights, laws/; “Stalking Technology Outpaces the Violence Against Women Act,” (Apr. “Violence Against Women: An EU-wide State Laws,” National Center for Victims 1996), p. 1, at https://www.fas.org/sgp/ Survey” (Mar. 2014), at http://fra.europa. of Crime, at https://victimsofcrime. crs/misc/R42499.pdf. Lisa N. Sacco, “The eu/en/publication/2014/violence-against- org/docs/src/stalking-technology- Violence Against Women Act: Overview, women-eu-wide-survey-main-results- outpaces-state-laws17A308005D0C. Legislation, and Federal Funding,” US report. pdf?sfvrsn=2. This fact is troubling as Congressional Research Service (CRS) (26 the constitutional limits on US federal 75. See CoE, Convention on Preventing and May 2015), at https://www.fas.org/sgp/crs/ law mean that VAWA does not apply Combating Violence Against Women misc/R42499.pdf. to cyberstalking conducted exclusively and Domestic Violence, (11 May 2011) CETS No. 210, [hereafter, “Istanbul within the jurisdiction of any one state or 64. See US Dept. of Justice, National Center Convention”], at http://www.coe.int/en/ territory and must involve the interstate for Victims of Crime, Problem-Oriented web/conventions/full-list/-/conventions/ or foreign commerce. See USC TItle 18, Guides for Police Problem-Specific treaty/210. However, cyberstalking is § 2261A(1)- Stalking, at https://www.law. Guides Series Guide: Stalking, No. 22 not listed as a punishable offense in the cornell.edu/uscode/text/18/2261A. That (5 Jan. 2004), at https://victimsofcrime. Budapest Convention. Ibid. much said, the inherently cross-border org/docs/src/stalking-problem-oriented- nature of electronic communications policiing-guide.pdf?sfvrsn=0. 76. California led the way, becoming, in makes it is likely that US federal law 65. Katrina Baum, Shannan Catalano, 1990, the first jurisdiction to specifically would be applicable. Moreover, courts Michael Rand & Kristina Rose, “Stalking criminalize stalking in response to the have facilitated legislative hiccups by Victimization in the United States,” murder of the television star Rebecca extending existing, traditional statutes US Dept. of Justice, Office of Justice Schaeffer. See, e.g., Berkman Center for to include electronic tools. See, e.g., Programs, Bureau of Justice Statistics Internet & Society, “State and Federal Colorado v. Sullivan, 53 P.3d 1181 (Colo. Special Report, (Jan. 2009) at https:// Stalking Laws,” Harvard University, at Ct. App. 2002). www.justice.gov/sites/default/files/ovw/ https://cyber.law.harvard.edu/vaw00/ cyberstalking_laws.html. 81. Katrina Baum, Shannan Catalano, Michael legacy/2012/08/15/bjs-stalking-rpt.pdf. Rand & Kristina Rose, “National Crime 66. Supra note 60. 77. See “Factsheet: The Violence Against Victimization Survey Stalking Victimization Women Act,” The White House of in the United States,” US Dept. of Justice, 67. Paul Mullen, Michele Pathé & Rosemary President Obama, at https://www.nvcc. Bureau of Justice Statistics Special Purcell, “Cyberstalking,” Stalking Risk edu/support/_files/Violence-Against- Report (Jan. 2009), p. 3, at https://www. Profile, at https://www.stalkingriskprofile. Women-Act-Fact-Sheet.pdf. justice.gov/sites/default/files/ovw/ com/victim-support/impact-of-stalking- legacy/2012/08/15/bjs-stalking-rpt.pdf. on-victims. 78. California also became the first state to specifically criminalize 82. See, e.g., Colorado v. Sullivan, supra note 68. Ibid. cyberstalking. See Naomi Harlin 77 (where a Colorado court ruled that Goodno, “Cyberstalking, a New Crime: the phrase “under surveillance” in the 69. Leandra Ramm v. Colin Mak Yew Loong, Evaluating the Effectiveness of Current state’s stalking law included electronic NRIC No. S7524695A (20 Dec. 2013). State and Federal Laws,” Missouri Law surveillance and that a Colorado Review (2007), at http://scholarship. man’s installation of a GPS device in 70. Katharine Quarmby, “How the Law law.missouri.edu/cgi/viewcontent. his estranged wife’s car to check on Is Standing Up to Cyberstalking,” cgi?article=3985&context=mlr. her whereabouts during their divorce Newsweek, (13 Aug. 2014), at http://www. newsweek.com/2014/08/22/how-law- proceedings constituted stalking). standing-cyberstalking-264251.html. 83. United States v. Jake Baker, 104 F.3d 1492 (6th Cir. 1997). Page 145 | Chapter 2 | End Notes Table of Contents 84. Elonis v. United States, 575 U.S. (2015). 94. A.R. Raghavan & Latha Parthiban, 105. United States v. Drinkman, Kalinin, “The Effect of Cybercrime on a Bank’s Rytikov, Smilianets, & Rytikov (Criminal 85. See, e.g., “Building Your Case,” End Finances,” International Journal of No. 09-626 (JBS) (S-2)). Stalking in America, Inc., at http://www. Current Research and Academic Review, esia.net/Building_your_Case.htm. Vol. 2, No. 2, (Feb. 2014), pp. 173–78, at 106. Indictment: United States v. Vladimir http://www.ijcrar.com/vol-2-2/A.R.%20 Drinkman, Aleksandr Kalinin, 86. See “Stalking Technology Outpaces Roman Kotov, Mikhail Rytikov, and Raghavan%20and%20Latha%20Parthiban. State Laws,” supra note 77, at Dmitriy Smilianets, (D.N.J. 2009), pdf. https://victimsofcrime.org/docs/src/ at http://www.justice.gov/iso/opa/ stalking-technology-outpaces-state- 95. Lucian Constantin, “Target Point-of-Sale resources/5182013725111217608630.pdf. laws17A308005D0C.pdf?sfvrsn=2. Terminals Were Infected with Malware,” PC World, (13 Jan. 2014), at http://www. 107. United States v Drinkman, Kalinin, Kotov, 87. Quoted in Katharine Quarmby, supra note Rytikov, Smilianets, UNODC Cybercrime pcworld.com/article/2087240/target- 70. Repository, at https://www.unodc.org/cld/ pointofsale-terminals-were-infected-with- malware.html. case-law-doc/cybercrimecrimetype/usa/ 88. Martin Evans, “Fraud and Cyber us_v_drinkman_kalinin_kotov_rytikov_ Crime are Now the Country’s Most 96. See, e.g., The 2014 Symantec Internet smilianets.html?&tmpl=cyb. Common Offences,” Telegraph, (19 Jan. Security Threat Report, Symantec, (Mar. 2017), at http://www.telegraph.co.uk/ 108. Targeted institutions included, among 2014), at http://www.symantec.com/ news/2017/01/19/fraud-cyber-crime-now- others, Heartland Payment Systems content/en/us/enterprise/other_resourc countrys-common-offences/. Inc., Euronet, Global Payment Systems, es/b-istr_main_report_v19_21291018.en- us.pdf. See also, Kamala Harris, the 2014 7-Eleven, Carrefour S.A., JC Penney 89. PricewaterhouseCoopers, PWC’s 2014 California Data Breach Report, California Inc., Hannaford Brothers Co., Wet Seal Global Economic Crime Survey: Economic Office of the Attorney General, (Oct. Inc., Commidea Ltd., JetBlue Airways, Crime, A Threat to Business Globally 2014), at https://oag.ca.gov/sites/all/files/ Visa Inc., Diners, Ingenicard US, Inc., (2014) [hereafter, “PWC 2014 Global agweb/pdfs/privacy/2014data_breach_ NASDAQ, Dow Jones Inc., ‘Bank A’ Economic Crime Survey”], at https://www. rpt.pdf. (a major UAE bank), and Dexia Bank pwc.at/publikationen/global-economic- Belgium. crime-survey-2014.pdf. 97. “Business Email Compromise, Public Service Announcement,” Internet Crime 109. Report on Cyber Security in the Banking 90. Gordon M. Snow, Statement before the Complaint Center & Federal Bureau of Sector, supra note 99. House Financial Services Committee, Subcommittee on Financial Institutions Investigation, (2015), at https://www. 110. Paula Rosenblum, “In the Wake of and Consumer Credit, (Washington: FBI, ic3.gov/media/2015/150122.aspx; Brian Target Data Breach,” Forbes, (17 Mar. 2011), at https://archives.fbi.gov/archives/ Krebs, “FBI: Businesses Lost $215M to 2014), at http://www.forbes.com/sites/ news/testimony/cyber-security-threats-to- Email Scams,” Krebs on Security, (2015), paularosenblum/2014/03/17/in-wake-of- the-financial-sector at http://krebsonsecurity.com/2015/01/fbi- target-data-breach-cash-becoming-king- businesses-lost-215m-to-email-scams/. again/. 91. See PWC 2014 Global Economic Crime Survey, supra note 89. 98. See supra § 2 B, box 2.2. 111. United States v. Ross William Ulbricht, 99. “Anonymous Hacktivists Say Wikileaks 79 F.Supp. 3d 466 (S.D.N.Y. 2015). Silk 92. Albin Krebs, “Willie Sutton Is Dead at 79,” War to Continue,” BBC News, (9 Dec. Road was tried under a number of New York Times, (19 Nov. 1980). Although 2010), at http://www.bbc.com/news/ legal theories including US banking, lore would have it that Sutton said it in technology-11935539. narcotics trafficking, criminal conspiracy response, Sutton himself denies having and “cybercrime”. Ulbricht’s appeal actually made the statement, writing that, 100. David Carlisle, “Virtual Currencies and of his conviction on the grounds of “The credit belongs to some enterprising Financial Crimes,” RUSI Occasional corruption of DEA agents interfering with reporter who apparently felt a need to fill Paper, Royal United Services Institute evidence and other procedural issues out his copy. I can’t even remember when for Defence and Security Studies (RUSI), at trial was denied in May 2017, see I first read it. It just seemed to appear (March 2017), at https://rusi.org/sites/ United States v. Ulbricht, No. 15-1815, one day, and then it was everywhere. If default/files/rusi_op_virtual_currencies_ (2d Cir. 2017), at https://cases.justia. anybody had asked me, I’d have probably and_financial_crime.pdf com/federal/appellate-courts/ca2/15- said it[…] it couldn’t be more obvious.” 1815/205494850/0.pdf?ts=1496418409. Willie Sutton with Edward Linn, Where 101. Ibid. This case is highlighted again further on the Money Was: The Memoirs of a Bank as an example of the procedural aspects Robber, (New York: Crown/Archetype, 102. USC Title 18, § 1343 “Fraud by Wire, surrounding search and seizure. See infra 2004). Radio, or Television.” See also United § 4 A, case 4.1. States v. Cassiere, 4 F.3d 1006 (1st Cir. 93. Andrew M. Cuomo & Benjamin M. Lawsky, 1993); United States v. Ames Sintering “Report on Cyber Security in the Banking Co., 927 F.2d 232 (6th Cir. 1990). Sector,” New York State Dept. of Financial Services, (New York: New York State Dept. 103. “Net Losses: Estimating the Global of Financial Services, 2014), at http://www. Cost of Cybercrime,” McAfee & CSIS, dfs.ny.gov/reportpub/dfs_cyber_banking_ (June 2014), at http://csis.org/files/ report_052014.pdf. attachments/140609_rp_economic_ impact_cybercrime_report.pdf. 104. Ibid. Page 146 | Chapter 2 | End Notes Table of Contents 112. Ibid. As noted, the Silk Road case is 115. Ibid. 122. A review of the global state of cybercrime highlighted in the Toolkit for a number legislation by the CoE found that only of reasons. Ibid. More generally, it bears 116. See Don Tapscott & Alex Tapscott, 70% of studied countries had legislation noting that “dark web” markets— “The Impact of the Blockchain Goes in place targeting the misuse of devices; where drugs, weapons, malware, toxic Beyond Financial Services,” Harvard dual use of devices was not considered, chemicals, stolen data and the like are Business Review (10 May 2016), at with focus being on the production of traded—is unlikely to go away. Rather, https://hbr.org/2016/05/the-impact-of- some specific devices; misuse of devices as cyberspace continues to gain both the-blockchain-goes-beyond-financial- was found to be criminalized only in commercial and social importance, the services (“where not just information relation with illegal access or system place for such dark markets is only likely but anything of value – money, titles, interference. See Cristina Schulman, “The to grow. Indeed, by all indications, that deeds, music, art, scientific discoveries, Global State of Cybercrime Legislation,” growth is very substantial: recently, two intellectual property, and even votes Workshop 1: Cybercrime legislation additional dark web marketplaces— – can be moved and stored securely (Strasbourg: Octopus Conference, AlphaBay and Hansa—were shut down by and privately. On the blockchain, 6–8 Jun. 2012), at https://rm.coe. FBI-led, global police efforts. See Chris trust is established, not by powerful int/16802f240b. See also Geoffrey Andare Baraniuk, “AlphaBay and Hansa Dark intermediaries like banks, governments v. Attorney General & 2 others, [2016] Web Markets Shut Down,” BBC News, and technology companies, but through eKLR, Petition No.149 of 2015, High Court (20 Jul. 2017), at http://www.bbc.com/ mass collaboration and clever code. of Kenya at Nairobi Milimani Law Courts, news/technology-40670010. In terms Blockchains ensure integrity and trust Constitutional and Human Rights Division, of both traffic and value, AlphaBay and between strangers. They make it difficult at http://kenyalaw.org/caselaw/cases/ Hansa dwarfed Silk Road: while Silk Road to cheat.”). view/121033/. only had 14,000 listings for illicit items of 117. See, e.g., US Currency and Foreign 123. EU Directive 2013/40/EU, at Art. 7. various kinds when it was seized in 2013, Transactions Reporting Act of 1970 (see the DoJ said that AlphaBay had more USC Title 18, §§ 5311–5330 and 31 CFR 124. For example, quantum computing than 350,000 listings, with US$450m was Chapter X [formerly 31 CFR Part 103] is expected to both revolutionize spent via the marketplace between May (“Bank Secrecy Act” or “BSA”). computing and unravel modern 2015 and February 2017. Ibid. While the encryption technology. See supra § 1 C, impact of shutting down AlphaBay and 118. Ibid., at para. 71. box 1.3. Hansa is unclear, there are indications that trade on several of the other dark 119. See, e.g., United Kingdom: Computer 125. Andare, supra note 122. web’s illegal markets has increased, Misuse Act 1990, (criminalizing three acts: though the sales of some goods appear (1) Unauthorized access to computer 126. See Kenya: Information and to have been reduced. See, e.g., Leo material; (2) unauthorized access with Communications Act, Chapter 411A Kelion, “Dark Web Markets Boom after intent to commit or facilitate commission § 29, at https://www.unodc.org/res/ Alphas Bay and Hansa busts,” BBC of further offences; (3) unauthorized cld/document/ken/1930/information- News, (1 Aug. 2017), at http://www.bbc. modification of computer material), and-communications-act_html/Kenya_ com/news/technology-40788266. The at http://www.legislation.gov.uk/ Information_and_Communications_ growing dark side of cyberspace is a ukpga/1990/18/contents. It should be Act_2_of_1998.pdf. matter with which society at large will— noted that amendments to the Computer Misuse Act were introduced in the 127. Ibid. constructively and collectively—have to grapple; fighting cybercrime and assuring Police and Justice Act 2006, http://www. 128. Supra note 114, (stating “the provisions cybersecurity are central elements legislation.gov.uk/ukpga/2006/48/part/5/ of section 29 are so wide and vague therein. See, e.g., Ronald Deibert, “The crossheading/computer-misuse. that they offend the requirements Growing Dark Side of Cyberspace (… with regard to law that carries penal 120. USC Title 18, § 1030(a)(6)(A) & (B) and What to Do About It),” Penn State consequences and do not meet the Journal of Law & International Affairs, 121. Ibid., at para. 81. criteria set in Art. 24 of the Constitution Vol. 1, Issue 2 (Nov. 2012), at http:// which provides instances when rights elibrary.law.psu.edu/cgi/viewcontent. can be limited), para. 80 & 99. Art.33(2), cgi?article=1012&context=jlia. For a Constitution of Kenya, (2010), at https:// provocative, fictional depiction of the role www.kenyaembassy.com/pdfs/the%20 of cyber exchanges, see Jennifer Haley, constitution%20of%20kenya.pdf. “The Nether”, supra § 1 B, note 7. 129. Ibid. (stating “Section 29 imposes a 113. Tamara Tabo, “United States v. The limitation on the freedom of expression Internet: America’s Most Wanted May in vague, imprecise and undefined terms Look a Lot Like You,” AbovetheLaw.com, […]”). (12 Jun. 2015), at http://abovethelaw. com/2015/06/united-states-v-the-internet- 130. See supra § 2 B, case 2.6. See also infra § americas-most-wanted-may-look-a-lot- 4 A, case 4.1. like-you/ 114. See, e.g., “How Blockchain Tech Could Change the Way We Do Business,” BBC News, (22 Jan. 2016), at http://www.bbc. com/news/business-35370304. Page 147 | Chapter 2 | End Notes Table of Contents Referenced in: § C. Procedural 8. Thomas K. Clancy, Cyber Crime and 15. Regarding the need for a formalization of Issues Digital Evidence: Materials and Cases computer forensics, see Ryan Leigland & (New York: Lexisnexis, 2011); Cameron S. Axel W. Krings, “A Formalization of Digital D. Brown, “Investigating and Prosecuting Forensics,” International Journal of Digital 1. This section focuses on investigative and Cyber Crime: Forensic Dependencies and Evidence, Vol. 3, Issue 2 (2004), p. 2. prosecutorial “procedural” issues; “due Barriers to Justice,” International Journal process” issues are treated in § 5 A, infra. of Cyber Criminology, Vol. 9, Issue1 (2015), 16. Michell Lange & Kristin Nimsger, Issue 55, pp. 66–67. Electronic Evidence and Discovery 2. In practice, procedural issues are (Chicago: Section of Science & never entirely detached from the 9. ITU Understanding Cybercrime, supra § 1 Technology Law, American Bar substantive specification of an offense. B, note 1, at 251–56. Association, 2004), p. 6. The specification of the elements and seriousness of the offense are important 10. See, e.g., Budapest Explanatory Report, 17. With regard to developments, see in determining whether cognizance it supra § 1 D, note 14, at para. 12 (“[T] Danny Abramovitch, “A Brief History of taken of a suspected violation, and, if here are some differences with respect to Hard Drive Control,” Control Systems so, what level of intrusiveness will be the search of computer data, which may Magazine, EEE, Vol. 22, Issue 3 (2002), p. permitted during investigation. necessitate different or special procedural 28 et seq.; Tom Coughlin, Dennis Waid, provisions to ensure that computer data & Jim Porter, “The Disk Drive, 50 Years 3. See, e.g., Budapest Explanatory Report, can be obtained in a manner that is of Progress and Technology Innovation,” supra § 1 D, note 14, at para. 132 (“Not equally effective as a search and seizure Coughlin Associates, (2005), at www. only must substantive criminal law keep of tangible data. […] Some changes may tomcoughlin.com/Techpapers/DISK%20 abreast of these new abuses, but so must be required to domestic law to ensure DRIVE%20HISTORY,%20TC%20Edits,%20 criminal procedural law and investigative that intangible data can be searched 050504.pdf. techniques”). and seized. […D]ue to the connectivity of computer systems, data may not be 18. Scott Giordano, “Electronic Evidence and 4. Tonya Putnam & David Elliot, Chapter the Law,” Information Systems Frontiers, stored in the particular computer that is 2- International Responses to Cyber Vol. 6, No. 2 (2006), p. 161; Stephen searched, but such data may be readily Crime, (Stanford: Hoover Institution Willinger & Robin Wilson, “Negotiating accessible to that system. […Allowing Press, 2001), pp. 1–2, at http://www. the Minefields of Electronic Discovery,” such searches may] require new laws hoover.org/sites/default/files/uploads/ Richmond Journal of Law & Technology, to permit an extension of the search to documents/0817999825_35.pdf. Vol. 10, Issue 5 (2004), at http://jolt. where the data is actually stored (or the retrieval of the data from that site to richmond.edu/v10i5/article52.pdf. 5. For instance, the offender is based in one or more different countries, the services the computer being searched), or the 19. Malaga, “Requirements for the utilized are in different countries, the use traditional search powers in a more Admissibility in Court of Digital technology protects is anonymous, the coordinated and expeditious manner at Evidence,” in: Syllabus to the European communications are encrypted. both locations.”). See, e.g., American Law Certificate on Cybercrime and Institute, “Model Code of Cybercrime E-Evidence, (2008), p. 208 et seq. 6. Most tellingly, it bears emphasizing Investigative Procedure,” at http://www. that e-evidence is information stored crime-research.org/library/Model_Code. 20. See, e.g., Searching and Seizing or transmitted in binary form (“0” and htm. Computers and Obtaining Electronic “1”), and that that binary code assigns a Evidence in Criminal Investigations, bit string to each symbol or instruction. 11. USC Title 18, §§ 3123 (1986). supra note 7; US Dept. of Justice, Such being the case, the evidence is in Criminal Division, Office of Professional 12. USA PATRIOT Act, supra § 1 C, note 10. many ways both illusionary and illusive: Development and Training, “Federal the “original” evidence can be identically 13. See supra § 1 B. Guidelines for Searching and Seizing copied with no difference between the Computers,” Bureau of National two except the time of their existence, 14. Korea: Criminal Procedure Act, No. Affairs, Criminal Law Reporter, Vol. 56 and its integrity can be very easily 12784 (15 Oct. 2014) [hereafter “Korean (1994), p. 5, at https://epic.org/security/ compromised. For deeper discussion, see Criminal Procedure Act”], at http:// computer_search_guidelines.txt; Korean supra § 2 B. elaw.klri.re.kr/eng_mobile/viewer. Constitution, Art.12(1) & 12(3); Korean do?hseq=33081&type=sogan&key=9 (in Criminal Procedure Act, supra note 14, at 7. US Dept. of Justice, Searching and English), Art. 106(3), (“Where the object to Arts. 114 & 215. See also infra § 2 C, case Seizing Computers and Obtaining be seized is a computer disc or other data 2.9. Electronic Evidence in Criminal storage medium similar thereto […], the Investigations (Washington: Office court shall require it should be submitted 21. In US law, contraband, an instrumentality of Legal Education, 2009) [hereafter, after the data therein are printed out or of a crime or fruits of crime and therefore “Searching and Seizing e-Evidence”], it is copied within the specified scope may be physically seized. See Rule 41, at https://www.justice.gov/sites/default/ of the data stored: Provided, That the Federal Rules of Criminal Procedure, at files/criminal-ccips/legacy/2015/01/14/ data storage medium or such may be https://www.law.cornell.edu/rules/frcrmp/ ssmanual2009.pdf; UNODC Cybercrime seized, when it is deemed substantially rule_41. See also Giordano, supra note 18. Study, supra § 1 C, note 7. impossible to print out or copy the specified scope of the data or deemed 22. Ibid. substantially impracticable to accomplish 23. Ibid., at 71. the purpose of seizure.”). 24. See, e.g., United States v. Huitt, 2007 WL 2355782, at *4, (D. Idaho 2007). Page 148 | Chapter 2 | End Notes Table of Contents 25. Supreme Court of Korea, Order 38. United States v. Austin Ayers Winther, 48. Regarding the ability to manipulate 2009Mo1190 (26 May 2011), at http:// (E.D. Pa. 2011), p. 21, at http://www. the time information and the response library.scourt.go.kr/SCLIB_data/ paed.uscourts.gov/documents/ in forensic investigations, see Pavel decision/15-2009Mo1190.htm (summary opinions/11d1281p.pdf (quoting the US Gladyshev & Ahmed Patel, “Formalizing in English). Federal Rules of Criminal Procedure, Event Time Bounding in Digital supra note 36). Investigations, International Journal of 26. Ibid. at para.2. Digital Evidence,” Vol. 4, No. 1 (2005); 39. Supreme Court of Korea, Order Regarding dynamic time analysis, see 27. Ibid. at para.1. 2011Do10508 (29 Mar. 2012), at Michael C. Weil, “Dynamic Time & Date http://www.law.go.kr/precInfoP. Stamp Analysis,” International Journal of 28. Ibid. do?mode=0&evtNo=2011%EB%8F Digital Evidence, Vol. 1, Issue 2, (2002). 29. Ibid. %8410508 (in Korean). See also UN Committee against Torture, 49. Eoghan Casey, Digital Evidence and 30. Field tools include Cellebrite, UltraDock, “Consideration of reports submitted Computer Crime, (London: Academic EnCase Portable, etc. For more by States parties under article 19 of the Press, 2004), p. 16. information, see “22 Popular Computer Convention pursuant to the optional Forensics Tools,” InfoSec Institute, at reporting procedure,” Third to Fifth 50. Carole Chaski, “Who’s at the Keyboard? http://resources.infosecinstitute.com/ Periodic Reports of States Parties Authorship Attribution in Digital Evidence computer-forensics-tools/. due in 2012, Korea, (29 Feb. 2016), at Investigations,” International Journal of http://docstore.ohchr.org/SelfServices/ Digital Evidence, Vol. 4, No. 1 (2005). 31. Brown, supra note 8. FilesHandler.ashx?enc=6Q 51. Brown, supra note 8. 32. Gon Ruibin & Mathias Gaertner, “Case- kG1d%2FPPRiCAqhKb7yhsvF6hiQLJAnp Relevance Information Investigation: G6iplFwLNHHRo0OD78WS4LFAhS78yb 52. For guidelines on how to carry out the Binding Computer Intelligence to the K9cAdJ5ZfbR4liAXIyMG4l6gfS%2BNuCz6 seizure of computer equipment, see, Current Computer Forensic Framework,” URY2YsRMgaSD1rC4Di8J1OSunD47yX e.g., General Guidelines for Seizing International Journal of Digital Evidence, d4UH. Computers and Digital Evidence, US Vol. 4, No. 1 (2005). State of Maryland, Maryland State 40. UNODC Cybercrime Study, supra § 1 C, Police, at https://www.coursehero.com/ 33. Giuseppe Vaciago, Digital Evidence note 7, at 159. file/8005384/Article-Maryland-Seize- (Torrino: Giappichelli, 2012), “Situation Computers-1/. 41. Ibid. Report on the Admissibility of Electronic Evidence in Europe,” (Ch. II.1), in: 42. Richard Nolan, Colin O’Sullivan, Jake 53. Lange & Nimsger, supra note 16, at 24. Syllabus to the European Certificate on Branson & Cal Waits, First Responders 54. Gladyshev & Patel, supra note 48, at 283 Cybercrime and E-Evidence, (2008), p. Guide to Computer Forensics, (Arlington, et seq. 220. VA: SEI, 2005), p. 64, at https:// resources.sei.cmu.edu/asset_files/ 55. The Toolkit uses the term “ISP” to include 34. See Weeks v. United States, 232 U.S. Handbook/2005_002_001_14429.pdf. all electronic communications service 383 (1914). See also, H. Frank Way, providers, and not only internet service Jr., “Exclusion of Evidence Illegally 43. Leigland & Krings, supra note 14, at 9. providers. Obtained,” Tennessee Law Review, Vol. 26 (1959) (noting that this “rule […] holds 44. See John Vacca, Computer Forensics, 56. UNODC Cybercrime Study, supra § 1 C, that an individual, whose rights have been Computer Crime Scene Investigation, (2d note 7, at 144. violated under the Fourth Amendment, ed.), (Hingham, MA: Charles River Media, can prohibit the introduction in a trial 2005), p. 30. 57. For an overview of the debate, see Marco against him of any evidence seized as a Gercke, “The Role of Internet Service 45. Botnets is a short term for a group result of the illegal search and seizure. The Providers in the Fight Against Child of compromised computers running rule generally works through mechanics Pornography,” Computer Law Review programs that are under external of a pre-trail motion for the exclusion International, (2009), p. 65 et seq. control. For more details, see Clay and/or suppression of the illegally seized Wilson, Botnets, Cybercrime, and Cyber 58. See Cormac Callanan & Marco Gercke, evidence.”). Terrorism: Vulnerabilities and Policy Issues Study on the Cooperation Between 35. US Rules Enabling Act, USC Title 28, §§ for Congress, (Washington, DC: US Dept. Service Providers and Law Enforcement 2072, 2074. of State, 2007), p. 4, www.fas.org/sgp/crs/ Against Cybercrime: Towards Common terror/RL32114.pdf. See also collected Best-of-Breed Guidelines?, (Strasbourg: 36. US Federal Rules of Criminal Procedure resources, and links in the ITU Botnet CoE, 2008), at https://rm.coe.int/ (eff. 16 Dec. 2016), Rule 41(e)(2)(B) Mitigation Toolkit, (2008), at www.itu.int/ CoERMPublicCommonSearchServices/D (Warrant Seeking Electronically Stored ITU-D/cyb/cybersecurity/projects/botnet. isplayDCTMContent?documentId= Information), at http://www.uscourts. html. 09000016802f69a6. gov/rules-policies/current-rules-practice- procedure. 46. Nolan et al., supra note 42, at 29. 37. Ibid. 47. Lange & Nimsger, supra note 16. Page 149 | Chapter 2 | End Notes Table of Contents 59. John Leyden, “FBI Sought Approval to 66. “Is Bitcoin Turning into a Cyber 73. Loretta A. Preska, Chief US District Judge, Use Spyware against Terror Suspects”, Crime Currency?,” Cyberoam, (6 Dec. Memorandum and Order, In the Matter Register, (8 Feb. 2008), at www.theregister. 2012), at https://web.archive.org/ of a Warrant to Search a Certain Email co.uk/2008/02/08/fbi_spyware_ploy_app/; web/20160404100125/http://www. Account Controlled and Maintained by Declan McCullagh, “FBI Remotely Installs cyberoam.com/blog/is-bitcoin-turning- Microsoft Corporation, (S.D.N.Y. 2014), at Spyware to Trace Bomb Threat,” CNet, into-a-cyber-crime-currency-2/ (“The http://online.wsj.com/public/resources/ (18 Jul. 2007), at https://www.cnet.com/ trouble becomes obvious when creators documents/microsoftstay.pdf. news/fbi-remotely-installs-spyware-to- of dreaded Zeus Botnet start using trace-bomb-threat/; Bogdan Popa, “FBI Bitcoins for transactions, the anonymous Fights against Terrorists with Computer drug sites do brisk business through Viruses,” Softpedia, (19 Jul. 2007), at Bitcoins, hacktivists are quick to Tweet http://news.softpedia.com/news/FBI- their gratitude on anonymous Bitcoin Fights-Against-Terrorists-With-Computer- donation and Wikileaks openly proclaims Viruses-60417.shtml. acceptance of Bitcoin donation. So is the currency turning into a crime currency? 60. Gaurav Gupta, Chandan Mazumdar, The inherent structure of Bitcoin system is & M.S. Rao, “Digital Forensic Analysis based on P2P network that lacks a central of E-Mails: A Trusted E-Mail Protocol,” server making it very difficult to detect International Journal of Digital Evidence, criminal transactions, discover the identity Vol. 2, No. 4 (2004). of users or acquire full transaction records of illicit money transfers. The security 61. For more information, see Larry Crumbley, companies are forever racing against Lester Heitger & Stevenson Smith, cybercrime in securing businesses and Forensic and Investigative Accounting, institutions. And in case of breaches, the (2005), § 14.12; Michael Caloyannides, security companies provide electronic Privacy Protection and Computer trail, which the law applies to trace the Forensics, (2004), p. 149. activities in real world that finally nails 62. The term “phishing” describes an act that them. By leveraging the decentralized is carried out to make targets disclose Bitcoin system, criminals not only make it personal/secret information. It originally hard to trail electronically, but leave very described the use of emails to “phish” for few foot prints in the real world, making passwords and financial data from a sea prosecution almost impossible.”); See of Internet users. The use of “ph” is linked also Goodman, supra note 65. to popular hacker naming conventions. 67. See, e.g., UNODC Cybercrime Study, See Marco Gercke, “The Criminalization supra § 1 C, note 7. of Phishing and Identity Theft,” Computer und Resht, (2005), p. 606; Gunter Ollmann, 68. Ibid., at xxv. “The Phishing Guide: Understanding & Preventing Phishing Attacks,” IBM, (8 Jun. 69. Searching and Seizing e-Evidence, supra 2005), at http://pdf.textfiles.com/security/ note 7. For example, the United States nisrphishing.pdf. Code does not require participation of a law enforcement officer in the scene 63. Gladyshev & Patel, supra note 48, at 19. when executing the search and seizure on the communication data stored by 64. For more information, see Von Jens the service provider. For details, see Todt, Fahnder ueberpruefen erstmals USC Title 18, § 2703(g) - Presence of alle deutschen Kreditkarten, Spiegel Officer Not Required, at http://stanford. Online, (8 Jan. 2007), at www.spiegel.de/ edu/~jmayer/law696/week7/Stored%20 panorama/justiz/0,1518,457844,00.html (in Communications%20Act.pdf. German). 70. Microsoft Corp. v. United States, No. 65. Marc Goodman, “Why the Police Don’t 14-2985 (2d Cir. 2016), at http://law.justia. Care About Computer Crime,” Harvard com/cases/federal/appellate-courts/ Journal of Law & Technology, Vol. 10, No. ca2/14-2985/14-2985-2016-07-14.html. 3 (1997), p. 472. 71. USC Title 18, §§ 2701–2712. 72. James C. Francis IV, Magistrate Judge, Memorandum and Order, In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, (S.D.N.Y. 2014), at http://pdfserver.amlaw.com/nlj/microsoft- warrant-sdny.pdf; USC Title 18, § 2703 (a), supra note 64. Page 150 | Chapter 2 | End Notes Table of Contents Referenced in: § D. Evidentiary 13. See ITU Understanding Cybercrime, 16. See, e.g., “10 Modern Forensic Issues supra § 1 B, note 1; Giordano, supra § Science Technologies,” Forensic 2 C, note 18, at 162; Vacca, supra § 2 C, Colleges & Universities, at http://www. note 44, at 21; Ruibin & Gaertner, supra forensicscolleges.com/blog/resources/10- 1. Latin: “The burden of proof is on the one § 2 C, note 32; Mark Reith, Clint Carr modern-forensic-science-technologies. who declares, not on one who denies.” & Gregg Gunsch, “An Examination of Digital Forensic Models,” International 17. For an overview of different forensic 2. Semper necessitas probandi incumbit ei investigation techniques related to Journal of Digital Evidence, Vol. 1, Issue qui agit (Latin: “The necessity of proof the most common technologies, see 3 (2002), p. 3; Ashok Patel & Séamus Ó always lies with the person who lays Megan Carney & Marc Rogers, “The Ciardubhain, “The Impact of Forensic charges”). Trojan Made Me Do It: A First Step in Computing on Telecommunication,” IEEE Communications Magazine, Vol. 38, Statistical Based Computer Forensics 3. “Digital Evidence and Forensics,” No. 11 (2000), p. 64, at http://ieeexplore. Event Reconstruction,” International National Institute of Justice (NIJ), at ieee.org/document/883490/. See also Journal of Digital Evidence, Vol. 2, http://www.nij.gov/topics/forensics/ Mathew Hannan, “To Revisit: What Issue 4 (2004); Eoghan Casey, “Practical evidence/digital/Pages/welcome. Is Forensic Computing,” Australian Approaches to Recovering Encrypted aspx. See also Stephen Mason (ed.), Computer, Network & Information Digital Evidence,” International Journal Electronic Evidence: Disclosure, Discovery Forensics Conference, (Perth, Western of Digital Evidence, Vol. 1, Issue 3 (2002), & Admissibility, (London: Lexis Nexis Australia, 25 Nov. 2004), at https://www. at www.utica.edu/academic/institutes/ Butterworths, 2007), para. 2.03 (defining semanticscholar.org/paper/To-Revisit- ecii/publications/articles/A04AF2FB- digital or e-evidence as “data comprising What-is-Forensic-Computing-Hannan BD97-C28C-7F9F4349043FD3A9.pdf; Orin the output of analogue devices or /7fc8d1c9d7fbdb7368685368954c24fc Kerr, “Searches and Seizures in a Digital data in digital format that is created, 20139cc2 Barbara Etter, “The Forensic World,” Harvard Law Review, Vol. 119 manipulated, stored or communicated by Challenges of E-Crime,” Australasian (2005), p. 531 et seq.; Nolan et al., supra any device, computer or computer system Centre for Policing Research, No. 3 (2001), § 2 C, note 42; Jason Siegfried, Christine or transmitted over a communication p. 4, at https://pdfs.semanti Siedsma, Bobbie-Jo Countryman & system, which is relevant to the process of cscholar.org/15c3/5e8721507feee65d59 Chester D. Hosmer, “Examining the adjudication”). 27bf9d909c9ed1497a.pdf. Regarding Encryption Threat,” International Journal 4. See supra § 2 C. the need for standardization, see of Digital Evidence, Vol. 2, Issue 3 (2002), Matthew Meyers & Marc Rogers, at www.utica.edu/academic/institutes/ 5. See, e.g., Wex, “Evidence,” LII, Cornell “Computer Forensics: The Need for ecii/publications/articles/A0B0C4A4- University Law School, at https://www.law. Standardization and Certification,” 9660-B26E-12521C098684EF12.pdf; cornell.edu/wex/evidence. International Journal of Digital Evidence, Benjamin Turnbull, Barry Blundell, & Jill Vol. 3, Issue 2 (2004), at www.utica.edu/ Slay, “Google Desktop as a Source of 6. ITU Understanding Cybercrime, supra § 1 Digital Evidence,” International Journal B, note 1, at 251–56. academic/institutes/ecii/publications/ articles/A0B7F51C-D8F9-A0D0- of Digital Evidence, Vol. 5, Issue 1 (2006); 7. Brown, supra § 2 C, note 8. 7F387126198F12F6.pdf; Carrie Morgan Matthew Kiley, Tim Shinbara & Marcus Whitcomb, “An Historic Perspective of Rogers, “iPod Forensics,” International 8. Donique Brezinski & Tom Killalea, Digital Evidence: A Forensic Scientist’s Journal of Digital Evidence, Vol. 4, Issue Guidelines for Evidence Collection and View,” International Journal of Digital 2 (2007); Gaurav Gupta & Chandan Archiving, (RFC3227, 2002). Evidence, Vol. 1, Issue 1 (2002), at https:// Mazumdar, “Digital Forensic Analysis www.utica.edu/academic/institutes/ of E-Mails: A Trusted E-Mail Protocol,” 9. Robert O’Harrow, No Place to Hide, International Journal of Digital Evidence, ecii/publications/articles/9C4E695B- (New York: New York Free Press, (2005); Vol. 2, Issue 4 (2007); Mayank R. Gupta, 0B78-1059-3432402909E27BB4.pdf; Peter Stephenson, “A Comprehensive Michael D. Hoeschele & Marcus K. Gregory Hall & Wilbon Davis, “Towards Approach to Digital Incident Rogers, “Hidden Disk Areas: HPA and Defining the Intersection of Forensic and Investigation,” Information Security DCO,” International Journal of Digital Information Technology,” International Technical Report, Vol. 8, Issue 2 (2005), Evidence, Vol. 5, Issue 1 (2006); Carole Journal of Digital Evidence, Vol. 4, pp. 42–54; Aleš Završnik, “Towards an E. Chaski, “Who’s at the Keyboard? Issue 1 (2005), at https://www.utica.edu/ Overregulated Cyberspace,” Masaryk Authorship Attribution in Digital Evidence academic/institutes/ecii/publications/ University Journal of Law & Technology, Investigations,” International Journal of articles/B49F0174-F1FB-FE05- Vol. 4, Issue 2 (2010), pp. 173–90. Digital Evidence, Vol. 4, Issue 1 (2005); EBBB4A8C87785039.pdf; Ryan Leigland & Axel W. Krings, “A Formalization of Digital Ty Howard, “Don’t Cache Out Your 10. See infra § 2 E, box 2.7. Forensics,” International Journal of Digital Case: Prosecuting Child Pornography 11. For an overview of different kinds of Forensics, Vol. 3, Issue 2 (2004), at http:// Possession Laws Based on Images evidence that can be collected by people.cs.ksu.edu/~sathya/formalizing-df. Located in Temporary Internet Files,” computer forensic experts, see Nolan et pdf. Berkeley Technology Law Journal, Vol. 19 al., supra § 2 C, note 42. (2004), p. 1233; Dario Forte, “Analyzing 14. See Vacca, supra § 2 C, note 44, at 21. the Difficulties in Backtracing Onion 12. Oxford English Dictionary. Router Traffic,” International Journal of 15. See infra § 3 B for a discussion of informal Digital Evidence, Vol. 1, Issue 3 (2002), at methods of international cooperation, www.utica.edu/academic/institutes/ecii/ including 24/7 networks and information publications/articles/A04AA07D-D4B8- sharing and coordination centers. 8B5F-450484589672E1F9.pdf. Page 151 | Chapter 2 | End Notes Table of Contents 18. Warren Harrison, George Heuston, Mark 34. Siegfried, supra note 17. Regarding 41. Kerr, supra note 17, at p. 538. Morrissey, Aucsmith & Sarah Mocas, “A the decryption process in forensic Lesson Learned Repository for Computer investigations, see Gordon et al., supra 42. “Computer Forensics Tool Testing Forensics,” International Journal of Digital note 28, at 59. Project,” National Institute of Standards Evidence, Vol. 1, Issue 3 (2002). and Technology (NIST), at http://www.cftt. 35. Ibid. Regarding the forensic software nist.gov. 19. Ruibin & Gaertner, supra § 2 C, note 32. magic lantern, developed as a keylogger used by law enforcement in the United 43. Moore, supra note 26, at 58. 20. ITU Understanding Cybercrime, supra § 1 States, see Christopher Woo and Miranda B, note 1. 44. See Casey, supra § 2 C, note 49, at 16; So, “The Case for Magic Lantern, Vacca, supra § 2 C, note 44, at 39. Highlights the Need for Increased 21. Nolan et al., supra § 2 C, note 42, at 171. Surveillance,” Harvard Journal of Law & 45. Chet Hosmer, “Proving the Integrity of 22. Regarding the challenges of encryption, Technology, Vol. 15, No. 2 (2002), p. 521 Digital Evidence with Time,” International see § 1 D; see also Siegfried, supra note et seq.; Spyware: Background and Policy Journal of Digital Evidence, Vol. 1, 17. issues for Congress, US Congressional No. 1 (2001), p. 1, at www.utica.edu/ Research Service (CRS) Report, (2007), academic/institutes/ecii/publications/ 23. Regarding possible counter strategies for p. 3; Thomas Green, “FBI Magic Lantern articles/9C4EBC25-B4A3-6584-C38C5 law enforcement, see J. Alex Halderman, reality check,” Register, (12 Mar. 2001), 11467A6B862.pdf. Seth D. Schoen, Nadia Heninger et al., at www.theregister.co.uk/2001/12/03/ Lest We Remember: Cold Boot Attacks fbi_magic_lantern_reality_check/; Alex 46. Whitcomb, supra note 13. on Encryption Keys, Proc. 17th USENIX Salkever, “A Dark Side to the FBI’s Magic Security Symposium, (San Jose, CA, 47. Regarding the related procedural Lantern,” Bloomberg, (27 Nov. 2001), Jul. 2008), at http://citp.princeton.edu/ instrument, see Art. 19.3, Budapest at https://www.bloomberg.com/news/ memory. Convention, supra § 1 B, note 32. articles/2001-11-26/a-dark-side-to-the- fbis-magic-lantern; Bob Sullivan, “FBI 48. The bit-streaming method consecutively 24. Nolan et al., supra § 2 C, note 42, at 88. Software Cracks Encryption Wall,” NBC duplicates digital data in its minimum 25. Vaciago, supra § 2 C, note 33. News, (20 Nov. 2001), at http://www. unit–bit. This method enables replication nbcnews.com/id/3341694/ns/technology_ of all data, including those hidden or 26. See Vacca, supra § 2 C, note 44, at 43; and_science-security/t/fbi-software- deleted from the original storage device. Robert Moore, “To View or Not to View: cracks-encryption-wall; Elinor Abreu, “FBI Examining the Plain View Doctrine and Confirms ‘Magic Lantern’ Project Exists,” 49. Korea: “Rule on the Collection and Digital Evidence,” American Journal of Rense, (13 Dec. 2001), at http://www. Analysis of Evidence by Digital Forensic Criminal Justice, Vol. 29, No. 1 (2004), p. rense.com/general17/FBIconfirmsmagic. Investigator,” at http://www.law.go.kr/ 59. htm. main.html (in Korean). 27. Moore, ibid., at 58. 36. See infra § 3 B for discussion informal 50. ITU Understanding Cybercrime, supra § 1 international cooperation encouraging B, note 1, at 251–79. 28. Lange & Nimsger, supra § 2 C, note 14, at information sharing and coordination 6; Gary Gordon, Chet Hosmer, Christine centers. 51. See Nolan et al., supra § 2 C, note 42, at Siedsma & Don Rebovich, Assessing 12. Technology, Methods, and Information for 37. Regarding the plans of German law- Committing and Combating Cyber Crime, enforcement agencies to develop 52. Tom Talleur, “Digital Evidence: The Moral (Washingtong, DC: US Dept. of Justice, a software to remotely access a Challenge,” International Journal of Jan. 2003), p. 38, at https://www.ncjrs.gov/ suspect’s computer and perform search Digital Evidence, Vol. 1, Issue 1 (2002), pdffiles1/nij/grants/198421.pdf. procedures, see John Blau, “Debate p. 1 et seq., at https://www.utica.edu/ Rages over German Government Spyware academic/institutes/ecii/publications/ 29. Ibid. Plan,” Infoworld, (5 Sep. 2007), at http:// articles/9C4E398D-0CAD-4E8D- www.infoworld.com/article/2649377/ CD2D38F31AF079F9.pdf; Eoghan Casey, 30. Consider, for instance, the issue of the FBI “Error, Uncertainty, and Loss in Digital security/debate-rages-over-german- attempting to unlock a recovered Apple Evidence,” International Journal of government-spyware-plan.html; Anne iPhone. See supra § 1 B, case 1.3. Digital Evidence, Vol. 1, Issue 2 (2002), at Broache, “Germany Wants to Sic Spyware on Terror Suspects,” CNet News, (31 Aug. www.utica.edu/academic/institutes/ecii/ 31. Casey, supra note 17. 2007), at https://www.cnet.com/news/ publications/articles/A0472DF7-ADC9- 32. Lange & Nimsger, supra § 2 C, note 16, at germany-wants-to-sic-spyware-on-terror- 7FDE-C80B5E5B306A85C4.pdf. 473; Gordon et al., supra note 28; Marco suspects. 53. See UNODC Cybercrime Study, supra § Gercke, “Challenges Related to the Fight 38. Erin Kenneally, “Confluence of Digital 2 C, note 42, at 39 et seq.; Nolan et al., against Cybercrime,” Multimedia und Evidence and the Law: On the Forensic supra § 2 C, note 42, at 85; Gordon, supra Recht, (2008), p. 297. Soundness of Live-Remote Digital note 28, at 41 et seq. 33. See, e.g., Vindu Goel, “Encryption Is Evidence Collection,” UCLA Journal of 54. Ruibin & Gaertner, supra note 13. More Important, and Easier, Than Ever Law & Technology, Vol. 9, No. 2 (2005). By,” New York Times, (14 Oct. 2015), at 55. Gordon, supra note 28, at 62. http://bits.blogs.nytimes.com/2015/10/14/ 39. See Vacca, supra § 2 C, note 42, at 52. encryption-is-more-important-and-easier- 40. See, e.g., “About Us,” American Board of than-ever/?_r=0. Criminalistics, at http://www.criminalistics. com/. Page 152 | Chapter 2 | End Notes Table of Contents 56. UNODC Cybercrime Study, supra § 1 C 66. For details, Korean Criminal Procedure note 7, at 159, provides that “Hearsay Act, supra § 2 C, note 14, at Art. 310-2. is often defined as ‘evidence given of a statement made on some other occasion, 67. Supreme Court of Korea, supra note 65. when intended as evidence of the truth 68. Korean Criminal Procedure Act, supra § 2 of what was asserted’ (Halbury’s Laws, C, note 14, at Art. 316. (“(1) If a statement Vol. 17). Certain types of digital evidence made by a person other than a criminal may strictly constitute hearsay, but could defendant […] at a preparatory hearing be admitted under exceptions such or a trial conveys a statement of the as ‘business records.’” For details, see criminal defendant, such statement shall Leigland & Krings, supra § 2 C, note 11. be admissible as evidence only if it is 57. See, e.g., ibid., at 167. proved that the statement was made in a particularly reliable state. (2) Oral 58. See, e.g., John H. Wigmore, “The History testimony given by a person other than of the Hearsay Rule,” Harvard Law Review, the criminal defendant at a preparatory Vol. 17, No. 7 (1904), pp. 437–58. hearing or during a trial, the import of which is the statement of a person other 59. United Kingdom: § 114(1) Criminal Justice than the criminal defendant, shall be Act 2003. admissible as evidence only when the person making the original statement 60. Ibid. is unable to testify because he/she is 61. See, e.g., Charles T. McCormick, et al., dead, ill, or resides abroad, his/her McCormick on Evidence, 4th ed., (St. whereabouts is not known, or there is any Paul, MN: West Pub, 1992), p. 428. other similar reason, and only when there exist circumstances which lend special 62. Korean Criminal Procedure Act, supra § 2 credibility to such testimony.”). C, note 14, at Art. 310 et seq., (“[…] any document which contains a statement 69. Ibid., Pre-trial hearings are to be in place of the statement made at a conducted pursuant to Art. 313(1). preparatory hearing or during trial, or 70. Supreme Court of Korea, Decision any statement the import of which is 2006Do2556 (25 Nov. 2008), at http://www. another person’s statement made outside law.go.kr/precInfoP.do?precSeq=125192 preparatory hearing or at the time other (in Korean). See also Blumenthal, supra than the trial date, shall not be admitted note 63, at 72. as evidence.”). 71. See, e.g., Korea: Act on Promotion 63. See, e.g., Jeremy A. Blumenthal, of Information and Communications “Shedding Some Light on Calls for Network Utilization and Information Hearsay Reform: Civil Law Hearsay Rules Protection, Art. 44-7, at http://elaw. in Historical and Modern Perspective,” klri.re.kr/kor_service/converter. Pace International Law Review, Vol. 13, do?hseq=7288&type=PDF (in English). No. 1 (2001), at http://digitalcommons. pace.edu/cgi/viewcon 72. See Jang, supra note 64, at 72. tent.cgi?article=1205&context=pilr. 73. Supreme Court of Korea, Decision 64. Junsik Jang, “The Current Situation and 99Do1252 (25 Feb. 2000), at http://www. Countermeasures to Cybercrime and law.go.kr/%ED%8C%90%EB%A1%80/ Cyber-Terror in the Republic of Korea,” (99%EB%8F%841252) (in Korean). 140th International Training Course Visiting Experts’ Papers. Resource 74. Lee Sook-yeon, “Admissibility and Material Series, No. 79 (2008), UNAFEI, Examination of Digital Evidence: With p. 52, at http://www.unafei.or.jp/english/ a Focus on the Criminal Procedure,” pdf/RS_No79/No79_08VE_Jang1.pdf (in Supreme Court Law Journal, Vol. 2, No. 2 English). (2012), p. 77, at http://library.scourt.go.kr/ SCLIB_data/publication/m_531306_v.2-2. 65. Supreme Court of Korea, Decision, pdf (in English). 99Do2317 (3 Sep. 1999), at http://www. law.go.kr/%ED%8C%90%EB%A1%80/ 75. As discussed further on, INTERPOL has (99%EB%8F%842317) (in Korean). See already established information sharing Oh Gi-du, “Statement of Defendant and and coordination centers, which might Authentication of Electronic Documents,” be used as places of instruction and Supreme Court Law Journal, Vol. 3, No. knowledge sharing. See § 3 B, below. 2 (Dec. 2013), p. 73, at http://library. scourt.go.kr/SCLIB_data/publication/ 76. UNODC already sets evidentiary m_531306_v.3-2.pdf (in English). standards. Page 153 | Chapter 2 | End Notes Table of Contents Referenced in: § E. Jurisdictional 8. Max Weber, “Politics as a Vocation,” Max 22. See, e.g., Budapest Explanatory Report, Issues Weber: Essays in Sociology, (Oxford: supra § 1 D, note 4, at para. 233. Oxford University Press, 1946), pp. 77–128, at http://polisci2.ucsd.edu/foundation/ 23. Ibid. 1. Oxford English Dictionary. documents/03Weber1918.pdf. 24. See, e.g., Abraham D. Sofaer, Seymour 2. Kim Soukieh, “Cybercrime–The Shifting 9. Mark Landler, “A Filipino Linked to ‘Love E. Goodman, Mariano-Florentino Cuéllar Doctrine of Jurisdiction,” Canberra Law Bug’ Talks about his License to Hack,” et al., “A Proposal for an International Review, Vol. 10 (2011), pp. 221–38. New York Times, (21 Oct. 2000), at http:// Convention on Cyber Crime and www.nytimes.com/2000/10/21/business/a- Terrorism,” Hoover Institution, CRISP, 3. See, e.g., Babcock v. Jackson, 191 N.E.2d CISAC & Stanford University (Aug. filipino-linked-to-love-bug-talks-about-his- 279 (N.Y. 1963). The collective corpus of 2000), at http://cisac.fsi.stanford.edu/ license-to-hack.html. procedural law devoted to the matter sites/default/files/sofaergoodman.pdf. determining the legal system and the 10. Lorenzo Franceschi-Bicchierai, “Love Transnational fraud, for example, has led law of jurisdiction applying to a given Bug: The Virus That Hit 50 Million People to decisions by national courts assuming legal dispute is known as conflicts of Turns 15,” Motherboard, (4 May 2015), at jurisdiction on the basis of any significant laws at large, although (especially in civil http://motherboard.vice.com/read/love- connection to the conduct involved. law jurisdictions) those matters are often bug-the-virus-that-hit-50-million-people- Among these are the states where a fraud addressed in private and, to a lesser turns-15. was planned, where an effort to defraud extent, in public international law. See, was initiated, where individuals worked at e.g., Robert C. Lawrence, III, International 11. Landler, supra note 9. implementing the fraud, where or through Tax and Estate Planning (3d ed. 1999), which communications were made that Ch. 1. The ability and means of a court of 12. The basis for international public law were intrinsic to the fraud, where the the forum jurisdiction to resolve conflicts is by and large built upon the notion victims were located, and where the of laws is in and of itself an exertion of of Westphalian sovereignty. See, e.g., fraud had material and intended effects. jurisdiction. See ibid. For that and other Andreas Osiander, “Sovereignty, The widespread recognition of fraud as reasons, the Budapest Convention does International Relations, and the criminal activity leads states readily to nothing more than allow, “When more Westphalian Myth,” International find jurisdiction over such activity, despite than one Party claims jurisdiction over an Organization, Vol. 55, (2001), pp. 251–87. the significant relationship particular alleged offence established in accordance 13. See, e.g., Budapest Convention, supra § 1 frauds may have to other states. They with this Convention, the Parties involved B, note 32, at Art. 22.1 et seq.,. tend to assume that punishing fraud will shall, where appropriate, consult with a be supported by other affected states, view to determining the most appropriate 14. Korea: Criminal Act, (30 Dec. 2014) rather than opposed as violating their jurisdiction for prosecution.” Budapest [hereafter, “Korean Criminal Act”], at sovereignty. At the very least, leaving Convention, supra § 1 B, note 32, at Art. http://www.oecd.org/site/adboecdanti- aside the heightened dangers posed 22.5 (emphasis added). See also Budapest corruptioninitiative/46816472.pdf, Art. 2. by cybercrime, the same rationale that Explanatory Report, supra § 1 D, note 14, supports such a broad assertion of at para. 239. 15. See, e.g., Budapest Convention, supra § 1 jurisdiction over fraud supports a similar B, note 32, at Art. 22.1.b. assertion of jurisdiction over cybercrime. 4. It bears noting that while there are positive jurisdictional conflicts—where 16. Ibid., at Art. 22.1.c. 25. Budapest Convention, supra § 1 B, note several states seek jurisdiction over the 32, at Arts. 2–11. 17. Convention on the Law of the Sea, (10 same crime—, negative ones, where Dec. 1982) UN Doc A/Conf.62/122, UN no state claims jurisdiction, also exist. 26. See, e.g., 1999 Revision of the Model Reg. No I-31363, Part VII High Seas, § To limit the occurrence of the latter State Computer Crimes Code, supra note 1 General Provisions, Art. 87; see also, scenario for cybercrimes—which could 21; see also Budapest Convention, supra e.g., Budapest Convention, supra § 1 B, potentially leave would-be plaintiffs § 1 B, note 32, at Art. 22.1.d. note 32, at Art. 4., (“This Act shall apply without any recourse—, the Budapest to aliens who commit crimes on board a 27. See Budapest Explanatory Report, supra § Convention, for one, lists the bases Korean vessel or Korean aircraft outside 1 D, note 14, at para. 236. on which a country may or must assert the territory of the Republic of Korea.”). jurisdiction over a crime covered (Arts. 28. Ibid. 2–11), as well as obliging signatories to 18. Ibid. See Warsaw Summit Communiqué, establish those acts as criminal offenses supra § 1 A, note 12. 29. See infra for discussions of dual in their jurisdictions (Art. 22 et seq.). See criminality. Also, in order to avoid a Budapest Convention, supra § 1 B, note 19. Budapest Convention, supra § 1 B, note case of negative jurisdiction, where no 32. Principles of sovereignty allows that 32. state claims jurisdiction, the Budapest Parties to the Convention are in no way Convention allows that the principle of limited in asserting jurisdiction over other 20. ITU Understanding Cybercrime, supra § nationality might be used to prosecute crimes pursuant to their domestic law, 1 B, note 1, at 235–38; Brenner & Koops, an offender acting in a “place outside the and independent of the Convention. See, “Approaches to Cybercrime Jurisdiction,” territorial jurisdiction of any State”. See e.g., ibid., at Art. 22.4. p. 6. Budapest Explanatory Report, supra § 1 21. See, e.g., 1999 Revision of the Model D, note 14. 5. See §§ 2 C, 2 D & 3 C. State Computer Crimes Code, § 1.03 (A- 30. Supra ITU Understanding Cybercrime, 6. See § 3 D. E), http://www.crime-research.org/library/ supra § 1 B, note 1, at 237; see also, Model.htm. 7. Brenner, supra § 1 B, note 2. Korean Criminal Act, supra note 14, at Arts. 3 & 5. Page 154 | Chapter 2 | End Notes Table of Contents 31. Ibid., ITU Understanding Cybercrime, at 41. See, e.g., USC Title 18,§§ 792–99 (the 56. See Karen DeYoung, “Intense Diplomacy 237. “Espionage Act”). between Secretary of State Kerry and His Iranian Counterpart to Secure Sailors,” 32. LICRA and UEJF v. Yahoo! Inc. and Yahoo 42. Budapest Explanatory Report, supra § 1 Washington Post, (13 Jan. 2016), at France, Tribunal de grande instance de D, note 14, at para. 237. https://www.washingtonpost.com/news/ Paris, Ordonnance de référé (11 Aug. checkpoint/wp/2016/01/13/intense- 2000); see also, LICRA and UEJF vs. 43. Armando Cottim, “Cybercrime, diplomacy-between-secretary-of-state- Yahoo! Inc. and Yahoo France, Tribunal de Cyberterrorism and Jurisdiction: An kerry-and-his-iranian-counterpart-to- grande instance de Paris, Ordonnance de Analysis of Article 22 of the COE secure-sailors-release/. référé (22 May 2000). Convention on Cybercrime,” European Journal of Legal Studies, Vol. 2, Issue 57. Jamie Crawford, “Kerry Tells Iran in Long 33. Yahoo! Inc. v. LICRA and UEJF, 433 F.3d 3 (2010), at http://www.ejls.eu/6/78UK. Day of Calls: This Can be ‘a Good Story 1199 (9th Cir. 2006). htm#_ftnref34. for Both of Us’, ” CNN, (13 Jan. 2016), at http://www.cnn.com/2016/01/13/politics/ 34. France: Code pénal, Art. R645-1 44. See, e.g., France: Code de procédure john-kerry-iran-zarif-sailors/. (prohibiting the wearing or exhibiting pénal, Art. 689 (authorizing French courts in public uniforms, insignias, and to exert jurisdiction for committing of 58. Budapest Convention, supra § 1 B, note emblems that recall those used by (i) any of the following acts beyond the 32, at Art. 22.5. an organization that declared illegal in French territory: torture, terrorism, nuclear application of Art. 9 of the Nuremberg smuggling, naval piracy, and airplane 59. “Dual criminality” (also known as “double Charter, or (ii) an individual who found hijacking); see also, Xavier Philippe, criminality”) refers to a requirement that guilty of crimes against humanity). “The Principles of Universal Jurisdiction the act subject to a request for extradition and Complementarity: How Do the Two or mutual legal assistance must be a 35. Ibid. Principles Intermesh?,” International criminal offence under the laws of both Review of the Red Cross, Vol.88, No. 862 custodial and requesting States. See, 36. Yahoo! Inc. v. UEJF and LICRA, Order (2006), at https://www.icrc.org/eng/assets/ supra § 2 A. Denying Motion to Dismiss, (N.D. files/other/irrc_862_philippe.pdf. Cal. 2001), at http://cyber.law.harvard. 60. For a detailed discussion of other edu/stjohns/Yahoo.html; Yahoo! Inc. 45. Philippe, ibid. jurisdictional possibilities, see Budapest v. UEJF and LICRA, Order Granting Explanatory Report, supra § 1 D, note 14, Motion for Summary Judgment, 46. See supra § 2 A. at para. 234–35. (N.D. Cal. 2001), at http://law.justia. com/cases/federal/district-courts/ 47. Budapest Explanatory Report, supra § 1 FSupp2/169/1181/2423974/. D, note 14, at para. 237–38. 37. Yahoo! Inc. v. LICRA and UEJF, supra note 48. Budapest Convention, supra § 1 B, note 33. 32, at Art. 22. The Budapest Convention allows that each signatory might alter its 38. See Italy: Codice penale, Art. 7; France: bases for setting jurisdiction, and that Code pénal, Art. 113-10; Germany: those provided in the Convention are not Strafgesetzbuch, § 6; and Spain: Código exclusive. Budapest Explanatory Report, penal, Art. 5, No. 1, which specifically supra § 1 D, note 14, at para. 238. deals, inter alia, with computer crime. See also, United States v. Zehe, 601 F. Supp. 49. Australia: Australian Criminal Code Act, 196 (D. Mass. 1985) (where, under the Art.14 & 15, at http://www.austlii.edu.au/ Espionage Act (USC Title 18, §§ 792–99), au/legis/cth/consol_act/cca1995115/sch1. the government brought criminal charges html. against an East German citizen for alleged 50. Ibid., at Art. 14(1). acts of espionage—a threat to national security—against the United States 51. Ibid., at Art.15 (14); see also ibid., at Art. committed in Mexico and in Germany); 16 et seq. see also, Korean Criminal Act, supra note 14, at Art. 6. 52. Ibid., at Art. 14.1. 39. See, e.g., Damien Geradin, Marc Reysen 53. Gregor Urbas, “Cybercrime, Jurisdiction & David Henry, “Extraterritoriality, Comity and Extradition,” Journal of Internet Law, and Cooperation in EC Competition (2012), pp. 9–10. Law,” SSRN, (Jul. 2008), at http://papers. 54. “About the Computer Crime & ssrn.com/sol3/papers.cfm?abstract_ Intellectual Property Section,” US Dept. id=1175003. of Justice, at https://www.justice.gov/ 40. See, e.g., J. P. Griffin, “Extraterritoriality criminal-ccips. in US and EU Antitrust Enforcement,” 55. Ibid. Antitrust Law Journal, Vol. 67 (1999), p. 159. For a class case, see United States v. Aluminum Company of America (Alcoa), 148 F.2d 416 (2d Cir. 1945). Page 155 | Chapter 2 | End Notes Table of Contents Referenced in: § F. Institutional 6. UK Cabinet Office and UK National 16. UK National Security Secretariat, supra Framework Security Secretariat, “The UK Cyber note 6. Security Strategy – Protecting and Promoting the UK in a Digital World,” 17. See UK Cabinet Office & UK National 1. See supra § 2 C. (London: Crown, 2011), at https://www. Security Secretariat, “The UK Cyber gov.uk/government/uploads/system/ Security Strategy 2011-2016: Annual 2. See, e.g., “National Cyber Security Report,” (14 Apr. 2016), at https://www. uploads/attachment_data/file/60961/uk- Strategies in the World,” European Union gov.uk/government/publications/the-uk- cyber-security-strategy-final.pdf. Agency for Network and Information cyber-security-strategy-2011-2016-annual- Security (ENISA), at https://www.enisa. 7. See UK Cabinet Office and UK National report. europa.eu/activities/Resilience-and-CIIP/ Security Secretariat, “Cyber Security national-cyber-security-strategies-ncsss/ Strategy: Progress So Far,” (London: 18. UK Cabinet Office, supra note 7. national-cyber-security-strategies-in-the- Crown, 2013), at https://www.gov.uk/ world. 19. Korea: Act on Promotion of Information government/collections/cyber-security- and Communications Network Utilization strategy-progress-so-far--2. 3. Stuxnet virus was the name of and Data Protection, etc., Act 1, at sophisticated malicious code, believed 8. See The Rt Hon Matt Hancock MP, UK http://www.worldlii.org/int/other/ to have been developed by US and Cabinet Office & UK National Security PrivLRes/2005/2.html (in English). Israeli governments, that was used to Secretariat, “UK Cyber Security Strategy: force the failure of nuclear centrifuges 20. See “United States Secret Service Statement on the Final Annual Report,” of the Natanz uranium enrichment plant Electronic Crimes Task Forces,” at (14 Apr. 2016), at https://www.gov.uk/ in Iran. Rather than hijack computers https://www.dhs.gov/sites/default/files/ government/speeches/uk-cyber-security- themselves or steal information stored publications/USSS%20Electronic%20 strategy-statement-on-the-final-annual- thereon, Stuxnet targeted the equipment Crimes%20Task%20Force.pdf. report. and infrastructure controlled by those 21. Michael Kraft & Edward Marks, US computers. Understood as the “world’s 9. ITU Understanding Cybercrime, supra § 1 Government Counterterrorism: A Guide first digital weapon,” the air-gap—a B, note 1. to Who Does What, (Boca Raton, FL: CRC network security measure used to Press, 2012). ensure that a secure computer network 10. The UK Home Office is the government is physically isolated from unsecured department responsible for immigration, 22. See “Electronic Crimes Task Forces ones—was overcome, and Stuxnet counter-terrorism, police, drugs policy (ECTF),” The White House of introduced into the physically-isolated and related science and research. See President Barack Obama, at https:// Natanz plant, through contaminated USB “Home Office,” Gov.uk, at https://www. obamawhitehouse.archives.gov/files/ keys. It is believed to have been used as a gov.uk/government/organisations/home- documents/cyber/United%20States%20 model for the failed cyberattack on North office. Secret%20Service%20-%20Electronic%20 Korean. See, e.g., Kim Zetter, Countdown 11. “Department for Business, Energy Crimes%20Task%20Forces.pdf to Zero Day: Stuxnet and the Launch of and Industrial Strategy (BEIS),” Gov. the World’s First Digital Weapon, (New 23. USA PATRIOT Act, supra § 1 C, note 10, uk, at https://www.gov.uk/government/ York: Crown Publishers, 2014). Kim Zetter, at § 105. organisations/department-for-business- “An Unprecedented Look at Stuxnet, the innovation-skills. The UK Cyber Security 24. See “Combatting Cyber Crime,” US Dept. World’s First Digital Weapon,” Wired, Strategy speaks of the Department for of Homeland Security, at https://www.dhs. (3 Nov. 2014), at https://www.wired. Business, Innovation and Skills (BIS); gov/topic/combating-cyber-crime. com/2014/11/countdown-to-zero-day- however, that office and the Department stuxnet/. See also, Rachael King, “Stuxnet of Energy and Climate Change 25. Sophia Yan & K.J. Kwon, “Massive Data Infected Chevron’s IT Network,” Wall (DECC) have since merged to form the Theft Hits 40% of South Koreans,” Street Journal, (8 Nov. 2012), at http:// Department for Business, Energy and CNNTech, (21 Jan. 2014), at http://money. blogs.wsj.com/cio/2012/11/08/stuxnet- Industrial Strategy (BEIS). Ibid. cnn.com/2014/01/21/technology/korea- infected-chevrons-it-network/. data-hack/. 12. “Department for Culture, Media and 4. Joseph Menn, “Exclusive: US Tried Sport,” Gov.uk, at https://www.gov.uk/ 26. See supra § 2 B, box 2.3. Stuxnet-Style Campaign Against North government/organisations/department- Korea but Failed—Sources,” Reuters, 27. Yan § Kwon, supra note 25. for-culture-media-sport. (29 May 2015), at http://www.reuters. com/article/us-usa-northkorea-stuxnet- 13. ”Cabinet Office,” Gov.uk, at https:// idUSKBN0OE2DM20150529. www.gov.uk/government/organisations/ cabinet-office. 5. See, e.g., “National Strategies,” ITU, at www.itu.en/ITU-D/Cybersecurity/Pages/ 14. ”Ministry of Defence,” Gov.uk, at https:// National-Strategies.aspx. www.gov.uk/government/organisations/ ministry-of-defence. 15. ”Foreign and Commonwealth Office,” Gov.uk, at https://www.gov.uk/ government/organisations/foreign- commonwealth-office. Page 156 | Chapter 2 | End Notes Table of Contents CHAPTER 3 National Legal Frameworks Building on the procedural, evidentiary, jurisdictional and institutional issues discussed in chapter 2, this chapter provides an overview of substantive criminal aspects of cybercrime and how they are expressed in national legal frameworks. In this Chapter A. Substantive Law 158 Page 157 | Chapter 3 | National Legal Frameworks CHAPTER 3 A. Substantive Law Table of Contents Introduction 158 I. Existing National Cybercriminal Legislation 159 A. Illegal Access 159 B. Illegal Acquisition of Computer Data 160 C. Illegal Interception of Computer Data 161 D. Illegal Interference with Computer Data 161 E. Illegal System Interference 162 F. Misuse of Devices 162 G. Fraud 163 H. Forgery 163 I. Spamming 164 J. Child Pornography Offences 165 K. Copyright & Trademark Offences 166 II. Safeguards 166 A. General Due Process Considerations 167 B. Privacy & Data Protection 167 C. Freedom of Expression 167 Conclusion 167 Introduction In chapter 2, above, the various aspects of cybercrime are addressed at a high level— first, laying out a working definition of cybercrime (see section 2 A), then having discussed what conduct is criminalized (see section 2 B), and going on to consider procedural (see section 2 C), evidentiary (see section 2 D), jurisdictional (see section 2 E) and institutional (see section 2 F) issues. This chapter tries to give a more concrete understanding of those matters. This subsection shows how the already-discussed offences appear in national laws. It also introduces the idea of the how certain safeguards—general due process issues as well as data protection and freedom of expression - appear in national law. Just as there is no one, globally accepted definition of cybercrime (see section 2 A, above), similarly, acts constituting cybercrime differ from state to state, with each state determining the various constitutive elements through Page 158  |  Chapter 3  |  § A. Substantive Law Table of Contents its own domestic processes. As a result of this fragmentation, certain behavior that is understood as criminal in one country may not necessarily be classified as criminal in another; accordingly, perpetrators may not necessarily be subject to criminal punishment largely due to the absence of dual criminality (see section 2 A, above).1 In instances where criminal sanctions may not be available, civil or administrative measures may exist for specific types of individual cybercrime acts.2 I. Existing National Cybercriminal Legislation While various cybercrimes have been discussed in section 2 B, above, this section, following the same construction, considers how national laws have addressed such concerns by looking at the following cybercrimes: (A) the unauthorized access to a computer system, or hacking, (B) illegal acquisition of computer data, (C) illegal interception of computer, (D) illegal access to, and interfering with, computer data, (E) illegal system interference, (F) misuse of devices, (G) fraud, (H) forgery, (I) spamming, (J) child pornography and (K) copyright and trademark offenses. A. Illegal Access Illegal access to a computer system, is, in many ways, one of the most basic cybercrimes as it enables subsequent (cyber)criminal behavior (see section 2 B, above). Correspondingly, that behavior is now widely, though not universally, criminalized. Many countries criminalize hacking through cyber-specific legislation,3 while others criminalize such acts by way of a general offence.4 Depending on the jurisdiction’s chosen approach, the perpetrator must have a certain “guilty” mental state, or mens rea, in order to be found culpable of this offense.5 Some states take an approach that expands this offense beyond unauthorized access to include continued or remained access to the computer system beyond that initial unauthorized trespass, or, if authorization existed, then presence beyond the period or purposes for which that authorization was granted. Other jurisdictions classify “illegal access”—what is often termed as “unauthorized monitoring”6—as a separate offense under separate provisions. Some national laws make illegal access a criminal offense only if it is paired with interference to or with that data— for instance, the copying, blocking, destroying, modifying or deleting of the data7; others criminalize the activity only if such illegal access is committed in connection with one of the components of illegal data or system interference. It is considered good practice to avoid adding further elements to the base-level crime, as doing so might lead to difficulties in distinguishing between other offences (e.g., data espionage, illegal data or system interference), as well as limiting interoperability.8 Page 159  |  Chapter 3  |  § A. Substantive Law Table of Contents Box 3.1: Saint Vincent and the Grenadines Example of Legislation Criminalizing Hacking A person who intentionally, without lawful excuse or justification, accesses the whole or any “ part of an information system commits an offence and is liable on conviction [….]”9 B. Illegal Acquisition of Computer Data The illegal acquisition of computer data refers to obtaining computer data intentionally without authorization. The offense generally lies in the intentional unauthorized possession of such data alone; it does not depend on what may have been done with either that data or to the original data. However, the statutes in some countries require additional elements, such as that a person has breached security measures, or has a specific dishonest intent. Box 3.2: Kazakhstan Example of Legislation Criminalizing Illegal Access to Computer Data “Illegal access to computer information which is protected by law, that is information on a storage medium, in a computer, computer system, or computer network, and equally violation of the rules for operation of a computer, computer system or their network by persons, [by persons and through the creation of programs for computers] who have access to the computer, computer system or their network, if this action entailed destruction, blocking, modification, or the copying of information, or disruption of the work of a given computer, computer system, or computer network [….]”10 In Germany, a wider net is cast, with any data, regardless of its status or of the acquirer’s purpose, being protected from unauthorized acquisition.11 Box 3.3: Germany Example of Legislation Criminalizing Illegal Access to Computer Data Whosoever unlawfully obtains data for himself or another that were not intended for him and “ were especially protected against unauthorized access, if he has circumvented the protection, shall be liable [….]”12 Page 160  |  Chapter 3  |  § A. Substantive Law Table of Contents “[…] above data shall only be those stored or transmitted electronically or magnetically or otherwise in a manner not immediately perceivable.”13 C. Illegal Interception of Computer Data Illegal interception of computer data refers to acts involving intercepting data during transmission without authorization. At the national level, while many states cover illegal interception of computer data transmitted by cyber-specific legislation, others apply existing laws that criminalize unlawful interception of communications.14 Further, while, in some states, the scope of the offence is unrestricted, in others it is limited to private transmissions.15 Box 3.4: Botswana Example of Legislation Criminalizing Illegal Interception of Computer Data A person who intentionally and by technical means, without lawful excuse or justification, “ intercepts— (a) any non-public transmission to, from or within a computer or computer system; or (b) electromagnetic emissions that are carrying data, from a computer or computer system, commits an offence [….]”16 D. Illegal Interference with Computer Data Quite similar to illegal access to computer data, illegal data interference refers to the unauthorized or unjustified interference with computer data (e.g., inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing).17 Box 3.5: Portugal Example of Legislation Criminalizing Illegal Data Interference Whoever, without legal permission or authorization from the owner or holder of the “ right over the full system, or part thereof, deletes, alters, fully or partially deteriorates, damages, suppresses or renders unusable or inaccessible other people’s programmes or other computer data or by any other means seriously hinders their functioning, shall be punishable[….]”18 Page 161  |  Chapter 3  |  § A. Substantive Law Table of Contents E. Illegal System Interference Another variant of illegal interference, this offense criminalizes interference that substantially hinders the functioning of a computer system without authorization or justification.19 Some states have special statutory provisions governing illegal interference with computer systems of critical national infrastructure.20 According to UNODC, seventy percent of the countries reported the existence of a variant of this cyber-specific offence.21 An additional twenty-two percent indicated that this act was criminalized by way of a general offence.22 Box 3.6: The Gambia Example of Legislation Criminalizing Illegal System Interference A person who, without lawful authority or lawful excuse, does an act which causes directly or “ indirectly A degradation, failure, interruption or obstruction of the operation of a computer system A   A denial of access to, or impairment of any program or data stored in, the computer B   system, commits an offence.”23 F. Misuse of Devices Criminalization of the misuse of tools existed well before the development of ICTs. Misuse of devices refers to acts involving computer tools to commit cybercrimes. In the cybercriminal context, the term “tools” is broadly understood, possibly covering not only software or devices, but also passwords or codes that enable access to computer systems and data (also called “access codes”).24 In response to growing underground markets for trading information, software and other tools used to commit crimes in cyberspace, many national laws have adopted provisions specifically targeting acts concerning computer misuse tools.25 UNODC found that approximately sixty-seven percent of responding had cyber-specific offences concerning the misuse of computer tools.26 About ten percent of responding countries indicated that such acts act were criminalized by way of a general offence.27 Domestic laws typically require both that the tool be either designed or adapted for the purpose of the committing the prescribed offence, and that the perpetrator have the requisite intent.28 Other laws, by contrast, are more expansive, either requiring only that the tool’s purpose be the furtherance of a cybercriminal,29 or that perpetrator presents the requisite mens rea.30 The production, distribution, making available or possession of “computer misuse tools” may also be criminalized.31 Relatedly, the unauthorized disclosure of passwords or access codes is often also criminalized.32 Page 162  |  Chapter 3  |  § A. Substantive Law Table of Contents Box 3.7: Ghana Example of Legislation Criminalizing Misuse of Devices33 “A person who intentionally, recklessly, without lawful excuse or justification, possesses, produces, sells, procures for use, imports, exports, distributes or otherwise makes available A device, including a computer programme, that is designed or adapted for the purpose A   of committing an offence A computer password, access code or similar electronic record by which the whole or B   any part of a computer system is capable of being accessed with the intent that it be used by a person for an offence commits an offence and is liable [….]” G. Fraud Fraud is generally understood as consisting of some deceitful practice or willful device intentionally used to deprive another of his or her right, or to cause him or her some other harm.34 For instance, the World Bank, which, working in an administrative system, understands the term more broadly than most, describes “fraudulent practice” as “any act or omission, including misrepresentation, that knowingly or recklessly misleads, or attempts to mislead, a party to obtain financial or other benefit or to avoid an obligation”.35 As traditional notions of fraud require the direct deception of a physical person, transitioning to cyberspace can cause legal complication since ICT-related fraud typically involves acts of data or system manipulation or interference. In order to address potential legal issues, many countries have introduced cyber-specific provisions.36 Relatedly, while some countries incorporate unauthorized use of electronic payment tools into provisions on fraud, others criminalize such acts under stand-alone offences.37 Box 3.8: Korea Example of Legislation Criminalizing ICT-related Fraud38 Any person who acquires any benefits to property or has a third person acquire them, by “ making any data processed after inputting a false information or improper order, or inputting or altering the data without any authority into the data processor, such as computer, etc., shall be punished [….]” Page 163  |  Chapter 3  |  § A. Substantive Law Table of Contents H. Forgery The crime of forgery is typically understood as the false-making, with intent to defraud, of a writing (through construction, alteration or false signature), which, if genuine, would be of legal efficacy or the foundation of a legal liability.39 ICT-related forgery is an act involving interference with computer data resulting in inauthentic data with specific intent to cause such data to be relied upon as if it were authentic.40 According to UNODC, some countries reported having criminalizing computer- related fraud or forgery through a general offense41; others indicate that this act was criminalized by way of a cyber-specific offence.42 Similar to traditional fraud offences, forgery offences often require modification of a writing or other visual representation. That requirement often presents legal difficulties in covering ICT-related forgery which involve manipulation or alteration of computer data. To address such difficulties, some countries extend the legal definition of “document”or “writing” to include data stored on a computer system,43 while other systems have introduced provisions explicitly addressing computer- related forgery.44 Some countries enumerate different punishments depending on whether public or private data are subject to forgery.45 Box 3.9: Samoa Example of Legislation Criminalizing ICT-related Forgery46 A person is liable to […] who intentionally and without authorisation, inputs, alters, deletes, or “ suppresses electronic data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless of whether or not the data is directly readable and intelligible.” I. Spamming Spamming—that is, using the internet to indiscriminately send unsolicited messages (typically to a large numbers of recipients)—is a phenomenon unique to cyberspace because of the free exchange of information and messages. According to UNODC, twenty-one percent of countries have criminalized the sending of spam.47 A further fourteen percent of the responding countries indicated that this act was criminalized by way of a general offence.48 Anti-spam laws typically criminalize the transmission of unsolicited, multiple electronic messages and the manipulation of either the message header or of the originating information.49 In some countries, the unauthorized access to a protected computer and initiation of the transmission of multiple commercial electronic mail messages is also criminalized.50 Page 164  |  Chapter 3  |  § A. Substantive Law Table of Contents Box 3.10: United States of America Example of Legislation Criminalizing Sending Spam51 “(a)  In general. —Whoever, in or affecting interstate or foreign commerce, knowingly— (1)   Accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer (2)    Uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages (3)   Materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages (4)   Registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names (5)   Falsely represents oneself to be the registrant or the legitimate successor in interest to the registrant of 5 or more Internet Protocol addresses, and intentionally initiates the transmission of multiple commercial electronic mail messages from such addresses or conspires to do so, shall be punished as provided in subsection (b).” J. Child Pornography Offences ICT-related child pornography offences criminalize the use of ICT to produce, distribute, access, store or possess child pornography. According to UNODC, sixty-five percent of responding countries reported generally criminalizing child pornography—for instance, by including language such as “by any means” or “in any manner”.52 A further fourteen countries indicated that the offence was criminalized by way of a cyber-specific instrument or element—for instance, by having language such as “through computer systems”.53 Other countries have criminalized ICT-related child pornography through judicial interpretation of general obscenity laws, or by extending a legal definition of “child pornography” to cover child pornographic material in the form of computer data.54 Page 165  |  Chapter 3  |  § A. Substantive Law Table of Contents Box 3.11: Estonia Example of Legislation Criminalizing ICT-related Child Pornography Offence55 A person who manufactures, stores, hands over, displays or makes available in any other “ manner pictures, writings or other works or reproductions of works depicting a person of less than 18 years of age in a pornographic situation, or a person of less than 18 years of age in a pornographic or erotic situation shall be punished [….]” K. Copyright & Trademark Offences Copyright and trademark laws protect a party’s branding and good name from unauthorized usage—trademarks, by identifying and distinguishing the source of the goods, and copyrights, by protecting original works of authorship. Analogs in cyberspace do much the same thing, focusing on limiting those who can claim to have authored or created a work, as well as who can posture as producing products.56 Roughly seventy-one percent of countries responding to UNODC’s survey reported having criminalized computer-related copyright and trademark offence.57 An additional 14 percent indicated that cyber-specific provisions were in place.58 Box 3.12: United States of America Example of Legislation Criminalizing ICT-related Copyright Offence59 In general. —Any person who willfully infringes a copyright shall be punished as provided “(1)  under section 2319 of title 18, if the infringement was committed— (A)  For purposes of commercial advantage or private financial gain (B)  By the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000 (C)  By the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution.” II. Safeguards Page 166  |  Chapter 3  |  § A. Substantive Law Table of Contents The other key area to be reflected in national legislation are the safeguards accompanying the criminal sanctions. Although these are discussed more at length in greater depth in the sections 4 A and 4 B, below, it bears highlighting here that ensuring that fundamental rights are protected is as important as criminalizing certain behaviors. Fundamental freedom requiring protection include (A) due process, (B) privacy and data and (C) freedom of expression. A. General Due Process Considerations A number of procedural issues related to investigations and prosecutions are considered in section 2 C; other issues related to due process, such as the rights of the accused to counsel and to being present in connection with certain digital investigations. A vast area for consideration, the Toolkit does not exhaustively deal with the full range of due process issues related generally to criminal law; rather it focuses on specific issues related to cybercrime. B. Privacy & Data Protection According to UNODC, almost all responding countries indicated that existing privacy protections extended to computer data and electronic communications.60 A balance is struck by protecting the privacy of personal data collected and processed by third parties, while allowing, in exceptional circumstances, that these third parties could be obliged to make disclosures to law enforcement.61 C. Freedom of Expression Freedom of expression must be taken into account in criminalizing the dissemination of information via computer systems or cyberspace either because the underlying content is illegal (e.g., child pornography, or because the actor is unauthorized to do so (e.g., copyright).62 Relatedly, the responsibility of facilitators (e.g., ISPs) must be taken into account, with many countries limiting liability.63 Conclusion There is a diversity of ways in which states have defined, criminalized and instituted procedural, evidentiary, jurisdictional and institutional aspects in fight against cybercrime. This section has highlighted just a few of the very many options by which national substantive law has criminalized various cybercrimes, with selection being based on good practices and with an eye to furthering international interoperability. In addition to appropriately empowering authorities to combat cybercrime, it is important to ensure that corresponding safeguards—notably for due process, privacy and data and freedom of expression—are also implemented. Page 167  |  Chapter 3  |  § A. Substantive Law Table of Contents End Notes Referenced in: § A. Substantive Law 12. Ibid., at § 202a(1). 27. UNODC Cybercrime Study, supra § 1 C, note 7, at 93 (Figure 4.16: Criminalization 13. Ibid., at § 202a(2). of production, distribution, or possession 1. See supra § 2 E, box 2.7 (discussing the of computer misuse tools). inability of domestic law enforcement to 14. See, e.g., Korea: Protection of prosecute the creator of the “love bug” Communications Secrets Act, No. 6626 28. See, e.g., Ghana: Electronic Transactions virus, and of foreign law enforcement (2002),Arts. 3 & 16(1)(1), at https://www. Act, No. 772 (2008) [hereafter, “Ghanian authorities to arrange for extradition, imolin.org/doc/amlid/Republic_of_Korea_ Act”], § 135 (Illegal devices), at http:// due to the absence of domestic law Protection_of_Communications_Secrets_ www.researchictafrica.net/countries/ criminalizing computer hacking). Act.pdf. See also, UNODC Cybercrime ghana/Electronic_Transactions_Act_ Study, supra § 1 C, note 7, at 86. no_772:2008.pdf. 2. UNODC Cybercrime Study, supra § 1 C, note 7, at 78. 15. UNODC Cybercrime Study, supra § 1 C, 29. Gambian Act, supra note 23, at § 10 note 7, at 87. (Unlawful possession of devices or data). 3. UNODC, “Cybercrime Questionnaire for Member States”, (2012) [hereafter, 16. Botswana: Cybercrime Act, No. 22 (2007), 30. See, e.g., Sri Lanka: Computer Crimes “UNODC Questionnaire”], Q25, at Ch. 08:06: Cybercrime and Computer Act, No. 24 (2007), § 9, at http://www. https://cms.unov.org/DocumentReposit Related Crimes, § 9, at https://hingx.org/ slcert.gov.lk/Downloads/Acts/Computer_ oryIndexer/GetDocInOriginalFormat. Share/Details/711. Crimes_Act_No_24_of_2007(E).pdf; drsx?DocID=f4b2f468-ce8b-41e9-935f- UNODC Cybercrime Study, supra § 1 C, 17. UNODC Cybercrime Study, supra § 1 C, 96b1f14f7bbc. note 7, at 94. note 7, at 89–90. 4. UNODC Cybercrime Study, supra § 1 C, 31. UNODC Cybercrime Study, supra § 1 C, 18. Portugal: Cybercrime Law, No. 109 (15 note 7, at 82. note 7, at 95. Sep. 2009), Art. 4.1, at http://www.wipo. 5. The principle is captured by the Latin int/edocs/lexdocs/laws/en/pt/pt089en. 32. See, e.g., Antigua and Barbuda: dictum “actus reus non facit reum nisi pdf. Electronic Crimes Act, No. 14 (2013) § 9, mens sit rea” (“the act is not culpable at http://laws.gov.ag/acts/2013/a2013-14. 19. UNODC Cybercrime Study, supra § 1 C, unless the mind is guilty”). See, e.g., pdf. note 7, at 90–91. Oxford Reference. For an overview of the different legal approaches to criminalize 33. Ghanaian Act, supra note 28, at § 135. 20. See, e.g., Korea: Act on the Protection illegal access to computer systems, see of Information and Communications 34. Black’s Law Dictionary. Stein Schjolberg, The Legal Framework Infrastructure, No. 11690 (23 Mar. – Unauthorized Access to Computer 2013), Art. 12 (Prohibition against 35. See, e.g., “What is Fraud and Systems: Penal Legislation in 44 Countries Intrusion, etc. of Critical Information Corruption?,” Integrity Vice Presidency, (Moss District Court, Norway, 2003), at and Communications Infrastructure) World Bank, at http://www.worldbank. http://www.mosstingrett.no/info/legal. and Art. 28 (Penal Provisions), at http:// org/en/about/unit/integrity-vice-pres html#24. elaw.klri.re.kr/eng_mobile/viewer. idency/what-is-fraud-and-corruption. do?hseq=28812&type=part&key=43. 6. See supra § 2 B. 36. See, e.g., Korean Criminal Act, supra § 21. UNODC Questionnaire, supra note 3, at 2 E, note at 14, at Art. 347-2; UNODC 7. See, e.g., Kazakhstan: Criminal Code, No. Q27. Cybercrime Study, supra § 1 C, note 7, at 167 (16 Jul. 1997), Art. 227.1, at http:// 98–99. www.parliament.am/library/Qreakan/ 22. UNODC Cybercrime Study, supra § 1 C, kazakstan.pdf. note 7, at 88 (Figure 4.9: Criminalization 37. See, generally, supra § 2 B. of illegal data interference or system 8. Supra note 2, at 83–84. 38. Korean Criminal Act, supra § 2 E, note 14, damage). at Art. 347-2. 9. Saint Vincent and the Grenadines: 23. Gambia: Information and Electronic Transactions Act, (2007), § 66, 39. Black’s Law Dictionary. Communications Act, (2009), [hereafter, at http://www.oas.org/juridico/spanish/ “Gambian Act”] § 167(1), at http://www. cyb_svg_electronic_act_2007.pdf. 40. UNODC Cybercrime Study, supra § 1 C, wipo.int/edocs/lexdocs/laws/en/gm/ note 7, at 98–99. 10. See, e.g., Kazakhstan Criminal Code, gm006en.pdf. supra note 7 at Arts. 227.1–227.4 (applying 41. UNODC Questionnaire, supra note 3, at 24. UNODC Cybercrime Study, supra § 1 C, to persons (Art. 227.1), to groups of Q 30. note 7, at 93. person (Art. 227.2) and to computer programs (Art. 227.3)) (emphasis added). 42. UNODC Cybercrime Study, supra § 1 C, 25. Ibid., at 92–93. note 7, at 97 (Figure 4.21: Criminalization 11. See, e.g., Germany: Criminal Code, § 26. UNODC Questionnaire, supra note 3, at of computer-related fraud or forgery). 202a, at http://www.gesetze-im-internet. Q28. de/englisch_stgb/german_criminal_code. pdf. Page 168 | Chapter 3 | End Notes Table of Contents 43. See, e.g., Zimbabwe: Criminal Law 60. Ibid., at Q21. (Codification and Reform) Act (No. 23 of 2004), § 135 (Interpretation in Part IV 61. See, e.g., Korea: Personal Information of Chapter VI) and § 137(1) (Forgery), Protection Act, No. 11990 (6 Aug. at https://www.unodc.org/tldb/pdf/ 2013) Arts. 3(6) & 18(2)(7), at http:// Zimbabwe/ZIM_Crim_Law_2004.pdf. elaw.klri.re.kr/eng_mobile/viewer. do?hseq=28981&type=part&key=4. See 44. See, e.g., Korean Criminal Act, supra § 2 also, UNODC Cybercrime Study, supra § 1 E, note 14, at Art. 227-2 (False Preparation C, note 7, at 135–36. or Alteration of Public Electromagnetic Records) and Art. 232-2 (Falsification or 62. See, e.g., Schjolberg, supra note 5, at 21. Alteration of Private Electromagnetic 63. See, e.g., Korea: Copyright Law, No. Records). 9625 (22 Apr. 2009), Arts. 102 & 104(1), at 45. Ibid. http://www.copyright.or.kr/eng/laws-and- treaties/copyright-law/chapter06.do. See 46. Samoa: Crimes Act, No. 10 (2013), § UNODC Cybercrime Study, supra § 1 C, 216, at https://www.unodc.or.g/res/cld/ note 7, at 253. document/wsm/2013/crimes_act_2013_ html/Samoa_Crimes_Act_2013.pdf. 47. UNODC Questionnaire, supra note 3, at Q 33. 48. UNODC Cybercrime Study, supra § 1 C, note 7, at 95 (Figure 4.20: Criminalization of the sending or controlling of the sending of SPAM). 49. Ibid., at 96. 50. See, e.g., United States: USC, Title 18, § 1037. See also, ITU Understanding Cybercrime, supra § 1 B, note 1, at 208. 51. USC, Title 18, § 1037. 52. UNODC Questionnaire, supra note 3, at Q36. 53. UNODC Cybercrime Study, supra § 1 C, note 7, at 101 (Figure 4.23: Criminalization of computer-related production, distribution or possession of child pornography”). 54. For details, see ibid. 55. Estonia: Penal Code, (6 Jun. 2001), § 178(1), at https://www.unodc.org/res/ cld/document/estonia-criminal-code-as- amended-2013_html/Estonia_Criminal_ Code_as_amended_2013.pdf. 56. See, e.g., United States: USC Title 17, § 506 (Criminal offenses), at https://www. gpo.gov/fdsys/pkg/USCODE-2010- title17/pdf/USCODE-2010-title17-chap5- sec506.pdf. 57. UNODC Questionnaire, supra note 3, at Q32. 58. UNODC Cybercrime Study, supra § 1 C, note 7, at 105 (Figure 4.29: Criminalization of computer-related copyright and trademark offences). 59. UNODC Questionnaire, supra note 3, at Q32. Page 169 | Chapter 3 | End Notes Table of Contents CHAPTER 4 Safeguards While issues of procedural due process, protection of data and privacy and freedom of expression could be included in a discussion of national legal frameworks, they are treated separately in this chapter because of the importance of such legal “safeguards”. This chapter examines procedural due process, data protection/privacy and freedom of expression as they relate to cybercrime. In this Chapter A. Due Process 171 B. Data Protection & the Right to Communicate 178 Page 170 | Chapter 4 | Safeguards CHAPTER 4 A. Due Process Table of Contents Introduction 171 I. Concept of Due Process 172 II. Due Process in Investigation & Prosecution of Cybercrimes 172 A. Obtaining Evidence 172 B. Search & Seizure 173 III. Budapest Convention & Due Process 175 A. Safeguards 175 B. Treatment of Stored Computer Data 176 C. Treatment of Traffic Data 176 Conclusion 177 Introduction As stated in the WDR,1 for an ICT ecosystem to be vibrant and to contribute to economic development, it needs to be built around a “trust” environment. Part of that trust environment is ensuring the security of networks, systems and data; but the trust environment is equally built around preserving the individual’s privacy and protecting data about those individuals, as well as ensuring rights of online expression. Efforts at combatting cybercrime tend to aim at the security part; however, as part of the overall trust environment, a cybercrime regime must also pay due regard to preserving individual rights in a balanced way. This section considers due process issues generally, and then focuses on data protection and freedom of expression in subsequent sections. A comprehensive overview of due process rights in investigating and prosecuting crimes is beyond the scope of this Toolkit writ large, and this section in particular. The Toolkit generally operates and is constructed from the perspective that whatever due process rights exist in the case of “conventional” crimes would also apply to cybercrimes. This section attempts to put due process rights of general application in the specific cybercrime context by looking at how such rights were handled in recent high-profile cases, as well as how one country, Korea, has attempted to grapple with these issues. Page 171  |  Chapter 4  |  § A. Due Process Table of Contents I. Concept of Due Process The concept of due process of law and respect for the rule of law is recognized as fundamental to both common and civil law systems.2 Many constitutions offer explicit due process guarantees. For example, the Fifth and the Fourteenth Amendments to the US Constitution provide that “No person shall be […] deprived of life, liberty or property, without due process of law.” Likewise, Korea, which has a more civil law-oriented legal system, has similar clauses in its Constitution. Specifically, Article 12 of the Korean Constitution provides that,“All citizens shall enjoy personal liberty. No person shall be arrested, detained, searched, seized or interrogated except as provided by Act. No person shall be punished, placed under preventive restrictions or subject to involuntary labor except as provided by Act and through lawful procedures. Warrants issued by a judge through due procedures upon the request of a prosecutor shall be presented in case of arrest, detention, seizure or search.” In terms of the scope of due process, both substantive and procedural due process components are recognized by the Supreme Court of the United States.3 Unsurprisingly, greater emphasis is put on the procedural due process aspects of judicial proceedings in that context. However, due to the potential for the loss of liberty if convicted, there is a substantial need for due process in criminal cases because of the potential for the sovereign coercive is bringing its power to bear on individuals.4 This section will discuss peculiar due process issues in investigation and prosecution of cybercrimes and also review relevant arguments linked with the Budapest Convention. II. Due Process in Investigation & Prosecution of Cybercrimes General due process requirements apply when investigating and prosecuting crimes include, inter alia, the right of the defendant to confront his or her accuser, the right to counsel and the right to a speedy trial. As mentioned, this section focuses on more specific and frequent cybercrime-related issues, notably (A) imbalance of obtaining evidence and (B) search and seizure. A. Obtaining Evidence Issues of the admissibility of evidence in court, such as the requirements of authenticity, integrity and reliability of digital evidence, have already been discussed (see sections 2 C and 2 D, above). From a procedural due process point of view, even though cybercriminals operate in a sophisticated and cross-border environment, there can still be a power imbalance between investigative agencies and defendants: compared to individual defendants, investigators and prosecutors have more negotiating power, especially when searching and securing evidence. Page 172  |  Chapter 4  |  § A. Due Process Table of Contents Moreover, once an investigation reaches the prosecutorial phase, there is likely more inculpatory evidence in favor of the state than exculpatory evidence in favor of the defendant. Yet justice systems, beholden to the rule of law, need to be fair and neutral. B. Search & Seizure If the search and seizure violates the criminal procedure law and/or the constitutional law in principle, the evidence that is seized ought to be excluded from evidence. In the United States, there are various federal statues which set a limit on the investigatory power: ƒƒ Wiretap Act (19 USC § 2510): This Act governs the seizure of the content of digital messages. It places a general prohibition on intercepting the contents of wire, oral or electronic communications. Violation of the Act can cause criminal punishment or/and civil damages. Only by an order of a federal judge can interception be permitted or justified.5 ƒƒ Pen Register and Trap and Trace Statue (18 USC § 3121): This statute governs the seizure of real-time traffic data—dialing, routing, addressing and signaling information provided by a communications service provider. It generally prohibits the nonconsensual real-time acquisition of non-content information by any person by wire or electronic communication unless a statutory exception applies.6 ƒƒ Electronic Communications Privacy Act (18 USC § 2701): This Act protects individuals’ privacy and proprietary interests, which applies when law enforcement officials seek to obtain records about a customer or subscriber from a communication service provider.7 Specifically, it looks to protecting stored communications. ƒƒ Fourth Amendment of US Constitution: This constitutional provision—part of the original set of amendments to the US Constitution, collectively known as the Bill of rights—is construed as prohibiting the search or seizure of an individual or their property, unless a warrant is first obtained from a judge or the circumstances fall within very limited number of situations where a warrant is deemed unnecessary.8 The United Kingdom has recently broadened the surveillance capacities of its law enforcement authorities, relying on a so-called “double-lock” procedure to limit potential government abuse: In the United Kingdom, the Investigatory Powers Act 20169 significantly expanded the surveillance power of law enforcement, granting authorities unprecedented surveillance powers to access private data of individuals.10 The controversial law11 was advanced to support law enforcement agencies in prevention and prosecution of modern crimes.12 Specifically, the Act requires communication service providers to preserve their customers’ data for a year. In addition to the data retention obligations, businesses are legally mandated to remove any encryption that interferes with warrants. Moreover, the Act enables authorities to intercept and store all forms of data, even Page 173  |  Chapter 4  |  § A. Due Process Table of Contents where techniques include hacking and surveilling individuals’ electronic devices.13 Lastly, bulk-data collection is permitted for the purpose of acquiring intelligence relating to individuals beyond the UK territorial border, as long as a warrant is issued. Oversight for the Act, and thus for the releasing of these vast and intrusive powers, is controlled through what is called a “double-lock”; that “double-lock” requires a warrant to be approved by both government ministers and the specially-created judicial panel called the Investigatory Powers Commission.14 In case of urgency, a warrant can be issued without the Commission’s involvement insofar as it is subject to review by the Commission within three working days.15 Already a heavily surveilled population,16 UK authorities are now, along with Chinese and Russian authorities, a “global leader” in bulk surveillance of its citizens.17 Among other jurisdictions, Korean law guarantees the right of the defendant to participate in the search and seizure of an information storage device such as a computer. For example, Articles 121 & 122 of the Korean Criminal Procedure Act provide as follows: “A prosecutor, the criminal defendant, or his/her defense counsel may be present when a warrant of seizure or of search is being executed. Where a warrant of seizure or of search is to be executed, the persons listed in the preceding Article shall be notified of the date and place of execution in advance. [...T]his shall not apply in cases where a person prescribed in the preceding Article, clearly expresses his/her will in advance to the court that he/she does not desire to be present or in case of urgency.” The Korean Supreme Court has strictly interpreted the above provisions, ruling that the seizure and search procedure of information storage device was illegal for failing to guarantee the participation right of those subject to seizure in the review procedure conducted after taking out information storage device.18 Case 4.1: United States v. Ulbricht (“Silk Road”) (USA)19 On 29 May 2015, a Manhattan federal court somewhat controversially20 sentenced Ross William Ulbricht to life in prison in connection with his operation and ownership of Silk Road between January 2011 and October 2013.21 Silk Road was a hidden “darkweb” website that enabled users to buy and sell illegal drugs and other unlawful goods and services anonymously and beyond the reach of law enforcement;22 the black market was designed “as an online utopia beyond law enforcement’s reach”.23 During the court proceedings, Ulbricht claimed that, although he had initially been involved in the site, and although he even averred that illicit activities may have been conducted Page 174  |  Chapter 4  |  § A. Due Process Table of Contents on the site, he had sold this stake and was no longer involved in Silk Road. With regard to the evidence that the state presented, the defense argued that government surveillance of Ulbricht’s online accounts was overboard and amounted to a violation of defendant’s constitutional, Fourth Amendment rights, which protects against undue search and seizure.24 It was further argued that evidence favorable to the defendant regarding corrupt officials had been improperly suppressed and tainted the case and evidence. Ulbricht appealed his conviction saying, “The court abused its discretion and denied Ulbricht his Fifth and Sixth Amendment rights to due process, the right to present a defense, and a fair trial by (A) precluding the defense from using at trial the evidence relating to DEA Special Agent Carl Force’s corruption; (B) refusing to order the government to provide additional discovery and ‘Brady’ material regarding corruption; and (C) denying Ulbricht’s motion for new trial based on additional post-trial disclosures regarding Force and another corrupt law enforcement agent involved in the Silk Road investigation.”25 While Ulbricht lost his appeal in May 2017,26 the arguments made are ones that might well be raised by defendants charged with cybercrimes. III. Budapest Convention & Due Process A general discussion of multilateral and international agreements in cybercrime can be found in section 4 B, below. While the Budapest Convention is discussed in more detail in that section, it is worth noting here that the Convention is alone among multilateral and international instruments in specifically addressing safeguards and due process issues. That said, the provisions of the Convention show the inherent tension among information gathering and investigative powers and requirements of due process. With regard to due process safeguards, the Convention has specific provisions on (A) general conditions and safeguards, (B) expedited preservation of stored computer date and search and seizure of stored computer data and (C) expedited preservation and partial disclosure of traffic data and expedited disclosure of preserved traffic data. A. Safeguards Article 15 of the Budapest Convention provides, inter alia, that domestic law shall implement “conditions and safeguards [... that] provide for the adequate protection of human rights and liberties”. Although binding on its Member States, a treaty mechanism alone as a source of due process is insufficient without local law implementation.27 To that end, Member States are bound by the Convention to transpose implementing provisions into their national laws. Page 175  |  Chapter 4  |  § A. Due Process Table of Contents B. Treatment of Stored Computer Data The safeguards referred to in article 15 are balanced against, for example, articles 16 and 29 of the Convention which provide, respectively, that “Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system”,28 and that “[a] Party may request anther Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.”29 How the investigative authorities of each Member State carry out effective search and seizure will also be a matter of national law, and the duration of evidance preservation could be confined since the purpose of a preservation order is to get enough time to carry out legal procedures such as issuing warrant.30 C. Treatment of Traffic Data Similarly, articles 17 and 30 of the Budapest Convention set up tools to secure expedited preservation of traffic data and require traffic data to be disclosed to the investigation agency so that routes of transmission can be identified. Article 17 provide that “Each Party shall adopt […] such legislative and other measures as may be necessary to: “(a) Ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and “(b) Ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.”31 Article 30 complements this language: “[T]he requested Party shall expeditiously disclose to the requesting Party a sufficient amount of traffic data to identify that service provider and the path through which the communication was transmitted.”32 Page 176  |  Chapter 4  |  § A. Due Process Table of Contents Conclusion For a vibrant online community that fosters robust economic growth and development to exist, a “trust” environment must be nurtured and developed. As discussed, doing as much means, first, building secure systems, and creating the enabling environment—legal and institutional—that empowers authorities to combat cybercrime, be it from domestic or international sources. However, securing cyber systems against crime and empowering government authorities is only part of the puzzle: for the ecosystem to thrive, it must be trusted by users in larger sense than for commercial purposes and the sort. The cyberworld must be a place in which individuals and communities desire to constructively and completely engage, and where they are comfortable expressing themselves. To that end, protections safeguarding individual rights and guarding against government abuse or overreach must be built in. Doing so requires ensuring that due process rights are respected, which means that defined procedures—with limits and controls—must be developed for those occasions where authorities seek to obtain evidence or engage in search and seizure. Among international instruments, the Budapest Convention alone includes robust safeguards, which are to be transposed into national substantive law by each Member State. The next section continues this discussion, looking to the government’s responsibility to assure the protection of data and to guarantee the right to communicate. In creating and keeping cyberspace safe and secure, human rights must also be respected and protected. Page 177  |  Chapter 4  |  § A. Due Process Table of Contents CHAPTER 4 B. Data Protection & the Right to Communicate Table of Contents Introduction 178 I. Applicable International Law & Good Practice 179 II. Data Protection & Privacy 182 A. The Security-Privacy Debate 182 B. Legal Instruments Guaranteeing Data Protection & Privacy 182 C. The Special Place for Anonymity 186 III. The Right to Communicate 186 Conclusion 188 Introduction Up to this point, the Toolkit has focused on ways to effectively combat cybercrime, with only the last section looking to expand the responsibilities of the government to include factors requisite for create a “trust” environment (see section 4 A, above). It has done so from a series of different perspectives, including those of protecting not only ICT networks and systems, but also protecting the content and personal data stored therein. However, as the internet becomes an increasingly important platform for not only commercial but also non-commercial purposes, and as societies become increasingly dependent upon the interconnectivity that cyberspace allows, governments have increasingly deployed powers to seek to secure it. Such security must be balanced with the rights of individuals in the community, and must not hamstring the internet as a flexible, decentralized, open and neutral platform. As such, it is important to ensure that, in addition to providing the kind of security that comes from an effective cybercrime regime, the power of the state is deployed in a measured manner that effectively balances security with basic human rights. That balance perhaps most notably applies to assuring the protection of users’ data and their right to privacy which also assures both access to information and freedom of expression.1 At the same time, the state is obliged to defend basic human rights by investigating those who violate the privacy of others’ communications, personal data and the like. Page 178  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents Apart from having a grounding in international law, assuring respect for human rights in the cybercrime context is a matter of good policy.2 Recent scholarship squarely identifies and makes the link between advancing rights of privacy and expression in the ICT context, on the one hand, to achieving development objectives, on the other.3 It is generally accepted that free speech facilitates the creation of a so-called “marketplace of ideas”; in turn, free speech encourages growth, be it commercial, intellectual, artistic or political.4 Balancing stakeholder interests of security and of stability, on the one hand, and promoting human rights, on the other, is essential to promoting the enabling “trust” environment needed for building a digitally interconnected cyber-society (see section 4 A, above).5 Just as society has expanded into cyberspace, so, too, have authorities, and law enforcement in particular, expanded into and taken advantage of technological developments. Law enforcement and national security agencies need access to ICT, and therefore utilize “wiretapping” (and similar targeted-surveillance techniques), call center data registry and other metadata reporting measures to investigate criminal activity.6 While the use of any and all of these tools poses certain privacy concerns, their deployment with appropriate safeguards, including the external seeking of appropriate and independent authorization, has largely resulted in the building of secure, commercially robust, internet-based societies where human rights still manage to flourish. Fundamental principles of “legality”, “necessity” and “proportionality” feature in this debate and in creating such a “trust” environment that is so central to building a robust cyber society (see section 1 B, above). One of the key drivers in the digital economy is the flow of data, much of which is personal data. Indeed, the amount of that data has increased by an estimated ninety percent in the last few years.7 This trend has in part been fueled “big data” applications for monitoring and manipulating data.8 Big data refers to both structured and unstructured data which is both of such a volume and which is also communicated at such a high rate that it is difficult to process using traditional database and software techniques.9 Big data applications can be found in both the public and private sectors. While probably most commonly associated with private sector applications (such as Facebook and Google), it is conceivable that these same, big-data analytical techniques could be used in the fight against cybercrime; if so, attention would need to be paid to the prospect of intrusions into individuals’ privacy. The issue goes beyond simply having and enforcing national laws protecting personal data. As is the case with cyberspace in general, data flows (whether legitimate or not) are global. As such, in order to be effective, privacy regimes need to both enable and further facilitate legitimate internet usage, as well as to assure individuals’ rights in the case of combatting cybercrime. I. Applicable International Law & Good Practice Page 179  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents First, before exploring the application of any rights in detail, it merits clarifying that guaranteeing the protection of human rights on the internet has been recognized in recent years through a series of statements emanating from the United Nations. Beginning in 2011, in a report to the to the UN Human Rights Council (UNHRC) on the promotion and protection of the right to freedom of opinion and expression on the internet, Special Rapporteur, Frank La Rue, concluded that “states [are] providing inadequate protection of the right to privacy and data protection”.10 In the following year, the UNHRC “affirmed that people have the same rights online that they have offline […] in particular [regarding] freedom of expression”.11 In 2016, the UNHRC reaffirmed “the importance of promoting, protecting and enjoying human rights on the internet, including privacy and expression”.12 In June 2016, the UN General Assembly subsequently adopted a Resolution announcing the following: “Calls upon all States to address security concerns on the Internet in accordance with their international human rights obligations to ensure protection of freedom of expression, freedom of association, privacy and other human rights online, including through national democratic, transparent institutions, based on the rule of law, in a way that ensures freedom and security on the Internet so that it can continue to be a vibrant force that generates economic, social and cultural development [....]”13 With the question of government responsibility for adhering to human rights standards in implementing cybersecurity born in mind, the UNHRC concluded as follows: “Decides to continue its consideration of the promotion, protection and enjoyment of human rights, including the right to freedom of expression, on the Internet and other information and communication technology, as well as of how the Internet can be an important tool for fostering citizen and civil society participation, for the realization of development in every community and for exercising human rights, in accordance with its programme of work.”14 Second, and specifically in the cybercrime context, frameworks for generally safeguarding rights while also providing security exist, the most notable of which is perhaps that promulgated by article 15 of the Budapest Convention. That basic framework provides as follows: (1) Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall Page 180  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality. (2) Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure. (3) To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.15 The Explanatory Report to the Budapest Convention discusses the principle of proportionality referenced in article 15.1, as follows: “[A]nother safeguard in the Convention is that the powers and procedures shall incorporate the principle of proportionality. Proportionality shall be implemented by each Party in accordance with relevant principles of its domestic law. For European countries, this will be derived from the principles of the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, its applicable jurisprudence and national legislation and jurisprudence, that the power or procedure shall be proportional to the nature and circumstances of the offence. Other States will apply related principles of their law, such as limitations on over breadth of production orders and reasonableness requirements for searches and seizures.”16 Thus, the basis for assuring human rights, even as cyberspace is secured, is soundly and explicitly provided for in international law. The rest of this section delves in more detail into the concrete application of privacy rights and data protection, as well as the right to communicate (i.e., freedom of expression and the right to access to information). As data protection and the right to communicate are closely interlinked, they are treated together in this section; that said, they also have different features that need to be understood on their own. Page 181  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents II. Data Protection & Privacy The discussion around data protection and privacy merits (A) an introductory discussion of security-privacy debate that can be used to set up a fuller discussion of (B) good practices in legal instruments guaranteeing data protection and privacy. A. The Security-Privacy Debate Data protection speaks to the provision of reasonable assurances that individuals’ rights regarding their personal data and privacy are observed and protected. It extends not only to those under investigation and prosecution but also to potentially innocent third parties who may become involved, or whose data might be touched upon. The policy, legal and technical differences between “security” and “privacy” merit clarifying at this stage. There are a variety of ways in which the two terms can be understood. Generally speaking, “security” can be understood as a set of technological measures that mediate access to personal data stored or transmitted via ICT systems or networks, while “privacy” is the normative framework for allocating who has access to that data, including the right to alter any of it.17 Some posit the two values as running counter to each other, a conception out of which the overly-simplistic argument “if you’ve got nothing to hide, then you’ve got nothing to worry about surveillance” emerges.18 Others posit that the two are not in the same plane, and that there is a false trade-off between privacy and security that has resulted from an incorrect framing of the debate as a zero-sum game in which one value is pitted against the other.19 Still others posit that implementation of good data protection principles is not merely a matter of securing human rights but actually contributes to reducing certain kinds of cybercrime.20 The concern here is how the security aspects of ensuring an effective cybercrime regime impact upon privacy of an individual’s data. B. Legal Instruments Guaranteeing Data Protection & Privacy The right to privacy can be found in both article 12 of the Universal Declaration of Human Rights (UDHR) and in the International Covenant on Civil and Political Rights (ICCPR). Article 12 of the UDHR provides as follows: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”21 Page 182  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents Similarly, article 17 of the ICCPR provides as follows: (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, or correspondence, nor to unlawful attacks on his honour and reputation. (2) Everyone has the right to the protection of the law against such interference or attacks.22 Importantly, these rights are not absolutes, and, as also reflected in article 15.3 of the Budapest Convention, are subject to certain limits. Figure 4.1: Current Membership in the ICCPR23 While rights to privacy and expression have evolved over time over the past three hundred years24, and, when set down in 1948 in the case of the UDHR, and in 1966 in the case of the ICCPR, were certainly not drafted with the internet or cybercrime in mind, the UN Human Rights Council recently reaffirmed the importance of promoting, protecting and enjoying human rights on the internet, including privacy and expression.25 In 2013, the UN General Assembly adopted a Resolution, introduced by Brazil and Germany, on the Right to Privacy in the Digital Age.26 Today, the UN Conference on Trade and Development (UNCTAD) reports that 107 countries have privacy laws in place, sixty-six of which are developing countries.27 Regional initiatives have built upon these international instruments. In Europe, the European Convention on Human Rights (and related caselaw) sets the legal base for understanding and guaranteeing fundamental human rights, including those to privacy and expression. While there are a number of other relevant instruments, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)28 is the single most significant Page 183  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents instrument. Opened for signature on 28 January 1981 and entering into force on 1 October 1985, the Convention was the first legally binding international instrument in the data protection field. Under the Convention, Parties are required to take the necessary steps in their domestic legislation to apply the Convention’s principles ensuring respect for the fundamental human rights of all individuals with regard to processing of personal data. Convention 108 is open for accession by any State, regardless of geographic location, or of CoE membership. Uruguay (in 2013) and Mauritius (in 2016) were the first non-European countries to become Parties to the Convention. Today, the Convention has fifty Parties, seven of which are non-Members of the Council of Europe.29 It is indicative that countries seeking to implement the Budapest Convention on Cybercrime also show strong interest in Convention 108, or are enacting their own domestic data protection regimes.30 An additional Protocol to Convention 108 (Convention 181) covers supervisory authorities and transborder data flows.31 The additional Protocol requires Parties to set up supervisory authorities and, among other things, that those authorities exercise their functions in “complete independence”.32 That independence is understood as an element central to the effective protection of individuals with regard to the processing of personal data.33 Still in the European context, a related soft law instrument is CoE’s Recommendation R(87) 15 on data protection in the police sector.34 Bearing in mind the “sectoral approach” taken to data protection up till that time,35 the Recommendation puts forth principles that might guide Member States in their domestic law and practice. Those basic principles include address data control and notification; collection; storage; usage by police; communication between public and private bodies; publicity and right to access, rectify and appeal data; length of storage and updating data; and data security.36 Although soft law, the Recommendation, created on 17 September 1987, has been widely adopted across Europe “to an extent that many European states prima facie already regulate[d] police use of personal data in a way comparable but not necessarily identical to that envisaged in the European Commission’s proposal […] for a Directive” on the same matter.37 While not obviating the utility and advantages of having a suitable new binding legal instrument, the high degree of de facto adherence highlights, first, the degree of influence that even soft law can have, and, second, the degree to which states are both working and able to comfortably balance security and privacy obligation even in the police context. An additional source of international good practice of the principal features of a data protection/ privacy regime can be found in the Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks (“OECD Guidelines”).38 The Guidelines provide measures direction in ensuring the quality of data collected; the scope of the purposes for which data may be collected and used; the setting of strict limits on the use of collected data; the setting of safeguards in terms of data collection, storage and usage; and covers rights of data subjects to correct or erase erroneous data. Page 184  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents Box 4.1: Basic Information Security Principles from OECD Guidelines Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the purpose specification principle except: a) with the consent of the data subject; or b) by the authority of law. Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Individual Participation Principle: Individuals should have the right: to obtain from a data controller, or otherwise, confirmation of whether or not the data (a)  controller has data relating to them; to have communicated to them, data relating to them (i) within a reasonable time; (ii) (b)  at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to them; to be given reasons if a request made under subparagraphs (a) and (b) is denied, and (c)  to be able to challenge such denial; and to challenge data relating to them and, if the challenge is successful to have the data (d)  erased, rectified, completed or amended. Page 185  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above. Collectively, these international and regional instruments, as well as the principles and guidelines, provide a rich source of international good practice for how to balance security with data protection and privacy. The flexible, open and decentralized nature of the internet augurs in favor of a principles-based approach (with notion of proportionality at its core) that balances state interventions and intrusions with individual human rights. As the internet functions on the basis of the creation of a “trust” environment, it is essential that such considerations and be weighed openly. C. The Special Place for Anonymity Anonymity can be seen as an essential component of protecting privacy on the internet.39 Not infrequently, this same anonymity is also highly problematic for public safety, due in part to legal and technical reasons. Particularly in the digital context, those same basic human rights protections that make the internet such a compelling and exciting tool for development and social advancement can also lead to problems of authentication in general, and attribution— that is, the connecting of a criminal actor to the act perpetrated—in particular. From a technical perspective, encryption is perhaps the most obvious issue.40 From a larger, legal perspective, particular difficulties exist where there is a divergence of legal frameworks, especially in light of a still-evolving MLAT framework. The latter obstacle is in part overcome by shared adherence to multilateral instruments, such as the Budapest Convention, which, among other things, creates such a framework.41 The issue of privacy and data protection in the context of surveillance, especially “mass” surveillance, is a particularly thorny issue.42 While the topic of “surveillance”, generally, is beyond the scope of the Toolkit, surveillance is an important tool for law enforcement in investigating crime, including cybercrime. The technological advances that have enabled cybercrime to expand have also enabled expanded surveillance tools and methodologies. All of these developments have resulted in unresolved questions of what are, and how to define, the appropriate limits on the collection of data relevant to an investigation. III. The Right to Communicate The “right to communicate”, as already discussed, speaks to the complementary rights of “freedom of expression” and “access to information” (see section 1 C, above). Communication, one of the Page 186  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents most basic of human rights and of human behaviors,43 is addressed in the UDHR and is more fully expressed in the ICCPR, as described below. These rights are also reflected in a number of regional instruments.44 The UDHR provides in Article 19 as follows: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” The ICCPR goes somewhat further, providing a specific framework for addressing the balance of security versus rights. The ICCPR not only provides for the right itself (articles 19.1 & 19.2), but also provides factors that should be considered in “balancing” this right with other governmental prerogatives (article 19.3): (1) Everyone shall have the right to hold opinions without interference. (2) Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice. (3) The exercise of the[se] rights […] carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary: (a) For respect of the rights or reputations of others; [and] (b) For the protection of national security or of public order (“ordre public”), or of public health or morals. Among human rights, the right to communicate is a particularly interesting one, as it is not only substantively fundamental (the right to communicate is a right in itself), but it is also procedurally fundamental (as it also an “enabler” of other fundamental rights). In addition, freedom of expression and access to information are both and equally essential to the enjoyment of economic, social and cultural rights, such as the right to education and the right to partake in cultural life or benefits of scientific progress, as well as civil and political rights, such as the rights to freedom of association and assembly. In this sense, the right to communicate is also part of the “trust” Page 187  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents equation discussed above; illegitimate efforts to repress expression in the name of security could have deleterious effects on internet usage for legitimate purposes.45 The internet thrives on the open exchange of information—that is, the so-called “marketplace of ideas”—which, in equal measure, requires both access to information and freedom of expression.46 For example, innovation, and the incentive to innovate, depends on striking an appropriate balance between providing access to information, on the one hand, and rewarding inventors by protecting intellectual property rights, on the other. Rapid cyber and ICT developments have allowed the internet to be a particularly powerful driver of economic, social and even political changes. Those changes have been accompanied by a wide array of legal and regulatory initiatives, some of which indirectly or even unintentionally place limits on the right to communicate but which nonetheless may have a chilling effect on expression.47 For example, governments frequently regulate access to certain content in order to reduce criminal activity. In other circumstances, it is possible that governments have incidentally criminalized online expression by failing to keep laws regulating broadcasting current with technological developments.48 A recent study by UNESCO on the issue of preserving online freedom of expression advocated promoting a balance between security and expression. According to that study, governments should take a pragmatic approach that minimizes online restrictions yet which addresses issues arising out of legitimate societal values.49 Such an approach helps to ensure a vibrant future of the internet, preserving its role as a place for the exchange of ideas that has made it such a unique and powerful platform for economic, social and political progress. Conclusion In designing and implementing legal frameworks to combat cybercrime, states should reconcile the different interests that are to be protected. Although data protection/privacy and security may be construed as competing, even mutually-exclusive concerns, there is a rich body of international good practices showing that, at minimum, the privileging of one need not result in the significant diminution of the other. In any case, where one right is curtailed, it should be done on the basis of the principle of proportionality. If a state compiles, stores, uses or discloses personal information— for example, in a police register—, such interference or intrusion into a person’s private life should meet certain conditions under law, that respect due process and re-enforce the “trust” principle by being both proportionate to the legitimate aims pursued and necessary. To ensure that the internet’s full potential is reached, and in order to avoid having a chilling effect on communication— both in personal expression, and in the seeking and acquiring of information—, the laws and their application, whether inadvertently or purposefully, must be kept open and pragmatic. Page 188  |  Chapter 4  |  § B. Data Protection & the Right to Communicate Table of Contents End Notes Referenced in: § A. Introduction & 10. Law enforcement authorities only need a 18. Korean Supreme Court, 2011MO1839 (16 Due Process “retention notice”, not a warrant, which Jul. 2015), en banc ruling. requires telecommunications operators to retain specified items of communications 19. Ulbricht, supra § 2 B, note 111. This case 1. See WDR, supra § 1 A, note 10, at 222 et data for the period or periods set out is highlighted above as an exposé of the seq. in the notice (limited to twelve months). diversity of technology and its enabling Although there are safeguards and effect on cybercrime. See supra § 2 B, 2. Although these notions have been most box 2.6. matters that must be considered before broadly developed in common law the giving of a retention notice, the traditions, similar notions are at play in 20. Andy Greenberg, “Judges Question procedural threshold is lower than the civil law tradition in, for example, the Ross Ulbricht’s Life Sentence in Silk Road that for a traditional warrant. See UK concept of respect pour l’Etat de droit Appeal,” Wired, (6 Oct. 2016), at https:// Home Office, Investigatory Powers Bill: (“respect for the state of the law”). See, www.wired.com/2016/10/judges-question- Explanatory Notes to the Investigatory e.g., “Traités et Affaires institutionnelles: ulbrichts-life-sentence-silk-road-appeal/. Powers Bill as brought from the House Respect de l’état de droit – La of Commons on 8 June 2016 (HL Bill 40), 21. See US Dept. of Justice, “Ross Ulbricht, Commission, soutenue par une majorité para. 232, at https://www.publications. A/K/A ‘Dread Pirate Roberts,’ Sentenced du Parlement européen, maintient la parliament.uk/pa/bills/lbill/2016- in Manhattan Federal Court to Life in pression sur Varsovie,” EuropaForum, (13 2017/0040/17040en.pdf. Prison,” Press Release, (29 May 2015), at Sept. 2016), at http://www.europaforum. public.lu/fr/actualites/2016/09/pe- https://www.justice.gov/usao-sdny/pr/ 11. Ewen MacAskill, “‘Extreme Surveillance’ pologne-etat-de-droit/index.html. At the ross-ulbricht-aka-dread-pirate-roberts- Becomes UK Law with Barely a Whimper,” international level, these notions have sentenced-manhattan-federal-court-life- Guardian, (19 Nov. 2016), at https://www. been evoked in, for example, the ICCPR prison. See also Andy Greenberg, “Silk theguardian.com/world/2016/nov/19/ (Art. 14) and in the ECHR (Art. 6). Road Creator Ross Ulbricht Sentenced extreme-surveillance-becomes-uk-law- to Life in Prison,” Wired, (29 May 2016), with-barely-a-whimper. 3. Miriam F. Miquelon-Weismann, at https://www.wired.com/2015/05/silk- “The Conversation on Cybercrime: 12. Andrew Griffin, “Investigatory Powers road-creator-ross-ulbricht-sentenced-life- A Harmonized Implementation of Act Goes into Force, Putting UK Citizens prison/. International Penal Law: What Prospects under Intense New Spying Regime,” for Procedural Due Process?,” John 22. Joshua Bearman & Tomer Hanuak, “The Independent, (31 Dec. 2016), at http:// Marshall Journal of Computer & Rise & Fall of Silk Road,” Wired, (May www.independent.co.uk/life-style/ Information Law, Vol. 23 (2005), p. 355; 2015), at https://www.wired.com/2015/04/ gadgets-and-tech/news/investigatory- Schriro v. Summerlin, 124 S. Ct. 2510, 2523 silk-road-1/. powers-act-bill-snoopers-charter-spying- (2004). law-powers-theresa-may-a7503616.html. 23. Greenberg, supra note 20. 4. Michael Farbiarz, “Accuracy and 13. Emma Woollacott, “UK Joins 24. US Constitution, IV Amend.: “The right of Adjudication: The Promise of Russia and China in Legalizing Bulk the people to be secure in their persons, Extraterritorial Due Process,” Columbia Surveillance,” Forbes, (16 Nov. 2016), houses, papers, and effects, against Law Review, Vol. 116, Issue 3, (Apr. 2016), at https://www.forbes.com/sites/ unreasonable searches and seizures, pp. 636–37. emmawoollacott/2016/11/16/uk-joins- shall not be violated, and no Warrants russia-and-china-in-legalizing-bulk- shall issue, but upon probable cause, 5. Chief Judge B. Lynn Winmill, David L. surveillance/#718b3a2b58ca supported by Oath or affirmation, and Metcalf & Michael E. Band, “Cybercrime: Issues and Challenges in the United particularly describing the place to be 14. UK Investigatory Powers Act, supra note States,” Digital Evidence & Electronic searched, and the persons or things to be 9, at Art. 23. Signature Law Review, Vol. 7 (2010), p. 31. seized.” 15. Ibid., at Art. 24. 6. Ibid. 25. See, e.g., John Zorabedian, “Ross 16. See, e.g., David Barrett, “One Ulbricht Appeals Silk Road Conviction— 7. Ibid., at 32. Surveillance Camera for Every 11 People Did He Get a Fair Trial?,” Naked Security, in Britain, Says CCTV Survey,” Telegraph, (18 Jan. 2016), at https://nakedsecurity. 8. Ibid. sophos.com/2016/01/18/ross-ulbricht- (10 Jul. 2013), at http://www.telegraph. co.uk/technology/10172298/One- appeals-silk-road-conviction-did-he-get- 9. See United Kingdom: Investigatory surveillance-camera-for-every-11-people- a-fair-trial/. Powers Act 2016 [hereafter, “UK Investigatory Powers Act”], Ch. 25, in-Britain-says-CCTV-survey.html; Paul at: http://www.legislation.gov.uk/ Lewis, “You’re Being Watched: There’s ukpga/2016/25/pdfs/ukpga_20160025_ One CCTV Camera for Every 32 People en.pdf. See also, “Investigatory Powers in UK,” Guardian (2 Mar. 2011), at https:// Act 2016”, UK Parliament, at http:// www.theguardian.com/uk/2011/mar/02/ services.parliament.uk/bills/2015-16/ cctv-cameras-watching-surveillance. investigatorypowers.html. 17. Griffin, supra note 12. Page 189 | Chapter 4 | End Notes Table of Contents 26. See United States v. Ulbricht, No. 15-1815, (2d Cir. 2017), at https://cases.justia. com/federal/appellate-courts/ca2/15- 1815/205494850/0.pdf?ts=1496418409. Also see, Greenberg, supra note 20; Andrew Blake, “Attorney for Silk Road Mastermind Ross Ulbricht Challenges Conviction in Federal Appeals Court,” Washington Times, (7 Oct. 2016), at http:// www.washingtontimes.com/news/2016/ oct/7/appeals-court-hears-case-against- ross-ulbricht-con/. 27. Miquelon-Weismann, supra note 3, at 356–57. 28. Budapest Convention, supra § 1 B, note 32, at Art. 16. 29. Ibid., at Art. 19. 30. Hyun Wook Chun & Ja Young Lee, “Convention on Cybercrime and Due Process of Law: on Preservation and Partial Disclosure of Stored Data,” Korean Criminological Review, Vol. 25, Issue ii, (2014), p. 98. 31. UK Investigatory Powers Act, supra note 9, at Art. 17. 32. Ibid., at Art. 30. Page 190 | Chapter 4 | End Notes Table of Contents Referenced in: § B. Data Protection 6. Data about a communication, as opposed 18. See, e.g., Moxie Marlinspike, “Why ‘I & The Right to Communicate to the content of the communication. The Have Nothing to Hide’ Is the Wrong Way aggregation of information commonly to Think about Surveillance,” Wired, referred to as “metadata” may give (13 Jun. 2013), at https://www.wired. 1. A full exposition of privacy/data an insight into an individual’s behavior, com/2013/06/why-i-have-nothing-to- protection and access to information/ social relationships, private preferences hide-is-the-wrong-way-to-think-about- freedom of expression is beyond the and identity that go beyond even that surveillance/. scope of the Toolkit. In its limited conveyed by accessing the content of discussion, while the Toolkit uses the a private communication. As the CJEU 19. See Daniel J. Solove, Nothing to Hide: terms “privacy” and “data protection” recently observed, communications’ The False Tradeoff between Privacy and interchangeably, both terms are intended metadata “taken as a whole may allow Security, (New Haven, Connecticut: Yale to refer to the protection of digital very precise conclusions to be drawn University Press, 2011). data about a person, and not to other concerning the private lives of the normative constructs about what privacy 20. See Maria Grazia Porcedda, Data persons whose data has been retained.” might mean. In addition, there is very Protection and the Prevention of See, e.g., Seitlinger, supra note 2. little in the literature (a few sources Cybercrime: The EU as an Area of appear in this chapter) specifically about 7. Science News, “Big Data, for Better or Security?, (Florence: European University the intersection of the security that Worse: 90% of World’s Data Generated Institute, 2012), at http://cadmus.eui.eu/ comes with a cybercrime regime and Over Last Two Years,” Science Daily, (22 handle/1814/23296. the tensions that security may place on May, 2013), at https://www.sciencedaily. 21. UDHR, supra § 1 C, note 105, at Art. 12. rights such as privacy and the right to com/releases/2013/05/130522085217.htm. communicate. 22. UN General Assembly, International 8. See Seitlinger, supra note 2. Covenant on Civil and Political Rights, 2. See, e.g., Recent jurisprudence from both United Nations, Treaty Series, Vol. 999 (16 the Court of Justice of the European 9. Vangie Beal, “Big Data,” Webopedia, at http://www.webopedia.com/TERM/B/ Dec. 1966), [hereafter ICCPR], p. 177, at Union (CJEU) and the European Court of https://treaties.un.org/doc/publication/ Human Rights (ECtHR) support striking big_data.html. unts/volume%20999/volume-999-i-14668- this balance. In: Digital Rights Ireland 10. UN Human Rights Council, “Report english.pdf. Ltd v. Ireland and Seitlinger and Others, of the Special Rapporteur on the joined cases C-293/12 & C-594/12 (8 Apr. Promotion and Protection of the Right to 23. UN Treaties Collection, “Status: 2014) [hereafter, “Seitlinger”], the CJEU Freedom of Opinion and Expression,” A/ International Covenant on Civil and ruled the EU Data Retention Directive HRC/17/27 (16 May 2011), at http://www2. Political Rights,” United Nations, at to be in violation of the EU Charter of ohchr.org/english/bodies/hrcouncil/ https://treaties.un.org/pages/ViewDetails. Fundamental Rights. Similarly, in: S and docs/17session/A.HRC.17.27_en.pdf. aspx?src=TREATY&mtdsg_no=IV- Marper v. United Kingdom, the ECtHR, 4&chapter=4&lang=en using a proportionality analysis, found 11. UN Human Rights Council, “The the United Kingdom to be in breach of Promotion, Protection and Enjoyment 24. Early records of the foundational Article 8 of the European Convention on of Human Rights on the Internet” (20th principles of individualism that form Human Rights, holding that the long-term Session), A/HRC/20/L.13 (29 Jun. 2012), at the basis of many of these rights first retention of both fingerprints and DNA http://ap.ohchr.org/documents/alldocs. appeared in the French Déclaration samples interfered with an individual’s aspx?doc_id=20280. des droits de l’homme et du citoyen right to privacy. S and Marper v. United (“Declaration of the Rights of Man and of Kingdom, 30562/04 [2008] ECtHR 1581 (4 12. UN Human Rights Council, “The the Citizen”) adopted in 1789. Dec. 2008). Promotion, Protection and Enjoyment of Human Rights on the Internet” (32d 25. UN Human Rights Council, supra note 12, 3. WDR, supra § 1 A, note 10, at 222 et seq. Session), A/HRC/32/L.20 (27 Jun. 2016), at para. 8 & 15. In particular, the WDR notes “[…] that at http://daccess-ods.un.org/access.nsf/ 26. UN General Assembly, “The Right to getting the data protection and privacy Get?Open&DS=A/HRC/32/L.20&Lang=E. Privacy in the Digital Age,” A/RES/68/167 piece of the puzzle right is, together 13. Ibid. (18 Dec. 2013), at http://www.un.org/ with cybersecurity, a key element in ga/search/view_doc.asp?symbol=A/ engendering trust in and confidence in 14. Ibid. RES/68/167. use of the internet” Ibid., at page p. 227. 15. Budapest Convention, supra § 1 B, note 27. See UN Conference on Trade and 4. See e.g, Stanley Ingber, “The Marketplace 32. Development (UNCTAD), “Data of Ideas: A Legitimizing Myth,” Duke Law Protection and Privacy Legislation Journal, Vol. 33 (1987), p. 1. 16. Budapest Explanatory Report, supra § 1 Worldwide,” United Nations, at http:// D, note 14, at para. 251 unctad.org/en/Pages/DTL/STI_and_ICTs/ 5. WDR, supra § 1 A, note 10, at p. 222 et seq. The WDR notes that “getting ICT4D-Legislation/eCom-Data-Protection- 17. See Derek Bambauer, “Privacy Versus the data protection and privacy Laws.aspx Security,” Journal of Criminal Law & piece of the puzzle right is, together Criminology, Vol. 103 (3) (2013), p. 28. CoE, Convention for the Protection of with cybersecurity, a key element in 667, at http://scholarlycommons.law. Individuals with regard to Automatic engendering trust in and confidence in northwestern.edu/cgi/viewcontent. Processing of Personal Data, CETS use of the internet”. Ibid., at p. 227. cgi?article=7454&context=jclc No. 108 (28 Jan. 1981), at http://www. coe.int/en/web/conventions/full-list/-/ conventions/treaty/108 Page 191 | Chapter 4 | End Notes Table of Contents 29. Additional Protocol to the Convention for 40. For a fuller discussion of issues of 45. The importance of the right to the Protection of Individuals with Regard encryption, see supra § 1 C. communicate is also inhered in the to Automatic Processing of Personal Sustainable Development Goals (SDGs). Data, Regarding Supervisory Authorities 41. For a fuller discussion of issues The SDGs recognize that sustainable and Transborder Data Flows, CoE, CETS surrounding multilateral instruments and development includes “public access to 181 (8 Nov. 2001), [hereafter, “Additional cross-border cooperation, see supra § 3 information and fundamental freedoms” Protocol”], at http://www.coe.int/en/ A. as part of a wider goal (number 16) to: web/conventions/full-list/-/conventions/ “Promote peaceful and inclusive societies 42. See generally, Gus Hosein & Caroline treaty/181. for sustainable development, provide Wilson Palow, “The Second Wave of access to justice for all and build effective, 30. For example, Morocco and Senegal Global Privacy Protection: Modern accountable and inclusive institutions have also requested accession to both Safeguards for Modern Surveillance: at all levels.” See UN Sustainable treaties, and the Philippines have enacted An Analysis of Innovations in Development, “Open Working Group domestic data protection laws. Communications Surveillance Proposal for Sustainable Development Techniques,” Ohio State Law Journal, Vol. Goals,” UN Sustainable Development, at 31. Additional Protocol, supra note 29. 74 (2013), p. 1071. https://sustainabledevelopment.un.org/ 32. Ibid., at Art.1.3. 43. Many social scientists have spoken of focussdgs.html the centrality of communication and 33. Ibid. 46. See generally, WDR, supra § 1 A, note 10, communicating in what it means to be at p. 221. human. For instance, Aristotle called 34. See CoE Committee of Minsters, humans “social” or “political animals.” 47. See, e.g., William H. Dutton, Anna “Regulating the Use of Personal Data Politics, Book 1, § 1253a. At the same Dopatka, Michael Hills, Ginette in the Police Sector,” Recommendation time, James Baldwin, in relating the Law & Victoria Nash, Freedom of No. R(87) 15 (17 Sep. 1987), at https:// role of the novelist—an important form Connection, Freedom of Expression; www.privacycommission.be/sites/ of communication—, has said that the Changing Legal and Regulatory privacycommission/files/documents/ humankind “is not […] merely a member Ecology Shaping the Internet, (Paris: aanbeveling_87_15.pdf. of a Society or a Group or a deplorable UNESCO, 2011) [hereafter, “UNESCO 35. See ibid., at Explanatory Memorandum to conundrum to explained by Science. He is 2”], at http://unesdoc.unesco.org/ Recommendation No. R(87) 15, para. 2. […] something more than that, something images/0019/001915/191594e.pdf. resolutely indefinable, unpredictable. 36. Ibid., at Appendix to Recommendation In overlooking, denying, evading his 48. See UNESCO 1, supra note 39, at p. 41. No. R(87) 15, para. 1–8. complexity […] we are diminished and we In some cases, these inhibitory laws may perish; only within the web of ambiguity, have been designed for an analog media 37. Joseph A. Cannataci & Mireille M. paradox, this hunger, danger, darkness, environment, making their application in Caruana, Consultative Committee of can we find at once ourselves and the the digital, internet context potentially the Convention for the Protection of power that will free us from ourselves.” problematic. Individuals with Regard to Automatic “Everybody’s Protest Novel,” in Notes of Processing of Personal Data (T-PD), 49. See UNESCO 2, supra note 47, at p. 79. a Native Son (Boston, MA: Beacon Press, (Strasbourg: CoE, 2014), at https://rm.coe. 1955). int/CoERMPublicCommonSearchServices/ DisplayDCTMContent?documentId=090 44. For example, see Organization of 00016806ae16a American States (OAS), American Convention on Human Rights (22 Jan. 38. OECD, Guidelines for the Security of 1969), Art. 13; CoE, European Convention Information Systems and Network, (Paris: for the Protection of Human Rights and OECD, 2013), at https://www.oecd.org/ Fundamental Freedoms (4 Nov. 1950), sti/ieconomy/privacy-guidelines.htm. Art. 11; Organization of African Unity First promulgated in the 1980s, they were (OAU), African Charter on Human and updated in 2013. The principles contained Peoples’ Rights (27 Jun. 1981), Art. 9; in the OECD Guidelines form the basis of League of Arab States, Arab Charter most data protection/privacy laws around on Human Rights (15 Sep. 1994), Art. the world. See, e.g., Françoise Gilbert, 32; and Association of Southeast Asian Global Privacy & Security Law, (Palo Alto, Nations (ASEAN), ASEAN Human Rights CA: Wolters Kluwer, 2017). Declaration (18 Nov. 2012), Art. 23. 39. See UN Educational, Scientific, and Cultural Organization (UNESCO), “Keystones to Foster Inclusive Knowledge Societies: Access to information and Knowledge, Freedom of Expression, Privacy and Ethics on a Global Internet”, (France: UNESCO, 2015), [hereafter, “UNESCO 1”], p. 43, at http://unesdoc.unesco.org/ images/0023/002325/232563E.pdf. Page 192 | Chapter 4 | End Notes Table of Contents CHAPTER 5 International Cooperation This chapter discusses both formal and informal aspects of international cooperation to combat cybercrime. In this Chapter A. Multilateral Instruments & Cross-border Cooperation 194 B. Establishing Informal International Cooperation 205 Page 193 | Chapter 5 | International Cooperation CHAPTER 5 A. Multilateral Instruments & Cross-border Cooperation Table of Contents Introduction 194 I. Multilateral Treaties on Cybercrime 196 A. Budapest Convention 196 B. Commonwealth of Independent States Agreement 197 C. Shanghai Cooperation Organization Agreement 197 D. League of Arab States Convention on Combating Information Technology Offences 198 E. African Union Convention on Cyber Security and Personal Data Protection 198 F. Areas of Improvement for Formal International Agreements 198 II. Mutual Legal Assistance Treaties 199 A. General Aspects of MLATs 199 B. Budapest Convention’s MLA Provisions 202 III. Extradition Treaties 202 A. General Aspects of Extradition Treaties 203 B. Budapest Convention’s Extradition Provisions 203 Conclusion 204 Introduction The global, trans-national, cross-border nature of cyberspace raises substantial jurisdictional issues (see section 2 E, above). Operating from a Westphalian nation-state concept of sovereignty, states—and their territorially-based cybercrime legislation—have been “plagued” by the boundary-defying fluidity of cyberspace and of cybercrime.1 Further, different legal systems, with their own unique anomalies and idiosyncrasies, often present major obstacles to countries seamlessly and effectively fighting cybercrime across borders. Although there are a number of offences that can be prosecuted anywhere in the world, regional differences play an important role in the effectiveness of combatting cybercrime. For example, different kinds of content are criminalized in different countries, which means that material that can lawfully be made available on a server in one country might be considered illegal in another (see section 2 E, case 2.3). The issue of convergence of legislation is highly relevant, as a large number Page 194  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents of countries base their mutual legal assistance (MLA) regimes on the principle of dual criminality (see section 2 A, above).2 This means that, outside of mechanisms created by instruments such as the Budapest Convention (discussed below), if the “criminal” act for which the MLA request is only criminalized in one country that has acceded to the mutual legal assist stance treaty (MLAT), then the country being requested to provide assistance may not be authorized to do so. Formal international cooperation aims at addressing three basic problems: Gap-fill national criminal laws that are either incomplete (insofar as they do not deal with 1   cybercrime) or that do not contemplate the kind of cross-border cooperation so often required in combatting cybercrime; Proffer procedural powers where nations are not appropriately equipped to combat 2   cybercrime; and Create enforceable MLA provisions that would facilitate and expedite sharing and 3   assistance in cybercrime matters.3 Effectively fighting cybercrime requires addressing each of these three areas, which demands both efforts at the national level, in developing an appropriate legal framework, and, at the international level, in creating mechanisms for the interoperability of those national frameworks. Failing to address both dimensions could result in the creation of safe havens for cybercriminals.4 Formal international measures, mainly in the form of treaties, attempt to address these concerns by getting states to agree on how to address all of these issues. Where cybercrimes are concerned, complete jurisdiction—that is, over the crime, the evidence and the alleged perpetrators (see section 2 E, above)—is frequently not obtained; as such, states must act beyond their territorial borders and, very frequently, cooperate with others in order to investigate and prosecute cybercrimes. Actions taken through the mechanisms of multilateral instruments, rather than by unilateral effort, are the most effective and important means of establishing extra-territorial jurisdiction over cybercrimes. Once a state has developed the appropriate legal framework for combatting cybercrime (see section 3 A, above), international cooperation is necessary to expand national territorially-based purview and to gap-fill, thereby building effective networks of interoperability that can function coherently and cohesively. That said, even where such formal instruments exist, effective implementation largely depends upon developing informal international relations, typically through additional mechanisms and interactions (see section 5 B, below). Formal and informal modes of cooperation facilitate state consent for conducting foreign law enforcement investigations that affect a state’s sovereignty. For example, law enforcement might access data stored extraterritorially where investigators use an existing live connection from a suspect’s device, or where they use (lawfully-obtained) data-access credentials. Investigators may, on occasion, obtain data from extraterritorial ISPs through an informal direct request, although ISPs usually require due legal process (see section 2 C, case 2.11). Page 195  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents Formal international cooperation comes in various forms. The most targeted means are (I) cyber- specific multilateral treaties.5 Globally, more than eighty states have signed and/or ratified one or more binding cybercrime instruments,6 and many of those states have national cybercrime legislation.7 More generally, formal yet non-cyber-specific mechanisms for international cooperation include (II) MLATs and (III) extradition treaties. These instruments set up frameworks for cooperation, encouraging or requiring states to look more closely at their own domestic legislation. The value of these instruments goes beyond their formal membership, however; notably, by providing a benchmark for states not bound to such instruments,8 Including when taken together with other sources of good practice, these instruments provide important guidance when preparing, for example, model laws.9 I. Multilateral Treaties on Cybercrime Five major cybercrime-specific, multilateral treaties exist: (A) the CoE’s Budapest Convention, (B) the CIS Agreement, (C) the SCO Agreement, (D) the Arab Convention and (E) the AU Convention. Despite these accomplishments and the fact that approximately eighty countries are party to one or more of the four major multilateral treaties on cybercrime in force,10 the still-relatively limited coverage of existing multilateral treaties led the Twelfth UN Congress on Crime Prevention and Criminal Justice in 2010 to conclude that serious consideration ought to be given to developing a further convention to combat cybercrime.11 That call prompted a discussion on (F) what lessons have been learned that could enhance membership in formal international instruments. For State Parties, binding multilateral instruments on cybercrime, as well as other more general anti-crime instruments with international cooperation provisions that can be used to combat cybercrime, provide the basic normative framework for addressing cybercrime. While treaties are, by and large, a positive, their proliferation can be of an issue. One underlying purpose of a treaty is to encourage cooperation among its Member States or Contracting Parties on the subject matter of the treaty. However, the growing number of treaties and international agreements regarding cyberspace poses challenges to ensuring interoperability of the various instruments, as well as effective cooperation among countries that may be members of different instruments and may have different obligations regarding cooperation, especially regarding MLA (discussed below). A more in-depth comparison of the contents of the various cybercrime treaties can be found in appendix 9 B. A. Budapest Convention The Budapest Convention of 2001 is the foremost international instrument on cybercrime, in part because it is the only truly “global” instrument, being open to signature by non-CoE Member Page 196  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents States.12 A great deal of great value has already been written about the Budapest Convention; through a few observations are warranted, the Toolkit does not attempt to either repeat or summarize those commentaries. The Budapest Convention combines a comprehensive set of rules on different aspects of cybercrime including substantive, procedural, jurisdictional and international cooperation issues.13 The Convention is legally binding on its Member States. Its clear definition of criminal offenses as balanced against procedural safeguards14 is an excellent example of good practice. In addition, it contains important provisions requiring Contracting Parties to observe due process and human rights while combatting cybercrime.15 While accession is not limited by geography, accession of non-CoE Member States is restricted to those “invited” upon the unanimous consent of the Contracting Parties to the Convention16; understandably, eighty-four percent of the Convention’s signatories are CoE Member States.17 Saying that, the Convention was developed with the participation of four states that are not CoE Member States,18 and another seventeen non-Member States have either acceded to the Convention or have been invited to do so.19 B. Commonwealth of Independent States Agreement The CIS Agreement of 200120 seeks to encourage cooperation in assuring the effective prevention, detection, suppression, uncovering and investigation of cybercrime offences. To do so, Parties agree to adopt such organizational and legislative measures as may be necessary to implement the provisions of this Agreement, and to strive to ensure the harmonization of their national legislation concerning the combating of offences relating to computer information. While, as with the Budapest Convention21 and the SCO Agreement (discussed below),22 accession is not limited by geography, accession is contingent upon the agreement of all Parties.23 Unlike the Budapest Convention, however, the CIS Agreement was developed by all of its twelve Member States24; thus, it is unsurprising that only CIS Member States have acceded. However, while all twelve CIS Member States signed, only six have ratified,25 with one other state (Russia) having sent notification in 2004 that internal procedures for ratification are underway.26 C. Shanghai Cooperation Organization Agreement With the SCO Agreement of 2009,27 the heads of government of the six SCO Member States reaffirmed that current science and technology conditions warranted cooperation in order to enhance the capability of SCO Member States to confront global challenges and threats.28 Like the Budapest Convention29 and the CIS Agreement,30 accession to the SCO Agreement is not limited by geography.31 All six SCO Members States have signed the Agreement.32 Page 197  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents D. League of Arab States Convention on Combating Information Technology Offences The Arab Convention.33 The Arab Convention adopts a common criminal policy, which serves to enhance and strengthen cooperation in the area of combating information technology offenses that threaten security and interests of Member States and the safety of their communities with specific reference to the importance of Islamic law.34 Parties agree to implement procedural and legislative policies, which both criminalize technology offences, and which facilitate the prosecution of cybercrimes, and the tracking and collection of digital evidence. There is noted deference to equality of the regional sovereignty of states and noninterference in the internal affairs of other states.35 Unlike the Budapest Convention,36 the SCO Agreement37 or the CIS Agreement,38 accession is contingent on membership to the League of Arab States.39 Of the twenty-two member States (with Syria’s membership having been indefinitely suspended), eighteen have signed.40 E. African Union Convention on Cyber Security and Personal Data Protection The most recent of international instruments is the AU Convention of 2014.41 Although the AU Convention is a positive step in the progress of the fight against cybercrime, and an undeniable statement of regional political expression, it diverges substantially from other instruments (both international and domestic); as such, that make the AU Convention is a less useful or desirable model upon which to build, notably in terms of safeguards (see sections 4 A and 4 B, above) and the binding legal nature of the AU Convention in the area of MLATs, for example.42 Moreover, of the fifty-four AU Member States, only right have signed the AU Convention, and none have ratified it.43 The AU Convention requires fifteen instruments of ratification in order to enter into force.44 F. Areas of Improvement for Formal International Agreements Many of the formal international instruments combatting cybercrime have been in existence for up to fifteen years. In the age of the internet, this is, if not a lifetime, certainly a generation. The instruments have proved both flexible and encouraged signatories and non-signatories alike to take action to ensure greater interoperability of legal frameworks.45 That said, while more and more countries from more and more places around the globe are adhering to cybercrime treaties, coverage is still far from universal. Furthermore, there are substantive divergences among those instruments. Page 198  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents Some areas for consideration in the next generation of international instruments follow: ƒƒInclusion. To attract interest—and ownership—from all states, space needs to be created to include them in the consideration of the instrument from an early stage. ƒƒMulti-stakeholdersim. Stakeholders have grown and diversified. In particular, in recognition of the role that private sector actors increasingly play in the fight against cybercrime, effective ways of encouraging cooperation with law enforcement should be explicitly addressed. ƒƒIncorporating lessons learned. Cybercrime is evolving. Cybercrime is evolving. Many of the existing instruments may need modification or renewal. There is an inherent tension in any instrument between being sufficiently flexible to accommodate evolving cybercrime, and being too vague or general; each dimension may require different types of adjustment. ƒƒOvercoming persistent limitations in coverage. Perhaps related to inclusion, uptake of membership in international instruments, despite the openness of the Budapest Convention and the proliferation of regional and sub-regional instruments while growing, is still relatively low. ƒƒNational implementation. Joining any of the instruments is not in and of itself the ultimate goal; it is only the starting point. What is really required, ultimately, is national domestication of the terms of those instruments, and subsequent implementing and practicing those requirements by appropriate authorities. ƒƒInternational instruments aggravate differences among states. Because of the variability of implementation of national laws to reflect treaty-based obligations (that is, differences in national laws), cooperation obligations in treaties may exacerbate different approaches. For example, rights of the accused may vary from country to country, but MLA provisions may require assistance, thus potentially facilitating abuses, especially in areas of dual criminality. ƒƒSafeguards. Not all the instruments provide safeguards for protecting due process (see section 4 A, above) and other fundamental rights, notably in matters of privacy and/or data protection and of freedom of expression (see section 4 B, above). II. Mutual Legal Assistance Treaties This subsection first provides a (A) general overview of the nature and general aspects of MLATs, and then (B) examines how these aspects are treated in multilateral instruments using the example of the Budapest Convention’s MLA provisions. A. General Aspects of MLATs MLATs are agreements between two or more countries for the purpose of gathering and exchanging information in order to enforce public or criminal laws. While binding multilateral instruments provide an important basis for international cooperation,46 even non-binding MLATs Page 199  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents (which have been particularly influential in Caribbean and African countries) offer valuable guidance on international or regional standards for dealing with cybercrime.47 Moreover, states having entered into MLATs tend to adopt domestic law on cybercrime.48 In addition, there are a number of regional instruments dealing with MLA in the broader criminal context.49 According to UNODC, extra-territorial evidence in cybercrime cases is obtained through traditional forms of cooperation, with over seventy percent of reporting countries using formal MLA. Within such formal cooperation, almost sixty percent of requests use bilateral MLATs as the legal basis. Multilateral MLATs are used in twenty percent of cases. Response times for formal mechanisms were reported to be of the order of months, for both extradition and MLA requests, a timescale that presents particular in the cybercrime context, as electronic evidence is typically volatile by nature.50 Initiatives for furthering informal cooperation and for facilitating existing formal cooperation, such as 24/7 networks, offer important potential for faster response times (see section 5 B, below).51 While MLATs can be formed at a multilateral or bilateral level, unfortunately, over sixty percent of countries are not party to any multilateral cybercrime instrument, meaning that they have no international legal obligation to either include specialized cybercrime investigative powers in national procedural laws, or to carry out specialized investigations in response to cooperation requests.52 Indeed, UNODC has noted “modes of informal cooperation are possible for around two-thirds of reporting countries, although few countries have a policy for the use of such mechanisms.”53 Box 5.1: Korea Example of Legislation on International Judicial MA in Criminal Matters54 “Art. 5: The scope of mutual assistance shall be as follows: (1) Investigation into the whereabouts of a person or object; (2) Provision of documents and records; (3) Service of documents, etc.; (4) Gathering of evidence, seizure, search, and verification; (5) Transfer of objects, such as evidence; (6) Hearing of statements, and other measures to make any person testify or cooperate with an investigation in the requesting country. “Art. 6: Mutual assistance may not be provided in any of the following cases: (1) Where it might be detrimental to the sovereignty, national security, public peace and order, or public morals, of the Republic of Korea; (2) Where it is deemed that the criminal might be punished, or subject to an unfavorable penalty disposition, due to his/her race, nationality, gender, religion, social status, or the fact that he/she is a member of a specified social organization, or by the reason that he/she has a different political view; (3) Where it is deemed that the crime under mutual assistance is of a political nature, or a request for mutual assistance is made for the purpose of an investigation or trial on another crime of a political nature; (4) Where the crime under mutual assistance does not constitute a crime, or it is a crime against which Page 200  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents no public action may be instituted, under any Act of the Republic of Korea; (5) Where the requesting country fails to give a guarantee although this Act prescribes that the requesting country should do so.” With mechanisms for requesting and obtaining evidence for criminal investigations and prosecutions, MLATs remain one of the most comprehensive tools for building an interoperable legal framework at the international level, and, therefore, for overcoming jurisdictional issues. MLATs allow signatories to shift from strict territorial views to more comprehensive and cooperative views,55 providing them with reciprocal abilities to obtain jurisdictional power over offenses (see section 2 E, above). MLATs, though effective tools, are far from perfect. Frequently, they are not particularly extensive, and, in order for them to have effect, signatories typically must first introduce and domesticate the treaty’s provisions into their own legal systems through legislation or other appropriate means.56 Moreover, it is commonly lamented that MLAT facilitation mechanisms are difficult and take time to effectuate.57 While efforts are underway globally to improve these processes, many factors combine to impede progress. Such hindrances are of particularly great concern in combatting cybercrime, where evidence is often fragile and fleeting, and where it is found in a world—cyberspace—where identity and anonymity are easily created and recreated. Similarly, as the location of the perpetrator may be difficult to identify, determining which entities have control over the desired data may be complicated. Indeed, even once the perpetrator’s location has been identified, the desired data may not be so easy to identify and locate, a matter complicated both by the facile manner in which data might be moved, and by technology developments, such as cloud computing, that allow the fragmenting and (re)routing of data through several countries (see section 2 C, above). All of the above elements together frequently make it unclear which state has legal jurisdiction over the data. As a result, an increasing number of states are asserting jurisdiction to continue electronic investigations even when, in the physical world, that action might be considered an infringement of another state’s sovereignty. For instance, antitrust investigators of Belgium, Brazil, and the EU, among others, assert the right to conduct electronic searches in certain circumstances, even where they are aware that the search will take place outside of the physical territory in which they have authority and know to which country an MLA request could be sent. While these assertions of investigative jurisdiction may be proper under the law of the states or organizations that undertaking such actions, they may be considered as improper by the states where the data is located, or by the investigated party. As such, some states disallow such searches entirely, creating further obstacles to interoperability. As the principle challenge to MLA requests is typically lenghty response times,58 three of the major multilateral treaties on cybercrime—the Budapest Convention,59 the CIS Agreement60 and the Arab Convention61—seek to expedite matters by requiring Member States to designate points- of-contact for MLA requests. Relatedly, in order to facilitate the gathering of electronic evidence, Page 201  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents the same three instruments provide rules on expedited means of communication or other urgent channels for MLA requests.62 However, as these treaties are only binding on their Member States, non-Member States are less likely to have such urgent (or clear) channels for MLA requests in place in comparison to Member States of those treaties.63 B. Budapest Convention’s MLA Provisions The Budapest Convention is the most extensive MLAT on cybercrime. Designed with the purpose of fostering cooperation on cybercrime,64 the Convention comprehensively covers those actions that Parties are to criminalize in their domestic law as cybercrimes (see section 2 B, above), before going on to address procedural and evidentiary issues. The Convention stipulates that each Party is to implement laws giving it jurisdiction over offenses committed: (1) within its territory; (2) on board a ship flying its flag; (3) on board an aircraft registered under its laws; or (4) by one of its nationals.65 In so doing, the Convention combines the principle of territorialty with that of active nationality. It does not, however, utilize other available principles for extending jurisdiction (see section 2 E, above). That said, the Convention does not exclude Parties from unilaterally using such principles to expand jurisdictional requirements.66 In addition to obliging Parties to criminalize the offenses that it enumerates, the Budapest Convention also obliges Parties to ensure that that procedural tools are available to investigate the enumerated crimes, as well as other crimes not listed in the Convention.67 Doing so is a recognition of the importance of electronic investigations in any type of crime, and at any stage of development. For instance, mobile-phone data may be indispensable to combatting human trafficking, corruption, narcotics or child exploitation. The Convention’s procedural tools are tailored to avoid violations of sovereignty and human rights, while still enabling states to adequately investigate crimes.68 Of particular note is the matter of expediency. The Convention makes significant strides towards improving the timeliness with which cybercriminal matters are addressed between Parties. One such mechanism is had by requiring each state to create a “24/7 Network”,69 a matter that, though introduced through formal means, sets up substantial opportunities for developing the often-more effective methods of informal cooperation (see section 5 B, below). III. Extradition Treaties This subsection discusses (A) the general nature and aspects of extradition treaties, and then (B) uses the provisions of the Budapest Convention as an example. Page 202  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents A. General Aspects of Extradition Treaties While MLATs focus on the cross-jurisdictional gathering and exchanging of information, extradition treaties aim to create a means for giving jurisdiction over the perpetrator—what is frequently called physical or personal jurisdiction—to the state desiring to prosecute (referred as the “requesting state”). Extradition treaties are the most common form of international cooperation for obtaining jurisdiction over the alleged perpetrator, who is often referred to as the “target”. Although extradition is frequently included as an element in MLATs,70 separate, standalone agreements are often agreed upon. The core provisions of an extradition agreement create assurances and procedures for the custodial state to honor a warrant issued by the requesting state, thereby obliging the custodial state to take the target into custody and arrange transfer to the requesting state.71 Extradition treaties operate under the principle of aut dedere aut judicare—“extradite or prosecute”.72 However, and notwithstanding that guiding principle, extradition agreements are often limited by crime type,73 and have carve-outs and disallowances—for instance, the European Convention on Extradition disallows extradition where the offense for which extradition is sought is considered political in nature, or where it is punishable by death under the law of the requesting state.74 In instances where the target is a national of the custodial state, or where the custodial state has created some other legal basis necessary for prosecuting the target, that state may prosecute and punish before extraditing to the requesting state.75 Where cybercrime is concerned, the effectiveness of extradition treaties may be hindered by the requirement of what is called “dual criminality”. Dual criminality is the concept that extradition can only be allowed if the allegedly illegal act is a crime in both states.76 For instance, in the case of the “Love Bug” virus, the absence of legislation criminalizing computer crimes in the custodial state (in this case, the Philippines) not only precluded local prosecution of the believed-Filipino hacker, but also prevented foreign authorities (notably, the FBI) from seeking extradition under the applicable agreement due to the requirement of dual criminality (see section 2 E, box 2.7, above). B. Budapest Convention’s Extradition Provisions The Budapest Convention includes specific provisions for extraditing a target.77 However, the obligation to extradite is limited, first, to offenses established in accordance with the Convention, second, by the principle of dual criminality, and, third, to offenses that are punishable by the deprivation of liberty for a maximum period of at least one year or by a more severe penalty.78 This last element—the threshold penalty—was introduced because it was not considered appropriate to require that each of the offences be considered per se extraditable, as Parties might, in their own sovereign discretion, prescript different incarceration periods.79 It bears noting that the determination of whether an offender is extraditable hinges upon the maximum period that may legally be imposed for a violation, not upon the actual penalty imposed.80 Moreover, the Page 203  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents Convention allows for coupling with other extradition treaties: where another extradition treaty exists, the offenses of the Budapest Convention might be deemed extraditable offences under that other treaty,81 thereby potentially expediting matters, especially with states not party to the Convention. Conclusion The inherently transnational, cross-border nature of cybercrime has led to jurisdictional issues—over the crime, the evidence and the alleged perpetrators—that require international cooperation if they are to be overcome. The most effective and efficient means of doing so is through formal instruments, as supplemented through informal mechanisms. There is a threefold lack that these formal instruments attempt to overcome, namely: lack of criminal laws, lack of procedural powers and lack of enforceable MLA provisions.82 The three major means for filling-in these gaps comes through cyber-specific multilateral MLATs, more general MLATs and extradition treaties. The most comprehensive and influential cyber-specific instrument is the Budapest Convention. A leading example of how to address the most urgent issues in the domain of cybercrime, its binding nature on Parties has increased its efficacy and suits its aspirational goal of harmonization—an ambition somewhat beyond interoperability—in this area. Moreover, the indirect impact of the Convention has unquestionably been far-reaching, serving as a model for legislation, offering general guidance and sparking substantial debate the world over. The Convention has done much to further international cooperation, even among states that already enjoyed good relations.83 Notwithstanding its limitations, the Budapest Convention has many strengths, leading one commentator to say that: “[I]t is likely to remain the most significant international legal instrument in the field for the foreseeable future.”84 Page 204  |  Chapter 5  |  § A. Multilateral Instruments & Cross-border Cooperation Table of Contents CHAPTER 5 B. Establishing Informal International Cooperation Table of Contents Introduction 205 I. The Place for Informal Cooperation 206 II. 24/7 Networks 206 A. G8 24/7 Network for Data Preservation 207 B. Budapest Convention 24/7 High Tech Crime Points of Contact Network 208 C. INTERPOL I-24/7 Global Police Communications System 208 III. Information Sharing & Coordination Centers 209 A. INTERPOL’s Global Complex for Innovation 209 B. Europol’s European Cybercrime Center 210 C. EU’s Judicial Cooperation Unit 211 D. US National Cyber-forensics & Training Alliance 212 E. Commonwealth Cybercrime Initiative 214 F. OAS Initiatives 214 IV. Inter-institutional Collaboration 215 V. Standardizing Requesting Procedures 215 Conclusion 216 Introduction This chapter begins, and much of the Toolkit has discusses, the place of formal, international agreements, it does so on the understanding that sovereignty resides with states; however, it does so while keeping an eye to finding global consensus and to promoting international interoperability. However, and for various reasons, formal mechanisms of international cooperation have generally only sketched out the larger cooperative space, leaving a great deal for states to fill in through informal and ad hoc cooperation. As the division between the formal and the informal is often subtle, the Toolkit uses the more clearly delineated provisions of international instruments as indicative of formal mechanisms of international cooperation, leaving the unspoken spaces where Page 205  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents cooperative acts have occurred to the realm of informal cooperation. Notwithstanding that distinction, this section begins by (I) acknowledging that calls for informal cooperation often come from international sources, a reality that deserves discussion in order to better understand and contextualize the environment in which informal international cooperation is situated. In considering informal mechanisms of international cooperation, particular note should be paid to (II) 24/7 networks and (III) information sharing and coordination centers, the skeleton of which formal instruments have laid out, but the meat of which is largely left to states to put on as they see fit. Somewhat separately, it should be recalled that (IV) inter-institutional collaboration can achieve important results. Less visible but also important are (V) efforts to improve interoperability by standardizing information requests and authentication procedures. I. The Place for Informal Cooperation Governments, international organizations and non-governmental organizations alike have all proposed various options supporting international interoperability. For example, in 1990 the UN General Assembly adopted a resolution dealing with computer crime legislation.1 In 1997, the G8 released a Ministers’ Communiqué that included an action plan and principles for combatting cybercrime and protecting data and systems from unauthorized impairment.2 In 2003, the World Summit on the Information Society (WSIS) issued the Geneva Declaration of Principles and Plan of Action, which highlighted the importance of cooperative measures in building confidence and security in the use of ICTs.3 As discussed,4 formal measures, notably the Budapest Convention, the Council of Europe’s 2001 contribution to the quest for international interoperability, help lay a shared framework upon which other informal efforts might be laid. European efforts have particularly focused on overcoming procedural obstacles that pertain to the principles of territoriality and of national sovereignty, and that hamper international computer crime investigations.5 While the highly visible Budapest Convention may largely set the structure,6 much of the work is done through a number of general EU-instituted7 measures to facilitate police cooperation at the operational level.8 II. 24/7 Networks With borders serving as no hindrance to cybercriminals, and with time zones often helping to Page 206  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents cloak their illegal activities from immediate notice, effectively combatting cybercrime requires an internationally-tasked, constantly-active response network that integrates national law enforcement agencies. Because “crime never sleeps”, individual countries should designate directly reachable point-persons for every hour of every day, with contact information kept current. In order for 24/7 networks to operate effectively, national point-persons must understand their own legal and policy framework; how their domestic arrangements intersect and interact with the larger international systems function; have the minimum technical knowledge to understand cybercriminal behavior; and must be capable of communicating in foreign languages, with English language skills being a minimum.9 Several authorities have created such a network, three of which are of particular note: (A) the G8,10 (B) the Budapest Convention and (C) INTERPOL. Table 5.1: Various 24/7 Networks Network Name Date Members Organizing Authority G8 24/7 Network for High-Tech Jun. 2015 70 G8 High-Tech Crime Crime Subgroup Budapest Cybercrime 24/7 Network Sep. 2015 55 CoE INTERPOL Global Police Jun. 2015 136 INTERPOL Communications System A. G8 24/7 Network for Data Preservation Through its Lyon-Roma11 High Tech Crime Subgroup (HTCSG),12 the G8 proposed its 24/7 Network for Data Preservation.13 Becoming operative in 1999,14 and gaining further impetus from the G8 Deauville summit in 2011,15 the network has seventy members today. Its focus is on creating cyber- specialized points-of-contact for incidences requiring urgent assistance with investigations involving electronic evidence. The Computer Crime and Intellectual Property Section (CCIPS) of the US DoJ manages new memberships for the HTCSG and is responsible for periodic updates of information on the point-of-contacts. Further efforts to develop a training initiative will further develop not only the necessary cybersecurity capacity-building, but also boost international understanding and cooperation.16 An example of informal international cooperation facilitated through international instruments, such trainings are not only a vital part in the fight against cybercrime, but also an example of the propulsive effect that international agreements and instruments—even if not formalized at the level of a treaty—can have. Page 207  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents B. Budapest Convention 24/7 High Tech Crime Points of Contact Network The Budapest Convention requires Parties to create a 24/7 High Tech Crime Points of Contact Network.17 Parties are required to “designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”18 That assistance is intended to facilitate the provision of technical assistance, data preservation, evidence collection, legal aid and assistance locating suspects.19 The Convention goes so far as to permit those measures to be directly carried out by the requesting state, its domestic law and practice allowing.20 The 24/7 Network has proven quite effective, with its “services [proving…] invaluable in helping to ensure that investigators could preserve and seek the information they needed to investigate the emergency”.21 C. INTERPOL I-24/7 Global Police Communications System INTERPOL’s I-24/7 Global Police—which it calls the “foundation of information exchange between the world’s police”—is a worldwide communications system connecting law enforcement officers in INTERPOL Member States.22 Through each state’s domestically-staffed National Central Bureau (NCB), authorized users—typically frontline law enforcement officers—can share sensitive and urgent police information with their counterparts around the globe on a 24-hour-a-day, 365-day- a-year basis with direct access to INTERPOL’s range of criminal databases, including databases on suspected criminals or wanted persons, stolen and lost travel documents, stolen motor vehicles, fingerprints, DNA profiles, stolen administrative documents and stolen works of art.23 Preparations are underway to extend access to INTERPOL services beyond the NCB to additional frontline officers, including immigration and customs officials.24 In order to further expedite assistance, each state’s NCB designates a National Central Reference Point for Computer-Related Crime (NCRP), who is available through an INTERPOL-managed hotline. Among other things, it features an early warning system between cybercrime investigation units. Box 5.2: Korea Activates 24/7 Network to Secure e-Evidence On 23 December 2014, cybercriminals successfully hacked the computer systems of South Korea’s state-run nuclear operator, Korea Hydro and Nuclear Power Co. Ltd. (KHNP).25 KHNP, which operates Korea’s twenty-three large reactors and its many hydroelectric plants, is responsible for about forty percent of the country’s electric power supply.26 Although there was no evidence that the nuclear controls systems were hacked, sensitive information, including blueprints of nuclear plant equipment, electricity flow charts and estimates of Page 208  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents radiation exposure among local residents, was stolen, some of which was posted on the internet via Twitter.27 The hackers demanded that three of the reactors be shut down, as well as an unspecified amount of money, threatening, in a message posted on Twitter, to “bring destruction” to the power plants if the demands were not met.28 Utilizing the G8 24/7 Network, the Korean point-of-contact sent email and telephone requests to the US point-of-contact asking that digital evidence in the relevant Social Networking Service (SNS) accounts to be preserved. The US point-of-contact subsequently turned to the ISPs managing the relevant accounts, activating protocols enabling the disclosure of evidence in emergency situations. Within twenty-four hours after the request, information on the offenders’ SNS accounts and access logs had been delivered to the Korean investigative team. III. Information Sharing & Coordination Centers While cooperative 24/7 networks can help preserve digital evidence located in other jurisdictions,29 law enforcement has repeatedly lamented the absence of mechanisms to enter electronic networks and to expeditiously preserve computer data, such as connection logs.30 Due to cybercrime’s inherently transnational and cross-jurisdictional nature, at any moment, and from any part of the world, cybercriminals can attack multiple targets. As such, leaving a country’s law enforcement to independently conduct investigations could end up with only partial findings. Moreover, operating independently might inadvertently—and inopportunely—influence investigations in other countries, for instance, by alerting targets, disclosing information, or destroying evidence. Furthermore, the deterrent effect is limited where only certain members of multinational crimes are prosecuted; such is especially true in instances where a state lacks the capacity or resources to investigate and prosecute, thereby encouraging cybercriminals to act with impunity. Several global information sharing and coordination centers have emerged, notably (A) INTERPOL’s Global Complex for Innovation, (B) Europol’s European Cybercrime Center, (C) the EU’s Judicial Cooperation Unit, (D) the US National Cyber-Forensics and Training Alliance, (E) the Commonwealth Cybercrime Initiative and (F) OAS initiatives. A. INTERPOL’s Global Complex for Innovation Recognizing that technological developments mean police worldwide face an increasingly challenging operational and cross-global landscape, the INTERPOL Global Complex for Innovation (IGCI) opened in Singapore in June 2015.31 A cutting-edge research and development facility for the identifying of crimes and criminals, providing innovative training, offering operational support and nurturing partnerships, IGCI places an emphasis on developing and enhancing open-source Page 209  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents forensics cyber tools for local law enforcement. Recent technical innovations have transformed the nature of crime fighting, and open-source forensics tools are particularly favorable as they are so useful for police departments in poor and developing nations. In addition to improving formal, national capacity-building by encouraging and supporting domestic development, IGCI also supports informal cooperation by stationing police officials from various countries at its headquarters. As such, IGCI not only furthers both information sharing but also the larger object of inter-governmental coordination. IGCI is the product of the recognition that combatting cybercrime requires interoperability in both formal and informal ways. Effectively, IGCI is a space for law enforcement to learn about the latest cybercrimes, and to have their work supported by state-of-the-art digital forensics laboratories and research stations. Moreover, as real-time access to criminal data is crucial in today’s technologically innovative and rapidly changing world, private sector and academia, IGCI also serves as an important means for building innovative public-private partnerships by integrating the private sector and academia into its activities. The digital forensic laboratory conducts analysis of criminal trends, tests forensic devices, develops good practices and supports empowerment training. The cyber fusion center analyzes information from the private sector and academia, which it provides to Member States in support of their investigations. The placement of IGCI in Asia was not merely a piece of savvy politicking32 but a conscientious decision: by working in coordination with INTERPOL’s General Secretariat, seated in Lyon, France33 and its recently established Command and Coordination Centre (CCC) in Buenos Aires, Argentina34 constant, global coverage is guaranteed.35 This strategic geographic placement facilitates the combatting of cybercrimes that have targets, not only in multiple jurisdictions, but also in multiple and differing time zones, and which often take place using co-conspirators located in various countries, using ICT systems sitting in equally divergent countries. B. Europol’s European Cybercrime Center Another model for information sharing and coordination is Europol’s European Cybercrime Center (EC3).36 Set up in January 2013, EC3 is tasked with following cybercrimes committed by organized groups (especially, for instance, online fraud); that cause serious harm to the victim (e.g., online child sexual exploitation); and that affect critical EU infrastructure and information systems (e.g., cyberattacks).37 As with the IGCI, EC3 collects criminal information, supports investigation, assists in digital forensics, pursues research and development provides and education and training. Strategically situated within Europol both to draw on Europol’s existing law enforcement capacity and to expand Europol’s existing capabilities, EC3 serves as the central EU hub for criminal information and intelligence, while also supporting Member States’ operations, providing strategic analysis products and providing highly specialized technical and digital forensic support capabilities.38 Staffed by cyber liaisons officers and analysts seconded from EU Member States, as well as from certain non-Member States, EC3 also supports training and capacity-building, and Page 210  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents serves as a comprehensive outreach function connecting cybercrime-related law enforcement authorities with the private sector, academia and other non-law enforcement partners.39 The value of coordination and cooperation has been recognized, leading to the creation of the Joint Cybercrime Action Taskforce (J-CAT). Launched in September 2014 as a six-month project to facilitate joint investigations, the Taskforce has the objective of proactively driving intelligence-led, coordinated action against key cyberthreats and top targets.40 J-CAT is specifically involved with high-tech crimes (such as malware, botnets and intrusion), crime facilitation (such as bulletproof hosting, counter-anti-virus services, infrastructure leasing and rental, money laundering, including virtual currencies), online fraud (online payment systems, carding, social engineering) and the various aspects of child sexual exploitation online.41 C. EU’s Judicial Cooperation Unit Police-to-police efforts are not the only forms of international information sharing and operational coordination. The EU’s Judicial Cooperation Unit (Eurojust) is an example of international judicial coordination. Set up in February 2002 (but with its origins going back to 1999),42 it is composed of national prosecutors, magistrates and police officers of equivalent competence that are detached from each Member State according to their own legal system. Its mission, enshrined at the heart of the European Union by the Treaty of Lisbon, is “to support and strengthen coordination and cooperation between national investigating and prosecuting authorities in relation to serious crime affecting two or more Member States [….]”43 In particular, it assists by facilitating the execution of MLATs and extradition treaties.44 Eurojust has been central to negotiating cooperation agreements with third states and among EU agencies, allowing the exchange of judicial information and personal data.45 Eurojust maintains a network of contact points worldwide that serve as “active intermediaries”, including the twenty-eight EU Member States, as well as contact points in twenty-three non- Member States.46 It also has privileged relationships with the European Judicial Network (EJN), Europol, the European Anti-Fraud Office (OLAF) and Liaison Magistrates.47 In this discussion, the relationship with EJN, which is composed of more than three hundred national contact points throughout the EU Member States, is of particular note.48 Although not an EU entity, it bears noting that the Global Prosecutors E-crime Network (GPEN) of the International Association of Prosecutors (IAP)49 provides networks of national contact points for the facilitation of judicial cooperation, with which Eurojust frequently communicates. These networks focus on personnel exchanges designated by nations and interchanges of expertise by organizing regular conferences and meetings, as well as publishing relevant materials. Now permanently seated in The Hague alongside Europol,50 Eurojust’s competence covers the same types of crime and offences for which Europol has competence, including terrorism, drug trafficking, trafficking in human beings, counterfeiting, money laundering, computer crime, crime against property or public goods including fraud and corruption, criminal offences affecting Page 211  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents the European Union’s financial interests, environmental crime and participation in a criminal organization.51 For matters beyond those for which it has competence, Eurojust may be called to assist in investigations and prosecutions at the request of a Member State.52 Eurojust serves as an organizational and orchestrating authority for cross-Member State matters, with power to ask the competent authorities of concerned Member States concerned to investigate or prosecute specific acts, to coordinate with one another, to determine that one state is better placed to prosecute than another, to set up a Joint Investigation Team, and to provide Eurojust with information necessary to carry out its tasks.53 In December 2008, Ministers of Member States at the Justice and Home Affairs Council adopted a revised Council Decision on the strengthening of Eurojust, notably by increasing information interchange, and by making Eurojust available to national authorities on a 24/7 basis.54 Box 5.3: Operation BlackShades BlackShades was an organization developing and selling malware that enabled buyers to infect and take control of computers—for instance, one buyer infected at least 2,000 computers, controlling the victims’ webcams to take pictures of women and girls.55 A US FBI investigation revealed links to several EU Member States,56 certain of which had already begun their own independent investigations.57 Sellers and users of BlackShades malware were targeted by judicial and law enforcement authorities in sixteen states during this worldwide investigation.58 Eurojust, supported by EC3, subsequently coordinated a common operation. Beginning in November 2013 with information sharing and the coordinating of actions, the operation culminated in May 2014 with a two-day strike involving actions in sixteen countries (the Netherlands, Belgium, France, Germany, the United Kingdom, Finland, Austria, Estonia, Denmark, Italy, Croatia, the United States, Canada, Chile, Switzerland and Moldova).59 Over those two days, 359 house searches were carried out worldwide, 97 people arrested and over 1,100 data storage devices suspected of being used in the illegal activities were seized.60 Substantial quantities of cash, illegal firearms and drugs were also seized, as was the domain of the BlackShades website.61 Eurojust assisted the involved states by delivering overviews of the status of the investigations in each state and by providing judicial assistance, with EC3 providing real-time analytical support. Eurojust also played a key role in determining the optimal country for prosecution. D. US National Cyber-forensics & Training Alliance The National Cyber-Forensics & Training Alliance (NCFTA)62 was established in 2002 as a non- Page 212  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents profit corporation focused on identifying, mitigating and ultimately neutralizing cyberthreats through strategic alliances and partnerships with Subject Matter Experts in the public, private and academic sectors.63 Jointly founded by the FBI, the investigative branch of the DoJ,64 and InfraGard, a partnership between the FBI and the private sector that operates as an association of persons representing businesses, academic institutions, state and local law enforcement agencies and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.65 Headquartered in Pittsburgh, Pennsylvania, the NCFTA has offices in Los Angeles, California and New York, New York66 and has strategic partnerships with institutions around the world.67 The NCFTA shares information on emerging cyberthreats and resources, including Subject Matter Experts, on a real-time basis across all sectors and with all partners via multiple communication channels.68 Foreign cyber law enforcement officers are embedded at NCFTA for extended periods. The most valuable and effective means of communications of NCFTA network is verbal, face-to- face communication that happens daily, in the neutral environment of trust that NCFTA has built. Such efforts are proactive and preventative, thereby enabling NCFTA to give early warnings relating to cyberthreats and cyber transactions, as well as to assist partners in protecting their brand, reputation, shareholder value, economic losses and customer confidence. In an effort to streamline intelligence exchange, NCFTA regularly organizes interaction into threat- specific initiatives. Once a significant cybercrime trend is realized and a stakeholder consensus defined, an initiative is developed wherein NCFTA manages the collection and sharing of intelligence with industry partners, appropriate law enforcement and other cross-sector SMEs. Each initiative analyzes real-time resources to identify threats, threat actors and provide actionable intelligence to industry and law enforcement to neutralize the threats. Through NCFTA initiatives, hundreds of criminal (and some civil) investigations have been launched which would not otherwise have been addressed. Currently, NCFTA has aided in successful prosecutions of more than three hundred cyber criminals worldwide. Furthermore, NCFTA has produced more than eight hundred cyberthreat intelligence reports over the past three years alone to support these initiatives. Law enforcement and private sector entities are co-located at NCFTA.69 In this regard, if, for example, a private sector entity, such as a bank or credit card company, is a victim of a cyberattack, then that entity can immediately pass any relevant information on to other NCFTA members. With the support of law-enforcement agency representatives who are also located at NCFTA headquarters, members can then use that information to open or advance existing investigations in concert with global partners. NCFTA supports specialized and targeted programs, including the Cyber Financial Program (CyFin), which is dedicated to the identification, mitigation and neutralization of cyberthreats to the financial services industry70; the Brand and Consumer Protection (BCP) Program, which focuses on keeping the internet as a safe place for the sale of retail goods71; and the Malware and Cyber Threats (MCT) Program, which researches, identifies and provides timely alerts through data feeds and proactive intelligence on cyberthreats under analysis.72 Page 213  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents The success of NCFTA is in large measure due to the relationships it has engendered between the public and private sectors. Indeed, collaboration and cooperation among private industry, academia and law enforcement has been critical to their continued success and effectiveness.73 E. Commonwealth Cybercrime Initiative The Commonwealth Cybercrime Initiative (CCI)74 is a capacity-building program of the Commonwealth Secretariat aiming to assist member states through multi-stakeholder partnership providing coherent, comprehensive and sustainable assistance to reduce cybercrime.75 Bringing together forty international organizations—including INTERPOL, OAS, CoE, the Commonwealth Telecommunications Organisation (CTO) and ITU—to form the CCI Consortium, it helps put on multidisciplinary programs in Commonwealth countries.76 It brings additional resources to the Commonwealth Model Law on Cybercrime and to the Harare Scheme for MLA.77 The CCI deserves notable attention for, while it and both the Model Legislation and the Harare Scheme are voluntary and non-binding,78 Commonwealth Heads of Government have given it an unambiguous mandate,79 thereby providing CCI with unique political buy-in.80 The Commonwealth Secretariat is the focal point for CCI, with a representative from its Rule of Law Division sitting on CCI’s Executive Management Committee81 and providing secretariat.82 CCI operates by deploying a mission team upon a member state’s request. As an example of the good practices discussed above (see sections 2 C and 2 D, above) is that teams include both at least one technical and one criminal justice expert.83 The team, which is drawn from CCI Consortium Member States best placed to donate the requisite resources, conducts a gap analysis based on the CCI Checklist,84 from which a needs assessment report is produced.85 The report’s outcomes, which are agreed upon with the Member State, outlines priorities and capacities for reform, which the Consortium will then seek to develop. The program regional in its approach, has been active in both the Caribbean (e.g., Trinidad and Tobago) and Africa (e.g., Ghana, Botswana, Kenya, Uganda and Tanzania). Notable regional approaches to tackling cybercrime in which CCI has been central include the EAC Justice Network on Cybercrime and Electronic Evidence (in collaboration with UNODC)86 and a still-nascent Caribbean organization.87 F. OAS Initiatives Bringing together all thirty-five independent states of the Americas, the OAS constitutes the main political, juridical and social governmental forum in the Western Hemisphere, as well as the oldest regional organization in the world (dating to the First International Conference of American States, held in Washington, DC, from October 1889 to April 1890).88 OAS addresses cybercrime through two different projects. First, its Inter-American Committee against Terrorism has a launched the Cyber Security Program.89 Tackling cybersecurity more broadly, and within the context of cyberterrorism,90 it has established CIRTs in each country to Page 214  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents create a Hemispheric watch and warning network providing guidance and support, to cultivate and support NCSs (see section 2 F, above), and to promote a culture and awareness of cybersecurity.91 While cybercrime is an element of that overall approach, it is relatively small one, with emphasis being placed on legislative criminalization and the implementation of appropriate legal tools.92 Second, as part of the 1997 Reunión Extraordinaria de los Ministros de Justicia de las Americas, OAS set up, under the auspices of the Department of Legal Cooperation, both the Inter-American Cooperation Portal on Cyber-Crime and the Working Group on Cyber-Crime, which together aim at strengthening hemispheric cooperation in the investigation and prosecution of cybercrimes.93 Among other things, this project has resulted in the creation of directory of national points of contact, cybercrime questionnaires and training for building capacity for combatting cybercrime.94 IV. Inter-institutional Collaboration Informal international cooperation can also be had at the inter-institutional level. One example of inter-institutional collaboration can be seen in the East African Networking Meeting on Cybercrime and Electronic Evidence was held in Nairobi, Kenya from 19 to 20 August 2015. Organized by UNODC and COMSEC under the auspices of CCI (discussed above), the event was an important cooperative moment for both states and international organizations. The meeting’s objective was to bring together criminal justice officials and key stakeholders from Member States of the EAC and other African states, as well as representatives of relevant intergovernmental and other organizations, to discuss and exchange information on national practices in, and experiences with, the prevention, investigation and prosecution of cybercrime. The meeting devoted its main focus to the establishment of the East African Criminal Justice Network on Cybercrime and Electronic Evidence. The objectives were kept in line with the relevant action points set forth in the “Kampala Outcomes on Strengthening Regional Cooperation”, as agreed at the EAC Regional Meeting on Preventing and Combating Cybercrime, held in Kampala, Uganda, in May 2014. The participants discussed a range of procedural and substantive aspects for the launching and operationalization of such a network, including its membership, chairmanship and functions, as well as its objectives and modus operandi. The network is to aim at (1) promoting the exchange of information and evidence between criminal justice and law enforcement counterparts; (2) facilitating working relationships between the criminal justice and law enforcement sectors and other key stakeholders; and (3) assisting formal and informal cooperation. As a result of the meeting, the participants agreed on the final text of the terms of reference of the network. V. Standardizing Requesting Procedures As a whole, improving interoperability on a procedural level requires at least as great a degree of understanding as it does on a substantive level. In addition to developing sufficiently robust Page 215  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents laws that allow for domestic authorities to conduct cybercrime investigations (see sections 2 C and 2 D, above), it is important for legislative measures to allow for foreign electronic evidence to be admissible in legal proceedings, as long as such evidence is gathered in a way of satisfying procedural legality. While legislative action will be required, it can be facilitated through informal arrangements, such as bilateral agreements, but also through the standardization of requesting procedures. Developing standardized procedures for making information requests and authentication would greatly advance international interoperability.95 While such would be especially the case once formal international instruments and systems have been put in place (see section 5 A, above), those arrangements might also be reached on a more informal level. Such procedures and understandings operate by building upon principles such as the flag principle, by which jurisdiction is somewhat more malleably understood (see section 2 E, above). Control and possession of data has become an increasingly sensitive issue. For instance, the EU-US Safe Harbor Framework on transatlantic data flows was invalidated by the CJEU on the grounds that the scheme “enables [... US] public authorities [to interfere] with the fundamental rights of persons”.96 The fanfare—even alarm97—with which the decision was received, testifies to the ever-increasing importance of data—for both commercial and investigatory purposes—; and the rapidity with which a new EU-US arrangement (the so-called “Privacy Shield”) was crafted98 and adopted99 reinforces that notion (see sections 4 A, and 4 B, above). In that sense, even attempts by some states to mandate that data pertaining to its citizens be stored on domestic servers, or made otherwise made automatically accessible (so-called “data localization”), could be construed by some to facilitate domestic law enforcement agencies. Moves towards data localization, however, would likely also multiply information requests, pacing burdens on both sides Additionally, while challenges to managing cross-border jurisdiction might be mitigated by data localization, the cross-border nature of cybercrime all but ensures that there will be continued need for cross-border exchanges. As with efforts to improve MLA (see section 5 A, above), efforts are underway globally to speed- up international electronic investigations, while ensuring that they do not violate human rights. However, just as with efforts to improve MLA, efforts to speed-yet-constrain, remote cross-border electronic investigation have not yielded a resolution. For many years, the Council of Europe has been active in researching and discussing the issue of cross-border evidence collection, in which there is opportunity for participation by states not having acceded to the Budapest Convention in these discussion.100 Conclusion Cybercrime can only be effectively investigated and prosecuted when supported through international cooperation. Formal means of such cooperation include multilateral treaties on Page 216  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents cybercrime, the most prominent of which is the Budapest Convention, as well as general MLATs treaties and extradition treaties. These instruments facilitate and further international investigations and prosecutions. However, those international instruments can only have full effect insofar as parties develop adaptive legal national frameworks (see sections 2 A, 2 B, 2 C, 2 D, 2 E and 2 F, above). Indeed, the biggest obstacle to international prosecution of cybercrimes is the dual criminality requirement. Formal instruments of international cooperation are insufficient and must be supplemented through informal mechanisms. While the bones that arrange for informal interactions are often laid out in formal agreements, such as the Budapest Convention’s 24/7 Network, it is for the individual states to truly put the meat on that skeletal framework. The informal communication encouraged through most 24/7 networks might be used prior to making a formal request for assistance, or in seeking expedited measures, such as data preservation, a matter typically not conducive to the more plodding procedures of MLATs. Moreover, by making use of 24/7 networks, law enforcement officials become accustomed to working with their counterparts, therein facilitating and furthering cooperation and capacity. Information-sharing centers are another important means of rendering substance to the often- barebones mechanisms of cooperation. Through such centers, crucial cybercrime research and development can be conducted, shared resources brought to bear to support less resource-rich countries (including digital forensics laboratories), capacity-building developed and closer relations through personnel exchange had. Collectively, centers such as those created by INTERPOL (in Lyon, France, in Buenos Aires, Argentina and in Singapore) allow for global coverage at all hours of the day and night. Moreover, and no less importantly, such collaborations need not only be police-to-police, as the judicial collaborations of Eurojust and EC3 have effectively proven. Further, it bears noting that, in a world where real-time information is often crucial, finding analogues and partnerships for involving the private sector will be no less important to combatting cybercrime. Lastly, stardardizing requesting procedures could serve to significantly further formal international cooperation and interoperability. Page 217  |  Chapter 5  |  § B. Establishing Informal International Cooperation Table of Contents End Notes Referenced in: § A. Multilateral 9. COMSEC, “Model Law on Computer 10. Of these multilateral treaties, only the Instruments & Cross-border and Computer Related Crime,” in 2002 AU Convention has not yet entered into Meeting of Commonwealth Law Ministers force, as, per Article 36 of the Convention, Cooperation and Senior Officials: Kingstown, St Vincent the requisite threshold of fifteen ratifying and the Grenadines, 18–21 November AU Member States has not been 1. See generally Johnson & Post, supra § 2002, (London: Commonwealth achieved: to date, only eight Member 2 A, note 31 (arguing that cyberspace Secretariat,2003), at http://www.oecd- States have signed the AU Convention, cannot be governed by laws that rely on ilibrary.org/commonwealth/governance and none have ratified it. See “List of traditional territorial borders). /2002-meeting-of-commonwealth-law-mi Countries Which Have Signed, Ratified/ nisters-and-senior-officials/model-law-on- Acceded to the AU Convention,” African 2. “Dual criminality” (also known as computer-and-computer-related-crime Union, (1 Jun. 2016), at https://www.au.int/ “double criminality”) refers, in the _9781848598188-16-en; COMSEC, “Draft web/sites/default/files/treaties/29560- context of international cooperation, to Model Law on Electronic Evidence,” sl-african_union_convention_on_cyber_ a requirement that the act subject to a in 2002 Meeting of Commonwealth security_and_personal_data_protection. request for extradition or MLA must be a Law Ministers and Senior Officials: pdf. criminal offence according to the criminal Kingstown, St Vincent and the law of both not only the state making the Grenadines, 18–21 November 2002, 11. UN Congress on Crime Prevention, request, but also according to the law of (London: Commonwealth Secretariat, supra § 2 A, note 3, at 15, (discussing the state of which assistance is requested. 2003), at http://www.oecd-ilibrary.org/ recent developments in the use of See, e.g., UNODC Cybercrime Study, commonwealth/governance/2002- science and technology by offenders supra § 1 C, note 7, at 202. meeting-of-commonwealth-law- and by competent authorities in fighting ministers-and-senior-officials/ cybercrime). 3. Amalie M. Weber, “The Council of draft-model-law-on-electronic- Europe’s Convention on Cybercrime,” 12. Budapest Convention, supra § 1 B, note evidence_9781848598188-11-en; Berkeley Technology Law Journal, Vol. 18, 32, at Preamble. Nine non-Member UN Conference on Trade and (2003), p. 426, at http://scholarship.law. States of the CoE (Australia, Canada, Development (UNCTAD) and Eastern berkeley.edu/btlj/vol18/iss1/28 Dominican Republic, Israel, Japan, African Community, “Draft EAC Mauritius, Panama, Sri Lanka and the 4. See US Dept. of State, Bureau of Legal Framework,” (2008), at http:// United States) have acceded to the Counterterrorism, “Ch. 5: Terrorist Safe repository.eac.int:8080/bitstream/ Budapest Convention. See “Chart of Havens” (listing certain “safe-havens”), handle/11671/1815/EAC%20 Signatures and Ratifications of Treaty in: Country Reports on Terrorism Framework%20for%20Cyberlaws. 185,” CoE, at http://conventions. (2014), at http://www.state.gov/j/ct/rls/ pdf?sequence=1&isAllowed=y; Common coe.int/Treaty/Commun/ChercheSig. crt/2014/239412.htm. Market for Eastern and Southern Africa asp?NT=185&CM=8&DF=&CL=ENG. (COMESA), “Cybersecurity Draft Model These countries were not all part of 5. At the same time, it is useful to consider Bill,” (2011); ITU, “HIPSSA-Southern the process when provisions of the the applicability of the United Nations African Development Community Convention were elaborated. A further Convention against Transnational Model Law on Computer Crime and thirteen countries (Argentina, Chile, Organized Crime (UNTOC), a global Cybercrime,” (2013); ITU, CARICOM Colombia, Costa Rica, Israel, Mexico, instrument reaching almost universal & CTU, “Model Legislative Text on Morocco, Paraguay, Peru, Philippines, adherence with 187 States Parties, Cybercrime/e-Crimes and Electronic Senegal, Sri Lanka and Tonga), none of which takes into account “cyber” crimes Evidence,” (2010); ITU and Secretary which are Member States of the Council committed by organized criminal groups. of the Pacific Community, Model Law of Europe, and none of which participated on Cybercrime, (2011). See ibid, for 6. See UNODC Cybercrime Study, supra § 1 in the Convention’s elaboration, selected examples of implementation of C, note 7, at 67. have been invited to accede to this non-binding multilateral instruments on Convention. 7. Some form of national cybercrime cybercrime. legislation exists in 149 countries, either in 13. See supra §§ 4 A & 4 B for a fuller existing (137) or draft (24) form. See, e.g., discussion of the issues of safeguards, appendix 9 C. including due process issues, data protection, and access to information and 8. See, e.g., Zahid Jamil, “Cybercrime freedom of expression. Model Laws: Discussion Paper Prepared for the Cybercrime Convention 14. Ibid. See also Budapest Convention, Committee (T-CY),” Council of Europe, (3 supra § 1 B, note 32, at Art. 15. Dec. 2014), at https://www.coe.int/t/dghl/ 15. Budapest Convention, supra § 1 B, note cooperation/economiccrime/Source/ 32, at Art. 15. Cybercrime/TCY/2014/3021_model_law_ study_v15.pdf. Page 218 | Chapter 5 | End Notes Table of Contents 16. Ibid., at Art. 37.1 (“the Committee of 36. Budapest Convention, supra § 1 B, note 49. See, e.g., ECOWAS, Convention Ministers of the Council of Europe, 32, at Art. 37.1. A/P.1/7/92 on Mutual Assistance after consulting with and obtaining the in Criminal Matters, at http:// unanimous consent of the Contracting 37. SCO Agreement, supra § 2 A, note 62, documentation.ecowas.int/download/ States to the Convention, may invite at Art.12.3, (“This Agreement, upon its en/legal_documents/protocols/ any State which is not a member of the entering into force, shall be open for Convention%20on%20Mutual%20 Council and which has not participated accession by any State that shares the Assistance%20in%20Criminal%20 in its elaboration to accede to this goals and principles of this Agreement.”). Matters.pdf; EU, “Convention on Convention”). Mutual Assistance in Criminal Matters 38. CIS Agreement, supra § 2 A, note 47, at between the Member States of the 17. “Chart of Signatures and Ratifications of Art. 17. European Union,” at http://eur-lex. Treaty 185,” supra note 12. europa.eu/legal-content/EN/TXT/ 39. Arab Convention, supra § 2 A, note 14, at Ch. 5, Final Provision 4 (providing that HTML/?uri=URISERV:l33108&from=EN; 18. Ibid. “Any State of the League of Arab States “SADC Protocol on Mutual Legal 19. Ibid. that has not signed this Convention may Assistance in Criminal Matters,” SADC, at accede to it”). http://www.sadc.int/files/8413/5292/8366/ 20. CIS Agreement, supra § 2 A, note 47. Protocol_on_Mutual_Legal_Assistance_ 40. Ibid. in_Criminal_Matters_2002.pdf. 21. Budapest Convention, supra § 1 B, note 32 , at Art. 37.1. 41. AU Convention, supra § 2 A, note 48. 50. UNODC Cybercrime Study, supra § 1 C, note 7, at xxv. 22. CIS Agreement, supra § 2 A, note 47. 42. See, e.g., Mailyn Fidler, “The African Union Cybersecurity Convention: A 51. Ibid. 23. Budapest Convention, supra § 1 B, note Missed Human Rights Opportunity,” 32. Council of Foreign Relations Blog, 52. Ibid., at 201. (22 Jun. 2015), at http://blogs.cfr.org/ 24. The following are the twelve CIS Member 53. Ibid. cyber/2015/06/22/the-african-union- States: Armenia, Azerbaijan, Belarus, cybersecurity-convention-a-missed- 54. Korean Criminal Act, supra § 2 E, note 14. Georgia, Kazakhstan, Kyrgyzstan, human-rights-opportunity/; Eric Tamarkin, Moldova, the Russian Federation, “The AU’s Cybercrime Response: A 55. “Double Criminality Law & Legal Tajikistan, Turkmenistan, Ukraine and Positive Start, but Substantial Challenges Definition,” US Legal.com, at http:// Uzbekistan. Ahead,” Institute for Security Studies, definitions.uslegal.com/d/double- 25. The following are the six CIS Member (Jan. 2015), at https://www.files.ethz.ch/ criminality/. States having ratified the CIS Agreement: isn/187564/PolBrief73_cybercrime.pdf. 56. Urbas, supra § 2 E, note 53, at 12–13. Armenia, Azerbaijan, Belarus, Kazakhstan, 43. See “List of Countries Which Have Moldova and Tajikistan. 57. See, e.g., Budapest Convention, supra § Signed, Ratified/Acceded to the AU Convention,” supra note 10. 1 B, note 32. 26. “Geneva Internet Platform,” Digital Watch, at https://dig.watch/instruments/ 58. UNODC Cybercrime Study, supra § 1 44. AU Convention, supra § 2 A, note 48, at agreement-cooperation-combating- C, note 7, at 206–07 (noting “the (often Art. 36. offences-related-computer-information- necessary) interplay between a range commonwealth. 45. See, e.g., Anahita Mathai, “The Budapest of government institutions can, in some Convention and Cyber Cooperation,” cases, contributed to the long timescales 27. SCO Agreement, supra § 2 A, note 62. ORF Cyber Monitor, (12 Mar. 2015). reported for responses to requests”). 28. Budapest Convention, supra § 1 B, note 46. UNODC Cybercrime Study, supra § 1 C, 59. Budapest Convention, supra § 1 B, note 32; see e.g., Constance Johnson, “Global note 7, at 199. 32, at Art. 27.2. Legal Monitor,” US Library of Congress, at http://www.loc.gov/law/foreign- 47. Ibid., at 202. 60. CIS Agreement, supra § 2 A, note 47, at news/article/shanghai-cooperation- Art. 4. organization-agreements-signed/. 48. Approximately 150 countries have domestic laws (either enacted or in draft) 61. Arab Convention, supra § 2 A, note 14, at 29. Budapest Convention, supra § 1 B, note governing cybercrime. See appendix 9 C. Art. 34.2. 32, at Art. 37.1. 62. CIS Agreement, supra § 2 A, note 47, at 30. CIS Agreement, supra § 2 A, note 47. Art. 6.2; Budapest Convention, supra § 1 B, note 32, at Art. 25.3 and 27.9; and Arab 31. SCO Agreement, supra § 2 A. note 62. Convention, supra § 2 A, note 14, at Art. 32. “About SCO,” SCO, at http://rus.sectsco. 32.3 and 34.8, respectively. org/about_sco/. 33. Arab Convention, supra § 2 A, note 14. 34. Ibid., at Art. 1. 35. Ibid., at Art. 4.1. Page 219 | Chapter 5 | End Notes Table of Contents 63. While not specific to the above- 72. “The Obligation to Extradite or mentioned three multilateral treaties Prosecute” (“aut dedere aut judicare”), on cybercrime with fast means of Final Report of the UN International communications for urgent MLA requests, Law Commission, (2014), at http:// UNODC provides as follows, “Being legal.un.org/ilc/texts/instruments/ party to an international or regional english/reports/7_6_2014.pdf; Budapest instrument envisaging urgent mutual Convention, supra § 1 B, note 32, at Art. legal assistance channels appears to 24.6. See also Budapest Explanatory have a moderate effect – 55 percent of Report, supra § 1 D, note 14, at para. 251. responding countries that were not party to any multilateral cybercrime instrument 73. See, e.g., Urbas, supra § 2 E, note 53, at did not have channels for urgent 13–14. requests, compared with 40 per cent of 74. European Convention on Extradition, countries that were party to a multilateral Paris, ETS No. 24 (13 Dec. 1957), Arts. cybercrime instrument.” See also UNODC 3 & 11, at https://www.coe.int/en/web/ Cybercrime Study, supra § 1 C, note 7, at conventions/full-list/-/conventions/ 207–208. treaty/024. 64. Budapest Convention, supra § 1 B, note 75. See, e.g., Lazar, supra § 2 B, case 2.2. 32, at Preamble. 76. See, e.g., Budapest Convention, supra § 65. Ibid., at Art. 22.3. With regard to offenses 1 B, note 32, at Art. 24. Dual criminality is committed by the national of a state, intended to protect individuals from state the Convention is only applicable if the persecution for political crimes. offense is criminally punishable where committed, or if the offense is committed 77. Ibid., at Art. 22 & 24. outside the territorial jurisdiction of any state (thereby avoiding the possibility of 78. Ibid., at Art. 24.1.b. negative jurisdiction). Ibid., at Art. 22.3.d. 79. See Budapest Explanatory Report, supra § 66. Ibid., at Art.22.4. 1 D, note 14, at para. 245. 67. Ibid., at Art. 14–15 (discussing the scope 80. Ibid. of, and safeguards for, these tools). 81. Budapest Convention, supra § 1 B, note 68. States bound by the European 32, at Art. 24.1. Convention on Human Rights violate 82. Amalie M. Weber, “The Council of their duty to their citizens and victims’ Europe’s Convention on Cybercrime,” human rights if privacy laws prevent law Berkeley Technology Law Journal, Vol. 18 enforcement authorities from conducting (2003), p. 426, at http://scholarship.law. adequate electronic investigations in berkeley.edu/btlj/vol18/iss1/28. criminal cases. K.U. v. Finland, 2872/02 [2008] ECtHR 1563, at http://www. 83. See, e.g., Statement of US Attorney echr.coe.int/Documents/Reports_ General Alberto R. Gonzales on the Recueil_2008-V.pdf. Although this is a Passage of the Cybercrime Convention, ECtHR decision, it is instructive for other US Dept. of Justice, at http://www.justice. regions. gov/archive/opa/pr/2006/August/06_ ag_499.html (“This treaty provides 69. Budapest Convention, supra § 1 B, note important tools in the battles against 32, at Art. 25. terrorism, attacks on computer networks 70. See, e.g., ibid., at Art. 22 & 24 (especially and the sexual exploitation of children noting at Art. 24.1.3, “If a Party that makes over the Internet, by strengthening U.S. extradition conditional on the existence of cooperation with foreign countries in a treaty receives a request for extradition obtaining electronic evidence.”). from another Party with which it does not 84. Walden, supra § 2 A, note 67. have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offence referred to in paragraph 1 of this article.”). 71. Oxford Dictionary of Law. Page 220 | Chapter 5 | End Notes Table of Contents Referenced in: § B. Establishing 8. See e.g., Budapest Convention, supra § 11. This subgroup, often referred to as Informal International Cooperation 1 B, note 32; EU, Joint Action of 29 Nov. the Roma-Lyon group, is the result of 1996 adopted by the Council on the Basis a meeting in Rome in October 2001 of of Article K.3 of the Treaty on European senior representatives of G8 Justice and 1. UN General Assembly, “Eighth United Union, Concerning the Creation and Home Affairs Ministries to discuss steps Nations Congress on the Prevention of Maintenance of a Directory of Specialized for the G8 to take to combat international Crime and the Treatment of Offenders, Competences, Skills, and Expertise in terrorism, and which combined the 68th Plenary Meeting,” (14 Dec. 1990), at the Fight against International Organized G8’s Lyon Group (fighting transnational http://www.un.org/documents/ga/res/45/ Crime, in Order to Facilitate Law organized crime) and the G8’s Roma a45r121.htm. Enforcement Cooperation between the Group (fighting international terrorism). Member States of the European Union, See “G8 Background,” US Dept. of 2. Weiping Chang, Wingyan Chung, 96/747/JHA (29 Nov. 1996), at http:// Justice, (11 May 2004), at https://www. Hsinchun Chen & Shihchieh Chou, “An eur-lex.europa.eu/legal-content/EN/ justice.gov/ag/g8-background. While International Perspective on Fighting TXT/?uri=CELEX%3A31996F0747; EU, continuing important work to combat Cybercrime,” ISI’03 Proceedings of the 1st Joint Action of 29 Jun. 1998 Adopted transnational organized crime, the group NSF/NIJ Conference on Intelligence and by the Council on the Basis of Article uses its resources to combat terrorism Security Informatics, (2003). K.3 of the Treaty on European Union, through such avenues as enhancements 3. ITU, “Geneva Declaration of Principles on Good Practice in Mutual Legal to legal systems, transport security and and the Geneva Plan of Action,” (Geneva: Assistance in Criminal Matters, OJ L tools for investigating terrorist uses of the ITU, 2003), para. 35–37, at https://www.itu. 191 (7 Jul. 1998), pp. 1–3, at http:// internet. Ibid. int/net/wsis/docs/promotional/brochure- eur-lex.europa.eu/legal-content/EN/ TXT/?uri=CELEX%3A31998F0427; EU, 12. With the goal of ensuring that no dop-poa.pdf. Act of the Management Board of Europol criminal receives safe havens anywhere 4. See supra § 3 A. of 15 Oct. 1998 concerning the Rights in the world, the G8 States established and Obligations of Liaison Officers, OJ the Subgroup of High-Tech Crime in 5. Budapest Convention, supra § 1 B, note C 026 (30 Jan. 1999), pp. 86–88, at http:// 1997 at a meeting in Washington, DC, 32. eur-lex.europa.eu/legal-content/EN/ adopting Ten Principles in the combat TXT/?uri=CELEX%3A31999F0130(08); and against computer crime, G8, “The 6. The Budapest Convention, though Washington Communiqué,” Meeting perhaps the most visible instrument, is the EU, Draft Council Act Establishing the Convention on Mutual Assistance of Justice and Interior Ministers of not the only one. See EU Convention on the Eight, (10 Dec. 1997), at https:// Simplified Extradition Procedure Member in Criminal Matters between the Member States of the European Union, www.justice.gov/sites/default/files/ag/ States, Council Act of 10 March 1995, OJ legacy/2004/06/08/97Communique.pdf. C 78 (30 Mar. 1995). OJ C 251 (2 Sep. 2, 1999), at http:// eur-lex.europa.eu/legal-content/EN/ 13. “G8 – 24/7 Network,” Organization of 7. For instance, even before the Budapest TXT/?uri=CELEX%3A51999AG0902(01). American States (OAS), at http://www.oas. Convention, the European Union had org/juridico/english/cyber_g8.htm. been encouraging its member States 9. See, e.g., “The G8 24/7 Network of to enact national legislation to facilitate Contact Points, Protocol Statement,” 14. Global Monitoring and ECPAT mutual legal assistance in the search and Organization of American States (OAS), International, Status of Action against seizure of evidence from organized crime (2007), p. 2, at http://www.oas.org/ Commercial Sexual Exploitation of and high-tech crime. See e.g., EU, Act juridico/english/cyb_pry_G8_network.pdf. Children: Israel (2016), (Bangkok: ECPAT of 12 March 1999 on Adopting the Rules 10. A multilateral political forum, the G8 International, 2016), at http://www.ecpat. Governing the Transmission of Personal addresses a wide range of international org/wp-content/uploads/2016/06/A4A_ Data by Europol to Third States and economic, political, and security issues. V1_ISARAEL_2016June.pdf. Third Bodies, OJ C 088 (30 Mar. 1999), at It is formed of representation from eight http://eur-lex.europa.eu/legal-content/ 15. See, e.g., Kjell Engelbrekt, High- countries, with responsibility for hosting EN/TXT/?uri=CELEX%3A31999F0330. Table Diplomacy: The Reshaping of the G8 rotating through the Member See also EU Council Resolution of 17 International Security Institutions, States in the following order: France, Jan. 1995, on the Law Interception (Washington, DC: Georgetown University United States, United Kingdom, Russia, of Telecommunications, OJ C 329 Press, 2016), p. 135. See also “G8 Germany, Japan, Italy and Canada. (11 Nov. 1996), at http://eur-lex. Declaration Renewed Commitment For The European Commission attends G8 europa.eu/legal-content/EN/ Freedom And Democracy,” G8 Summit meetings as an observer. Although, TXT/?uri=CELEX%3A31996G1104. of Deauville, (26–27 May 2011), at http:// with Russia’s 2014 suspension (following www.nato.int/nato_static/assets/pdf/ its annexation of Crimea), the G8 was pdf_2011_05/20110926_110526-G8- reduced in number and became the Summit-Deauville.pdf. G7, the 24/7 Network remains named after the G8, though membership is 16. See, e.g., Office of the Spokesperson, open to all. Alison Smale & Michael D. “Media Note: G8 Foreign Ministers’ Shearmarch, “Russia Is Ousted from Meeting Statement,” US Dept. of State, Group of 8 by US and Allies,” New York (11 Apr. 2013), at http://www.state.gov/r/ Times, (24 Mar. 2014), at http://www. pa/prs/ps/2013/04/207354.htm. nytimes.com/2014/03/25/world/europe/ obama-russia-crimea.html?_r=0. 17. Budapest Convention, supra § 1 B, note 32, at Art. 35. 18. Ibid. Page 221 | Chapter 5 | End Notes Table of Contents 19. Ibid., at Art. 35.1(a–c). 31. “The INTERPOL Global Complex for 46. Contact points in non-Member States Innovation,” INTERPOL, at http:// include Albania, Argentina, Bosnia and 20. Ibid., at Art. 35. www.interpol.int/About-INTERPOL/ Herzegovina, Canada, Egypt, the former The-INTERPOL-Global-Complex-for- Yugoslav Republic of Macedonia, Iceland, 21. “Assistant Attorney General Leslie Innovation/About-the-IGCI. Israel, Japan, Korea, Liechtenstein, R. Caldwell Speaks at the CCIPS- Moldova, Mongolia, Montenegro, CSIS Cybercrime Symposium 2016: 32. It bears noting that INTERPOL’s then- Norway, the Russia, Serbia, Singapore, Cooperation and Electronic Evidence president, Khoo Boon Hui (2008–2012), Switzerland, Thailand, Turkey, Ukraine Gathering Across Borders,” US Dept. is Singaporean. See “Khoo Boon Hui,” and the United States. Korea is the most of Justice, (6 Jun. 2016), at https:// INTERPOL, at http://www.interpol. recent addition. See “Mission and Tasks,” www.justice.gov/opa/speech/assistant- int/About-INTERPOL/Structure-and- supra note 44. attorney-general-leslie-r-caldwell-speaks- governance/KHOO-Boon-Hui. ccips-csis-cybercrime-symposium-2016. 47. Ibid. 33. See “Structure and Governance,” 22. “Data Exchange,” INTERPOL, at http:// INTERPOL, at http://www.interpol. 48. Judicial Network & Eurojust, “Joint Task www.interpol.int/INTERPOL-expertise/ int/About-INTERPOL/Structure-and- Force Paper Assistance in International Data-exchange/I-24-7. There are 190 governance/General-Secretariat. Cooperation in Criminal Matters for INTERPOL member countries. See Practitioners European,” Press Release, “World: A Global Presence,” INTERPOL, 34. See “Command and Coordination Council of the European Union, (6 May at http://www.interpol.int/Member- Centre—Aires,” INTERPOL, at http:// 2014), at http://www.consilium.europa.eu/ countries/World. www.interpol.int/INTERPOL-expertise/ ueDocs/cms_Data/docs/pressdata/en/ Command-Coordination-Centre/ jha/104584.pdf. 23. Ibid. Command-and-Coordination-Centre- Buenos-Aires. 49. For details about Global Prosecutors 24. Ibid. E-Crime Network (GPEN), see “Global 35. INTERPOL’s Secretariat has seven regional Prosecutors E-Crime Network,” 25. “Hacker Demands Money for offices: (1) Buenos Aires, Argentina; (2) International Association of Prosecutors, Information on S. Korean Nuclear Yaoundé, Cameroon; (3) Abidjan, Côte (11 Jun. 2012), at Reactors,” Yonhap, (12 Mar. 2015), d’Ivoire; (4) San Salvador, El Salvador; (5) https://rm.coe.int/CoERMPublicComm at http://english.yonhapnews.co.kr/ Nairobi, Kenya; (6) Bangkok, Thailand; onSearchServicesDisplayDCTMContent?d national/2015/03/12/40/03020000 and (7) Harare, Zimbabwe. ocumentId=09000016802f240e. 00AEN20150312008051320F.html; Justin McCurry, “South Korean Nuclear 36. “European Cybercrime Center,” Europol, 50. “History of Eurojust,” supra note 42. Operator Hacked Amid Cyber— at https://www.europol.europa.eu/about- Attack Fears,” Guardian, (23 Dec. europol/european-cybercrime-centre-ec3. 51. “Mission and Tasks,” supra note 44. 2014), at https://www.theguardian. com/world/2014/dec/22/south-korea- 37. “Combating Cybercrime in a Digital 52. Ibid. nuclear-power-cyber-attack-hack; Age,” Europol, European Cybercrime Sohee Kim & Meeyoung Cho, “South Centre (EC3), at https://www.europol. 53. Ibid. Korea Prosecutors Investigate Data europa.eu/ec3. 54. Ibid. Leak at Nuclear Power Plants,” Reuters, (21 Dec. 2014), at http://www.reuters. 38. Ibid. 55. “Operation BlackShades: An Evaluation,” com/article/us-southkorea-nuclear- Eurojust, (2015), at https://www.gccs2015. 39. Ibid. idUSKBN0JZ05120141221. com/sites/default/files/documents/Bijlage 40. “Joint Cybercrime Action Taskforce %202%20-%20Eurojust%20(10%2004%20 26. Ibid. (J-CAT),” Europol, European Cybercrime 15)%20Blackshades-Case-Evaluation.pdf. 27. Caroline Baylon, Roger Brunt & David Centre (EC3), at https://www.europol. europa.eu/ec3/joint-cybercrime-action- 56. “International Blackshades Malware Livingstone, “Cyber Security at Civil taskforce-j-cat. Takedown-Coordinated Law Enforcement Nuclear Facilities Understanding the Actions Announced,” FBI, (2014), at Risks,” Chatham House, (Sep. 2015), at 41. Ibid. https://www.fbi.gov/news/stories/ https://www.chathamhouse.org/sites/files/ international-blackshades-malware- chathamhouse/field/field_document/2015 42. “History of Eurojust,” Eurojust, at takedown-1. 1005CyberSecurityNuclearBaylonBrunt http://www.eurojust.europa.eu/about/ Livingstone.pdf. background/Pages/history.aspx. 57. “Operation BlackShades: An Evaluation,” supra note 55. 28. Pierluigi Paganini, “South Korea—Hacker 43. EU, Treaty of Lisbon Amending the Requests Money for Data on Nuclear Treaty on European Union and the Treaty 58. Ibid. Plants,” Security Affairs, (18 Mar. 2015), at Establishing the European Community, http://securityaffairs.co/wordpress/35013/ (13 Dec. 2007) 2007/C 306/01 [hereafter, 59. Ibid. cyber-crime/hacker-south-korean-nuclear- “Lisbon Treaty”], Ch. 4, Art. 85, at http:// 60. Ibid. plants.html. eur-lex.europa.eu/legal-content/EN/ TXT/?uri=uriserv%3Aai0033. 61. Ibid. 29. See supra table 5.1. 44. “Mission and Tasks,” Eurojust, at 62. “National Cyber-Forensics and Training 30. UNODC Cybercrime Study, supra § 1 C, http://www.eurojust.europa.eu/about/ Alliance,” NCFTA, at http://www.ncfta. note 7, at 124–25. background/Pages/mission-tasks.aspx. net/. 45. “History of Eurojust,” supra note 42. Page 222 | Chapter 5 | End Notes Table of Contents 63. See “Who We Are,” NCFTA, at http:// 79. CCI was created in 2011 under the 90. The topic of cyberterrorism is beyond www.ncfta.net/. auspices of the Commonwealth Connects the scope of the Toolkit. Nonetheless, program that was created by the Heads of it bears noting that the lines between 64. See “Agencies,” US Dept. of Justice, at Government during their 2005 meeting in acts of cybercrime and cyberwar or https://www.justice.gov/agencies. Malta to bridge the digital divide. CCI was cyberterrorism are increasingly blurred, formally endorsed by the Commonwealth especially, as the World Development 65. See “About InfraGard,” InfraGard, at Heads of Government Meeting (CHOGM) Report has noted, “acts that might https://www.infragard.org/. during their 2011 meeting in Perth, previously have been considered civilian 66. See “NCFTA in the News: The National Australia. attacks are now being uncovered as acts Cyber-Forensics and Training Alliance of states against states via nonstate actor 80. “Commonwealth Cybercrime Initiative,” proxies.” See WDR, supra § 1 A, note 10, to Open New Offices in Los Angeles supra note 74. at 222. and New York,” NCTFA, (8 Jan. 2016), at https://www.ncfta.net/Home/News. 81. Executive Management Committee 91. “Cyber Security,” OAS, at https://www. (EMC) Country Members include Canada, sites.oas.org/cyber/en/Pages/default. 67. See “NCFTA in the News: International India, Malta, New Zealand, Trinidad & aspx. Alliance Against Counterfeiting,” NCTFA, Tobago, Uganda and the United Kingdom (18 Jul. 2016), at https://www.ncfta.net/ (current chair); EMC Institutional Members 92. “Best Practices for Establishing a National Home/News. include COMSEC, ComNet, Interpol and CSIRT,” OAS, (2016), at https://www.sites. 68. “Who We Are,” NCFTA, supra note 63. ICANN; the US Dept. of State is an EMC oas.org/cyber/Documents/2016%20-%20 Observer. See “The Commonwealth Best%20Practices%20CSIRT.pdf. 69. For a further discussion of cooperation Cybercrime Initiative: A Quick Guide,” between the public and private sector, supra note 75. 93. Inter-American Cooperation Portal on see infra § 6 F. Cyber-Crime, “Welcome,” OAS, at http:// 82. COMSEC, ibid. www.oas.org/juridico/english/cyber.htm. 70. “CyFin,” NCFTA, at http://www.ncfta.net/ Home/Cyfin. 83. “Commonwealth Cybercrime Initiative,” 94. Ibid. supra note 74. 71. “BCP,” NCFTA, at http://www.ncfta.net/ 95. See e.g., “Progress Report 2013- Home/BCP. 84. Ibid. 2014,” Internet & Jurisdiction, (2014), at http://www.internetjurisdiction.net/ 72. “MCT,” NCFTA, at http://www.ncfta.net/ 85. Ibid. uploads/pdfs/Annual-Reports/Internet- Home/Malware. Jurisdiction-2013-14-Report.pdf. 86. Carolin Weisser, “Eastern African Criminal 73. For a further discussion of cooperation Justice Network on Cybercrime and 96. Schrems v. Data Protection between the public and private sector, Electronic Evidence,” Cybersecurity Commissioner, CJEU, Case C-362/14 see infra § 6 F. Capacity Portal, Oxford University, (4 (6 Oct. 2015), at http://curia.europa. Nov. 2015), at https://www.sbs.ox.ac. eu/juris/document/document. 74. “Commonwealth Cybercrime Initiative,” uk/cybersecurity-capacity/content/ jsf?docid=169195&doclang=EN; See also The Commonwealth, at http:// eastern-african-criminal-justice-network- CJEU, “The Court of Justice Declares thecommonwealth.org/commonwealth- cybercrime-and-electronic-evidence. That the Commission’s US Safe Harbour cybercrime-initiative. Decision Is Invalid,” Press Release, (6 Oct. 87. See CCI, “Gros Islet Communiqué,” 75. “The Commonwealth Cybercrime 2015), at http://curia.europa.eu/jcms/ The Caribbean Stakeholders Meeting Initiative: A Quick Guide,” The upload/docs/application/pdf/2015-10/ on Cybersecurity and Cybercrime Commonwealth (2014), at http://www. cp150117en.pdf. (CSM-II), (16–18 Mar. 2016), at http:// securityskeptic.com/CCI%20Quick%20 thecommonwealth.org/sites/default/ 97. See e.g., Dave Lee, “How Worried Is Guide.pdf. files/news-items/documents/6%20 Silicon Valley about Safe Harbour?,” BBC FinalCastriesDeclaration170316. News, (7 Oct. 2015), at http://www.bbc. 76. Ibid., “Commonwealth Cybercrime pdf; “Caribbean to Tackle Escalating com/news/technology-34461682; Kelli Initiative,” supra note 74. Cybercrime with Regional Approach,” Clark, “The EU Safe Harbor Agreement 77. See supra § 3 A for further discussion of The Commonwealth, (15 Mar. 2016), at Is Dead, Here’s What To Do about It,” the Harare Scheme. http://thecommonwealth.org/media/ Forbes, (27 Oct. 2015), at http://www. press-release/caribbean-tackle-escalating- forbes.com/sites/riskmap/2015/10/27/the- 78. ”Communiqué: Commonwealth Law cybercrime-regional-approach#sthash. eu-safe-harbor-agreement-is-dead-heres- Ministers Meeting,” The Commonwealth, HjmhE8I8.dpuf. what-to-do-about-it/#2f3bd6757171; (5–8 May 2014), para. 14, at http:// Kolvin Stone, Christian Schröder, Antony thecommonwealth.org/media/news/ 88. “Who We Are,” OAS, at http://www.oas. P. Kim & Aravind Swaminathan, “US–EU communique-commonwealth-law- org/en/about/who_we_are.asp. Safe Harbor – Struck Down!,” Orrick Trust ministers-meeting-2014#sthash. Anchor Blog, (6 Oct. 2015), at http:// 89. OAS General Assembly, The Inter- oZZBUeVU.dpuf. blogs.orrick.com/trustanchor/2015/10/06/ American Integral Strategy to Combat Threats to Cyber Security, (8 Jun. 2004) us-eu-safe-harbor-struck-down/. AG/RES.2004 (XXXIV-O/04). Page 223 | Chapter 5 | End Notes Table of Contents 98. European Commission, “EU Commission and United States Agree on New Framework for Transatlantic Data Flows: EU-US Privacy Shield Strasbourg,” Press Release, (2 Feb. 2016), at http://europa. eu/rapid/press-release_IP-16-216_en.htm. 99. European Commission, “EU-US Privacy Shield: Frequently Asked Questions,” Fact Sheet, (12 Jul. 2016), at http:// europa.eu/rapid/press-release_MEMO- 16-2462_en.htm. 100. For various T-CY CoE reports, see “T-CY Reports,” CoE, at http://www.coe.int/en/ web/cybercrime/t-cy-reports. Page 224 | Chapter 5 | End Notes Table of Contents CHAPTER 6 Capacity Building This chapter provides an overview of some capacity-building issues starting by looking at capacity building for policy makers and legislators, law enforcement, consumers and cooperation with the private sector, as well as highlighting activities of the participating organizations. In this Chapter A. The Capacity-building Challenge 226 B. Developing Capacity-building Programs 240 C. Private Sector Cooperation 250 Page 225 | Chapter 6 | Capacity Building CHAPTER 6 A. The Capacity-building Challenge Table of Contents Introduction 226 I. Barriers to Interoperability 227 II. Mapping Technical Assistance Needs 230 III. UNODC Cybercrime Repository 231 IV. ICT-facilitated Child Sexual Abuse & Sexual Exploitation 232 V. Addressing the Capacity-building Challenge 233 A. General Capacity-building Issues 233 B. Increasing Internal Capacity to Improve International Cooperation 234 C. Knowledge Sharing & Dissemination 235 Conclusion 238 Annex 239 Introduction Addressing security concerns related to ICTs is of growing importance for governments, as well as for both regional and international organizations involved in creating a safe, digital environment by building confidence in online transactions. As a consequence, an increasing number of countries have adopted or strengthened their cybercrime legislation. According to the UNCTAD Global Cyberlaw Tracker,1 138 states have adopted a law on cybercrime and fourteen have a draft law. Figure 6.1 shows that the adoption of cybercrime legislation is fairly widespread across developed and transition economies, but less so in Africa and Asia. Page 226  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents Figure 6.1: Cybercrime Legislation Adoption Worldwide (percentage)2 Developped economies Transition economies Africa Asia and Oceania Latin America and Caribbean 0 10 20 30 40 50 60 70 80 90 100 The development of domestic legal frameworks for combating cybercrime should not be done in isolation. It is essential that the interoperability of such laws and policies at the regional and international level be assured. Establishing common minimum standards can help ensure cross- border coordination on the design and implementation of relevant legislation and enforcement mechanisms. As already discussed, the judiciary and the police would benefit from cooperating with their colleagues at the international level (see section 5 B, above). Once the legal framework has been prepared, the onus falls to the implementers to realize effective enforcement regimes. Cybercrime’s facility for crossing borders, especially once combined with the ability of cybercriminals to operate anonymously and to act both from and through multiple jurisdictions, makes the need for strong, cooperative law enforcement mechanisms even more urgent. Furthermore, governments should strive to reinforce the human, procedural and technical resources needed both to collect and analyze evidence, and to identify and prosecute cybercriminals as part of an intergovernmental prosecutorial effort. I. Barriers to Interoperability The main barriers to the development of cybercrime laws faced by governments worldwide, especially in developing countries include: 1   Stakeholders possibly affected by cyberlaw have limited understanding and experience with such legislation. 2   Cyberlaw may be developed in a number of different ways, and implemented in various stages, all of which has varying costs, and which is affected, and often delayed, by a scarcity of both human and financial resources. Page 227  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents 3   Developing legislation takes time, may progress slowly, and may be prolonged due to numerous factors, most notably by the stakeholder consultation processes, which is complicated by the wide range of stakeholders, but which is essential to building consensus before formal introduction and implementation. 4   Enforcing and prosecuting cybercrime is particularly difficult. The need for policy and law-makers to understand cybercrime issues and their multinational dimension is present in all countries. An UNCTAD survey, with responses from government representatives in forty-eight developing countries, emphasized a need to build awareness and knowledge among lawmakers and judiciary bodies with regard to cybercrime law and enforcement igures 6.2 and 6.3). policy (see f Over half of the representatives reported difficulties in understanding legal issues related to cybercrime. Similarly, over forty percent noted that lack of understanding among parliamentarians can delay the adoption of relevant laws. Without awareness and knowledge, it is difficult to formulate informed policies and laws and to enforce them. Figure 6.2: Challenges to the Enactment of e-Commerce Legislation in the ASEAN, ECOWAS and Selected Latin America and Caribbean Countries, 2013-2015 (Percentage of Respondents)3 Lack of skills or training for policy/or lawmakers Lack of skills or training for members of parliament Funding issues Inadequate ICT infrastructure 0 10 20 30 40 50 60 Other challenges include the need for informed regulators and for training law enforcement bodies, as well as sufficient resources to create effective legal frameworks and national certification authorities. Page 228  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents Figure 6.3: Challenges to the Enforcement of e-Commerce Legislation in the ASEAN and Selected Latin America and Caribbean Countries, 2013-2015 (Percentage of Respondents)4 Lack of skills or training for police or law enforcement agencies Lack of skills or training for the courts or regulations Funding issues Inadequate ICT infrastructure Inconsistent court rulings or court interpretation Difficulties dealing with cross-border issues 0 5 10 15 20 25 30 35 40 45 50 The implementation of cybercrime legislation is always challenging, especially in countries where resources (both in terms of skills and security systems) are insufficient. While adequate laws and technology are essential for the provision of protection against information security risks, they need to be complemented by adequate and relevant expertise. With regard to the security of communications infrastructure, national and international coordination and cooperation on matters of access to data and communications are important. In order to act effectively upon criminal procedural needs of specific cases, it is critical that law enforcement have the capacity to execute searches and seizures and intercept communications— and to do so across several jurisdictions. Nonetheless, a large number of countries are facing challenges in understanding the issues at stake and combating cybercrime. A coherent strategy to address these issues is required; such a strategy should aim to: 1   Make the fight against cybercrime a priority and allocate the necessary financial resources; and 2   Assess shortcomings in terms of infrastructure and human capacity. With regard to human capacity, relevant stakeholders who play, or should play, a role in cybersecurity management should be identified. They usually include policy makers, law makers, and law enforcers such as judges and magistrates, police officers and CERT officers. Training and briefing initiatives can be designed based on the category, number and individual needs of each group of stakeholders. For example, policy and law makers, including parliamentarians, need to understand cybercrime and cyberlaw in general, their application and impact. Training workshops can be organized at the government level, involving various ministries/institutions for two to five Page 229  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents days, while for parliamentary committees members, a general briefing on cybercrime issues and of cyberlaw and its application and impact over half a day or one-day maximum. For judges, magistrates and prosecutors—those who need to implement the law and legal regime—the capacity-building might be done two in phases: ƒƒPhase 1 ƒƒ Overview on the legal implications on cybersecurity to criminal laws and other related laws; ƒƒ Overview on the legal framework on cybercrimes and other related emerging issues; ƒƒ Legal issues information security, data protection and security standards; ƒƒ Legal issues on cybersecurity and nature of cybercrimes, children protection online; and ƒƒ Other criminal activities associated with the use of computers. ƒƒPhase 2 ƒƒ Cybercrime prosecution; ƒƒ Computer privacy and data protection principles/cross-border data flows; ƒƒ Legal issues on admissibility of e-evidence; ƒƒ Judicial considerations and case studies; and ƒƒ Criminal law and copyright law (piracy and other related offences). II. Mapping Technical Assistance Needs A useful process to identify needs to be addressed through technical assistance is through the development of indices for assessing relevant threats, national measures to address them, as well as initiatives of organizations. In addition to the Assessment Tool featured in chapter 7, a variety of other tools are available to map technical assistance needs. One such example is the ITU Global Cybersecurity Index (GCI), which measures the cybersecurity commitment of Member States with regards to the five pillars endorsed by the Global Cybersecurity Agenda (GCA), namely the ITU framework for international multi- stakeholder cooperation in cybersecurity aimed at building synergies with current and future initiatives and focuses on the following five work areas: ƒƒLegal measures; ƒƒTechnical and procedural measures; ƒƒOrganizational structures; Page 230  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents ƒƒCapacity-building; and ƒƒInternational cooperation. The objective of the GCI initiative is to help countries identify areas for improvement in the field of cybersecurity, as well as to motivate them to take action to improve their ranking, thus helping raise the overall level of cybersecurity worldwide. Through the collected information, GCI aims to illustrate the practices of others so that Member States can implement selected aspects suitable to their particular national environment, with the added benefit of helping harmonize practices and foster a global culture of cybersecurity. A first iteration of the GCI was conducted in 2014 in partnership with ABI Research and the final results have been published.5 A total of 105 of 193 ITU Member States responded. Secondary data was used to build the index for non- respondents. In parallel, “cyberwellness” profiles of all states were elaborated and are accessible from the GCI website. These profiles are factual representations of cybersecurity actions and planned initiatives by each state. The profiles, unlike the GCI, can be updated at any point in time at the request of the states and are thus considered as live up-to-date documents. GCI 2017 was released in June 2017 and updates and expands the data gathered in the first iteration of the GCI in 2014.6 A total of 134 countries out of 193 ITU Member States responded to the questionnaire. Secondary data was used to build the index for non-respondents. A number of new questions were added in each of the five pillars in order to refine the depth of research. III. UNODC Cybercrime Repository UNODC recently released its Cybercrime Repository, a central data repository of cybercrime laws and lessons learned for the purposes of facilitating the continued assessment of needs and criminal justice capabilities and the delivery and coordination of technical assistance.7 UNODC started developing its Cybercrime Repository in early 2014 pursuant to resolution 22/8 of the Commission on Crime Prevention and Criminal Justice (CCPCJ). The rationale behind the mandate was to make the comprehensive data sets gathered for its Comprehensive Study on Cybercrime via Member State questionnaires accessible to a wider audience.8 The repository contains a Case Law Database, a Database of Legislation and a Lessons Learned Database. The first two databases are the same databases as contained in the SHERLOC portal, a UNODC knowledge management portal aimed at facilitating the dissemination of information regarding the implementation of the UN Convention against Transnational Organized Crime9 and its three Protocols, as well as new and emerging forms of crime and their links to transnational organized crime. Page 231  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents The repository, which was officially launched in May 2015 during a side event at the CCPCJ, contains the following three types of information that are especially pertinent to e-commerce: ƒƒNational cybercrime and cybersecurity strategies (based on desk research); ƒƒNational cybercrime lead agencies (as provided by Member States); and ƒƒLessons learned—cybercrime policies and strategies, as well as good practices in cybercrime investigation, prosecution and prevention (as provided by Member States via questionnaire for the Comprehensive Study on Cybercrime and via Note Verbale in the form of short texts). IV. ICT-facilitated Child Sexual Abuse & Sexual Exploitation While the 2013 UNODC Comprehensive Study on Cybercrime revealed that the criminal misuse of ICT can take many forms, it produced additional evidence showing that children are particularly at risk of becoming victims of ICT-facilitated crimes. The fundamental issue is that children often do not fully understand the threats associated with sharing personal information, photos or videos, nor fully comprehend the facility with which that information can be accessed anonymously. In light of the above, the UN Economic and Social Council adopted resolution 2011/33, entitled “Prevention, protection and international cooperation against the use of new information technologies to abuse and/or exploit children”.10 This resolution mandated the elaboration of a UNODC Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children, which was duly completed in 2015.11 This later UNODC Study is intended to promote the exchange of experience and good practices in an effort to address the growing problem of ICT- facilitated child sexual abuse and exploitation. Findings contained in this Study point to the fact that ICTs can be used both to commit already known forms of child abuse and exploitation and to engage in new forms of child abuse and exploitation. In addition, the use of ICTs for the commission of these acts leads to the continuing victimization of children by facilitating the interlinking of crimes, for example through the production of child sexual abuse material and then through the distribution and possession of such material. Through their use of the internet, children may be exposed to other forms of abuse such as grooming, solicitation, stalking, harassment, bullying and exposure to harmful content. Organized criminal networks have much to gain in financial terms from the use of ICTs in the commission of child abuse and exploitation. Moreover, the accessibility of these relatively inexpensive technologies means that collaboration across borders among organized criminal groups is prevalent. Bearing the above in mind, it is imperative for governments and other partners to develop enhanced international cooperation and prevention strategies, as well as more targeted law enforcement techniques. Page 232  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents As affirmed by the UN Economic and Social Council,12 children should be afforded the same protection in cyberspace as they are in the physical world. To this end, legislation, including necessary criminal provisions, needs to be developed or upgraded, and efficiently implemented, principally by national authorities but also in consultation with other partners, such as civil society and the private sector. Technical capacities for law enforcement, including access to technological tools, need to be strengthened in order to detect, investigate and secure evidence of related offences. The UNODC Study provides a global picture of the issues at stake and further defines the typology of the crimes that need to be addressed, as well as the appropriate responses at national and international levels. It was based on open-source research on the issue, as well as the work of a UNODC Informal Expert Group Meeting on the subject, which was convened in Vienna from 23 to 25 September 2013, and which brought together experts from international organizations, law enforcement, other relevant practitioners and academics. The Study also forms part of UNODC’s technical assistance tools in the area of prevention and combatting of cybercrime. V. Addressing the Capacity-building Challenge Addressing the capacity-building challenge requires (A) a general understanding of the diverse capacity-building issues before (B) a more targeted understanding of how internal capacity can be built to, specifically, improve international cooperation and before (C) discussing the place for knowledge sharing and dissemination at all levels, including citizen awareness. A. General Capacity-building Issues Policy and law makers, as well as criminal justice and law enforcement personnel, especially in developing countries, need training in combating cybercrime, especially in developing countries. Capacity-building at the level of national law enforcement and criminal justice systems, in particular, is critical. While the majority of countries have begun to put in place specialized structures for the investigation of cybercrime and crimes involving e-evidence, in many countries those structures are underfunded and suffer from a lack of capacity. As e-evidence becomes increasingly pervasive in investigating “conventional” crimes, law enforcement authorities may need to make clear distinctions between cybercrime investigators and digital forensic laboratory capacity, establishing clear workflows. Frontline law enforcement officers may also increasingly need to acquire and deploy basic skills, such as those used to produce a sound forensic image of an electronic storage device. Moreover, as new technological developments such as anonymizing networks, high-grade encryption and virtual currencies become commonplace in cybercrime, investigators will also have to adopt new strategies. Law enforcement authorities may, for example, look to strengthen Page 233  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents partnerships with academic research groups that focus on the development of technical methodologies in areas such as the characterization and investigation of virtual currency transactions. Investigators may also need to consider how special investigative techniques, such as surveillance, undercover operations, using informants and controlled delivery in the case of the online sales of illicit goods, might be used alongside internet investigations and digital forensic techniques. Overall, it is clear that capacity-building for law enforcement and criminal justice actors on combating cybercrime will be an ongoing and continuous process, as technology and criminal innovations continue at a rapid pace. B. Increasing Internal Capacity to Improve International Cooperation A specific area of technical assistance to which UNODC devotes particular attention is that of capacity-building in the area of international cooperation to combat cybercrime. Apart from its legislative assistance, and in an effort to help practitioners to draft effective and accurate MLA requests, to receive more useful responses and to streamline the relevant process, UNODC has developed a Mutual Legal Assistance Request Writer Tool (MLA Tool), which can be used for all serious offences and not just those covered by international conventions.13 Since the Seventh Session of the Conference of the Parties to the UN Convention against Transnational Organized Crime (October 2014), UNODC has been working intensively to revise and update the MLA Tool. The redeveloped content and structure of the tool were finalized in May 2016, thus enabling the launching of a pilot phase to test its use in practice. Currently, the Tool is available in English, French, Spanish, Russian, Portuguese, Bosnian, Croatian, Montenegrin and Serbian.14 The first countries where the redeveloped Tool was tested were Ethiopia, Uganda and Kenya in July 2016. The findings of the pilot testing were brought to the attention of the Conference of the Parties to the UN Convention against Transnational Organized Crime at its Eighth Session in October 2016. The new guiding elements in the revised text of the MLA Tool include an additional “digital evidence module”. That module takes into account all pertinent developments in the field of international cooperation to combat cybercrime, and covers the following forms of cooperation: (a) expedited preservation of stored computer data; (b) ensuring access to stored computer data; and (c) real-time collection of traffic data. Several international and regional organizations, including the COMSEC, ITU, UNCITRAL, UNCTAD, UNODC and the CoE provide assistance to countries and regions. These agencies are increasingly joining forces to maximize the impact of their actions (see box 6.1, below). Page 234  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents Box 6.1: UNCTAD Assistance to Partners15 In support of developing countries’ efforts in this area, UNCTAD assists in the preparation and revision of e-commerce laws aligned with international and regional instruments. In the past decade, over 2,500 policy and law makers were trained in the ASEAN, EAC, ECOWAS, Latin America and the Caribbean. The assistance provided by UNCTAD has created a stimulus for countries to push for the adoption of national laws in this area. The work has involved close collaboration with regional institutions such as the AU Commission, the ASEAN Secretariat, the EAC Secretariat, the ECOWAS Commission, the Asociación Latinoamericana de Integración (ALADI) and the Secretaría Permanente del Sistema Económico Latinoamericano y del Caribe (SELA). Over sixty countries have been engaged with UNCTAD thanks to the financial support of Finland and Spain. Capacity-building activities have strengthened the knowledge of policy and lawmakers with regards to the legal issues surrounding e-commerce and international best practices, allowing them to formulate laws that correlate with their regional frameworks. Several agencies are assisting developing countries within their mandates, and inter-agency collaboration is growing. An example is the jointly organized briefing of Commonwealth parliamentarians by UNCTAD, the CTO and the Commonwealth Parliamentary Association during the Commonwealth Cybersecurity Forum in 2013. Another example is the joint workshop on the harmonization of cyber legislation in ECOWAS that took place in Ghana in March 2014. The event was organized by UNCTAD, UNCITRAL, the African Centre for Cyberlaw and Cybercrime Prevention, CoE, and CCI. UNCTAD has built a network of institutions with which it regularly partners with on different projects and activities. Many of them contributed to the development of the Cyberlaw Tracker database, which maps laws in the areas of e-transactions, data protection, cybercrime and the protection of consumers online. The results of this first-ever global mapping are available online.16 C. Knowledge Sharing & Dissemination Knowledge sharing and dissemination can take place through both training workshops and through formal and informal networking among participants at the national and regional levels. Regardless of the approach, it is important to promote beneficiary involvement to ensure sustainability and ownership, and to tailor the training session depending on the needs of the various stakeholders. Regional and national capacity-building activity should aim to: ƒƒRaise awareness of cybercrime issues among policy makers and other stakeholders; Page 235  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents ƒƒExchange good practices among participants from other countries and from regional and international organizations; ƒƒDiscuss possible regional coordination; and ƒƒSet the stage for further assistance and action. An effective way to approach capacity-building is to combine distance-learning with face-to-face training workshops. Doing so allows for a flexible training process that includes active participation. Distance learning allows trainees to: ƒƒChoose the time and place of learning that suits them best; ƒƒExchange information and ideas with trainers and fellow trainees regardless of location; ƒƒBenefit from continued partner support, such as that offered by the UNCTAD TrainForTrade team (discussed below); and ƒƒMaintain contact with international trade specialists and other training institutions. Some international organizations, such as UNCTAD, are using models that include distance learning trainings followed by face-to-face workshops at the national and regional level (see box 6.2, below). The UNODC Global eLearning Programme is designed to offer on-demand capacity-building to stakeholders around the globe on contents related to UNODC staff. The tailored training courses are developed by UNODC in collaboration with international experts and correspond directly to needs of Member States. They are comprised of different subjects, including cybercrime.17 Box 6.2: UNCTAD TrainForTrade Learning Methods18 Combining distance and face-to face learning: UNCTAD’s TrainForTrade Programme combines face-to-face activities with distance-learning courses. Experience shows that the quality of face-to-face seminars increases (in terms of trainees’ participation and learning results) when trainees have first been introduced to the relevant subject matter through an e-learning course. TrainForTrade emphasizes that the pedagogic aspects of training should not be undermined by technology. At the same time, the use of ICT as a tool for knowledge-sharing increases the number of beneficiaries, while also keepings the costs down. Experience shows that adult trainees typically learn better in a group environment. Consequently, TrainForTrade courses use chat rooms and group foraums to facilitate exchange with the instructors and amongst participants. Training the local distance-learning tutor: One essential element of TrainForTrade includes training local experts as tutors to moderate and locally manage the distance learning deliveries. The identification of a training center and a local tutor is essential for maximizing Page 236  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents the impact of the course. During the training of technical tutor’s course, a local tutor learns the process of course delivery and the different pedagogic strategies that he should use to facilitate the delivery. Meeting the needs of beneficiaries: The choice of training methods and technology will always depend on the characteristics and circumstances in the beneficiary country. TrainForTrade uses Moodle, a free and open-source learning management system based on a Linux platform in order to facilitate the sharing of information and technology in an efficient and cost-effective manner. Continuous evolution and development: TrainForTrade is continuously developing new learning tools by exploring new technological opportunities. The expansion of 3G/4G coverage, cell phones, smartphones and tablets has made access to information easier. The development of cloud and mobile learning provides efficient solutions for the storage, dissemination and acquisition of information. The tools can also be used to promote interactive and collaborative learning. Another important way to create awareness is to promote information-security awareness in the population at large. Individuals and enterprises—especially SMEs—increasingly need to be made aware of not only the relevant and ever-changing laws, but also of their rights. Doing so is particularly important in order to build trust in cross-border e-commerce. Industry associations and consumer protection agencies should work together to overcome barriers caused by divergent national legal standards. National public campaigns (including through radio and television programs) aimed at informing about ways to protect consumers online can be a key element of awareness-raising strategies (see box 6.3, below). Box 6.3: Awareness Campaigns on e-Commerce Laws in Uganda19 In Uganda, the National Information Technology Authority (NITA)20 and the Ministry of Information and Communications Technology21 developed and facilitated the enactment of subsidiary legislation to operationalize the EAC Framework on Cyber Laws (UNCTAD, 2012).22 Since 2011, NITA has embarked on a campaign meant to raise awareness about new laws, as well as aspects of information security in general.23 The campaign aims to encourage public administration and private sector actors to put minimum information security controls in place in order to ensure safe e-transactions. Sensitization workshops have been organized for entities such as ministries, banker association, and legal societies, as well as for national chambers of commerce, the Investment Authority and the Securities Exchange. Workshops have been facilitated by a multi-institutional team of lawyers and technical resource persons, Page 237  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents including experts participating in the EAC Task Force supported by UNCTAD. Future plans include the delivery of similar workshops to create awareness of the Data Protection and Privacy Bill, once enacted. Conclusion Building capacity and raising awareness about combatting cybercrime should be a national priority for every country. To address cybercrime at the national level, domestic legal frameworks must be developed. Countries must also coordinate and cooperate across borders with governments and agencies in the formulation of their cybersecurity strategy. Coordination and cooperation is necessary to ensure a shared minimum understanding and interoperability of competencies internationally, on both procedural and substantive levels. However, there remain many challenges, which must be faced. These include, among others, resources and funding, understanding the fast- evolving nature of cybercrime, the slow pace of elaborating legislation, enforcements issues and the implementation of effective regimes to combat cybercrime. One of the key issues in fighting these challenges is making sure that policy makers, law makers and law enforcement receive adequate training on combating cybercrime. Dissemination and sharing of knowledge that takes place during these training sessions benefits the cybercrime awareness of a country. International organizations, such as UNCTAD, help with the training of local staff (e.g., via UNCTAD’s TrainForTrade). Another way to improve awareness is by promoting cybersecurity issues within the population in general, as was done in Uganda, for example. Furthermore, to support national capacity-building, multilateral and bilateral agencies might help by assisting in the preparation and revision of a range of cyberlaw approaches in order to align them with international and regional good practices. By cooperating and coordinating both at the national as well as the international level, these methods help raise awareness of cybercrime and help build cybersecurity capacity. Page 238  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents Annex Global Cybersecurity Index 2017 – Good Practices Country Good Practices Mauritius The top-ranked country in the Africa region, Mauritis scores particularly high in the legal and the technical areas. The Botnet Tracking and Detection project allows Computer Emergency Response Team of Mauritius (CERT-MU) to proactively take measures to curtail threats on different networks within the country. Capacity- building is another area where Mauritius does well. The government IT Security Unit has conducted 180 awareness sessions for some 2,000 civil servants in 32 government ministries and departments. USA With the highest scores for the legal and capacity-building pillars, one notable aspect of both capacity-building and cooperation in the country is the initiatives to coordinate cybersecurity among all states. To that end, the National Governor’s Association established the Resource Center for State Cybersecurity, which offers best practices, tools and guidelines. Egypt Ranking second with a full-range of cooperation initiatives, Egypt is a member of the UN Government Group of Experts (GGE) on cybersecurity, has chaired the ITU Working Group for Child Online Protection, was a founding member of AfricaCERT and has a number of bilateral and multilateral agreements on cybersecurity cooperation. Malaysia Ranked second in the Asia-Pacific region and scores a perfect 100 on capacity- building, Malaysia has developed a range of initiatives in that pillar. Notably, Cybersecurity Malaysia, the government entity responsible for information security in the country, offers professional training via higher education institutions in Malaysia. It maintains the Cyberguru website, dedicated to professional security training. Georgia Top-ranked in the CIS, the government has strongly supported protection of Georgia’s information systems after large-scale cyberattacks on the country in 2008. The Information Security Law established a Cyber Security Bureau with a particular emphasis on protecting critical information systems in the military sphere. Estonia The highest ranked nation in the Europe region, Estonia, like Georgia, substantially enhanced its cybersecurity commitment after a 2007 attack. This enhancement included the introduction of an organizational structure that can respond quickly to attacks as well as a legal act that requires all vital services to maintain a minimal level of operation if they are cut off from the Internet. The country also hosts the headquarters of the NATO Cooperative Cyber Defence Centre of Excellence. Page 239  |  Chapter 6  |  § A. The Capacity-building Challenge Table of Contents CHAPTER 6 B. Developing Capacity-building Programs Table of Contents Introduction 240 I. Offering Cybercrime Training for Government Authorities 241 A. Training for Lawmakers 241 B. Training for Law Enforcement Personnel 241 C. Training for Prosecutors & Judicial Authorities 242 D. Knowledge Sharing 243 E. Furthering Public-Private Cooperation 244 F. Advancing International Cooperation 244 II. Client-driven Capacity Building 245 III. Capacity-building Programs: The CoE’s Experience 245 A. Implementing the Budapest Convention 246 B. CoE Cybercrime Capacity-building Projects 246 1. Global Action on Cybercrime (GLACY) 246 2. Global Action on Cybercrime Extended (GLACY+) 247 3. Cybercrime@Octopus 247 4. Cybercrime@EaP II 248 5. Cybercrime@EaP III 248 6. Cooperation on Cybercrime under the Instrument of Pre-accession (iPROCEEDS) 248 7. Cybercrime Programme Office (C-PROC) 249 Conclusion 249 Introduction As discussed, capacity building starts by creating the framework and infrastructure that allows for capacity to build and to be built; that involves developing an overarching cybersecurity policy and strategy (see section 2 F, above), passing the necessary cybercrime-specific legislation (see section 3 A, above) and creating specialized cybercrime units (see section 1 D, above). Only thereafter can targeted cybercrime capacity-building programs be launched. While the area is a still developing, a multitude of approaches to training techniques exist, as offered by a multitude of organizations.1 Those programs may (I) offer cybercrime training for government authorities, with different courses targeted for law enforcement personnel and members of the prosecutorial and judicial services, respectively. Whichever approach is taken, (II) Page 240  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents cybercrime capacity-building programs must be client-driven if they are to be effective, meaning that, while donor and partners might well bring their own interests and expertise, the program must be client-owned for the program to be truly efficacious. In order to elucidate all of these aspects, this section concludes by (III) exploring the CoE’s experience with capacity-building programs by considering the Budapest Convention and by looking at several project examples. I. Offering Cybercrime Training for Government Authorities While creating units specialized in the handling of cybercriminal matters is important, it is equally important to offer training in foundational cybercriminal matters—including institutional structure and resource availabilty—both (1) to law enforcement personnel and (2) to members of the prosecutorial and judicial services. In order to be truly effective, such trainings should be sustainable, standardized, replicable and scalable. A. Training for Lawmakers As the Toolkit has attempted to make evident, the fight against cybercrime begins with the construction of legal frameworks that are not only robust in their own right, but, due to the internet’s global nature, which are interoperable with the legal frameworks of other nations (see section 1 B, above). As lawmakers are chiefly responsible for the development of such frameworks, they play an essential role in the success of any long-term capacity-building programs. To that end, lawmakers ought to be made knowledgeable about the nature of cybercrime at large and about the policies and laws of other nations.2 In addition to paying detailed attention to targeted sectors, such as the financial sector, lawmakers must be both aware of, and willing to work with, the webbed, intertwined interactions between international instruments and various domestic laws. Further, law makers need the background to be able to foresee economic, constitutional and social impacts of the cybercrime legislation and policies that they develop. B. Training for Law Enforcement Personnel Beyond the creation of specialized units discussed above, and in addition to creating strategic structures and connections for general knowledge dissemination and discussion, foundational cybercrime training should be offered to those on the frontlines of dealing with cybercrime. Indeed, many countries already provide training on general mechanisms via courses or through on-the-job exposure. Page 241  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents Training is important as all types of crimes increasingly involve or implicate cyberspace, be it in the form of electronic evidence, or through the use of ICT. As any law enforcement officer, prosecutor or judge inevitably will be confronted with such matters, they should be appropriately prepared for, and familiarized with, such matters. Comprehensive cybercrime training to authorities should include the following areas: Investigating cybercrime. As discussed (see sections 2 C & 2 D, above), investigating 1   cybercrime requires different skills than those typically used to investigate traditional crimes. In particular, awareness should be raised about procedural differences, methods of ICT forensic analyses and techniques for preserving the authenticity, integrity and reliability of electronic evidence. Understanding existing law enforcement training materials and initiatives might help elucidate this process.3 Differentiating functions. In addition to understanding how the larger system operates, 2   it is also important for stakeholders and actors to understand the skills and competencies, as well as functions at appropriate level, of respective units (from first responder to forensic investigators). Methods of offering inter-agency cross-support, while also assuring network security should all be covered. Facilitating cooperation. For fighting crime in general, it is important that the various 3   authorities cooperate; such is especially the case in cybercrime, where evidence can be nearly ephemeral and may be divided and stored in numerous countries. Cooperation for training purposes should foremostly focus on creating connections between public authorities (law enforcement, prosecutors, judiciary) but should also extend to including ways of working with academia and industry. C. Training for Prosecutors & Judicial Authorities Foundational cybercrime training is not only important for law enforcement officers, who are the first to come into contact with such evidence, but also should be offered to authorities at all levels—investigatory, prosecutorial and judicial authorities alike. Indeed, while specialized cybercrime units are most typically found among police services (where discrete technical support is frequently required), such units are very infrequently found in prosecutorial services and (even less so) in the judiciary. As such specialized services are not always available to prosecutors and judges, foundational cybercrime training is particularly important for these professionals. However, and notwithstanding this need, training on cybercrime and electronic evidence is very rarely offered on any basis, let alone regularly, to prosecutors or judges. Lack of knowledge and skills among prosecutors and judges persists as a point of concern around the world, regardless of the country or region. Page 242  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents While trainings may be held in common—and, indeed, should in part be held in common—it is advisable for trainings to be targeted and audience-specific, especially in light of the division of powers between investigators/prosecutors and the judiciary.4 Thus, in addition to exposing prosecutors and judicial authorities to the training offered to law enforcement authorities (as discussed immediately above), training programs tailored to the needs of prosecutors and judicial authorities should address the following matters: Cybercrime basics. The course should present an understanding not only of the nature of 1   cybercrime, but also of cyber how cybercrime is addressed by law enforcement authorities. Attention should be given to (a) adapting training materials to the needs of the jurisdiction where the training is being offered, (b) to tailoring the training of trainers and (c) the mainstreaming of these cybercrime modules into regular training curricula. Advanced training. The matter and material for cybercrime being copious, separate modules 2   should be offered for more advanced and nuanced topics, including specialization and technical training. Networking. Enhanced knowledge might be accomplished through the networking of judges 3   and prosecutors, and regularly making caselaw and other resources available.5 D. Knowledge Sharing All states and institutions face difficulties in curating and disseminating knowledge. While creating special cyber units and cooperation mechanisms is important, standardized training, on-the-job training and ad hoc courses or informational bulletins for authorities at all levels can all be used to facilitate and further the process. It is important that knowledge be shared as broadly and as routinely as possible. Additionally, care should be taken to assure that dissemination is done geographically—for instance, a cyber unit may be located in the capital city, but, due to the nature of cybercrime, significant cases will almost certainly occur elsewhere in the country. As such, it is also necessary to target knowledge sharing by profession—for example, judges should be aware of matters such as instances when foreign electronic evidence may be properly admissible, even if informally procured by police. Although the creation of specialized cyber units and the offering of targeted trainings may imply the importance of knowledge, the critical nature of such activities merits flagging such measures here under a separate heading. Additionally, it bears noting that many officials in many governments are hesitant to embrace electronic evidence—or e-evidence—, or they may be reluctant to accept Page 243  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents training on the topic for various reasons, including that they are already experts in one field and do not care or need to be trained in another. Such resistance impedes the acceptance of electronic evidence and international cooperation; with that in mind, consciousness-raising and training should be tailored accordingly tailored. Routine knowledge sharing mechanisms can help mitigate such mistrust or discomfort.6 Relatedly, participation in international conferences and sharing exercises with homologues of other nations can contribute significantly: the effects of informal and personal connections, especially as when encouraged alongside formal arrangements and structures, ought not to be underestimated (see section 5 B, above). E. Furthering Public-Private Cooperation Cooperation and information exchange are essential to effectively combatting cybercrime. Such is especially the case as so much of the infrastructure that is essential to the functioning and “existence” of cyberspace is owned, controlled or operated by the private sector as opposed to the public sector. ISPs, financial sector institutions and other industry actors are all essential to the effort to combat cybercrime. To that end, initiatives, including CERTs, CSIRTs, academic and non- governmental projects have been launched. Any such program should seek to do the following: 1   Strengthen cooperation between law enforcement and private sector operators; 2   Support the creation of Information Sharing and Analysis Centers (ISACs), especially for the financial sector; 3   Set-up of cybercrime reporting systems (such as for spam, botnets, child abuse materials); 4   Facilitate cooperation between law enforcement and CIRTS, CERTs or CSIRTs; and 5   Further private-public information sharing in line with data protection requirements.7 F. Advancing International Cooperation Cyberspace is transnational by nature. As such, e-evidence of a cybercrime is quite frequently scattered around jurisdictions, and, indeed, around the world at large. As such, investigators need to be able to secure electronic evidence which, in part, piece or whole, might be beyond the place of their own jurisdictional authority, often with great speed. To that end, international efforts should be undertaken to train and support competent authorities to engage in efficient and expedited international cooperation. Such programs should not only familiarize members of government with the resources in their own jurisdictions, but connect them with their counterparts—domestically, regionally and internationally. Page 244  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents Such programs should focus on the following: 1   Strengthening domestic activities as a basis for international judicial and police-to-police cooperation; 2   Setting up 24/7 points of contact for urgent international cooperation, in particular data preservation; 3   Training and networking of authorities for MLA; and 4   Ratification of, or accession to, international treaties and conclusion of bilateral agreements.8 II. Client-driven Capacity Building Although there may be many ways to sequence activities, capacity-building programs should be developed and implemented in a pragmatic manner that aligns with the needs of the target group—that is, the client. Therefore, a program should support the government, agency or organization seeking to change. The request for assistance should come from that entity, and that request should structure the way in which the assistance is to be provided. Assistance should not be donor driven. Generally speaking, strengthening legislation on cybercrime and electronic evidence is a suitable starting point to enter into dialog. By contrast, starting a program with computer forensic training courses, for example, without having developed a legal framework on cybercrime may prove to be of limited use. Experience shows that engagement of decision-makers is essential for the success of capacity- building programs and for advancing any substantial criminal justice measures in cybercrime in general. A thorough analysis of the cybercrime situation and of the strengths and weakness of criminal justice capabilities will facilitate the engagement of decision makers and will establish benchmarks against which progress can be determined later on. Towards the end of a program (or of a phase thereof), an assessment of the progress made should be undertaken. Thereafter, for that assessment to be of effect, feedback mechanisms should relate back to the overall policies and strategies, seeking to reconfirm the engagement of decision- makers beyond the completion of the program.9 III. Capacity-building Programs: The CoE’s Experience Of the great diversity of cybercrime capacity-building programs that exist, the CoE has had extensive experience, largely structured around (A) implementing the Budapest Convention, as well as through (B) a variety of cybercrime capacity-building projects, be they country-specific, regional or global. Page 245  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents A. Implementing the Budapest Convention The CoE approach on cybercrime consists of three interrelated elements: 1   Setting common standards; 2   Following-up and assessing implementation; and 3   Providing technical assisstance that furthers cooperation for capacity building.10 The Council’s standards are fundamentally drawn from the Budapest Convention, and its Additional Protocol on Xenophobia and Racism committed by means of computer systems. Additional standards come from the treaties on data protection (Convention 108)11, on the sexual exploitation and sexual abuse of children (Lanzarote Convention),12 on money laundering and financing of terrorism13 and others. The key supervising body is the Cybercrime Convention Committee (T-CY), which not only represents the Parties to the Budapest Convention (“Consultations of the Parties”), but also interprets the text of the Convention, prepares Guidance Notes and assesses the Parties’ implementation of the Convention.14 The Council’s approach to capacity building is aimed at assisting governments and organizations in the implementation of the Budapest Convention and related standards, including human rights and rule of law principles and in following up on the assessments carried out by the T-CY. In a dynamic circle, results of capacity building in turn inform standard-setting and the larger work of the T-CY. B. CoE Cybercrime Capacity-building Projects Since 2006, CoE has carried out a range of country-specific, regional and global capacity-building projects. Additional projects are in preparation. Many projects are co-funded by the European Union. The EU supports the Budapest Convention and capacity building on cybercrime worldwide. These include: (1) Global Action on Cybercrime (GLACY), (2) Global Action on Cybercrime Extended (GLACY+), (3) Cybercrime@Octopus, (4) Cybercrime@EaP II, (5) Cybercrime@EaP III, (6) iPROCEEDS and (7) C-PROC. 1. Global Action on Cybercrime (GLACY) The Global action on Cybercrime, or GLACY, was a joint project of the EU and the CoE aimed at supporting countries worldwide in the implementation of the Budapest Convention.15 The specific objective of GLACY was “to enable criminal justice authorities to engage in international cooperation on cybercrime and electronic evidence on the basis of the Budapest Convention on Cybercrime”. The project’s duration was three years, from 1 November 2013 to 31 October 2016. Page 246  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents GLACY was intended to explore measures that would: 1   Engage decision-makers; 2   Facilitate the harmonization of legislation; 3   Develop judicial training programs; 4   Expand the capacities of law enforcement; 5   Improve international cooperation; 6   Increase information sharing; and 7   Assessment of progress. 2. Global Action on Cybercrime Extended (GLACY+) Building upon the success of GLACY,16 the CoE and the EU’s Instrument Contributing to Peace and Stability launched Global Action on Cybercrime Extended, or GLACY+, which runs from 1 March 2016 until 28 February 2020. Intended to extend the experience of the GLACY project, GLACY+, though a global action, initially supports nine priority countries in Africa, the Asia-Pacific region and Latin America, namely: the Dominican Republic, Ghana, Mauritius, Morocco, Senegal, South Africa, Sri Lanka and Tonga. These countries are intended to serve as hubs for knowledge and experience sharing for their respective regions. The objectives of GLACY+ include strengthening the capacities of States around the world through the development and application of cybercrime legislation, while also enhancing their abilities for effective international cooperation in this area. More general objectives for GLACY+ include the following: 1   Promoting consistent cybercrime and cybersecurity policies and strategies; 2   Strengthening the capacity of police authorities to investigate cybercrime and engage in effective police-to-police cooperation with each other as well as with cybercrime units in Europe and other regions; and 3   Enabling criminal justice authorities to apply legislation and prosecute and adjudicate cases of cybercrime and electronic evidence and engage in international cooperation. 3. Cybercrime@Octopus Cybercrime@Octopus is a CoE project based on voluntary contributions that aims at assisting countries around the world in how best to implement the Budapest Convention and to strengthen data protection and rule of law safeguards at large.17 The project had a three-year duration, from 1 January 2014 to 31 December 2017. Page 247  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents The results of Cybercrime@Octopus include the following: 1   Annual Octopus conferences, with attendees from around the globe; 2   Co-funding and supporting the T-CY; and 3   Providing advice and other assistance to states prepared to implement the Budapest Convention and related instruments pertaining to data protection and the protection of children. 4. Cybercrime@EaP II A partnership jointly implemented by the EU and the CoE’s Programmatic Cooperation Framework in the Eastern Partnership (EaP) Countries, Cybercrime@EaP II aims to optimize the regional and international cooperation on cybercrime and electronic evidence.18 Participating countries are the six EaP countries: Armenia, Azerbaijan, Belarus, Georgia, Moldova and Ukraine.19 The project runs from 1 May 2015 to 31 October 2017. Specifically, the project aims to improve of MLA in matters of cybercrime and electronic evidence, and strengthening of the role of 24/7 contact points. 5. Cybercrime@EaP III With a similar timeframe as Cybercrime@EaP II (1 December 2015 to 31 December 2017), and similarly implemented by the EU and the CoE’s Programmatic Cooperation Framework in the EaP countries, Cybercrime@EaP III is a complementary capacity-building program. Cybercrime@EaP III aims at improving cooperation between criminal justice authorities and service providers in specific criminal investigations, while also upholding necessary rule of law safeguards.20 As with Cybercrime@EaP II, participating countries are the six EaP.21 6. Cooperation on Cybercrime under the Instrument of Pre-accession (iPROCEEDS) Targeting eastern Europe and Turkey, Cooperation on Cybercrime under the Instrument of Pre- accession (IPA), or iPROCEEDS, is a joint project of the EU’s IPA II Multi-country action program 2014 and CoE. Its objectives are to strengthen the capacity of authorities in the IPA region to search, seize and confiscate cybercrime proceeds and prevent money laundering on the internet. Project indicators include the extent of financial investigations and prosecutions related to cybercrime and proceeds from online crime, and the level of compliance with international standards on cybercrime, money laundering and the search, seizure and confiscation of proceeds from crime (CoE Conventions 185 and 198). It has a duration period from 1 January 2016 to 30 June 2019, and is being implemented in Albania, Bosnia and Herzegovina, Montenegro, Serbia, the Former Yugoslav Republic of Macedonia, Turkey and Kosovo.22 Page 248  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents 7. Cybercrime Programme Office (C-PROC) With increasing demand for capacity building on cybercrime and electronic evidence, organizations providing support need to enhance their own capabilities.23 To that end, and further to an offer by the Prime Minister of Romania, CoE established a Cybercrime Programme Office (C-PROC) in Bucharest, Romania, in 2013. C-PROC is responsible for the implementation of the capacity- building projects of CoE on cybercrime and electronic evidence worldwide. The added value includes specialization, cost-effective project management, competitiveness and thus increased resource mobilization. The activities managed by C-PROC are closely linked to the work of the T-CY and other intergovernmental activities of CoE in Strasbourg, France. Conclusion Cybercrime capacity building offers a number of advantages. It responds to needs and produces immediate impact. It favors multi-stakeholder cooperation, as well as contributing to human resources development, poverty reduction and respect for the rule of law, while also reducing the digital divide.24 Moreover, policy discussions at the international levels show that cybercrime capacity-building programs have broad political support upon which to build. Experience, good practices and success stories are readily available, offering adaptable and replicable results. Elements of capacity-building programs may include support to cybercrime policies and strategies, legislation including rule of law safeguards; reporting systems and prevention; specialized units, law enforcement and judicial training; interagency cooperation; public/private cooperation; international cooperation; protection of children; and financial investigations. An effective criminal justice response is an essential component of a governance framework that is to ensure the security, confidence and trust in ICT so that societies are able to exploit the benefits of ICTs for development. Strengthening safeguards on law enforcement powers and implementing frameworks for the protection of personal data are an essential precursor to building cybercrime- fighting capacity. The impact of cybercrime capacity-building programs is diverse and important, substantially not just cybercrime-fighting measures, but also positively impacting the larger fight against crime. Results range from increased use of electronic evidence in criminal proceedings; increased numbers of investigations, prosecutions and adjudications; shorter response times to requests for MLA; more efficient police-to-police cooperation; and other verifiable indicators. More generally, the success of such programs can also be seen in further human development and improved democratic governance. Page 249  |  Chapter 6  |  § B. Developing Capacity-building Programs Table of Contents CHAPTER 6 C. Private Sector Cooperation Table of Contents Introduction 250 I. Building Public-Private Partnerships 251 A. Formal & Informal International Cooperation 251 B. The Place for the Private Sector at Large 252 C. Involving ICT-Sector Players 253 D. Tailoring Government Interventions 254 E. The Need for Information Sharing 254 II. Barriers to Effective Cooperation 255 III. Examples of Cyber PPPs 256 A. Corporate Social Responsibility Examples 257 B. Combatting Online Scams & Fraud 257 C. Private-sector Originating Initiatives 257 D. Inter-governmental & International-organization Initiatives 258 E. Initiatives in Europe 259 F. Initiatives in the United States of America 261 Conclusion 261 Introduction The internet and digitization has facilitated commerce, fueled growth and improved the lives of many. Indeed, it has done so to such an extent that it has become central— even critical—to the way that both individuals and society function. The impact of the cyber revolution range from the most basic transactions, to information gathering and sharing, to complex commercial interactions. Moreover, the internet and digitization has become central to the basic operating of critical infrastructure. However, unlike other structure and implements essential to allowing society’s function, the vast majority of the infrastructure underlying and undergirding cyberspace is not in public hands but in private ones. Because so much of the infrastructure and services behind the internet is owned and operated by the private sector, it is essential that the public and private sectors collaborate to both secure that infrastructure and to allow society to continue to develop to the benefit of all. Consequently, cybersecurity is a matter of public safety that can and must be addressed through public-private Page 250  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents cooperation. Even where cooperation already exists, there is room to improve and enhance cooperation between governments and the private sector on cyber security.1 In discussing private sector cooperation with government, specific discussion is needed around (I) building PPPs and (II) some of the notable existing barriers to effective cooperation, with an understanding of good practices made possible through (III) the discussion of various examples of existing PPPs designed to combat cybercrime. I. Building Public-Private Partnerships In order to build effective PPPs, it is important to (A) recall the place of formal and informal international cooperation, before going on to (B) outline the scope of PPPs at large and to (C) explore the role in the ICT sector partners in particular. Additionally, the (D) caveat of tailoring government interventions and (E) the need for information sharing ought also to be highlighted. A. Formal & Informal International Cooperation As discussed earlier in the Toolkit (see sections 5 A and 5 B, above), international cooperation comprises both formal (e.g., mutual legal assistance, extradition, mutual recognition of foreign judgments) and informal mechanisms (e.g., direct police-to-police, 24/7 networks, information sharing and coordination centers). Both formal and informal mechanisms of international cooperation need to take account of the role of private sector actors. For instance, formal instruments have notable shortcomings regarding cross-border access to data owing to a focus on the matter of provider consent, as coupled with a presumed knowledge of the location of the data in question. Such shortcomings have resulted in increased resorting to mechanisms of informal cooperation.2 PPPs are created either informally, through casual agreements or understandings, or formally, by establishing legal arrangements. Collaboration focuses on facilitating the exchange of information on threats and trends, but also for preventing case-specific activities and actions. Such actions complement those of law enforcement and can help mitigate damage to victims. The private sector does not just speak to industry. Academic institutions play a variety of roles in preventing cybercrime, including through delivery of education and training to professionals, law and policy development and work on technical standards and solutions development. Universities house and facilitate cybercrime experts, even hosting CIRTs and other specialized research centers.3 CIRTs play an important role in capacity-building through event-hosting and information sharing, very frequently at a technical level. They also facilitate interactions with local police for identifying cybercriminals, offer important support to the private sector for supporting and coordinating with Page 251  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents other CIRTs to exchange real-time technical data and technical expertise for tracking cybercrimes. These networks extend to regional groups, such as APCERT in the Asia-Pacific region4 and OIC- CERT for the Organisation of the Islamic Cooperation,5 and international groups, such as Forum of Incident Response and Security Teams (FIRST).6 The activities undertaken by these groups are supported through international efforts, such as ITU’s regionally-supported ALERT cyberdrills, which involves the host country, ITU, FIRST and privatesector actors.7 B. The Place for the Private Sector at Large As so much of the relevant infrastructure is in the hands of the private sector, and as cyber has infiltrated virtually every domain of life, PPPs are essential to successfully combatting cybercrime. Indeed, INTERPOL has noted that “the complex and ever-changing nature of the cyberthreat landscape requires high-level technical expertise, and it is essential that law enforcement collaborates across sectors to effectively combat cybercrime and enhance digital security.”8 Presently, law enforcement faces many challenges in scaling-up to address the ever-growing threats emanating from cyberspace.9 “The internet of things presents unprecedented opportunities for criminals, and for effective law enforcement getting perpetrators behind bars should be an integral part of any strategy. Combating cybercrime requires a unified approach, not just in developing partnerships but in ensuring that police around the world are provided with the basic equipment and training they need.”10 As already discussed, the so-called internet of everything (IoE) sets to dramatically expand the present understanding of what makes the “infrastructure” of information society, and, correspondingly, to increase criminal opportunities (see section 2 A, above). However, such partnerships have heretofore been, as the US White House remarked, “at best unclear or ill- defined” with any detailed allocation of roles and responsibilities between industry and government being left unaddressed.11 The development of NCSs, though perhaps structured by the government, must create a space for the private sector as an essential part of combatting cybercrime. This realization is a shared responsibility requiring coordinated action related to the prevention, preparation, response and recovery from incidents by all stakeholders—government, the private sector and civil society at large.12 Use of a PPP-approach is not without criticism.13 Published NCSs typically approach critical infrastructure protection from the perspective of a common-good, with all actors supposedly working in harmony to achieve a common goal.14 Attempts to enhance the dialogue between the public and private sectors often have been unsatisfactory due to issues such as lack of Page 252  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents trust, misplaced expectations, conflicts of interest and laws requiring a certain level of secrecy or openness that may work against the interest of the private actor in question. Further, in a recessionary economy, with industry tending to focus on short-term delivery of revenue lines for survival, longer-term strategic issues may be relegated to secondary importance. Matters such as the stand-off between the FBI and Apple, and the indications of government usage of telecommunications to improve surveillance, for instance, have done little to improve working relations between the two sectors (see section 1 B, case 1.3, above). Box 6.4: Academic and Government PPPs15 Academia plays an important role in building effective PPPs. For instance, the National University of the Philippines and the US DoJ signed an agreement in 2012 for a PPP to develop cybercrime experts through Southeast Asia’s first four-year course on digital forensics. The course—a Bachelor of Science in Computer Studies, Major in Digital Forensics—is intended to develop professionals in the specialized field, particularly in the area of evidence retrieval from computer hard disks, mobile phones and other ICT devices. The long-term PPP is intended to provide institutionalized capacity-building and to allow resource sharing in order to face the global challenge of cybercrime by mobilizing subsequent generations. C. Involving ICT-Sector Players While PPPs at large can be beneficial, there is a particular need to create partnerships involving ICT sector players. ICTs continue to develop and to be diffused at an incredible pace, dramatically changing the way in which societies operate, and driving near unprecedented economic and social development.16 As such, private entities operating in the ICT sector—the drivers of much that progress—are particularly important for developing crime-solving PPPs. Additionally, private sector actors are often better poised to play a constructive role: first, they frequently have greater control over many of the critical systems in need of protection and of relevant data; second, they often have more resources than government for recruiting top talent; and, third, they typically do not face many of the constitutional and statutory limitations that control government’s investigations and police powers. Moreover, the contributory role that ICT entities could play is not merely benevolent: as so much about market success is consumer confidence, ICT entities have many commercial reasons for investing strongly in promoting a safe and secure cyberspace at large, both in their own research and innovation (R&I), as well as in cooperating with the public sector. Given the substantial private R&I being undertaken, ICT companies have an array of security tools that could support public efforts to fight cybercrime. Page 253  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents D. Tailoring Government Interventions While the private sector has crucial insight, expertise and resources for combatting cyberthreats, the government is uniquely positioned to investigate, arrest and prosecute cybercriminals; to collect foreign information on cyberthreats; and, potentially, to provide certain statutory protections to companies that sharing information with government,17 much as is done for whistleblowers in anticorruption efforts. Government also may be privy to threat information—from both domestic and foreign sources—in advance of the private sector and can collect and disseminate information among the various and diverse stakeholders. Government can provide a more complete perspective on the threat and on effective mitigation techniques, while taking steps to protect individual victims. This can help assuage competitive and reputational concerns about revealing a particular company’s vulnerabilities to its competitors, the marketplace and cybercriminals. Moreover, even where critical systems are owned and operated by private companies, the public’s expectation is often still for government to ensure the security and integrity of those systems, and to respond when damaged or otherwise compromised. As such, it is generally in the interest private sector actors to partner with government so that, when necessary, government interventions are efficacious, limiting counter-productivity or heavy-handedness. E. The Need for Information Sharing Though important in any area, robust information sharing and cooperation between the public and the private sectors is particularly important—and notably absent—with regard to cybercrime, largely due to differences in the nature, type and access to pertinent information and capabilities of the two sectors. For instance, having reporting mechanisms for hacked companies to promptly report breaches and allow government access to identify points of entry and other vulnerabilities, or for banks and credit card companies to rapidly identify and track compromised data and provide credit card numbers that are active but not tied to actual identities and to identify and track activity of compromised cards and illicit payments. As discussed earlier (see section 1 C, case 1.5, above), when Albert Gonzalez stole more than 130 million credit card numbers, it was determined—after the fact—that the attacks were connected and likely from the same source.18 Specifically, the government determined that the same code appeared in the SQLi strings that were used to gain backdoor-access to the victims’ systems, and that the infiltration IP address (for injecting malicious code into those systems) and exfiltration IP address (for receiving the credit card data that was removed from the systems) were the same for each incident.19 Cybersecurity coordination is too often episodic or bureaucratic. Across initiatives, a workable culture of information sharing and coordination needs to be implemented. Appropriate institutions must be created to effectuate the implementation of these cultural shifts, as many private actors Page 254  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents still do not know whether, when or how it would be beneficial (or detrimental) to engage with government on these issues. Moreover, as the legal landscape is evolving, it is important that government and private sector communicate regarding the appropriate roles and capabilities, and that authorities in law enforcement agencies and regulatory agencies make clear potential sources of civil liability. II. Barriers to Effective Cooperation Despite its importance and the potentially significant impact of a campaign to harmonize the efforts of the government and private sector in cybersecurity, there exist many legal, pragmatic, cultural and competitive barriers to effective cooperation.20 Several of the more important reasons follow: The lack of prophylactic cooperation: Despite the pervasive and persistent threat, many 1   companies consider actively working with government once they are faced with responding to a cybersecurity incident and are in crisis mode. It is important to create a mental shift that will facilitate cooperation that occurs in times of relative calm, and which progresses in an ongoing, proactive basis well before a crisis occurs and without a cyber incident becoming apparent. Moreover, corporate decision-makers who have not previously dealt with government in a collaborative way may be less keen on doing so when dealing with a cyber-incident and its fallout. By working prophylactically, trust is built early-on, and cooperation—when needed— can be more effective and efficacious. The problem of appearances of working with government: Although typically having 2   greater and more strategic resources to bring to bear in the fight against cybercrime, private sector entities may fear collateral consequences of involving the government in cyber-incident responses. Such a reaction is partially due to confidence in their own capabilities to handle such problems. However, there may also be concerns about appearing to be give government access to sensitive user data and the potential for retribution by market forces from such cooperation. Both public and private sector actors are guilty of failing to sufficiently share information. Stuck in reactivity, not proactivity: The private sector’s comportment has largely been one 3   of reactivity rather than pro-activity. By and large, there has been a general “check-listing” approach in terms of establishing cybersecurity and combatting cyberthreats. In the wider commercial community, acceptance of a shared obligation for security is, as yet, unestablished. There are many reasons for such a perception, not least of which is the competitive nature Page 255  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents of free-market economies, as well as a history of indifference by the private sector, which has traditionally assumed that government will protect them in the event of cyberthreats.21 Robust and participatory engagement must balance wider business community with investigative force. Lack of understanding at the individual level: There is no cohesive effort to integrate either 4   SMEs or individuals into the effort to develop cybersecurity and to build society-wide cyber- resilience. Unlike those working to secure critical infrastructure and creating a shared goal of security, there is hardly any perceived connection between SMEs and individuals to the notion of ownership of building communal cyber-resilience. As such, the disparate consumer audience flounders to find commonalities. Moreover, at the level of the individual consumer, there are— especially in developed nations—reports surfacing of “security fatigue”; such fatigue, it has been found, can cause computer users to feel hopeless and to act recklessly with regard to matters of cybersecurity.22 The lack of any cohesive cybersecurity understanding means that cyber resilience at the consumer level struggles to even identify those who should be partners, let alone those who would be leaders in such an undertaking. The problem of a government-centric approach: Official policy could go further to facilitate 5   and to incentivize private sector involvement. Indeed, according to industry experts, many government-developed cybercrime centers are structured to focus on protecting government systems and critical infrastructure but tend to leave out the private sector. As such, private sector actors, though possibly contributing to the efficacy and functioning of those centers, do not necessarily benefit from such government efforts, therein leaving their computer systems vulnerable to cyberattacks.23 Moreover, and as already noted, substantial information sharing shortcomings endure. Concern over lacking safeguards: Lastly, a general sense of malaise and suspicion limits 6   the willingness of some private sector actors to grant government access. This skepticism is two-fold: on the one hand, there is concern that one government agency might pass along potentially incriminating information to another agency.24 On the other hand, there is concern that government is spying on the businesses and consumers with which government is trying to engage.25 Recent reports of government spying have done little to assuage such suspicions and concerns. III. Examples of Cyber PPPs Although there are barriers to building PPPs, yet there are some important successes in (A) corporate social responsibility, (B) combatting online scams and fraud, (C) private-sector originating Page 256  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents initiatives, (D) inter-governmental and international initiatives, (E) initiatives in Europe and (F) initiatives in the United States. A. Corporate Social Responsibility Examples Examples of effective corporate social responsibility collaboration between crime agencies and ICT companies exist with regard to cybercrime, fraud protection, online safety and security and fighting child exploitation. These models demonstrate not just the value of such collaboration but also the sheer variety in the nature of the response.26 B. Combatting Online Scams & Fraud Collaboration to combat online scams and fraud are rapidly increasing. For instance, more than one hundred governments work with Microsoft in its Security Cooperation Program (SCP)27. This program provides protection from critical risks to information and infrastructure and helps to reduce government vulnerability to attacks that can critically disable administration and disrupt economies. A biannual global Security Intelligence Report provides in-depth insight into the threat landscape of the moment based on data derived from hundreds of millions of computers worldwide.28 On average, seventeen percent of reporting computers worldwide encountered malware over the past four quarters.29 Further, other high-severity vulnerabilities, such as downloaded Trojans, continue to be on the rise. The aggregated data indicates that financial gain remains attackers’ top motivation. Accounting for divergent motivations has also become an issue. For example, hacktivists and practitioners of military and economic espionage are relatively recent newcomers and have different interests from typical cyberattackers. Additionally, the nature of the attack strategies has changed, with rogue security software or fake antivirus software used to trick people into installing malware and disclosing sensitive information being replaced by ransomware that seeks to extort victims by encrypting their data. Commercial exploit kits now dominate the list of means of compromising unpatched computers, meaning attacks are increasingly professionally managed and constantly optimized at an increasingly rapid rate. Targeted attacks have become the norm rather than the exception.30 C. Private-sector Originating Initiatives Private ICT companies around the world, including CISCO, Google, McAfee, Microsoft, Symantec, Verizon and Yahoo!, engage in hundreds of non-commercial government partnerships that offer internet safety training programs and educational literature to schools, communities and individuals. To do so, these and other companies frequently partner with organizations such as the National Cyber Security Alliance or the Family Online Safety Institute. Volunteers from the Page 257  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents corporations typically drive these programs and collaborate with community leaders, teachers, and the police force to deliver content.31 One particularly interesting private sector initiative is in combatting online child exploitation: trade in child-sex images are now annually estimated to have reached almost US$20 billion.32 In response to pleas, Microsoft Canada developed its Child Exploitation Tracking System (CETS) software with the Royal Canadian Mounted Police (RCMP) and the Toronto Police Service following a personal email plea from Toronto Police Detective Sergeant Paul Gillespie to Microsoft Chairman and Chief Software Architect Bill Gates in January 2003.33 CETS supports criminal investigators to efficiently organize and share media they come across during investigations, allowing units from various countries to effectively classify, track and identify links between indecent material, enabling them to identify owners and uncover international child-porn syndicates. As of March 2009, the CETS has been deployed in twelve countries and is being used by over 1200 investigators worldwide.34 Microsoft offers the program to interested law enforcement agencies free of charge and donates all training and server software required to deploy the application at no cost. So far, this collaborative initiative has achieved impressive results. It has been used to solve several high-profile cases and in establishing an international network of information and communications to help fight the problem. More recently, in 2008, Australian Federal Police used the CETS to smash an international pedophile internet network.35 The investigation led to the arrest of more than twenty-two pedophiles in the United States, Canada, Australia and across Europe; the pedophiles, acting under the impression that their robust encryption codes offered sufficient protection and made them undetectable, were found out. Such collaborations help law enforcement to outsmart cybercriminals, who typically employ very sophisticated means to hide their crimes.36 D. Inter-governmental & International-organization Initiatives At a macro-level, regional organizations are playing a strong role in coordinating government policy alignment and engaging corporations to address challenges. UN organizations have been particularly involved in building partnerships. For instance, UNODC has launched initiatives to engage the private sector37 as part of its larger efforts to support UN Member States in the fight against cybercrime.38 Similarly, ITU has launched interesting initiatives—for instance, in the Asia Pacific region, ITU helped to form the APCERT, and has partnered with national ministries of defense to create cybersecurity information sharing partnerships, such as with Japan. The ITU GCA is a five-pillared framework (legal, technical, organizational, capacity-building, cooperation) that builds on existing initiatives to improve cooperation and efficiency with and between all relevant partners.39 Since its launch, the GCA has attracted the support and recognition of leaders and cybersecurity experts around the world.40 In Egypt and Turkey, where online crime is a relatively new and growing phenomenon, the CoE partners with Microsoft to conduct training with the judiciary, detailing how cybercrimes are committed and how criminals can be prosecuted, by demonstrating the most effective Page 258  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents methodologies for obtaining evidence. Both McAffee and Microsoft have joined forces with the CoE for a similar training in Romania. As another example, Nigeria has earned unenviable (and perhaps no longer deserved) notoriety as the hub for online scams. To break the mythology of quick financial wins through cybercrime and provide young people with a bridge to more legitimate and meaningful forms of employment, Microsoft partners with Nigerian government agencies, the European Union, UNODC and youth NGO networks to deliver online safety outreach and employability programs. The programs provide participants with broad-based ICT training, offer a recognizable certification to boost job prospects, and additional support in developing youth- driven ICT-based small business.41 Box 6.5: The Simda Botnet42 The Simda botnet, which had victims in 190 countries around the world, was successfully taken down through collaboration between INTERPOL, Trend Micro, Microsoft, Kaspersky Lab and the Cyber Defense Institute. The global dispersion of systems gathered to form the Simda botnet helped criminals commit crimes in disparate corners of the world, making it very difficult for law enforcement to combat. In a PPP with Trend Micro and Kaspersky, threat researchers working in IGCI, INTERPOL’s Singapore-based center (see section 5 B, above), supported investigative efforts, offering expertise and access to unique threat intelligence not always available to law enforcement. With that pooled intelligence, experience and support, INTERPOL built the case for the arrest of the threat actors. E. Initiatives in Europe While the importance of cooperation is recognized in Europe, there is a wide diversity in national approaches and maturity levels on this issue.43 At the European level, the CoE has engaged various corporations, including McAffee and Microsoft, to support its fight against cybercrime based on the framework of the Budapest Convention.44 Corporate engagement is provided through training for government officials on how to effectively address threats both within national boundaries and cross-jurisdictionally. In May 2010, the European Commission developed the Digital Agenda in May 2010.45 The Agenda contains 101 actions grouped around seven priority areas, and operates with the dual aims of, first, improving Europe’s ability to prevent, detect and, second, respond to cyberthreats, and of ensuring that digital technologies facilitate growth across the EU.46 As a result, it is intended to strengthen the resilience of critical infrastructure, improve preparedness and promote a culture of cybersecurity through the centralization of information and the creation of PPPs. Page 259  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents Responding directly to recognized cyberthreats, and seeking to strengthen the EU’s cybersecurity industry, the European Commission contractually established its PPP on cyberspace (cPPP) according to its Digital Single Market Strategy.47 The aim of the cPPP is to stimulate the European cybersecurity industry by: Bringing together industrial and public resources to improve Europe’s industrial policy on 1   cybersecurity, focusing on innovation and following a jointly-agreed strategic research and innovation roadmap; Helping build trust among Member States and industrial actors by fostering bottom-up 2   cooperation on research and innovation; Helping stimulate the cybersecurity industry by aligning demand and supply for 3   cybersecurity products and services, and allowing industry to efficiently elicit future requirements from end-users; Leveraging funding from Horizon202048 and maximizing the impact of available industry 4   funds through better coordination and better focus on a few technical priorities; and Providing visibility to European R&I excellence in cybersecurity and digital privacy.49 5   At the national level, most European nations are only at the very early stage of developing PPPs50; however, five countries—Austria, Germany, the Netherlands, Spain and the United Kingdom— have taken robust efforts on this front. For example, the British government has enacted the Data Protection Bill, which obliges companies to report all cyber incidents and violations, and has also launched its Cybersecurity Information Sharing Partnership (CISP), which, among other things, has led to the development of an online platform for real-time exchange of information about cyberthreats and vulnerabilities.51 Additionally, Britain’s National Crime Agency (NCA) is leading the initiative to help network administrators by developing intelligence reports for ISPs and hosting companies. The reports are based on data from Britain’s national CERT (UK-CERT) and the volunteer intelligence gathering Shadowserver Foundation. The reports have identified 5,531 compromises on servers in the United Kingdom, each of which attackers can use to send spam email, launch attacks and steal information through phishing. NCA estimates organizations acting on the advice in these reports could eliminate half of phishing attacks—one of the most prevalent cyberattacks—originating from the United Kingdom. Indeed, according to one analysis, the United Kingdom ranks tenth highest for countries from which cyberattacks originate.52 While certain elements of cybersecurity protection apply across all areas, and a wide variety of recommendations are available from national and international organizations, there is also a need for guidance that is tailored to the business needs of particular entities or provides methods to address unique risks or specific operations in certain sectors. Moreover, while there is a growing interest in establishing sector-specific responses to cybersecurity, practical implementation is still fairly limited in Member States. The same countries that are leading the way in PPPs also are the leaders in this field, often establishing sector-specific dialogues and information exchanges with the private sector. Such steps can help promote the most suitable and effective guidance throughout individual sectors.53 Page 260  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents F. Initiatives in the United States of America The US government has created many cybersecurity taskforces and interagency groups to facilitate robust information sharing not only among government agencies but also with the private sector. An example of interagency cooperation is the National Cyber Investigative Joint Task Force (NCIJTF). Led by the FBI, it is comprised of nineteen members from US intelligence and law enforcement agencies, and serves as the lead national focal point for coordinating, integrating and sharing pertinent information related to domestic cyberthreat information and national security investigations.54 In terms of public-private coordination, the DoD’s Defense’s Defense Cyber Crime Center (DC3), a military initiative, is a national center focused on addressing forensics, investigative training, research and analytics impacting those operating in the defense sector.55 Similarly, US-CERT, housed in DHS, is the operational arm of the National Cybersecurity and Communications Integration Center (NCCIC), and plays a leading role in international information sharing.56 DoJ’s Computer Crime and Intellectual Property Section (CCIPS) works with prosecutors and agents nationally and overseas, as well as with companies and governments, to investigate and prosecute cybercrime.57 ISACs and the USSS’s various Electronic Crimes Task Forces (ECTFs) have significantly advanced public-private information sharing.58 For example, the ECTFs, which focus on identifying and locating international cybercriminals, have achieved significant success in detecting and apprehending numerous international cybercriminals.59 Additionally, USSS’s Cyber Intelligence Section has worked with law enforcement partners worldwide to secure the arrest of cybercriminals responsible for the thefts of hundreds of millions of credit card numbers and losses exceeding US$600 million to financial and retail institutions.60 Conclusion Public-private collaboration is essential to have effective cybersecurity solutions and systems. On the one hand, the private sector brings specialized expertise and proximity to the implicated infrastructure. On the other hand, government is typically better poised to reach across borders and develop comprehensive international solutions to tracking, identifying and mitigating cyberthreats.61 Developing effective PPPs requires the implementation of certain fundamentals that must tie into building a strong cybersecurity framework. These range from establishing strong legal foundations and a comprehensive and regularly updated cyber security strategy, to engendering trust, working in partnership and promoting cybersecurity education. These building blocks provide valuable guidance for national governments that are ultimately responsible for implementing cybersecurity rules and policies.62 In building systems, it is important for the private sector to be involved at the start of the process, from concept development and through implementation. Page 261  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents The need for PPPs in the deployment of cyber-resilience goes beyond simply partnering with the private sector. To successfully engage a widespread audience of individual consumers and small scale business operators, such partnerships need the added impetus of urgency at all levels of the critical infrastructure sphere of influence.63 That said, partnerships should actively work to extend beyond “critical” infrastructure and actively seek to include all ICT stakeholders to create robust cyber resilience. For PPPs to be successful, a sustained engagement and dialogue around the targeted need must be maintained. Given cultural attitudes and perspectives, the initial onus will typically be on governments, but as the incentives of government and the private sector increasingly come to align, both parties will contribute to innovative solutions. Certain tools for building partnerships— legal instruments, industry initiatives and information-sharing platforms—already exist and should be built upon. Through PPPs, existing instruments and industry standards can be used to encourage dialogue and cooperation on practical ways of dealing with cybercrime that are suitable to all. Transparency and accountability are essential elements therein. Page 262  |  Chapter 6  |  § C. Private Sector Cooperation Table of Contents End Notes Referenced in: § A. The Capacity- 15. UNCTAD Global Cyberlaw Tracker, 2016. building Challenge 16. “Summary of Adoption of E-Commerce Legislation Worldwide,” UNCTAD, at 1. See UNCTAD, UNCTAD Information unctad.org/cyberlawtracker. Economy Report 2015: Unlocking the Potential of E-Commerce for Developing 17. UNODC’s Global eLearning Programme Countries, (New York & Geneva: UN, has integrated the Cybercrime Repository 2015), Ch. V, at http://unctad.org/en/ website (http://cybrepo.unodc.org) into PublicationsLibrary/ier2015_en.pdf the cybercrime course available on the platform. 2. “Cybercrime Legislation Worldwide,” UNCTAD, (2016), at http://unctad.org/ 18. See “TrainForTrade,” UNCTAD, at https:// en/Pages/DTL/STI_and_ICTs/ICT4D- tft.unctad.org/?page_id=119. Legislation/eCom-Cybercrime-Laws.aspx. 19. UNCTAD Global Cyberlaw Tracker, supra 3. UNCTAD Global Cyberlaw Tracker, 2016. note 15. 4. Ibid. 20. Uganda: National Information Technology Authority (NITA), Ministry of 5. See “Global Cybersecurity Index,” ICT & National Guidance, at http://www. ITU, at http://www.itu.int/en/ITU-D/ nita.go.ug/. Cybersecurity/Pages/GCI.aspx. 21. Uganda, Ministry of ICT & National 6. Ibid. Guidance, at https://www.ict.go.ug/. 7. For a collection of cybercrime laws, 22. Uganda: Electronic Transactions Act please visit the “UNODC Repository on (2011), at http://www.ulii.org/ug/ Cyber Crime,” UNODC, at https://www. legislation/act/2015/8-3; Uganda: unodc.org/cld/v3/cybrepo/legdb/index. Electronic Signatures Act (2011), at html?lng=en. http://www.nita.go.ug/sites/default/files/ Electronic-Signatures-Act.pdf. 8. UNODC Cybercrime Study, supra § 1 C, note 7. 23. NITA, “NISS Final Draft,” Republic of Uganda Ministry of ICT & National 9. “SHERLOC Portal,” UNODC, at https:// Guidance, (2011), at https://www. www.unodc.org/cld/v3/sherloc/. researchictafrica.net/countries/uganda/ National_Information_Security_ 10. UN Economic and Social Council, Strategy_2011.pdf. Resolution Prevention, Protection and International Cooperation Against the Use of New Information Technologies to Abuse and/or Exploit Children, E/ RES/2011/33 (28 Jul. 2011), at http://www. un.org/en/ecosoc/docs/2011/res%20 2011.33.pdf. 11. Steven Malby, Tejal Jesrani, Tania Bañuelos, Anika Holterhof & Magdalena Hahn, Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children (Vienna: UNODC, 2011), at http://www.unodc.org/ documents/organized-crime/cybercrime/ Study_on_the_Effects.pdf. 12. UN Economic and Social Council, supra note 10. 13. “Mutual Legal Assistance Request Writer Tool,” UNODC, at https://www.unodc. org/mla/introduction.html. 14. Ibid. Page 263 | Chapter 6 | End Notes Table of Contents Referenced in: § B. Developing 7. For additional resources and examples, 21. See Eastern Partnership, Migration and Capacity-building Programs see, e.g., “Law Enforcement- Internet Home Affairs, supra note 14. Service Provider Cooperation,” CoE, at http://www.coe.int/en/web/cybercrime/ 22. This designation is without prejudice to 1. See, e.g., UNODC, “UNODC Provided lea-/-isp-cooperation; NCFTA, supra § positions on status, and is in line with Training to South East Asian Institutions 5 B, note 62.; “Financial Services-ISAC,” UNSC 1244 and the ICJ Opinion on the to Combat Cybercrime,” (13 Oct. 2016), at Financial Sector Information Sharing and Kosovo Declaration of Independence. https://www.unodc.org/unodc/en/frontpa Analysis Center (FSIAC), at http://www. ge/2016/October/unodc-provided-trainin 23. “Cybercrime Programme Office fsisac.com. g-to-south-east-asian-institutions-to-comb (C-PROC),” CoE, at http://www.coe.int/ at-cybercrime.html; “SANS Courses,” 8. For additional resources and examples, en/web/cybercrime/cybercrime-office-c- Sans, at https://uk.sans.org/courses; see, e.g., Budapest Convention, supra proc-. “Cybercrime Programme Office § 1 B, note 32, at Ch. 3; “24/7 Points of 24. See WDR, supra, § 1 A, note 10. (C-PROC),” CoE, at http://www.coe.int/ Contact,” CoE, at http://www.coe.int/en/ en/web/cybercrime/cybercrime-office- web/cybercrime/resources. c-proc-. 9. See, e.g., “Action against Cybercrime,” 2. David Rath, “Legislating Cybersecurity: CoE, at http://www.coe.int/en/web/ Lawmakers Recognize Their Responsibility cybercrime. with Cyberthreats,” Government Technology, (11 Oct. 2016), at http:// 10. Ibid. For an example of a quarterly www.govtech.com/security/Legislating- update, see “Cybercrime at COE Update Cybersecurity-Lawmakers-Recognize- April–June 2016,” CoE, at https://rm.coe. Their-Responsibility-with-Cyberthreats. int/CoERMPublicCommonSearchServices/ html. DisplayDCTMContent?documentId=0900 001680693147. 3. See, e.g., Council of Europe, Law Enforcement Training Strategy, 11. Convention 108, supra § 4 B, note 28. (Strasbourg: Council of Europe, 2011), at 12. Lanzarote Convention, supra § 1 C, note https://rm.coe.int/CoERMPublicCommon 7. SearchServices/DisplayDCTMContent?do cumentId=09000016802f6a34; “Electronic 13. CoE, Convention on Laundering, Search, Evidence Guide,” CoE, at http://www.coe. Seizure and Confiscation of the Proceeds int/en/web/octopus/home; “European from Crime and on the Financing of Cybercrime Training and Education Terrorism (1 May 2008) CETS No. 198, at Group,” European Cybercrime Training https://www.coe.int/en/web/conventions/ and Education Group (ECTEG), at http:// full-list/-/conventions/treaty/198. www.ecteg.eu. 14. See “Cybercrime Convention 4. Joint training of prosecutors and judges Committee,” CoE, at https://www.coe.int/ may not be possible in countries where en/web/cybercrime/tcy. rules of ethics or statutory law prohibit as much. 15. “Global Action on Cybercrime,” CoE, at http://www.coe.int/en/web/cybercrime/ 5. For additional resources and examples, glacy. see, e.g., “Law Enforcement – Internet Service Provider Cooperation,” CoE, at 16. “Global Action on Cybercrime: From http://www.coe.int/en/web/cybercrime GLACY to GLACY+,” CoE, at http://www. /lea-/-isp-cooperation; CoE Project on coe.int/en/web/human-rights-rule-of- Cybercrime and the Lisbon Network, law/-/global-action-on-cybercrime-from- “Cybercrime Training for Judges and glacy-to-glacy-. Prosecutors: A Concept,” (Strasbourg: 17. “Global Project Cybercrime@Octopus,” CoE, 2009), at https://rm.coe.int/ CoE, at http://www.coe.int/en/web/ CoERMPublicCommonSearchServices/ cybercrime/cybercrime-octopus. DisplayDCTMContent?documentId=09 000016802fa3c3; CoE, Octopus 18. “Regional Project Cybercrime@EaP II,” Cybercrime Community, “Advanced CoE, at http://www.coe.int/en/web/ Course for Judges and Prosecutors,” cybercrime/cybercrime-eap-ii. at http://www.coe.int/en/web/octopus/ home; Electronic Evidence Guide, supra 19. “Eastern Partnership, Migration and note 3. Home Affairs,” European Commission, at https://ec.europa.eu/home-affairs/ 6. See, e.g., “National Conference of State what-we-do/policies/international-affairs/ Legislature,” National Conference of eastern-partnership_en. State Legislature, at http://www.ncsl.org/. 20. Supra note 13. Page 264 | Chapter 6 | End Notes Table of Contents Referenced in: § C. Private Sector 9. “INTERPOL Backs World Economic 17. Judith H. Germano, Cybersecurity Cooperation Forum cybercrime Project,” INTERPOL, Partnerships: A New Era of Public- (22 Jan. 2016), (“Policing, especially in Private Collaboration, (New York: New cyberspace, is no longer the exclusive York University School of Law, Center 1. US Office of Press Secretary, “Executive preserve of law enforcement. The private on Law & Security, 2014), at http://www. Order: Promoting Private Sector sector, academia, and citizens themselves lawandsecurity.org/Portals/0/Documents/ Cybersecurity Information Sharing,” all need to be involved”), at http://www. Cybersecurity.Partnerships.pdf. For The White House of President Barack interpol.int/News-and-media/News/2016/ examples of legislative efforts to promote Obama, (Feb. 13, 2015) No. 13691, at N2016-010. public-private sharing of cybersecurity https://obamawhitehouse.archives. information in the United States, see, e.g., gov/the-press-office/2015/02/13/ 10. Ibid. Homeland Security Act of 2002, Pub. L. executive-order-promoting-private- 108–275, Title II, Subtitle B, §§ 211, 116, sector-cybersecurity-information-shari; 11. Larry Clinton, “Cross Cutting Issue #2 Stat. 2135, 2150 (codified at 6 USC §§ Korte, supra § 1, note 77. In Europe, the How Can We Create Public Private 131–134 (2002)) (limiting the disclosure of European Commission launched a public Partnerships that Extend to Action cyberthreat information shared with the consultation, accompanied by a policy Plans that Work?,” ISA, at https:// US Dept. of Homeland Security); H.R. 624, roadmap, to seek stakeholders’ views obamawhitehouse.archives.gov/ 113th Cong., at https://beta.congress. on the areas of work of a future public- files/documents/cyber/ISA%20-%20 gov/bill/113th-congress/house-bill/624, private partnership, as well as on potential Hathaway%20public%20private%20 (allowing for the sharing of internet traffic additional policy measures in areas partnerships.pdf. information between the government and such as certification, standardization, 12. See “National Cybersecurity Strategies,” technology companies); S. 2588, 113th labelling that could benefit the European ITU, at http://www.itu.int/en/ITU-D/ Cong., at https://beta.congress.gov/ cybersecurity industry, see “Public Cybersecurity/Pages/National-Strategies. bill/113thcongress/senate-bill/2588 (same) Consultation on the Public-Private as cited in ibid., at 16, note 1. aspx. Partnership on Cybersecurity and Possible Accompanying Measures,” 13. See, e.g., Susan W. Brenner, “Private- 18. See, e.g., United States v. Gonzalez: European Commission, at https:// Public Sector Cooperation in Combating Indictment (charges involving cyberattacks ec.europa.eu/digital-single-market/en/ Cybercrime: in Search of a Model,” on Heartland Payment Systems, Inc.; news/public-consultation-public-private- Journal of International Law and 7–11, Inc.; and Hannaford Brothers Co.), partnership-cybersecurity-and-possible- Technology, Vol. 2, Issue 2, (2007), pp. (N.J.D. 2009), at http://www.wired.com/ accompanying-measures; European 58–67, at http://www.jiclt.com/index.php/ images_blogs/threatlevel/2009/08/ Commission, “Roadmap,” Public jiclt/article/view/20. gonzalez.pdf; see, e.g., United States v. Private Partnership on Cybersecurity, Gonzalez: Indictment (charges involving (14 Dec. 2015), http://ec.europa.eu/ 14. See, e.g., Eric Luiijf, Kim Besseling & cyberattacks on BJ’s Wholesale Club, smart-regulation/roadmaps/docs/2015_ Patrick De Graaf, “Nineteen National DSW, OfficeMax, Boston Market, Barnes cnect_004_cybersecurity_en.pdf. See Cyber Security Strategies,” International & Noble, Sports Authority, and several Commissioner, “Digital Single Market,” Journal of Critical Infrastructures, Vol. 9, TJX companies), (D. Mass. 2008), at European Commission, http://ec.europa. (2013), pp. 3–31. http://www.securityprivacyandthelaw. eu/priorities/digital-single-market/. com/uploads/file/2008%20Gonzalez%20 15. Tarra Quismundo, “DOJ, NU Join Indictment.pdf; see, e.g., United States 2. UNODC Cybercrime Study, supra § 1 C, Forces against Cybercrime,” Philippine v. Gonzalez: Superseding (charges note 7, at xxv–xxvi. Daily Inquirer, (11 Oct. 2014), at http:// involving cyberattacks on Dave & Buster’s, technology.inquirer.net/38998/doj-nu-join- Inc.), (E.D.N.Y., 2008); see, e.g., James 3. Ibid., at xxvii. forces-against-cybercrime. Verini, “The Great Cyberheist,” New 4. See APCERT, at https://www.apcert.org/. 16. Jeffrey Avina, “Public-Private York Times Magazine, (10 Nov. 2010), at Partnerships in the Fight against http://www.nytimes.com/2010/11/14/ 5. See OIC-CERT, at https://www.oic-cert. magazine/14Hacker-t.html. Crime,” Journal of Financial Crime, org/en/. Vol. 18, Issue 3, (2011), pp. 282–29, at 19. See ibid. 6. See, e.g., “CIRT Programme,” ITU, http://www.emeraldinsight.com/doi/ at http://www.itu.int/en/ITU-D/ pdfplus/10.1108/13590791111147505. 20. David Cook, “Mitigating Cyber-Threats Cybersecurity/Pages/Organizational- through Public-Private Partnerships: Structures.aspx. Low Cost Governance with High Impact Returns,” in Proceedings of 7. See “CIRT Programme,” ITU, at http:// the 1st International Cyber Resilience www.itu.int/en/ITU-D/Cybersecurity/ Conference, (Perth, Western Australia: Pages/Organizational-Structures.aspx. Edith Cowan University, 2010), pp. 23–24, at http://ro.ecu.edu.au/cgi/viewcontent. 8. Kaspersky Lab, Kaspersky Lab cgi?article=1002&context=icr. Transparency Principles, (Moscow: Kaspersky Lab., 2015), at https://cdn. 21. Some acts that might otherwise press.kaspersky.com/files/2013/06/ constitute cybercrime, or that with the Kaspersky-Lab-Transparency-Principles_ passage of time are revealed to be acts Q3_2015_final.pdf. of states against states, and that might be characterized as cyberterrorism or cyberwarfare, are beyond the scope of this Toolkit. Page 265 | Chapter 6 | End Notes Table of Contents 22. “’Security Fatigue’ Can Cause Computer 34. Microsoft Public Sector, “Ensuring the 43. “In actuality, most of the cyber security Users to Feel Hopeless and Act Safety of Our Children,” Microsoft, (2008), initiatives the European Commission Recklessly,” NIST, (4 Oct. 2016), at https:// at https://www.microsoft.com/industry/ sponsors are conducted through vessels www.nist.gov/news-events/news/2016/10/ publicsector/InGov/Child_Safety.aspx. lead by ENISA. ENISA is the European security-fatigue-can-cause-computer- agency that has come the longest way users-feel-hopeless-and-act-recklessly. 35. Frank Walker, “How Police Broke Net in providing mechanisms for information Pedophile Ring,” Sydney Morning sharing. By its current mandate, ENISA 23. Ngair Teow-Hin, CEO of SecureAge. Herald, (23 Mar. 2008), at http:// tackles barriers to information sharing www.smh.com.au/news/national/ by encouraging a homogeneous and 24. Steven Bucci, Paul Rosenzweig & David how-police-broke-net-pedophile- simplified regime for ‘network and Inserra, “A Congressional Guide: Seven ring/2008/03/22/1205602728709.html. information security,’ ‘[encourage] Steps to US Security, Prosperity, and economic growth and ensuring trust,’ Freedom in Cyberspace,” Heritage 36. Ibid. See also Avina, supra note 16, at ‘bridging the gap between technology Foundation, at http://www.heritage. 289–90. and policy’ and ‘encourage and improve org/research/reports/2013/04/a- 37. See Erwin Dotzauer, “UNODC– multi-stakeholder models which need to congressional-guide-seven-steps-to- Comprehensive Study on Cybercrime,” have a clear added value for benefiting us-security-prosperity-and-freedom-in- Cybersecurity Capacity Portal, (3 Nov. end-users and industry,’” for details, cyberspace. 2014), at https://www.sbs.ox.ac.uk/ see UNICRI, Information Sharing and 25. Ibid. cybersecurity-capacity/content/unodc- Public-Private Partnerships: Perspectives comprehensive-study-cybercrime. and Proposals, Working Paper, (Turin: 26. Avina, supra note 16, at 288. UNICRI, 2014), at http://www.unicri.it/ 38. For instance, see “Commission on Crime special_topics/securing_cyberspace/ 27. See, e.g., “Microsoft Further Prevention and Criminal Justice (CCPCJ),” current_and_past_activities/current_ Strengthens Security Support for Global UNODC, at http://www.unodc.org/unodc/ activities/Information_Sharing_cover_ Governments With Security Cooperation commissions/CCPCJ/. See also “Crime INDEXED_0611.pdf. Program,” Microsoft News Center, (2 Congress 2015: A Focus on Cybercrime,” Feb. 2005), at https://news.microsoft. UNODC, at https://www.unodc.org/ 44. CoE, Cybercrime: A Threat to Democracy, com/2005/02/02/microsoft-further- unodc/en/frontpage/2015/March/focus_ Human Rights and the Rule of Law, strengthens-security-support-for-global- its-a-crime_-cybercrime.html. (Strasbourg: CoE, 2009); see also, governments-with-security-cooperation- Budapest Convention, supra § 1 B, note program/#lDhJZVyHCOTcYs68.97. 39. See “Global Cybersecurity Agenda 32. (GCA),” ITU, at http://www.itu.int/en/ 28. See “Microsoft Security Intelligence action/cybersecurity/Pages/gca.aspx. 45. “Digital Agenda for Europe,” EUR-Lex, Report,” Microsoft, Vol. 21 (14 Dec. at http://eur-lex.europa.eu/legal-content/ 2016), at https://blogs.microsoft.com/ 40. Ibid., noting that H.E. Dr. Óscar Arias EN/TXT/?uri=URISERV:si0016. microsoftsecure/2016/12/14/microsoft- Sánchez, Former President of the security-intelligence-report-volume-21-is- Republic of Costa Rica and Nobel Peace 46. Ibid., at 61. For more details, see “DG now-available/. Laureate & H.E. Blaise Compaoré, Connect,” European Commision, at President of Burkina Faso, are both https://ec.europa.eu/digital-single- 29. “Microsoft Security Intelligence Report,” Patrons of the GCA. market/dg-connect. Microsoft, Vol. 19, (Jan.–Jun. 2015), at http://download.microsoft.com/ 41. Avina, supra note 16, at 289. 47. See “Digital Single Market,” supra note 1. download/4/4/C/44CDEF0E-7924-4787- 42. Jon Clay, “Operation SIMDA: The Power 48. See “Horizon 2020,” European A56A-16261691ACE3/Microsoft_Security_ of Public/Private Partnerships,” Trend Commission, at https://ec.europa.eu/ Intelligence_Report_Volume_19_English. Micro/Simply Security, (13 Apr. 2015), at programmes/horizon2020/ pdf. http://blog.trendmicro.com/operation- 49. See “Digital Single Market: Bringing 30. Ibid., at 6. simda-the-power-of-publicprivate- Down Barriers to Unlock Online partnerships/. 31. Ibid. Opportunities,” European Commission, at http://ec.europa.eu/priorities/digital- 32. Internet Watch Foundation, IWF Annual single-market/. Report 2008, (Cambridge: IWF, 2008), at https://www.iwf.org.uk/assets/media/ 50. BSA (Business Software Alliance), EU IWF%20Annual%20Report%202008.pdf. Cybersecurity Dashboard: A Path to a Secure European Cyberspace, 33. See “Microsoft Collaborates with (Washington DC, 2015), http://www.bsa. Global Police to Develop Child org/~/media/Files/Policy/Security/EU/ Exploitation Tracking System for Law study_eucybersecurity_en.pdf; Warwick Enforcement Agencies,” Microsoft Ashford, “Co-Operation Driving Progress New Center, (7 Apr. 2005), at https:// in Fighting Cyber Crime, Say Law news.microsoft.com/2005/04/07/ Enforcers,” Computer Weekly, (5 Jun. microsoft-collaborates-with-global- 2015), at http://www.computerweekly. police-to-develop-child-exploitation- com/news/4500247603/Co-operation- tracking-system-for-law-enforcement- driving-progress-in-fighting-cyber-crime- agencies/#cECWZKIO2fx3kuuZ.99. say-law-enforcers. Page 266 | Chapter 6 | End Notes Table of Contents 51. “Government Launches Information Sharing Partnership on Cyber Security,” Government of the United Kingdom, Press Release, (23 Mar. 2013), at https:// www.gov.uk/government/news/governm ent-launches-information-sharing-partner ship-on-cyber-security. 52. See “Live Cyber Attack Threat Map,” Threatcloud, at https://threatmap. checkpoint.com/ThreatPortal/livemap. html. 53. Clay, supra note 42, at 61. 54. “National Cyber Investigative Joint Task Force,” FBI, at https://www.fbi.gov/about- us/investigate/cyber/ncijtf. 55. “DoD Cyber Crime Center (DC3),” US Dept. of Defense, at http://www.dc3.mil/. 56. “US-CERT: About Us,” US CERT (Computer Emergency Readiness Team), at https://www.us-cert.gov/about-us. 57. “Computer Crime & Intellectual Property Section (CCIPS): About the Computer Crime & Intellectual Property Section,” US Dept. of Justice, at https://www.justice. gov/criminal-ccips. 58. See, e.g., Mary Kathleen Flynn, “ISACs, Infragard, and ECTF: Safety in Numbers,” CSO, (8 Nov. 2002), at http://www. csoonline.com/article/2113264/security- leadership/isacs--infragard--and-ectf-- safety-in-numbers.html. 59. Germano, supra note 17 at p. 13. 60. Ibid., at 18, note 55. 61. Ibid., at 2. 62. Thomas Boué, “Closing the Gaps in EU Cyber Security,” Computer Weekly, (Jun. 2015), at http://www.computerweekly. com/opinion/Closing-the-gaps-in-EU- cyber-security. 63. Avina, supra note 16. Page 267 | Chapter 6 | End Notes Table of Contents CHAPTER 7 In‑country Assessment Tool This chapter provides an overview of various existing tools to use in conducting assessments of cybercrime preparedness (mainly those of the participating organizations) and introduces the Assessment Tool developed as a part of the Toolkit. As explained in further detail in the chapter, the Assessment Tool synthesizes various aspects of other existing instruments to enable users to determine gaps in capacity and highlight priority areas to direct capacity-building resources. In this Chapter A. Assessment Tool—Overview 269 Page 268 | Chapter 7 | In‑country Assessment Tool CHAPTER 7 A. Assessment Tool—Overview Table of Contents Introduction 269 I. Overview of the Toolkit’s Assessment Tool 269 A. Existing Assessment Tools 270 B. Developing a Synthetic Assessment Tool 271 II. Summary of the Assessment Tool 272 A. What Is Covered & How It Works 272 B. Other Features of the Assessment Tool 273 Conclusion 274 Introduction The first part of the Toolkit (chapters 1 to 6) provides resources and context for building-capacity to combat cybercrime, presenting the various issues related to cybercrime. This second part of this Toolkit is more interactive, providing an overview of existing tools used to make cybercrime preparedness assessments and introducing the synthetic Assessment Tool that has been developed under this Project. It begins with (I) an overview of the Toolkit’s assessment tool (Assessment Tool), and concludes with (II) a summary of the Assessment Tool. I. Overview of the Toolkit’s Assessment Tool The focus of the Toolkit is developing country capacity to combat cybercrime. Although perhaps axiomatic, capacity needs to be assessed before capacity-building priorities can be identified or resources can be allocated. Accordingly, this section (A) reviews some of the existing assessment tools—notably those used by organizations participating in this Project (AIDP, CoE, ITU, KSPO, Oxford, UNICRI and UNODC), but also those of others (notably INTERPOL and OAS)—, and then (B) describes the purpose, structure and methodology proposed by the Assessment Tool. Page 269  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents A. Existing Assessment Tools A number of the Toolkit’s participating organizations have their own cybercrime assessment tools.1 While there is some overlap of issues addressed by each of them, each organization’s assessment was designed for a specific purpose and assesses cybercrime from different aspects. The tables provided in appendix 9 D identify each topic or issue being assessed by each assessment and also shows whether that topic or issue is addressed by one or multiple assessment tools. As can be seen from reviewing appendix 9 D, there is considerable common ground covered by each of the different assessment tools—for example in the areas of enactment of laws, definitions of cybercrime and certain procedural issues, to name a few. Conversely, the tables of the appendix also show that not all assessments cover all subjects. In light of various means of assessing cybercrime, and of its diverse impacts,2 it is worth presenting a brief synopsis, in chronological order, highlighting the different areas of the focus and orientation of each of the participating organizations’ assessment tools: ƒƒAIDP: AIDP’s assessment tool is in the form of “questionnaire”, and was developed in 2012 to 2013 following sections I to IV of AIDP’s Preparatory Colloquia for the Nineteenth International Congress of Penal Law on “Information Society and Penal Law”.3 These questionnaires are designed to elicit a narrative response to each question. ƒƒCoE: The CoE assessment tool, also in the form of a “questionnaire” or country profile, was prepared in 2007 in connection with CoE’s Octopus Conference on “Cooperation against Cybercrime” (see section 6 B, above).4 This tool aims to assess domestic laws’ compliance with provisions of the Budapest Convention.5 ƒƒITU: The ITU assessment tool, presented in the form of a “country work sheet”, was developed in 2010.6 Its aim is to enable provisions of domestic laws consistent with those of sample legislative language in the ITU Toolkit for Cybercrime Legislation.7 Neither the CoE nor the ITU assessment tools contain questions regarding to either rules on e-evidence, or to cybercrime issues arising outside of legal frameworks. ƒƒUNODC: The UNODC assessment tool, prepared also in the form of a “questionnaire”, was developed in 2012 in preparation for its Comprehensive Study on Cybercrime.8 The UNODC assessment tool is designed to holistically assess both legal and non-legal frameworks for addressing cybercrime issues, along with a country’s capacity to investigate, to prosecute and to try cybercrime cases. ƒƒOxford’s GCSCC: The Global Cyber Security Capacity Centre (GCSCC) of Oxford University’s Martin School has developed a comprehensive “maturity model” assessment tool that was launched in 2014.9 The purpose of the maturity model is aimed at making it possible for countries to evaluate their level of preparedness with respect to a variety of dimensions of cybersecurity by allowing them to self-assess their current cybersecurity capacity. The maturity model assesses cybercrime as part of a broader assessment of a country’s cybersecurity preparedness. Page 270  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents In addition, the Project evaluated the assessment methodologies of INTERPOL and the OAS. A brief synopsis of the salient features of these follows: ƒƒINTERPOL: INTERPOL conducts two types of assessments for its members: first, an on-request “National Cyber Review” that assesses different aspects of a country’s ability and institutional and human-capacity to investigate and prosecute cybercrimes and an assessment of threat levels; second, “Rapid Cyber Assessments” that focus on a country’s operational readiness to combat cybercrime. ƒƒOAS: The OAS Cybercrime Questionnaire assesses whether OAS Member States have 10 substantive and procedural cybercrime legislation, as well as some institutional attributes. Relatedly, OAS, together with the Inter-American Development Bank (IADB), publishes a country-by-country reviews of OAS Member State cybersecurity readiness utilizing the Oxford methodology in its 2016 Cybersecurity Report Cybersecurity: Are we ready in Latin America and the Caribbean?11 This is a broader cyber-security review, and not a cybercrime specific review. B. Developing a Synthetic Assessment Tool The overall purpose of the Toolkit is to identify and examine international good practices and to bring together, perhaps in ways that they have not been so in the past, different aspects of providing assistance to developing countries in the fight against cybercrime. In so doing, the Toolkit incorporates information and experience from cases and looks at not only new and evolving means of committing cybercrimes (e.g., financial crimes and child pornography), but also at new, evolving and perhaps even non-traditional ways of combatting cybercrime (e.g., reliance on data provided by the private sector and novel formal and informal means of cooperation with the private sector). Further, the Toolkit is not aimed at duplicating existing efforts but at providing nexi for synergizing various existing approaches, taking the best from various sources and combining them in a way that perhaps has not been done before. This approach and ethos also underlays the synthetic Assessment Tool developed by the Project that can be found in appendix 9 E. The Assessment Tool is topically organized according to the general structure that can be found in the table of contents of the Toolkit. Using this thematic structure, the Project examined the existing assessment tools mentioned above, identifying both common ground and certain gaps. The Assessment Tool attempts to address capacity building to combat cybercrime in a holistic fashion. Furthermore, while the focus of the Toolkit is on policy, legal and law-enforcement issues, it was recognized that, in order to be as useful as possible, a more comprehensive tool going beyond assessing merely “legal” issues would be needed. At that same time, methodologically, the Assessment Tool attempts to bring in good practices from a number of sources, in particular Oxford’s aforementioned maturity-model approach to cybersecurity capacity-building assessment,12 but focusing on “objective” rather than subjective analyses. One limitation of many of the assessments reviewed (including the Assessment Tool), is Page 271  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents that it does take a certain amount of assumed knowledge of the subject matter in order to be able to actually assess a response to the various criteria—a need which the Project aims to fill through the text and discussion found in the first part of the Toolkit. Furthermore, many of the criteria assessed in the existing assessments reviewed require subjective judgements. Accordingly, the challenge of developing the Assessment Tool was to retain the richness of the maturity-model approach but to limit the subjectively-based criteria and responses of some of the existing assessments. Objectivity, richness and accessibility are all needed to make an assessment tool effective and universally-applicable, all of which are key considerations of the Assessment Tool: ƒƒObjectivity is achieved by making the response to each question in the Assessment Tool a binary, “yes/no” response to the greatest extent possible, or to create a clear choice along a small-scale of options. ƒƒRichness is achieved by “weighting” each criterion. The Assessment Tool uses approximately 115 indicators grouped into nine themes (or dimensions). ƒƒEase-of-comprehension is achieved through graphic representations of In order to graphically show where a country’s capacity-building resources, showing—in one picture—all of the thematic areas in a single “spider” chart. That chart shows, relative to the other thematic areas, how a country fares with respect to each criterion or dimension. Each theme on the general spider chart can also be drilled -down to a more granular level showing performance on each of the different sub-criteria. The combination of these three elements facilitates policy, law and decision makers to best decide how resources should be allocated, while first-time users of the Assessment Tool may require some guidance, it is anticipated that the Assessment Tool is relateively straightforward and that it could be used in subsequent years to periodically measure progress. II. Summary of the Assessment Tool A. What Is Covered & How It Works The Assessment Tool is organized along the following lines. First, basic structure begins with policy assessment, before moving on to consider legislation (both substantive and procedural law), then going on to safeguards, MLA and, finally, institutional matters. As possibly evident, the Tool takes inspiration for its architecture from the topics that are covered in the Toolkit, in some form or another, as well as from the other assessments mentioned above. Page 272  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents Conceptually, the Assessment Tool’s 115 indicators are organized around the following nine dimensions: ƒƒNon-Legal Framework, covering national strategies and policies and other matters of a non- legal nature such as cooperation with the private sector; ƒƒLegal Framework, covering national law and whether a country has joined a treaty; ƒƒSubstantive Law, addressing activities that have been criminalized; ƒƒProcedural Law, mainly addressing investigatory matters; ƒƒe-Evidence, focusing on admissibility and treatment of digital evidence in the cybercrime context; ƒƒJurisdiction, focusing at how the jurisdiction of the crime is determined; ƒƒSafeguards, focusing on three elements—“due process”, data protection and freedom of expression13; ƒƒInternational Cooperation, focusing on, first extradition, and, second, on both formal and in- formal levels of MLA; and ƒƒCapacity-building, looking at both institutional (e.g., law enforcement training academies) and human capacity-building focusing on training needs for law enforcement, prosecution and the judiciary. It bears noting that in three dimensions—Legal Framework, Substantive Law and Procedural law— no distinction is made between whether there is a bespoke cybercrime law or whether provisions regarding cybercrimes are found in a general criminal law. B. Other Features of the Assessment Tool Importantly, the Assessment Tool is not expected to be or result in a ranking of countries. While the Assessment is available as part of the Toolkit, is available as a stand-alone instrument freely available on the internet (www.combattingcybercrime.org) for anyone to use. The results of the Assessment Tool will also be confidential to those choosing to use it (i.e., if a country does an assessment of its capacity to combat cybercrime, those results will be only available to the person or entity making the assessment). A country can choose to release the results of the assessment if it chooses. However, as the Assessment Tool is publicly and freely available, it will be an instrument of transparency and contestability. Moreover, to ensure accountability, anyone can download the Assessment Tool and do an assessment of a country’s preparedness to combat cybercrime. The Assessment Tool also acts as a kind of “due diligence” checklist for countries contemplating elaborating policies and legislation to combat cybercrime. Page 273  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents Conclusion The Project’s Assessment Tool is a synthesis of the various assessment tools used by a number of institutions, many of whom have contributed to, and partnered in, its development. The Tool is not intended to duplicate efforts but to provide nexi for synergizing various existing approaches. The Tools seeks to present an assessment that is objective (through clear-choice answers), information-rich (through weighted criteria) and easy to comprehend (through graphic representations). It considers policy and legislation, takes account of actual cases and brings together international good practices. The aim is to give countries the means for holistically building their capacity to fight cybercrime. The Tool’s structure parallels that of the chapters of the Toolkit, to which reference should be made for further elucidation and understanding of the aspects that are being assessed. Page 274  |  Chapter 7  |  § A. Assessment Tool—Overview Table of Contents End Notes Referenced in: § A. Assessment 13. Indeed, there may be other basic due Tool—Overview process issues to be addressed as well. These are included in the “Procedural” section of the Assessment Tool. As 1. A full list of the existing tools of structured, the Assessment Tool breaks participating organizations can be found out under “safeguards” the two issues— in appendix 9 D. data protection (privacy) and freedom of expression. 2. See, e.g., WDR, supra § 1 A, note 10, at 222 et seq. 3. See, e.g., endnote ”i” in appendix 9 D. 4. See, e.g., endnote ”ii” in appendix 9 D. 5. See Budapest Convention, supra § 1 B, note 32. 6. See, e.g., endnote “iii” in appendix 9 D. 7. ITU, Toolkit for Cybercrime Legislation (Feb. 2010), at http://www.cyberdialogue. ca/wp-content/uploads/2011/03/ITU- Toolkit-for-Cybercrime-Legislation. pdf; see also ITU, Global Cybersecurity Index (GCI), (2014), at https://www.itu. int/en/ITU-D/Cybersecurity/Pages/ GCI-2014.aspx. The 2016 GCI, though focusing more broadly on issues of cybersecurity, also presents issues related to cybercrime preparedness. See ITU, Global Cybersecurity Index (GCI) 2015/16 Questionnaire Guide,” at https://www.itu. int/en/ITU-D/Cybersecurity/Documents/ QuestionnaireGuide-E.pdf. 8. See, e.g., endnote “v” in appendix 9 D. See also Comprehensive Study on Cybercrime, supra § 1 C, note 7. 9. GCSCC Maturity Model [hereafter, “Oxford”], at https://www.sbs.ox.ac. uk/cybersecurity-capacity/system/files/ CMM%20Version%201_2_0.pdf. 10. See, e.g., “Questionnaire Related to the Recommendations from the Fourth Meeting of Governmental Experts on Cyber-Crime,” OAS, (2006), at http://www. oas.org/juridico/english/cybGE_IVquest. doc. 11. OAS & IADB, 2016 Cybersecurity Report, Cybersecurity: Are We Ready in Latin America and the Caribbean?, at https:// goo.gl/4UUfwQ. 12. See, Oxford, supra note 9. Page 275 | Chapter 7 | End Notes Table of Contents CHAPTER 8 Analysis & Conclusion This final chapter offers some concluding thoughts on evolving good practices in combatting cybercrime. In this Chapter A. Analysis & Conclusion 277 Page 276 | Chapter 8 | Analysis & Conclusion CHAPTER 8 A. Analysis & Conclusion Table of Contents Introduction 277 I. Challenges—Known, New & Evolving 278 II. Collaboration & Coordination 279 Conclusion: The Way Forward 279 Introduction The Toolkit, as well as its accompanying Assessment Tool and virtual library,1 are aimed at addressing the capacity-building needs of countries with developing economies in the legal aspects of the global fight against cybercrime. It recognizes that a variety of stakeholders—both public and private—are involved in different aspects of this struggle. As the recent WannaCry2 and Petya3 ransomware attacks underscore, cybercrime is a global and pervasive threat, intimately intertwined with virtually every sector, from finance to health to ICT. The needs and challenges in the investigation and prosecution of cybercrime apply modus modendi to any type of crime involving electronic evidence. Cybercrime is no longer an isolated concern, and combatting it is no longer realistic without a comprehensive, collaborative, global approach. Indeed, global-cybersecurity awareness, training and capacity-building are critical in this interconnected world. In attempting to bolster capacity in the struggle against global cybercrime, the Toolkit attempts to provide insight into a range of questions: ƒƒ What is cybercrime? ƒƒ How is cybercrime addressed in national policy and legislation? ƒƒ What, given cybercrime’s global nature, are good practices for formal international cooperation? ƒƒ What informal cross-border cooperative methods can be encouraged? ƒƒ What are some of the safeguards in place that balance security with due process and rule of law? ƒƒ What are some of the challenges facing capacity-building initiatives, and what efforts are being made to address those challenges? ƒƒ What tools are there for countries to assess their capacity-building priorities? Page 277  |  Chapter 8  |  § A. Analysis & Conclusion Table of Contents In addressing some of these foundational questions, the appendices to the Toolkit also provide reference materials regarding selected recent cases that interpret national cybercrime laws, a compilation of nations’ laws on cybercrime, international instruments addressing cybercrime and other existing assessment tools. In building capacity to combat cybercrime, both international and domestic law issues must be taken into account. Additionally, there is a complementarity to be maintained between the security that comes from effective prosecution of cybercrimes, on the one hand, and the interests of due process, data protection and access to information, on the other. I. Challenges—Known, New & Evolving Throughout, the Toolkit explores the myriad challenges of developing building-capacity to combat cybercrime, and does so from multiple perspectives. On the legal front, combatting cybercrime involves a mixture of both domestic and international law and policy: However, that mixture is a complex one. Moreover, despite the fact that many countries have cybercrime laws, a host of other complicating factors, such as the lack of a common treatment of what is criminalized, leads to problems of interoperability, and therefore to complications in cross-border cooperation. Furthermore, technological advances continue to complicate matters. “New” technologies and approaches, such as cloud services and distributed or shared-ledger technology (such as blockchain), may offer users and industry important boons; at the same time, however, those very same technologies may be exploited by criminals, thus posing new and additional capacity-building challenges. ƒƒ Cloud services: Centralized data storage and processing pose challenges on a variety of fronts. Jurisdictionally, because, first, the physical site of the cloud facility’s servers may not be in the same jurisdiction as either the crime or the victim, and, second, the state in which the cloud facility’s servers are geographically located may not similarly criminalize the activity as the jurisdiction of either the crime or its victim—that is, the essential requirement of “dual criminality”, upon which cross-border cooperation is typically premised, may not be in place (see section 2 A, above), thereby hindering interoperability from the start (see section 2 E, box 2.6). Furthermore, for a host of reasons, the distributed technology of shared ledgers may also make investigations more difficult. Both centralized and distributed technologies make the process of “attribution” of criminal actions more challenging. ƒƒ “Policing”: Making cybercrime more expensive for cybercriminals is increasingly evolving from efforts focused on “prosecution” to “prevention”. Efforts that include policing of activities by third-party, private-sector and service providers are also considered under this category.4 Similarly, in terms of managing liability to cover the costs of cybercrime, it is possible to conceive of “privatizing” the costs of combatting cybercrime by imposing liability on manufacturers of “insecure” devices.5 Page 278  |  Chapter 8  |  § A. Analysis & Conclusion Table of Contents ƒƒ State-actor cyber-interventions: Finally, and although beyond the scope of the Toolkit, it bears noting that the rise of state-actors in cyber activities that, in a non-military context would be considered cybercrime, has resulted in an increased blurring of the lines between cybercrime and cyberwarfare.6 II. Collaboration & Coordination Much of the Toolkit’s focus has been on the importance of collaboration and coordination among actors in combatting cybercrime. International organizations, some of whom have participated in the elaboration of this Toolkit and the Assessment Tool, such as CoE, ITU, UNCTAD and UNODC, are working towards providing and sharing open tools and other resources with governments and other stakeholders, sometimes through including the resources of other organizations in addition to their own. Still other international organizations, such as the Commonwealth, are supporting and facilitating communication between their Member States. An ever-increasing number of tools are being made available–for example, by the OAS–for governments, therein enabling them, first, to identify their needs and, second, to develop their own counter-cybercrime strategies, complete with means for establishing baselines to measure their progress. And new partnership initiatives between civil society, the private sector and international or regional organizations, such as INTERPOL, are resulting in the forging of joint -ction plans. At the CoE, the State Parties to the Budapest Convention meet twice per yearly to review the implementation of the Budapest Convention and to negotiate solutions to address emerging challenges. More in-depth studies, such as those done through Chatham House, are being developed, having the aim of bridging gaps between policy and technology experts and of keeping stakeholders abreast of how cybercrime develops. Inexpensive online tools for capacity-building are being made available for law enforcement agencies, prosecutors and lawyers, guaranteeing sustainability and a wider reach. Efforts at harmonizing and creating common approaches to cybercrime issues, such as evidence, are facilitating criminal investigations. All of these effprts are essential to combatting cybercrime. Conclusion: The Way Forward Cybercrime not being an isolated concern, it can only be combatted through a comprehensive, collaborative, global approach, which necessities global cybersecurity awareness and global capacity-building. Such a vision is increasingly emerging and, in these times of progressive partnerships and rapid technological development, so, too, is international interoperability increasingly emerging. Additionally, just as technological developments increasingly make interconnected-efforts and shared operations possible, so, too, do they present increased potential for cybercriminals, thus requiring greater legal malleability, a further factor that must be included in advancing developing that global cybersecurity effort. Page 279  |  Chapter 8  |  § A. Analysis & Conclusion Table of Contents Even as these collaborative and cooperative initiatives are being undertaken, it bears emphasizing that it is increasingly being recognized that combatting cybercrime is not a one-size-fits-all proposition. A tailored, setting-sensitive approach must be taken. Moreover, there is also recognition of the need to avoid duplicating existing efforts. One challenge, of course, is that, as organizations pursue their respective mandates, they also attempt to synthesize and to build upon existing work within the scope of their mandate.7 Coordination between actors is an ongoing and continuing effort. As such, awareness-raising, information-exchange and capacity- building continue to be main priorities around which organizations are partnering. Lastly, such collaboration and cooperation must not only account for the various strengths of each organization offering support, but must also account for, and be sensitive to, client needs. Such sensitivity can best be inculcated through client ownership.8 As those two parts of the puzzle are increasingly put in place, international interoperability and a shared effort to combat cybercrime is increasingly emergent. Page 280  |  Chapter 8  |  § A. Analysis & Conclusion Table of Contents End Notes Referenced in: § A. Analysis & 6. WDR, supra § 1 A, note 10, at 222. While Conclusion such actions “blur[ ] the lines between acts of cybercrime and cyberwar or cyberterrorism,” it is nonetheless the 1. The Assessment Tool is described in detail responsibility of the government to assure in section 7. The Toolkit, Assessment Tool public safety and security in cyberspace. and virtual library are all available at www. Ibid. at 223. See also supra § 2 F. The combattingcybercrime.org. spectrum of such activities ranges vastly, from actions affecting private entities and 2. See supra § 1 C, box 1.2. individuals that might more strictly and 3. See, e.g., Kevin Conklin, “The Petya more straightforwardly be understood Virus—Return of the Ransomware as cybercrime if a state-actor were not Attacks,” Information Management, involved (e.g., hacking, data theft), to (Jun. 2017), at https://www.information- more aggressive activities that might management.com/opinion/the-petra- better be understood as cyberwarfare virus-return-of-the-ransomware-attacks. (e.g., targeting nuclear facilities). In certain instances, states are taking to airing 4. Remarks delivered by Ian Walden at grievances openly, and even taking legal “Cybersecurity and Cybercrime: New action to combat against such activities: Tools for Better Cyber Protection,” for instance, in the United States, a grand UNTAD e-Commerce Week (Geneva: jury recently indicted four defendants, UNCTAD, 24–28 Apr. 2017), at http:// including two Russian Federal Security unctad.org/meetings/en/Presentation/ Service (FSB) agents, for “computer dtl_eWeek2017p07_IanWalden_en.pdf. hacking, economic espionage and other criminal offenses in connection 5. Ibid. with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts.” US Dept. of Justice, Office of Public Affairs, “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts,” (15 Mar. 2017), at https://www.justice.gov/opa/pr/ us-charges-russian-fsb-officers-and-their- criminal-conspirators-hacking-yahoo-and- millions. See also United States v. Dmitry Dokuchaev, et al., CR17-103 (N.D. Cal. 2017), at https://www.justice.gov/opa/ press-release/file/948201/download. For a discussion of the larger implications of instances tending towards what might be construed as cyberwarfare and government responsibility for accounting for such matters, see, e.g., supra § 2 F; see also, Nicole Perlroth, “Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say,” New York Times, (6 Jul. 2017), at https://www. nytimes.com/2017/07/06/technology/ nuclear-plant-hack-report.html?mcubz=0. 7. As Sir Isaac Newton said, “If I have seen further it is by standing upon ye shoulders of Giants.” Letter to Robert Hooke (15 Feb. 1676). 8. See supra § 6 B. Page 281 | Chapter 8 | End Notes Table of Contents CHAPTER 9 Appendices The following appendices provide additional detailed “meta” information discussed in the preceding chapters of the Toolkit. In this Chapter Appendix A – Cases 283 Appendix B – Multilateral Instruments 340 Appendix C – National Legal Frameworks 355 Appendix D – Comparative Assessment Indicators 375 Appendix E – Assessment Tool 393 Page 282 | Chapter 9 | Appendices A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Explanatory Note: This Appendix lists cases intended to capture the issues addressed in this Toolkit, used in the text of the Toolkit. Cases appearing in the Toolkit highlight five critical issues: 1) the direct including both the challenges and complexities of addressing cybercrime, as well as successes that and indirect monetary implications of the attacks on financial and non-financial institutions; 2) the can be achieved through multi-jurisdictional and private sector cooperation. The cases are illustrative different approaches on the legal basis for charging alleged criminals (some cases use specific anti- (and by no means exhaustive) and were gathered from credible public and private sector open sources. cybercrime legislation, others use anti-money laundering law, and still others use violation of some The cases reviewed are primarily from the following jurisdictions: Australia, Canada, Germany, Japan, underlying statute using a computer network); 3) some cases illustrate the cross-border nature of Korea, Russia, Switzerland, Ukraine, United Kingdom and the United States. The Appendix analyzes cybercrime (inevitably requiring that in order to conduct successful investigations, countries will have the cases looking at the characteristics of the attackers; the origin and target jurisdiction; the targets to cooperate); 4) space/forum has to be created that brings together the public and private sectors to of the attack; the amount involved or stolen; the mode/methodology of attack; whether they were collaborate in investigating cybercrime threats; and 5) the means used to carry out the cyberattacks, any indictments on the alleged attackers; the legal basis for any indictments; and the sources for the include malware, phishing schemes and social engineering, hacking, botnet, distributed denial of case information. A number of the cases shown in this Appendix correspondents to the references service and many other methods. Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Carbanak Origin: Unclear Banks (100 banks $300 million - Kaspersky Lab, INTERPOL, N/A N/A http://www.securityweek.com/ha and other financial $1 billion Europol, and authorities from ckers-hit-100-banks-unprecedented- (Anunak is the name Target: Banks institutions in 30 various nations. 1-billion-cyber-attack-kaspersky-lab of the malware in Russia, Japan, nations) author that is often the Netherlands, http://25zbkz3k00wn2tp5092n6di7 mentioned alongside Switzerland, the b5k.wpengine.netdna-cdn.com/ this case) U.S. and others. files/2015/02/Carbanak_APT_eng.pdf (Jan. 2013-present) http://www.nytimes.com/2015/02/15/ world/bank-hackers-steal-millions-via- malware.html http://www.nytimes. com/2015/02/15/world/bank- hackers-steal-millions-via-malware. html?partner=socialflow&smid=tw- nytimes&_r=2 Page 283 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Bangladesh Central Origin: Unclear Federal Reserve $100 Million Bangladesh government N/A N/A http://www.bbc.com/news/ Bank Reserve Hack but stolen funds Bank of New York reported the missing funds to business-35809798 were transferred the U.S. Federal Reserve. (Feb 2016) https://www.bloomberg.com/ to accounts in the news/articles/2016-03-08/u-s-fed- Phillipines. responsible-for-missing-100-million- Target: U.S. bangladesh-says Carberp Trojan Origin: Ukraine Ukrainian and $250 million Joint operations by the Security N/A N/A http://www.securityweek.com/source- (Kiev, Zaporzhe, Russian Banks Service of Ukraine and the code-carberp-trojan-sale-cybercrime- (2009-2013) Lyov, Odessa and Russian Federal Security Service underground Kherson) http://www.securityweek.com/russia Target: Ukrainian n-authorities-claim-capture-master and Russian mind-behind-carberp-banking-trojan http://translate.google.com/translate ?sl=ru&tl=en&js=n&prev=_t&hl=en &ie=UTF-8&eotf=1&u=http%3A%2F %2Fwww.kommersant.ua%2Fdoc%2F 2160535 Page 284 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Gameover Zeus Origin: Russia, individual computers, $100 million FBI, law enforcement from The indictment for GameOver Zeus https://www.fbi.gov/news/stories/ Ukraine and U.K. information therein the Australian Federal Police; the creator of the is an extremely malware-targets-bank-accounts (2012) and financial the National Police of the malware: sophisticated type of Target: U.S. https://www.fbi.gov/file-repository/ institutions. Netherlands National High malware used to steal http://www.justice gameoverzeus_v13_fullgraphic_web_ Tech Crime Unit; European banking and other .gov/sites/default/f opt2.pdf Cybercrime Centre (EC3); credentials from the iles/opa/legacy/201 Germany’s Bundeskriminalamt; computers it infects. 4/06/02/pittsburgh- France’s Police Judiciare; Infected computers, indictment.pdf Italy’s Polizia Postale e delle unbeknownst to the Comunicazioni; Japan’s National http://www.justice. owners, become Police Agency; Luxembourg’s gov/opa/documents- part of a botnet Police Grand Ducale; New and-resources-june-2- that uses the stolen Zealand Police; the Royal 2014-announcement credentials to initiate Canadian Mounted Police; wire transfers to the Ukraine’s Ministry of Internal accounts overseas Affairs – Division for Combating owned by criminals. Cyber Crime; and the United Evgeniy Bogachev, Kingdom’s National Crime the creator of the Agency participated in the malware, received operation. The Defense Criminal one 1 count Investigative Service of the U.S. conspiracy, 1 count Department of Defense also of wire fraud, 1 count participated in the investigation. of computer fraud, 9 counts of bank fraud, and 2 count of money laundering. Operation High Roller Origin: Hosting Boutique Financial Estimated $78 Identified by McAfee N/A N/A http://www.scmagazine.com/racket-drains- locations and Institutions, credit million stolen and Guardian Analytics. high-roller-bank-accounts-in-automated- (January 2012 to April style/article/247542/ command and unions, large global with potenitally Subsequently pursued by 2012) http://www.reuters.com/ control servers banks and regional 2 billion euros relevant authorities. article/2012/06/26/us-online-bankfraud- mainly located banks. in attempted idUSBRE85P04620120626 in Russia, with fraud. http://blogs.wsj.com/cio/2012/06/26/ some in the U.S., operation-high-roller-targets-corporate- Germany, Italy, bank-accounts/ Ukraine and China. https://www.finextra.com/finextra- Target: Mainly U.S., downloads/newsdocs/high-roller.pdf Europe, Columbia Page 285 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) SpyEye Origin: Atlanta, Victims’ bank Panin was on Investigated by the FBI. Assisted http://krebsonsecurity. 11 counts of http://www.bbc.com/news/ Georgia. U.S. accounts. Interpol redlist by the United Kingdom’s com/wp-content/ Computer Fraud and technology-25946255 2009-2011. for banking National Crime Agency, the uploads/2014/01/ Abuse, 1 count of Target: http://www.wired.com/2014/01/spy- (potentiallty still scams stealing Royal Thai Police-Immigration Panin-Indictment.pdf Copmputer Fraud Multinational eye-author-guilty-plea/ active: 10,000 bank more than $5 Bureau, the National Police and Abuse conspiracy, accounts had been million. The of the Netherlands-National 10 counts of wire compromised by it in malware was High Tech Crime Unit (NHTCU), fraud, 1 count of 2013) mainly sold and Dominican Republic’s wire and bank fraud used by others. Departamento Nacional de conspiracy. ‘soldier’ stole Investigaciones (DNI), the more than $3.2 Cybercrime Department at million during a the State Agency for National 6 month period Security-Bulgaria, and the in 2011. Australian Federal Police (AFP). Private sector: Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team known as Underworld.no. Page 286 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Jabber Zeus Crew Origin: Ukraine, Bank accounts $70 million Colloaborative law enforecment http://www.justice. For malicious http://www.scmagazine.com/ Russian and the of medium sized stolen ($220 effort which partnered U.S. gov/iso/opa/resou activities dating as indictment-charges-jabber-zeus-crew- (Fall 2010) U.K. businesses, towns million governmental entities with rces/5922014411104 far back as 2009, with-using-malware-to-steal-millions/ and churches. attempted) their counterparts in the 621620917.pdf all the individuals article/342375/ Target: U.S. United Kingdom, Ukraine, and are charged http://www.fbi.gov/news/stories/ Netherlands. with conspiracy 2010/october/cyber-banking-fraud to participate in racketeering activity, http://www.securityweek.com/zeus- conspiracy to commit source-code-leaked-really-game- computer fraud changer and identity theft, aggravated identity theft, and multiple counts of bank fraud Coreflood Origin: Search Company $600,000 DOJ was able sieze domain https://www.fbi.gov/ The U.S. Attorney’s http://www.fbi.gov/news/ warrants were information (1.5 million names and to later decomission newhaven/press- Office for the District stories/2011/april/botnet_041411/ (2009-2011) issued for control (Michigan, attempted) the botnet through the use releases/2011/pdf/ of Connecticut filed botnet_041411 and command South Carolina, of the NPO Internet Systems nh041311_1.pdf a civil complaint http://www.fbi.gov/newhaven/press- servers in Arizona, North Carolina, Consortium (ISC). FBI’s against 13 “John releases/2011/nh041311.htm Georgia, Texas, Connecticut, New Haven Division led the Doe” defendants on Ohio, and Tenessee) investigation, in coordination the grounds of wire http://www.htnp.com/ California. with the U.S. Marshals Service. fraud, bank fraud, and easthampton/2011/04/13/fbi-cracks- Microsoft, the Internet illegal interception international-bot-network-that- Target: U.S. Systems Consortium, and of electronic has-infected-more-than-2-million- other private industry partners communications. computers/ also contributed. The case is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division Page 287 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Gauss Origin: Unknown Mainly Lebanese Gauss covertly Kapersky Labs detected the N/A N/A http://www.telegraph. banks (Blombank, collects Gauss virus. co.uk/technology/internet- (2012) Target: Lebanon ByblosBank and banking security/9466718/Cyber-espionage- and Middle Credit Libanais) but credentials, virus-targets-Lebanese-banks. Eastern Financial also Citibank and web browsing html?mobile=basic Institutions. paypal costumers history and passwords, and detailed technical information about the computer that could assist further attacks. Dyre Banking Trojan Origin: Eastern Targeted customers Theft of The Dell SecureWorks Counter N/A N/A http://www.secureworks.com/cyber- Europe or Russia of over 1,000 banks credentials Threat Unit (CTU) research team threat-intelligence/threats/dyre- (aka Dyreza, Dyzap, and companies (identity discovered the Virus in June banking-trojan/ and Dyranges) Target: Mainly U.S. worldwide. informational 2014. and UK http://www.symantec.com/connect/ (2014) Consumers in like date of blogs/dyre-emerges-main-financial- English-speaking birth as well trojan-threat countries were as PIN codes at highest risk, and credit card particularly those in details) the U.S. and UK. Page 288 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Dridex Banking Trojan Origin: Personal computers- The National Governmental entities, N/A N/A http://researchcenter. The trojan takes Crime Agency International entities, and paloaltonetworks.com/2014/10/ (July 2014- Oct. 2014) Target: United personal information says that “up private industry. dridex-banking-trojan-distributed- States, UK, Taiwan, such as usernames to” £20m was word-documents/ Neherlands, and passwords lost to the Canada, Australia, http://www.bankinfosecurity.com/ with the end goal hackers, and Belgium, Israel, dridex-banking-trojan-worldwide- of hacking bank the FBI says Germany, Norway, threat-a-7557/op-1 accounts and that a first Spain, other. stealing funds. $10m was lost http://www.theguardian.com/ domestically. technology/2015/oct/14/what-is- Also focused on dridex-how-can-i-stay-safe small- and medium- $1m was stolen sized organisations. from a school district in Pennsylvania and successfully transferred. Over $3.5m was stolen from Penneco Oil in the course of three separate attacks. Page 289 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Gozi Bank Malware Origin: Russia, Financial Institutions tens of millions FBI led investigation beginning http://www.justice.go The creator of http://www.huffingtonpost. Latvia, Romania in 2010. Law Enforcement v/usao/nys/pressrel the Gozi malware com/2013/01/23/gozi-virus- (2005-2010) and Intelligence authorities in eases/January13/Goz along with two co- fbi_n_2535282.html Target: U.S. latvia, Romania, Moldova, the iVirusDocuments/Kuz conspirators were Netherlands, Germany, Finland, min,%20Nikita%20 charged for infecting Switzerland, the U.K. and the U.S. Complaint.pdf more than a million computers worldwide http://www.justice.go in order to steal v/usao/nys/pressrele banking and other ases/January13/Go credentials from ziVirusDocuments/Ca tens of thousands of lovskis,%20Deniss%20 victims. S4%20Indictment.pdf http://www.justice.gov /usao/nys/pressreleas es/January13/GoziVi rusDocuments/Paune scu,%20Mihai%20Ion ut%20Indictment.pdf Page 290 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) US v Liberty Reserve Origin: N/A (was a money Estimated to The United States Secret Service, http://www.justice.gov 1 count conspiracy http://www.justice.gov/usao/ et al (costa rican- Laundering funds laundering case) have laundered the Internal Revenue Service- /usao/nys/pressrelea to commit money nys/pressreleases/May13/ based digital currency internationally $6 billion Criminal Investigation, and the ses/May13/LibertyRes laundering, 1 count LibertyReserveetalDocuments.php exchange) U.S. Immigration and Customs ervePR/Liberty%20Res conspiracy to operate Target: U.S. and http://www.reuters.com/ Enforcement’s Homeland erve,%20et%20al.% unlicensed money (Liberty Reserve was others article/2013/05/28/net-us- Security Investigations, which 20Redacted%20AUS transmitting business, indicted on Tuesday cybercrime-libertyreserve-charges- worked together in this case as A%20Appln%20with% and 1 count operation May 28th 2013) idUSBRE94R0KQ20130528 part of the Global Illicit Financial 20exhibits.pdf of an unlicensed Team. The Judicial Investigation money transmitting https://www.justice.gov/usao-sdny/ Organization in Costa Rica, business. pr/founder-liberty-reserve-arthur- Interpol, the National High Tech budovsky-pleads-guilty-manhattan- Crime Unit in the Netherlands, federal-court the Spanish National Police, Financial and Economic Crime Unit, the Cyber Crime Unit at the Swedish National Bureau of Investigation, and the Swiss Federal Prosecutor’s Office. The case is being prosecuted by the Department of Justice’s Asset Forfeiture and Money Laundering Section and the Department of Justice’s Office of International Affairs and Computer Crime and Intellectual Property Section (more specifically the Office’s Complex Frauds and Cybercrime Unit and Money Laundering and Asset Forfeiture Unit) Page 291 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Unlimited Operation Origin: New York First attack targeted $45 million USD The investigation was led http://www.justice.go N/A https://nakedsecurity.sophos. based-cell, but a card processor by the United States Secret v/usao/nye/pr/2013/ com/2013/05/10/casher-crew-from- (Oct. 2012 to Apr. the organization is that handled Service with support from the 2013may09.html global-cyberheist-busted-in-new- 2013) multinational. transactions for Department of Homeland york/ prepaid mastercard Security as well as Mastercard, Target: debit cards from the RAKBANK, and the Bank Muscat. National Bank of Law enforcement authorites in Ras Al-Khaimah PSC Japan, Canada, Germany, and (RAKBANK). Romania, and also thanked authorities in the United Arab The second attack Emirates, Dominican Republic, targeted the same Mexico, Italy, Spain, Belgium, type of cards issued France, United Kingdom, Latvia, by the Bank of Estonia, Thailand, and Malaysia Muscat in Oman. also cooperated with the investigation. Project Blitzkrieg Origin: Launched 30 U.S. banks. $5 million USD RSA claimed that they had N/A N/A http://krebsonsecurity.com/2012/10/ from a server in Credit card unions, was stolen by discovered an operation run project-blitzkrieg-promises-more- (Oct. 2012) Ukraine. federal credit one group in by an individual known as aggressive-cyberheists-against-u-s- union, genereic 2008 using this vorVzakone banks/#more-17096 Target: U.S. banking platforms, virus. http://www.mcafee.com/us/ investment banks, resources/white-papers/wp- large national analyzing-project-blitzkrieg.pdf banks, national banks, online http://krebsonsecurity.com/2012/12/ payment processors, new-findings-lend-credence-to- regional banks project-blitzkrieg/ and state credit unions. To include Bank of America, Capital One and Suntrust, and investment banks such as American Funds, Ameritrade, eTrade, Fidelity, OptionsExpress, and Schwab. Page 292 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Direct Costs Continued from last page Cybercrime Related to Financial Institutions with Direct Cost Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) United States v Albert Origin: U.S. Large corporate $200 million The investigation was led by the https://www.justice. 19 counts of https://www.justice.gov/opa/pr/ Gonzalez networks with USD United States Secret Service with gov/opa/pr/alleged- conspiracy, computer international-hacker-pleads-guilty- Target: U.S. credit card and atm support from the Federal Bureau international-hacker- fraud, wire fraud, massive-hacks-us-retail-networks (2009) numbers saved of Investigation. indicted-massive- access device fraud within internal attack-us-retail-and- and aggravated servers. banking-networks identity theft. Zberp Origin: N/A Targeting more N/A Discovered and named by N/A N/A http://securityintelligence.com/new- than 450 financial security researchers from IBM zberp-trojan-discovered-zeus-zbot- (2014) Target: Mainly in institutions around subsidiary Trusteer. carberp/ the U.S., U.K. and the world. Australia Page 293 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Indirect Costs Cybercrime related to Financial Institutions with Indirect Costs Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) JPMorgan Chase and Origin: Believed to 10 U.S. financial Bank Data For JP Morgan: JP Morgan’s N/A N/A http://dealbook.nytimes. 9 other U.S. banks be from Russia institutions including (mainly security team first identified the com/2014/10/03/hackers-attack-cracked- JPMorgan Chase coustomer attack. The U.S. Department 10-banks-in-major-assault/?_r=0 (8/1/2014) Target: U.S. personal data) of Treasury, the Secret Service http://www.symantec.com/connect/ and intelligence agencies app#!/blogs/us-banks-breached- have been working alonside cyberattack-what-bankers-should-do- JP Morgan’s security team to stay-protected-0 locate the source of the attack. http://www.nytimes.com/2014/08/28/ technology/hackers-target-banks- including-jpmorgan.html?_r=2 https://www.bloomberg.com/news/ videos/b/0e6c09e9-c79c-4e3f-8cd4- 6903468411ce http://www.nytimes.com/ interactive/2014/10/03/business/ dealbook/jpmorgan-documents.html Nasdaq Origin: N/A Web-based app Unclear what Intially investigated by the N/A N/A http://www.wsj.com/articles/SB10001424 callled directors was taken but United States FBI and NSA. 052748704843304576126370179332758 (Feb. 5, 2011) Target: U.S. desk, where the portion of Follow-up investigations http://www.nytimes.com/2011/02/06/ companies can share the Nasdaq were carried out by the the business/06nasdaq.html info, may have been which handles National Cybersecurity and hacked. Has 5,000 trades was not Communications Integration users. hacked. Center (NCCIC). Page 294 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Indirect Costs Continued from last page Cybercrime related to Financial Institutions with Indirect Costs Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Target Origin: N/A Customer Data 40 million Federal Law Enforcement N/A N/A http://bits.blogs.nytimes. customers’ officials notified Target of the com/2014/11/06/home-depot- (Nov. 27- Dec. 15, Target: U.S. credit card breach on December 12, 2013. says-hackers-also-stole-email- 2013) information, Company investigators worked addresses/?ref=topics and 70 million to uncover what happened. http://dealbook.nytimes. others com/2014/10/02/jpmorgan-discovers- further-cyber-security-issues/ http://money.cnn.com/2013/12/22/news /companies/target-credit-card-hack/ http://www.bloomberg.com/news/articl es/2014-03-13/target-missed-warnings- in-epic-hack-of-credit-card-data Home Depot Origin: N/A Customer Data 53 million N/A N/A N/A http://bits.blogs.nytimes.com/2014/1 customer 1/06/home-depot-says-hackers-also- (April, 2014) Target: U.S. email stole-email-addresses/?ref=topics addresses, http://dealbook.nytimes.com/2014/10 payment /02/jpmorgan-discovers-further-cyber- card details security-issues/ for millions, (56 million http://www.wsj.com/articles/home- in totoal depot-hackers-used-password-stolen- affected) from-vendor-1415309282 T.J. Maxx Origin: N/A Customer Data Data for N/A N/A N/A http://www.nytimes.com/2013/12/20/ 90 million technology/target-stolen-shopper-data. (July 2005-December Target: U.S. customers html 2006) http://www.washingtonpost.com/ wp-dyn/content/article/2007/09/25/ AR2007092500836.html Page 295 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Indirect Costs Continued from last page Cybercrime related to Financial Institutions with Indirect Costs Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Sony & Qriocity Origin: U.S., U.K. Sensitive customer Sensitive FBI https://www.wired. N/A http://money.cnn.com/gallery/ and Ireland information information com/wp-content/ technology/security/2013/12/19/ (April-17-19, 2011) for 77 million uploads/2014/05/ biggest-credit-card-hacks/5.html Target: U.S. customers Monsegur.pdf (personal information and perhaps credit card numbers) Neiman Marcus Origin: Russia Sensitive customer 1 million N/A N/A N/A http://www.bloomberg.com/news/art information credit card icles/2014-04-07/neiman-marcus-breach- Target: U.S. information linked-to-russians-who-eluded-u-s- stolen Rex Mundi Origin: N/A Banque Cantonale Hacked N/A N/A N/A http://www.reuters.com/ de Geneve system and article/2015/01/09/us-bc-geneve-hacker- (Jan. 2015) Target: Swiss bank (confidential client stole 30,000 idUSKBN0KI1MK20150109 BCGE (twiiter account name information) emails of which announced the clients from hacking event) the bank and attempted to extort 10,000 euros in exchange for not publishing the information. Page 296 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Indirect Costs Continued from last page Cybercrime related to Financial Institutions with Indirect Costs Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) com.II Origin: N/A Kookmin, Nong Costumer South Korean Police N/A N/A http://www.securityweek.com/new- Hyup, Shinhan, bank log in android-malware-targets-banking-apps- (Summer 2014 (hack Target: Korea Hana N, Woori, information, phone-information-fireeye announced by cheetah Busan, and the bank account mobile on June 27th)) https://www.fireeye.com/blog/threat- Korean Federation information, research/2014/07/the-service-you-cant- of Community Credit phone refuse-a-secluded-hijackrat.html Cooperatives numbers, device IDs, http://www.securityweek.com/fake- and contact android-apps-target-south-korean-bank- lists customers Dump Memory Grab Origin: Russian Major U.S. banks harvest info N/A N/A N/A http://www.securityweek.com/exclusive- Federation (chase, capital one, from credit new-malware-targeting-pos-systems- (2013) citibank, and union and debit atms-hits-major-us-banks Target: U.S. bank of california) cards vSkimmer Origin: Circulating Designed capture Credit card The vskimmer malware was first N/A N/A http://www.securityweek.com/exclusive- on criminal forums credit card data from information detected by McAfee’s sensor new-malware-targeting-pos-systems- (Feb. 2013-) out of Russia systems running network. atms-hits-major-us-banks Windows that host Target: http://www.securityweek.com/vskimmer- payment processing Multinational botnet-targeting-payment-card- software. terminals-connected-windows http://www.computerworld.com/ article/2495732/cybercrime-hacking/ researchers-uncover-vskimmer-malware- targeting-point-of-sale-systems.html Page 297 | Chapter 9 | Appendix A A APPENDIX Cybercrime Related to Financial Institutions TABLE A with Indirect Costs Continued from last page Cybercrime related to Financial Institutions with Indirect Costs Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred (legal provision that case was charged under) Dexter Origin: N/A 42% of infections Credit card N/A N/A N/A http://www.securityweek.com/exclusive- in North America. information. new-malware-targeting-pos-systems- (Sept.-Dec. 2012) Target: Mostly big-name Loss of 80,00 atms-hits-major-us-banks Multinational retail, hotels, credit cards http://www.securityweek.com/new- restaurants, private from Subway malware-targets-point-sale-systems-just- parking providers, restaurants in time-holiday-rush and eateries. 2012 http://www.securityweek.com/vskimmer- botnet-targeting-payment-card- terminals-connected-windows Airline Fraud Scheme Origin: 60 airlines in over 45 Nearly $1 Europol in The Hague, 118 individuals were Defendants from https://www.europol.europa.eu/ Multinational countries billion from Netherlands; INTERPOL arrested various jurisdictions content/118-arrested-global-action- (11/1/2014) the airline through its General Secretariat were charged for against-online-fraudsters-airline-sector Target: 60 industry alone in Lyon, France and the crimes related to airlines in over 45 https://www.unodc.org/cld/case- INTERPOL Global Complex for credit card fraud. countries. Also law-doc/cybercrimecrimetype/xxx/ Innovation (IGCI) in Singapore; greatly impacted operation_global_action_against_ and AMERIPOL in Bogota, the banking and online_fraudsters_in_the_airline_sector. Colombia. More than 60 travel sectors as html?&tmpl=cyb airlines and 45 countries were well as airlnes. involved in the activity, which http://www.interpol.int/News-and- took place at some 80 airports media/News/2014/N2014-228 across the world. The International Air Transport Association (IATA) also took part in the investigation. Page 298 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred Russian Cybercrime Origin: N/A Heartland Payment More than The U.S. Secret Service, U.S. v. Drinkman, http://www.justice. http://krebsonsecurity.com/tag/ Syndicate Systems 2007 160 million Criminal Investigations, led Kalinin, Kotov, Rytikov, gov/usao/nj/Press/ aleksandr-kalinin/ Target: U.S. (130 million credit credit card the investigation. The U.S. & Smilianets files/Drinkman,%20 http://www.justice.gov/usao/nj/Press/ cards), Hannaford numbers from also collaborated with the Vladimir%20et%20 http://www.justice. files/Drinkman,%20Vladimir%20 Brothers Co 2007 U.S. retailers, New Jersey U.S. Attorney’s al.%20Indictment%20 gov/usao/nj/Press/ et%20al.%20Indictment%20News%20 (4.2 million card banks and card Office Criminal Division, News%20Release. files/pdffiles/2013/ Release.html numbers), Carrefour processors. The Department of Justice’s html Drinkman,%20 S.A. 2007 (2 million Computer Crime and https://nakedsecurity.sophos. Vladimir%20%20 card numbers), Intellectual Section as well com/2010/03/25/tjx-hacker-jail-20- et%20al.,%20 Commidea Ltd. as with the Dutch Ministry of years-stealing-40-million-credit-cards/ Indictment.pdf 2008, (30 million card Security and Justice and the http://www.nytimes.com/2013/12/20/ numbers), Euronet National High Tech Crime Unit technology/target-stolen-shopper- 2010 (2 million card of the Dutch National Police. data.html numbers), Visa, Inc 2011 (800,000 card http://www.bloomberg.com/bw/ numbers), Discover stories/2009-07-06/lessons-from-the- Financial Services data-breach-at-heartlandbusinessweek- (500,000 diners business-news-stock-market-and- card numbers). financial-advice Also hacked into NASDAQ, 7-Eleven, JetBlue, JCPenny, Wet Seal, Dexia, Dow Jones, & Ingenicard. Page 299 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred Sonya Martin Origin: Chicago, Personal Bank $9 million was The U.S. Federal Bureau N/A http://www.fbi. https://nakedsecurity.sophos. Illinois, U.S.A. Accounts with stolen from of Investigation led the gov/atlanta/press- com/2012/08/28/prison-atm-worldpay/ ATM withdrawal over 2,100 investigation with assistance releases/2012/ Target: capabilities. ATMs in at provided by numerous sentencing-in-major- Multinational least 280 cities domestic and international international-cyber- worldwide, law enforcement partners. crime-prosecution including WorldPay reported the crime cities in the and substantially assisted in United States, the investigation. Case was Russia, Ukraine, prosectued by the Department Estonia, Italy, of Justice Computer Crime and Hong Kong, Intellectual Property Section Japan, and with assistance from the Canada. The Department of Justice Office of event took International Affairs. place in less than 12 hours on Nov. 8, 2008. Chinese-Run Origin: China via “The group had N/A (Attack Kenyan Police N/A N/A http://www.nation.co.ke/ Cybercrime Network Kenya been preparing to foiled) news/77-Chinese-held-in-cyber- “raid the country’s bust/-/1056/2543786/-/t5vf43/-/index. Target: Kenya communication html systems” and had http://www.theguardian.com/ equipment capable world/2014/dec/05/kenya-chinese- of infiltrating nationals-cybercrime-nairobi bank accounts, Kenya’s M-Pesa http://www.newsweek.com/77- mobile banking chinese-nationals-arrested-kenya- system and ATM cybercrimes-289539 machines.”retrieved from http://www.bbc. com/news/world- africa-30327412 Page 300 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred Evgeniy Bogachev Origin: Western Financial Institutions $100 million Besides the United States, http://www.justice 1 count conspiracy, 1 http://www.justice.gov/sites/default/ District of stolen law enforcement from the .gov/sites/default/file count of wire fraud, files/opa/legacy/2014/06/02/ Pennsylvania Australian Federal Police; s/opa/legacy/2014/0 1 count of computer pittsburgh-indictment.pdf the National Police of the 6/02/pittsburgh-indic fraud, 9 counts of Target: U.S. and http://www.bbc.com/news/world-us- Netherlands National High tment.pdf bank fraud, and 2 elsewhere canada-31614819 Tech Crime Unit; European count of money https://web.archive.or Cybercrime Centre (EC3); laundering. http://www.justice.gov/opa/pr/ g/web/201609261039 Germany’s Bundeskriminalamt; us-leads-multi-national-action- 34/https://www.justic France’s Police Judiciare; against-gameover-zeus-botnet-and- e.gov/opa/documents Italy’s Polizia Postale e delle cryptolocker-ransomware -and-resources-june-2- Comunicazioni; Japan’s 2014-announcement National Police Agency; Luxembourg’s Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; Ukraine’s Ministry of Internal Affairs – Division for Combating Cyber Crime; and the United Kingdom’s National Crime Agency participated in the operation. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation. Invaluable technical assistance was provided by Dell SecureWorks and CrowdStrike. Numerous other companies also provided assistance, including facilitating efforts by victims to remediate the damage to their computers inflicted by Gameover Zeus. These companies include Microsoft Corporation, Abuse. ch, Afilias, F-Secure, Level 3 Communications, McAfee, Neustar, Shadowserver, Anubis Networks, Symantec, Heimdal Security, Sophos and Trend Micro. Page 301 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred African Cyber Criminal Origin: Commonly More than 85 Retail goods. FBI N/A N/A http://www.fbi.gov/washingtondc/ Enterprise (ACCE) Nigeria companies and Approxiamtely press-releases/2014/african-cyber- universities in the $5 million lost criminal-enterprise-members-using- Target: U.S. U.S. Approxiamtely so far. After school-impersonation-scheme-to- 400 actual or the fraud is defraud-retailers attempted incidents discovered, http://www.fbi.gov/news/stories/2014/ targeting 250 the retailer april/understanding-school- vendors. is forced to impersonation-fraud absorb the financial losses. https://www.ic3.gov/media/2014/14 0904.aspx https://www.fbi.gov/news/stories/ purchase-order-scam-leaves-a-trail-of- victims Online Marketplace Origin: Romania Users of online Funds from FBI http://www.justice. 1 count of conspiracy http://www.state.gov/j/inl/tocrewards/ Fraud and other marketplace and consumers gov/usao/nye/ to commit wire fraud, c64997.htm European countries auction websites using online pr/2013/doc/ money laundering http://www.state.gov/j/inl/tocrewards/ such as ebay. marketplace Popescu.Signed%20 and passport fraud to Target: U.S. c64996.htm com, cars.com, websites. Indictment%20(12%20 traffic in counterfeit autotrader.com, and Attacks CR%20785).pdf service marks, 7 cycletrader.com. resulted in counts of wire fraud, potentially 2 counts of wire fraud, million dollar 4 counts of wire fraud, losses to U.S. 1 count of passport victims. fraud, 1 count of passport fraud, 1 count of trafficking in counterfeit service marks, 1 count of money laundering, 1 count of money laundering, 1 count of money laundering, 1 count of money laundering, 1 count fo money laundering, 1 count of money laundering. Page 302 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred People’s Liberation Origin: China American Information The investigation was led Indictment: 1 count of conspiracy http://www.reuters.com/ Army (PLA) Unit commercial stolen from by the U.S. FBI. The case http://www.justice. to commit computer article/2014/05/20/us-cybercrime-usa- Target: U.S., 61398 enterprises (nuclear, commerical is being prosecuted by the gov/iso/opa/resources fraud and abuse, 8 china-unit-idUSBREA4J08M20140520 Western District of metal and solar enterprises U.S. Department of Justice’s /512201451913235846 counts of computer (Defendants Charged Pennsylvania. https://www.justice.gov/opa/pr/ firms). Alcoa to be used by National Security Division 1949.pdf fraud and abuse, 14 on May 19, 2014) us-charges-five-chinese-military- Inc, Allegheny competitors Counterespionage Section counts of damaging hackers-cyber-espionage-against-us- Technologies Inc, in China. and the U.S. Attorney’s Office a computer, 6 counts corporations-and-labor United States Steel Information for the Western District of of aggravated identity Corp, Toshiba Corp such as trade Pennsylvania. theft, 1 count of unit Westinghouse secrets. economic espionage, Electric Co, the and 1 count of theft of U.S. subsidiaries trade secret. of SolarWorld AG, and a steel workers’ union were among the targeted institutions. Roman Valerevich Origin: Servers Defraud various Stole and The U.S. Secret Service Indictment: 5 counts of Bank http://www.capitolhillseattle. Seleznev were located in financial insitutions sold credit Electronic Crimes Task Force http://krebsonsecurity. fraud, 8 counts of com/2014/07/russian-hacker-arrested- Russia, Ukraine, including Boeing card numbers. (includes detectives from the com/wp-content/upl intentional damage to in-2010-broadway-grill-data-breach (Oct. 2, 2009 - Feb. 22, and multiple Employee’s Credit At least $1.7 Seattle Police Department) oads/2014/07/Selezn a protected computer, 2011) http://www.justice.gov/usao-wdwa/ servers in the U.S. Union, Chase million in losses ev-Indictment-CR11- 8 counts of obtaining pr/alleged-russian-cyber-criminal- such as McLean Bank, Capital One, to banks and 0070RAJ-1.pdf information from a now-charged-40-count-superseding- Virginia. Citibank, and credit card protected computer, indictment Keybank. companies. 1 coutn of possession Target: Westerm of fifteen or more District of unauthorized access Washinton and devices, 2 counts elsewhere. of trafficking in unauthorized access devices, and 5 counts of aggravated identity theft. Page 303 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred Alexsey Belan Origin: E-commerce Stole, exported U.S. Federal and state N/A In Nevada, charged http://rt.com/news/fbi-wanted-list- Multinational companies. and sold user authorities. with obtaining russian-340/ (Jan. 2012- Apr. 2013) databases from information from a Target: Nevada https://www.fbi.gov/wanted/cyber/ e-commerce protected computer; and San Francisco, alexsey-belan/view companies. possession of fifteen U.S. or more unauthorized access devices; and aggravated identity theft. In San Francisco, was charged with two fraud counts and two counts of aggravated identity theft. Alexandr Sergeyevich Origin: Russian Scheme utilized Attempted FBI Southern District of 1 count of conspiracy http://www.fbi.gov/wanted/cyber/ Bobnev Federation the accounts of to steal and New York indicted him to commit wire alexandr-sergeyevich-bobnev/view major provider of launder on Nov. 26, 2008 fraud and 1 count of (June 2007 -August Target: U.S. investment services. funds from conspiracy to commit 2007) investment money laundering service accounts. Wired or attempted to wire $350,000 Page 304 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred Yahoo! Inc. Email Hack Origin: Russia and 500 million email $350 million US Justice Department, FBI, N/A A Canadian, Karim https://www.justice.gov/opa/press- Canada addresses Canada Baratov, is accused release/file/948201/download in a massive hack of Target: Everywhere Yahoo emails (500 million emails) in 2014. Baratov was arrested under the Extradition Act after U.S. authorities indicted him and three others — two of them allegedly officers of Russia’s Federal Security Service — for computer hacking, economic espionage and other crimes. Guccifer Case Origin: Romania Hilary Clinton’s N/A FBI, DSS, and Secret Service https://assets. Marcel Lazar, a https://www.justice.gov/usao-edva/pr/ private email domain documentcloud.org/ Romanian hacker romanian-hacker-guccifer-sentenced- Target: Hilary documents/1197719/ nicknamed “Guccifer” prison Clinton (USA) lazar-indictment.pdf who helped expose the existence of a private email domain Hillary Clinton used when she was U.S. secretary of state was sentenced to 52 months in prison by a federal court in Alexandria, Virginia after pleading builty in May 2017 to including unauthorized access to a protected computer and aggravated identity theft after being extradited from Romania. Page 305 | Chapter 9 | Appendix A A APPENDIX TABLE A Major Cybercrime by Individuals/Groups Continued from last page Major Cybercrime by Individuals/Groups Cyber Crime Syndicate Affected Target(s) of attack Damages Responding Entity Indictment(s) Case information Resources Jurisdictions Incurred The Yanbian Gang Origin: the Yanbian Targeted mobile The Yanbian Yanbian gang hack was first N/A N/A http://www.securityweek.com/cyber- Prefecture in Jilin, banking customers cybergang documented and detailed by gang-steals-millions-mobile-banking- China. of at least five banks is thought to Trend Micro Mobile Threat customers-south-korea in South Korea since have stolen Team. Target: South http://www.securityweek.com/chinas- 201. These banks millions from Korea cybercrime-marketplace-boomed- included B Kookmin at least five 2013-trend-micro Bank, NH Bank, korean banks. Hana Bank, Shinhan http://www.securityweek.com/16-milli Bank, and Woori on-mobile-devices-infected-malware- Bank. 2014-alcatel-lucent http://www.securityweek.com/inside- chinas-market-mobile-cybercrime http://www.trendmicro.com/cloud- content/us/pdfs/security-intelligence/ white-papers/wp-the-south-korean- fake-banking-app-scam.pdf New York Money Origin: Based in Bank accounts Stole more FBI agents and agents of the 37 people were “Semenov... was http://www.wired.com/2010/09/zeus- Mules Online Bank Eastern Europe but belonging primarily than $3 million Secret Service, ICE, and the charges in 21 cases. charged with botnet-ring/ Fraud Scheme’ had money mule to small businesses State Department’s Diplomatic “An arrest warrant was conspiracy to http://www.rferl.org/content/ network in U.S. and municipalities. Security Service carried out issued for Semenov in commit bank fraud; In_US_Cybercrime_Case_Track_ arrests in this multi-defendant the Southern District conspiracy to possess Target: U.S. Record_Indicates_Russia_Willing_To_ case targeting overseas of New York on false identification Cooperate/2185564.html computer hackers. September 29, 2010, documents; and false after he was charged use of passport” with conspiracy to retrieved from commit bank fraud; http://www.fbi.gov/ conspiracy to possess wanted/cyber/artem- false identification semenov/view documents; and false use of passport.” Page 306 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) DDoS Attack against Origin: Korea National (Central) Not related to 1. N  ational Police Agency in Korean Supreme Legal provisions: N/A. 1. KSPO Press Release: National (Central) Election Commission this case cooperation with National Court Decision 2012 Target: Korea Potentially relevant http://www.spo.go.kr/seoul/ Election Commission Homepage, Finding Cyber Security Center and Do 16086 Decided provisions: notice/notice/notice01. Homepage the polling place March 28, 2013,  eoul Central District 2. S jsp?mode=view&board_ Function available at: http:// 1. Act on Promotion (2011, October, 26) Prosecutors’ Office Special no=116&article_no=523931 glaw.scourt.go.kr/ of Information and Investigation Team in Communications  hosun Ilbo (English Edition), 2. C cooperation with Korea Network Utilization News: Internet Security Agency did and Information investigation. http://english.chosun.com/sit Protection, etc.; e/data/html_dir/2011/10/27/201 Articles 48, Paragraph 1102701142.html 3; 71, Subparagraph 10; 2. Act on the Protection of Information and Communications Infrastructure, Articles 12; 28; 3. Public Officials Election Act, Article 237, Paragraph 1 Page 307 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Prosecution v. Baksa Origin: Hungary Mainly: Copyright- N/A Hungarian law enforcement N/A N/A UNODC, Cybercrime Repository: Timea and Others protected content Relevant Info: searched 5 server rooms, Target: Hungary http://www.unodc.org/cld/case- Seizedmoney- seized 48 servers . In response (Criminal activities law-doc/cybercrimecrimetype/hun/ 48,000,000 HUF to Hungarian authorities started in 2002) prosecution_vs._baksa_timea_and_ The criminal request sent out to Romanian others.html organization authorities via INTERPOL engaged channels, the information on in money the death of the leader of the laundering criminal orgs was obtained. (proceeds of illegal activities) assisted by Ukrainian nationals (According to law enforcement info-761,000,000 HUF between 2007 and 2009). Credit Card Data Theft Origin: Romania Credit card data of N/A During the house searches N/A Legal Provisions: UNODC Cybercrime Repository in Romania wealthy tourists in executed at the premises of Target: Touristic 1. Law No. 39 of 2003 http://www.unodc.org/cld/case- Croatia and Turkey the defendants were found (2015) areas in Croatia and on preventing and law-doc/cybercrimecrimetype/rou/ skimming devices. A computer Turkey combating organized credit_card_data_theft_in_romania. search revealed that the crime, Aricle.7, html defendants used software able Paragraph 1 (Initiation to read the magnetic tracks of or constitution of an credit cards. organized criminal group). 2. Law No. 365 of 2002 on electronic commerce, Article 25 (Possession of equipment with a view to forging electronic means of payment). Page 308 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Online Storage Origin: Republic of (Copyright- Not specified, Seoul Central District N/A Specific provisions are KSPO Press Release: Companies, Aiding Korea Protected) but the Prosecutors’ Office not provided: Possibly http://www.spo.go.kr/seoul/ and Abetting Violation Work proceeds of relevant provisions: Target: Republic of notice/notice/notice01. of Copyright Act, etc. illegal activities Korea (1) Aid, Abet Violation jsp?mode=view&board_ through leaving (Not specified, but the of Copyright Act no=116&article_no=533012 the (copyright- investigation result was Copyright Act, Article protected) released to the press 136, Paragraph 1; work (illegally on April 20, 2012) Copyright Act, Article uploaded) 140, Sub-paragraph 1 on the online 1; Criminal Act, Article storage sites : 32, Paragraph 1; 1,140,000,000 Won (according (2) Violation of to the Seoul Copyright Act: Article Central District 136, Paragraph 1;’ Prosecutors’ Copyright Act; Article Office info) 140, Sub-paragraph 1 Apprehension of Voice Origin: Republic of Individuals with Three billion four Seoul Central District N/A Specific provisions: KSPO Press Release Phishing Organization Korea poor credit ratings hundred million Prosecutors’ Office NA. http://www.spo.go.kr/seoul/ in the Republic of and who need loan Won (KRW 3,400, Target: Republic of Possibly relevant notice/notice/notice01. Korea -Voice Phishing services 000, 000) Korea provisions: 1, Criminal jsp?mode=view&board_ against Low Credit Act, Article 347 no=116&article_no=533736 Individuals in the (Fraud); 2. Act on Dorm of Fake Loans the Aggravated (From November, 2011 Punishment, etc. of to April, 2012) Specific Economic Crimes, Article 3, Paragraph 1, Subparagraph 2 (Aggravated Punishment of Specific Property Crime) Page 309 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Fraudulent eBay Origin: Romania users of eBay Fraudsters Romanian authorities[Romanian N/A N/A 1. SC Magazine News: Auctions in Romania auctions located in stole the Euro Directorate for Investigating Target: Spain, http://www.scmagazine.com/ different countries equivalent of Organized Crime and Terrorism (Between 2006 and Italy, France, New romanian-police-fbi-break- more than $1 (DIICOT)], in conjunction 2009) Zealand, Denmark, up-70-strong-ebay-fraud-ring/ million. with U.S. law enforcement (in Sweden, Germany, article/167554/ partnership with the FBI and Austria, the United U.S. Secret Service from the 2. UNODC Cybercrime Repository: States, Canada and U.S. Embassy in Bucharest), http://www.unodc.org/cld/case- Switzerland arrested alleged offenders. law-doc/cybercrimecrimetype/ rou/fraudulent_ebay_auctions_ in_romania.html Operation Exposure Origin: The 1. Governmental N/A With the support of Europol, N/A Specific legal 1. UNODC Cybercrime Repository: servers used for agencies of the U.S., law enforcement agencies provision are not (Date of arrest: http://www.unodc.org/cld/case- the purposes of Israel, Tunisia and of the involved countries available. According to February, 2012) law-doc/cybercrimecrimetype/ administration of Uganda websites; 2. carried out the investigation UNODC Cybercrime esp/operation_exposure.html some of the secure child pornography (1. Simultaneous arrests; 2. Repository, the communication websites; 3.copyright Search and seizure; 3. Server suspects were 2. EUROPOL Press Release: channels used protection disruptions and 4. Expedited charged with illegal https://www.europol.europa. by Anonymous institutions; religious preservation of computer data) interference, breach of eu/newsroom/news/hacktivists- were hosted by entities; and private privacy and disclosure arrested-in-spain companies located corporations, of confidential in Czech Republic including PayPal, information. and Bulgaria, MasterCard, Visa although they were and Sony websites remotely controlled from Spain. Target: Unclear. However, among its victims are governmental agencies of the U.S., Israel, Tunisia and Uganda. Page 310 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Violation of Criminal Origin: Korea Divulged personal 1. Proceeds from Prosecutors, Police, Judges [1] Korean Supreme 1. Criminal Act, Korean Court Decisions on this Act, Act on Promotion Information of acquiring game Court Decision 2014 Art. 347-2; 2. Game case, available at: Target: Korea of Information and another person items (jointly with Do 8838 Decided Industry Promotion http://glaw.scourt.go.kr/wsjo/ Communications defendant 1): Nov. 13, 2014; [2] Act, Arts. 32, Para. intesrch/sjo022.do Network Utilization KRW 125, 678, Seoul Central District 7, and 44, Para 1, and Information 400 2. Proceeds Court Decision 2012 Subpara 2. [and its Protection, etc., from the sale No 323 Decided Jun. Enforcement Decree, and Game Industry of game items 26, 2014, and [3] Seoul Art. 18-3., Para. Promotion Act (1) Jointly with Central District Court 3, Subpara c. and defendant 1: Decision 2013 Go Dan Former Enforcement (2009-2013) KRW 405, 471, 4451, 2013 Go Dan Decree (prior to the 229 (2) Solely 4488 (Consolidation) Amendment No. by defendant 2: Decided Jan. 15, 23863, June 19, 2012) KRW 1,901, 266, 2014, available at: Art. 18-3, Subpara. 3.; 177 http://glaw.scourt. 3. Act on Promotion go.kr/wsjo/intesrch/ of Information and sjo022.do Communications Network Utilization and Information Protection, etc., Arts. 28-2, Para 2. and 71, Subpara 6. Prosecution of People Origin: Republic of Stolen Personal N/A Police officers and prosecutors, N/A Violation of 1. Personal KSPO Press Release: Who Stole Personal Korea Information/Data in collaboration with Information Protection http://www.spo.go.kr/seoul/notic Information and Data, mobile phone companies Act, 2. Criminal Act, 3. Target: Republic of e/notice/notice01.jsp?mode=view Forged National (private sector) and sharing Act on the Aggravated Korea &board_no=116&article_ Identity Cards, investigation know-how Punishment, etc. of no=585659 Illegally Opened Cell between police officers and Specific Economic Phone Accounts prosecutors, carried out Crimes 4. Act investigation. on Promotion of (February, 2011 to Information and August, 2013) Communications Network Utilization and Information Protection, etc., and 5. Radio Wave Act Page 311 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Arrest of an Origin: China, Korea Personal N/A Seoul Central District N/A Specific legal KSPO Press Release: organization based Information/data Prosecutors’ Office provisions are not Target: Korea http://www.spo.go.kr/seoul/ in China which provided. Attackers notice/notice/notice01. asked hacking and 1, 2, 5, 8 and 9 were jsp?mode=view&board_ selling/supplying or charged with violation no=116&article_no=572591 purchasing personal of Act on Promotion information/data of Information and Communications (From May, 2012 to Network Utilization February, 2014) and Information Protection, etc. according to KSPO press release. Credit Card Origin: Republic of Customer The customer Changwon District Prosecutors’ N/A Specific law and legal 1. KSPO Press Release: Companies, leakage of Korea information (Personal data of at least Office provision are not http://www.spo.go.kr/ customer information Information held by 26 million available. However, Target: Republic of spo/notice/press/press. in the Republic of credit card firms) (26,000,000) posisbly relevant law: Korea jsp?mode=view&board_ Korea including financial people was Violation of Personal no=2&article_no=567739 data illegally Information Protection (From May, 2012 to collected. Act 2. ZDNet, Security, Newsletter December, 2013) http://www.zdnet.com/article/ south-korean-credit-card-firms- suspended-over-data-breach/ Page 312 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Apprehension Origin: Republic of USD $11, 000,000 Commercial In cooperation with (or Indictment(s)/Court According to KNPA Korean National Police Agency 1.  of members of a Korea (“”Korea””) [KRW 12,200,000,000] Banks (located “Through mutual assistance”) Decision(s): Not press release, legal (KNPA) Press Release: criminal organization [Additional issue: in U.S.) Federal Bureau of Investigation publicly available provisions applicable Target: (Commercial http://www.spo.go.kr/ that committed Money laundering] (FBI), Korean National Police online as of June 2, to this case is 1. Banks located in) spo/notice/press/press. international financial Agency (KNPA) identified this 2015 Article 347, Paragraph U.S. jsp?mode=view&board_ scams organization and arrested 1 (Fraud); 2. Article no=2&article_no=567739 its members (Nigerians and 231 (Counterfeit or (From January, 2011 to Korean) located in Korea during Alteration of Private 2. Hankook Ilbo News News, July, 2012 (1 year and 7 the period of time ranging Document, etc.); 3. http://www.koreatimes.com/ months)) from July 19, 2012 to October Article 234 (Uttering article/836700 8, 2012. of Falsified Private Document, etc.) of the Criminal Act. The organization that Origin: Korea Computer system By manipulating Seoul Central District N/A All relevant legal  orea Joongang Daily, Social 1. K illegally won (online) of Nara Jangteo, the lowest Prosecutors’ Office provisions are not Affairs, News: Target: Korea construction bids of Korea’s online bidding price, provided. However, http://koreajoongangdaily. Nara Jangteo, Korea’s e-procurement the companies possibly relevant joins.com/news/article/article. online e-procurement system, which is won 77 legal provisions: 1. aspx?aid=2981472 system through operated by the construction Criminal Act, Article hacking a computer Public Procurement bids, worth a 347-2 (Fraud by Use 2. KSPO Press Release: system was busted Service (PPS) total of 110 of Computer, etc.) 2. http://www.spo.go.kr/seoul/ billion won. Criminal Act, Article notice/notice/notice01. (From May 2011 to 315 (Interference with jsp?mode=view&board_ October 2012) Auction or Bidding) 3. no=116&article_no=565540 Act on the Protection of Information and Communications Infrastructure, Articles 12; 28 Page 313 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Operation Imperium Origin: European 1. Credit/financial N/A Bulgarian and Spanish law N/A N/A, however, 1. UNODC Cybercrime Repository: countries card data; 2. (ATM) enforcement and judicial according to (Date of incident: http://www.unodc.org/cld/case- Payment system agencies together with UNODC Cybercrime Unclear Date of arrest: Target: 1. Obtaining law-doc/cybercrimecrimetype/ Europol’s European Cybercrime Repository, 31 September 30, 2014) credit card info in EU bgr/2014/operation_imperium. Centre (EC3) did a joint members of an (e.g. Italy, France, html operation. 26 arrests & 40 organized criminal Spain, Germany, house searches in Bulgaria five group were arrested 2. EUROPOL Press Release: and Turkey), 2. arrests and two house searches for ATM skimming, https://www.europol.europa.eu/ Withdrawing cash: in Spain. electronic payment content/31-arrests-operation- outside EU (e.g. fraud, forgery of against-bulgarian-organised- in Peru and the documents and other crime-network Philippines). crimes (possibly breach of privacy or data protection measures). Pletnyov Operation Origin: Not explicitly Targeted U.S. and N/A This investigation was N/A. However, N/A. However, UNODC Cybercrime Repository: state jurisdictional other nationals conducted by the FBI- according to according to (July 2005 - November http://www.unodc.org/cld/case- origin. According to who were using Hungarian National Bureau of UNODC Cybercrime UNODC Cybercrime 2006) law-doc/cybercrimecrimetype/usa/ UNODC Cybercrime E-bay or other web Investigation (HNBI) Organized Repository, the Repository, all of pletnyov_operation.html Repository, victims sites subject to Crime Task Force located indictment expressly the defendants funds were wired defendants’ cyber in Hungary. (Bilateral and charged the were charged and to Hungary, attacks in issue multilateral cooperation) defendants with adjudicated in federal Slovakia, the Czech conspiracy to launder court in the District of Republic and Poland money and conspiracy Columbia. (Thus, it is controlled by co- to commit wire fraud. presumed that U.S. conspirators. laws were applied to this case). Target: Attackers targeted U.S. and other nationals with online fraud Page 314 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Operation against Origin: Involved Operation of remote N/A According to EUROPOL’s press N/A N/A. However,  NODC Cybercrime Repository: 1. U Remote access Trojans countries: several access Trojans release, the operation was according to http://www.unodc.org/cld/case- EU countries led by France- working with UNODC Cybercrime (Date of arrest: around law-doc/cybercrimecrimetype/ According to Europol’s European Cybercrime Repository, the use November 2014 fra/2014/operation_against_ UNODC Cybercrime Centre (EC3) and the involved of remote access in according to EUROPOL remote_access_trojans.html Repository, the European countries (Estonia, Europe is punished by Press Release) international France, Romania, Latvia, Italy, a number of offences, 2. EUROPOL’s Press Release: operation – led by and U.K.) authorities. including illegal access https://www.europol.europa.eu/ France - resulted to computer data, content/users-remote-access- in the arrest of breach of privacy and trojans-arrested-eu-cybercrime- 15 individuals in illegal interception. operation Estonia, France, Romania, Latvia, Italy and the U.K. Target: Involved countries: several EU countries According to UNODC Cybercrime Repository, the international operation – led by France - resulted in the arrest of 15 individuals in Estonia, France, Romania, Latvia, Italy and the U.K. Page 315 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Operation Stop Origin: Jurisdictional Employees of the N/A International cooperation N/A N/A UNODC Cybercrime Repository: Intrusion origin: Not Italian Ministry of (including INTERPOL) through http://www.unodc.org/cld/case- explicitly provided. Foreign Affairs and the 24/7 Network as well as law-doc/cybercrimecrimetype/ita/ [Countries involved other civil servants’ formal cooperation. The 24/7 operation_stop_intrusion.html in the operation: credentials and Network is intended to offer 1. Romania, 2. access restricted computer crime investigators Malaysia, and 3. information a fast and reliable channel Italy] to request preservation of computer evidence. Further Target: Jurisdictional evidence was later obtained target: Not through formal mutual legal explicitly provided. assistance procedures. [Countries involved in the operation: 1. Romania, 2. Malaysia, and 3. Italy] Page 316 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Investigation on Origin: N/A, but a cyber attack on According to the Moroccan police was informed N/A [According to According to UNODC Cybercrime Repository: “DIABLO” and possibly Morocco several multinational victims, this virus by their American counterparts UNODC Cybercrime UNODC Cybercrime http://www.unodc.org/cld/case- “CODER” (Moroccan groups (With specific caused more of a cyber attack. The Repository, no Repository, the law-doc/cybercrimecrimetype/ police identified regard to one of than USD $ 5 investigation by the Moroccan information on relevant offences mar/investigation_on_diablo_and_ three alleged suspects: stolen million in losses. police led to the identification the proceedings is are codified in the coder.html perpetrators, two credit card data of three alleged perpetrators, available.] Moroccan Penal Code, Moroccans and and passwords two Moroccans and one Turk. in particular Articles one Turk after from multinational This case is considered to be 607-11 and 607-3. being informed companies’ the first cybercrime case in by their American websites) Morocco. Judicial and police counterparts) international cooperation proved to be key in order to Target: Not identify the suspects. provided in UNODC Cybercrime Repository, but possibly includes U.S. Besides, a suspect used the stolen data to withdraw large sums of money from bank accounts of people living in Russia. Page 317 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) U.S. vs. 18 defendants Origin: Counts 1, 2, 1. Personal According to 1. U.S. ICE 2. U.S. Homeland Indictment: 1. Count 1 : 18 U.S.C. 1. UNODC Cybercrime Repository: and 3: In Harrison identification U.S. ICE news, Security Investigations (HSI) 3. http://www.ice.gov/ § 1341, 1343, 1344 & [Joint U.S. - South http://www.unodc.org/cld/case- County, in the information (PII) this financial South African Police Service’s doclib/news/releases/ 1349 2. Count 2: 18 Africa Operation] law-doc/cybercrimecrimetype/ Southern Division of 2. Credit card/ fraud scam has Directorate for Priority Crime 2014/140521pretoria. U.S.C. §1028 (a)(7); usa/joint_us_-_south_africa_ (2001-2014) the Southern District bank data; and resulted in the Investigation 4. South Africa’s pdf 1029 (a)(3); 1029(a)(5); operation.html of Mississippi Information on loss of millions of Crime Intelligence 5. INTERPOL 641; & 371 3. Count 3: and elsewhere. credit card/bank U.S. dollars. 6. South Africa Tactical 18 U.S.C. § 1341  .S. Immigration and Customs 2. U Defendants were accounts, etc. 3. Response Team 7. South Africa Enforcement (ICE), News: resided & arrested United States Postal Department of Home Affairs – http://www.ice.gov/news/ in U.S., Canada, and Service (U.S.P.S.) Immigration releases/cyber-financial-fraud- South Africa. shipping labels 4. investigation-nets-numerous- Government funds, arrests-south-africa-canada-us Target: Not etc. specified. However, according to U.S. Immigration and Customs Enforcement (ICE) news, investigators have so far identified hundreds of victims to this financial fraud scam in the U.S. Page 318 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) U.S. v. Kilbride Origin: Defendants Individuals who N/A U.S. Ninth Circuit Court of Information on court 1. Computer Fraud UNODC Cybercrime Repository: operated of their received defendants’ Appeals: The court affirmed decision: and Abuse Act, (2003) http://www.unodc.org/cld/case- business overseas, emails the defendants’ convictions 18 U.S.C. § 1037(a)(3), http://www.nyls.edu/ law-doc/cybercrimecrimetype/ running it through and sentences and recognized § 1037(a)(3) and (a)(4); wp-content/uploads/ usa/2009/us_v_kilbride.html Ganymede that there was a clerical error 2. 18 U.S.C. § 1462; 3. sites/141/2013/08/ Marketing with regard to counts 1-3 (the 18 U.S.C. § 1465; 4. 18 584-F.3d-1240-US-v.- (“Ganymede”), a CAN-SPAM Act offences) and U.S.C. § 1956; and =5. Kilbride.pdf Mauritian company, remanded. 18 U.S.C. § 2257.[The and using servers court recognized there located in the was a clerical error with Netherlands. regard to acts relating to the CAN-SPAM Act Target: Unclear, but (15. U.S.C.) offenses including individuals and remanded.] located in U.S. [U.S. government called 8 witnesses from various parts of the country who had complained to the Federal Trade Commission about defendants’ emails.] Page 319 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Operation: In Origin: Jurisdictional Patent holders of (Computer- 1. EUROPOL and U.S. N/A N/A 1. UNODC Cybercrime Repository: Our Sites (IOS) Origin: Unrelated infringed websites related or online) Immigration and Customs http://www.unodc.org/cld/case- Transatlantic V to this operation. and the customers Infringement Enforcement (ICE) Homeland law-doc/cybercrimecrimetype/ [the transnational (Countries who purchased of IP Rights Security Investigations xxx/operation_in_our_sites_ios_ operation – called involved in this counterfeit goods by selling, (HSI) together with 25 law transatlantic_v.html ‘In Our Sites (IOS) operation: several from the infringed purchasing enforcement agencies from Transatlantic V’] EU countries and websites (or trafficking) 19 countries carried out this 2. EUROPOL Press Release: U.S. according to counterfeit investigation. https://www.europol.europa. (Date of incident: UNODC Cybercrime products on eu/content/292-internet- Unrelated to this 2. Trademarks holders reported Repository) websites by domain-names-seized-selling- operation , Date of several infringing websites to infringing IP counterfeit-products seizure of Intellectual Target: Unrelated EUROPOL and U.S. National rights’ holders Property (IP) to this operation Intellectual Property Rights infringing websites: (Countries Coordination Center (IPR since November involved in this Center), which alerted the 2012 (according to operation: several competent national authorities UNODC Cybercrime EU countries and Repository)) U.S. according to UNODC Cybercrime Repository) Page 320 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Operation Strikeback Origin: Unrelated Victims of Online sexual INTERPOL Digital Crime Centre N/A N/A 1. UNODC Cybercrime Repository: to this operation ‘sextortion’ exploitation (IDCC) launched the operation (Date of incident: http://www.unodc.org/cld/case- (Countries involved (online sextortion in cooperation with Police unrelated to this law-doc/cybercrimecrimetype/ in this operation: cases) Scotland, the US Immigration operation, Date phl/operation_strikeback.html Philippines, U.K., and Customs Enforcement of launch of this U.S., Australia, (ICE), the Philippines 2. INTERPOL Press Release: operation: late in 2013) Indonesia, Malaysia, Department of Justice Office http://www.interpol.int/News-an Republic of Korea of Cybercrime, the U.K.’s d-media/News/2014/N2014-075 according to National Crime Agency CEOP UNODC Cybercrime Command, the Hong Kong  imeline of Operation Strikeback 3. T Repository) Police Force and the Singapore combating ‘sextortion’ Police Force. The investigators http://www.unodc.org/res/cld/ Target: Unrelated identified (1) victims in a case-law-doc/cybercrimecrimet to this operation number of jurisdictions, ype/phl/operation_strikeback_ (Countries involved including Indonesia, the html/2014-075-Timeline-of- in this operation: Philippines, the U.K. and the Operation-Strikeback.pdf Philippines, U.K., U.S. and (2) potential victims in U.S., Australia, Australia, Hong Kong, Korea, Indonesia, Malaysia, Malaysia and Singapore. Republic of Korea according to UNODC Cybercrime Repository) Page 321 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Facebook, Inc. v. Origin: (Name of the Facebook servers N/A According to UNODC case Info, TRO: https://cases. 1. Controlling the UNODC, Cybercrime Repository: Jeremy Fisher, etc. State, U.S. where (located in California) the U.S. District Court for the justia.com/federal/ Assault of Non- http://www.unodc.org/cld/case- the defendants Northern District of California district-courts/califorSolicited Pornography (Since November 2008) law-doc/cybercrimecrimetype/ resided or located) San Jose Division issued nia/candce/5:2009c and Marketing Act of usa/2009/facebook_inc_v_jeremy_ D1, D4: New an Order Granting Motion v05842/222386/21/0. 2003 (CAN-SPAM), fisher.html York; D2, D5, D6 for a Temporary Restraining pdf?ts=1377125623 15 U.S.C. § 7701, California; D3, D7: Order (TRO) upon request of etseq,; 2. Computer Order granting Colorado Facebook. [Further details to Fraud and Abuse Act, plaintiff’s motion be checked by review of the 18 U.S.C. § 1030; 3. Target: (Facebook for declaratory Complaint, TRO, and order California Business and servers located in) judgment: http://www. granting plaintiff’s motion for Professions Code,§ California plainsite.org/dockets/ declaratory judgment.] 22948, The California download.html?id=24 Anti-Phishing Act of 299386&z=e2682a55 2005; 4. California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502. Microsoft (MS) v. Origin: Texas and (1) Infecting Infecting more MS Digital Crimes Unit Complaint: http:// 1. Computer 1. UNODC Cybercrime Repository: ZeroAccess Botnet the Western District computers of than 2 million disrupted a botnet in botnetlegalnotice. Fraud and Abuse http://www.unodc.org/cld/case- operators [Operation: of Texas, U.S. individuals: computers, collaboration with (1) com/zeroaccess/files/ Act, 18 U.S.C. § law-doc/cybercrimecrimetype/ Disruption of the Computers of specifically EUROPOL’s European Cmplt.pdf 1030 2. Electronic Target: 1. xxx/2013/operation_disruption_of_ ZeroAccess botnet] individuals targeting Cybercrime Centre (EC3); (2) Communications ZeroAccess Infected Temporary Restraining the_zeroaccess_botnet.html search results law enforcement cybercrime Privacy Act, 18 U.S.C. (2013) Computers: (2) Online advertising Order(s): 1) Jason on Google, units from Germany, Latvia, § 2701 3. Trademark 2. Microsoft News Center: located in U.S. and fraud (browser Lyons, http://botnetle Bing and Yahoo Luxembourg, Switzerland and Infringement Under http://news.microsoft.com/2013 Europe; 2. Infected hijacking and click galnotice.com/zeroac search engines, the Netherlands; (3) FBI; and the Lanham Act, 15 /12/05/microsoft-the-fbi-europol- computers relied fraud): MS, and its cess/files/Decl_Lyons. and is estimated (4) leaders in the technology U.S.C.§ 1114 et. Seq. and-industry-partners-disrupt-the- on servers located advertiser , and/or pdf to cost online industry, including A10 4. False Designation notorious-zeroaccess-botnet/ at 18 IP addresses customers advertisers $2.7 Networks Inc. 2) David Anselmi, of Origin Under the and 49 Internet 3. EUROPOL Press Release million each http://botnetlegalnot Lanham Act, 15 U.S.C. domains maintained month. ice.com/zeroaccess/ § 1125(a) 5. Trademark https://www.europol.europa.eu/co by defendants at files/Decl_Anselmi.pdf Dilution Under the ntent/notorious-botnet-infecting-2- hosting companies Lanham Act, 15. U.S.C. million-computers-disrupted in Germany, Latvia, § 1125 (C) Switzerland, Luxembourg, and the Netherlands. Page 322 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) U.S. v. Blake Benthall Origin: Southern 1. Computer-related Amount of According to FBI , 1. FBI Complaint: http:// 1. Narcotics trafficking 1. UNODC Cybercrime Repository, District of New York, illicit trafficking in damages: N/A. with help from the following, www.justice.gov/usao/ conspiracy: 21 (Title [Operation Onymous http://www.unodc.org/cld/case- U.S. and elsewhere goods and services According to among others, 2. New York nys/pressreleases/Nov 21). U.S.C. (United (an operation law-doc/cybercrimecrimetype/xxx/ (in drugs, fraudulent the FBI, as of State Police, 3. Department ember14/BlakeBentha States Code), § launched by law Target: Not operation_onymous.html identification September 2014, of Justice’s Computer Crime llArrestPR/Benthall,%2 (Section) 846; 2. enforcement officers specified in a documents and Silk Road 2.0 and Intellectual Property 0Blake%20Complaint. Conspiracy to commit 2. EUROPOL Press Release, and prosecutors in 16 complaint, but computer-hacking was generating Section, 4. Drug Enforcement pdf. and aid and abet https://www.europol.europa.eu/ European countries possibly global, services) sales of at least Administration; and 5. law computer hacking: content/global-action-against- and U.S., coordinated including Southern approximately enforcement authorities of 18. U.S.C. § 1030(b); dark-markets-tor-network with EUROPOL in Nov. District of New York, 2. Computer-related $8 million per France, Germany, Lithuania, 3. Conspiracy to 2014)] U.S. and elsewhere money laundering 3. FBI Press Release, month and the Netherlands, and the transfer fraudulent (A Tor network is a (1. Providing a platform approximately U.K. According to UNODC, identification https://www.fbi.gov/contact-us/ worldwide network) for illicit trafficking 150,000 active 6. service providers and 7. documents: 18. U.S.C. field-offices/newyork/news/press- in goods and users. EUROPOL § 1028 (f); and 4. releases/operator-of-silk-road-2.0- services (fraudulent Money laundering website-charged-in-manhattan- identification docs, conspiracy: 18. U.S.C. federal-court drugs, hacking § 1956 (h) services): Nov. 2013 to Oct. 2014 2. Money laundering: Dec. 2013 to Oct. 2014) Page 323 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) UEJF and LICRA v Court’s Location: N/A Computer- N/A N/A Court Decision: The UNODC Cybercrime Repository: Yahoo! Inc and Yahoo France related acts court ordered Yahoo! http://www.unodc.org/cld/case- France involving racism Inc. to take all the Place where law-doc/cybercrimecrimetype/ and xenophobia measures necessary to (2000) defendants are fra/2000/uejf_and_licra_v_yahoo_ dissuade and prevent incorporated: inc_and_yahoo_france.html access to auctions for Yahoo, France: Nazi memorabilia and France; Yahoo! Inc.: content supporting USA Nazism. The court ordered Yahoo, France to warn users that, should Yahoo’s search results include content prohibited under French law, they shall refrain from accessing such content to avoid incurring legal sanctions. Legal Provision: French Criminal Code, Article R645-1 which prohibits to “wear or exhibit” in public uniforms, insignias and emblems which “recall those used” by (i) an organization declared illegal in application of Art. 9 of the Nuremberg Charter, or (ii) a person found guilty of crimes against humanity. Page 324 | Chapter 9 | Appendix A A APPENDIX Cybercrime Targeting Non-Financial Institutions TABLE A and Financial Institutions Continued from last page Cybercrime Targeting Non-Financial Institutions and Financial Institutions Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case info. Resources Jurisdictions Incurred (legal provision that case was charged under) Yahoo! Inc. v UEJF and Court location: U.S. N/A Computer- N/A N/A U.S. Supreme Court’s UNODC Cybercrime Repository: LICRA related acts Decision: Proceeding Location where http://www.unodc.org/cld/case- involving racism 5 (2006) The Supreme (1. District Court, defendants are law-doc/cybercrimecrimetype/ and xenophobia Court denied LICRA’s Proceedings 1 and incorporated: 1. usa/2006/yahoo_inc_v_uejf_and_ [Allowing users request to issue an 2: 2001, 2. Court of UJEF (Union of licra_.html to post Nazi order to review the Appeals for the Ninth French Jewish paraphernalia judgment (certiorari), Circuit, Proceeding 3: Students): and Third Reich http://www.unodc.org/ 2004; Proceeding 4: French non-profit memorabilia, res/cld/case-law-doc/cy 2006; and 3. Supreme organization 2. in violation of bercrimecrimetype/usa/ Court, Proceeding 5: LICRA (International Article R645-1 of 2006/yahoo_inc_v_uejf 2006) League against French Criminal _and_licra__html/Supre Racism and Anti- Code on Yahoo! me_Court_Certiorari.pdf Semitism): French Inc.run-auction organization Issue 1. legitimacy of websites.] limitations to freedom of expression: The need for a balance between freedom of expression and prohibition of online illegal speech has been addressed in different ways under different jurisdictions. Issue 2. Extraterritorial applicability of domestic laws: Transnational character of online communications challenges the concept of traditional jurisdiction. Asserting jurisdiction over website operators cause concerns over applicability of laws of the country where their websites are accessible. Page 325 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred Flame and Stuxnet Origin: U.S. & Israel Intelligence and N/A N/A N/A N/A http://rt.com/news/flame- destroys capacity stuxnet-kaspersky-iran-607/ Target: Iran, Lebanon, Syria, http://www.wired.com/2012/05/ Sudan and Israeli flame/ occupied territories Operation Ghost Origin: Estonia Over 4 million By rerouting The U.S. FBI, NASA OIG, https://www.fbi.gov/ N/A http://www.fbi.gov/news/ Click computers were internet traffic to and the Estonian Police and newyork/press-rele stories/2011/november/ Target: U.S. infected in more websites which Border Guard Board led the ases/2011/manhatta malware_110911 (2007-Oct. 2011) than 100 countries. allowed for the investigation. The National n-u.s.-attorney-charg https://www.fbi.gov/newyork/ In the U.S., 500,000 perpetrators High Tech Crime Unit of es-seven-individuals- press-releases/2011/ computers were to be paid, the Dutch National Police for-engineering-soph manhattan-u.s.-attorney- infected including the operation Agency. The FBI and NASA isticated-internet-fra charges-seven-individuals-for- those used by generated OIG received assistance ud-scheme-that-infe engineering-sophisticated- individuals, as $14 million in from multiple domestic and cted-millions-of-com internet-fraud-scheme-that- well as computers illegitimate international private sector puters-worldwide-an infected-millions-of-computers- housed in income. partners, including Georgia d-manipulated-intern worldwide-and-manipulated- businesses and Tech University, Internet et-advertising- internet-advertising-business government Systems Consortium, Mandiant, business entities such as National Cyber-Forensics and NASA. Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG) Page 326 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred Morpho Cyber Origin: N/A High profile confidential Detection by individual N/A N/A http://www.computerweekly. Espionage technology, information companies and private sector com/news/4500249597/Sym Target: U.S., internet, and intellectual entities such as Semantec. antec-uncovers-Morpho-cyber- (2012-present) Europe, and Canada commodities, and property espionage-operation pharmaceutical companies. Pawn Storm Origin: N/A Military, diplomatic Data Researchers at Trend Micro N/A N/A http://www.computerweekly. and defence uncovered the scheme. com/news/2240233415/Rese (2014) Target: U.S., industry archers-uncover-sophisticated- Europe, and cyber-espionage-campaign Pakistan State of Tamil Nadu Origin: India A known family Obscene, Police responded by tracing N/A “The accused is found guilty http://lawmantra.co.in/ vs. Suhas Katti friend who refused defamatory the accused to Mumbai and of offences under section tamil-nadu-v-suhas-katti-2004- Target: India to marry Suhas Katti and annoying arresting him following a 469, 509 IPC and 67 of IT case-related-to-the-posting- (2/1/2004) messages in a camplaint made by the victim. Act 2000 and the accused is of-obscene-messages-on-the- Yahoo message convicted and is sentenced internet/ group for the offence to undergo RI for 2 years under 469 IPC and to pay fine of Rs.500/-and for the offence u/s 509 IPC sentenced to undergo 1 year Simple imprisonment and to pay fine of Rs.500/- and for the offence u/s 67 of IT Act 2000 to undergo RI for 2 years and to pay fine of Rs.4000/- All sentences to run concurrently.” Page 327 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred National Association Origin: India Software and N/A Delhi HC issued judgement in https://indiankano “The Delhi HC stated that http://cyber-law-web.blogspot. of Software and Service Companies the lawsuit on.org/doc/1804384/ even though there is no com/2009/07/case-study-cyber- Target: India Service Companies vs specific legislation in India law-nasscom-vs-ajay.html Ajay Sood & others to penalize phishing, it held phishing to be an illegal act (3/1/2005) by defining it under Indian law as “a misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused.” The court held the act of phishing as passing off and tarnishing the plaintiff’s image. The defendants were operating a placement agency involved in head- hunting and recruitment. In order to obtain personal data, which they could use for purposes of headhunting, the defendants composed and sent e-mails to third parties in the name of Nasscom. The high court recognised the trademark rights of the plaintiff and passed an ex- parte adinterim injunction restraining the defendants from using the trade name or any other name deceptively similar to Nasscom. The court further restrained the defendants from holding themselves out as being associates or a part of Nasscom.” Page 328 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred SMC Pneumatics Origin: India SMC Pnuematics cyber Court of Delhi https://indiankanoon “After hearing detailed http://www.mondaq.com/ India Pvt. Ltd. v. India Pvt. Ltd. defamation .org/doc/31110930/ arguments of Counsel for india/x/218890/Social+Media/ Target: India Jogesh Kwatra Plaintiff, Hon’ble Judge of the Cyber+Defamation+In+C Delhi High Court passed an orporate+World (2001) ex-parte ad interim injunction observing that a prima facie case had been made out by the plaintiff. Consequently, the Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs or to its sister subsidiaries all over the world including their Managing Directors and their Sales and Marketing departments. Further, Hon’ble Judge also restrained the defendant from publishing, transmitting or causing to be published any information in the actual world as also in cyberspace which is derogatory or defamatory or abusive of the plaintiffs.” Page 329 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred Vyakti Vikas Origin: India 4 individuals N/A Delhi High Court https://indiankanoon Defendant No.2 (D2) is an https://indiancaselaws. Kendra, India Public connected to the .org/doc/121103864/ “intermediary” within the wordpress.com/2013/10/23/ Target: India Charitable Trust India Public Trust, definition of Section 2(1) vyakti-vikas-kendra-india-public- THR Trustee Mahesh His Holiness Sri (w) and Section 79 of the charitable-trust-thr-trustee- Gupta & ORS vs. Sri Ravi Shankar, Information Technology Act, mahesh-gupta-ors-vs-jitender- Jitender Baggaa & and Art of Living 2000. Under Section 79(3) bagga-anr/ ANR. Teacher. (b) of the IT Act, 2000, D2 is under an obligation to (2013) remove unlawful content if it receives actual notice from the affected party of any illegal content being circulated/published through its service. D2 is also bound to comply with Information Technology (Intermediaries Guidelines) Rules 2011. Rule 3(3) of the said rules read with Rule 3(2) requires an intermediary to observe due diligence or publish any information that is grossly harmful, defamatory, libellious, disparaging or otherwise unlawful. Rule 3(4) of the said rule provides obligation of an intermediary to remove such defamatory content within 36 hours from receipt of actual knowledge. The said rule is cited below for easy reference. Page 330 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred United States v. Origin: US N/A (was an online The operator FBI http://www.nysd. Ross Ulbricht, “Dread Pirate https://www.bloomberg.com/ Ulbricht black market case) had over $28.5 uscourts.gov/cases/ Roberts,” was convicted news/articles/2017-05-31/silk- Target: US and million at the show.php?db=spe and sentenced to life in road-s-ross-ulbricht-must-serve- (2013) everywhere time of the cial&id=416 prison without the possibility life-sentence-court-says seizure of parole for conspiracy and money laundering charges from his role as the operator of the online black market “Silk Road.” Using cryptotechnology, the Silk Road facilitated the sale of controlled substances among other things. Page 331 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred Runescape Case Origin: Netherlands A Runescape player Virtual items of The Dutch Police https://uitspraken. On the 31st of January 2012, http://www.virtualpolicy.net/ the victim were rechtspraak.nl/#zo the Supreme Court of the runescape-theft-dutch-supreme- (2012) Target: Netherlands transferred to the ekverfijn/ljn=BQ92 Netherlands made a ground- court-decision.html virtual accounts 51&so=Relevance (in breaking decision with of the two Dutch) implications for the online defendants. gaming industry everywhere. It found that items in the online game RuneScape had been stolen from a player. This is revolutionary, as it is the highest national court in the West to rule that taking virtual objects in this way is theft under national criminal law. In 2007, the two defendants used violence and threats of violence to force the victim to log into the game of RuneScape and transferred virtual items and virtual currency from the victims account to their own. The Supreme Court upheld the conviction for theft as defined by the law of the Netherlands. Page 332 | Chapter 9 | Appendix A A APPENDIX TABLE A Other Forms of Cybercrime Continued from last page Other Forms of Cybercrime Cyber Crime Case Affected Target(s) of attack Damages Responding Entity Court Documents Case Information Resources Jurisdictions Incurred United States v. Origin: Naples, Children sexual abuse/ FBI and EUROPOL N/A Steven W. Chase, 58, the https://www.justice.gov/opa/pr/ Chase Florida (USA) exploitation of creator and lead administrator florida-man-sentenced-prison- children of Playpen, one of the world’s engaging-child-exploitation- (2017) Target: US and largest child sexual abuse enterprise everywhere websites with more than 150 000 users around the world, was sentenced to 30 years in prison for engaging in a child exploitation enterprise, advertising child pornography, transportation of child pornography and possession of child pornography. This case highlights the use of online forums on anonymous networks to abuse and exploit of innocent children. Page 333 | Chapter 9 | Appendix A A APPENDIX TABLE A Alternate Forms of Cybercrime Alternate Forms of Cybercrime Cyber Crime Case Attacker Date of Jurisdic- Jurisdic- Target(s) of Methodology of Indict- Responding Case information Resources Characteristics Incident tional itonal attack Attack ment(s) Entity (legal provision that case was charged under) Origin Target State of Tamil Nadu Suhas Katti: An Feb-04 India India A known “Posting of Police “The accused is found guilty of vs. Suhas Katti idividual who took family friend obscene, responded offences under section 469, 509 up harassmentvia who refused defamatory, by tracing the IPC and 67 of IT Act 2000 and the internet against to marry Suhas and annoying accused to the accused is convicted and a female target. Katti messages” about Mumbai and is sentenced for the offence to the victim in a arresting him undergo RI for 2 years under 469 yahoo message following a IPC and to pay fine of Rs.500/- group. The camplaint made and for the offence u/s 509 IPC harassment by the victim. sentenced to undergo 1 year Simple campaign also imprisonment and to pay fine of involved the Rs.500/- and for the offence u/s 67 creation of fake of IT Act 2000 to undergo RI for 2 emails and email years and to pay fine of Rs.4000/- All communications. sentences to run concurrently.” Page 334 | Chapter 9 | Appendix A A APPENDIX TABLE A Alternate Forms of Cybercrime Continued from last page Alternate Forms of Cybercrime Cyber Crime Case Attacker Date of Jurisdic- Jurisdic- Target(s) of Methodology of Indict- Responding Case information Resources Characteristics Incident tional itonal attack Attack ment(s) Entity (legal provision that case was charged under) Origin Target National Association A placement Mar-05 India India Software Phishing Delhi HC issued “The Delhi HC stated that even of Software and company involved and Service judgement in the though there is no specific Service Companies vs in headhunting and Companies lawsuit legislation in India to penalize Ajay Sood & others recruitment. phishing, it held phishing to be an illegal act by defining it under Indian law as “a misrepresentation made in the course of trade leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused.” The court held the act of phishing as passing off and tarnishing the plaintiff’s image. The defendants were operating a placement agency involved in head-hunting and recruitment. In order to obtain personal data, which they could use for purposes of headhunting, the defendants composed and sent e-mails to third parties in the name of Nasscom. The high court recognised the trademark rights of the plaintiff and passed an ex-parte adinterim injunction restraining the defendants from using the trade name or any other name deceptively similar to Nasscom. The court further restrained the defendants from holding themselves out as being associates or a part of Nasscom.” Page 335 | Chapter 9 | Appendix A A APPENDIX TABLE A Alternate Forms of Cybercrime Continued from last page Alternate Forms of Cybercrime Cyber Crime Case Attacker Date of Jurisdic- Jurisdic- Target(s) of Methodology of Indict- Responding Case information Resources Characteristics Incident tional itonal attack Attack ment(s) Entity (legal provision that case was charged under) Origin Target SMC Pneumatics Employee at 2001 India India SMC Harassment Court of Delhi “After hearing detailed arguments India Pvt. Ltd. v. company bringing Pnuematics of Counsel for Plaintiff, Hon’ble Jogesh Kwatra lawsuit. India Pvt. Ltd. Judge of the Delhi High Court passed an ex-parte ad interim injunction observing that a prima facie case had been made out by the plaintiff. Consequently, the Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails either to the plaintiffs or to its sister subsidiaries all over the world including their Managing Directors and their Sales and Marketing departments. Further, Hon’ble Judge also restrained the defendant from publishing, transmitting or causing to be published any information in the actual world as also in cyberspace which is derogatory or defamatory or abusive of the plaintiffs.” Page 336 | Chapter 9 | Appendix A A APPENDIX TABLE A Alternate Forms of Cybercrime Continued from last page Alternate Forms of Cybercrime Cyber Crime Case Attacker Date of Jurisdic- Jurisdic- Target(s) of Methodology of Indict- Responding Case information Resources Characteristics Incident tional itonal attack Attack ment(s) Entity (legal provision that case was charged under) Origin Target Vyakti Vikas Defendants posted 2013 India India 4 individuals Defendants Defendant No.2 (D2) is an Kendra, India Public defamtory material connected posted a high “intermediary” within the definition Charitable Trust on blogger to the India volume of highly of Section 2(1)(w) and Section 79 THR Trustee Mahesh webpage Public Trust, defamatory of the Information Technology Gupta & ORS vs. His Holiness materials on Act, 2000. Under Section 79(3)(b) Jitender Baggaa & Sri Sri Ravi an internet of the IT Act, 2000, D2 is under ANR. Shankar, and website and an obligation to remove unlawful Art of Living indiscriminantly content if it receives actual notice Teacher. sent defamatory from the affected party of any illegal emails. The content being circulated/published materials included through its service. D2 is also personal attacks bound to comply with Information or alleged Technology (Intermediaries defamation, Guidelines) Rules 2011. Rule 3(3) parody or satire of the said rules read with Rule 3(2) of individuals, requires an intermediary to observe distasteful due diligence or publish any imagery or information that is grossly harmful, language, and defamatory, libellious, disparaging political or social or otherwise unlawful. Rule 3(4) of commentary. the said rule provides obligation of an intermediary to remove such defamatory content within 36 hours from receipt of actual knowledge. The said rule is cited below for easy reference. Page 337 | Chapter 9 | Appendix A A APPENDIX TABLE A Miscellaneous Attacks (to demonstrate capability) Miscellaneous Attacks (to demonstrate capability) Cyber Crime Case Attacker Date of Jurisdictional Jurisdicitonal Target(s) of What was Methodology of Indict- Responding Resources Characteristics Incident Origin Target attack stolen? Attack ment(s) Entity Flame and Stuxnet Allegedly U.S. & Israel Iran, Lebanon, Intelligence N/A Malware-spreads http://rt.com/news/ Governments Syria, Sudan and and destroys through bluetooth, flame-stuxnet- Israeli occupied capacity controls, copies and kaspersky-iran-607 territories. destroys. Shows the http://www.wired. power of cyber attacks. com/2012/05/flame/ Operation Ghost 2007- Oct. Estonia U.S. Domain Name System http://www.fbi.gov/ Click 2011 (DNS) hacked millions news/stories/2011/ of computers to make november/ money from marketing malware_110911 companies through the manipulation of viewer data. Morpho Cyber Corporate 2012-present US, Europe and High profile confidential Application of malware Detection http://www. Espionage espionage group Canada technology, information Mac OS X backdoor by individual computerweekly. dubbed ‘Morpho’ internet, and program known as companies and com/news/45002 commodities, intellectual OSX.Pintsized as well private sector 49597/Symantec- and property as windows backdoor entities such as uncovers-Morpho- pharmaceutical program Backdoor. Semantec. cyber-espionage- companies. Jiripbot operation Page 338 | Chapter 9 | Appendix A A APPENDIX TABLE A Miscellaneous Attacks (to demonstrate capability) Continued from last page Miscellaneous Attacks (to demonstrate capability) Cyber Crime Case Attacker Date of Jurisdictional Jurisdicitonal Target(s) of What was Methodology of Indict- Responding Resources Characteristics Incident Origin Target attack stolen? Attack ment(s) Entity Pawn Storm cyber espionage 2014 U.S., Europe, and Military, Data Operation was dubbed Researchers http://www. group Pakistan diplomatic ‘pawn storm’ because at Trend Micro computerweekly. and defence the attackers used two uncovered the com/news/2240 industry or more connected tools scheme. 233415/Researchers- or tactics to attack a uncover-sophistica target. Used phishing ted-cyber-espio and spear-phishing.Used nage-campaign javascript trick to target Microsoft Outlook Web Access then specifically crafted emails to manipulate targets into visiting bogus Micorsoft outlook web access pages where they would enter their credentials. Page 339 | Chapter 9 | Appendix A B APPENDIX TABLE B1 Overview of Multilateral Instruments on Cybercrime Explanatory Note: This Appendix is divided into two parts. The first part (Table B1) lists the major multilateral instruments on cybercrime and describes the binding nature of each instrument. The second part (Table B2) identifies by article in each instrument (listed across the top of the page) where the substantive cybercrime provision (listed in the left column) can be found in that instrument. Multilateral Instrument Binding Multilateral Instruments on Cybercrime Non-binding Multilateral Instruments on Cybercrime Instruments developed in the context  CoE, Convention on Cybercrime (2001), Additional Protocol to the Convention  Commonwealth Model Laws on Computer and Computer-related Crime (2002) of, or inspired by, CoE or EU on Cybercrime (2003), and Convention on Protection of Children against Sexual and Electronic Evidence (2002) Exploitation and Sexual Abuse (2007)  EU legislation including on e-Commerce (2000/31/EC), on Combating Fraud and Counterfeiting of Non-Cash Means of Payment (2001/413/JHA), on Personal Data (2002/58/EC as amended), on Attacks against Information Systems (2013/40/EU replacing 2005/222/JHA) and Proposal for 2005/222/JHA [COM(2010) 517 final], and on Child Pornography (2011/92/EU) Instruments developed by CIS  CIS, Agreement on Cooperation among the States members of the CIS in Combating Offences related to Computer Information (2001) Instruments developed by SCO  SCO, Agreement between the Governments of the Member States of the SCO on Cooperation in the Field of International Information Security (2009) Instruments developed in the African  ECOWAS, Directive on Fighting Cybercrime within ECOWAS (2011)  East African Community (EAC) Legal Framework for Cyberlaws (Draft) (2008) context  AU, African Union Convention on Cyber Security and Personal Data Protection  Common Market for Eastern and Southern Africa (COMESA), Cyber Crime (2014) Model Bill (2011)  ITU, Harmonization of ICT Policies in Sub-Saharan Africa (“HIPSSA”), Southern African Development Community (SADC) Model Law on Computer Crime and Cybercrime (2013) Instruments developed by Arab League  League of Arab States, Arab Convention on Combating Information Technology  League of Arab States, Model Law on Combating Information Technology Offences (2010) Offences (2004) Instruments developed in the context  ITU, Information and Communications Capacity Building for Pacific Island of Pacific Islands Countries (“ICB4PAC”), Electronic Crimes : Knowledge-Based Report (Skeleton) (2013) Instruments developed in the Caribbean  ITU, Harmonization of ICT Policies, Legislation and Regulatory Procedures in the context Caribbean (HIPCAR), Model Legislative Texts on Cybercrime/e-Crime (2012) and Electronic Evidence (2013)  Organization for Eastern Caribbean States (OECS), Electronic Crimes Bill (Fourth Draft) (2011) and Electronic Evidence Bill (Third Draft) (2011) Page 340 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Definitions Definitions AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Computer/Information/ Art.1 Art. 1(a) Art. 2(5) Art. 1 Sec.1 Sec. 2 Sec. 3 Sec. 3(5) Sec.3(5) Sec. 3(13) Electronic System Computer (Electronic) Art.1 Art. 1(b) Art. 1(b) Arts. 2(1), Art. 1 Sec. 1 Sec. 2 Sec. 3 Sec. 3(6) Sec. 3(6) Secs. 3(9), data [Computer 2(3) 3(18) information, Data] Subscriber information Art. 18(3) Art. 2(9) Sec. 1 Sec. 2 Traffic data Art. 1(d) Sec. 1 Sec. 2 Sec. 3 Sec. 3(18) Sec. 3(22) Sec. 3(24) Service provider/ISP Art. 1(c) Art. 2(2) Sec. 1 Sec. 2 Sec. 3 Sec. 3(17) Sec. 3(21) Sec. 3(20) Page 341 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Substantive Law, Cybercrime Acts, Acts Directed against the Confidentiality, Integrity and Availability of Computer systems or Data, Criminalization Criminalization AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Illegal access to a Arts. 29(1) Art. 2 Art. 6(1) Art. 4 Sec. 18 Secs. 4(1)(a), Sec. 5 Sec. 4 Sec. 4 Sec. 2 computer system (a), 29(1)(b) 4(2) Illegal interception Art. 29(2)(a) Art. 3 Art. 7 Art. 8 Sec. 21 Sec. 8 Sec. 6 Sec. 6 Sec. 4 Illegal interference with Arts. 29(1) Art. 3 (1)(c) Art.4. Art. 8 Arts. 7, 9 Sec. 20(2) Secs. 4(1)(d4) Sec. 6 Sec. 7 Sec. 7 Sec. 5 computer data (e), 29(1)(f) (1)(i), 4(2) Illegal interference with a Art. 29(1)(d) Art. 3 (1)(c) Art. 5 Art. 6(2)(a) Art. 6 Sec. 20(1) Secs. 4(1)(d4) Sec. 6 Sec. 7 Sec. 7 Sec. 5 computer system (1)(i), 4(2) Misuse of devices Art. 29(1)(h) Art. 3(1)(b) Art. 6 Art. 9 Art. 14 Sec. 22 Sec. 19 Sec. 9 Sec. 10 Sec. 10 Sec. 8 Illegal access to computer Art. 3(1)(a) Art. 2 Sec. 19 data Illegal acquisition of Art. 2 Sec. 4(1)(b) Sec. 8 Sec. 8 Sec. 6 computer data Illegal remaining in a Art. 29(1)(c) Art. 5 Sec. 5 Sec. 5 Sec. 3 computer system Page 342 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Substantive Law, Cybercrime Acts, Acts Committed by Use of Computer Systems or Data, Computer-related Acts, Criminalization Criminalization AU1 CIS2 CoE3, 8 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Computer-related forgery Art. 29(2)(b) Art. 7 Art. 10 Art. 10 Sec. 23 Sec.8 Sec. 11 Sec. 11 Computer-related fraud Art. 29(2)(d) Art. 8 Art. 11 Art. 11 Sec. 24 Sec. 9 Sec. 12 Sec. 12 Sec. 10 Computer-related Art. 3(1)(d) Art. 10 Art. 17 copyright and trademark offences Sending SPAM, etc. Arts. 2 to 6, Sec. 19(7) Sec. 5 Sec. 15 Sec. 19 Sec. 14 8, 10 to 11 Computer-related identity Arts. 2 to 6 Sec.6 Sec. 14 Sec. 15 Sec. 13 offences Computer-related Lanzarote Sec. 19 solicitation of a child Conventi (grooming) on, Art. 23 Cyber-harassment Sec. 18 Sec. 22 Cyberstalking Sec. 17 Sec. 17 Sending offensive Sec. 5 messages through communication services Page 343 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Substantive Law, Cybercrime Acts, Acts Committed by Use of Computer Systems or Data, Computer Content-related Acts, Criminalization Criminalization AU1 CIS2 CoE3, 7 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Computer-related child Arts. 29(3)(1) Art 9. Arts. 12(2), Arts. 16 to 18 Sec. 13 Sec. 10 Sec. 13 Sec. 13 Sec. 11 pornography offence (a) to 29(3) 12(3) (1)(c) Computer-related Art. 29(3) Additional Art. 20 Sec. 16(c) dissemination of racist and (1)(e) Protocol, xenophobic material Art. 3 Computer-related racist Art. 29(3) Additional Art. 21 and xenophobic motivated (1)(f) Protocol, threat Art. 4 Computer-related racist Art. 29(3) Additional Art. 22 Sec. 17 and xenophobic motivated (1)(g) Protocol, insult Art. 5 Computer-related denial or Art. 29(3) Additional Art. 23 Sec. 18 justification of genocide or (1)(h) protocol, crimes against humanity Art. 6 Computer-related acts in Arts 2 to 8, Arts. 15(1) support of terrorism 11 to 12 to 15(3) Cyber-defamation Sec. 7 Sec. 20 Computer-related Arts. 12(1), Arts. 16 to 18 Sec. 12 pornography offence 13 Facilitation of access of a Art. 29(3) Art. 9 Art. 19 Sec. 14 child to pornography (1)(d) Computer-related religious Art. 15(4) Sec. 21 offences Page 344 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Substantive Law, Other Cybercrime Acts, Criminalization Criminalization AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Computer-related money Art. 16(1) laundering offence Computer-related illicit Arts. 16(2) trafficking to 16(4) Illegal online gambling Art. 13 Sec. 18 Computer-related extortion Sec. 25 Computer-related acts Art. 29(2)(e) Arts 2 & 4 Art. 12 involving personal information/personal data Computer-related breach Art. 31(2)(c) Arts 2 & 3 of secrecy Use of forged/fraudulently Art. 29(2)(c) Arts 7 & 8 Art. 13 obtained data Illicit use of electronic Art. 18 payment tools Computer-related acts Arts 2 & 4 Art. 14 Sec.11 against privacy Disclosure of details of an Arts 16, 20 Sec. 29(2) Sec. 21(1) Sec. 16 Sec. 20 Sec. 15 investigation by a service & 21 provider Failure to provide Arts 16, 18, Sec. 13(2) Sec. 17 Sec. 21 Sec. 16 assistance in an 20 & 21 investigation Failure to comply with in an Arts 16, 18, Secs. 23(4) investigative request 20 & 21 (b),23(5) Obstruction of an Secs. 23(4) investigation (a), 23(5) Page 345 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Substantive Law, Sanctions and Liabilities Substantive Law, AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Sanctions and Liabilities Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Aggravating circumstance Art. 30(1)(b) Art. 21 Art. 24 for conventional offence committed by means of a computer system Attempt and aiding or Arts. 29(1) Art. 11 Art 19. Sec. 26 Sec. 22 abetting (a-f), 29(2)(a) Corporate liability Art. 30(2) Art. 12 Art. 20 Art. 27 Sec. 27 Sec. 22 Sanctions and measures Art. 31 Art. 13 Arts. 28, 29 Page 346 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Procedural Law Procedural Law AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Scope of procedural Art. 14 Art. 22 Sec. 28 provisions Procedural conditions and Art. 15 Sec. 32 safeguards Expedited preservation of Art. 31(3)(d) Art. 16 Art. 23 Art. 31 Sec. 33 Sec. 20 Sec. 17 Sec. 23 Sec. 28 Sec. 28 stored computer data Expedited preservation Art. 17 Art. 24 Sec. 34 Sec. 21 Sec. 18 Sec. 24 Sec. 29 Sec. 29 and partial disclosure of traffic data Expedited preservation Sec. 35 of computers or storage media Production order Art. 18 Art. 25 Sec. 36 Sec. 22 Sec. 15 Sec .22 Sec. 27 Sec. 27 Search and Seizure of a Arts. 31(3) Arts. 19(1) Arts. 26, Art. 30 Secs. 37(1) to Secs. 12, 14 Sec. 20 Sec. 25 Sec. 25 computer system or data (a), 31(3)(b) to 19(3) 27(1) 37(3) Real-time collection of Art. 20 Art. 28 Sec. 38 Sec. 24 Sec. 19 Sec. 25 Sec. 30 Sec. 30 traffic data Interception of content Art. 31 (3)(e) Art. 21 Art. 29 Sec. 39 Sec. 18 Sec. 26 Sec. 31 Sec. 31 data Use of remote forensic Sec. 27 Sec. 32 Sec. 32 tools Trans-border access to Art. 32 Art. 40 Sec. 49 stored computer data Provision of assistance in Art. 31(3)(e) Art. 19(4) Art. 27(2) Sec, 37(4) Sec. 13 Sec. 21 Sec. 26 Sec. 26 investigation Retention of computer Secs. 29 to Data 31 Page 347 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Admissibility of Electronic Evidence Admissibility of AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, electronic evidence Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Admissibility of electronic Arts. 6(6), Art. 32 Sec. 5(1) Sec. 20 Sec. 5 Sec. 24 Sec. 24 evidence 29(4) Admissibility of foreign Sec. 16 electronic evidence Page 348 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Jurisdiction Jurisdiction AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Committed within the Art. 22(1)(a) Art. 30(1)(a) Sec. 40(1)(a) Sec. 3 (a) Sec. 4(a) Sec. 19(a) Sec. 23(a) Sec. 23(a) territory Committed on a registered Arts. 22(1) Arts. 30(1) Sec. 40(2) Sec. 4(b) Sec. 19(b) Sec. 23(b) ship or aircraft (b), 22(1)(c) (b), 30(1)(c) Using a computer system/ Sec. 40(1)(b) data within the territory Directed against a Sec. 40(1)(c) computer system/data within the territory Nationality principle Art. 22(1)(d) Art. 30(1)(d) Secs. 40(3) Secs. 4(c), 4(d) Sec. 19(c) Secs. 23(c), Secs. 23(b), (Offender) (a), 40(3)(b) 23(d) 23(c) State interest principles Art. 30(1)(e) Jurisdiction when Art. 22(3) Art. 30(2) Sec. 40(4) extradition refused Concurrent jurisdiction Art. 22(4) Art. 30(3) Sec. 40(5) Establishment of place of Sec. 40(6) offence Dual criminality Art. 22(1)(d) Art. 30(1)(d) Sec. 40(3)(a) Sec. 4(d) Sec. 19(c) Sec. 23(d) Sec. 23(b) Reservation Art. 22(2) Sec. 40(7) Page 349 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime International Cooperation, International Cooperation: General Principles International AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Cooperation: General Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Principles International cooperation: Art. 28 Art. 5 Art. 23 Arts. 3 to 5 Art. 33 Sec. 41 general principles International Cooperation, Extradition: General Principles Extradition: General AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Principles Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Extradition: general Art. 24 Art. 31 Sec. 42 principles Dual criminality Art. 24(1)(a) Art. 31(1)(a) Sec. 42(1) Extraditable Offences Arts. 24(1), Arts. 31(1), Secs. 42(1), Sec. 31 24(2), 24(4) 31(2), 31(4) 42(3) Page 350 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime International Cooperation, Mutual Assistance (MA): General Principles [Mutual Legal Assistance (MLA): General Rules] MA: General principles AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, (MLA: General Rules) Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 MA: General principles Art. 28 (2) Art. 6 Arts. 25-27 Arts. 32 to Secs. 43 to (MLA–General Rules) 34 45 Expedited means of Art. 6(2) Arts. 25(3), Arts. 32(3), Secs. 43(2), communication or other 27(9) 34(8) 45(8) urgent channels Dual criminality Art. 28(2) Art. 25(5) Art. 32(5) Sec. 43(4) Spontaneous (Unsolicited) Art. 6(1) Art. 26 Art. 33 Sec. 44 information Refusal of cooperation/ Art. 8 Arts. 25(4), Art. 35 Secs. 43(3), assistance 27(4) 45(5) Confidentiality of Art. 9 Art. 28 Art. 36 Art. 6 Secs. 45(9), information to be provided 45(10) and Limitation on Use Confidentiality of the fact Art. 27(8) Art. 34(7) Sec. 45(7) of any request made and its subject Page 351 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime International Cooperation, Mutual Assistance (MA): Specific Provisions [Mutual Legal Assistance (MLA): Specific Rules] MA: Specific Provisions AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, (MLA: Specific Rules) Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 Expedited preservation of Art. 29 Art. 37 Sec. 46 stored computer data Expedited disclosure of Art. 30 Art. 38 Sec. 47 preserved traffic data MA: Accessing of stored Art. 31 Art. 39 Sec. 48 computer data Trans-border access to Art. 32 Art. 40 Sec. 49 stored computer data MA: Real-time collection of Art. 33 Art. 41 Sec. 50 traffic data MA: Interception of content Art. 34 Art. 42 Sec. 51 data Page 352 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime International Cooperation, 24-7 Network 24-7 Network AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 24/7 Network Art. 35 Art. 43 Sec. 52 Page 353 | Chapter 9 | Appendix   View citations at the end of this section page 403 B APPENDIX Comparative Analysis of Provisions of Multilateral TABLE B2 Instruments on Cybercrime Service Provider Liability and Responsibility Service Provider Liability AU1 CIS2 CoE3 LAS4 SCO5 ECOWAS6 COMESA9 OECS15 The ITU, ITU, ITU, and Responsibility Commonwealth10 HIPCAR11 HIPSSA12 ICB4PAC13 No general monitoring Sec. 17(1) Sec. 28 Sec. 33 Sec. 33 obligation Voluntary Supply (Provision) Sec. 17(2) of Information Take-down notifications Sec. 16 Liability of access providers Sec. 12 Sec. 29 Sec. 34 Sec. 34 Liability of caching Sec. 13 Sec. 31 Sec. 35 Sec. 36 providers Liability of hosting Sec. 14 Sec. 30 Sec. 36 Sec. 35 providers Liability of hyperlink Sec. 15 Sec. 32 Sec. 37 Sec 37 providers Liability of search engine Sec. 33 Sec. 38 Sec. 38 providers Page 354 | Chapter 9 | Appendix   View citations at the end of this section page 403 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) Explanatory Note: This Table reviews the legal frameworks of 196 countries, based on initial research computer systems or data (“core” cybercrime acts) are criminalized. However, states are not deemed of publicly available laws, regulations and electronic data which were verified and updated based on to have domestic legislation regarding cybercrime if “core” cybercrime acts are not criminalized.1 No a review of ITU1 and UNCTAD data,1 as well as UNCTAD’s Cyber Law Tracker1. This Table provides an distinction is made between laws on the basis of naming: some states specifically refer to “cybercrime” overview of national legal frameworks using the working definition of cybercrime adopted in section or some other similar term, in their laws, while for other states use the same terms found in their penal 2 A, with particular reference to whether acts against the confidentiality, integrity and availability of or criminal code. National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Afghanistan No No No No No Albania Yes Criminal Code (last amended in 2013) (e.g., Article 192/b) {Has signed and/or No No No ratified (or acceded to)} Algeria Yes Law No. 09-04 of 14 Sha’ban 1430 Corresponding to 5 August 2009 No {Has signed and/or No No Containing Specific Rules on the Prevention and Fight Against ratified (or acceded to)} Information Technologies and Communication’s Crimes (enacted in 2009) Andorra Yes Penal Code [Article 225 (Computer Damage)] {Has signed and/or No No No ratified (or acceded to)} Angola No & Draft Law  Draft Law to Combat Crime in the Field of ICT and Services for No No No No the Information Society (2011)  Preliminary Draft Penal Code [e.g., Article 399 (Computer Damage)] Antigua and Yes Electronic Crimes Act, 2013 No No No No Barbuda Argentina Yes Penal Code (enacted by Law No. 11, 179 of 1984 and amended by Invited to accede No No No Law No. 26,388 of 2008) (e.g., Sections 153B, 153C, and 153D) Armenia Yes Criminal Code (adopted on 18 April 2003), Chapter 24. Crimes {Has signed and/or No {Has signed and/or No against computer information security (Articles 251-257) ratified (or acceded to)} ratified (or acceded to)} Page 355 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Australia Yes Criminal Code [enacted by Act No. 12 of 1995 as amended up {Has signed and/or No No No to Act No. 50 of 2010 and further amended by Act No. 120 of ratified (or acceded to)} 2012 (Cybercrime Legislation Amendment Act 2012)], Chapter 10.National Infrastructure, Part 10.7 —Computer offences (Articles 476.1 to 478.4) Austria Yes Criminal Code (Sections 118a, 119, 119a, 126a, 126b, 126c, 148a, {Has signed and/or No No No 225a) ratified (or acceded to)} Azerbaijan Yes  Criminal Code (adopted on 30 September 1999 and came into {Has signed and/or No {Has signed and/or No force on 1 September 2000), Chapter 30. Crimes in Sphere of ratified (or acceded to)} ratified (or acceded to)} the Computer Information (Articles 271, 272, and 273)  Criminal Procedure Code (adopted on 14 July 2000) Bahamas, The Yes Computer Misuse Act, 2006 No No No No Bahrain Yes Law No. 60 of 2014 concerning Information Technology Crimes No {Has signed and/or No No ratified (or acceded to)} Bangladesh Yes Information & Communication Technology Act, 2006 [amended No No No No by Information & Communication Technology (Amendment) Act, 2013], Chapter VII. Offenses, Investigation, Adjudication, Penalties etc. (Sections 54 to 90) Barbados Yes Computer Misuse Act, 2005 No No No No Belarus Yes Criminal Code (Penal Code) (enacted in 1999) (as amended up to No No {Has signed and/or No 2013)], Section XII. Chapter 31. Crimes against information security ratified (or acceded to)} (Articles 349-355) Belgium Yes  Criminal Code (amended by Law on computer crime of 28 {Has signed and/or No No No November 2000) (Article 210bis; Article 504quater, Article ratified (or acceded to)} 550bis, Article 550ter)  Criminal Procedure Code (Article 39bis; Article 88ter; Article 88quater; Article 90quater) Page 356 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Belize No No No No No Benin No & Draft Law  Draft Decree No. 200/MISP/DC/SGM/DGPN/SERCT/DER/SA No No No No related to the creation of a division in charge of the fight against internet crime  Draft Law on the Fight against Cybercrime Bhutan Yes Information, Communications and Media Act 2006, Provisions No No No No relating to certain cyber offenses (Sections 171 to 182) Bolivia Yes  Penal Code (Articles 363bis and 363 ter) No No No No Bosnia and Yes Criminal Code (2003, amended in 2013) (Chapter 24A. Criminal {Has signed and/or No No No Herzegovina Offences against Computer Data Security) (Articles 292a to 292e) ratified (or acceded to)} Botswana Yes Cybercrime and Computer Related Crimes (Chapter 08: 06) (Date No No No No of commencement: 28 Dec. 2007) Brazil Yes Criminal Code (enacted by Law No. 2, 848 of 1940, and amended No No No No by Law No. 9,983 of 2000, Law No. 11, 829 of 2008, Law No. 12, 735 of 2012, and Law No. 12, 737 of 2012) [e.g., Article 154 – A (Trespass of a computing device)] Brunei Darussalam Yes  Computer Misuse Act, 2007 (Chapter 194) No No No No  Penal Code [enacted in 1951, as last amended by Penal Code (Amendment) Order, 2012] Bulgaria Yes  Penal Code, Chapter 9, Computer Crimes (Articles 319a to {Has signed and/or No No No Articles 319f) ratified (or acceded to)}  Criminal Procedure Code Burkina Faso Yes & Draft Law  Penal Code, 1996 [Chapter V. Offences Concerning Computers No No No No (Articles 541-548)]  Draft Law on Cybercrime Page 357 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Burundi Yes Penal Code (enacted in 2009) (Articles 467-470) No No No No Cabo Verde Yes Penal Code [Article 187 (Illegal Computer Processing)] No No No No Cambodia Yes & Draft Law  Draft Cybercrime Law No No No No  Criminal Code (Articles 317 to 320, Articles 427 to 432) Cameroon Yes Law No. 12 of 2010 on Cybersecurity and Cybercrime (also No No No No known as “Law No. 12 of 2010 Relating to Cybersecurity and Cybercriminality”) Canada Yes Criminal Code [last amended by “Protecting Canadians from {Has signed and/or No No No Online Crime Act” (assented on 9 December 2014)] ratified (or acceded to)} Central African No No No No No Republic Chad Yes Law No. 14 of 2014 regarding Electronic Communications (Articles No No No No 114, 115, 116, and 120) Chile Yes Law on Automated Data Processing Crimes (also known as “Law {Has signed and/or No No No No. 19,223 of 1993 on Categories of Computer-Related Offenses”) ratified (or acceded to)} China Yes Criminal Law (adopted in 1979 and last amended in 2011) (Articles No No No {Has signed and/or 285, 286 and 287) ratified (or acceded to)} Colombia Yes Penal Code [enacted by Law No. 599 of 2000, amended by Law Invited to accede No No No No. 1273 of 2009 (Protection of Information and Data), and last amended by Law No. 1336 of 2009] (Article 269A to Article 269J) Comoros No No No No No Congo, Dem. Rep. No No No No No Page 358 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Congo, Rep. No & Draft Law Draft Law on the Fight against Cybercrime (in progress) No No No No Costa Rica Yes Penal Code [enacted by Law No. 4573 and amended by Law No. Invited to accede No No No 9048 (10 July 2012) and last amended by Law No. 9135 (24 April 2013)] (Articles 196, 196bis, 217bis, 229bis) Cote d’Ivoire Yes Act No. 2013-451 dated 19 June 2013 on the fight against No No No No cybercrime Croatia Yes  Criminal Code (Enacted by Text No. 2498 of 2011, Amended by {Has signed and/or No No No Text No. 3076 of 2012, Date of Entry into Force: 1 January 2013) ratified (or acceded to)} (Articles 266 –272)  Criminal Procedure Code Cuba5 No No No No No Cyprus Yes Law Ratifying the Cybercrime Convention of 2001 (No. 22(III)/2004) {Has signed and/or No No No ratified (or acceded to)} Czech Republic Yes Criminal Code, Act No. 40 of 2009 Coll. of January 8, 2009 (effective {Has signed and/or No No No in 2010 and as amended in 2011) (Sections 230, 231, and 232) ratified (or acceded to)} Denmark Yes Penal Code (Sections 263-263a) {Has signed and/or No No No ratified (or acceded to)} Djibouti Yes Penal Code [Chapter VII. Offences Concerning Computers (Articles No No No No 548-555)] Dominica No & Draft Law  Electronic Crime Bill No No No No  Computer and Computer Related Crimes Bill, 2005 Dominican Yes Law No. 53 of 2007 on High Technology Crimes (adopted in 2007) {Has signed and/or No No No Republic ratified (or acceded to)} Page 359 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Ecuador Yes Organic Comprehensive Criminal Code (Law No. 180 of 2014), No No No No (Articles 229 to 234) Egypt, Arab Rep. Yes & Draft Law  Penal Code (Article 309bis) No {Has signed and/or No No ratified (or acceded to)}  Telecommunication Regulation Law (Law No. 10 of 2003) (Article 78)  Draft Cybercrime Law (2016) El Salvador Yes Special Law against Computer and Related Crimes (Published on No No No No 26 Feb. 2016) Equatorial Guinea No No No No No Eritrea Yes Penal Code (2015) [Art. 374 (Unauthorized Use of a Computer), Art. No No No No 375 (Aggravated Unauthorized Use of a Computer)] Estonia Yes  Criminal Code (Penal Code) (as amended up to Act RT I, {Has signed and/or No No No 29.12.2011, 1) (Sections 206 to 208) ratified (or acceded to)}  Criminal Procedure Code Ethiopia Yes & Draft Law  Criminal Code (Proclamation No.414/2004), [Part II. Special Part; No No No No Book VI. Crimes against Property; Title I. Crimes against rights in property; Section II. Computer Crimes (Articles 706-711)]  Draft Cybercrime Law (2016) [called “(Draft) Computer Crime Proclamation No…/2016”] Fiji Yes Crimes Decree 2009 (Decree No. 44 of 2009) [Chapter III – Criminal No No No No Offenses, Part 17 — Fraudulent Conduct, Division 6 — Computer Offences, Articles 336-346] Finland Yes  Criminal Code (Chapter 38 - Data and communications {Has signed and/or No No No offences, Sections 1 to 12) ratified (or acceded to)}  Criminal Procedure Act Page 360 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime France Yes  Criminal Code [Book III. Felonies and Misdemeanors against {Has signed and/or No No No Property, Title II. Other offences against Property, Chapter III. ratified (or acceded to)} Unauthorized Access to Automated Data Processing (Articles 323-1 to 323-7)]  Criminal Procedure Code  Law No.2004-575 of 21 June 2004 regarding Confidence in the Digital Economy Gabon No & Draft Law Draft Law on Cybercrime (in progress) No No No No Gambia Yes Information and Communications Act, 2009 (amended by No No No No “Information and Communication (Amendment) Act, 2013”), Chapter 3- Information Society Issues (Sections 163-173) Georgia Yes Criminal Code, Chapter 35. Computer crimes (Articles 284, 285 and {Has signed and/or No No No 286) ratified (or acceded to)} Germany Yes  German Criminal Code (e.g., Section 202a, Section 303a, {Has signed and/or No No No Section 303b) ratified (or acceded to)}  German Code of Criminal Procedure Ghana Yes  Electronic Transactions Act (Act No. 772 of 2008), [Cyber No No No No inspectors (Sections 98 to 106), Cyber offences (Sections 107 to 140)]  Criminal Code (Act 29 of 1960) (also known as “Criminal Offences Act”) Greece Yes Penal Code (amended by Law 1805/1988) (Articles 370, 370C, 386) {Has signed and/or No No No ratified (or acceded to)} Grenada Yes  Electronic Crimes Act of 2013 No No No No  [published in the Official Gazette on October 3, 2013 according to the International Press Institute (IPI)]  Electronic Transactions Act, 2008 (Section 43) Page 361 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Guatemala Yes Penal Code (Articles 274A to 274G) No No No No Guinea No No No No No Guinea-Bissau No No No No No Guyana No No No No No Haiti No No No No No Holy See No data No No No No Honduras No No No No No Hungary Yes Criminal Code (promulgated on 13 July 2012) (Sections 423-424) {Has signed and/or No No No ratified (or acceded to)} Iceland Yes Penal Code (Articles 155, 157, 158, 228, 249a, and 257) {Has signed and/or No No No ratified (or acceded to)} India Yes Information Technology Act, 2000 [amended by Information No No No No Technology (Amendment) Act, 2008] (Sections 43 to 45, Sections 65 to 78) Indonesia Yes Law Concerning Electronic Information and Transactions (No. 11 of No No No No 2008) (Articles 27 to 37, Articles 45 to 52) Iran, Islamic Rep. Yes Computer Crimes Law No No No No Page 362 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Iraq No & Draft Law Draft Informatics Crimes Law, 2010 (Revoked in 2013) No {Has signed and/or No No ratified (or acceded to)} Ireland Yes  Criminal Justice (Theft and Fraud Offences) Act, 2001, Section 9 {Has signed and/or No No No ratified (or acceded to)}  Criminal Damages Act, 1991 Israel Yes Computers Law of 1995 [Chapter 2. Computer Offences (Sections {Has signed and/or No No No 2 to 6)] ratified (or acceded to)} Italy Yes Criminal Code (amended by Law No. 547 of 23 December 1993. {Has signed and/or No No No Amendment of the Provisions of the Penal Code & the Code of ratified (or acceded to)} Criminal Procedure in Relation to Computer Criminality) Jamaica Yes Cybercrimes Act, 2010 No No No No Japan Yes Act on Prohibition of Unauthorized Computer Access (enacted in {Has signed and/or No No No 1999 and amended in 2012 and 2013) ratified (or acceded to)} Jordan Yes Information Systems Crime Law of 2010 No {Has signed and/or No No ratified (or acceded to)} Kazakhstan Yes Criminal Code (enacted in 1997 and amended in 2004), Chapter 7. No No {Has signed and/or {Has signed and/or Crimes in the Sphere of Economic Activity (Article 227) ratified (or acceded to)} ratified (or acceded to)} Kenya Yes & Draft Law  Draft Law: Cybercrime and Computer related Crimes Bill, 2014 No No No No  Information and Communications Act, 2009 [amended by “ Information and Communications (Amendment) Act, 2013”] (Sections 83U to 84F) Kiribati Yes Telecommunications Act, 2004 [Part VII – Computer Misuse No No No No (Sections 64 to 69)] Korea, Dem. Yes Criminal Law (last amended in 2012) (Articles 192, 193, and 194) No No No No People’s Rep. Page 363 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Korea, Rep. Yes Act on Promotion of Information and Communications Network No No No No Utilization and Information Protection, etc. (last amended in 2015) [Chapter X. Penal Provisions (Articles 70 to 76)] Kosovo Yes Law on Prevention and Fight of the Cyber Crime, 2010 No No No No Kuwait Yes Law No. 63 of 2015 on combating cyber crimes (effective as of 12 No {Has signed and/or No No Jan. 2016) ratified (or acceded to)} Kyrgyz Republic Yes Criminal Code (enacted in 1997 and amended in 2006), Chapter 28. No No {Has signed and/or {Has signed and/or Crimes in the Sphere of Computer Information (Articles 289-291) ratified (or acceded to)} ratified (or acceded to)} Lao PDR No No No No No Latvia Yes Criminal Code (Sections 241 to 245) {Has signed and/or No No No ratified (or acceded to)} Lebanon No No No No No Lesotho Yes & Draft Law  Draft Law: Computer Crime and Cybercrime Bill, 2013 No No No No  Penal Code Act, 2010 (Government Gazette: 9 March 2012) [Section 62 (Misuse of property of another), Subsection (2)] Liberia No No No No No Libya No No {Has signed and/or No No ratified (or acceded to)} Liechtenstein Yes Criminal Code (e.g., Article 126a, Article 126b) {Has signed and/or No No No ratified (or acceded to)} Page 364 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Lithuania Yes  Criminal Code (enacted in 2000 and amended in 2010), Chapter {Has signed and/or No No No 30. Crimes against Security of Electronic Data and Information ratified (or acceded to)} Systems (Articles 196 to 198(2))  Criminal Procedure Code Luxembourg Yes Penal Code (as amended by Act of 15 Jul. 1993, Law of 14 Aug. {Has signed and/or No No No 2000, Law of 10 Nov. 2006, and Law of 18 Jul. 2014) (Articles 231bis, ratified (or acceded to)} 491, and 496, as well as, Section VII.4 – On offences in the field of data processing, Articles 509-1 to 509-7) Macedonia, FYR Yes Criminal Code (e.g., Article 251. Damage and unauthorized {Has signed and/or No No No entering in a computer system) ratified (or acceded to)} Madagascar Yes Act 2014-006 on the fight against cybercrime No No No No Malawi No & Draft Law  Electronic Transactions Bill, 2015, Part X –Offences (Sections 86 No No No No to 98)  E-Bill, 2012, Part V-Security in Digital Economy, Chapter 2-Cyber criminality, Sections 42 to 44 Malaysia Yes Computer Crimes Act, 1997 (incorporating all amendments up to No No No No 2006) Maldives No No No No No Mali Yes Penal Code (Articles 264 to 271) No No No No Malta Yes Criminal Code (Chapter 9) (Articles 337B to 337G) {Has signed and/or No No No ratified (or acceded to)} Marshall Islands No No No No No Page 365 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Mauritania No & Draft Law Draft Law: Bill on Cybercrime No {Has signed and/or No No ratified (or acceded to)} Mauritius Yes Computer Misuse and Cybercrime Act, 2003 (Act No. 22 of 2003) {Has signed and/or No No No ratified (or acceded to)} Mexico Yes Federal Criminal Code (Articles 211bis 1 to Articles 211bis 7) Invited to accede No No No Micronesia, Fed. No No No No No Sts. Moldova Yes Criminal Code (enacted in 2002 and amended in 2009), Chapter XI. {Has signed and/or No {Has signed and/or No Computer Crimes and Crimes in the Telecommunications Sphere ratified (or acceded to)} ratified (or acceded to)} (Articles 259-2611) Monaco Yes Law on Digital Economy {Has signed and/or No No No ratified (or acceded to)} Mongolia Yes Criminal Code (Enacted in 2002) [Special Part, Title 8. Crimes No No No No against Public Security and Health, Chapter 25: Crimes against the security of computer data (Articles 226 to 229)] Montenegro Yes  Criminal Code, Chapter 28. Criminal Acts against Safety of {Has signed and/or No No No Computer Data (Articles 349 to 356) ratified (or acceded to)}  Criminal Procedure Code Morocco Yes Penal Code (Articles 607-3 to 607-10) Invited to accede {Has signed and/or No No ratified (or acceded to)} Mozambique No No No No No Myanmar Yes Electronic Transactions Law, 2004 (Articles 2, 34, 38) No No No No Page 366 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Namibia No & Draft Law Draft Law: Electronic Communication and Cybercrime Bill No No No No Nauru No No No No No Nepal Yes Electronic Transaction Act, 2008, Chapter 9. Offense relating to No No No No Computer (Sections 44-59) Netherlands Yes Criminal Code (e.g., Art. 138ab and Art. 138b) {Has signed and/or No No No ratified (or acceded to)} New Zealand Yes Crimes Act 1961 (amended by Crimes Amendment Act, 2003) No No No No (Articles 248-254) Nicaragua Yes Penal Code (e.g., Article 198) No No No No Niger Yes Penal Code, Title VII. Offences in the Field of Computers (Articles No No No No 399.2 to 399.9) Nigeria Yes Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 No No No No Norway Yes General Civil Penal Code (Penal Code) (e.g., Sections 145 to 146) {Has signed and/or No No No ratified (or acceded to)} Oman Yes Royal Decree No. 12 of 2011 Issuing the Cyber Crime Law No {Has signed and/or No No ratified (or acceded to)} Pakistan Yes & Draft Law  Draft Law: Bill - Prevention of Electronic Crimes Act, 2015 No No No No  Prevention of Electronic Crime Ordinance, 2009  Electronic Transactions Ordinance 2002 (Sections 36 to 37) Palau No No No No No Page 367 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Panama Yes Penal Code (approved by Law No. 14 of 2007, with amendments {Has signed and/or No No No and additions introduced by Law No. 26 of 2008, Law No. 5 of 2009, ratified (or acceded to)} and Law No. 14 of 2010) (Articles 289 to 292) Papua New No No No No No Guinea Paraguay Yes Penal Code (amended by Law No. 4439 of 2011 amending the Invited to accede No No No Penal Code) [e.g., Article 174b (Unauthorized Access to Computer Systems)] Peru Yes  Law No. 30096 of 2013 (Computer Crimes Act) Invited to accede No No No  Law 30171 of 2014 [Law amending the Law No. 30096 of 2013 (Computer Crimes Act)] Philippines Yes Cybercrime Prevention Act of 2012(Republic Act No. 10175 of 2012) Invited to accede No No No Poland Yes Penal Code (Articles 267, 268 and 269) {Has signed and/or No No No ratified (or acceded to)} Portugal Yes Law No. 109/2009, of September 15 (Cybercrime Law) {Has signed and/or No No No ratified (or acceded to)} Qatar Yes Cybercrime Prevention Law (Law No. 14 of 2014) No {Has signed and/or No No ratified (or acceded to)} Romania Yes Law on Certain Steps for Assuring Transparency in Performing High {Has signed and/or No No No Official Positions, Public and Business Positions, for Prevention and ratified (or acceded to)} Sanctioning the Corruption (Law No. 161/2003) (Anti-Corruption Law) , Title III Preventing and Fighting Cyber Crime (Articles 34 to 67) Russian Yes Criminal Code (enacted in 1996 and amended in 2012), Section No No {Has signed and/or {Has signed and/or Federation IX. Crimes Against Public Security and Public Order, Chapter 28. ratified (or acceded to)} ratified (or acceded to)} Crimes in the Sphere of Computer Information (Articles 272, 273, and 274) Page 368 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Rwanda Yes  Organic Law instituting the Penal Code (No. 01/2012/OL of No No No No 02/05/2012), Section 5: Theft committed by use of computers or other similar devices (Articles 306 to 315)  Law Relating to Electronic Messages, Electronic Signatures and Electronic Transactions (No. 18/2010 of 12/05/2010), Chapter 9: Computer Misuse and Cyber Crime (Articles 58 to 65) Samoa Yes Crimes Act (No 10. of 2013), Part 18. Crimes involving Electronic No No No No Systems (Sections 205 to 220) San Marino Yes  Law No. 70 of 1995, Rules Concerning the Processing of No No No No Personal Data related to Information Technology (Article 17)  Penal Code (Articles 402 and 403) Sao Tome and No No No No No Principe Saudi Arabia Yes Anti-Cyber Crime Law (2007) No {Has signed and/or No No ratified (or acceded to)} Senegal Yes Penal Code (as amended by Law No. 2008-11 on Cybercrime) (Arts. {Has signed and/or No No No 431-7 to 431-63; 677-34 to 677-42) ratified (or acceded to)} Serbia Yes Criminal Code, Chapter 27. Criminal Offense against Security of {Has signed and/or No No No Computer Data (Articles 298-304a) ratified (or acceded to)} Seychelles Yes Computer Misuse Act [enacted by Computer Misuse Act (Act No. No No No No 17 of 1998) and amended by Computer Misuse (Amendment) Act (Act No. 6 of 2012)] Sierra Leone No No No No No Singapore Yes Computer Misuse and Cybersecurity Act (Chapter 50A) No No No No Page 369 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Slovak Republic Yes Criminal Code (Law No. 300 of 2005) [e.g., Section 247 (Harm Done {Has signed and/or No No No to and Abuse of an Information Carrier )] ratified (or acceded to)} Slovenia Yes Penal Code [e.g., Article 225 (Unauthorized Access to an {Has signed and/or No No No Information System)] ratified (or acceded to)} Solomon Islands No No No No No Somalia No No No No No South Africa Yes & Draft Law  Electronic Communications and Transactions Act, 2002 (No. 25 {Has signed and/or No No No of 2002), Chapter 8: Cybercrime (Sections 85-89) ratified (or acceded to)}  Cybercrimes Bill, 2015 South Sudan Yes Penal Code Act, 2008, Chapter 27. Computer and Electronic No No No No Related Offenses (Sections 388 to 394) Spain Yes Criminal Code (e.g., Article 197) {Has signed and/or No No No ratified (or acceded to)} Sri Lanka Yes Computer Crime Act (also known as “ Computer Crimes Act”), (No. {Has signed and/or No No No 24 of 2007) ratified (or acceded to)} St. Kitts and Nevis Yes Electronic Crimes Act, 2009 No No No No St. Lucia No & Draft Law Draft Law: Electronic Crimes Bill, 2009 No No No No St. Vincent and Yes Electronic Transactions Act, 2007, Part X. Information Systems and No No No No the Grenadines Computer Related Crimes (Sections 64 to 73) Sudan Yes The Informatic Offences (Combating) Act, 2007 No {Has signed and/or No No ratified (or acceded to)} Page 370 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Suriname No & Draft Law  Bill of the First Book of the Criminal Code (2006) No No No No  Bill of the Second Book of the Criminal Code (2009) (e.g., Articles 187g, 213C, and 414a) Swaziland No & Draft Law Draft Law: Computer Crime and Cybercrime Bill, 2013 No No No No Sweden Yes Penal Code, Chapter 4, Section 9 c {Has signed and/or No No No ratified (or acceded to)} Switzerland Yes Penal Code (Articles 143bis &144bis) {Has signed and/or No No No ratified (or acceded to)} Syrian Arab Yes Law for the Regulation of Network Communication Against Cyber No {Has signed and/or No No Republic Crime, 2012 (also called “Law on the network communication and ratified (or acceded to)} computer crime control, 2012”) Tajikistan Yes Criminal Code (enacted in May 21, 1998), Section XII. Crimes No No {Has signed and/or {Has signed and/or against Information Security, Chapter 28. Crimes against ratified (or acceded to)} ratified (or acceded to)} Information Security (Articles 298-304) Tanzania Yes Cybercrimes Act, 2015 No No No No Thailand Yes Computer Crime Act, 2007 No No No No Timor-Leste No No No No No Togo No & Draft Law The Draft Law on the Fight against Cybercrime No No No No Tonga Yes Computer Crimes Act (Act No. 14 of 2003) {Has signed and/or No No No ratified (or acceded to)} Page 371 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime Trinidad and Yes & Draft Law  Computer Misuse Act, 2000 No No No No Tobago  Draft Law: The Cybercrime Bill, 2015 Tunisia Yes & Draft Law  Draft Law: Cybercrime Bill, 2014 No {Has signed and/or No No ratified (or acceded to)}  Penal Law (Articles 199 bis and 199ter) Turkey Yes  Criminal Code (10th Section. Offences in the field of Data {Has signed and/or No No No Processing Systems. Articles 243 to 246) ratified (or acceded to)}  Law No. 5651 on Regulation of Internet Publications and Combating Crimes Committed through such Publications, 2007 (amended by Law No. 6518 of 2014)  Regulation on the Principles and Procedures of Regulating the Publications on the Internet Turkmenistan Yes Criminal Code (enacted in 1997, entered into force in 1998, and No No No No last amended in 2014), Chapter 33. Computer Information Crimes (Articles 333 to 335) Tuvalu No No No No No Uganda Yes Computer Misuse Act, 2011 No No No No Ukraine Yes & Draft Law  Draft Law on Combating Cybercrime, 2014 {Has signed and/or No {Has signed and/or No ratified (or acceded to)} ratified (or acceded to)}  Criminal Code (enacted in 2001 and amended in 2005), Chapter XVI. Criminal Offenses related to the Use of Electronic Computing Machines (Computers), Systems and Computer Networks and Telecommunication Networks (Articles 361 to 363-1) United Arab Yes Federal Decree-Law No. 5 of 2012 on Combating Cyber Crimes No {Has signed and/or No No Emirates (replacing Federal Law No. 2 of 2006 on the Prevention of ratified (or acceded to)} Information Technology Crimes) Page 372 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime United Kingdom Yes  Computer Misuse Act, 1990 (last amended by Serious Crimes {Has signed and/or No No No Act, 2015) ratified (or acceded to)}  Regulations of Investigatory Powers Act, 2000 United States Yes  15 (Title 15) U.S.C. (United States Code), Chapter 103 - {Has signed and/or No No No Controlling the Assault of Non-solicited Pornography and ratified (or acceded to)} Marketing , § (Section) 7701-7713  18 U.S.C., Chapter 47-Crimes and Criminal Procedure, § 1028 through 1030; Chapter 119 - Wire and Electronic Communications Interception and Interception of Oral Communications; Chapter 121 - Stored Wire and Electronic Communications and Transactional Record Access; and §3121, General prohibition on pen register and trap and trace device use; exception Uruguay Yes Penal Code [Enacted by Law No. 9,155 of 1933 and Amended No No No No by Law No. 18,383 of 2008 (Attack on the regularity of telecommunications)] (e.g., Article 217) Uzbekistan Yes Criminal Code (enacted in 1994, came into force in 1995, and No No {Has signed and/or {Has signed and/or amended in 2001), Special Part, Section III. Economic Crimes, ratified (or acceded to)} ratified (or acceded to)} Chapter 11. Crimes unrelated to Larceny of Property (Article 174: Computer-related Crimes) Vanuatu No No No No No Venezuela, RB Yes Special Law against Computer Crimes, 2001 No No No No Vietnam Yes  Law on information technology (Law No. 67/2006/QH11) No No No No  Penal Code (Enacted by Law No. 15/1999/QH10 and Amended by Law No. 37/2009/QH12) (e.g., Article 226a) Page 373 | Chapter 9 | Appendix   View citations at the end of this section page 404 C APPENDIX National Legal Frameworks on Combating TABLE C Cybercrime (Assessment Table) National Legal Frameworks on Combating Cybercrime1 Country Name2 Has domestic Name of domestic legislation regarding cybercrime International or Regional Instrument3 legislation regarding Budapest Convention Arab Convention CIS Agreement SCO Agreement cybercrime West Bank and No & Draft Law Draft Penal Code (Part 12. Cybercrimes, Articles 646 to 677) No {Has signed and/or No No Gaza ratified (or acceded to)} Yemen, Rep. No & Draft Law Draft law for combating electronic crimes (also called “Draft Law on No {Has signed and/or No No Combating Electronic Crime”) ratified (or acceded to)} Zambia Yes  Computer Misuse and Crimes Act, 2004 (No. 13 of 2004) No No No No  Electronic Communication and Transactions Act, 2009 (No. 21 of 2009) [Part XIV. Cyber Inspectors (Sections 93 to 97), Part XV. Cyber Crimes (Sections 98 to 109)] Zimbabwe Yes & Draft Law  Computer Crime and Cybercrime Bill No No No No  Criminal Law (Codification and Reform) Act, Chapter VIII. Computer-related Crimes (Sections 162-168) Page 374 | Chapter 9 | Appendix   View citations at the end of this section page 404 D APPENDIX Comparative Analysis of Indicators Used in TABLE D1 In-Country Assessment Tools Explanatory Note: The Project reviewed the in-country assessment tools used developed by exogenous reference (e.g., a particular multilateral instrument or a sample legislative language) the participants in this Project. The indicators developed (in the left-hand column) are a synthesis of those indicators were considered in light of those corresponding. The frequency with which an indicator assessments, as well as other assessments. The synthesized set of indicator were then “mapped” appears in the assessments is shown in the right-hand column. The color-coding for frequency is shown against the respective tools. Where an assessment includes an indicator, it is indicated with a “Y”, as at the bottom of the table. More information about the assessments may be found in the endnotes to well as where in the particular assessment, the indicator can be found or is referenced. In cases where this Appendix. The synthesized indicators shown here also formed the basis of the Assessment Tool an assessment explicitly stated that its questions were prepared corresponding to provisions of an developed by this Project and included in appendix 9. Non-Legal Frameworks In-Country Assessment Tools / AIDP1 CoE2 ITU3 UNODC Cybercrime Oxford6 Frequency Indicators Questionnaire (2012)4 & Number Comprehensive Study5 of Entities Covered (out of 5) Non-Legal Frameworks Y (Page 5) Y (2012) [a.Q1 to Q11, b.Q113 Y (Pages 29 to 32) 3 of 5 to Q120, c.Q15 to Q164, d.Q186 to 192, e.Q241 to 261] 1. National strategy (or “national policy”) on cybercrime Y (2012) (Q1) 1 of 5 a. Binding all relevant authorities and private sector 0 of 5 i. Binding public-private 0 of 5 ii. Binding public 0 of 5 iii. No binding force 0 of 5 b. Long term strategy? 0 of 5 i. Longer than 5 years 0 of 5 ii. Longer than 3 years 0 of 5 iii. Less than 3 years 0 of 5 iv. No specific term 0 of 5 c. Define specific vulnerable areas to be protected 0 of 5 Page 375 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D1 In-Country Assessment Tools Continued from last page Non-Legal Frameworks In-Country Assessment Tools / AIDP1 CoE2 ITU3 UNODC Cybercrime Oxford6 Frequency Indicators Questionnaire (2012)4 & Number Comprehensive Study5 of Entities Covered (out of 5) d. Define resources and necessities to fight cybercrime 0 of 5 i. Human resource (HR) 0 of 5 ii. Assets including devices & infrastructure 0 of 5 iii. User protection strategy 0 of 5 2. Define lead government institution responsible for coordinating the prevention and combating cybercrime Y (2012) (Q2) 1 of 5 a. Higher than PM 0 of 5 b. Ministerial level 0 of 5 c. Lower than ministerial level 0 of 5 3. PPPs to obtain information and evidence from the private sector (e.g., service providers) Y (2012) (Q6) 1 of 5 Formal cooperation with the private sector (e.g., service providers) a.  Y (2012) (Q102), Y (2013) 1 of 5 (Page 146) i. By court order Y (2012) (Q102), Y (2013) 1 of 5 (Page 146) ii. By prosecution order Y (2012) (Q102), Y (2013) 1 of 5 (Page 146) iii. By police letter Y (2012) (Q102), Y (2013) 1 of 5 (Page 146) b. Informal cooperation with the private sector (e.g., service providers) Y (2012) (Q103) 1 of 5 Maintain statistics on 4.  Y (Page 5) Y (2012) (a.Q10, b.Q54 to 71, Y (Pages 29 to 32) 3 of 5 cybercrime c.Q121 to Q138, d.Q165 to Q182) Page 376 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D1 In-Country Assessment Tools Continued from last page Non-Legal Frameworks In-Country Assessment Tools / AIDP1 CoE2 ITU3 UNODC Cybercrime Oxford6 Frequency Indicators Questionnaire (2012)4 & Number Comprehensive Study5 of Entities Covered (out of 5) a. Designated authority to collect & analyze statistics on cybercrime 0 of 5 b. Define statistics necessary for cybercrime 0 of 5 c. Updates to statistics on cybercrime regularly 0 of 5 5. Technical cooperation on cybercrime Y (2012) (Q241 to Q261) 1 of 5 Page 377 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D2 In-Country Assessment Tools Legal Frameworks In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) National Legal Frameworks Y (Pages 1 to 5) Y (Arts. 1 to 35) Y (Q1 to Q34) Y (Q12 to Q53) Y (Pages 27 to 28) 5 of 5 1. D  omestic legislation regarding Y (Pages 1 to 5) Y (Arts. 1 to 35) Y (Q1 to Q34) Y (Q12 to Q53) Y (Pages 27 to 28) 5 of 5 cybercrime a. Is cybercrime regulated by law Y (Page 1) [(…) criminal laws Y (Page 1) [Corresponding Y (Page 35) (Citation of Y (Q12) [(…) main legislation Y (Pages 27 to 28) (Substantive 5 of 5 related to cyber-crimes (…)] provisions (…) in national provision, Consistent with that is specific to cybercrime cybercrime law, Procedural legislation] Toolkit) (…)] cybercrime law) i. Comprehensively Yes 0 of 5 ii. Partially Yes with draft law 0 of 5 iii. Partially Yes without draft law 0 of 5 iv. No (no enacted law) but draft law 0 of 5 b. Have detailed definitions of the terms related cybercrime Y (Art.1) Y (Q1) 2 of 5 i. Computer data Y (Art. 1 – “computer data”) Y (Q1.c.) 2 of 5 ii. Computer system Y (Art. 1 – “computer system”) Y (Q1.e.) 2 of 5 iii. Service provider Y (Art. 1 – “service provider”) Y (Q1.p.) 2 of 5 iv. Subscriber information Y (Art. 18, – Ex. Rept. 177-180) Y (Q1.q.) 1 of 5 v. Traffic data Y (Art. 1 – “traffic data”) Y (Q1.r.) 2 of 5  ultilateral treaties on 2. M Y (Page 1) Y (Pages 27 to 28) 2 of 5 cybercrime a. Signature Y (Page 1) Y (Page 27) 2 of 5 b. Ratification (or “accession”) Y (Page 1) Y (Pages 27 to 28) 2 of 5 Page 378 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D3 In-Country Assessment Tools Substantive Law In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Substantive Law Y (2013) (Pages 1 to 5) Y (Arts. 2 to 12) Y (Q2 to Q11) Y (Q25 to Q40) Y (Pages 27 to 28) 5 of 5  riminalization of offences 1. C Y (2013) (Pages 1 to 2) Y (Arts. 2 to 6) Y (Q2 to Q6) Y (Q25 to Q29) 4 of 5 directed against the confidentiality, integrity, and availability of computer data or systems llegal access to a computer a. I Y (2013) (Page 1) Y (Art 2.) Y (Q2) Y(Q25) 4 of 5 system b. Illegal interception Y (2013) (Page 1) Y (Art. 3) Y (Q5) Y (Q26) 4 of 5 c. Data interference Y (2013) (Page 1) Y (Art. 4) Y (Q4, b.) Y (Q27) 4 of 5 d. System interference Y (2013) (Page 1) Y(Art. 5) Y (Q4, a.) Y (Q27) 4 of 5 e. Misuse of devices Y (2013) (Page 2) Y(Art. 6) Y (Q6) Y (Q28) 4 of 5  riminalization of traditional 2. C Y (2013) (Pages 2 to 4) Y (Arts. 7 to 10) Y (Q7, and Q8) Y (Q30 to Q32, Q34 to Q38) 4 of 5 offences committed by/through the use of computer systems or data a. Computer-related forgery Y (2013) (Page 2) Y (Art. 7) Y (Q7) Y (Q30) 4 of 5 b. Computer-related fraud Y (2013) (Page 4) Y (Art. 8) Y (Q8) Y (Q30) 4 of 5  omputer-related copyright and c. C Y (2013) (Page 4) Y (Art. 10) Y (Q32) 3 of 5 trademark offences  omputer-related identity d. C Y (2013) (Page 3) Y (Arts. 2-8) Y (Q31) 2 of 5 offences  omputer-related child e. C Y (2013) (Pages 3 to 4) Y (Art. 9) Y (Q36) 3 of 5 pornography offences Page 379 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D3 In-Country Assessment Tools Continued from last page Substantive Law In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) 3. Corporate liability Y (Art. 12) Y (Q11) Y (Q40) 3 of 5 4. Aid, abet or attempt a. Aid or abet Y (Art. 11) Y (Q10) 4 of 5 b. Attempt Y (Art. 11) Y (Q10) Y (Q40) 3 of 5 Page 380 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D4 In-Country Assessment Tools Procedural Law In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Procedural Law Y (Pages 1 to 2) Y (Arts. 14 to 21) Y (Q12 to Q20) Y (Q42 to Q53) Y (Page 28) 5 of 5 1. Scope of procedural provisions Y (Art. 14) Y (Q12 2 of 5 2. Procedural conditions & safeguards Y (Art. 15) Y (Q13) 2 of 5 3. E  xpedited Preservation of Y (Art. 16) Y (Q14) Y (Q49) 3 of 5 stored computer data (data preservation) 4. E  xpedited preservation & Y (Art. 17) Y (Q15) Y (Q45) 3 of 5 partial disclosure of traffic data 5. Expedited preservation of computers or storage media7 Y (Q16) 1 of 5 6. Production Order  roduction order: Specified a. P Y (Art. 18) Y (Q17) 2 of 5 computer data  roduction order: Subscriber b. P Y (Art. 18) Y (Q17) Y (Q44) 3 of 5 information  earch & seizure of computer 7. S Y (Page 1) Y (Art. 19) Y (Q18) Y (Q42, Q43) 4 of 5 data and/or computer systems  eal-time collection of traffic 8. R Y (Page 1) Y (Art.20) Y (Q19) Y (Q47) 4 of 5 data 9. Interception of content data Y (Page 1) Y (Art. 21) Y (Q20) Y (Q48) 4 of 5 10. Use of remote forensic tools Y (Q50) 1 of 5  rans-border access to 11. T Y (Art. 32) Y (Q51) 1 of 5 computer data Page 381 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D4 In-Country Assessment Tools Continued from last page Procedural Law In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) 12. Obtaining information and evidence from third parties a. Compelling third parties (non-targets) to provide information Y (Q101) 1 of 5 Compelling private actors (e.g., b.  Y (Page 1) Y (Arts. 18-21) 1 of 5 service providers) to provide information Private actors (e.g., service (2)  Y (Page 1) 1 of 5 providers)’ voluntary provision (supply) of information Page 382 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D5 In-Country Assessment Tools Electronic Evidence In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) e-Evidence Y (Page 2) Y (2012) (Q111, Q105, Q144 Y (Pages 29 to 32) 3 of 5 to Q147), Y (2013) (Pages 157 to 182) 1. Rules on e-evidence  ules on admissibility of (1) R Y (Page 2) Y (2012) (2012) (Q144) 2 of 5 e-evidence  ules on admissibility of (2) R Y (2012) (Q145) 1 of 5 e-evidence obtained from foreign jurisdictions Rules on discovery of e-evidence Y (Page 2) (3)  1 of 5  ules on evaluating (probative (4) R Y (Page 2) 1 of 5 value of) e-evidence  ther rules specific to (5) O Y (Page 2) Y (2012) (Q146) 2 of 5 e-evidence 2. Law enforcement and Electronic Evidence  ollecting e-evidence with (1) C Y (Page 2) Y (2012) (Q111) 2 of 5 integrity (2) Storing/retaining e-evidence Y (Page 2) Y (2012) (Q111) 2 of 5 (3) Transferring e-evidence to courts or prosecutors from law enforcement agencies Y (2012) (Q111) 1 of 5 (4) Obtaining e-evidence in foreign jurisdictions Y (2012) (Q105), Y (2013) (Page 1 of 5 201) 1) Formal MLA request Y (Arts. 27 to 28, 31) Y (2012) (Q105), Y (2013) (Page 1 of 5 201) Page 383 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D5 In-Country Assessment Tools Continued from last page Electronic Evidence In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) 2) Informal police cooperation Y (2012) (Q105), Y (2013) (Page 1 of 5 201) Direct contact with service 3)  Y (2012) (Q105), Y (2013) (Page 1 of 5 providers 201) 4) 24/7 network Y (Arts. 35) Y (2012) (Q105), Y (2013) (Page 1 of 5 201) 5) Other (please specify) Y (Arts. 26, 29, 30, 32 to 34) Y (2012) (Q105), Y (2013) (Page 1 of 5 (respectively spontaneous 201) information, preservation, expedited disclosure, transborder search, real-time traffic collection, real-time interception) Page 384 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D6 In-Country Assessment Tools Jurisdiction In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Jurisdiction Y (Page 1) Y (Art. 22) Y (Q21) Y (2012) (Q18 to Q19), Y (2013) 4 of 5 (Pages 191 to 196) 1. Common national bases for jurisdiction over cybercrime acts (1) Territory basis  ffence is committed (partly or 1) O Y (Art. 22) Y (Q21.a.) Y (2012) (Q18), Y (2013) (Page 2 of 5 wholly) within its territory 191)  ffence is committed using a computer system or data located 2) O Y (Art. 22) Y (2012) (Q18), Y (2013) (Page 1 of 5 within its territory 192)  ffence is directed against a computer system or data within its 3) O Y (Art. 22) Y (2012) (Q18), Y (2013) (Page 1 of 5 territory 192) 4) Effect or damage of the offence is located within its territory Y (2012) (Q18), Y (2013) (Page 1 of 5 191)  ffence is committed on a ship 5) O Y (Art. 22) Y (Q21.b) 1 of 5 or aircraft registered to your country (2) Nationality-basis 1) Nationality of the offender Y (Art. 22) Y (Q21.c.) Y (2012) (Q18), Y (2013) (Page 2 of 5 191) 2) Nationality of the victim Y (2012) (Q18), Y (2013) (Page 1 of 5 191)  urisdiction where extradition 2. J Y (Art. 22) Y (Q21.d.) 1 of 5 refused  oncurrent jurisdiction (conflicts 3. C Y (Page 1) Y (Art. 22) Y (Q21.e.) Y (2012) (Q18) 3 of 5 of jurisdiction) Page 385 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D6 In-Country Assessment Tools Continued from last page Jurisdiction In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Establishment of the place 4.  Y (Page 1) Y (Q21.f) 2 of 5 where the offence occurred 5. Dual criminality Y (2012) (Q18), Y (2013) (Page 1 of 5 194) 6. Reservation Y (Art. 22) Y (Q21.g.) 1 of 5 Page 386 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D7 In-Country Assessment Tools Legal Safeguards In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Safeguards Y (2012) (Page 2) Y (Art. 15) Y (Q20 to Q24) Y (Pages 26 to 27) 3 of 5 1. P  rivacy and (personal) data CoE Convention 108 Y (Q21 to Q24) Y (Pages 26 to 27) 3 of 5 protection 2. Freedom of expression Y (2012) (Page 2) Y (Q20) Y (Pages 26) 3 of 5 Page 387 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D8 In-Country Assessment Tools International Cooperation In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) International Cooperation Y (Pages 1 to 2) Y (Arts. 23 to 35) Y (Q22 to Q33) Y (2012) (Q193 to Q240) Y (Pages 29 to 32) 5 of 5 1. Formal international cooperation  eneral principles relating to a. G Y (Art. 23) Y (Q22) 2 of 5 international cooperation b. General Principles relating to Extradition Y (Art. 24) Y (Q23) Y (2012) (Q193 to Q215) 3 of 5  omestic legislation for i. D Y (Art. 24) Y (2012) (Q 193), Y (2013) (Page 1 of 5 extradition in cybercrime cases 200)  reaty or reciprocity in the ii. T Y (Art. 24) Y (2012) (Q202 to Q207), Y 1 of 5 absence of treaty provisions (2013) (Page 201) iii. Central authority Y (Art. 24) Y (2012) (Q195) 1 of 5 iv. Refusal of extradition Y (Art. 24) Y (Q23.d) 1 of 5 v. Dual criminality Y (Art. 24) Y (2012) (Q198), Y (2013) (Page 1 of 5 204)  eriousness of a minimum vi. S Y (Art. 24) Y (2012) (Q198), Y (2013) (Page 1 of 5 penalty 204)  eneral principles relating to c. G Y (Page 1) Y (Art. 25) Y (Q24) Y (2012) (Q216 to Q240) 4 of 5 MLA  omestic legislation for MLA in i. D Y (Art. 25) Y (2012) (Q216), Y (2013) (Page 1 of 5 cybercrime cases 200)  reaty or reciprocity in the ii. T Y (Art. 27) Y (2012) (Q227 to Q232), Y 1 of 5 absence of treaty provisions (2013) (Page 201) iii. Central Authority Y (Art. 27) Y (2012) (Q217) 1 of 5 Page 388 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D8 In-Country Assessment Tools Continued from last page International Cooperation In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) iv. Expedited means of communication Y (Arts. 25 & 27) Y (Q24.b.) 1 of 5 v. Refusal to cooperate or assist Y (Page 1) Y (Arts. 25 & 27) Y (Q24.c, Q26.c) 2 of 5 vi. Dual Criminality Y (Page 1) Y (Arts. 25) Y (Q24.d.) Y (2012) (Q220), Y(2013) (Pages 2 of 5 204 to 205) Confidentiality of information to be provided and limitation on vii.  Y (Art. 28 Y (Q26.g) 2 of 5 use viii. Spontaneous (unsolicited) information Y (Art. 26) Y (Q25) 2 of 5 Specific Provisions relating to d.  Y (Page 1) Y (Arts. 29 to 34) Y (Q27 to Q32) Y (2012) (Q108) 4 of 5 MLA i. MLA relating to provisional measures (a) Expedited preservation of stored computer data Y (Art. 29) Y (Q27) 2 of 5 (b) Expedited disclosure of preserved traffic data Y (Art. 30) Y (Q28) 2 of 5 MLA relating to investigative ii.  powers (a) MLA regarding accessing of stored computer data Y (Art. 31) Y (Q29) 2 of 5 (b) Trans-border access to stored computer data Y (Art.32) Y (Q30) Y (2012) (Q108) 3 of 5 (c) MLA in the real-time collection of traffic data Y (Art. 33) Y (Q31) 2 of 5 Page 389 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D8 In-Country Assessment Tools Continued from last page International Cooperation In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) MLA regarding the interception (d)  Y (Page 1) Y (Art. 34) Y (Q32) 3 of 5( of content data 2. Informal international cooperation Multilateral network (e.g., 24/7 a.  Y (Page 2) Y (Art. 35) Y (Q33) Y (2012) (Q107) 4 of 5 network) b. Bilateral network (e.g., direct police-to-police cooperation) Y (2012) (Q106, Q223) 1 of 5 Page 390 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D9 In-Country Assessment Tools Capacity Building In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5) Capacity-building Y (Page 5) Y (a.Q113 to Q120, b.Q157 to Y (Pages 29 to 32) 3 of 5 Q164, c.Q186 to Q192) 1. CERT Y (Q10) 1 of 5 2. Law enforcement (police) Y (Page 5) Not in the treaty text but Y (Q113 to Q120) Y (Pages 29 to 30) 3 of 5 extensive ancillary program  aw enforcement structure for a. L Y (Q 113) 1 of 5 cybercrime cases  eparate unit/agency specifically b. S Y (Page 5) Y (Q114) 2 of 5 for investigating cybercrime c. Specialized police officers assigned to cybercrime cases Y (Q115) 1 of 5  ufficient resources and capabilities to investigate cybercrime cases and/or cases involving d. S Y (Page 29) 1 of 5 electronic evidence (including digital forensic tools)  raining programs to police e. T Y (Page 5) Y (Q117 to Q120) Y (Page 29) 3 of 5 officers in the investigation of cybercrime cases 3. Prosecution Y (Page 5) Not in the treaty text but Y (Q157 to Q164) Y (Pages 30 to 31) 3 of 5 extensive ancillary program  rosecution structure for a. P Y (Q157) 1 of 5 cybercrime cases  eparate unit/agency specifically b. S Y (Page 5) Y (Q158) 2 of 5 for prosecuting cybercrime Page 391 | Chapter 9 | Appendix   View citations at the end of this section page 405 D APPENDIX Comparative Analysis of Indicators Used in TABLE D9 In-Country Assessment Tools Continued from last page Capacity Building In-Country Assessment Tools / AIDP CoE ITU UNODC Cybercrime Oxford Frequency Indicators Questionnaire & Number Comprehensive Study of Entities Covered (out of 5)  pecialized prosecutors assigned c. S Y (Q159 to Q163) 1 of 5 to cybercrime cases Sufficient resources and capacities to prosecute cybercrime cases and/or cases involving electronic d.  Y (Page 30) 1 of 5 evidence Training programs to prosecutors Y (Page 5) e.  Y (Q161 to Q164) Y (Page 30) 3 of 5 for cybercrime cases 4. Court Y (Page 5) Not in the treaty text but Y (Q186 to Q192) Y (Pages 31 to 32) 3 of 5 extensive ancillary program Court structure for cybercrime a.  Y (Q186) 1 of 5 cases Separate courts specifically for b.  Y (Q 186 to Q187) 1 of 5 the trial of cybercrime cases Specialized judges assigned to c.  Y (Q188 to Q191) 1 of 5 cybercrime cases Training programs to judges in d.  Y (Page 5) Y (Q189 to Q192) Y (Page 31) 3 of 5 the trial of cybercrime cases Page 392 | Chapter 9 | Appendix   View citations at the end of this section page 405 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Explanatory Note: This Table sets forth the Toolkit’s synthetic, in-country assessment tool (Assessment provide a basis for monitoring progress. Use and results of the Assessment Tool are for the benefit Tool), as discussed in chapter 7. The purpose of the Assessment Tool is to enable a user to determine of the user downloading it. Workflow remains solely with the user and there is no tracking, ranking or gaps in capacity and to highlight priority areas in directing capacity-building resources. The first use reporting back of results. The Assessment Tool can also be found in its online format at: http://www. of the Assessment Tool will provide a baseline. Periodic updating by using the Assessment Tool will combattingcybercrime.org/. Level 1 Level 2 Level 3 Level 4 Response Binding Public & Private  Yes    No Binding all relevant authorities and Private Sectors? Binding Public  Yes    No No binding Force  Yes    No Longer than 5 years  Longer than 5 years Longer than 3 years  Longer than 3 years Long term strategy? Less than 3 years  Less than 3 years National Strategy/Policy?  No specific terms No specific terms Define specific Vulnerable Areas to be protected?  Yes    No Non-Legal Framework HR  Yes    No Define Resources and Necessities to fight Cybercrime Assets incl. devices & Infra  Yes    No User Protection Strategy  Yes    No Update plan?  Yes    No higher than PM  Yes    No Lead Government Institution responsible for coordinating Ministerial level  Yes    No the prevention and combating cybercrime lower than Ministerial  Yes    No Page 393 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Continued from last page Level 1 Level 2 Level 3 Level 4 Response By Court Order  Yes    No Formal Cooperation with Private Sector by Prosecutor’s Order  Yes    No Public-Private Partnership to by Police Letter  Yes    No obtain information and/or evidence? Informal Cooperation with Private Sector  Yes    No Designated authority to collect & analyze statistics?  Yes    No Non-Legal Framework Maintain Statistical Information? Define statistics necessary for cybercrime?  Yes    No Updates regularly?  Yes    No Technical Cooperation?  Yes    No Page 394 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response Comprehensively Yes  Comprehensively Yes Partially /Draft  Partially/Draft Cybercrime is regulated by law?1  Partially/No-Draft Partially /No-Draft  No, but Draft  No Domestic Legislation on No but Draft cybercrime? Have detailed definition related to cybercrime?  Yes    No Legal Framework signed  Yes    No Joined any Treaties? ratified2  Yes    No Page 395 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response Criminalization of traditional crime committed by/through computer  Yes    No related activities3 Criminalization of newly emerged cybercrime4  Yes    No Criminal liability of corporate entity  Yes    No Substantive Law Aid or Abet aid, abet and attempt  Yes    No Attempt Page 396 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response During Investigation  Yes    No Due Process Conditions and Safeguards During Prosecution  Yes    No Production order: Specified computer data  Yes    No Production order through interception of content data Production order: Subscriber information  Yes    No Search and Seizure of computer data and/or computer  Yes    No systems Real-time collection of traffic data  Yes    No Investigation Interception of Content Data  Yes    No Procedural Law Trans-border access to computer data  Yes    No Compelling third parties  Yes    No Obtaining evidence from 3rd parties Compelling service providers to provide information  Yes    No Preservation of stored data  Yes    No Prosecution Preservation of traffic data  Yes    No Preservation of computers or storage media  Yes    No Page 397 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response Rules on admissibility of electronic evidence  Yes    No Rules on admissibility of electronic evidence obtained abroad  Yes    No Rules on discovery of electronic evidence  Yes    No Rules specific to e-evidence Rules on evaluating probative value of electronic evidence  Yes    No Other rules specific to electronic evidence  Yes    No Evidentiary law specific to cybercrime  Yes    No E-evidence Collecting E-evidence with integrity  Yes    No Storing/retaining e-evidence  Yes    No Transferring e-evidence to courts or prosecutors from Law enforcement agencies  Yes    No Law enforcement and e-Evidence Formal MLA  Yes    No Informal MLA  Yes    No Obtaining e-evidence from foreign jurisdiction Direct Contact with service provider  Yes    No 24/7 network  Yes    No Page 398 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response Offence is committed (partly or wholly) within its  Yes    No territory (Territorial principle) Offence is committed using computer system/data  Yes    No located within its territory Offence is directed against computer system/data Territory basis  Yes    No within its territory Common national basis of Effects/damages of the offence are located within its  Yes    No Jurisdiction territory Offence is committed on Ships/Aircrafts  Yes    No offender’s nationality  Yes    No Nationality basis Jurisdiction victim’s nationality  Yes    No Jurisdiction where extradition is refused  Yes    No Concurrent Jurisdiction  Yes    No Establishment of the place where offences occurred  Yes    No Dual criminality  Yes    No Reservation  Yes    No Page 399 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response Limit on the collection of data  Yes    No Purpose of collected data specified at time of collection  Yes    No Use of the data specified  Yes    No Data Protection Reasonable data security in place  Yes    No Individual has the right to know if government has Safeguards  Yes    No information about him/her Is the personal data relevant, necessary, accurate and  Yes    No complete? Right to seek redress  Yes    No Freedom of expression expressed in the law  Yes    No The right of communication the right to information expressed in the law  Yes    No Page 400 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response General Principle6  Yes    No domestic legislation7  Yes    No treaties  Yes    No General central authority  Yes    No Extradition refusal of extradition  Yes    No dual criminality  Yes    No seriousness of a minimum penalty  Yes    No domestic legislation for MLA  Yes    No treaties  Yes    No International central authority  Yes    No Cooperation expedited means of MLA  Yes    No General principles on Mutual Legal Assistance refusal of MLA request  Yes    No Formal dual criminality  Yes    No confidentiality of information to be provided and limitation on use  Yes    No spontaneous information  Yes    No provisional measures  Yes    No Specific Provisions on Mutual Legal Assistance investigative powers  Yes    No Multi-lateral Networks (e.g., 24/7)  Yes    No Informal Bilateral Coop Network  Yes    No Page 401 | Chapter 9 | Appendix E  View citations at the end of this section page 406 E APPENDIX Synthetic In-Country Assessment Tool TABLE E (Assessment Table) Level 1 Level 2 Level 3 Level 4 Response CERT  Yes    No Law enforcement structure for cybercrime cases  Yes    No Separate unit/agency specifically for investigating cybercrime cases  Yes    No Specialized law enforcement officers assigned to cybercrime cases  Yes    No Law Enforcement Sufficient resources and capabilities to investigate cybercrime cases and/or cases involving electronic  Yes    No evidence (including digital forensic tools) Training programs to police officers for the investigation of cybercrime cases  Yes    No Prosecution structure for cybercrime cases  Yes    No Capacity Building Separate unit/agency specifically for prosecuting  Yes    No cybercrime cases Prosecution Specialized prosecutors assigned to cybercrime cases  Yes    No Sufficient resources and capacities to prosecute cybercrime cases and/or cases involving e-evidence  Yes    No Training programs to prosecutors for cybercrime cases  Yes    No Court structure for cybercrime cases  Yes    No Separate courts specifically for the trial of cybercrime cases  Yes    No Court Specialized judges assigned to cybercrime cases  Yes    No Training programs to judges for the trial of cybercrime cases  Yes    No Page 402 | Chapter 9 | Appendix E  View citations at the end of this section page 406 End Notes Referenced in: Appendix B 10. Commonwealth Secretariat. 2002. “Annex B – Computer and Computer Related Crimes Bill.” In Model Law on Computer and Computer Related Crime, 1. African Union. 2014 (Adopted on 27 Jun. 2014). African 15-24. London: The Commonwealth. Union Convention on Cyber Security and Personal Data Protection. 11. ITU. 2012. HIPCAR, “Section II: Model Legislative Text – Cybercrime/e-Crimes.” Cybercrime/e-Crimes: Model 2. Commonwealth of Independent States (CIS). Policy Guidelines & Legislative Texts, 15-28. Geneva: 2001(Done on 1 Jun. 2001). Agreement on cooperation ITU. among the States members of the Commonwealth of Independent States in Combating Offences related to 12. ITU. 2013. HIPSSA, Computer Crime and Cybercrime: Computer Information. Southern African Development Community (SADC) Model Law. Geneva: ITU. 3. Council of Europe. 2001 (Opened for Signature 23 Nov. 2001). Convention on Cybercrime. 13. ITU. 2013. ICBRPAC, Electronic Crimes: Knowledge- Based Report (Skeleton). Geneva: ITU. 4. League of Arab States. 2010 (Done on 21 Dec. 2010). Arab Convention on Combating Information 14. ITU. 2013. HIPCAR, “Section II: Model Legislative Text Technology Offences. –Electronic Crimes.” Electronic Evidence: Model Policy Guidelines and Legislative Texts, 13-20. Geneva: ITU. 5. Shanghai Cooperation Organization (SCO). 2009 (Done on 16 Jun. 2009). Agreement between the 15. Organization for Eastern Caribbean States (OECS). Governments of the Member States of the Shanghai 2011. Electronic Crimes Bill (Fourth Draft). Castries: Cooperation Organization on Cooperation in the Field OECS. of International Information Security. 6. Economic Community of West African States (ECOWAS). 2011 (Done on 19 Aug. 2011). Directive on Fighting Cybercrime within Economic Community of West African States. 7. Council of Europe. 2003 (Opened for signature on 28 Jan. 2003). Additional Protocol to Convention on Cybercrime Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems. 8. Council of Europe. 2007(Opened for signature on 25 Oct. 2007). Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse. 9. Common Market for Eastern and Southern Africa (COMESA). 2011. “Cybercrime Model Bill, 2011.” In 2011 Gazette Volume 16, 45-77. Lusaka: COMESA. Page 403 | Chapter 9 | Appendix End Notes Referenced in: Appendix C 1. Unless otherwise noted, information contained in this Appendix was verified as of 16 June 2016. 2. 196 countries are included in this list. Countries are included if they are either (1) a Member of the World Bank (“Member Countries: International Bank for Reconstruction and Development”; http:// www.worldbank.org/en/about/leadership/members (last visited 4 February 2016), (2) a Member State of the UN (“Member States of the United Nations”; http://www.un.org/en/member-states/ (last visited 4 February 2016)); or (3) Permanent Observers to the UN (“Permanent Observers: Non-member States”; http:// www.un.org/en/sections/member-states/non-member- states/index.html (last visited 4 February 2016). 3. The instruments cited here are discussed in more detail in subchapter 5 A. Membership of a country in an international or regional instrument is indicated as follows: Blue =Yes, has signed and/or ratified (or acceded to) the instrument; Light Blue = has been invited to accede to the instrument; No color = No membership. The Africa Union Convention (https:// www.au.int/web/en/treaties/african-union-convention- cyber-security-and-personal-data-protection) (last accessed 30 August 2016) is not dealt with here because of the 54 potential members to the Convention only 8 have signed it and none have ratified it. Page 404 | Chapter 9 | Appendix End Notes Referenced in: Appendix D 3. Toolkit for Cybercrime Legislation (Draft), Country Worksheet, 2010, ITU, at 39 to 50 (ITU Country Worksheet), at: http://www.cyberdialogue.ca/wp- 1. The AIDP Assessment is based on a number of content/uploads/2011/03/ITU-Toolkit-for-Cybercrime- background papers prepared by its members. Legislation.pdf. Among these are: 4. ICB4PAC, Electronic Crimes: Knowledge-Based Report yy Weigend, Thomas. 2012. “Section 1: Concept (Assessment), Annex 1: Questionnaire, 2013, ITU, at 123 paper and questionnaire.” Paper prepared for to 124, at: http://www.itu.int/en/ITU-D/Projects/ITU-EC- AIDP’s Preparatory Colloquium Section I for the ACP/ICB4PAC/Documents/FINAL%20DOCUMENTS/ 19th International Congress of Penal Law on cybercrime_assessment.pdf. Information Society and Penal Law, “Criminal Law General Part,” Verona, Italy, 28-30 November. 5. Cybercrime Questionnaire for Member States, 2012, UNODC, at: https://cms.unov.org/DocumentRepositor yy Nijboer, Johannes F. 2013. “Section 3: Concept yIndexer/GetDocInOriginalFormat.drsx?DocID=f4b2f4 Paper and Questionnaire.” Paper prepared for 68-ce8b-41e9-935f-96b1f14f7bbc. AIDP’s Preparatory Colloquium Section III for the 19th International Congress of Penal Law on 6. University of Oxford, Global Cyber Security Capacity Information Society and Penal Law, “Criminal Centre. 2014. “Dimension 4 –Legal and regulatory Procedure,” Antalya, Turkey, 23-26 September. frameworks, D4-1: Cyber security legal frameworks and D4-2: Legal Investigations.” In Cyber Security Capability yy Klip, André. 2013. “Section 4: Concept Paper Maturity Model (CMM) – Pilot, 26-32. University of and Questionnaire.” Paper prepared for AIDP’s Oxford, Global Cyber Security Capacity Centre. Preparatory Colloquium Section IV for the 19th International Congress of Penal Law on Information 7. “Media” – as used here means any device capable Society and Penal Law, “International Criminal of storing digital or electronic data, such as, but not Law,” Helsinki, Finland, 10-12 June. limited to, computer hard drives, memory card, disk, or USB-device, for example. yy Viano, Emilio, “Section 2: Concept Paper and Questionnaire.” Paper presented at the Preparatory Colloquium: Section II (Criminal Law, Special Part) for the 20th International Congress of Penal Law on “Information Society and Penal Law”, 2013, AIDP, at 1 to 5, at: http://www.penal.org/IMG/pdf/ Section_II_EN.pdf. 2. Country Profile (Questionnaire in preparation of the Conference), 2007, Council of Europe. (Paper prepared for the Octopus Interface Conference, “Conference on Cooperation against Cybercrime,” Strasbourg, 11-12 June, 2007), at: http://www.coe.int/t/dghl/cooperation/ economiccrime/Source/567-m-if%202008%20 quest_en.doc. This questionnaire refers to provisions in national legislation corresponding to the provisions of the Budapest Convention. Additional resources - country profiles and numerous questionnaires to parties and observers - are available at: http://www.coe.int/en/ web/cybercrime/country-profiles and http://www.coe. int/en/web/cybercrime/t-cy-reports. Page 405 | Chapter 9 | Appendix End Notes Referenced in: Appendix E 1. This would include, for example, definitions of “computer system”, “computer data”, “service provider”, “subscriber information” and “traffic data”. 2. “Ratified” as used in this Assessment Table would also include “acceded to”. 3. These would include: Illegal access to a computer system; Illegal Interception; Data Interference; System Interference; and Misuse of Devices as well as Computer-related fraud; Computer-related forgery; Computer-related copyright and trademark offences; Computer-related identity offences. 4. Such issues would include: financial crimes; sending SPAM; and computer-related child pornography offences. 5. E.g. reciprocity through a treaty of comity 6. Due process issues refer to the rights of the accused during investigations and at trial. What constitutes “due process” varies from country to country and legal system. These could include, without limitation, the right not to testify, the right to a fair trial, the right to confront one’s accuser, the right to counsel, etc. Accordingly, rather than enumerate specific rights, the Assessment seeks to record whether any such rights exist at the investigatory and prosecutorial levels. 7. This refers to legislation on extradition, as opposed to cybercrime. 8. Treaty here refers to an “extradition” treaty, as opposed to a cybercriome treaty. Page 406 | Chapter 9 | Appendix End Notes CHAPTER 10 Bibliography In this Chapter Bibliography 408 Page 407 | Chapter 10 | Bibliography Bibliography Books, Reports, Journals, Studies, Working Papers, Conference Papers, News Release, Blogs, Online encyclopedia articles and Electronic magazines Jump to section: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A Abramovitch, Daniel Y. and Gene F. Franklin. 2002. “A Brief History of Disk Drive Control.” IEEE Control Systems Magazine 22(3): 28–42. Abreu, Elinor Mills. 2001 (Posted on 12 Dec. 2001). “FBI confirms “Magic Lantern” Project Exists.” Reuters. http://www.uhuh.com/control/magicfbi.htm. Acunetix. “SQL Injection.” Acunetix. http://www.acunetix.com/websitesecurity/sql-injection/. Adler, Julie. 2011. “The Public’s Burden in a Digital Age: Pressures on Intermediaries & the Privatization of Internet Censorship.” Journal of Law & Policy 20(1): 231 –265. http://brooklynworks. brooklaw.edu/cgi/viewcontent.cgi?article=1093&context=jlp. African Union. 2016. “List of Countries Which Have Signed, Ratified/Acceded to the AU Convention.” African Union. https://www.au.int/web/sites/default/files/treaties/29560-sl-african_ union_convention_on_cyber_security_and_personal_data_protection.pdf. Agresta, Michael. 2012 (Posted on 17 Aug. 2012). “Will the Next Election Be Hacked?” Wall Street Journal. http://www.wsj.com/articles/SB10000872396390444508504577595280674870186 Ahmed, Saeed. 2015 (Posted on 4 Dec. 2015). “Who Were Syed Rizwan Farook and Tashfeen Malik?” CNN. http://www.cnn.com/2015/12/03/us/syed-farook-tashfeen-malik-mass-shooting- profile/index.html. Akers, Ronald L. 1997. Criminological Theories: Introduction and Evaluation (2nd Edition). Los Angeles: Roxbury. Al Jazeera. 2017 (Posted on 16 May 2017).“WannaCry: What Is Ransomware and How to Avoid It.” Al Jazeera. http://www.aljazeera.com/news/2017/05/ransomware-avoid-170513041345145.html. Page 408 | Chapter 10 | Bibliography Table of Contents Albertson, Mark. 2013 (Posted 6 Dec. 2013). “Singapore Cyberstalker Convicted, but Others Roam Free.” Examiner. http://www.examiner.com/article/singapore-cyberstalker-convicted-but-others- roam-free. Amann, Diane Marie, ed. 2014. “Jurisdictional, Preliminary and Procedural Concerns.” Benchbook on International Law: II.A-1 to 16. https://www.asil.org/sites/default/files/benchbook/jurisdiction.pdf. American Law Institute. “Model Code of Cybercrime Investigative Procedure.” American Law Institute. http://www.crime-research.org/library/Model_Code.htm. Amnesty International. 2016. Encryption: A Matter of Human Right. Washington D.C.: Amnesty International. http://www.amnestyusa.org/sites/default/files/encryption_-_a_matter_of_human_ rights_-_pol_40-3682-2016.pdf. Apple. 2016 (Posted on 16 Feb. 2016). “A Message to Our Customers.” Apple. http://www.apple. com/customer-letter/. Armstrong, Jonathan, Gayle McFarlane and André Bywater. 2015. “European Court Rules Safe Harbor Invalid in Schrems Case.” Cordery Compliance Limited. http://www.corderycompliance. com/european-court-rules-safe-harbor-invalid-in-schrems-case/. Ashford, Warwick. 2014 (Posted on 27 Oct. 2014). “Researchers Uncover Sophisticated Cyber Espionage Campaign.” Computer Weekly. http://www.computerweekly.com/news/2240233415/ Researchers-uncover-sophisticated-cyber-espionage-campaign. Ashford, Warwick. 2015 (Posted on 2 Mar. 2015). “National Crime Agency Leads Partnership to Guard UK against Cybercrime.” Computer Weekly. http://www.computerweekly.com/ news/2240241511/National-Crime-Agency-leads-partnership-to-guard-UK-against-cyber-crime. Ashford, Warwick. 2015 (Posted on 5 Jun. 2015). “Co-Operation Driving Progress in Fighting Cyber Crime, Say Law Enforcers.” Computer Weekly. http://www.computerweekly.com/news/4500247603/ Co-operation-driving-progress-in-fighting-cyber-crime-say-law-enforcers. Ashford, Warwick. 2015 (Posted on 29 Jun. 2015). “Police Arrest 130 In Global Anti-cyber Fraud Operation.” Computer Weekly. http://www.computerweekly.com/news/4500248925/Police-arrest- 130-in-global-anti-cyber-fraud-operation. APEC (Asia-Pacific Economic Cooperation). 2009. APEC Cross-border Privacy Enforcement Arrangement. Singapore: APEC. http://www.apec.org/~/media/Files/Groups/ECSG/CBPR/CBPR- CrossBorderPrivacyEnforcement.pdf. Ausloos, Jef. 2012. “The Right to Be Forgotten—Worth Remembering?” Computer Law and Security Review 28 (1): 143–52. Page 409 | Chapter 10 | Bibliography Table of Contents Australian Government, Attorney-General’s Department. 2015. Data Retention: Guidelines for Service Providers. Barton ACT 2600, Australia: Australian Government, Attorney- General’s Department. https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/ DataRetentionGuidelinesForServiceProviders.pdf. Australian Government, Attorney-General’s Department. 2015. Discussion Paper--Mandatory Data Breach Notification. Barton ACT 2600, Australia: Australian Government, Attorney-General’s Department. https://www.ag.gov.au/Consultations/Documents/data-breach-notification/ Consultation-draft-data-breach-notification-2015-discussion-paper.DOCX. Avina, Jeffrey. 2011. “Public-private Partnerships in the Fight against Crime.” Journal of Financial Crime 18(3): 282 –291. http://www.emeraldinsight.com/doi/pdfplus/10.1108/13590791111147505. B Bacon, Stephen L. 2011. “A Distinction without a Difference: “Receipt” and “Possession” of Child Pornography and the Double Jeopardy Problem.” University of Miami Law Review 65(3): 1027 –1058. http://lawreview.law.miami.edu/wp-content/uploads/2011/12/v65_i3_sbacon.pdf. Bajaj, Avneet Kaur and Chander Jyoti.2015. “Cyber Crime through Mobile Phone in India and Preventive Methods.” International Journal of Research & Review 2(3): 110 – 113. http://www. gkpublication.in/IJRR_Vol.2_Issue3_March2015/IJRR0033.pdf. Bajarin, Tim. 2014 (Posted on 13 Jan. 2014). “The Next Big Thing for Tech: The Internet of Everything.” Time. http://time.com/539/the-next-big-thing-for-tech-the-internet-of-everything/. Bambauer, Derek. 2013. “Privacy Versus Security.” Journal of Criminal Law & Criminology 103(3). http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=7454&context=jclc. Banisar, David & Gus Hosein. 2000. A Draft Commentary on the Council of Europe Cybercrime Convention. Privacy Lecture Series. http://privacy.openflows.org/pdf/coe_analysis.pdf. Baranjuk, Chris. 2015 (Posted on 30 Oct. 2015). “Tor Launches Anti-Censorship Messenger Service.” BBC News. http://www.bbc.com/news/technology-34677323. Baraniuk, Chris. 2017 (Posted on 20 Jul. 2017). “AlphaBay and Hansa Dark Web Markets Shut Down.” BBC News. http://www.bbc.com/news/technology-40670010. Barendt, Eric. 2012. “Freedom of Speech and Privacy.” Free Speech Debate. http:// freespeechdebate.com/en/discuss/freedom-of-speech-and-privacy/. Page 410 | Chapter 10 | Bibliography Table of Contents Barrett, David. 2013 (Posted on 10 Jul. 2013). “One Surveillance Camera for Every 11 People in Britain, Says CCTV Survey.” Telegraph. http://www.telegraph.co.uk/technology/10172298/One- surveillance-camera-for-every-11-people-in-Britain-says-CCTV-survey.html. Bauer, Johannes M. & William H. Dutton. 2015. “The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet.” Background Paper for the World Development Report (WDR) 2016. Washington D.C.: World Bank. https://openknowledge.worldbank.org/ handle/10986/23641. Baum, Katrina, Shannan Catalano, Michael Rand & Kristina Rose. 2009. “Stalking Victimization in the United States.” U.S. Department of Justice, Office of Justice Programs. https://www.justice.gov/ sites/default/files/ovw/legacy/2012/08/15/bjs-stalking-rpt.pdf. Baylon, Caroline, Roger Brunt and David Livingstone. 2015. Cyber Security at Civil Nuclear Facilities Understanding the Risks. London: The Royal Institute of International Affairs, Chatham House. https://www.chathamhouse.org/sites/files/chathamhouse/field/field_ document/20151005CyberSecurityNuclearBaylonBruntLivingstone.pdf. Beal, Vangie. “Big Data.” Webopedia. http://www.webopedia.com/TERM/B/big_data.html. Bearman, Joshua & Tomer Hanuak. 2015 (Posted on May 2015). “The Rise & Fall of Silk Road.” Wired. https://www.wired.com/2015/04/silk-road-1/. Becker, Jay. 1980. “The Trial of a Computer Crime.” Computer Law Journal 2. http://repository.jmls. edu/cgi/viewcontent.cgi?article=1610&context=jitpl. Berkman Center for Internet & Society. “State and Federal Stalking Laws.” Harvard University. https://cyber.law.harvard.edu/vaw00/cyberstalking_laws.html. Bernstein, Anita. 2012. “Real Remedies for Virtual Injuries.” North Carolina Law Review 90: 1457– 1490. http://brooklynworks.brooklaw.edu/cgi/viewcontent.cgi?article=1447&context=faculty. Bheemaiah, Kariappa. 2015 (Posted on Jan. 2015). “Block Chain 2.0: The Renaissance of Money.” Wired. https://www.wired.com/insights/2015/01/block-chain-2-0/. Bilge, Leyla, Thorsten Strufe, Davide Balzaroti & Engin Kirda. 2009. “All Your Contacts Belong to Us: Automated Identity Theft Attacks on Social Networks.” Paper prepared for the 18th international conference on World Wide Web, Madrid, 20-24 Apr. http://seclab.tuwien.ac.at/papers/www- socialnets.pdf. BI Intelligence. 2016 (Posted on 25 May 2016). “Samsung Is Building a Smart Cities Network in South Korea.” BI Intelligence. http://www.businessinsider.com/samsung-is-building-a-smart-cities- network-in-south-korea-2016-5. Page 411 | Chapter 10 | Bibliography Table of Contents Bisson, David. 2014 (Posted on 23 Mar. 2014). “5 Social Engineering Attacks to Watch Out for.” Tripwire. https://www.tripwire.com/state-of-security/security-awareness/5-social-engineering- attacks-to-watch-out-for/. Blagov, Sergei. 2015. (Posted on 2 Sep. 2015). “Multinationals to Meet Russia Data Localization Rules.” Bloomberg BNA: News. http://www.bna.com/multinationals-meet-russia-n17179935650/. Blagov, Sergei. 2015 (Posted on Aug. 5 2015). “Russia Clarifies Looming Data Localization Law.” Bloomberg BNA: News. http://www.bna.com/russia-clarifies-looming-n17179934521/. Blake, Andrew. 2016 (Posted on 7 Oct. 2016). “Attorney for Silk Road Mastermind Ross Ulbricht Challenges Conviction in Federal Appeals Court.” Washington Times. http://www.washingtontimes. com/news/2016/oct/7/appeals-court-hears-case-against-ross-ulbricht-con/. Blau, John. 2007 (5 Sep. 2007). “Debate Rages over German Government Spyware Plan.” InfoWorld. http://www.infoworld.com/article/2649377/security/debate-rages-over-german- government-spyware-plan.html. Blumenthal, Jeremy A. 2001. “Shedding Some Light on Calls for Hearsay Reform: Civil Law Hearsay Rules in Historical and Modern Perspective.” Pace International Law Review 13, no.1. http:// digitalcommons.pace.edu/cgi/viewcontent.cgi?article=1205&context=pilr. Borchers, Detlef. 2007. (Posted on 19 Jul. 2007). “Secret Online Search Warrant: FBI uses CIPAV for the first time.” Heise News. http://www.h-online.com/security/news/item/Secret-online-search- warrant-FBI-uses-CIPAV-for-the-first-time-733274.html. Borisevich, Galina, Natalya Chernyadyeva, Evelina Frolovich, Pavel Pastukhov, Svetlana Polyakova, Olga Dobrovlyanina, Deborah Griffith Keeling and Michael M. Losavio. 2012. “A Comparative Review of Cybercrime Law and Digital Forensics in Russia, the United States and under the Convention on Cybercrime of the Council of Europe.” Northern Kentucky Law Review 39(2): 267. Boué, Thomas. 2015 (Jun. 2015) “Closing the Gaps in EU Cyber Security.” Computer Weekly. http:// www.computerweekly.com/opinion/Closing-the-gaps-in-EU-cyber-security. Bourke, Latika. 2016. “WhatsApp Gets Full Encryption to Protect User Privacy.” The Sydney Morning Herald, April 6. http://www.smh.com.au/technology/smartphone-apps/whatsapp-gets-full- encryption-to-protect-user-privacy-20160405-gnzaf2.html#ixzz453LPLDus. Brenner, Susan W. 2001. “Cybercrime Investigation and Prosecution: the Role of Penal and Procedural Law.” Murdoch University Electronic Journal of Law 8(2). http://unpan1.un.org/intradoc/ groups/public/documents/APCITY/UNPAN003073.pdf. Brenner, Susan W. and Bert-Jaap Koops. 2004. “Approaches to Cybercrime Jurisdiction.” Journal of High Technology Law 4(1): 1-46. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=786507. Page 412 | Chapter 10 | Bibliography Table of Contents Brenner, Susan W. 2007. “Cybercrime: Re-thinking Crime Control Strategies.” In Crime Online edited by Yvonne Jewkes, 12–28. Cullompton: Willan Publishing. Brenner. Susan W. 2007. “Private-public Sector Cooperation in Combating Cybercrime: in Search of a Model.” Journal of International Law and Technology 2(2): 58 –67. http://www.jiclt.com/index.php/ jiclt/article/view/20. Brenner, Susan W. 2009 (Posted on 6 May 2009). “Thoughts, Witches and Crimes.” CYB3RCRIM3: Observations on Technology, Law, and Lawlessness. http://cyb3rcrim3.blogspot.com/2009/05/ thoughts-witches-and-crimes.html. Brenner, Susan W. 2010 (Posted on 7 Jun. 2010). “Time Period for Seizing Computers.”CYB3RCRIM3: Observations on Technology, Law, and Lawlessness. http://cyb3rcrim3. blogspot.com/2009/05/thoughts-witches-and-crimes.html. Brezinski, D. and Tom Killalea. 2002. Guidelines for evidence collection and archiving. IETF RFC 3227. BBA (British Bankers’ Association). 2014. The cyber Threat to Banking: A Global Industry Challenge. London: BBA. https://www.bba.org.uk/wp-content/uploads/2014/06/BBAJ2110_Cyber_report_ May_2014_WEB.pdf. BBC (British Broadcasting Corporation). 2010. (Posted on 9 Dec. 2010). “Anonymous Hacktivists Say Wikileaks War to Continue.” BBC. http://www.bbc.com/news/technology-11935539. BBC Monitoring Europe. 2015 (Posted on 23 Mar. 2015). “New Bill Gives Turkish Government Power to Shut Down Websites in Four Hours.” BBC. BBC News. 2014 (Posted on17 Jan. 2014). “Edward Snowden: Leaks that Exposed US Spy Programme.” BBC News. http://www.bbc.com/news/world-us-canada-23123964. BBC News. 2016 (Posted on 22 Jul. 2016). “Snowden Designs Phone Case to Spot Hack Attacks.” BBC News. http://www.bbc.com/news/technology-36865209. BBC News. 2017 (Posted on 14 Feb. 2017). “How Hackers Could Use Doll to Open Your Front Door.” BBC News. http://www.bbc.com/news/technology-38966285. BBC News. 2017 (Posted on 14 May 2017). “Ransomware Cyber-attack Threat Escalating—Europe.” BBC News. http://www.bbc.com/news/technology-39913630. BBC News. 2017 (Posted on 14 May 2017). “Next Cyber-attack Could Be Imminent, Warn Experts.” BBC News. http://www.strategic-culture.org/news/2017/05/14/international-cyber-attack-roots- traced-us-national-security-agency.html. Page 413 | Chapter 10 | Bibliography Table of Contents BBC News. 2017 (Posted on 23 May 2017). “More Evidence for WannaCry ‘Link’ to North Korean Hackers.” BBC News. http://www.bbc.com/news/technology-40010996. Broache, Anne. 2007 (Posted on 31 Aug. 2007). “Germany Wants to Sic Spyware on Terror Suspects.” CNET. http://www.cnet.com/news/germany-wants-to-sic-spyware-on-terror-suspects/. Brown, Cameron S.D. 2015. “Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice.” International Journal of Cyber Criminology 9(1): 55-119. http://www. cybercrimejournal.com/Brown2015vol9issue1.pdf. Brown, Christopher L. T. 2006. Computer Evidence: Collection and Preservation (1st Edition). Newton Centre: Charles River Media. Bucci, Steven, Paul Rosenzweig & David Inserra. “A Congressional Guide: Seven Steps to US Security, Prosperity, and Freedom in Cyberspace.” Heritage Foundation. http://www.heritage. org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and- freedom-in-cyberspace. Budd, Christopher. 2014 (Posted on 3 Feb. 2014). “Why the SpyEye Conviction is a Big Deal.” Trend Micro. http://blog.trendmicro.com/spyeye-conviction-big-deal/. Burns, Brett. 2012. “Level 85 Rogue: When virtual Theft Merits Criminal Penalties.” UMKC Law Review 80(3): 831. BSA (Business Software Alliance). 2015. EU Cybersecurity Dashboard: A Path to a Secure European Cyberspace. Washington D.C.: BSA. http://www.bsa.org/~/media/Files/Policy/Security/EU/study_ eucybersecurity_en.pdf. Buttarelli, Giovanni. 2011. “Security and Civil Liberties in the Fight against Cybercrime: Fundamental Legal Principles for a Balanced Approach.” Courmayeur: ISPAC (International Scientific and Professional Advisory Council of the United Nations Crime Prevention and Criminal Justice Programme). https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/ Publications/Speeches/2011/11-12-02_Cybercrime_speech_GB_EN.pdf. C Calabresi, Massimo. 2017 (Posted on 22 Jun. 2017). “Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say.” Time. http://time.com/4828306/russian-hacking-election-widespread- private-data/. California Department of Justice, Office of the Attorney General. 2014. California Data Breach Report. California Department of Justice, Office of the Attorney General. https://oag.ca.gov/sites/ all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf. Page 414 | Chapter 10 | Bibliography Table of Contents Callanan, Cormac and Gercke, Marco. 2008. Cooperation between Law Enforcement and Internet Service Providers against Cybercrime: Towards Common Guidelines Best-of-Breed Guidelines. Strasburg: Council of Europe. http://www.coe.int/t/dg1/legalcooperation/economiccrime/ cybercrime/Documents/Reports-Presentations/567%20prov-d-wg%20STUDY%20final%20_25%20 june%202008_.pdf. Caloyannides, Michael A. 2004. Privacy Protection and Computer Forensics (2nd Edition). Norwood: Artech House. http://www.pdfarchive.info/pdf/C/Ca/Caloyannides_Michael_A_-_Privacy_ protection_and_computer_forensics.pdf. Cannataci, Joseph A. & Mireille M. Caruana. 2014. Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD). Strasbourg: CoE. https://rm.coe.int/CoERMPublicCommonSearchServices/ DisplayDCTMContent?documentId=09000016806ae16a. Carlisle, David. 2017. “Virtual Currencies and Financial Crimes.” RUSI Occasional Paper, Royal United Services Institute for Defence and Security Studies (RUSI). https://rusi.org/sites/default/files/ rusi_op_virtual_currencies_and_financial_crime.pdf. Carlson, Eric and Livingston, Scott. 2014 (Posted on 12 Aug. 2014). “Fraud Investigators Imprisoned for Illegally Collecting Personal Data in China.” Convington & Burling LLP –Inside Privacy. https:// www.insideprivacy.com/international/fraud-investigators-imprisoned-for-illegally-collecting- personal-data-in-china/. Carney, Megan and Marc Rogers. 2004. “The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction.” International Journal of Digital Evidence 2(4). https://www.utica.edu/academic/institutes/ecii/publications/articles/A0B2CCCB-E6FC-6840- AF4A01356B9B687A.pdf. Casey, Eoghan. 2000. Digital Evidence and Computer Crime: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (1st Edition). London: Academic Press. Casey, Eoghan. 2002. “Error, Uncertainty and Loss in Digital Evidence.” International Journal of Digital Evidence 1(2). https://www.utica.edu/academic/institutes/ecii/publications/articles/ A0472DF7-ADC9-7FDE-C80B5E5B306A85C4.pdf. Casey, Eoghan. 2002. “Practical Approaches to Recovering Encrypted Digital Evidence.” International Journal of Digital Evidence 1(3). https://www.utica.edu/academic/institutes/ecii/ publications/articles/A04AF2FB-BD97-C28C-7F9F4349043FD3A9.pdf. Casey, Eoghan. 2004. Digital Evidence and Computer Crime: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (2d ed.). London: Academic Press. Page 415 | Chapter 10 | Bibliography Table of Contents Cassin, Richard L. 2015 (Posted on 11 Sep. 2015). “A Different World after 9/11: Egmont Group Statement on Global Fight against Terrorist Financing.” The FCPA Blog. http://www.fcpablog.com/ blog/2015/9/11/a-different-world-after-911-egmont-group-statement-on-global.html. Castells, Manuel. 2002. The Internet Galaxy: Reflections on the Internet, Business, and Society. Oxford: Oxford University Press. Cate, Fred H., Peter Cullen and Viktor Mayer-Schönberger. 2014. Data Protection Principles for the 21st Century Revising the 1980 OECD Guideline. Oxford: Oxford Internet Institute, University of Oxford. http://www.oii.ox.ac.uk/publications/Data_Protection_Principles_for_the_21st_Century.pdf. Catteddu, Daniele and Giles Hogben, eds. 2009. Cloud Computing: Benefits, Risks and recommendations for Information Security. Heraklion: ENISA (European Network and Information Security Agency). https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment/ at_download/fullReport. Cecil, Nicholas. 2011 (Posted on 6 Nov. 2011). “MP Demands Law to Force Internet Providers to Remove Gang Videos.” Evening Standard. http://www.standard.co.uk/news/mp-demands-law-to- force-internet-providers-to-remove-gang-videos-6365780.html. CDT (Center for Democracy & Technology). 2012. Shielding the Messengers: Protecting Platforms for Expression and Innovation (Version 2, Updated December 2012). Washington, D.C.: CDT. https://cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf. CSIS (Center for Strategic and International Studies). 2014. Net Losses: Estimating the Global Cost of Cybercrime (Economic impact of cybercrime II). Washington D.C.: CSIS. http://csis.org/files/ attachments/140609_rp_economic_impact_cybercrime_report.pdf. Chandran, Nyshka. 2016 (Posted on 25 Jan. 2016). “Facebook’s Troubles in India Keep Snowballing.” CNBC. http://www.cnbc.com/2016/01/25/facebook-struggles-to-lift-ban-on-free- basics-in-india.html. Chang, Weiping, Wingyan Chung, Hsinchun Chen and Shihchieh Chou. 2003. “An International Perspective on Fighting Cybercrime.” In: Intelligence and Security Informatics: First NSF/NIJ Symposium, ISI 2003, Tucson, AZ, USA, June 2–3, 2003 Proceedings, 379-384. Berlin-Heidelberg: Springer. Chappell, Bill. 2017 (Posted on 15 May 2017). “WannaCry Ransomware: Microsoft Calls Out NSA for ‘Stockpiling’ Vulnerabilities.” NPR. http://www.npr.org/sections/thetwo-way/2017/05/15/528439968/ wannacry-ransomware-microsoft-calls-out-nsa-for-stockpiling-vulnerabilities. Chappell, Chappell. 2017 (Posted on 15 May 2017). “WannaCry Ransomware: What We Know Monday.” NPR. http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry- ransomware-what-we-know-monday. Page 416 | Chapter 10 | Bibliography Table of Contents Chaski, Carole E. 2005. “Who’s at the Keyboard? Authorship Attribution in Digital Evidence Investigations.” International Journal of Digital Evidence 4(1). https://www.utica.edu/academic/ institutes/ecii/publications/articles/B49F9C4A-0362-765C-6A235CB8ABDFACFF.pdf. Chawki, Mohamed, Ashraf Mohammad Darwish, Ayoub Khan and Sapna Tyagi. 2015. Cybercrime, Digital Forensics and Jurisdiction. Berlin: Springer International Publishing. Cheh, Mary M. 1991. “Constitutional Limits on Using Civil Remedies to Achieve Criminal Law Objectives: Understanding and Transcending the Criminal-Civil Law Distinction.” Hastings Law Journal 42. Chein, Allen. 2012. “A Practical Look at Virtual Property.” St. John’s Law Review 80(3) 1059-1090. http://scholarship.law.stjohns.edu/cgi/viewcontent.cgi?article=1211&context=lawreview. Chia, Terry. 2012 (Posted on 20 Aug. 2012). “Confidentiality, Integrity and Availability (CIA): The Three Components of the CIA Triad.” IT Security Community Blog. http://security.blogoverflow. com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/. Chief Judge B. Lynn Winmill, David L. Metcalf & Michael E. Band. 2010. “Cybercrime: Issues and Challenges in the United States.” Digital Evidence & Electronic Signature Law Review 7. Chin, Josh. 2015 (Posted on 12 Feb. 2015). “China Internet Restrictions Hurting Business, Western Companies Say.” The Wall Street Journal: China Real Time Report. http://blogs.wsj.com/ chinarealtime/2015/02/12/china-internet-restrictions-hurting-business-western-companies-say/. Choi, Kyung-shick. 2008. Structural Equation Modeling Assessment of Key Causal Factors in Computer Crime Victimization: A Dissertation Submitted to the School of Graduate Studies and Research. In: Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy. Indiana University of Pennsylvania. http://knowledge.library.iup.edu/cgi/viewcontent. cgi?article=1444&context=etd. Chun, Hyun Wook & Ja Young Lee. 2014. “Convention on Cybercrime and Due Process of Law: on Preservation and Partial Disclosure of Stored Data.” Korean Criminological Review 25 (ii). Ciardhuain, Séamus Ó. 2004. “An Extended Model of Cybercrime Investigation.” International Journal of Digital Evidence 3(1). https://www.utica.edu/academic/institutes/ecii/publications/ articles/A0B70121-FD6C-3DBA-0EA5C3E93CC575FA.pdf. Clancy, Thomas K. 2011. Cyber Crime and Digital Evidence: Materials and Cases. New York: Lexisnexis. Clark, Kelli. 2015 (Posted on 27 Oct. 2015). “The EU Safe Harbor Agreement Is Dead, Here’s What to Do about It.” Forbes. http://www.forbes.com/sites/riskmap/2015/10/27/the-eu-safe-harbor- agreement-is-dead-heres-what-to-do-about-it/#2f3bd6757171. Page 417 | Chapter 10 | Bibliography Table of Contents Clay, Jon. 2015 (Posted on 13 Apr. 2015). “Operation SIMDA: The Power of Public/Private Partnerships.” Trend Micro/Simply Security. http://blog.trendmicro.com/operation-simda-the- power-of-publicprivate-partnerships/. Clinton, Larry. “Cross cutting Issue #2 How Can We Create Public Private Partnerships that Extend to Action Plans that Work? (Updated).” ISA (Internet Security Alliance). https://www.whitehouse. gov/files/documents/cyber/ISA%20-%20Hathaway%20public%20private%20partnerships.pdf. Clough, Jonathan. 2011. “Data Theft? Cybercrime and the Increasing Criminalization of Access to Data.” Criminal Law Forum 22 (1 –2):145–170. Cohen, Lawrence E. and Marcus Felson. 1979. “Social Change and Crime Rate Trends: A Routine Activity Approach.” American Sociological Review 44: 588-608. http://www.personal.psu.edu/ exs44/597b-Comm%26Crime/Cohen_FelsonRoutine-Activities.pdf. Cohen, Lawrence E., Marcus Felson and Kenneth C. Land. 1981. “Social Inequality and Predatory Criminal Victimization: An Exposition and a Test of a Formal Theory.” American Sociological Review 46 (5):505-24. Colangelo, Anthony J. 2011. “A Unified Approach to Extraterritoriality.” Virginia Law Review 97: 1019-1109. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1762935. Collins, Judith. 2014 (Posted on 28 May 2014). “Privacy Law Changes to Strengthen Protection.” The Beehive. https://www.beehive.govt.nz/release/privacy-law-changes-strengthen-protection. COMESA (Common Market for Eastern and Southern Africa). 2011. “Cybercrime Model Bill, 2011.” In: 2011 Gazette 16, 45-77. Lusaka: COMESA. Commonwealth Secretariat. 2002. “Annex B – Computer and Computer Related Crimes Bill.” In: Model Law on Computer and Computer Related Crime, 15-24. London: The Commonwealth. http://www.cybercrimelaw.net/documents/%7BDA109CD2-5204-4FAB-AA77-86970A639B05%7D_ Computer%20Crime.pdf. Commonwealth Secretariat. 2003. “Draft Model Law on Electronic Evidence,” in: 2002 Meeting of Commonwealth Law Ministers and Senior Officials: Kingstown, St Vincent and the Grenadines, 18–21 November 2002. London: Commonwealth Secretariat. http://www.oecd-ilibrary.org/ commonwealth/governance/2002-meeting-of-commonwealth-law-ministers-and-senior-officials/ draft-model-law-on-electronic-evidence_9781848598188-11-en. Commonwealth Secretariat. 2014. “Annex A – The Commonwealth Working Group of Experts on Cybercrime Report to Commonwealth Law Ministers 2014.” In: Report of the Commonwealth Working Group of Experts on Cybercrime: Paper by the Commonwealth Secretariat, i-57. London: The Commonwealth. http://thecommonwealth.org/sites/default/files/news-items/documents/ Report_of_the_Commonwealth_Working_Group_of_Experts_on_Cybercrime_May_2014.pdf. Page 418 | Chapter 10 | Bibliography Table of Contents Commonwealth Network. “Commonwealth Secretariat.” Commonwealth Network. http://www. commonwealthofnations.org/commonwealth/commonwealth-secretariat/. Conklin, Kevin. 2017 (Posted in Jun. 2017). “The Petya Virus—Return of the Ransomware Attacks.” Information Management. https://www.information-management.com/opinion/the-petra-virus- return-of-the-ransomware-attacks. Constantin, Lucian. 2014 (Posted on 13 Jan. 2014). “Target Point-of-sale Terminals were Infected with Malware.” PC World. http://www.pcworld.com/article/2087240/target-pointofsale-terminals- were-infected-with-malware.html. Cook, David M. 2010. “Mitigating Cyber-Threats through Public-Private Partnerships: Low Cost Governance with High Impact Returns.” In: Proceedings of the 1st International Cyber Resilience Conference, Perth, Western Australia, 23-24 Aug. pp. 22–30. Perth, Western Australia: Edith Cowan University. http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1002&context=icr. CCDCOE (Cooperative Cyber Defence Centre of Excellence). 2015 (Posted on 20 Feb. 2015). “Mixed Feedback on the ‘African Union Convention on Cyber Security and Personal Data Protection.” CCDCOE. https://ccdcoe.org/mixed-feedback-african-union-convention-cyber- security-and-personal-data-protection.html. Corera, Gordon. 2016 (Posted on 29 Jun. 2016). “CIA Taps Huge Potential of Digital Technology.” BBC News. http://www.bbc.com/news/world-us-canada-36462056. Corera, Gordon. 2017 (16 Jun. 2017). “NHS Cyber-Attack Was ‘Launched from North Korea’,” BBC News. http://www.bbc.com/news/technology-40297493. Cottim, Armando. 2010. “Cybercrime, Cyberterrorism and Jurisdiction: An Analysis of Article 22 of the COE Convention on Cybercrime.” European Journal of Legal Studies 2(3). http://www.ejls. eu/6/78UK.htm#_ftnref34. Coughlin, Tom, Dennis Waid and Jim Porter. 2004 (Posted in April 2004). “The Disk Drive, 50 Years of Progress and Technology Innovation.” In: Computer Technology Review. http://docplayer. net/25956649-The-disk-drive-50-years-of-progress-and-technology-innovation-the-road-to-2-billion- drives-tom-coughlin-dennis-waid-and-jim-porter.html. Couldry, Nick. 2008. “Mediatization or Mediation? Alternative Understandings of the Emergent Space of Digital Storytelling.” New Media & Society 10(3): 373-391. http://eprints.lse.ac.uk/50669/1/ Couldry_Mediatization_or_mediation_2008.pdf. Council of Europe. “Chart of Signatures and Ratifications of Treaty 185.” Council of Europe. http:// conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG. Page 419 | Chapter 10 | Bibliography Table of Contents Council of Europe. “Cybercrime Programme Office (C-PROC).” Council of Europe. http://www.coe. int/en/web/cybercrime/cybercrime-office-c-proc-. Council of Europe. “Electronic Evidence Guide.” Council of Europe. http://www.coe.int/en/web/ octopus/home. Council of Europe. “T-CY Reports.” Council of Europe. http://www.coe.int/en/web/cybercrime/t-cy- reports. Council of Europe. “Law Enforcement – Internet Service Provider Cooperation.” Council of Europe. http://www.coe.int/en/web/cybercrime/lea-/-isp-cooperation. Council of Europe. “Law Enforcement- Internet Service Provider Cooperation.” Council of Europe. http://www.coe.int/en/web/cybercrime/lea-/-isp-cooperation Council of Europe. “24/7 Points of Contact.” Council of Europe. http://www.coe.int/en/web/ cybercrime/resources. Council of Europe. “Action against Cybercrime.” Council of Europe. http://www.coe.int/en/web/ cybercrime. Council of Europe. “Cybercrime at COE Update April–June 2016.” Council of Europe. https:// rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001 680693147. Council of Europe. “Cybercrime Convention Committee.” Council of Europe. https://www.coe.int/ en/web/cybercrime/tcy. Council of Europe. “Global Action on Cybercrime: From GLACY to GLACY+.” Council of Europe. http://www.coe.int/en/web/human-rights-rule-of-law/-/global-action-on-cybercrime-from-glacy-to- glacy-. Council of Europe. “Global Project Cybercrime@Octopus.” Council of Europe. http://www.coe.int/ en/web/cybercrime/cybercrime-octopus. Council of Europe. “Regional Project Cybercrime@EaP II.” Council of Europe. http://www.coe.int/ en/web/cybercrime/cybercrime-eap-ii. Council of Europe. 2001. Explanatory Report to the Convention on Cybercrime. Budapest: Council of Europe. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?docu mentId=09000016800cce5b. Page 420 | Chapter 10 | Bibliography Table of Contents Council of Europe. 2007. “Questionnaire in preparation of the Conference.” Paper prepared for the Octopus Interface Conference, “Conference on Cooperation against Cybercrime.” Strasbourg, 11-12 June. http://www.coe.int/t/dghl/cooperation/economiccrime/Source/567-m-if%202008%20 quest_en.doc. Council of Europe. 2009. Cybercrime: a Threat to Democracy, Human Rights and the Rule of Law. Strasburg: Council of Europe. Council of Europe. 2011. Article 15 –Conditions and Safeguards under the Budapest Convention on Cybercrime: Discussion Paper with Contributions by Henrik Kaspersen (Netherlands) Joseph Schwerha (USA). Strasbourg: Council of Europe. https://rm.coe.int/CoERMPublicCommonSearchSe rvices/DisplayDCTMContent?documentId=09000016802f2464. Council of Europe. 2011. Law Enforcement Training Strategy. Strasbourg: Council of Europe. https:// rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680 2f6a34. Council of Europe. 2012. T-CY Guidance Note # 1 on the Notion of “Computer System”: Article 1.a. of the Budapest Convention on Cybercrime. Strasbourg: Council of Europe. https://rm.coe.int/ CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e79e6. Council of Europe. 2013. Capacity Building on Cybercrime: Discussion Paper. Strasbourg: Council of Europe. http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports- Presentations/cyber%20CB_v1y.pdf. Council of Europe. 2014. Cybercrime Model Laws: Discussion Paper Prepared for the Cybercrime Convention Committee (T-CY). Strasbourg: Council of Europe. http://www.coe.int/t/DGHL/ cooperation/economiccrime/cybercrime/Cybercrime@Octopus/Reports/2014_Zahid/3021_model_ law_study_v15.pdf. Council of Europe. 2015. Cybercrime and Cybersecurity Strategies in the Eastern Partnership Region. Bucharest: Council of Europe. https://rm.coe.int/CoERMPublicCommonSearchServices/ DisplayDCTMContent?documentId=09000016803053d2. Council of Europe, Octopus Cybercrime Community. “Advanced Course for Judges and Prosecutors.” Council of Europe. http://www.coe.int/en/web/octopus/home. Council of Europe, Project on Cybercrime and the Lisbon Network. 2009. “Cybercrime Training for Judges and Prosecutors: A Concept.” Strasbourg: Council of Europe. https://rm.coe.int/ CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802fa3c3. Council of Europe/Committee of Ministers. 1987. Recommendation R (87)15 Regulating the Use of Personal Data in the Police Sector. Strasbourg: Council of Europe. http://ec.europa.eu/justice/data- protection/law/files/coe-fra-rpt-2670-en-471.pdf. Page 421 | Chapter 10 | Bibliography Table of Contents Council of Europe/Economic Crime Division. 2008. Guidelines for the cooperation of law enforcement and internet service providers against cybercrime. Strasbourg: Council of Europe. http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/Reports- Presentations/567_prov-d-guidelines_provisional2_3April2008_en.pdf. Council of Europe/European Court of Human Rights. 2007. “Freedom of expression in Europe: Case-law concerning Article 10 of the European Convention on Human Rights.” Human Rights Files, no. 18. Strasbourg: Council of Europe, European Court of Human Rights. http://www.echr.coe. int/LibraryDocs/DG2/HRFILES/DG2-EN-HRFILES-18(2007).pdf. Council of Europe/European Court of Human Rights. 2011 (Updated in June 2015). Internet: la jurisprudence de la CEDH. Strasbourg: Council of Europe. http://www.echr.coe.int/Documents/ Research_report_internet_FRA.pdf. Council of the European Union. 2014. EU Human Rights Guidelines on Freedom of Expression Online and Offline: Foreign Affairs Council meeting (Brussels, 12 May 2014). Brussels: European Commission, Newsroom Editor. http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/ EN/foraff/142549.pdf. CJEU (Court of Justice of the European Union). 2015 (Posted on 6 Oct.2015). “The Court of Justice Declares That the Commission’s US Safe Harbour Decision Is Invalid.” CJEU. http://curia.europa.eu/ jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. Cox, Joseph. 2016 (Posted on 5 Jan. 2016). “The FBI’s ‘Unprecedented’ Hacking Campaign Targeted over a Thousand Computers.” Motherboard. http://motherboard.vice.com/read/the-fbis- unprecedented-hacking-campaign-targeted-over-a-thousand-computers. Crawford, Jamie. 2016 (Posted on 13 Jan. 2016). “Kerry Tells Iran in Long Day of Calls: This Can be ‘a Good Story for Both of Us’.” CNN. http://www.cnn.com/2016/01/13/politics/john-kerry-iran-zarif- sailors/. Crumbley, Larry, Lester E. Heitger and G. Stevenson Smith. 2005. Forensic and Investigative Accounting (2nd Edition). Washington D.C.: CCH. Cuomo, Andrew M. and Benjamin M. Lawsky. 2014. Report on Cyber Security in the Banking Sector. New York: New York State Department of Financial Services. http://www.dfs.ny.gov/reportpub/ dfs_cyber_banking_report_052014.pdf. Cyber Crime and Forensics Blog. 2009 (Posted on 26 Feb. 2009). “Data Diddling.” Cyber Crime and Forensics Blog. http://cybercrimeandforensic.blogspot.com/2009/02/data-diddling.html. Cyber Security Law & Policy. 2016 (Posted on 23 Feb. 2016). “Actual Order Compelling Apple, Inc. to Assist Agents in Search of iPhone.” Cybersecuritylaw. http://blog.cybersecuritylaw. us/2016/02/23/actual-order-compelling-apple-inc-to-assist-agents-in-search-of-iphone/. Page 422 | Chapter 10 | Bibliography Table of Contents Cyberoam. 2012 (Posted on 6 Dec. 2012). “Is Bitcoin Turning into a Cyber Crime Currency?” Cyberoam. https://web.archive.org/web/20160404100125/http://www.cyberoam.com/blog/is- bitcoin-turning-into-a-cyber-crime-currency-2/. D Daily News. 2015 (Posted on 20 Mar. 2015). “Approved Article Gives Turkish Gov’t Power to Shut Down Websites in Four Hours.” Daily News. http://www.hurriyetdailynews. com/approved-article-gives-turkish-govt-power-to-shut-down-websites-in-four-hours. aspx?pageID=238&nID=79941&NewsCatID=339. Day, Matt. 2017 (Posted on 14 May 2017). “Microsoft Criticizes Government Creation of Hacking Tools Used in Global Cyberattack.” Seattle Times. http://www.seattletimes.com/business/microsoft/ microsoft-criticizes-government-creation-of-hacking-tools-used-in-global-cyberattack/. Deibert, Ronald. 2012. “The Growing Dark Side of Cyberspace (…and What to Do About It).” Penn State Journal of Law & International Affairs 1(2). http://elibrary.law.psu.edu/cgi/viewcontent. cgi?article=1012&context=jlia. Deleon, Nicholas. 2008 (Posted on 26 Mar. 2008). “Phishing Scam Targeting Facebook Users.” TechCrunch.com. http://techcrunch.com/2008/03/26/phishing-scam-targeting-facebook-users/. Deloitte CFO. 2013 (Posted on 7 Jul. 2013). “Eight Ways to Move Toward a Culture of Compliance.” Wall Street Journal. http://deloitte.wsj.com/cfo/2013/06/07/toward-a-culture-of-compliance-eight- initiatives-ccos-can-lead/. DeYoung, Karen. 2016 (Posted on 13 Jan. 2016). “Intense Diplomacy between Secretary of State Kerry and His Iranian Counterpart to Secure Sailors.” Washington Post. https://www. washingtonpost.com/news/checkpoint/wp/2016/01/13/intense-diplomacy-between-secretary-of- state-kerry-and-his-iranian-counterpart-to-secure-sailors-release/. Di Lorenzo, Vincent. 1986. “Public Confidence and the Banking System: The Policy Basis for Continued Separation of Commercial and Investment Banking.” American Law Review 35. http:// www.stjohns.edu/sites/default/files/documents/law/dilorenzo-public_confidence_policy_basis.pdf. DigiCert. “The Math Behind Estimations to Break a 2048-bit Certificate.” DigiCert. https://www. digicert.com/TimeTravel/math.htm. Digital Watch. “Geneva Internet Platform.” Digital Watch. http://digitalwatch.giplatform.org/ instruments/agreement-cooperation-combating-offences-related-computer-information- commonwealth. Page 423 | Chapter 10 | Bibliography Table of Contents Douglas, Thomas and Brian D. Loader, eds. 2000. “Introduction–Cyber Crime: Law Enforcement, Security and Surveillance in the Information Age.” In: Douglas, Thomas and Brian D. Loader, eds. 2000. Cyber crime: Law enforcement, security and surveillance in the information age. London: Routledge. Dotzauer, Erwin. 2014 (Posted on 3 Nov. 2014). “UNODC – Comprehensive Study on Cybercrime.” Cybersecurity Capacity Portal. https://www.sbs.ox.ac.uk/cybersecurity-capacity/content/unodc- comprehensive-study-cybercrime. Downing, Richard W. 2005. “Shoring Up the Weakest Link: What Lawmakers Around the World Need to Consider in Developing Comprehensive Laws to Combat Cybercrime.” Columbia Journal of Transnational Law 43(3): 705. Doyle, Charles. 2016 (Posted on 18 May 2016). “RICO: A Brief Sketch.” US Congressional Research Service (CRS), no. 96-950. https://fas.org/sgp/crs/misc/96-950.pdf. Dubber, Markus D. 2013 (Posted on 3 Jul. 2013). “Ultima Ratio as Caveat Dominus: Legal Principles, Police Maxims, and the Critical Analysis of Law.” SSRN (Social Science Research Network). http:// papers.ssrn.com/sol3/papers.cfm?abstract_id=2289479. Dunham, Jennifer, Bret Nelson and Elen Aghekyan. 2015. Freedom of the Press 2015. Washington, D.C.: Freedom House. https://freedomhouse.org/sites/default/files/FreedomofthePress_2015_ FINAL.pdf. Dutton, William H. Anna Dopatka, Michael Hills, Ginette Law & Victoria Nash. 2011. Freedom of Connection, Freedom of Expression; the Changing Legal and Regulatory Ecology Shaping the Internet. Paris: UNESCO. http://unesdoc.unesco.org/images/0019/001915/191594e.pdf. Dutton, William H., Ginette Law, Gillian Bolsover and Soumitra Dutta. 2013. The Internet Trust Bubble: Global Values, Beliefs and Practices. Geneva: WEF (World Economic Forum). http://www3. weforum.org/docs/WEF_InternetTrustBubble_Report2_2014.pdf. E Eadicicco, Lisa. 2015 (Posted on 19 Oct. 2015). “Hundreds of Apps Have Been Banned from Apple’s App Store for Spying on Your Personal Information.” Business Insider. http://www.businessinsider. com/apple-removes-apps-youmi-sdk-personal-information-2015-10. Edwards, Julia. 2016 (Posted on 22 Apr. 2016). “FBI Paid More Than $1.3 Million to Break into San Bernardino iPhone.” Reuters. http://www.reuters.com/article/us-apple-encryption-fbi- idUSKCN0XI2IB. Page 424 | Chapter 10 | Bibliography Table of Contents Effross, Walter A. 1997. “High-Tech Heroes, Virtual Villains and Jacked-In Justice: Visions of Law and Lawyers in Cyberpunk Science Fiction.” Buffalo Law Review 45 (3):931-974. Electronic Frontier Foundation. “The Playpen Cases: Frequently Asked Questions The Basics.” Electronic Frontier Foundation. https://www.eff.org/pages/playpen-cases-frequently-asked- questions#howmanycases. Emerging Technology from the arXiv. 2017 (Posted on 5 Apr. 2017). “Intelligent Machines Quantum Computing Now Has a Powerful Search Tool.” MIT Technology Review. https://www. technologyreview.com/s/604068/quantum-computing-now-has-a-powerful-search-tool/. End Stalking in America, Inc. “Building Your Case.” End Stalking in America, Inc. http://www.esia. net/Building_your_Case.htm. Engelbrekt, Kjell. 2016. High-Table Diplomacy: The Reshaping of International Security Institutions. Washington, DC: Georgetown University Press. Eskola, Marko. 2012. “From Risk Society to Network Society: Preventing Cybercrimes in the 21st Century.” Journal of Applied Security Research 7(1): 122 –150. Etter, Barbara. 2001. The forensic challenges of e-crime. Marden: ACPR (Australasian Centre for Policing Research). EuropaForum. 2016 (Posted on 13 Sep. 2016). “Traités et Affaires institutionnelles: Respect de l’état de droit – La Commission, soutenue par une majorité du Parlement européen, maintient la pression sur Varsovie.” EuropaForum. http://www.europaforum.public.lu/fr/actualites/2016/09/pe-pologne- etat-de-droit/index.html. EC (European Commission). 2010. “A Comprehensive Approach on Personal Data Protection in the European Union.’’ COM (2010) 609 Final. Brussels: EC. http://ec.europa.eu/justice/news/consulting_ public/0006/com_2010_609_en.pdf. EC. 2010. “The EU Internal Security Strategy in Action: Five steps towards a more secure Europe.” COM (2010) 673 Final. Brussels: EC. http://eur-lex.europa.eu/legal-content/EN/TXT/ PDF/?uri=CELEX:52010DC0673&from=EN. EC. 2015 (Posted on 14 Dec. 2015).“Roadmap.” Public Private Partnership on Cybersecurity. http:// ec.europa.eu/smart-regulation/roadmaps/docs/2015_cnect_004_cybersecurity_en.pdf. EC. 2016 (Posted on 2 Feb. 2016). “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield.” European Commission –Press Release. http:// europa.eu/rapid/press-release_IP-16-216_en.htm. Page 425 | Chapter 10 | Bibliography Table of Contents EC. 2016 (Posted on 12 Jul. 2016). “EU-US Privacy Shield: Frequently Asked Questions,” Fact Sheet, European Commission. http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm. EC. “Eastern Partnership, Migration and Home Affairs.” European Commission. https://ec.europa. eu/home-affairs/what-we-do/policies/international-affairs/eastern-partnership_en. EC. “Public Consultation on the Public-Private Partnership on Cybersecurity and Possible Accompanying Measures.” European Commission. https://ec.europa.eu/digital-single-market/en/ news/public-consultation-public-private-partnership-cybersecurity-and-possible-accompanying- measures. EC. “DG Connect.” European Commission. https://ec.europa.eu/digital-single-market/dg-connect. EC. “Horizon 2020.” European Commission. https://ec.europa.eu/programmes/horizon2020/. EC. “Digital Single Market: Bringing Down Barriers to Unlock Online Opportunities.” European Commission. http://ec.europa.eu/priorities/digital-single-market/. EC, Commissioner. “Digital Single Market.” European Commission. http://ec.europa.eu/priorities/ digital-single-market/. EDRi (European Digital Rights). 2008 (Posted on 17 Dec. 2008). “Bulgarian Court Annuls a Vague Article of the Data Retention Law.” EDRi. https://edri.org/edri-gramnumber6-24bulgarian- administrative-case-data-retention/. EDRi. 2010 (Posted on 10 Mar. 2010). “German Federal Constitutional Court Rejects Data Retention Law.” EDRi. https://edri.org/edrigramnumber8-5german-decision-data-retention-unconstitutional/. EU Agency for Fundamental Rights. 2014. “Violence Against Women: An EU-wide Survey.” EU Agency for Fundamental Rights. http://fra.europa.eu/en/publication/2014/violence-against-women- eu-wide-survey-main-results-report. European Parliament. 2015 (Posted on 7 Dec. 2015). “MEPs Close Deal with Council on First Ever EU Rules on Cybersecurity.” European Parliament –Press Release. http://www.europarl.europa.eu/ news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on- cybersecurity. EUROPOL (European Police Office). 2014 (Posted on 9 May 2014). “Worldwide Operation against Cybercriminals.” EUROPOL. https://www.europol.europa.eu/content/worldwide-operation-against- cybercriminals. EUROPOL. 2015. The Internet Organised Crime Threat Assessment (IOCTA) 2015. The Hague: EUROPOL. https://www.europol.europa.eu/sites/default/files/publications/europol_iocta_ web_2015.pdf. Page 426 | Chapter 10 | Bibliography Table of Contents EUROPOL. “Europol Supports Huge International Operation to Tackle Organised Crime.” Europol. https://www.europol.europa.eu/content/europol-supports-huge-international-operation-tackle- organised-crime. EUROPOL. “European Cybercrime Centre- EC3.” Europol. https://www.europol.europa.eu/about- europol/european-cybercrime-centre-ec3. EUROPOL. “Combating Cybercrime in a Digital Age.” Europol, European Cybercrime Centre (EC3). https://www.europol.europa.eu/ec3. Europol. “Joint Cybercrime Action Taskforce (J-CAT).” Europol, European Cybercrime Centre (EC3). https://www.europol.europa.eu/ec3/joint-cybercrime-action-taskforce-j-cat. European Union Agency for Network and Information Security (ENISA). “National Cyber Security Strategies in the World.” ENISA. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/ national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world. EUR-Lex. “Digital Agenda for Europe.” EUR-Lex. http://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=URISERV:si0016. EUROJUST (European Union’s Judicial Cooperation Unit). 2015. Operation BlackShades: An Evaluation. Hague: EUROJUST. https://www.gccs2015.com/sites/default/files/documents/ Bijlage%202%20-%20Eurojust%20(10%2004%2015)%20Blackshades-Case-Evaluation.pdf. Eurojust. “History of Eurojust.” Eurojust. http://www.eurojust.europa.eu/about/background/Pages/ history.aspx. Eurojust. “Mission and Tasks.” Eurojust. http://www.eurojust.europa.eu/about/background/Pages/ mission-tasks.aspx. European Cybercrime Training and Education Group (ECTEG). “European Cybercrime Training and Education Group.” European Cybercrime Training and Education Group. http://www.ecteg.eu. European Network of Living Labs.” European Network of Living Labs.” European Network of Living Labs. http://www.openlivinglabs.eu/. Evans, Martin. 2017 (Posted on 19 Jan. 2017). “Fraud and Cyber Crime are Now the Country’s Most Common Offences.” Telegraph. http://www.telegraph.co.uk/news/2017/01/19/fraud-cyber-crime- now-countrys-common-offences/. Evening Standard. 2011 (Posted on 8 Nov. 2011). “MP Demands Law to Force Internet Providers to Remove Gang Videos.” Evening Standard –News. http://www.standard.co.uk/news/mp-demands- law-to-force-internet-providers-to-remove-gang-videos-6365780.html. Page 427 | Chapter 10 | Bibliography Table of Contents Executive Office of the President. 2014. Big Data: Seizing Opportunities, Preserving Values. Washington D.C.: The White House https://obamawhitehouse.archives.gov/sites/default/files/docs/ big_data_privacy_report_may_1_2014.pdf. Executive Office of the President, President’s Council of Advisors on Science and Technology. 2014. Big Data and Privacy: A Technological Perspective. Washington D.C.: The White House. https:// www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_ may_2014.pdf. Exum, Jelani Jefferson. 2010. “Making the Punishment Fit the (Computer) Crime: Rebooting Notions of Possession for the Federal Sentencing of Child Pornography Offenses.” Richmond Journal of Law and Technology 16(3). http://jolt.richmond.edu/v16i3/article8.pdf. F Fafinski, Stefan Frederick. 2008. Computer Use and Misuse: The Constellation of Control. The University of Leeds, School of Law. http://etheses.whiterose.ac.uk/2273/1/Fafinski_S_Law__ PhD_2008.pdf. Farbiarz, Michael. 2016. “Accuracy and Adjudication: The Promise of Extraterritorial Due Process.” Columbia Law Review 116(3). FBI (Federal Bureau of Investigation). 2014 (Posted on 19 May. 2014). “International Blackshades Malware Takedown-Coordinated Law Enforcement Actions Announced.” FBI. https://www.fbi.gov/ news/stories/2014/may/international-blackshades-malware-takedown/international-blackshades- malware-takedown. FBI. “National Cyber Investigative Joint Task Force.” FBI. https://www.fbi.gov/investigate/cyber/ national-cyber-investigative-joint-task-force. Feigenbaum, Joan, Aaron Johnson & Paul Syverson. 2006. “A Model of Onion Routing with Provable Anonymity.” Financial Cryptography & Data Security. http://www.cs.yale.edu/homes/jf/ FJS.pdf. Feinberg, Joel and Robert P. George. 1990. “Crime and Punishment: Moralistic Liberalism and Legal Moralism: Harmless Wrongdoing: The Moral Limits of the Criminal Law.” Michigan Law Review 88: 1415. Ferzan, Kimberly Kessler. 2013. “Prevention, Wrongdoing and the Harm Principle’s Breaking Point.” Ohio State Journal of Criminal Law 10(2): 679 –695. http://moritzlaw.osu.edu/students/groups/osjcl/ files/2013/03/25.-Ferzan.pdf. Page 428 | Chapter 10 | Bibliography Table of Contents Fidler, Mailyn. 2015 (Posted on 22 Jun. 2015). “The African Union Cybersecurity Convention: A Missed Human Rights Opportunity.” Council of Foreign Relations Blog. http://blogs.cfr.org/ cyber/2015/06/22/the-african-union-cybersecurity-convention-a-missed-human-rights-opportunity/ Figliola, Patricia Moloney. 2009. Spyware: Background and Policy Issues for Congress. Washington D.C.: CRS (Congressional Research Service). https://ia601307.us.archive.org/0/items/135973Spyw areBackgroundandPolicyIssuesforCongress-crs/135973%20Spyware_%20Background%20and%20 Policy%20Issues%20for%20Congress.pdf. FSIAC. “Financial Services-ISAC.” Financial Sector Information Sharing and Analysis Center. http:// www.fsisac.com. Finkle, Jim. 2016 (Posted on 31 Aug. 2016). “SWIFT Discloses More Cyber-Thefts, Pressures Banks on Security.” Reuters. http://www.reuters.com/article/us-cyber-heist-swift-idUSKCN11600C. Finklea, Kristin and Catherine A. Theohary. 2015. Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement. Washington D.C.: CRS (Congressional Research Service). https://www.fas. org/sgp/crs/misc/R42547.pdf. Flanagan, Anne. 2005. “The Law and Computer Crime: Reading the Script of Reform.” International Journal of Law & Information Technology 13(1). Flitter, Emily. 2013 (Posted on 29 May. 2013 ). “U.S. Accuses Currency Exchange of Laundering $6 Billion.” Reuters. http://www.reuters.com/article/2013/05/29/net-us-cybercrime-libertyreserve- charges-idUSBRE94R0KQ20130529. Flynn, Mary Kathleen. 2002 (Posted on 8 Nov. 2002). “ISACs, Infragard and ECTF: Safety in Numbers.” CSO. http://www.csoonline.com/article/2113264/security-leadership/isacs--infragard-- and-ectf--safety-in-numbers.html. Forensic Colleges & Universities. “10 Modern Forensic Science Technologies.” Forensic Colleges & Universities. http://www.forensicscolleges.com/blog/resources/10-modern-forensic-science- technologies. Forte, Dario. 2002. “Analyzing the Difficulties in Backtracing Onion Router Traffic.” International Journal of Digital Evidence 1(3). https://www.utica.edu/academic/institutes/ecii/publications/ articles/A04AA07D-D4B8-8B5F-450484589672E1F9.pdf. Fox-Brewster, Thomas. “An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak.” Forbes. https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by- wannacry-ransomware-in-global-explosion/#514a4d77e599. Foxx, Chris. 2017 (Posted on 14 May 2017). “Global Cyber-attack: Security Blogger Halts Ransomware ‘by Accident’.” BBC News. http://www.bbc.com/news/technology-39907049. Page 429 | Chapter 10 | Bibliography Table of Contents Franceschi-Bicchierai, Lorenzo. 2015 (Posted on 4 May 2015). “Love Bug: The Virus That Hit 50 Million People Turns 15.” Motherboard. http://motherboard.vice.com/read/love-bug-the-virus-that- hit-50-million-people-turns-15. Fujikawa, Megumi. 2014 (Posted on 22 Oct. 2014). “Google Japan Case Raises Issue of ‘Right to Be Forgotten’.” Wall Street Journal. http://www.wsj.com/articles/google-japan-case-raises-privacy- issues-1413981229. Fuller, Kathleen E. 2001. “ICANN: The Debate over Governing the Internet.” Duke Law and Technology Review 1(1). http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1000&contex t=dltr. Furnell, Steven. 2002. Cyber crime: Vandalizing the information society. London: Addison Wesley. G G8. 1997 (Posted on 10 Dec. 1997). “The Washington Communiqué.” Meeting of Justice and Interior Ministers of the Eight. https://www.justice.gov/sites/default/files/ag/legacy/2004/06/08 /97Communique.pdf. Galeote, Rocio. 2015 (Posted on 30 Jul. 2015). “South Korea: Major Health Data Breach Hits Sector ‘Weak’ in Compliance.” Data Guidance. http://www.dataguidance.com/dataguidance_privacy_this_ week.asp?id=4621. Gallagher, Harold, Wade McMahon and Ron Morrow. 2014. Cyber Security: Protecting the Resilience of Canada’s Financial System. Ottawa: Bank of Canada. http://www.bankofcanada.ca/wp- content/uploads/2014/12/fsr-december14-morrow.pdf. Gallagher, Kevin M. 2014 (Posted on 18 Jun. 2014). “Private Spies Deserve More Scrutiny.” Huffington Post. http://www.huffingtonpost.com/kevin-m-gallagher/private-sector- surveillance_b_5171750.html. Garofalo, James. 1987. “Reassessing the Lifestyle Model of Criminal Victimization.” In: Michael R. Gottfredson and Travis Hirschi, eds. 1987. Positive criminology: 23-42. Thousand Oaks: Sage Publications, Inc. Gemalto. 2015. 2015 First Half Review: Findings from the Breach Level Index. North Holland, Netherlands: Gemalto NV. http://www.gemalto.com/brochures-site/download-site/Documents/ Gemalto_H1_2015_ BLI_Report.pdf. Geradin, Damien, Marc Reysen & David Henry. 2008. “Extraterritoriality, Comity and Cooperation in EC Competition Law.” SSRN. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1175003. Page 430 | Chapter 10 | Bibliography Table of Contents Gercke, Marco. 2004. “The Implementation of the Cybercrime Convention –Procedural Law.” In: Multimedia und Recht: 801 to 806. Gercke, Marco. 2005. “Phishing and Identity Theft.” Computer und Recht: 606-612. Gercke, Marco. 2007. Internet-Related Identity Theft: A Discussion Paper by Marco Gercke (Germany). Strasbourg: Council of Europe. http://www.coe.int/t/dg1/legalcooperation/ economiccrime/cybercrime/cy%20activity_events_on_identity_theft/567%20port%20id-d- identity%20theft%20paper%2022%20nov%2007.pdf. Gercke, Marco. 2008. “Challenge of Fighting Cybercrime.”In: Multimedia und Recht: 291 –298. Gercke, Marco. 2008. “The Council of Europe Guidelines for the Cooperation between Law Enforcement Agencies and Internet Service Providers against Cybercrime.” Computer Law Review International: 91-101. Gercke, Marco. 2009. “The Role of Internet Service Providers in the Fight against Child Pornography.” Computer Law Review International: 65 –72. Gercke, Marco. 2009. Understanding Cybercrime: A Guide for Developing Countries. Geneva: ITU. http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-understanding-cybercrime-guide.pdf. Gercke, Marco. 2011. “Legal Approaches to Criminalize Identity Theft.” In: UNODC. Handbook on Identity-related Crime, 1 –54. New York: UN. https://www.unodc.org/documents/treaties/UNCAC/ Publications/Handbook_on_ID_Crime/10-57802_ebooke.pdf. Gercke, Marco. 2012. Understanding Cybercrime: Phenomena, Challenges and Legal Response. Geneva: ITU. http://www.itu.int/en/ITU-D/Cybersecurity/Documents/CybcrimeE.pdf. Gercke, Marco. 2014. Understanding Cybercrime: Phenomena, Challenges and Legal Response (November 2014). Geneva: ITU. http://www.itu.int/en/ITU-D/Cybersecurity/Documents/ cybercrime2014.pdf. Germano, Judith H. 2014. Cybersecurity Partnerships: A New Era of Public-Private Collaboration. New York: New York University School of Law/Center on Law and Security. http://www. lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf. Gibson Dunn. 2016. Cybersecurity and Data Privacy Outlook and Review: 2016. Los Angeles: Gibson, Dunn & Crutcher LLP. http://www.gibsondunn.com/publications/documents/Cybersecurity- and-Data-Privacy-Outlook-and-Review--2016.pdf. Gibbon, Edward. 1960. The Decline and Fall of the Roman Empire. New York: Harcourt, Brace. Gilbert, Françoise. 2017. Global Privacy & Security Law. Palo Alto: Wolters Kluwer. Page 431 | Chapter 10 | Bibliography Table of Contents Giordano, Scott M. 2004. “Electronic Evidence and the Law.” Information Systems Frontiers 6(2): 161 –174. Gladyshev, Pavel and Ahmed Patel. 2005. “Formalizing Event Time Bounding in Digital Investigations.” International Journal of Digital Evidence 4(2). https://www.utica.edu/academic/ institutes/ecii/publications/articles/B4A90270-B5A9-6380-68863F61C2F7603D.pdf. Global Monitoring and ECPAT International. 2016. Status of Action against Commercial Sexual Exploitation of Children: Israel (2016). Bangkok: ECPAT International. Global Partners Digital Development House. 2015. GCCS2015 Collated Training Summaries. London: Global Partners Digital Development House. http://www.gp-digital.org/wp-content/ uploads/pubs/GCCS2015%20Collated%20Webinar%20Summaries%20final.pdf. Goel, Vindu. 2015 (Posted on 14 Oct. 2015). “Encryption Is More Important, and Easier, Than Ever By.” New York Times. http://bits.blogs.nytimes.com/2015/10/14/encryption-is-more-important-and- easier-than-ever/?_r=0. Goel, Vindu & Nicole Perlroth. 2016 (Posted on 14 Dec. 2016). “Yahoo Says 1 Billion User Accounts Were Hacked.” New York Times. https://www.nytimes.com/2016/12/14/technology/yahoo-hack. html?mcubz=3. Goger, Thomas. 2016. “Cross-border Cybercrime Investigations – Making MLATs Work”. Mimeo. Goodin, Dan. 2014 (Posted on 18 Nov. 2014). “WhatsApp Brings Strong End-to-end Frypto to the Masses.” Quora. https://www.quora.com/How-secure-is-WhatsApps-new-end-to-end-encryption. Goodman, Marc. D. 1997. “Why the Police don’t care about Computer Crime.” Harvard Journal of Law & Technology 10(3): 465–494. http://jolt.law.harvard.edu/articles/pdf/v10/10HarvJLTech465.pdf. Goodman, Marc D. and Susan W. Brenner. 2002. “The Emerging Consensus on Criminal Conduct in Cyberspace.” UCLA Journal of Law and Technology 10(2): 139–223. Goodno, Naomi Harlin. 2007. “Cyberstalking, a New Crime: Evaluating the Effectiveness of Current State and Federal Laws.” Missouri Law Review 72. http://scholarship.law.missouri.edu/cgi/ viewcontent.cgi?article=3985&context=mlr. Gordon, Gary R., Chet D. Hosmer, Christine Siedsma and Don Rebovich. 2002. Assessing Technology, Methods, and Information for Committing and Combating Cyber Crime. Rockville: NCJRS (National Criminal Justice Reference Service). https://www.ncjrs.gov/pdffiles1/nij/ grants/198421.pdf. Page 432 | Chapter 10 | Bibliography Table of Contents Gordon, Mark. 2002. “Ideas Shoot Bullets: How the RICO Act Became a Potent Weapon in the War Against Organized Crime,” Concept, Vol. 26, (2002). https://concept.journals.villanova.edu/article/ view/312/275. Gordon, Sarah and Richard Ford. 2006. “On the Definition and Classification of Cybercrime.” Journal of Computer Virology 2: 13-20. https://pdfs.semanticscholar. org/12f8/7da74f91c7bfac67b6e83213fefe2c08bb67.pdf. Gottfredson, Michael R. 1984. “Victims of Crime: The Dimensions of Risk.” Home Office Research Study No.18. London: Her Majesty’s Stationer. http://webarchive.nationalarchives.gov. uk/20110218135832/rds.homeoffice.gov.uk/rds/pdfs05/hors81.pdf. Gov.uk. “Cabinet Office.” Gov.uk. https://www.gov.uk/government/organisations/cabinet-office. Gov.uk. “Department for Business, Energy and Industrial Strategy (BEIS).” Gov.uk. https://www.gov. uk/government/organisations/department-for-business-innovation-skills Gov.uk. “Department for Culture, Media and Sport.” Gov.uk. https://www.gov.uk/government/ organisations/department-for-culture-media-sport. Gov.uk. “Foreign and Commonwealth Office.” Gov.uk. https://www.gov.uk/government/ organisations/foreign-commonwealth-office. Gov.uk. “Home Office.” Gov.uk. https://www.gov.uk/government/organisations/home-office. Gov.uk. “Ministry of Defence.” Gov.uk. https://www.gov.uk/government/organisations/ministry-of- defence. Government of the United Kingdom. 2013 (Posted on 23 Mar. 2013). “Government Launches Information Sharing Partnership on Cyber Security.” Government of the United Kingdom/Press Release. https://www.gov.uk/government/news/government-launches-information-sharing- partnership-on-cyber-security. Gowen, Annie. 2016 (Posted on 28 Jan. 2016). “India, Egypt Say No Thanks to Free Internet from Facebook”. The Washington Post. https://www.washingtonpost.com/world/asia_pacific/ india-egypt-say-no-thanks-to-free-internet-from-facebook/2016/01/28/cd180bcc-b58c-11e5-8abc- d09392edc612_story.html. Grabosky, Peter. 2000. “Cyber Crime and Information Warfare.” Paper presented at the Australian Institute of Criminology Conference, “Transnational Crime,” Canberra, 9-10 Mar. http://aic.gov.au/ media_library/conferences/transnational/grabosky.pdf. Gray, John and G.W. Smith, eds. 1991. J.S. Mill’s On Liberty in Focus (1st Edition). New York: Routledge. Page 433 | Chapter 10 | Bibliography Table of Contents Gray, Laura. 2016 (Posted on 25 Mar. 2016). “Does Uganda Have More Mobile Phones Than Light Bulbs?” BBC News. http://www.bbc.com/news/magazine-35883649. Green, Thomas. 2011 (Posted on 12 Mar. 2001). “FBI Magic Lantern reality check.” Register. www. theregister.co.uk/2001/12/03/fbi_magic_lantern_reality_check/. Greenberg, Andy. 2014 (25 Nov. 2014). “Hacker Lexicon: What Is End-to-End Encryption?” Wired. https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/. Greenberg, Andy. 2016 (Posted on 29 May 2016). ““Silk Road Creator Ross Ulbricht Sentenced to Life in Prison.” Wired. https://www.wired.com/2015/05/silk-road-creator-ross-ulbricht-sentenced-life- prison/. Greenberg, Andy. 2016 (Posted on 6 Oct. 2016). “Judges Question Ross Ulbricht’s Life Sentence in Silk Road Appeal.” Wired. https://www.wired.com/2016/10/judges-question-ulbrichts-life-sentence- silk-road-appeal/. Greenberg, Andy. 2017 (Posted on 14 Apr. 2017). “Major Leak Suggests NSA Was Deep in Middle East Banking System.” Wired. https://www.wired.com/2017/04/major-leak-suggests-nsa-deep- middle-east-banking-system/. Greene, Thomas C. 2001 (Posted on 3 Dec. 2001). “FBI ‘Magic Lantern’ reality check.” The Register. http://www.theregister.co.uk/2001/12/03/fbi_magic_lantern_reality_check/. Greenleaf, Graham and George Tian. 2013. “China Expands Data Protection through 2013 Guidelines: A ‘Third Line’ for Personal Information Protection (With a Translation of the Guidelines).” Privacy Laws & Business International Report Issue 122. http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=2280037. Greenwald, Glenn. 2014. No Place to Hide: Edward Snowden, the NSA and the Surveillance State. New York: Metropolitan Books. Griffin, Andrew. 2016 (Posted on 31 Dec. 2016). “Investigatory Powers Act Goes into Force, Putting UK Citizens under Intense New Spying Regime.” Independent. http://www.independent.co.uk/life- style/gadgets-and-tech/news/investigatory-powers-act-bill-snoopers-charter-spying-law-powers- theresa-may-a7503616.html. Griffin, J.P. 1999. “Extraterritoriality in US and EU Antitrust Enforcement,” Antitrust Law Journal 67. Guinchard, Audrey. 2008. “Cybercrime: The Transformation of Crime in the Information Age.” Information, Communication and Society 11 (7):1030-1032. Page 434 | Chapter 10 | Bibliography Table of Contents Gupta, Gaurav, Chandan Mazumdar & M. S. Rao. 2004. “Digital Forensic Analysis of E-Mails: A Trusted E-Mail Protocol.” International Journal of Digital Evidence 2(4). https://utica.edu/academic/ institutes/ecii/publications/articles/A0B4342D-E76E-F8F2-AC926AB64EC719B8.pdf. Gupta, Mayank R., Michael D. Hoeschele and Marcus K. Rogers. 2006. “Hidden Disk Areas: HPA and DCO.” International Journal of Digital Evidence 5(1). https://www.utica.edu/academic/ institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf. Gupta, Sunil Kumar. 2000. “Extradition Law and the International Criminal Court.” Berkeley Journal of Criminal Law 3. http://scholarship.law.berkeley.edu/cgi/viewcontent. cgi?article=1072&context=bjcl. H Halderman, J. Alex, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten. 2008. “Lest we Remember: Cold Boot Attacks on Encryption keys.” Communications of the ACM 52(5): 91-98. https://www. usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf. Hall, Gregory A. and Wilbon P. Davis. 2005. “Towards Defining the Intersection of Forensic and Information Technology.” International Journal of Digital Evidence 4(1). https://www.utica.edu/ academic/institutes/ecii/publications/articles/B49F0174-F1FB-FE05-EBBB4A8C87785039.pdf. Hannan, Mathew. 2004 (Posted on 25 Nov. 2004). “To Revisit: What is Forensic Computing.” Paper presented at the 2nd Australian Computer Network & Information Forensics Conference, Perth, Western Australia.https://conferences.ecu-sri.org/proceedings/2004/forensics04/Hannan.pdf. Hargrave, Vic. 2012 (Posted on 17 Jun. 2012). “Hacker, Hacktivist or Cybercriminal?” Trend Micro/ Simply Security. http://blog.trendmicro.com/whats-the-difference-between-a-hacker-and-a- cybercriminal/. Harris, Aisha. 2014 (Posted on 17 Dec. 2014). “Sony Really Should Release the Interview Online, and Soon.” Slate. http://www.slate.com/blogs/browbeat/2014/12/17/the_interview_pulled_from_ theaters_due_to_north_korea_s_apparent_data_hack.html. Harris, Kamala. 2014. 2014 California Data Breach Report. California Office of the Attorney General. https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf. Harrison, Warren, George Heuston, Mark Morrissey, David Aucsmith, Sarah Mocas and Steve Russelle. 2002.”A Lesson Learned Repository for Computer Forensics.” International Journal of Digital Evidence 1(3). https://www.dfrws.org/2002/papers/Papers/Warren_Harrison.pdf. Page 435 | Chapter 10 | Bibliography Table of Contents Hern, Alex. 2016 (Posted on 28 Jun. 2016). “Google Says Machine Learning Is the Future. So I Tried It Myself.” Guardian. https://www.theguardian.com/technology/2016/jun/28/google-says-machine- learning-is-the-future-so-i-tried-it-myself/. Ho, Michael, Joyce Hung and Michael Hasnick. 2015. The Carrot and the Stick: Innovation versus Anti-Piracy Enforcement. Redwood City: The Copia Institute. https://copia.is/wp-content/ uploads/2015/10/COPIA-The-Carrot-Or-The-Stick.pdf. Hoboken, Joris van. 2012. Search Engine Law and Freedom of Expression: A European Perspective. New York: Wolters Kluwer Law & Business, Kluwer Law International. Hogan Lovells. 2014. “Technology Neutrality in Internet, Telecoms and Data Protection Regulation.” Hogan Lovells Global Media and Communications Quarterly. http://www.hoganlovells.com/files/ Uploads/Documents/8%20Technology%20neutrality%20in%20Internet.pdf. Homeland Security News Wire. 2011 (Posted on 19 Apr. 2011). “An Electronic Trail for Every Crime.” Homeland Security News Wire. http://www.homelandsecuritynewswire.com/electronic-trail-every- crime. Hosein, Gus & Caroline Wilson Palow. 2013. “The Second Wave of Global Privacy Protection: Modern Safeguards for Modern Surveillance: An Analysis of Innovations in Communications Surveillance Techniques.” Ohio State Law Journal 74. Hosmer, Chet. 2002. “Proving the Integrity of Digital Evidence with Time.” International Journal of Digital Evidence 1(1). https://www.utica.edu/academic/institutes/ecii/publications/ articles/9C4EBC25-B4A3-6584-C38C511467A6B862.pdf. Hostetler, Baker. 2015. “International Compendium of Data Privacy Laws.” BakerLaw.com. http:// www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International- Compendium-of-Data-Privacy-Laws.pdf. Houle, Kevin J. and George M. Weaver. 2001. Trends in Denial of Service Attack Technology. Pittsburgh: CMU (Carnegie Mellon University). https://resources.sei.cmu.edu/asset_files/ WhitePaper/2001_019_001_52491.pdf. Howard, Try E. 2004. “Don’t Cache Out Your Case: Prosecuting Child Pornography Possession Laws Based on Images Located in Temporary Internet Files.” Berkeley Technology Law Journal 19 (4): 1227 –1274. http://www.btlj.org/data/articles2015/vol19/19_4/19-berkeley-tech-l-j-1227-1274.pdf. Huang, Bunnie. 2016 (Posted on 26 Jul. 2016). “Against the Law: Countering Lawful Abuses of Digital Surveillance.” PubPub. https://www.pubpub.org/pub/direct-radio-introspection. Page 436 | Chapter 10 | Bibliography Table of Contents I Illmer, Andreas. 2017 (Posted on 25 Jul. 2017). “China Set to Launch an ‘Unhackable’ Internet Communication.” BBC. http://www.bbc.com/news/world-asia-40565722. International Association of Prosecutors. 2012 (Posted on 11 Jun. 2012). “Global Prosecutors E-Crime Network.” International Association of Prosecutors. https://rm.coe.int/ CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802f240e. Information Exchange Network for Mutual Assistance in Criminal Matters and Extradition. 2007. “What is the Law?” OAS. https://www.oas.org/juridico/mla/en/can/en_can_mla_what.html. Information Security Stack Exchange. “Why Do You Need a 4096-bit DSA Key When AES Is Only 256-Bits?” Information Security Stack Exchange. http://security.stackexchange.com/ questions/59190/why-do-you-need-a-4096-bit-dsa-key-when-aes-is-only-256-bits. Information Security Stack Exchange. “What Does ‘Key with Length of X Bits’ Mean?” Information Security Stack Exchange. http://security.stackexchange.com/questions/8912/what-does-key-with- length-of-x-bits-mean. InfoSec Institute. “22 Popular Computer Forensics Tools.” InfoSec Institute. http://resources. infosecinstitute.com/computer-forensics-tools/. InfoSecurity Magazine. 2010 (Posted on 20 Aug. 2010). “Do Punishments fit the cybercrime?” InfoSecurity Magazine. https://www.infosecurity-magazine.com/magazine-features/do- punishments-fit-the-cybercrime/. InfoSecurity Magazine. 2011 (Posted on 9 May. 2011). “Cybercrime Knows No Borders.” InfoSecurity Magazine. http://www.infosecurity-magazine.com/magazine-features/cybercrime-knows-no- borders/. InfraGard. “About InfraGard.” InfraGard. https://www.infragard.org/. Ingber, Stanley. 1987. “The Marketplace of Ideas: A Legitimizing Myth.” Duke Law Journal 33. Insa, Fredesvinda. 2007. “The Admissibility of Electronic Evidence in Court (A.E.E.C.): Fighting against High-Tech Crime—Results of a European Study.” Journal of Digital Forensic Practice: 285- 289. http://www.tandfonline.com/doi/pdf/10.1080/15567280701418049. IADB (Inter-American Development Bank) and OAS (Organization of American States). 2016. Cybersecurity: Are We Ready in Latin America and the Caribbean? Washington D.C: IADB. https:// publications.iadb.org/bitstream/handle/11319/7449/Cybersecurity-Are-We-Prepared-in-Latin- America-and-the-Caribbean.pdf?sequence=1. Page 437 | Chapter 10 | Bibliography Table of Contents ICMEC (International Centre for Missing and Exploited Children). 2012. Child Pornography: Model Legislation & Global Review (7th Edition). Alexandria, Virginia: ICMEC. http://www.icmec.org/wp- content/uploads/2015/10/7th-Edition-EN.pdf. INTERPOL (International Criminal Police Organization). 2015. National Cyber Review. Singapore: INTERPOL Global Complex for Innovation, Cyber Innovation and Outreach. https://www. interpol.int/content/download/28038/375648/version/4/file/IGCI-CIO_cyber%20review_ projectsheet_2015-03_EN_LR.pdf. INTERPOL. 2016 (Posted on 22 Jan. 2016). “INTERPOL Backs World Economic Forum Cybercrime Project.” INTERPOL–News. http://www.interpol.int/News-and-media/News/2016/N2016-010. INTERPOL. “Command and Coordination Centre—Buenos Aires.” INTERPOL. http://www.interpol. int/INTERPOL-expertise/Command-Coordination-Centre/Command-and-Coordination-Centre- Buenos-Aires. INTERPOL. “Cybercrime.” INTERPOL. http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime. INTERPOL. “Data Exchange,” INTERPOL. http://www.interpol.int/INTERPOL-expertise/Data- exchange/I-24-7. INTERPOL. “Khoo Boon Hui.” INTERPOL. http://www.interpol.int/About-INTERPOL/Structure-and- governance/KHOO-Boon-Hui. INTERPOL. “Structure and Governance.” INTERPOL. http://www.interpol.int/About-INTERPOL/ Structure-and-governance/General-Secretariat. INTERPOL. “The INTERPOL Global Complex for Innovation.” INTERPOL. http://www.interpol.int/ About-INTERPOL/The-INTERPOL-Global-Complex-for-Innovation/About-the-IGCI. INTERPOL. “World: A Global Presence.” INTERPOL. http://www.interpol.int/Member-countries/ World. INCB (International Narcotics Control Board). 2001. Globalization and New Technologies: Challenges to Drug Law Enforcement in the Twenty-first Century. E/INCB/2001/1. Vienna: INCB. https://www.incb.org/documents/Publications/AnnualReports/AR2001/AR_01_Chapter_I.pdf. ITU (International Telecommunication Union). 2003. Geneva Declaration of Principles and the Geneva Plan of Action. Geneva: ITU. https://www.itu.int/net/wsis/docs/promotional/brochure-dop- poa.pdf. ITU. 2010. ITU Toolkit for Cybercrime Legislation (Draft). Geneva: ITU.http://www.cyberdialogue.ca/ wp-content/uploads/2011/03/ITU-Toolkit-for-Cybercrime-Legislation.pdf. Page 438 | Chapter 10 | Bibliography Table of Contents ITU. 2012. “Section II: Model Legislative Text – Cybercrime/e-Crimes.” In: HIPCAR, Cybercrime/e- Crimes: Model Policy Guidelines & Legislative Texts, 15-28. Geneva: ITU. http://www.itu.int/ITU-D/ projects/ITU_EC_ACP/hipcar/reports/wg2/docs/HIPCAR_1-5-B_Model-Policy-Guidelines-and- Legislative-Text_Cybercrime.pdf. ITU. 2012. “Overview of the Internet of Things.” Recommendation ITU-T Y.2060. Internet of Things Global Standards Initiative. http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=y.2060. ITU. 2013. HIPSSA, Computer Crime and Cybercrime: Southern African Development Community (SADC) Model Law. Geneva: ITU. http://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/ Documents/FINAL%20DOCUMENTS/FINAL%20DOCS%20ENGLISH/sadc_model_law_cybercrime. pdf. ITU. 2013. ICBRPAC, Electronic Crimes: Knowledge-Based Report (Skeleton). Geneva: ITU. http:// www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/ICB4PAC/Documents/FINAL%20DOCUMENTS/ cybercrime_skeleton.pdf. ITU. 2013. “Section II: Model Legislative Text –Electronic Crimes.” In: HIPCAR, Electronic Evidence: Model Policy Guidelines and Legislative Texts, 13-20. Geneva: ITU. http://www.itu.int/en/ITU-D/ Projects/ITU-EC-ACP/HIPCAR/Documents/FINAL%20DOCUMENTS/ENGLISH%20DOCS/e- evidence_mpg.pdf. ITU. 2015. “Annex 3: Cyberwellness country profiles A-Z.” In: Global Cyber Security Index & Cyberwellness Profiles, 41-515. Geneva: ITU. http://www.itu.int/dms_pub/itu-d/opb/str/D-STR- SECU-2015-PDF-E.pdf. ITU. “Global Cybersecurity Index.” ITU. http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx. ITU. “Global Cybersecurity Agenda (GCA).” ITU. http://www.itu.int/en/action/cybersecurity/Pages/ gca.aspx. ITU. “National Cybersecurity Strategies.” ITU. http://www.itu.int/en/ITU-D/Cybersecurity/Pages/ National-Strategies.aspx. Internet & Jurisdiction. 2014.“Progress Report 2013-2014.” Internet & Jurisdiction: Paris. Internet Crime Complaint Center & Federal Bureau of Investigation. 2015.“Business Email Compromise, Public Service Announcement.” Internet Crime Complaint Center & Federal Bureau of Investigation. https://www.ic3.gov/media/2015/150122.aspx; Internet Security Alliance.“Cross Cutting Issue #2: How Can We Create Public Private Partnerships that Extended to Action Plans that Work?” The White House of Barack Obama. https:// obamawhitehouse.archives.gov/files/documents/cyber/ISA%20-%20Hathaway%20public%20 private%20partnerships.pdf. Page 439 | Chapter 10 | Bibliography Table of Contents Internet Society. “Brief History of the Internet.” Internet Society. http://www.internetsociety.org/ internet/what-internet/history-internet/brief-history-internet. IWF (Internet Watch Foundation). 2008. IWF Annual Report 2008. Cambridge: IWF. https://www.iwf. org.uk/assets/media/IWF%20Annual%20Report%202008.pdf. Internet World Stats. 2017. “World Internet Usage and Population Statistics.” Internet World Stats. http://www.internetworldstats.com/stats.htm. J Jang, Junsik. 2009. “The Current Situation and Countermeasures to Cybercrime and Cyber-Terror in the Republic of Korea.” Resource Material Series no. 79: 46-56. Tokyo: UNAFEI. http://www.unafei. or.jp/english/pdf/RS_No79/No79_08VE_Jang1.pdf. Jarrett, H. Marshall, Michael W. Bailie, Ed Hagen and Nathan Judish. 2009. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (3rd Edition). Washington D.C. U.S. Department of Justice, Office of Legal Education Executive Office for U.S. Attorneys. http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf. Jens Todt, Von. 2007 (Posted on 8 Jan. 2007). Fahnder ueberpruefen erstmals alle deutschen Kreditkarten. Spiegel Online. www.spiegel.de/panorama/justiz/0,1518,457844,00.html (in German). Jingyi, Claire Huang. 2013 (Posted on 21 Dec. 2013). “3 Years’ Jail, S$5,000 Fine for Man Who Harassed US Singer.” TodayOnline. http://www.todayonline.com/singapore/3-years-jail-s5000-fine- man-who-harassed-us-singer?page=1. Johnson, David R. and David G. Post. 1996 “Law and Borders –The Rise of Law in Cyberspace.” Stanford Law Review 48: 1367-1402. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=535. Joyce, Daniel. 2015. “Privacy in the Digital Era: Human Rights Online?” Melbourne Journal of International Law 16(1): 270. Judicial Network & Eurojust. 2014 (Posted 6 May 2014). “Joint Task Force Paper Assistance in International Cooperation in Criminal Matters for Practitioners European.” Press Release, Council of the European Union. http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressdata/en/ jha/104584.pdf. K Kaspersky Lab. 2015. Kaspersky Lab Transparency Principles. Moscow: Kaspersky Lab. https://cdn. press.kaspersky.com/files/2013/06/Kaspersky-Lab-Transparency-Principles_Q3_2015_final.pdf. Page 440 | Chapter 10 | Bibliography Table of Contents Kaspersky Labs. 2017 (Posted on 13 May 2017). “WannaCry: Are You Safe?” Kaspersky Labs. https:// blog.kaspersky.com/wannacry-ransomware/16518/. Kaspersky Labs. 2017 (Posted on 14 May 2017). “Kaspersky Lab’s Notice to Customers about the Shadow Brokers’ Publication from April 14.” Kaspersky Labs. https://support.kaspersky.com/ shadowbrokers. Kastrenakes, Jacob. 2015 (Posted on 23 Dec. 2015). “India Temporarily Bans Facebook’s Controversial Free Internet Service.” The Verge. http://www.theverge.com/2015/12/23/10657916/ free-basics-internet-org-service-temporary-ban-india. Keizer, Gregg. 2007 (Posted on 29 Jul. 2007). “FAQ: What We Know (Now) about the FBI’s CIPAV Spyware.” Computerworld. http://www.computerworld.com/article/2542777/security0/faq--what- we-know--now--about-the-fbi-s-cipav-spyware.html. Kelion, Leo. 2017 (Posted on 1 Aug. 2017). “Dark Web Markets Boom after Alphas Bay and Hansa Busts.” BBC News. http://www.bbc.com/news/technology-40788266. Kenneally, Erin. 2005. “Confluence of Digital Evidence and the Law: On the Forensic Soundness of Live-Remote Digital Evidence Collection.” UCLA Journal of Law & Technology 9(2). http://papers. ssrn.com/sol3/papers.cfm?abstract_id=2145647. Kerr, Orin S. 2005. “Searches and Seizures in a Digital World.” Harvard Law Review 119: 531 –585. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=697541. Khatib, Lina, William H. Dutton and Michael Thelwall. 2012. “Public Diplomacy 2.0: A Case Study of the US Digital Outreach Team.” Middle East Journal 66(3): 453–472. http://papers.ssrn.com/sol3/ papers.cfm?abstract_id=1734850. Kibble, Mary B. 2008. “Fear Mongering, Filters, the Internet and the First Amendment: Why Congress Should Not Pass Legislation Similar to the Deleting Online Predators Act.” Roger Williams University Law Review 13(2). 497 –529. http://docs.rwu.edu/cgi/viewcontent. cgi?article=1391&context=rwu_LR. Kiley, Matthew, Tim Shinbara & Marcus Rogers. 2007. “iPod Forensics.” International Journal of Digital Evidence 4(2). Kim, Sohee and Meeyoung Cho. 2014 (Posted on 21 Dec. 2014). “South Korea Prosecutors Investigate Data Leak at Nuclear Power Plants.” Reuters. http://www.reuters.com/article/us- southkorea-nuclear-idUSKBN0JZ05120141221. King, Rachael. 2012 (Posted on 8 Nov. 2012). “Stuxnet Infected Chevron’s IT Network.” Wall Street Journal. http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/. Page 441 | Chapter 10 | Bibliography Table of Contents Kinget, Peter. 2014 (Posted on Nov. 2014). “The World Is Analog.” Circuit Cellar, no. 292. http:// www.ee.columbia.edu/~kinget/WhyAnalog/circuitcellar_The_World_Is_Analog_201410.pdf. Kitchin, Rob and Martin Dodge. 2001. “‘Placing’ Cyberspace: Why Geography Still Matters.” Information Technology, Education and Society 1(2): 25-46. Klip, André. 2013. “Section 4: Concept Paper and Questionnaire.” Paper prepared for IAPL’s Preparatory Colloquium Section IV for the 20th International Congress of Penal Law on Information Society and Penal Law, “International Criminal Law,” Helsinki, 10-12 June. http://www.penal.org/ IMG/pdf/Section_IV_EN.pdf. Kobie, Nicole. 2015 (Posted on 30 Mar. 2015). “Why Electronic Voting Isn’t Secure – but May Be Safe Enough.” Guardian. https://www.theguardian.com/technology/2015/mar/30/why-electronic-voting- is-not-secure. Kolochenko, Illia. 2016 (Posted on 16 Dec. 2016). “Cybercrime: The Price of Inequality.” Forbes. http://www.forbes.com/sites/forbestechcouncil/2016/12/19/cybercrime-the-price-of- inequality/2/#1994040176db. Konnikova, Maria. 2015 (Posted in May 2015). “Virtual Reality Gets Real: The Promises—and Pitfalls—of the Emerging Technology.” The Atlantic. http://www.theatlantic.com/magazine/ archive/2015/10/virtual-reality-gets-real/403225/. Koons, Stephanie. 2015 (Posted on 21 Jan. 2015). “IST Researchers Examine Role of “White Hat” Hackers in Cyber Warfare.” Penn State: News. http://news.psu.edu/story/341564/2015/01/21/ research/ist-researchers-examine-role-%E2%80%98white-hat%E2%80%99-hackers-cyber-warfare. Korte, Gregory. 2016 (Posted on 9 Feb. 2016). “Obama Signs Two Executive Orders on Cybersecurity” USA Today. http://www.usatoday.com/story/news/politics/2016/02/09/obama-signs- two-executive-orders-cybersecurity/80037452/. Kottasova, Ivana & Samuel Burke. 2017 (Posted on 27 Mar. 2017). “UK Government Wants Access to WhatsApp Messages.” CNN Tech. http://money.cnn.com/2017/03/27/technology/whatsapp- encryption-london-attack/index.html. Kraft, Michael & Edward Marks. 2012. US Government Counterterrorism: A Guide to Who Does What. Boca Raton, FL: CRC Press. Krebs, Albin. 1980 (Posted on 19 Nov. 1980).”Willie Sutton Is Dead at 79.” The New York Times. http://graphics8.nytimes.com/packages/pdf/books/Willie-Sutton-Obit.pdf. Krebs, Brian. 2014 (Posted on 14 Jan. 2014). “Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen.” Krebs on Security. http://krebsonsecurity.com/2014/01/target-names- emails-phone-numbers-on-up-to-70-million-customers-stolen/. Page 442 | Chapter 10 | Bibliography Table of Contents Krebs, Brian. 2015. “Carbanak APT: The Great Bank Robbery.” Kapersky Lab. http://krebsonsecurity. com/wp-content/uploads/2015/02/Carbanak_APT_eng.pdf. Krebs, Brian. 2015 (Posted on 15 Jan. 2015).“FBI: Businesses Lost $215M to Email Scams.” Krebs on Security. http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/. Krebs, Brian. 2015 (Posted on 15 Feb. 2015). “The Great Bank Heist, or Death by 1,000 Cuts?” Krebs on Security. http://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/. Kubrick, Stanley, dir. 2001: A Space Odyssey. Writ. Arthur C. Clarke & Stanley Kubrick. Metro Goldwyn-Mayer (MGM), 1968. Film. Kuchera, Ben. 2008 (23 Oct. 2008). “Dutch Court Imposes Real-World Punishment for Virtual Theft.” Ars Technica. https://arstechnica.com/gaming/2008/10/dutch-court-imposes-real-world- punishment-for-virtual-theft/. Kunze, Erin I. 2010. “Sex Trafficking via the Internet: How International Agreements Address The Problem And Fail To Go Far Enough.” Journal of High Technology Law 10(2): 241 –287. https://www. suffolk.edu/documents/jhtl_publications/kunze.pdf. Kushner, David. 2013 (Posted on 26 Feb. 2013). “The Real Story of Stuxnet: How Kaspersky Lab Tracked Down the Malware that Stymied Iran’s Nuclear-Fuel Enrichment Program.” IEEE Spectrum. http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet. L Laboratory of Cryptography and System Security (CrySyS Lab). 2012 (Posted on 31 May 2012). “sKyWIper (a.k.a. Flame a.k.a. Flamer): A Complex Malware for Targeted Attacks.” Budapest University of Technology and Economics. https://www.crysys.hu/skywiper/skywiper.pdf. Landler, Mark. 2000 (Posted on 21 Oct. 2000). “A Filipino Linked to ‘Love Bug’ Talks about his License to Hack.” New York Times. http://www.nytimes.com/2000/10/21/business/a-filipino-linked- to-love-bug-talks-about-his-license-to-hack.html. Laney Zhang. 2013. “China: NPC Decision on Network Information Protection.” Washington, D.C.: Library of Congress, Global Legal Monitor. http://www.loc.gov/law/foreign-news/article/china-npc- decision-on-network-information-protection/. Lange, Michell C.S. and Kristin M. Nimsger. 2004. Electronic Evidence and Discovery: What Every Lawyer Should Know. Chicago: ABA (American Bar Association). Lasseter, John, dir. 1995. Toy Story. Walt Disney Pictures & Pixar Animation Studios. Film. Page 443 | Chapter 10 | Bibliography Table of Contents Law, Jonathan, ed. 2015. “Extradition Treaty.” In: A Dictionary of Law (8 Ed.). http://www. oxfordreference.com/view/10.1093/acref/9780199664924.001.0001/acref-9780199664924-e- 1504?rskey=jCiT5L&result=1642. Lawrence III, Robert C. 1999. International Tax and Estate Planning. 3d ed. LawTeacher. 2013. “Computer and Cybercrime.” LawTeacher.net. http://www.lawteacher.net/free- law-essays/technology-law/computer-and-cybercrime.php. Lee, Dave. 2015 (Posted on 7 Oct. 2015). “How Worried Is Silicon Valley about Safe Harbour?” BBC News. http://www.bbc.com/news/technology-34461682. Lee, Dave. 2017 (Posted on 13 May 2017). “Global Cyber-Attack: How Roots Can be Traced to the US.” BBC News. http://www.bbc.com/news/technology-39905509. Lee, Sook-yeon. 2012. “Admissibility and Examination of Digital Evidence: With a Focus on the Criminal Procedure.” Supreme Court Law Journal 2(2): 11-84. http://library.scourt.go.kr/SCLIB_data/ publication/m_531306_v.2-2.pdf. Legal Information Institute. “Long-Arm Statute.” Cornell University Law School. https://www.law. cornell.edu/wex/long-arm_statute. Leigland, Ryan and Axel W. Krings. 2004. “A Formalization of Digital Forensics.” International Journal of Digital Evidence 3(2). http://people.cis.ksu.edu/~sathya/formalizing-df.pdf. Lewis, Paul. 2011 (Posted on 2 Mar. 2011). “You’re Being Watched: There’s One CCTV Camera for Every 32 People in UK.” Guardian. https://www.theguardian.com/uk/2011/mar/02/cctv-cameras- watching-surveillance. Lewontin, Max. 2016 (Posted on 8 Feb. 2016). “Why Defeat in India Leaves an Uncertain Path for Facebook’s ‘Free Basics’” The Christian Science Monitor. http://www.csmonitor.com/ Technology/2016/0208/Why-defeat-in-India-leaves-an-uncertain-path-for-Facebook-s-Free-Basics. Leyden, John. 2005 (Posted on 25 Jul. 2005). “UK War Driver Fined £500.” The Register. http://www. theregister.co.uk/2005/07/25/uk_war_driver_fined/. Leyden, John. 2008. “FBI Sought Approval to Use Spyware against Terror Suspects.” The Register. http://www.theregister.co.uk/2008/02/08/fbi_spyware_ploy_app/. Library of Congress. 2014. Full Report of European Union: ECJ Invalidates Data Retention Directive. Washington D.C.: Library of Congress. http://www.loc.gov/law/help/eu-data-retention-directive/eu- data-retention-directive.pdf. Page 444 | Chapter 10 | Bibliography Table of Contents Litvinova, Dari. 2015 (Posted on 1 Sep. 2015). “Russia’s New Personal Data Law Will Be Hard to Implement, Experts Say.” The Moscow Times. http://www.themoscowtimes.com/news/article/ russias-new-personal-data-law-will-be-hard-to-implement-experts-say/529195.html. Lloyd, Ian J.2014. Information Technology Law (7th Edition). London: Oxford University Press. Luiijf, Eric, Kim Besseling and Patrick De Graaf. 2013. “Nineteen National Cyber Security Strategies.” International Journal of Critical Infrastructures 9 (1-2): 3 –31. Lynch, James P. 1987. “Routine Activity and Victimization at Work.” Journal of Quantitative Criminology 3 (4):283-300. M MacAskill, Ewen. 2016 (Posted on 19 Nov. 2016). “‘Extreme Surveillance’ Becomes UK Law with Barely a Whimper.” Guardian. https://www.theguardian.com/world/2016/nov/19/extreme- surveillance-becomes-uk-law-with-barely-a-whimper. Macovei, Monica. 2004. Freedom of Expression: A guide to the Implementation of Article 10 of the European Convention on Human Rights (2nd Edition). Human Rights Handbooks, No 2. Strasbourg: Council of Europe. http://www.echr.coe.int/LibraryDocs/DG2/HRHAND/DG2-EN- HRHAND-02(2004).pdf. Malaga. 2008. “Requirements for the Admissibility in Court of Digital Evidence.” in: Syllabus to the European Certificate on Cybercrime and E-Evidence. Malby, Steven, Tejal Jesrani, Tania Bañuelos, Anika Holterhof & Magdalena Hahn. 2011. Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children. Vienna: UNODC. http://www.unodc.org/documents/organized-crime/cybercrime/Study_on_the_Effects. pdf. Malmström, Cecilia. 2012. “Public-private Cooperation in the Fight against Cybercrime.” Speech made at the EU Cybersecurity & Digital Crimes Forum, Brussels, 31 May. http://europa.eu/rapid/ press-release_SPEECH-12-409_en.pdf. MalwareTech. 2017 (Posted on 13 May 2017). “How to Accidentally Stop a Global Cyber Attacks.” MalwareTech Blog. https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global- cyber-attacks.html. Manes, Gavin W., Elizabeth Downing, Lance Watson and Christopher Thrutchley. 2007. “New Federal Rules and Digital Evidence.” Paper Prepared for the ADFSL (Association of Digital Forensics, Security and Law) Conference, “Digital Forensics, Security and Law,” Alexandria, 18-20 Apr. http://proceedings.adfsl.org/index.php/CDFSL/article/viewFile/12/12. Page 445 | Chapter 10 | Bibliography Table of Contents Marcella Jr., Albert and Doug Menendez. 2007. Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes (2nd Edition). Boca Raton: Auerbach Publications. Marino, Catalina Botero (Special Rapporteur for Freedom of Expression Inter-American Commission on Human Rights). 2013. Freedom of Expression and the Internet. OEA/Ser.L/V/ II CIDH/RELE/INF.11/13. Washington D.C.: OAS. http://www.oas.org/en/iachr/expression/docs/ reports/2014_04_08_Internet_ENG%20_WEB.pdf. Marlinspike, Moxie. 2013 (Posted on 13 Jun. 2013). “Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think about Surveillance.” Wired. https://www.wired.com/2013/06/why-i-have-nothing-to-hide-is- the-wrong-way-to-think-about-surveillance/. Marsh, James R. 2011. “Masha’s Law: A Federal Civil Remedy for Child Pornography Victims.” Syracuse Law Review 61(3): 459 –497. http://heinonline.org/HOL/Page?handle=hein.journals/ syrlr61&div=25&g_sent=1&collection=journals. Martinez, Edecio and Albert Gonzalez. 2010 (Posted on 26 Mar. 2010). “SoupNazi” Credit Card Hacker, Gets 20 Years.” CBS News. http://www.cbsnews.com/news/albert-gonzalez-soupnazi-credit- card-hacker-gets-20-years/. Mas, Ignacio & Dan Radcliffe. 2011. “Mobile Payments Go Viral M-PESA in Kenya.” Capco Journal of Financial Transformation 32. Mason, Stephen, ed. 2007. Electronic Evidence: Discovery, Disclosure and Admissibility. London: LexisNexis (U.K.)–Butterworths. Mathai, Anahita. 2015 (Posted on 12 Mar. 2015). “The Budapest Convention and Cyber Cooperation.” ORF Cyber Monitor. Maurer, Ueli. 1997. “Information-Theoretically Secure Secret-Key Agreement by NOT Authenticated Public Discussion,” in: EUROCRYPT’97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques. ftp://ftp.inf.ethz.ch/pub/crypto/publications/ Maurer97.pdf. McAFee. 2016. “Infographic: McAfee Labs Threats Report.” McAFee. https://www.mcafee.com/us/ resources/misc/infographic-threats-report-mar-2016.pdf. McAfee & CSIS. 2014. “Net Losses: Estimating the Global Cost of Cybercrime.” CSIS. http://csis. org/files/attachments/140609_rp_economic_impact_cybercrime_report.pdf. McBath, J. Elizabeth. 2012. “Trashing Our System of Justice? Overturning Jury Verdicts Where Evidence Is Found in the Computer’s Cache.” American Journal of Criminal Law 39 (3): 381-424. Page 446 | Chapter 10 | Bibliography Table of Contents McCormack, Wayne. 2014. “U.S. Judicial Independence: Victim in the “War on Terror”.” Washington and Lee Law Review 71(1): 305 –402. http://scholarlycommons.law.wlu.edu/cgi/ viewcontent.cgi?article=4374&context=wlulr. McCormick, Charles T. et al. 1992. McCormick on Evidence, 4th ed. St. Paul, MN: West Pub. McCullagh, Declan. 2005 (Posted on 28 Nov. 2005). “Fuzzy Logic Behind Bush’s Cybercrime Treaty.” CNET. http://www.cnet.com/news/fuzzy-logic-behind-bushs-cybercrime-treaty/. McCullagh, Declan. 2006 (Posted on 8 Aug. 2006). “Senate Ratifies Controversial Cybercrime Treaty.” CNET. http://www.cnet.com/news/senate-ratifies-controversial-cybercrime-treaty/. McCullagh, Declan. 2007 (Posted on 18 Jul. 2007). “FBI Remotely Installs Spyware to Trace Bomb Threat.” CNET. http://www.cnet.com/news/fbi-remotely-installs-spyware-to-trace-bomb-threat/. McCurry, Justin. 2014 (Posted on 23 Dec. 2014). “South Korean Nuclear Operator Hacked Amid Cyber-Attack Fears.” The Guardian. http://www.theguardian.com/world/2014/dec/22/south-korea- nuclear-power-cyber-attack-hack. McGath, Gary 2016. “Net Neutrality Kills Free Internet - Is Internet Access a Basic Human Right?” Atlanta: FEE (Foundation for Economic Education). https://fee.org/articles/net-neutrality-kills-free- internet/. McKinsey & Company. 2016. “How Blockchains Could Change the World.” McKinsey & Company. http://www.mckinsey.com/industries/high-tech/our-insights/how-blockchains-could-change-the- world. Melander, Sakari. 2013. “Ultima Ratio in European Criminal Law.” Oñate Socio-Legal Series 3(1): 42–61. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2200871. Mendel, Toby. 2000. “Freedom of Information as an Internationally Protected Human Right.” In: American Civil Liberties Union International Civil Liberties Report. Los Angeles: ACLU (American Civil Liberties Union). https://www.article19.org/data/files/pdfs/publications/foi-as-an-international- right.pdf. Menn, Joseph. 2015 (Posted on 29 May 2015). “Exclusive: US Tried Stuxnet-Style Campaign Against North Korea but Failed—Sources.” Reuters. http://www.reuters.com/article/us-usa-northkorea- stuxnet-idUSKBN0OE2DM20150529. Metz, Cade. 2016 (Posted on 5 Apr. 2016). “Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People.” Wired. http://www.wired.com/2016/04/forget-apple-vs-fbi- whatsapp-just-switched-encryption-billion-people/. Page 447 | Chapter 10 | Bibliography Table of Contents Meyers, Matthew and Marc Rogers. 2004. “Computer Forensics: The Need for Standardization and Certification.” International Journal of Digital Evidence 3(2) https://utica.edu/academic/institutes/ ecii/publications/articles/A0B7F51C-D8F9-A0D0-7F387126198F12F6.pdf. Microsoft. 2008. Case Study: Forefront Helping to Protect Australia’s Borders from Illegal Immigration, Drug Smuggling and Other Security Threats. Redmond: Microsoft. Microsoft. 2015. Microsoft Security Intelligence Report Vol. 19 (January –June 2015). Redmond: Microsoft. http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A- 16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf. Microsoft.2016. Microsoft Security Intelligence Report Vol. 21. Microsoft. https://blogs.microsoft. com/microsoftsecure/2016/12/14/microsoft-security-intelligence-report-volume-21-is-now- available/. Microsoft. 2017 (Posted on 14 Mar. 2017). Security Bulletin MS17-010. Microsoft. https://technet. microsoft.com/en-us/library/security/ms17-010.aspx. Microsoft Security Response Center. 2017 (Posted on 12 May 2017). “Customer Guidance for WannaCrypt Attacks.” Microsoft. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer- guidance-for-wannacrypt-attacks/. Miethe, Terance D. and Robert F. Meier. 1990. “Criminal Opportunity and Victimization rates: A Structural-choice Theory of Criminal Victimization.” Journal of Research in Crime and Delinquency 27:243-66. Milanovic, Marko. 2015. “Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age.” Harvard International Law Journal 56(1): 81 to 146. http://www.harvardilj.org/wp-content/ uploads/561Milanovic.pdf. Miller, Joe. 2014 (Posted on 19 Sep. 2014). “Google and Apple to introduce Default Encryption.” BBC. http://www.bbc.com/news/technology-29276955. Miquelon-Weismann, Miriam F. 2005. “The Convention on Cybercrime: A Harmonized Implementation of International Penal Law: What Prospects for Procedural Due Process.” John Marshall Journal of Computer and Information Law 23(2): 329 –361. http://repository.jmls.edu/cgi/ viewcontent.cgi?article=1057&context=jitpl. Mitchell, William J. 1995. City of Bits: Space, Place and the Infobahn. Cambridge: MIT Press. https:// mitpress.mit.edu/sites/default/files/9780262133098.pdf. Moir, Iain, George R. S. Weir. 2008. “Identity Theft: A Study in Contact Centres.” Paper presented at the 4th International Conference on Global E-Security, London, 23-28 Jun. http://www.cis.strath. ac.uk/cis/research/publications/papers/strath_cis_publication_2243.pdf. Page 448 | Chapter 10 | Bibliography Table of Contents Moitra, Soumyo D. 2004. “Cybercrime: Towards an Assessment of its Nature and Impact.” International Journal of Comparative and Applied Criminal Justice 28 (2): 105 –120. Molina, Fernando. 2011. “A Comparison Between Continental European and Anglo-American Approaches to Overcriminalization and Some Remarks on How to Deal with It.” New Criminal Law Review 14 (1): 123–138. Moore, Robert. 2004. “To View or Not to View: Examining the Plain View Doctrine and Digital Evidence.” American Journal of Criminal Justice 29(1): page 57 –73. Morris, Jr., John B. 2011. Hearing on “Data Retention as a Tool For Investigating Internet Child Pornography And Other Internet Crimes. Washington D.C.: CDT (Center for Democracy & Technology). https://cdt.org/files/pdfs/20110124_morris_DataRetention_testi.pdf. Mott, Nathaniel. 2016 (15 Jun. 2016). “Take That, FBI: Apple Goes All in on Encryption.” Guardian. https://www.theguardian.com/technology/2016/jun/15/apple-fbi-file-encryption-wwdc. Mullen, Paul. Michele Pathé & Rosemary Purcell. “Cyberstalking.” Stalking Risk Profile. https://www. stalkingriskprofile.com/victim-support/impact-of-stalking-on-victims. Munro, Susan and Lin Yang. 2015. “China Promulgates the Ninth Amendment to the PRC criminal law.” Washington, D.C.: Steptoe & Johnson LLP. http://www.steptoe.com/publications-10742.html. N National Center for Victims of Crime. “Stalking Technology Outpaces State Laws.” National Center for Victims of Crime. https://victimsofcrime.org/docs/src/stalking-technology-outpaces-state- laws17A308005D0C.pdf?sfvrsn=2. National Conference of State Legislature. “National Conference of State Legislature.” National Conference of State Legislature. http://www.ncsl.org/. NCFTA (National Cyber-Forensics and Training Alliance). “Who We Are.” NCFTA. http://www.ncfta. net/. NCFTA. 2016 (Posted on 8 Jan. 2016). “NCFTA in the News: The National Cyber-Forensics and Training Alliance to Open New Offices in Los Angeles and New York.” NCTFA. https://www.ncfta. net/Home/News. NCFTA. 2016 (Posted on 18 Jul. 2016). “NCFTA in the News: International Alliance Against Counterfeiting.” NCTFA. https://www.ncfta.net/Home/News. NCFTA. “CyFin.” NCFTA. http://www.ncfta.net/Home/Cyfin. Page 449 | Chapter 10 | Bibliography Table of Contents NCFTA. “BCP.” NCFTA. http://www.ncfta.net/Home/BCP. NCFTA. “MCT.” NCFTA. http://www.ncfta.net/Home/Malware. National Institute of Justice (NIJ). “Digital Evidence and Forensics.” U.S. Department of Justice. http://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx. National Institute of Standards and Technology (NIST). “Computer Forensics Tool Testing Project.” NIST. http://www.cftt.nist.gov. NIST. 2016 (Posted on 4 Oct. 2016). “’Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly.” NIST. https://www.nist.gov/news-events/news/2016/10/security- fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly. National White Collar Crime Center. 2011. Criminal Use of Social Media (2011). Fairmont: National White Collar Crime Center. http://www.iacpsocialmedia.org/Portals/1/documents/External/ NW3CArticle.pdf. NDTV Correspondent. 2015 (Posted on 28 May. 2015). “Gaana.com Confirms Its User Database Was Hacked.” Gadgets360. http://gadgets.ndtv.com/internet/news/gaanacom-allegedly-hacked-details- of-all-users-exposed-697111. Neumayer, Eric. 2007. “Qualified Ratification: Explaining Reservations to International Human Rights Treaties.” Journal of Legal Studies 36(2): 397 –430. http://eprints.lse.ac.uk/3051/1/Qualified_ ratification_(LSERO).pdf. News Report. 2006 (Posted 4 Aug. 2006). “CSIA Applauds Ratification of Cybercrime Treaty.” GT (Government Technology). http://www.govtech.com/security/CSIA-Applauds-Ratification-of- Cybercrime-Treaty.html. Nicoll, Chris. 2003. “Concealing and Revealing Identity on the Internet.” In: Digital Anonymity and the Law edited by Chris Nicoll, J. E. J. Prins and Miriam J. M. van Dellen, 99-120. The Hague: T.M.C. Asser Press. Nijboer, Johannes F. 2013. “Section 3: Concept Paper and Questionnaire.” Paper prepared for IAPL’s Preparatory Colloquium Section III for the 20th International Congress of Penal Law on Information Society and Penal Law, “Criminal Procedure,” Antalya, 23-26 September. http://www. penal.org/IMG/pdf/Section_III_EN.pdf. Nolan, Richard, Colin O’Sullivan, Jake Branson and Cal Waits. 2005. First Responders Guide to Computer Forensics. Arlington: SEI (Software Engineering Institute). http://www.sei.cmu.edu/ reports/05hb001.pdf. Page 450 | Chapter 10 | Bibliography Table of Contents NATO. 2011. “G8 Declaration Renewed Commitment for Freedom And Democracy.” G8 Summit of Deauville, (26–27 May 2011). http://www.nato.int/nato_static/assets/pdf/ pdf_2011_05/20110926_110526-G8-Summit-Deauville.pdf. NATO (North Atlantic Treaty Organization). 2016. “Warsaw Summit Communiqué, Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in Warsaw 8–9 July 2016: Press Release (2016) 100.” http://www.nato.int/cps/en/natohq/official_ texts_133169.htm. NTT Innovation Institute, Inc. 2015. 2015 Global Threat Intelligence Report –Executive Summary. East Palo Alto: NTT Innovation Institute, Inc. http://www.nttcomsecurity.com/en/uploads/files/ US_GTIR_Executive_Summary_Public_Approved_v8.pdf. Nugent, John. “Cyber Security Outlook.” In: RISKMAP REPORT 2016. Washington D.C.: Control Risks, 22-23. https://www.controlrisks.com/webcasts/studio/flipping-book/riskmap_report_2016/ files/assets/common/downloads/RISKMAP%202016%20REPORT.pdf. Nussbaum, Ania. 2015 (Posted on 18 Jun. 2015). “Russia’s Data Law Will Hurt Its Economy –Think Tank.” The Wall Street Journal: Digits. http://blogs.wsj.com/digits/2015/06/18/russias-data-law-will- hurt-its-economy-think-tank/. O Obama, Barack. 2009 (Posted on 29 May. 2009). “Remarks by the President on Securing Our Nation’s Cyber Infrastructure.” The White House –Office of the Press Secretary. https://www. whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure. OECD (Office of Economic Cooperation and Development). 2013. Guidelines for the Security of Information Systems and Network. Paris: OECD. https://www.oecd.org/sti/ieconomy/privacy- guidelines.htm. Office of the Privacy Commissioner of Canada. 2015. Fact Sheet on the Digital Privacy Act. Gatineau, Quebec. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/resource/ fs-fi/02_05_d_63_s4_e.pdf. Official Microsoft Blog. “Botnets.” Microsoft. https://blogs.microsoft.com/blog/tag/botnets/#sm.0 00013htf1t8ngf0zuycn3473chdh. O’Harrow Jr., Robert. 2005. No Place to Hide. New York: Free Press. Oh, Gi-du.2013. “Statement of Defendant and Authentication of Electronic Documents.” Supreme Court Law Journal 3(2): 71-114. http://library.scourt.go.kr/SCLIB_data/publication/m_531306_v.3-2. pdf. Page 451 | Chapter 10 | Bibliography Table of Contents Ollmann, Gunter. 2007. The Phishing Guide: Understanding & Preventing Phishing Attacks. New York: IBM (IBM Global Technology Services). http://www-935.ibm.com/services/us/iss/pdf/phishing- guide-wp.pdf. Ondieki, Elvis. 2016 (Posted on 8 May 2016). “M-Pesa Transactions Rise to Sh15bn Daily after Systems Upgrade.” http://www.nation.co.ke/news/MPesa-transactions-rise-to-Sh15bn-after- systems-upgrade/1056-3194774-llu8yjz/index.htmln. Open Rights Group. 2015. Data retention in the EU following the CJEU ruling – updated April 2015. London: Open Rights Group. https://www.openrightsgroup.org/assets/files/legal/Data_Retention_ status_table_updated_April_2015_uploaded_finalwithadditions.pdf. OAS. “G8 – 24/7 Network.” Organization of American States (OAS). OAS. http://www.oas.org/ juridico/english/cyber_g8.htm. OAS (Organization of American States). 2000. Final Report of the Second Meeting of Government Experts on Cyber Crime. OAS. http://www.oas.org/juridico/english/cybGE_IIrep.pdf OAS. “Who We Are.” OAS. http://www.oas.org/en/about/who_we_are.asp. OAS. “Cyber Security,” OAS. https://www.sites.oas.org/cyber/en/Pages/default.aspx. OAS. “Welcome,” Inter-American Cooperation Portal on Cyber-Crime. OAS. http://www.oas.org/ juridico/english/cyber.htm OAS. 2006. Questionnaire Related to the Recommendations from the Fourth Meeting of Governmental Experts on Cyber-Crime. Washington D.C.: OAS. http://www.oas.org/juridico/ english/cybGE_IVquest.doc. OAS. 2007. The G8 24/7 Network of Contact Points: Protocol Statement. Washington D.C.: OAS. http://www.oas.org/juridico/english/cyb_pry_G8_network.pdf. OAS. 2011. “Freedom of Expression Rapporteurs Issue Joint Declaration Concerning the Internet.” OAS. http://www.oas.org/en/iachr/expression/showarticle.asp?artID=848. OAS. 2016. “Best Practices for Establishing a National CSIRT.” OAS. https://www.sites.oas.org/ cyber/Documents/2016%20-%20Best%20Practices%20CSIRT.pdf. OECS (Organization for Eastern Caribbean States). 2011. Electronic Crimes Bill (Fourth Draft). Castries: OECS. http://www.oecs.org/publications/e-government-for-regional-integration-project/ oecs-harmonized-e-government-legislation/575-electronic-crimes-bill-ags-09-10-11/file. Page 452 | Chapter 10 | Bibliography Table of Contents Osgood, D. Wayne, Janet K. Wilson, Patrick M. O’Malley, Jerald G. Bachman and Lloyd D. Johnston. 1996. “Routine Activities and Individual Deviant Behavior.” American Sociological Review. 61 (4): 635-55. Osiander, Andreas. 2011. “Sovereignty, International Relations, and the Westphalian Myth.” International Organization Vol. 55. Otake, Tomoko. 2015 (Posted on 1 Jun 2015). “1.25 million Affected by Japan Pension Service Hack”. Japan Times. http://www.japantimes.co.jp/news/2015/06/01/national/crime-legal/japan- pension-system-hacked-1-25-million-cases-personal-data-leaked/#.VvVfpNIrKUk. P Paganini, Pierluigi. 2015 (Posted on 18 Mar. 2015). “South Korea—Hacker Requests Money for Data on Nuclear Plants.” Security Affairs. http://securityaffairs.co/wordpress/35013/cyber-crime/hacker- south-korean-nuclear-plants.html. Palatino, Mong. 2014 (Posted on 24 Mar. 2014). “Singapore Criminalizes Cyber Bullying and Stalking.” Diplomat. http://thediplomat.com/2014/03/singapore-criminalizes-cyber-bullying-and- stalking/. Pandey, Avaneesh. 2016 (Posted on 28 Feb. 2016). “Energy-Efficient ‘Biocomputer’ Provides Viable Alternative to Quantum Computers.” IBT. http://www.ibtimes.com/energy-efficient-biocomputer- provides-viable-alternative-quantum-computers-2326448. Parliamentary Office of Science and Technology (POST). 2015 (Posted on 9 Mar. 2015). “The Darknet and Online Anonymity.” UK Houses of Parliament, No. 488. http://researchbriefings.parliament.uk/ ResearchBriefing/Summary/POST-PN-488. Parsons, Mark and Peter Colegate. 2015 (Posted on 12 Feb. 2015). “2015: The Turning Point for Data Privacy Regulation in Asia?” In: Data Protection & Law Policy (January 2015). Hogan Lovells Chronical of Data Protection. http://www.hldataprotection.com/2015/02/articles/international-eu- privacy/2015-the-turning-point-for-data-privacy-regulation-in-asia/. Patel, Ahmed and Séamus Ó Ciardhuáin. 2000. “The Impact of Forensic Computing on Telecommunication.” IEEE Communications Magazine 38 (11): 64 –67. Paxson, Vern. 2001. “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks.” ACM SIGCOMM Computer Communication Review 31(3): 38 –47. http://www.icir.org/vern/papers/ reflectors.CCR.01.pdf. Page 453 | Chapter 10 | Bibliography Table of Contents PC World. 2016 (Posted on 20 Apr. 2016). “SpyEye Botnet Kit Developer Sentenced to Long Jail Term.” PC World. http://www.pcworld.com/article/3059557/spyeye-botnet-kit-developer- sentenced-to-long-jail-term.html. Pearson, Sarah Hinchliff. 2009 (Posted on April 17 2009). “The Dynamic Balance between Free Speech and Privacy Interests.” Stanford Law School Blog. http://cyberlaw.stanford.edu/ blog/2009/04/dynamic-balance-between-free-speech-and-privacy-interests. Perlroth, Nicole. 2017 (Posted on 6 Jul. 2017). “Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say.” New York Times. https://www.nytimes.com/2017/07/06/technology/ nuclear-plant-hack-report.html?mcubz=0. Persak, Nina. 2007. Criminalizing Harmful Conduct: The Harm Principle, its Limits and Continental Counterparts. Berlin-Heidelberg: Springer. Peterson, Andrea. 2014 (Posted on 18 Dec. 2014). “The Sony Pictures Hack, Explained.” Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack- explained/. Philippe, Xavier. 2006. “The Principles of Universal Jurisdiction and Complementarity: How Do the Two Principles Intermesh?” International Review of the Red Cross 88, no. 862. https://www.icrc.org/ eng/assets/files/other/irrc_862_philippe.pdf. Phpsecurity. “Injection Attacks.” Phpsecurity. http://phpsecurity.readthedocs.io/en/latest/Injection- Attacks.html. PM. 2016 (Posted on 22 Jul. 2016). “Could a New Case Stop Your Phone from Being Hacked?” BBC News. http://www.bbc.co.uk/programmes/p0428n3p. Popa, Bogdan. 2007 (Posted on 19 Jul. 2007). “FBI Fights against Terrorists with Computer Viruses.” Softpedia. http://news.softpedia.com/news/FBI-Fights-Against-Terrorists-With-Computer- Viruses-60417.shtml. Porcedda, Maria Grazia. 2012. “Data Protection and the Prevention of Cybercrime: The EU as an Area of Security?” EUI Working Papers, EUI (European University Institute), Florence. http://cadmus. eui.eu/bitstream/handle/1814/23296/LAW-2012-25.pdf?sequence=1&isAllowed=y. Poulsen, Kevin. 2007 (Posted on 18 Jul. 2007). “FBI’s Secret Spyware Tracks down Teen Who Makes Bomb Threats.” ABC News. http://abcnews.go.com/Technology/story?id=3389624. Privacy International. “What Is Data Protection?” Privacy International. https://www. privacyinternational.org/node/44. Page 454 | Chapter 10 | Bibliography Table of Contents Putnam, Tonya L. and David D. Elliott. 2001. “Chapter 2: International Responses to Cyber Crime.” In: The Transnational Dimension of Cyber Crime and Terrorism edited by Abraham D. Sofaer and Seymour E. Goodman, 35 –67. Stanford: Hoover Institution Press.http://www.hoover.org/sites/ default/files/uploads/documents/0817999825_35.pdf. PwC (PricewaterhouseCoopers). 2014. Financial Services Sector Analysis of PwC’s 2014 Global Economic Crime Survey: Threats to the Financial Services Sector. Washington D.C.: PwC. https:// www.pwc.com/gx/en/financial-services/publications/assets/pwc-gecs-2014-threats-to-the-financial- services-sector.pdf. PWC. 2014. PWC’s 2014 Global Economic Crime Survey: Economic Crime, A Threat to Business Globally. https://www.pwc.at/publikationen/global-economic-crime-survey-2014.pdf. Q Quarmby, Katharine. 2014 (Posted on 13 Aug. 2014). “How the Law Is Standing Up to Cyberstalking.” Newsweek. http://www.newsweek.com/2014/08/22/how-law-standing- cyberstalking-264251.html. Quismundo, Tarra. 2014 (11 Oct. 2014). “DOJ, NU Join Forces against Cybercrime.” Philippine Daily Inquirer. http://technology.inquirer.net/38998/doj-nu-join-forces-against-cybercrime. R Raghavan, A.R. and Latha Parthiban. 2014. “The Effect of Cybercrime on a Bank’s Finances.” International Journal of Current Research and Academic Review 2(2): 173 to 174. http://www.ijcrar. com/vol-2-2/A.R.%20Raghavan%20and%20Latha%20Parthiban.pdf. Rajan, Nandagopal. 2016 (Posted on 12 Apr. 2016). “WhatsApp Is Not Breaking Indian Laws with 256-Bit Encryption, for Now.” Indian Express. http://indianexpress.com/article/technology/social/ whatsapp-end-to-end-encryption-not-illegal-in-india/. Rath, David. 2016 (Posted on 11 Oct. 2016). “Legislating Cybersecurity: Lawmakers Recognize Their Responsibility with Cyberthreats.” Government Technology. http://www.govtech.com/security/ Legislating-Cybersecurity-Lawmakers-Recognize-Their-Responsibility-with-Cyberthreats.html. Rayman, Noah. 2014 (Posted on 7 Aug. 2014). “The World’s Top 5 Cybercrime Hotspots.” Time. http://time.com/3087768/the-worlds-5-cybercrime-hotspots/. Rehberg, Megan and Susan W. Brenner. 2010. “‘Kiddie Crime?’ The Utility of Criminal Law in Controlling Cyberbullying.” First Amendment Law Review. http://papers.ssrn.com/sol3/papers. cfm?abstract_id=1537873. Page 455 | Chapter 10 | Bibliography Table of Contents Reith, Mark, Clint Carr, Gregg Gunsch. 2002. “An Examination of Digital Forensic Models.” International Journal of Digital Evidence 1(3). https://www.utica.edu/academic/institutes/ecii/ publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf. Repeta, Lawrence. 1999. Local Government Disclosure Systems in Japan. Seattle: The National Bureau of Asian Research. http://unpan1.un.org/intradoc/groups/public/documents/APCITY/ UNPAN026259.pdf. Roberts, Alasdair S. 2001. “Structural Pluralism and the Right to Information.” University of Toronto Law Journal 51(3): 243-271. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1305423. Rosenblum, Paula. 2014 (Posted on 17 Mar. 2014). “In Wake of Target Data Breach, Cash Becoming King Again.” Forbes. http://www.forbes.com/sites/paularosenblum/2014/03/17/in-wake-of-target- data-breach-cash-becoming-king-again/. Rossignol, Joe. 2015 (Posted on 24 Sep 2015). “Apple Lists Top 25 Apps Compromised by XcodeGhost Malware.” MacRumors –Newsletter. http://www.macrumors.com/2015/09/24/ xcodeghost-top-25- apps-apple-list/. RT. 2015 (Posted on 22 May. 2015). “Yemeni Group Hacks 3,000 Saudi Govt Computers to Reveal Top Secret Docs – Report.” RT. https://www.rt.com/news/261073-yemen-cyber-hack-saudi/. Rudd, Amber. 2017 (Posted on 25. Mar. 2017). “Social Media Firms Must Join the War on Terror.” Telegraph. http://www.telegraph.co.uk/news/2017/03/25/social-media-firms-must-join-war-terror/. Ruibin, Gon, Tony Kai Yun Chan and Mathias Gaertner. 2005. “Case-Relevance Information Investigation: Binding Computer Intelligence to the Current Computer Forensic Framework.” International Journal of Digital Evidence 4(1). http://citeseerx.ist.psu.edu/viewdoc/download?doi =10.1.1.81.4278&rep=rep1&type=pdf. Russon, Mary-Ann. 2016 (Posted on 7 Apr. 2016). “Quantum Cryptography Breakthrough: ‘Unbreakable Security’ Possible Using Pulse Laser Seeding.” International Business Times. http:// www.ibtimes.co.uk/quantum-cryptography-breakthrough-unbreakable-security-possible-using- pulse-laser-seeding-1553721. S Sacco, Lisa N. 2015. “The Violence Against Women Act: Overview, Legislation, and Federal Funding.” U.S. Congressional Research Service. https://www.fas.org/sgp/crs/misc/R42499.pdf. Salkever, Alex. 2001 (Posted on 27 Nov. 2001). “A Dark Side to the FBI’s Magic Lantern.” Bloomberg. http://www.bloomberg.com/news/articles/2001-11-26/a-dark-side-to-the-fbis-magic- lantern. Page 456 | Chapter 10 | Bibliography Table of Contents Salvador, Joseph. 2015. “Dismantling the Internet Mafia: RICO’s Applicability to Cyber Crime.” Rutgers Computer & Technology Law Journal 41(2): 268 –297. Sampson, Robert J. and John D. Woodredge. 1987. “Linking the Micro- and Macro-level Dimensions of Lifestyle-routine Activity and Opportunity Models of Predatory Victimization.” Journal of Quantitative Criminology 3 (4): 371-93. Sanger, David E. & Nicole Perlroth. 2014 (Posted on 17 Dec. 2014). “US Said to Find North Korea Ordered Cyberattack on Sony.” New York Times. http://www.nytimes.com/2014/12/18/world/asia/ us-links-north-korea-to-sony-hacking.html?_r=1. SANS Institute.“SANS Courses.” SANS. https://uk.sans.org/courses. Schjolberg, Stein. 2003. The Legal Framework – Unauthorized Access to Computer Systems: Penal Legislation in 44 Countries. Moss District Court, Norway. Schmidt, Michael S. 2012 (Posted on 2 Aug. 2012). “Cybersecurity Bill Is Blocked in Senate by G.O.P. Filibuster.” New York Times. http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill- blocked-by-gop-filibuster.html?_r=0. Schuba, Christoph L., Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford and Aurobindo Sundaram, Diego Zamboni. 1996. “Analysis of a Denial of Service Attack on TCP.” Computer Science Technical Reports. Paper 1327. http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2326&context=cstech. Science News. 2013 (Posted on 22 May 2013). “Big Data, for Better or Worse: 90% of World’s Data Generated Over Last Two Years.” Science Daily. https://www.sciencedaily.com/ releases/2013/05/130522085217.htm. Scott, Mark. 2015 (Posted on 12 Jan. 2015). “British Prime Minister Suggests Banning Some Online Messaging Apps.” New York Times: Bits. http://bits.blogs.nytimes.com/2015/01/12/british-prime- minister-suggests-banning-some-online-messaging-apps/?_r=0. Secretary of Defense Ash Carter & Chairman of the Joint Chiefs of Staff General Joseph F. Dunford. 2016 (Posted on 29 Feb. 2016). Dept. of Defense Press Briefing. Pentagon Briefing Room. http:// www.defense.gov/News/News-Transcripts/Transcript-View/Article/682341/department-of-defense- press-briefing-by-secretary-carter-and-gen-dunford-in-the Selyukh, Alina and Camila Domonoske. 2016 (Posted on 17 Feb. 2016). “Apple, The FBI and iPhone Encryption: A Look at what’s at stake.” NPR. http://www.npr.org/sections/thetwo- way/2016/02/17/467096705/apple-the-fbi-and-iphone-encryption-a-look-at-whats-at-stake. Sembhi, Sarb. 2009 (Posted on Feb. 2009). “How to Defend against Data Integrity Attacks.” Computer Weekly. http://www.computerweekly.com/opinion/How-to-defend-against-data-integrity- attacks. Page 457 | Chapter 10 | Bibliography Table of Contents Sen, Jaydip. 2013. “Chapter 1: Security and Privacy Issues in Cloud Computing.” In: Architectures and Protocols for Secure Information Technology Infrastructures edited by Antonio Ruiz-Martinez, Rafael Marin-Lopez and Fernando Pereniguez Garcia, 1-45. Hershey, Pennsylvania: Information Science Reference. https://arxiv.org/ftp/arxiv/papers/1303/1303.4814.pdf. Shaftan, Vera. 2015 (Posted on 23 Jul. 2015). “Russia Signs Controversial ‘Right to be Forgotten’ Bill Into Law.” Data Protection Report. http://www.dataprotectionreport.com/2015/07/russia-signs- controversial-right-to-be-forgotten-bill-into-law/. Shim, Elizabeth. 2015 (Posted on 20 Oct. 2015). “Spy agency: North Korea Hackers Stole Sensitive South Korean Data.” UPI: Top News/World News. http://www.upi.com/Top_News/ World-News/2015/10/20/Spy-agency-North-Korea-hackers-stole-sensitive-South-Korean- data/9041445353950/. Shore, Malcolm, Yi Du and Sherali Zeadally. 2011. “A Public-Private Partnership Model for National Cybersecurity.” Policy & Internet 3(2). http://onlinelibrary.wiley.com/doi/10.2202/1944-2866.1114/ pdf. Siegfried, Jason, Christine Siedsma, Bobbie-Jo Countryman and Chester D. Hosmer. 2004. “Examining the Encryption Threat.” International Journal of Digital Evidence 2(3). https://www.utica. edu/academic/institutes/ecii/publications/articles/A0B0C4A4-9660-B26E-12521C098684EF12.pdf. Silverman, Craig & Lawrence Alexander. 2016 (Posted on 3 Nov. 2016). “How Teens in the Balkans Are Duping Trump Supporters with Fake News.” Buzzfeed News. https://www.buzzfeed. com/craigsilverman/how-macedonia-became-a-global-hub-for-pro-trump-misinfo?utm_term=. eiWv81lZY#.yrrb4qwgD. Silverstone, Roger. 2006. Media and morality on the rise of the Mediapolis. New York: Wiley. Simmons, Luke. 2015 (Posted on 14 Oct. 2015). “What Is the Difference between the Internet of Everything and the Internet of Things.” CloudRail. https://cloudrail.com/internet-of-everything-vs- internet-of-things/. Simson, Caroline. 2015 (Posted on 27 Mar. 2015). “Australia OKs Data Retention Bill despite Privacy Concerns.” Law360. https://www.law360.com/articles/636319/australia%20 oksdataretentionbilldespiteprivacyconcerns. Singh, Abhishek Pratap. 2016 (Posted on 23 Dec. 2016). “China’s First Cyber Security Law.” Institute for Defense Studies and Analyses. http://www.idsa.in/backgrounder/china-first-cyber-security-law_ apsingh_231216#footnote5_w4sr2kl. Smale, Alison & Michael D. Shearmarch. 2014 (Posted on 24 Mar. 2014). “Russia Is Ousted from Group of 8 by US and Allies.” New York Times. http://www.nytimes.com/2014/03/25/world/europe/ obama-russia-crimea.html?_r=0. Page 458 | Chapter 10 | Bibliography Table of Contents Smart Cities Council. “Smart Cities Council.” Smart Cities Council. http://smartcitiescouncil.com/. Smith, Brad. 2017 (Posted on 14 May 2017). “The Need for Urgent Collective Action to Keep People Safe Online: Lessons from Last Week’s Cyberattack.” Official Microsoft Blog. https://blogs. microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online- lessons-last-weeks-cyberattack/#oHaqtHbEYodLhwLl.99. Smith, Jamie. 2016 (Posted on 9 Nov. 2016). “There Is More to Blockchain than Moving Money. It Has the Potential to Transform Our Lives—Here’s How.” World Economic Forum. https://www. weforum.org/agenda/2016/11/there-is-more-to-blockchain-than-moving-money. Smith, Russell G., Ray Chak-Chung Cheung, Laurie Yiu-Chung Lau, eds. 2015. Cybercrime Risks and Responses: Eastern and Western Perspectives. London: Palgrave MacMillan. Snow, Gordon M. 2011. Statement before the House Financial Services Committee. Subcommittee on Financial Institutions and Consumer Credit. Washington: FBI. https://archives.fbi.gov/archives/ news/testimony/cyber-security-threats-to-the-financial-sector. Socco, Michele. 2013. “Fight against Cybercrime: a European perspective.” In: Cyber Crime: Risks for the Economy and Enterprises (Proceedings of UNICRI round table), Lucca, Italy, 29 Nov., 29–32. Turin: UNICRI. http://www.unicri.it/special_topics/securing_cyberspace/current_and_past_activities/ current_activities/Lucca_Proceedings.pdf. Sofaer, Abraham D. and Seymour E. Goodman. 2000. A Proposal for an International Convention on Cyber Crime and Terrorism. Stanford: CISAC (Center for International Security and Cooperation). http://cisac.fsi.stanford.edu/sites/default/files/sofaergoodman.pdf. Solove, Daniel J. 2011. Nothing to Hide: The False Tradeoff between Privacy and Security. New Haven: Yale University Press. Solove, Daniel J. and Paul Schwartz. 2014. Information Privacy Law (5th Edition). Frederick: Wolters Kluwer Law & Business. Sotto, Lisa J. and Aaron P. Simpson. “Data Protection and Privacy 2016.” In: Getting the Deal Through: 169-175. Washington, D.C.: Hunton & Williams LLP. https://www.hunton.com/files/ Publication/5c30013e-fa2d-4f6f-8cf0-1df81bf2209d/Presentation/PublicationAttachment/8ddc7e60- dfd4-4b07-a845-221bb6667921/data-protection-privacy-eu-usa.pdf. Soukieh, Kim. 2011. “Cybercrime –The Shifting Doctrine of Jurisdiction.” Canberra Law Review 10: 221-238. http://www.austlii.edu.au/au/journals/CanLawRw/2011/9.pdf. Spidalieri, Francesca. 2015. State of the States on Cybersecurity. Newport: Pell Center for International Relations and Public Policy. http://pellcenter.org/wp-content/uploads/2015/11/Pell- Center-State-of-the-States-Report.pdf. Page 459 | Chapter 10 | Bibliography Table of Contents Stalder, Felix. 1998. “The Logic of Networks: Social Landscapes vis-a-vis the Space of Flows.” Ctheory.net. http://www.ctheory.net/articles.aspx?id=263. Stalking Resource Center, National Center for Victims of Crime. 2003. “Stalking Technology Outpaces State Laws.” Stalking Resource Center Newsletter 3, no. 2. https://victimsofcrime.org/ docs/src/stalking-technology-outpaces-state-laws17A308005D0C.pdf?sfvrsn=2. State of New Jersey/Department of Law & Safety, Division of Criminal Justice. 2000. New Jersey: Computer Evidence Search and Seizure Manual. Trenton: State of New Jersey/Department of Law & Public Safety, Division of Criminal Justice. www.state.nj.us/lps/dcj/pdfs/cmpmanfi.pdf. Statista. Number of Internet Users Worldwide from 2000 to 2015 (in Millions).” Statista. http://www. statista.com/statistics/273018/number-of-internet-users-worldwide/. Steel, Alex. 2010. “The True Identity of Australian Identity Theft Offences: A Measured Response or an Unjustified Status Offence?” University of New South Wales Law Journal Vol. 33: 503 –531. Stephenson, P. 2003. “A Comprehensive Approach to Digital Incident Investigation.” Information Security Technical Report 8(2): 42-54. Stone, Kolvin, Christian Schröder, Antony P. Kim & Aravind Swaminathan. 2015 (Posted 6 Oct. 2015). “US–EU Safe Harbor – Struck Down!” Orrick Trust Anchor Blog. http://blogs.orrick.com/ trustanchor/2015/10/06/us-eu-safe-harbor-struck-down/. Sturges, Paul. 2006. “Limits to Freedom of Expression? Considerations Arising from the Danish Cartoons Affair” IFLA Journal 32 (3): 181-188. http://www.ifla.org/files/assets/faife/publications/ sturges/cartoons.pdf. Sullivan, Bob. 2001 (Posted on 20 Nov. 2001). “FBI Software Cracks Encryption Wall.” NBC News. http://www.nbcnews.com/id/3341694/ns/technology_and_science-security/t/fbi-software-cracks- encryption-wall/#.V0DuWTotBjo. Supreme People’s Court and Supreme People’s Procuratorate. 2004. “Interpretation of Some Questions on Concretely Applicable Law in the Handling of Criminal Cases of Using the Internet or Mobile Communication Terminals and Voicemail Platforms to Produce, Reproduce, Publish, Peddle or Disseminate Obscene Electronic Information.” China Copyright and Media. https:// chinacopyrightandmedia.wordpress.com/2004/09/09/interpretation-of-some-questions- on-concretely-applicable-law-in-handling-criminal-cases-of-using-the-internet-or-mobile- communication-terminals-and-voicemail-platforms-to-produce-reproduce-publish-2/#more-1700. Sweeney, Brendan J. 2008. “Global Competition: Searching For a Rational Basis for Global Competition Rules.” Sydney Law Review 30: 209 –244. https://sydney.edu.au/law/slr/slr30_2/ Sweeney.pdf. Page 460 | Chapter 10 | Bibliography Table of Contents Swire, Peter and Lauren Steinfeld. 2002. “Security and Privacy after September 11: The Health Care Example.” Minnesota Law Review 86(6):1515-1540. http://papers.ssrn.com/sol3/papers. cfm?abstract_id=347322. Symantec Corporation. 2014. Internet Security Threat Report 2014: Volume 19. Mountain View: Herndon, Virginia: Symantec Corporation. http://www.symantec.com/content/en/us/enterprise/ other_resources/b-istr_main_report_v19_21291018.en-us.pdf. Symantec Corporation. 2015. Norton Cybersecurity Insights Report. Herndon, Virginia: Symantec Corporation. https://us.norton.com/norton-cybersecurity-insights-report-global?inid=hho_norton. com_cybersecurityinsights_hero_seeglobalrpt. Symantec Corporation. 2016. Norton Cybersecurity Insights Report. Herndon, Virginia: Symantec Corporation. https://us.norton.com/norton-cybersecurity-insights-report-global?inid=hho_norton. com_cybersecurityinsights_hero_seeglobalrpt. Symanetc Corporation. 2017. 2017 Internet Security Threat Report. Herndon, Virginia: Symantec Corporation. https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf. Symantec Security Response. 2017 (Posted on 22 May 2017). “WannaCry: Ransomware Attacks Show Strong Links to Lazarus Group.” Symantec Official Blog. https://www.symantec.com/connect/ blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group. T Tabo, Tamara. 2015 (Posted on 12 Jun. 2015). “United States v. The Internet: America’s Most Wanted May Look a Lot Like You.” Above the Law. http://abovethelaw.com/2015/06/united-states-v-the- internet-americas-most-wanted-may-look-a-lot-like-you/. Tamarkin, Eric. 2015 (Posted on Jan. 2015). “The AU’s Cybercrime Response: A Positive Start, but Substantial Challenges Ahead.” Institute for Security Studies. https://www.files.ethz.ch/isn/187564/ PolBrief73_cybercrime.pdf. Tapscott, Don. & Alex Tapscott. 2016 (Posted on 10 May 2016). “The Impact of the Blockchain Goes Beyond Financial Services.” Harvard Business Review. https://hbr.org/2016/05/the-impact-of-the- blockchain-goes-beyond-financial-services. Taylor, Paul. 2001. “The Scope of Government Access to Copies of Electronic Communication Stored with Internet Service Providers: A Review of Legal Standards.” Journal of Technology Law and Policy 6(2): 109-174. Talleur, Tom. 2002. “Digital Evidence: The Moral Challenge.” International Journal of Digital Evidence 1(1). https://www.utica.edu/academic/institutes/ecii/publications/articles/9C4E398D- 0CAD-4E8D-CD2D38F31AF079F9.pdf. Page 461 | Chapter 10 | Bibliography Table of Contents Tendulkar, Rohini. 2013. “Cyber-crime, Securities Markets and Systemic Risk.” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges, ICSCO, Madrid. http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf. The Bible, Mat. 9:16–17 (NRSV). The Commonwealth. “About Us.” The Commonwealth. http://thecommonwealth.org/about-us. The Commonwealth. “Commonwealth Cybercrime Initiative.” The Commonwealth. http:// thecommonwealth.org/commonwealth-cybercrime-initiative. The Commonwealth. 2014. “The Commonwealth Cybercrime Initiative: A Quick Guide.” The Commonwealth. http://www.securityskeptic.com/CCI%20Quick%20Guide.pdf. The Commonwealth. 5–8 May 2014. “Communiqué: Commonwealth Law Ministers Meeting.” The Commonwealth. http://thecommonwealth.org/media/news/communique-commonwealth-law- ministers-meeting-2014#sthash.oZZBUeVU.dpuf. The Commonwealth. (16–18 Mar. 2016). “Gros Islet Communiqué.” The Caribbean Stakeholders Meeting on Cybersecurity and Cybercrime (CSM-II) Commonwealth. http://thecommonwealth.org/ sites/default/files/news-items/documents/6%20FinalCastriesDeclaration170316.pdf. The Commonwealth. 2016 (Posted on15 Mar. 2016). “Caribbean to Tackle Escalating Cybercrime with Regional Approach.” The Commonwealth. http://thecommonwealth.org/media/press-release/ caribbean-tackle-escalating-cybercrime-regional-approach#sthash.HjmhE8I8.dpuf. The Economist. 2012. (Posted on 11 Feb. 2012). “Indian Telecoms Scandal: Megahurts.” The Economist. http://www.economist.com/node/21547280. The Egmont Group. 2015. The Egmont Group Strategic Plan 2014 – 2017. Toronto: The Egmont Group. http://www.egmontgroup.org/library/download/415. The Rt Hon Matt Hancock MP, UK Cabinet Office & UK National Security Secretariat. 2016. “UK Cyber Security Strategy: Statement on the Final Annual Report.” GOV.uk. https://www.gov.uk/ government/speeches/uk-cyber-security-strategy-statement-on-the-final-annual-report. The White House. 2012. Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. Washington, D.C.: The White House. https://www.whitehouse.gov/sites/default/files/privacy-final.pdf. The White House. 2012. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. Washington, D.C.: The White House. https://www.dhs.gov/ sites/default/files/publications/Cyberspace_Policy_Review_final_0.pdf. Page 462 | Chapter 10 | Bibliography Table of Contents The White House of President Barack Obama. “1 is 2 Many: Resources Violence Against Women Act.” The White House of President Barack Obama. https://obamawhitehouse.archives. gov/1is2many. The White House of President Barack Obama. “Factsheet: The Violence Against Women Act.” The White House of President Barack Obama. https://obamawhitehouse.archives.gov/sites/default/files/ docs/vawa_factsheet.pdf. The White House of President Barack Obama. “Electronic Crimes Task Forces (ECTF).” The White House of President Barack Obama. https://obamawhitehouse.archives.gov/files/documents/cyber/ United%20States%20Secret%20Service%20-%20Electronic%20Crimes%20Task%20Forces.pdf. The White House of Barack Obama. 2015 (Posted on 13 Feb. 2015). “Executive Order -- Promoting Private Sector Cybersecurity Information Sharing.” The White House of President Barack Obama. https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promo ting-private-sector-cybersecurity-information-shari Threatcloud. “Live Cyber Attack Threat Map.” Threatcloud. https://threatmap.checkpoint.com/ ThreatPortal/livemap.html. Tiernan, B. 2000. E-tailing. Chicago: Dearborn. Tor Project. “Tor.” Tor Project. https://torproject.org/. Tosza, Stanislaw. 2013. “Online Social Networks and Violations Committed Using I.T. –Identity Fraud and Theft of Victual Property.” International Review of Penal Law 84:115–139. Tsukayama, Hayley. 2014 (Posted on 13 Nov. 2014). “Facebook Rewrites Its Privacy Policy so that Humans Can Understand It.” The Washington Post. https://www.washingtonpost.com/news/the- switch/wp/2014/11/13/facebook-rewrites-its-privacy-policy-so-that-humans-can-understand-it/. Turnbull, Benjamin, Barry Blundell and Jill Slay. 2006. “Google Desktop as a Source of Digital Evidence.” International Journal of Digital Evidence 5(1). https://www.utica.edu/academic/ institutes/ecii/publications/articles/EFE47BD9-A897-6585-5EAB032ADF89EDCF.pdf. U U.K. (United Kingdom) Cabinet Office and UK National Security Secretariat. 2011. “The UK Cyber Security Strategy—Protecting and Promoting the UK in a Digital World.” London: Crown. https:// www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security- strategy-final.pdf. Page 463 | Chapter 10 | Bibliography Table of Contents U.K. Cabinet Office and UK National Security Secretariat. 2013. “Cyber Security Strategy: Progress So Far.” London: Crown. https://www.gov.uk/government/collections/cyber-security-strategy- progress-so-far--2. U.K. Cabinet Office & UK National Security Secretariat. 2016. “The UK Cyber Security Strategy 2011- 2016: Annual Report.” Gov.uk. https://www.gov.uk/government/publications/the-uk-cyber-security- strategy-2011-2016-annual-report. U.K. Home Office. 2016. Investigatory Powers Bill: Explanatory Notes to the Investigatory Powers Bill as brought from the House of Commons on 8 June 2016 (HL Bill 40). https://www.publications. parliament.uk/pa/bills/lbill/2016-2017/0040/17040en.pdf. U.K. Home Secretary. 2017 (Posted on 26 Mar. 2017). ‘We need the Help of Social Media Companies.” UK Home Office News Team. https://homeofficemedia.blog.gov.uk/2017/03/26/ home-secretary-we-need-the-help-of-social-media-companies/. U.K. NCA (National Crime Agency). 2014 (Posted on 19 May. 2014). “Unprecedented UK Operation Aids Global Strike against Blackshades Malware.” NCA. http://www.nationalcrimeagency.gov.uk/ news/news-listings/371-uk-arrests-in-international-operation. U.K. Parliament. “Investigatory Powers Act 2016.” U.K. Parliament. http://services.parliament.uk/ bills/2015-16/investigatorypowers.html. UN (United Nations). 2000. “Crime Related to Computer Networks: Background Paper for the Workshop on Crimes Related to Computer Networks.” A/CONF.187/10. Paper prepared for the 10th UN Congress on the Prevention of Crime and Treatment of Offenders, “Crime and Justice: Meeting the Challenges of the Twenty-first Century,” Vienna, 10-17 April. http://www.un.org/ga/ search/view_doc.asp?symbol=A/CONF.187/10. UN. 2006. “Annex E. Extraterritorial Jurisdiction.” In: Report of the International Law Commission: Fifty-eighth session (1 May-9 June and 3 July-11 August 2006), 516-40. A/61/10. New York: UN. http://legal.un.org/ilc/documentation/english/reports/a_61_10.pdf. UN. 2010. “Working Paper Prepared by the Secretariat on Recent Developments in the Use of Science and Technology by Offenders and by Competent Authorities in Fighting Crime, including the Case of Cybercrime.” A/CONF.213/9. Paper prepared for the 12th UN Congress on Crime Prevention and Criminal Justice, “Comprehensive strategies for global challenges: crime prevention and criminal justice systems and their development in a changing world,” Salvador, 12-19 April. http://www.un.org/ga/search/view_doc.asp?symbol=A/CONF.213/9. UN. 2014. “The Obligation to Extradite or Prosecute.” Final Report of the UN International Law Commission. http://legal.un.org/ilc/texts/instruments/english/reports/7_6_2014.pdf Page 464 | Chapter 10 | Bibliography Table of Contents UN. 2015. “Background Paper on the Workshop on Strengthening Crime Prevention and Criminal Justice Responses to Evolving Forms of Crime, such as Cybercrime and Trafficking in Cultural Property, including Lessons Learned and International Cooperation.” A/CONF.222/12. Paper prepared for the 13th UN Congress on Crime Prevention and Criminal Justice, “Integrating crime prevention and criminal justice into the wider UN agenda to address social and economic challenges and to promote the rule of law at the national and international levels and public participation,” Doha, 12-19 April. http://www.un.org/ga/search/view_doc.asp?symbol=A/ CONF.222/12. UN. 2015. “Draft Doha Declaration on Integrating Crime Prevention and Criminal Justice into the Wider United Nations Agenda to Address Social and Economic Challenges and to Promote the Rule of Law at the National and International Levels and Public Participation.” A/CONF.222/L.6. Paper prepared for the 13th UN Congress on Crime Prevention and Criminal Justice, “Integrating crime prevention and criminal justice into the wider UN agenda to address social and economic challenges and to promote the rule of law at the national and international levels and public participation,” Doha, 12-19 April. http://www.un.org/ga/search/view_doc.asp?symbol=A/ CONF.222/L.6. UN. 2015 (Posted on 16 April. 2015). “Public-private Partnerships Needed to Combat Transnational Cyber-crime.” UN/Multimedia. http://www.unmultimedia.org/radio/english/2015/04/public-private- partnerships-needed-to-combat-transnational-cyber-crime/#.V0XQ0IcUU5u. UN. “Secretriat.” UN. http://www.un.org/en/sections/about-un/secretariat/index.html. UN Commission on Human Rights. 1999. Report of the Special Rapporteur on the Protection and Promotion of the Right to Freedom of Opinion and Expression, Mr. Abid Hussain. E/CN.4/1999/64. New York: UN. http://dag.un.org/bitstream/handle/11176/223391/E_CN.4_1999_64-EN. pdf?sequence=3&isAllowed=y. UN Commission on Human Rights. 1995. Promotion and protection of the right to freedom of opinion and expression Report of the Special Rapporteur, Mr. Abid Hussain, pursuant to Commission on Human Rights resolution 1993/45 (E/CN.4/1995/32). New York: UN. https:// documents-dds-ny.un.org/doc/UNDOC/GEN/G94/750/76/PDF/G9475076.pdf?OpenElement. UN Committee against Torture. 2016. “Consideration of reports submitted by States parties under article 19 of the Convention pursuant to the optional reporting procedure.” Third to Fifth Periodic Reports of States Parties due in 2012. Korea: UN. http://docstore.ohchr.org/SelfServices/ FilesHandler.ashx?enc=6QkG1d%2FPPRiCAqhKb7yhsvF6hiQLJAnpG6iplFwLNHHRo0OD78WS4LFA hS78ybK9cAdJ5ZfbR4liAXIyMG4l6gfS%2BNuCz6URY2YsRMgaSD1rC4Di8J1OSunD47yXd4UH. Page 465 | Chapter 10 | Bibliography Table of Contents UN CRC (United Nations Committee on the Rights of the Child). 2010. Consideration of Reports Submitted by States Parties under Article 12, Paragraph 1, of the Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography, Initial Reports of States Parties Due in 2005, Argentina. CRC/C/OPSC/ARG/1. Geneva: UN OHCHR. http://tbinternet.ohchr.org/_layouts/treatybodyexternal/Download. aspx?symbolno=CRC%2FC%2FOPSC%2FARG%2F1&Lang=en. UNCTAD (UN Conference on Trade and Development). “Data Protection and Privacy Legislation Worldwide.” United Nations. http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/ eCom-Data-Protection-Laws.aspx. UNCTAD. Information Economy Report 2005. Geneva: UNCTAD. http://unctad.org/en/docs/ sdteedc20051_en.pdf. UNCTAD. 2012. Harmonizing Cyberlaws and Regulations: The Experience of the East African Community. Geneva: UNCTAD. http://unctad.org/en/PublicationsLibrary/dtlstict2012d4_en.pdf. UNCTAD. 2015. Information Economy Report 2015: Unlocking the Potential of E-commerce for Developing Countries. Geneva: UNCTAD. http://unctad.org/en/PublicationsLibrary/ier2015_en.pdf. UNCTAD. 2016. “Cybercrime Legislation Worldwide.” UNCTAD. http://unctad.org/en/Pages/DTL/ STI_and_ICTs/ICT4D-Legislation/eCom-Cybercrime-Laws.aspx. UNCTAD. “Cyberla Tracker.” UNCTAD. http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D- Legislation/eCom-Data-Protection-Laws.aspx. UNCTAD. “Summary of Adoption of E-Commerce Legislation Worldwide.” UNCTAD. unctad.org/ cyberlawtracker. UNCTAD. “TrainForTrade.” UNCTAD. https://tft.unctad.org/?page_id=119. UNCTAD & Eastern African Community. 2008. “Draft EAC Legal Framework.” The East African Community IRC Repository. http://repository.eac.int:8080/bitstream/handle/11671/1815/EAC%20 Framework%20for%20Cyberlaws.pdf?sequence=1&isAllowed=y. UN Department of Economic and Social Affairs. 2014. Open Working Group Proposal for Sustainable Development Goal. New York: UN. https://sustainabledevelopment.un.org/content/ documents/1579SDGs%20Proposal.pdf. UN Development Programme (UNDP). 2001. Human Development Report 2001: Making New Technologies Work for Human Development. New York: United Nations. http://hdr.undp.org/en/ content/human-development-report-2001. Page 466 | Chapter 10 | Bibliography Table of Contents UNESCO (United Nations Educational, Scientific and Cultural Organization). 2008. Medium-Term Strategy for 2008-2013. Geneva: UNESCO. http://unesdoc.unesco.org/ images/0014/001499/149999e.pdf. UNESCO. 2014. World Trends in Freedom of Expression and Media Development: Regional Overview of Asia and the Pacific. Paris: UNESCO. http://unesdoc.unesco.org/ images/0022/002277/227737e.pdf. UNESCO. 2014. World Trends in Freedom of Expression and Media Development: Regional Overview of Latin America and the Caribbean. Paris: UNESCO. http://unesdoc.unesco.org/ images/0022/002277/227740e.pdf. UNESCO. 2015. Keystones to Foster Inclusive Knowledge Societies: Access to information and Knowledge, Freedom of Expression, Privacy and Ethics on a Global Internet. Paris: UNESCO. http:// unesdoc.unesco.org/images/0023/002325/232563E.pdf. UNESCO. 2016. Concept Note: Access to Information and Fundamental Freedoms This Is Your Right! (World Press Freedom Day 3 May 2016). Paris. UNESCO. http://www.unesco.org/new/ fileadmin/MULTIMEDIA/HQ/CI/CI/pdf/WPFD/WPFD2016_Concept-Note.pdf. UN General Assembly. 2011. Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression. A/66/290.New York: UN. http://www.un.org/ga/ search/view_doc.asp?symbol=A/66/290. UN General Assembly. 2012. Report of the Special Rapporteur on the Situation of Human Rights Defenders. A/67/292. New York: UN. http://www.un.org/ga/search/view_doc.asp?symbol=A/67/292. UN General Assembly. 2015. Report of the Special Rapporteur on the Situation of Human Rights Defenders. A/70/217. New York: UN. http://www.un.org/ga/search/view_doc.asp?symbol=A/70/217. UN Human Rights Committee. 1988. Report of the Human Rights Committee –General Assembly Official Records: Forty-third Session Supplement No. 40. A/43/40.New York: UN. http://www.un.org/ en/ga/search/view_doc.asp?symbol=A/43/40. UN Human Rights Committee. 1999. General Comments adopted by the Human Rights Committee under Article 40, Paragraph 4, of the International Covenant on Civil and Political Rights. CCPR/C/21/Rev.1/Add.9. New York: UN. https://documents-dds-ny.un.org/doc/UNDOC/GEN/ G99/459/25/PDF/G9945925.pdf?OpenElement. UN Human Rights Committee. 2014. Concluding observations on the fourth periodic report of the United States of America. CCPR/C/USA/CO/4. Geneva: UN OHCHR. http://tbinternet.ohchr.org/_ layouts/treatybodyexternal/Download.aspx?symbolno=CCPR%2fC%2fUSA%2fCO%2f4&Lang=en. Page 467 | Chapter 10 | Bibliography Table of Contents UN Human Rights Committee. 2015. Concluding observations on the seventh periodic report of the United Kingdom of Great Britain and Northern Ireland. CCPR/C/GBR/CO/7. Geneva: UN OHCHR. http://tbinternet.ohchr.org/_layouts/treatybodyexternal/Download.aspx?symbolno=CCPR/C/GBR/ CO/7&Lang=En. UN Human Rights Committee. 2015. Concluding Observations on the Fifth Periodic Report of France. CCPR/C/FRA/CO/5. Geneva: UN OHCHR. http://tbinternet.ohchr.org/_layouts/ treatybodyexternal/Download.aspx?symbolno=CCPR/C/FRA/CO/5&Lang=En. UN Human Rights Council. 2010. Report of the Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms while Countering Terrorism, Martin Scheinin: Compilation of Good Practices on Legal and Institutional Frameworks and Measures that Ensure Respect for Human Rights by Intelligence Agencies while Countering Terrorism, Including on Their Oversight. A/HRC/14/46. New York: UN. https://documents-dds-ny.un.org/doc/UNDOC/GEN/ G10/134/10/PDF/G1013410.pdf?OpenElement. UN Human Rights Council. 2011. Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue. A/HRC/17/27. New York: UN. https://documents-dds-ny.un.org/doc/UNDOC/GEN/G11/132/01/PDF/G1113201. pdf?OpenElement. UN Human Rights Council. 2013. Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue. A/HRC/23/40. New York: UN. https://documents-dds-ny.un.org/doc/UNDOC/GEN/G13/133/03/PDF/G1313303. pdf?OpenElement. UN Human Rights Council. 2014. The Right to Privacy in the Digital Age: Report of the Office of the United Nations High Commissioner for Human Rights. A/HRC/27/37. New York: UN. https:// documents-dds-ny.un.org/doc/UNDOC/GEN/G14/088/54/PDF/G1408854.pdf?OpenElement. UN Human Rights Council. 2015. Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, David Kaye. A/HRC/29/32. New York: UN. https://documents-dds-ny.un.org/doc/UNDOC/GEN/G15/095/85/PDF/G1509585. pdf?OpenElement. UN Human Rights Council. 2016. The Promotion, Protection and Enjoyment of Human Rights on the Internet. A/HRC/32/L.20. http://daccess-ods.un.org/access.nsf/Get?Open&DS=A/HRC/32/ L.20&Lang=E. UNICRI (United Nations Interregional Crime and Justice Research Institute). 2013. “Background Information: How is cybercrime defined?” In: Cyber Crime: Risks for the Economy and Enterprises [Proceedings of UNICRI round table (Lucca, Italy, 29 November 2013)], 7. Turin: UNICRI. http://www. unicri.it/special_topics/securing_cyberspace/current_and_past_activities/current_activities/Lucca_ Proceedings.pdf. Page 468 | Chapter 10 | Bibliography Table of Contents UNICRI. 2014. Cybercrime: Risks for the Economy and Enterprises at the EU and Italian Level. Turin: UNICRI. http://www.unicri.it/in_focus/files/Criminalita_informatica_inglese.pdf. UNICRI. 2014. “Information Sharing and Public-Private Partnerships: Perspectives and Proposals.” Working Paper. UNICRI, Turin. http://www.unicri.it/special_topics/securing_cyberspace/current_ and_past_activities/current_activities/Information_Sharing_cover_INDEXED_0611.pdf. UNICRI. 2015. Guidelines for IT Security in SMEs. Turin: UNICRI. http://www.unicri.it/news/files/ Research-Guidelines_for_IT_Security_of_SMEs-Flavia_Zappa_FINAL.pdf. UNODC (United Nations Office on Drugs and Crime). 2012. Cybercrime Questionnaire for Member States. Vienna: UNODC. https://cms.unov.org/DocumentRepositoryIndexer/ GetDocInOriginalFormat.drsx?DocID=f4b2f468-ce8b-41e9-935f-96b1f14f7bbc. UNODC. 2013. Comprehensive Study on Cybercrime (Draft). Vienna: UNODC. http://www.unodc. org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf. UNODC. 2015. Study on the Effects of New Information Technologies on the Abuse and Exploitation of Children. Vienna: UNODC. https://www.unodc.org/documents/organized-crime/ cybercrime/Study_on_the_Effects.pdf. UNODC. 2016 (Posted on 13 Oct. 2016). “UNODC Provided Training to South East Asian Institutions to Combat Cybercrime.” UNODC. https://www.unodc.org/unodc/en/frontpage/2016/ October/unodc-provided-training-to-south-east-asian-institutions-to-combat-cybercrime.html UNODC. “UNODC Repository on Cyber Crime.” UNODC. https://www.unodc.org/cld/v3/cybrepo/ legdb/index.html?lng=en. UNODC. “SHERLOC Portal.” UNODC. https://www.unodc.org/cld/v3/sherloc/. UN Secretariat. 2015. “Comprehensive and balanced approaches to prevent and adequately respond to new and emerging forms of transnational crime Working paper.” A/CONF.222/8. 13th UN Congress on Crime Prevention and Criminal Justice. http://www.unodc.org/documents/ congress//Documentation/A-CONF.222-8/ACONF222_8_e_V1500538.pdf. UN Sustainable Development. “Open Working Group Proposal for Sustainable Development Goals.” UN Sustainable Development. https://sustainabledevelopment.un.org/focussdgs.html U.S. (United States) Attorney’s Office, N.D. Ga. 2014 (Posted on 28 Jan. 2014). “Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware.” FBI. https://archives. fbi.gov/archives/atlanta/press-releases/2014/cyber-criminal-pleads-guilty-to-developing-and- distributing-notorious-spyeye-malware. Page 469 | Chapter 10 | Bibliography Table of Contents U.S. CERT (Computer Emergency Readiness Team. “US-CERT: About Us.” US CERT. https://www. us-cert.gov/about-us. U.S. Department of Commerce, Internet Policy Task Force. 2013. Copyright, Creativity and Innovation in the Digital Economy. Washington, D.C.: U.S. Department of Commerce. http://www. uspto.gov/sites/default/files/news/publications/copyrightgreenpaper.pdf. U.S. Department of Defense. “DoD Cyber Crime Center (DC3).” U.S. Department of Defense. http://www.dc3.mil/. U.S. Department of Homeland Security. “Combatting Cyber Crime.” U.S. Department of Homeland Security. https://www.dhs.gov/topic/combating-cyber-crime. U.S. Department of Justice. 1989. Computer Crime: Criminal Justice Resource Manual (2d ed.). National Institute of Justice, Office of Justice Program. OJP-86-C-002. U.S. Department of Justice. 1994. “Federal Guidelines for Searching and Seizing Computers.” Bureau of National Affairs, Criminal Law Reporter Vol. 56. https://epic.org/security/computer_ search_guidelines.txt U.S. Department of Justice. 1996. “Domestic Violence, Stalking, and Antistalking Legislation: An Annual Report to Congress under the Violence Against Women Act.” U.S. Department of Justice, National Institute of Justice. https://www.fas.org/sgp/crs/misc/R42499.pdf. U.S. Department of Justice. 2004. Problem-Oriented Guides for Police Problem-Specific Guides Series Guide: Stalking, no. 22. U.S. Department of Justice, National Center for Victims of Crime. https://victimsofcrime.org/docs/src/stalking-problem-oriented-policiing-guide.pdf?sfvrsn=0. U.S. Department of Justice. 2004 (Posted on 11 May 2004). “G8 Background.” U.S. Department of Justice. https://www.justice.gov/ag/g8-background. U.S. Department of Justice. 2009. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington: Office of Legal Education. https://www.justice. gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf. U.S. Department of Justice. 2010. Leader of Hacking Ring Sentenced for Massive Identity Theft from Payment Processor and U.S. Retail Networks. Washington D.C.: U.S. Department of Justice. https:// www.justice.gov/sites/default/files/usao-nj/legacy/2014/09/02/dojgonzalez0326rel.pdf. U.S. Department of Justice. 2016 (Posted on 7 Dec. 2016). “Assistant Attorney General Leslie R. Caldwell Delivers Remarks Highlighting Cybercrime Enforcement at Center for Strategic and International Studies.” Office of Public Affairs, U.S. Department of Justice. https://www.justice.gov/ opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-highlighting-cybercrime. Page 470 | Chapter 10 | Bibliography Table of Contents U.S. Department of Justice. 2016 (Posted on 26 Apr. 2016). “Two Major International Hackers Who Developed the ‘SpyEye’ Malware Get Over 24 Years Combined in Federal Prison.” US Dept. of Justice. https://www.justice.gov/usao-ndga/pr/two-major-international-hackers-who-developed- spyeye-malware-get-over-24-years-combined. U.S. Department of Justice. 2016 (Posted on 6 Jun. 2016). “Assistant Attorney General Leslie R. Caldwell Speaks at the CCIPS-CSIS Cybercrime Symposium 2016: Cooperation and Electronic Evidence Gathering Across Borders.” U.S. Department of Justice. https://www.justice.gov/opa/ speech/assistant-attorney-general-leslie-r-caldwell-speaks-ccips-csis-cybercrime-symposium-2016. U.S. Department of Justice, Office of Public Affairs. 2017 (Posted on 15 Mar. 2017). “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts.” U.S. Department of Justice. https://www.justice.gov/opa/pr/us-charges-russian-fsb- officers-and-their-criminal-conspirators-hacking-yahoo-and-millions U.S. Department of Justice. “Agencies.” U.S. Department of Justice. https://www.justice.gov/ agencies/list. U.S. Department of Justice. “Computer Crime & Intellectual Property Section (CCIPS): About the Computer Crime & Intellectual Property Section.” U.S. Department of Justice. https://www.justice. gov/criminal-ccips. U.S. Department of State. 2013 (Posted on 11 Apr. 2013), “Media Note: G8 Foreign Ministers’ Meeting Statement,” Office of the Spokesperson, U.S. Department of State. http://www.state. gov/r/pa/prs/ps/2013/04/207354.htm. U.S. Department of State, Bureau of Counterterrorism. 2014. “Ch. 5: Terrorist Safe Havens.” in: Country Reports on Terrorism. http://www.state.gov/j/ct/rls/crt/2014/239412.htm. U.S. FTC (Federal Trade Commission). 2013. “Mobile Privacy Disclosures: Building Trust through Transparency.” Washington, D.C.: U.S. FTC. https://www.ftc.gov/sites/default/files/documents/ reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission- staff-report/130201mobileprivacyreport.pdf. U.S. FTC. 2015. “Internet of Things: Privacy and Security in a Connected World.” FTC Staff Report. https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report- november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf. U.S. FTC. 2015. Statement of Enforcement Principles Regarding “Unfair Methods of Competition” Under Section 5 of the FTC Act. Washington, D.C.: U.S. FTC. https://www.ftc.gov/system/files/ documents/public_statements/735201/150813section5enforcement.pdf. U.S. GAO (Government Accountability Office). 2007. Public and Private Entities Face Challenges in Addressing Cyber Threats. Washington, D.C.: U.S. GAO. http://www.gao.gov/new.items/d07705. pdf. Page 471 | Chapter 10 | Bibliography Table of Contents U.S. Legal.com. “Double Criminality Law & Legal Definition.” U.S. Legal.com. http://definitions. uslegal.com/d/double-criminality/. U.S. State of Maryland. General Guidelines for Seizing Computers and Digital Evidence. US State of Maryland, Maryland State Police. https://www.coursehero.com/file/8005384/Article-Maryland-Seize- Computers-1/. University of Oxford–Oxford Martin School, GCSCC (Global Cyber Security Capacity Centre). 2014. Cyber Security Capability Maturity Model (CMM) – Pilot. London: University of Oxford–Oxford Martin School, GCSCC. http://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/CMM%20 Pilot%20version%20A.15.12.2014.pdf. Urbas, Gregor. 2012. “Cybercrime, Jurisdiction and Extradition: The Extended Reach of Cross- Border Law Enforcement.” Journal of Internet Law 16 (1): 7-17. V Vaidyanathan, A. 2015. “Supreme Court Reserves Orders on Validity of Section 66A of IT Act.” NDTV, 28 Feb. http://www.ndtv.com/india-news/supreme-court-reserves-orders-on-validity-of- section-66a-of-it-act-742758. Vacca, John R. 2005. Computer Forensics, Computer Crime Scene Investigation (2nd Edition). Newton Centre: Charles River Media. Vaciago, Giuseppe. 2012. Digital Evidence. Torino: Giappichelli. Venmo. “Fees & Venmo.” Venmo. https://help.venmo.com/hc/en-us/articles/224361007-Fees- Venmo. Verini, James. 2010. (Posted on 10 Nov. 2010). “The Great Cyberheist.” New York Times Magazine. http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html. Verizon. 2017. 2017 Data Breach Investigations Report, 10th ed. Verizon. http://www. verizonenterprise.com/verizon-insights-lab/dbir/2017/. Viano, Emilio C. 2006. “Cybercrime: A New Frontier in Criminology.” International Annals of Criminology 44 (1/2): 11-22. Viano, Emilio C. 2012. “Balancing Liberty and Security Fighting Cybercrime: Challenges for the Networked Society.” In: Cybercriminality: Finding a Balance between Freedom and Security, edited by Stefano Manacorda. 33-63. Milano: ISPAC (International Scientific and Professional Advisory Council) of the United Nations Crime Prevention and Criminal Justice Programme. http://ispac. cnpds.org/download.php?fld=pub_files&f=ispacottobre2012bassa.pdf. Page 472 | Chapter 10 | Bibliography Table of Contents Viano, Emilio C. 2013. “Section 2: Concept Paper and Questionnaire.” Paper Prepared for IAPL’s Preparatory Colloquium Section II for the 20th International Congress of Penal Law on Information Society and Penal Law, “Criminal Law Special Part,” Moscow, 24-27 Apr. http://www.penal.org/IMG/ pdf/Section_II_EN.pdf. Viano, Emilio C. 2013. “Section II – Criminal Law. Special Part. Information Society and Penal Law: General Report.” International Review of Penal Law 84: 335 – 355. Villasenor, John. 2016 (Posted on 25 Aug. 2016). “Ensuring Cybersecurity in Fintech: Key Trends and Solutions.” Forbes. http://www.forbes.com/sites/johnvillasenor/2016/08/25/ensuring-cybersecurity- in-fintech-key-trends-and-solutions/#13edc74be1fa. Vodaphone. 2016 (Posted on 25 Apr. 2016). “Vodafone M-Pesa Reaches 25 Million Customers Milestone.” Vodaphone. https://www.vodafone.com/content/index/media/vodafone-group- releases/2016/mpesa-25million.html. von Spakovsky, Hans A. “The Dangers of Internet Voting.” The Heritage Foundation. http://www. heritage.org/research/reports/2015/07/the-dangers-of-internet-voting. Voreacos, David. 2015 (Posted on 13 Feb. 2015). “Accused Moscow Hacker Drinkman arrives in the U.S. for trial.” Bloomberg Business. http://www.bloomberg.com/news/articles/2015-02-13/accused- moscow-hacker-drinkman-arrives-in-u-s-to-face-trial. W Wakefield, Jane. 2005 (Posted on 28 Jul. 2005). “Wireless Hijacking Under Scrutiny.” BBC. http:// news.bbc.co.uk/2/hi/technology/4721723.stm. Walden, Ian. 2007. Computer Crimes and Digital Investigations. London: Oxford University Press. http://www.stephenmason.eu/pdf/book-review-2008.pdf. Walden, Ian. 2016. Computer Crimes and Digital Investigations (2d ed.). Oxford: Oxford University Press. Walden, Ian. 24–28 Apr. 2017. “Cybersecurity and Cybercrime: New Tools for Better Cyber Protection.” UNTAD e-Commerce Week. Geneva: UNCTAD. http://unctad.org/meetings/en/ Presentation/dtl_eWeek2017p07_IanWalden_en.pdf. Walker, Frank. 2008 (23 Mar. 2008). “How Police Broke Net Pedophile Ring.” Sydney Morning Herald. http://www.smh.com.au/news/national/how-police-broke-net-pedophile- ring/2008/03/22/1205602728709.html. Page 473 | Chapter 10 | Bibliography Table of Contents Walker, Peter & Heather Stewart. 2017 (Posted on 27 Mar. 2017). “No 10 Repeats Rudd’s Call for Authorities to Access Encrypted Messages.” Guardian. https://www.theguardian.com/politics/2017/ mar/27/downing-street-amber-rudd-authorities-access-encrypted-messages-whatsapp-terrorism. Wall, David. 1999. “Cybercrimes: New Wine, No Bottles?” In: Pamela Davies, Peter Francis & Victor Jupp (eds.), Invisible Crimes: Their Victims and their Regulation. New York: Macmillan. Wall, David S. 2001. “Cybercrimes and the Internet.” In: Crime and the Internet edited by David S. Wall, 1 –17. New York: Routledge. Wall, David S. 2007. Cybercrime: The Transformation of Crime in the Information Age. Cambridge: Polity Press. Wall, David S. 2007 (published in 2007, as well as revised in 2010 and 2011). “Policing Cybercrimes: Situating the Public Police in Networks of Security within Cyberspace.” Police Practice & Research: An International Journal: 183 to 205. http://www.cyberdialogue.ca/wp-content/uploads/2011/03/ David-Wall-Policing-CyberCrimes.pdf. Wall, David S. 2008. “Cybercrime, Media and Insecurity: The Shaping of Public Perceptions of Cybercrime.” International Review of Law, Computers and Technology –Crime and Criminal Justice 22 (1-2): 45-63. Wall, David S. 2015. “Cybercrime as a Conduit for Criminal Activity.” In: Information Technology and the Criminal Justice System edited by April Pattavina, 77-98. Beverly Hills, California: Sage Publications. Weber, Amalie M. 2003. “The Council of Europe’s Convention on Cybercrime.” Berkeley Technology Law Journal 18(1): 425-446.http://scholarship.law.berkeley.edu/cgi/viewcontent. cgi?article=1416&context=btlj. Weber, Max. 1946. “Politics as a Vocation.” Max Weber: Essays in Sociology. Oxford: Oxford University Press. http://polisci2.ucsd.edu/foundation/documents/03Weber1918.pdf. Webster, Stephen, et al. 2012. European Online Grooming Project: Final Report. European Online Grooming Project. http://www.europeanonlinegroomingproject.com/media/2076/european-online- grooming-project-final-report.pdf. Weigend, Thomas. 2012. “Section 1: Concept Paper and Questionnaire.” Paper prepared for IAPL’s Preparatory Colloquium Section I for the 20th International Congress of Penal Law on Information Society and Penal Law, “Criminal Law General Part,” Verona, 28-30 November. http://www.penal. org/IMG/pdf/Section_I_EN.pdf. Page 474 | Chapter 10 | Bibliography Table of Contents Weigend, Thomas. 2013. “Section I – Criminal Law General Part. Information Society and Penal Law: General Report.” International Review of Penal Law (Vol. 84): 51-75. http://www.penal.org/spip/IMG/ SECTION%20I%20General%20Report%20EN.pdf. Weil, Michael C. 2002. “Dynamic Time & Date Stamp Analysis.” International Journal of Digital Evidence 1(2). https://www.utica.edu/academic/institutes/ecii/publications/articles/A048B1E4-B921- 1DA3-EB227EE7F61F2053.pdf. Weisser, Bettina. “Cyber Crime—The Information Society and Related Crimes.” Penal. http://www. penal.org/sites/default/files/files/RM-8.pdf. Weisser, Carolin. 2015 (Posted on 4 Nov. 2015). “Eastern African Criminal Justice Network on Cybercrime and Electronic Evidence.” Cybersecurity Capacity Portal, Oxford University. https:// www.sbs.ox.ac.uk/cybersecurity-capacity/content/eastern-african-criminal-justice-network- cybercrime-and-electronic-evidence. Wendt, Rudolf. 2013. “The Principle of ‘Ultima Ratio’ and/or the Principle of Proportionality.” Oñate Socio-Legal Series 3(1): 81 –94. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2200873. Westbrook, Theodore J. 2006. “Owned: Finding a Place for Virtual World Property Rights.” Michigan State Law Review: 779-812 Westby, Jody R. 2003. ABA International Guide to Combating Cybercrime. Chicago: ABA. Whitcomb, Carrie Morgan. 2002. “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View.” International Journal of Digital Evidence 1(1). https://www.utica.edu/academic/ institutes/ecii/publications/articles/9C4E695B-0B78-1059-3432402909E27BB4.pdf. Wigmore, John H. 1904. “The History of the Hearsay Rule.” Harvard Law Review 17, no. 7. Williams, Pete. 2016 (Posted on 25 May 2016). “Guccifer, Hacker Who Says He Breached Clinton Server, Pleads Guilty.” NBC News. http://www.nbcnews.com/news/us-news/guccifer-hacker-who- says-he-breached-clinton-server-pleads-guilty-n580186. Wilson, Clay 2007 (Published in 2007 and Updated in 2008). Botnets, Cybercrime and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress. Washington D.C.:U.S. Department of State. http://www.fas.org/sgp/crs/terror/RL32114.pdf. Winfree, Jr., Thomas, G. Larry Mays & Leanne Fiftal Alarid. 2015. Introduction to Criminal Justice. New York: Wolters Kluwer. Woo, Christopher and Miranda So. 2002. “The Case for Magic Lantern: September 11 Highlights the Need for Increased Surveillance.” Harvard Journal of Law & Technology 15(2): 521 –538. http:// jolt.law.harvard.edu/articles/pdf/v15/15HarvJLTech521.pdf. Page 475 | Chapter 10 | Bibliography Table of Contents Woollacott, Emma. 2016 (Posted on 16 Nov. 2016). “UK Joins Russia and China in Legalizing Bulk Surveillance.” Forbes. https://www.forbes.com/sites/emmawoollacott/2016/11/16/uk-joins-russia- and-china-in-legalizing-bulk-surveillance/#718b3a2b58ca. Woollaston, Victoria. 2017 (Posted on 16 May 2017). “Wanna Decryptor Ransomware Appears to be Spawning and This Time It May Not Have a Kill Switch.” Wired. http://www.wired.co.uk/article/ wanna-decryptor-ransomware. Working to Halt Online Abuse. “U.S. Laws.” Working to Halt Online Abuse. http://www.haltabuse. org/resources/laws/. World Bank. 2014. “Comoros Policy Notes: Accelerating Economic Development in the Union of Comoros.” Washington D.C.: World Bank. World Bank. 2015 (Posted on 8 Jan. 2015). “Brief: Smart Cities.” World Bank. http://www.worldbank. org/en/topic/ict/brief/smart-cities. World Bank. 2016. World Development Report 2016: Digital Dividends. Washington, DC: World Bank. https://openknowledge.worldbank.org/handle/10986/23347. WEF (World Economic Forum). 2016. Recommendations for Public-Private Partnership against Cybercrime. Geneva: WEF. http://www3.weforum.org/docs/WEF_Cybercrime_Principles.pdf. Y Yadron, Danny, Spencer Ackerman and Sam Thielman. 2016 (Posted on 18 Feb. 2016). “Inside the FBI’s Encryption Battle with Apple.” The Guardian. https://www.theguardian.com/technology/2016/ feb/17/inside-the-fbis-encryption-battle-with-apple. Yan, Sophia. & K.J. Kwon. 2014 (Posted on 21 Jan. 2014). “Massive Data Theft Hits 40% of South Koreans.” CNN Tech. http://money.cnn.com/2014/01/21/technology/korea-data-hack/. Yar, Majid. 2005. “The novelty of ‘cybercrime’: An assessment in light of routine activity theory.” European Society of Criminology 2 (4): 407-27. Yonhap. 2015 (Posted on 12 Mar. 2015).“Hacker Demands Money for Information on S. Korean Nuclear Reactors.” Yonhap. http://english.yonhapnews.co.kr/ national/2015/03/12/40/0302000000AEN20150312008051320F.html Page 476 | Chapter 10 | Bibliography Table of Contents Z Zappa, Flavia. 2014. Cyber Crime: Risks for the Economy and Enterprises at the EU and Italian Level. Turin: UNICRI. http://www.unicri.it/in_focus/files/Criminalita_informatica_inglese.pdf. Završnik, Aleš. 2010. “Towards an Overregulated Cyberspace.” Masaryk University Journal of Law & Technology 4(2): 173-190. https://journals.muni.cz/mujlt/article/viewFile/2566/2130. Zetter, Kim. 2011 (Posted on 7 Apr. 2011). “In Surprise Appeal, TJX Hacker Claims U.S. Authorized His Crimes.” Wired. http://www.wired.com/2011/04/gonzalez-plea-withdrawal/. Zetter, Kim. 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Crown Publishers. Zetter, Kim. 2014 (Posted on 28 Jan. 2014). “Coder Behind Notorious Bank-hacking Tool Pleads Guilty.” Wired. http://www.wired.com/2014/01/spy-eye-author-guilty-plea/. Zetter, Kim. 2014 (Posted on 15 Apr. 2014). “Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA,” Wired. https://www.wired.com/2014/04/obama-zero-day/. Zetter, Kim. 2014 (Posted on 3 Nov. 2014). “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/. Zetter, Kim. 2016 (Posted on 8 Apr. 2016). “The Feds’ Battle with Apple Isn’t Over—It Just Moved to New York.” Wired. https://www.wired.com/2016/04/feds-battle-apple-isnt-just-moved-ny/. Zorabedian, John. 2016 (Posted on 18 Jan. 2016). “Ross Ulbricht Appeals Silk Road Conviction—- Did He Get a Fair Trial?” Naked Security. https://nakedsecurity.sophos.com/2016/01/18/ross- ulbricht-appeals-silk-road-conviction-did-he-get-a-fair-trial/. Zuckerberg, Mark. 2013. “Is Connectivity a Human Right?” Facebook. https://www.facebook.com/ isconnectivityahumanright. Page 477 | Chapter 10 | Bibliography Table of Contents Multilateral Instruments Treaties, Directives, Additional Protocols and Resolutions, etc African Union. 2014 (Adopted on 27 Jun. 2014). African Union Convention on Cyber Security and Personal Data Protection. https://www.au.int/web/en/treaties/african-union-convention-cyber- security-and-personal-data-protection. ASEAN (Association of Southeast Asian Nations). 2012. ASEAN Human Rights Declaration. CIS (Commonwealth of Independent States). 2001 (Done on 1 Jun. 2001). Agreement on cooperation among the States members of the Commonwealth of Independent States in Combating Offences related to Computer Information. https://cms.unov.org/ documentrepositoryindexer/GetDocInOriginalFormat.drsx?DocID=5b7de69a-730e-43ce-9623- 9a103f5cabc0. Council of Europe. 1950 (Opened for Signature on 4 Nov. 1950). Convention for the Protection of Human Rights and Fundamental Freedoms (also known as “European Convention on Human Rights”). https://rm.coe.int/CoERMPublicCommonSearchServices/ DisplayDCTMContent?documentId=0900001680063765. Council of Europe. 1957. European Convention on Extradition. Paris, ETS No. 24. https://www.coe. int/en/web/conventions/full-list/-/conventions/treaty/024. Council of Europe. 1981 (Opened for Signature on 28 Jan. 1981). Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. https://rm.coe.int/ CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680078b37. Council of Europe. 2001 (Opened for Signature on 23 Nov. 2001). Convention on Cybercrime. http://conventions.coe.int/treaty/en/treaties/word/185.doc. Council of Europe. 2003 (Opened for signature on 28 Jan. 2003). Additional Protocol to Convention on Cybercrime Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems. http://conventions.coe.int/treaty/en/Treaties/Word/189. doc. Council of Europe. 2007 (Opened for signature on 25 Oct. 2007). Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse. http://www.coe.int/t/dghl/standardsetting/ children/Source/Text_en.doc. Council of Europe.2008. Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime and on the Financing of Terrorism (1 May 2008) CETS No. 198. https://www. coe.int/en/web/conventions/full-list/-/conventions/treaty/198. Page 478 | Chapter 10 | Bibliography Table of Contents Council of Europe. 2009 (Opened for Signature on 18 Jun 2009). Council of Europe Convention on Access to Official Documents. https://rm.coe.int/CoERMPublicCommonSearchServices/ DisplayDCTMContent?documentId=0900001680084826. Council of Europe. 2011. Convention on Preventing and Combating Violence Against Women and Domestic Violence. CETS No. 210. http://www.coe.int/en/web/conventions/full-list/-/conventions/ treaty/210. Council of Europe.2008. Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime and on the Financing of Terrorism (1 May 2008) CETS No. 198. https://www. coe.int/en/web/conventions/full-list/-/conventions/treaty/198. Council of the European Union. 2005. Council Framework Decision 2004/68/JHA of 22 December 2003 on combating the sexual exploitation of children and child pornography. Council of the European Union. 2005. Council Framework Decision 2005/222/JHA of 24 February 2005 on Attacks against Information Systems. http://eur-lex.europa.eu/legal-content/EN/TXT/ PDF/?uri=CELEX:32005F0222&from=EN. ECOWAS (Economic Community of West African States). 1975. Treaty of Economic Community of West African States. http://www.internationaldemocracywatch.org/attachments/351_ecowas%20 treaty%20of%201975.pdf. ECOWAS. 2011 (Done on 19 Aug. 2011). Directive on Fighting Cybercrime within Economic Community of West African States. https://ccdcoe.org/sites/default/files/documents/ECOWAS- 110819-FightingCybercrime.pdf. ECOWAS. Convention A/P.1/7/92 on Mutual Assistance in Criminal Matters. http://documentation. ecowas.int/download/en/legal_documents/protocols/Convention%20on%20Mutual%20 Assistance%20in%20Criminal%20Matters.pdf EU (European Union). 1995. Convention on Simplified Extradition Procedure Member States, Council Act of 10 March 1995, OJ C 78. EU. 1995. EU Council Resolution of 17 Jan. 1995 on the Law Interception of Telecommunications, OJ C 329. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31996G1104. EU. 1996. Joint Action of 29 Nov. 1996 Adopted by the Council on the Basis of Article K.3 of the Treaty on European Union, Concerning the Creation and Maintenance of a Directory of Specialized Competences, Skills, and Expertise in the Fight against International Organized Crime, in Order to Facilitate Law Enforcement Cooperation between the Member States of the European Union, 96/747/JHA. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31996F0747 Page 479 | Chapter 10 | Bibliography Table of Contents EU. Joint Action of 29 Jun. 1998 Adopted by the Council on the Basis of Article K.3 of the Treaty on European Union, on Good Practice in Mutual Legal Assistance in Criminal Matters, OJ L 191.pp. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31998F0427. EU. 1999. Draft Council Act Establishing the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ C 251. http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX%3A51999AG0902(01). EU. 1999. Act of the Management Board of Europol of 15 Oct. 1998 Concerning the Rights and Obligations of Liaison Officers, OJ C 026. http://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=CELEX%3A31999F0130(08). EU. 1999. Act of 12 March 1999 on Adopting the Rules Governing the Transmission of Personal Data by Europol to Third States and Third Bodies, OJ C 088. http://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=CELEX%3A31999F0330. EU. 2000. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (also known as “EU Directive on Electronic Commerce”). http://eur-lex.europa.eu/ legal-content/EN/TXT/PDF/?uri=CELEX:32000L0031&from=en. EU. 2000. “Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union.” http://eur-lex.europa.eu/legal-content/EN/TXT/ HTML/?uri=URISERV:l33108&from=EN EU. 2006. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC (also known as “EU Data Retention Directive”). http://eur-lex. europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF. EU. 2007. Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community. 2007/C 306/01. http://eur-lex.europa.eu/legal-content/EN/ TXT/?uri=uriserv%3Aai0033. EU. 2013. Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on Attacks against Information Systems and Replacing Council Framework Decision 2005/222/JHA. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013L0040&from=EN. League of Arab States. 1994. Arab Charter on Human Rights. League of Arab States. 2010 (Done on 21 Dec. 2010). Arab Convention on Combating Information Technology Offences. https://cms.unov.org/DocumentRepositoryIndexer/GetDocInOriginalFormat. drsx?DocID=3dbe778b-7b3a-4af0-95ce-a8bbd1ecd6dd. Page 480 | Chapter 10 | Bibliography Table of Contents OAS (Organization of American States). 1969 (Opened for Signature on 22 November 1969). American Convention on Human Rights. https://www.oas.org/dil/treaties_B-32_American_ Convention_on_Human_Rights.pdf. OAS General Assembly. (8 Jun. 2004). The Inter-American Integral Strategy to Combat Threats to Cyber Security. AG/RES.2004 (XXXIV-O/04). OAU (Organization of African Unity). 1991. Abuja Treaty Establishing The African Economic Community. http://www.wipo.int/edocs/lexdocs/treaties/en/aec/trt_aec.pdf. OAU. 1981. African Charter on Human and Peoples’ Rights. SADC (Southern African Development Community). 2002. “SADC Protocol on Mutual Legal Assistance in Criminal Matters.” http://www.sadc.int/files/8413/5292/8366/Protocol_on_Mutual_ Legal_Assistance_in_Criminal_Matters_2002.pdf. SCO (Shanghai Cooperation Organization). 2009 (Done on 16 Jun. 2009). Agreement between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security. http://www.ccdcoe.org/sites/default/files/ documents/SCO-090616-IISAgreement.pdf. UN (United Nations). 1966 (Adopted on 10 December 1966). International Covenant on Civil and Political Rights. https://treaties.un.org/doc/Publication/UNTS/Volume%20999/volume-999-I-14668- English.pdf. UN 2000 (Adopted on 25 May 2000). Optional Protocol to the UN Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography. http://www.ohchr.org/ Documents/ProfessionalInterest/crc-sale.pdf. UN Commission on Human Rights. 1999 (Adopted on 26 April 1999). Resolution 1999/36 on Right to freedom of opinion and expression (E/CN.4/1999/L.52). http://www.consilium.europa.eu/uedocs/ cms_data/docs/pressdata/EN/foraff/142549.pdf. UN Economic and Social Council. 2011. Resolution Prevention, Protection and International Cooperation Against the Use of New Information Technologies to Abuse and/or Exploit Children. E/RES/2011/33. http://www.un.org/en/ecosoc/docs/2011/res%202011.33.pdf. UN General Assembly. 1990 (Adopted on 14 December 1990). Resolution 45/121 on the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders (A/ RES/45/121). http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/45/121. UN General Assembly. 1946 (Adopted on 14 December 1946). Resolution 59(l) on the Calling of an International Conference on Freedom of Information [A/RES/59(I)]. http://www.un.org/en/ga/search/ view_doc.asp?symbol=A/RES/59(I). Page 481 | Chapter 10 | Bibliography Table of Contents UN General Assembly. 1948 (Adopted on 10 Dec. 1948). Universal Declaration of Human Rights. http://www.ohchr.org/EN/UDHR/Documents/UDHR_Translations/eng.pdf. UN General Assembly. 1990. “Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, 68th Plenary Meeting.” http://www.un.org/documents/ga/res/45/a45r121. htm. UN General Assembly. 2000. United Nations Millennium Declaration. A/RES/55/2. http://www. un.org/millennium/declaration/ares552e.htm. UN General Assembly. 2013 (Adopted On 18 December 2013). Resolution 68/167 on the Right to Privacy in the Digital Age (A/RES/68/167). http://www.un.org/en/ga/search/view_doc. asp?symbol=A/RES/68/167. UN Special Rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the Media and the OAS Special Rapporteur on Freedom of Expression and the ACHPR Special Rapporteur on Freedom of Expression and Access to Information. 2011 (Adopted on 1 Jun. 2011). International Mechanisms for Promoting Freedom of Expression: Joint Declaration on Freedom of the Media and the Internet. http://www.osce.org/fom/78309?download=true. WTO (World Trade Organization). 1994 (Adopted on 15 Apr. 1994). Agreement on Trade-Related Aspects of Intellectual Property Rights. https://www.wto.org/english/docs_e/legal_e/27-trips.pdf. Page 482 | Chapter 10 | Bibliography Table of Contents This Project was financed by a grant from the Korean Ministry of Strategy and Finance under the Korea-World Bank Group Partnership Facility. The Project team was led by staff of the World Bank, and included the participation of the following organizations: the Council of Europe, the International Association of Penal Law, the International Telecommunication Union, the Korea Supreme Prosecutors Office, the Oxford Cyber-security Capacity Building Centre, the United Nations Conference on Trade & Development, the United Nations Interregional Crime and Justice Research Institute, and the United Nations Office on Drugs & Crime. PARTNERS