Prosecuting Cybercrime and Regulating the Web
Darius Whelan, Faculty of Law, UCC
CIT March 2014
Current State of Cybercrime and Cyberwar seminar, organised by the MA in Journalism with New Media class, in conjunction with CIT Development Office, Cork Institute of Technology, March 2014
• Council of Europe Cybercrime Convention
• Extradition
• Forensic examination of computers
• ‘Trojan Horse’ Defence
• Regulability of the Internet
• Aspects of online defamation law
Summary
• Cybercrime covers:
– Offences where the computer is the target of the offence, e.g. unauthorised access and illegal tampering with systems
– Traditional offences such as theft, fraud and forgery, that are committed by means of computers
• May involve identity theft, phishing, Denial of Service attacks, botnets, malware, possession of child abuse images / child pornography, etc.
Cybercrime Convention 2001
• Negotiated and signed by many members of Council of Europe + USA, Canada, Japan, South Africa
• Ratified by 42 states so far, including UK, Denmark, France, Netherlands, Norway, USA, Australia, Japan
• Not yet ratified in Ireland
Elements of the Convention
• List of crimes which each country must enact into law
• Requires each participating nation to grant new powers of search and seizure to its law enforcement authorities
• Requires law enforcement in every participating country to assist police from other participating countries by cooperating with “mutual assistance requests” from police in other participating nations “to the widest extent possible”
• Optional Protocol on Hate Speech
List of Crimes in Convention (1)
• Illegal access
– covers electronic trespass or hacking
• Illegal interception
– electronic invasion of privacy / burglary prohibiting unauthorised intrusions resulting in the appropriation of data
• Data Interference
• System Interference
– denial of service attacks and dissemination of viruses and other malicious codes
List of Crimes in Convention (2)
• Misuse of Devices
– production / sale / procurement / importation / distribution of tools to be used in committing the four categories above
• Forgery
• Fraud
• Copyright infringement and related offences
• Child Pornography
Copyright - Article 10
• The infringements must occur on a “commercial scale”.
• How large must the copyright infringement be to be considered “commercial”?
• Standard of originality necessary to establish copyright protection varies considerably across jurisdictions
24/7 Network – Article 35
• A network of high tech specialists available 24 hours per day, seven days per week for obtaining both technical and legal advice and assistance
• Brief Mentions of Human Rights:
– Article 15 - the powers and procedures exercised under Section 2 [procedural Articles] are subject to conditions and safeguards under domestic laws on human rights and liberties, the ECHR, the United Nations International Covenant on Civil and Political Rights and other applicable international human rights instruments.
– Such safeguards shall incorporate the principle of proportionality.
– Also: a paragraph relating to the right to the protection of personal data in the Preamble
Commentary
• Appears to be supported by large corporations, e.g. those concerned about software copyright violations.
• Severely criticised by human rights groups, e.g. because it does not include sufficient privacy or data protection provisions.
• Also drafts were criticised by the Parliamentary Assembly of the Council of Europe and the Art 29 Working Group.
• Contrasts with past approach of Council of Europe, which normally has strong human rights protections in its documents, e.g.
– European Convention on Human Rights 1950
– Strasbourg Convention on Data Protection 1981.
• Note for example that states are not obliged to pass laws requiring that computer systems be secure (which is part of the Data Protection regime).
• This might help to prevent unauthorised access, and benefit data protection at the same time.
• Framework Decision on Attacks on Information Systems (2005)
– Was to be implemented by March 2007
– July 2008: Commission noted that Ireland had not yet implemented FD
– Bill on current list of Bills for drafting:
• Criminal Justice (Cybercrime) Bill – “Publication Expected – Not possible to indicate at this stage”
Proposed Directive
• New proposal for Directive on Attacks against Information Systems, Sept. 2010
• COM(2010) 517 final
• Extradition Treaties:
– Normally an activity must be a crime in both the requesting and requested states
Dual Criminality
• ‘Love Bug’ virus incident
– Alleged perpetrator (Onel de Guzman) could not be extradited from Philippines.
– Canadian News Story:
• www.tinyurl.com/LW6560-50
• Accused may be extradited when visiting another country
– Vladimir Levin case (1994-97)
– Re Levin [1997] UKHL 27; [1997] AC 741
– Attack against Citibank by young Russian
– No extradition treaty
– Visited England for exhibition
– Extradited to USA
– Disks being operated based in USA
• Julio Cesar Ardita
– 21 year old Argentinian
– 1995 Sniffer re Harvard users
– Accessed Dept of Defense etc.
– Extradition refused to USA – no dual criminality
– But later travelled to USA voluntarily, pleaded guilty to lesser charge
“Invita” case - Vasily Gorshkov & Alexy Ivanov
• Russian hackers - Undercover operation
– FBI agents posed as reps of security firm ‘Invita’
– invited them to Seattle
• Then they were arrested in Seattle (having recorded their passwords first using keyloggers).
• Investigators copied data and preserved it until warrant obtained.
• Afterwards they informed the Russian authorities.
• Hackers argued the remote cross-border search was unconstitutional.
• Court held relevant computers not protected (outside USA, not the property of a U.S. resident)
• No seizure as data remained unaltered.
• Digital evidence is intangible
• Also volatile
– When Windows is booted up, this destroys 4 million characters of evidence
• Defence arguments:
– Accused was not author of evidence in question
– Evidence was tampered with
– Unreliability of computer programs created inaccuracies in output, e.g. bugs, defective code
• May be long delays in forensic examination of computers due to volume of computers to be examined
• Chain of custody must be maintained
• Risky to allow any access to computer by other witnesses
• Use of standardised forensic practices is advisable, e.g. in UK guidelines from Association of Police officers
• Often three images are made of a hard drive:
– Master copy as evidence
– Copy used for analysis by police
– Copy given to accused
Sharon Collins Trial 2008
• Conspiracy to Murder
• E-mail evidence central to trial
• Trojan Horse virus / malware: A virus / malware program which presents itself as routine, useful, or interesting in order to persuade victims to install it on their computers. Once installed, it steals or harms system data in some way.
• Trojan Horse Defence
– Accused claims a virus / Trojan horse infected their PC and this was what caused evidence of criminal activity to be on the PC
• Some Other Dude Did It Defence
– Accused claims somebody else engaged in the criminal activity using their PC (e.g. by remotely accessing their PC)
Aaron Caffrey Case (2003)
• Aaron Caffrey, aged 19, charged re computer attack on Port of Houston's web-based systems in September 2001.
• Prosecution and defence both agreed attack was launched from Caffrey's home PC, based in the UK.
• Prosecution claimed it was result of misdirected attack by Caffrey against fellow chat-room user.
• Caffrey claimed evidence was planted on his machine by attackers who used an unspecified Trojan horse program to gain control of his PC and launch the assault.
• Forensic examination of Caffrey's PC found attack tools but no trace of Trojan infection.
• Case hinged on whether jury accepted defence argument that Trojan could wipe itself
• Jury decided Caffrey was not guilty of unauthorised computer modifications
• Defendants may raise Trojan Horse defence in all sorts of cybercrime cases, inc. cases on possession of child abuse images (child pornography)
• Judge / jury will have to decide whether defence applies on the facts
• Note related “caching” defence – if child abuse images found only in browser cache, did defendant knowingly possess them?
• May depend on his/her level of technical knowledge
Art. I, Section 8, clause 8 of U.S. Constitution:
The Congress shall have power … to promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
EU Charter of Fundamental Rights
Article 17 Right to property
1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest.
2. Intellectual property shall be protected.
• Defamation is civil matter, not criminal
• Criminal libel abolished by Defamation Act 2009
• ‘Libel tourism’ phenomenon – plaintiffs may seek to sue in a country where only a small number of readers viewed the material
Hosting Defence
• E-Commerce Directive (Directive 2000/31/EC)
• S.I. No. 68 of 2003
• Article 14 (paraphrased):
• The service provider is not liable for the information, on condition that:
a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information
• This shall not apply when the recipient of the service is acting under the authority or the control of the provider
Betfair Case
• Mulvaney v Sporting Exchange (2013)
• Forums / Chatrooms operated by Betfair
• Bookmakers alleged libel by forum members
• Betfair sought to rely on hosting defence
• Clarke J – Betfair could rely on hosting defence (preliminary issue)
• [Gambling exception to Directive did not apply as forums not directly connected to gambling part of site]
• Metropolitan International Schools v Designtechnica & Google (2009)
• English case suggesting Google not liable for autocompletes
• However, facts may vary: in some cases, Google may be held to be a publisher of the autocomplete results
Darius Whelan – Twitter: @dariuswirl
LLM in Intellectual Property and E Law programme: www.ucc.ie/en/law-postgrad/taughtprogrammes/
Creative Commons Ireland: www.creativecommonsireland.org