Post on 24-Jun-2020
Cybercrime, digital investigations & cloud computing
Professor Ian Walden, Institute of Computer and Communications Law
Centre for Commercial Law Studies, Queen Mary, University of London
Multi-disciplinary Cooperation for Cyber Security, Legal and Digital Forensics Education Project
December 2014 - March 2016
Introductory remarks
• Cybercrimes
  – Criminalising behaviours
• Digital investigations
  – Computer & device forensics
  – Network forensics
• Investigatory Powers Bill
• Cloud computing
  – Contracts
  – Service level agreements
CYBERCRIMES
Defining cybercrime
• Council of Europe Cybercrime Convention (2001)
  – 'Budapest Convention': some 56 signatories, from Europe & beyond
• Harmonisation of offences & criminal procedure
• Enhance international co-operation
• 'Old wine in new bottles' or 'new wine in no bottles'?
  – Computer-related crimes, e.g. fraud
  – Computer-integrity crimes, e.g. hacking
  – Content-related crimes, e.g. child sexual abuse images
  – Contact-related crimes, e.g. harassment
Computer integrity offences
• Cybercrimes
  – Unauthorised access, e.g. 'hacking'
  – Unauthorised interference, e.g. viruses & malware
  – Unauthorised interception, e.g. 'snooping'
  – Illegal devices
• Criminalizing conduct & fault, not the technology
• Legal analogies & physical reality
• Over-criminalization
• Imposing obligations on (potential) victims
  – Prevention being better than cure ...
'Unauthorised'
• Legal definitions
  – Limits of entitlement
• Implied limits
  – By conduct of perpetrator
  – By conduct of victim, e.g. 'controller' of resource
• Code-based
• Operation of law
  – Public law
    • Jurisdictional limits
  – Private law
    • Employee usage, terms of service, licence conditions
Authorisation
• UK: Computer Misuse Act
  – "entitled to control access of the kind in question to the program or data" (s.17(5))
    • DPP v Bignell (1998)
    • R v Bow Street Magistrates' Court, ex parte Allison (1999) 3 WLR 620
    • DPP v Lennon [2006] All ER (D) 147 (May)
  – Law enforcement: s.10 savings
    • Amendments for access (1994) & interference (2015)
    • CDPA, s.296ZB(3) re: circumvention of technological measures
• US: CFAA, 18 USC §1030(e)(6)
  – "'exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;"
• US v Drew (2009), 259 F.R.D. 449 (C.D. Cal. Aug 28, 2009)
  – "if every such breach does qualify, then there is absolutely no limitation or criteria as to which of the breaches should merit criminal prosecution."
  – So 'void for vagueness', as 'ordinary people ... would not expect criminal penalties ...'
Unauthorised by statements
• Legal nature of the statement
  – Contractual
    • e.g. terms of service in contracts of adhesion
    • Statutory controls may render the agreement invalid: a first issue to be decided upon
  – Directive 13/40/EU, recital 17
    • "contractual obligations or agreements to restrict access to information systems by way of a user policy or terms of service, ... should not incur criminal liability"
Access what?
• Cybercrime Convention
  – Art 1(a) defines 'computer system' (and Art 1(b) 'computer data')
  – "any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;"
• Guidance Note #1, 'On the notion of "computer system" – Article 1.a Budapest Convention on Cybercrime', T-CY(2012)21
  – Directive 13/40/EU
    • Devices, programmes & data (electricity)
  – 'without right'
    • "access, interference, or interception, which is not authorised by the owner or by another right holder of the system or of part of it"
  – Impact of licence breach?
Illegal access
• Mere access: Computer Misuse Act 1990, s.1: "unauthorised access"
  – Elements
    • actus reus: "... causes a computer to perform any function with intent to secure access to any program or data held in any computer"
    • mens rea: intent to secure access & knows at the time of the actus reus that the intended access is unauthorised
  – Case law
    • Sean Cropp (1991): Attorney-General's Reference (No.1 of 1991) [1992] 3 WLR 432
Illegal access +
• 'by infringing security measures'
  – e.g. Germany, Brazil, Switzerland, Finland, Japan
• Information-related
  – e.g. Data Protection Act 1998, s.55: obtaining personal data without the consent of the data controller
• Connected systems
  – Budapest: 'in relation to a computer system that is connected to another computer system'
  – e.g. Japan: 'specific computer ... via a telecommunications line'
• Target or facility-related
  – 18 USC §1030(e)(2): 'protected computer'
Illegal interference
• Integrity
  – Computer Misuse Act 1990, s.3
    • impair the operation of any computer;
    • prevent or hinder access to any program or data held in any computer; or
    • impair the operation of any such program or the reliability of any such data
  – Intention & recklessness (since 2006)
  – From 'unauthorised modification' to 'unauthorised acts'
    • From 'contents of the computer' (internal) to 'in relation to the computer' (external) perspective
  – Denial-of-service attacks ('DDoS')
    • But s.17(6) re: removable data media
Illegal interference +
• Target
  – e.g. 'critical information infrastructure'
  – EU Directive, art.9(4)(c): 'against a critical infrastructure information system'
• Motivation
  – Organised crime
  – EU Directive, art.9(4)(a): 'committed within the framework of a criminal organisation'
  – Terrorism Act 2000: "designed seriously to interfere with or seriously to disrupt an electronic system" (s.1(2)(e))
Illegal interference +
• Harm-related
  – EU Directive, art.9(4)(b): 'serious damage'
  – 2015 amendment to Computer Misuse Act 1990: section 3ZA, 'unauthorised acts causing, or creating risk of, serious damage'
    • Damage of a 'material kind': to human welfare, the environment, the economy or national security, "of any country"
    • 'Human welfare' includes 'disruption of a supply of money, food, water, energy or fuel', 'system of communication', 'facilities for transport' & 'services relating to health'
  – Tariff: 14 years, or life imprisonment (where loss of life or serious injury results)
Illegal interception
• Interception or 'network access'
  – To content (data), not communication attributes
• Data 'in transmission' (-ish)
  – Storage
  – Issues of confidentiality and privacy (relational, not subject matter)
• As criminal conduct
  – Or commercial practice
• As criminal procedure
  – Controlling law enforcement investigations
'Without right'
• Authorisation (positive)
  – of the 'system controller'
    • From criminal to civil liability
    • US: 'owner or operator' of the 'protected computer'
  – of the network users
    • Consent of both parties (UK: RIPA, s.3(1), since 2011)
    • EU data protection law
    • Consent of one party (US: 18 U.S.C. §2511(2)(c)-(d))
  – of law enforcement agencies
    • e.g. warrant
'Without right'
• Lawful excuse (negative)
  – of the service provider
    • Technical need v commercial desire, e.g. spam & malware detection; behavioural targeted advertising
    • RIPA, s.3(3): "for purposes connected with the provision or operation of that service or with the enforcement, in relation to that service, of any enactment relating to the use of postal services or telecommunications services."
    • "in the course of lawful business practice": Directive 02/58/EC, art.5(2)
    • 'Lawful Business Practice' Regulations 2000
Transmissions
• 'in the course of transmission'
  – Intermediate storage
    • RIPA, s.2(7): "... shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it."
  – Edmondson & ors v R [2013] EWCA Crim 1026
• Investigatory Powers Bill, s.3(4): 'relevant time' includes stored data 'whether before or after its transmission'
Illegal interception
• Regulation of Investigatory Powers Act 2000
  – Offences of unauthorised interception
  – 'Public telecommunication systems'
    • Intentional & without lawful authority: s.1(1)
      – 2 yrs imprisonment
      – DPP consent required, but no express public interest defence
      – e.g. CPS & Ofcom (Sky News & the Darwins)
    • Unintentional but without lawful authority: s.1(1A) (2011)
      – Directive 02/58/EC, art.5(1) & recital 21
      – Only applicable to CSPs?
      – Office of the Interception of Communications Commissioner: 'monetary penalty notice' & procedure: £50,000 max.
  – 'Private telecommunication systems'
    • Intentional & without lawful authority: s.1(2)
      – 2 yrs imprisonment
    • Statutory tort: s.1(3)
      – If system controller or has authority of system controller
  – 'System controller'
    • "a person with the right to control the operation or use of the system"
    • Stanford [2006] EWCA Crim 258: "more than merely the right to access or to operate the system. It meant the right to authorise or forbid the operation or the use of the system"
Illegal devices
• Tools designed to facilitate cybercrimes
  – Devices & data
    • e.g. 'zero-day exploits', 'rootkits', 'botnets', 'key-logging' software
    • Lowers the threshold of skill required
• Crime prevention
  – "prohibit specific potentially dangerous acts at the source, preceding the commission of offences" (CCEM, at para. 71)
• 'Malicious marketplace'
  – Organised crime
Legal issues
• Criminalising what?
  – Device & data
• Criminal conduct?
  – Inchoate offences
    • Attempt, conspiracy & incitement
  – Supply & possession
    • Export controls: dual use
• Distinguishing lawful from unlawful
  – Scientific research ...
UK law
• Computer-integrity offences
  – Computer Misuse Act 1990, s.3A (2006 amendment)
    • 'Article' includes "any program or data held in electronic form"
    • 3 offences: (i) supplies with intent; (ii) supplies 'believing that it is likely'; and (iii) obtains intending to use or with a view to supplying
  – Invicta Plastics Ltd v Clare [1976] RTR 251
  – CPS Guidance (requested by Government)
    • Is the article widely available?
    • Is it sold through legitimate channels?
    • Does it have a substantial installation base?
  – Maximum 2 yrs imprisonment