Section of Science and Technology Law - American Bar Association

INTERNATIONAL CYBERCRIME PROJECT of the ABA PRIVACY AND COMPUTER CRIME COMMITTEE, Computer Law Division of the Science & Technology Law Section Committee Co-Chairs: Charles L. Mudd Paul Coggins Committee Vice Chair: Jody R. Westby Project Chair: Jody R. Westby Scope of Project and Timeframe The International Cybercrime Project will extend the work of the G-8 and other industrialized nations regarding cybercrime to developing countries with the goal of promoting: Enactment of cybercrime laws Cooperation with national and international law enforcement and Internet Service Providers (ISPs) Cooperation regarding jurisdictional issues Acceptable practices for search and seizure of computers and electronic data (not legal standards, but practical approaches that are effective yet balanced). The goal of the project is to publish an "International Guide to Cybercrime Prevention, Detection and Investigation," with the final draft completed by the 2002 ABA Annual Meeting to be held August 8-14, 2002 in Washington, D.C. The report will be designed to: Step developing countries through the key issues of cybercrime Explain the importance of these issues to their future development Provide guidance on the need for balanced and fair cybercrime laws and international cooperation with law enforcement and ISPs Explain the need for public/private cooperation on cybercrime and information/infrastructure security breaches Provide guidance on the search and seizure of computers and data. The report will include (a) a compilation of U.S. and EU cybercrime laws and regulations, a summary of each, and a link to the statute, regulation or directive, (b) a discussion of jurisdictional issues related to the detection and investigation of cybercrime, (c) a guide to cooperating with national and international law enforcement and ISPs, (d) a discussion on search and seizure of computers and electronic data, with a link to U.S. and international search and seizure guides, and (e) a guide on establishing effective public/private sector cooperation on these issues. The work of the project will: Help advance legal frameworks around the globe Assist industrialized nations investigate cybercrimes Help prevent cybercrime (including organized crime, terrorist, and money laundering activities) Help promote public-private cooperation in developing countries Help promote foreign direct investment (FDI) and high-tech opportunities in developing countries. Participants In addition to ABA Privacy and Computer Crime Committee members, it is expected that the following entities will participate in an unofficial and informal capacity in the work of the committee: U.S. Department of Justice's Computer Crime and Intellectual Property Division Federal Bureau of Investigation U.S. Custom's Cybersmuggling Center U.S. Secret Service E-crimes Division Interpol National Fraud Center American Association for the Advancement of Science Georgia Institute of Technology's Information Security Center and Sam Nunn School of International Affairs Center for Democracy & Technology Electronic Privacy Information Center Background In the future, the impact of IT -- and the opportunities for IT -- will be most dramatic outside the United States. Today, there are over 300 million people connected to the Internet worldwide -- an increase of almost 80% since 1999 -- and for the first time, the U.S. and Canada account for less than 50% of the connected population. Still, this is less than 5% of a world population of 6 billion, with 90% of these Internet users located in the developed world. The G-8, UNDP, World Bank Group, and USAID are each committed to connect people and use technology to meet their development challenges. IT and e-commerce can be utilized in numerous ways to address social and economic challenges -- but the legal and regulatory frameworks are often the first hurdle. Developing countries hold unprecedented opportunities to use IT to progress toward market economies, democratic governments, and industrialized states. These opportunities include: Attracting foreign direct investment to build infrastructure, launch IT projects and related companies, partner with donor organizations and governments on pilot projects, and tap undeveloped markets. Privatizing and liberalizing monopoly providers to introduce competition, lower prices, and advance the deployment and utilization of IT. Attracting "backroom" data processing applications such as data entry, customer service and telemarketing, records processing (accounts receivable, accounts payable, general ledger, etc.), order entry, inventory control, databank development, etc. Attracting Internet start-up companies and e-commerce operations. Developing telemedicine and health care centers. Using IT for distance learning, education, unemployment databases and workforce skills. Using IT for agri-business and agricultural information and industry sector support. Attracting light manufacturing operations. Modernizing the financial sector. Fostering the growth of small and medium enterprises to spur job creation, innovation and flexibility. Reforming and automating court administration and case management and availability of judicial information. Each of these opportunities, however, is dependent upon the development of the legal and regulatory framework to support these activities. Cybercrime and IT security are two of the most important legal and regulatory considerations. Lack of an adequate legal framework -- especially with respect to information and infrastructure security and computer crime -- will diminish or prevent developing countries from grasping these opportunities. The reasons are clear: Backroom data processing requires information and infrastructure security laws for a safe operating environment and protection of data. Internet and e-commerce require a legal framework that supports these operations and provides for security of data and networks. Companies will not allow their data to be processed in countries that do not have adequate legal protections against economic espionage, computer crime, infrastructure attacks, and misuse of telecommunications devices and equipment. Privacy and data protection laws are equally important. The legal framework is one of the most important factors because it touches upon all aspects of commerce, is critical to attracting investment, and is at the core of business operations. The term "legal framework" also includes public policy. In fact, policies are a critical component because they form the underlying foundation of government support for IT and a favorable business environment. Why Security Laws and Regulations are Important The confidentiality, integrity, and availability of data and networks -- including critical infrastructure -- is central to attracting FDI and IT operations to developing countries. Appropriate security laws and regulations are also important because: They protect the integrity of the government and reputation of the country. They help preclude a country from becoming a haven for bad actors, including terrorist actions using/attacking IT systems. They help prevent a country from becoming a repository for cyber-criminal data. They instill market confidence and certainty regarding business operations and attract foreign direct investment. They provide protection of classified, secret, confidential and proprietary information, criminal justice data, personal information, and protected public data. They protect consumers and assist law enforcement and intelligence gathering activities. They deter corruption. They increase national security and reduce vulnerabilities from terrorists and other rogue actors. They help protect corporations against risk of loss of market share, shareholder and class action lawsuits, damage to reputation, fraud, and civil and criminal fines and penalties. They provide a means of prosecution and civil action for acts against information and infrastructure. Security and cybercrime laws are also important to citizens because they help reinforce and protect their freedom of expression, human rights, and legal rights that are secured in international law. The privacy of personal, confidential, and proprietary information is ranked as the top concern of citizens globally. Cybercrime laws also enhance statutory and constitutional rights, such as rights to privacy and protections against search and seizure and self-incrimination. Additionally, they strengthen consumer confidence against fraud. Consumer confidence is essential for successful e-commerce operations. Each of the industrialized countries has its own laws pertaining to IT security and computer crime. The U.S. has one of the most fully developed bodies of cybercrime laws and has been a global leader in this arena. Developing countries in line for accession into the European Union, of course, should closely monitor EU developments and harmonize their cybercrime laws accordingly. In December 2000, the EU announced that it is preparing cybercrime recommendations, including proposed legislation and enforcement cooperation. The Council of Europe recently adopted their long-debated Cybercrime Convention. It is important that governments issue guidelines for searching and seizing computers -- for the benefit of citizens and law enforcement alike. The U.S. government published Federal Guidelines for Searching and Seizing Computers as a multi-agency effort to provide guidance on the ways in which searching a computer is different from traditional searches and seizures. It lists a computer system's components, sets forth general principals regarding search warrants, exigent circumstances, and drafting the warrant, discusses seizing hardware and transporting it, searching for information and understanding where it might be found, provides information on expert assistance, discusses relevant laws, and sets forth post-search procedures. The International Association of Chiefs of Police and the U.S. Secret Service have also published Best Practices for Seizing Electronic Evidence. Along these lines, it is also important for governments to provide citizens and businesses information regarding how to report Internet-related crimes. The United States recently established the Internet Fraud Complaint Center to serve as a central reporting point and repository for Internet fraud cases. The Importance of Public/Private Cooperation Combating cybercrime and protecting data and networks requires unprecedented public/private sector cooperation. It also requires extraordinary cooperation within the private sector. This cooperation raises unique considerations for legal and regulatory frameworks. The key roles for the private sector are: Taking adequate measures to protect private sector networks and critical infrastructure; Cooperation with government agencies; Sharing information regarding security breaches; Taking the lead on improving security practices and technologies for a more secure Internet; and Raising awareness and educating employees, citizens, and children regarding cyberethics. One of the best mechanisms for prevention and response to information and infrastructure breaches is an emergency response center. The Computer Emergency Response Team ("CERT") located at Carnegie Mellon University in the United States is a premier example of an effective central communication point. CERT operates as a central response and assistance point to citizens, businesses, and governments. It operates around-the-clock and provides assistance about intrusions, threats, fixes, etc. Other private sector information sharing and analysis centers ("ISACs") operate to assist member companies regarding infrastructure intrusions. Frequently, ISACs operate within an industry sector. For example, the U.S. financial industry sector was one of the first to establish an ISAC to share information to help prevent security breaches. In 1998, the U.S. government established the National Infrastructure Protection Center to serve as the central focal point for threat assessment, warning, investigation, and response to threats or attacks to critical infrastructure. It serves as the U.S. government's coordinating mechanism for responding to incidents, investigating intrusions and threats, and monitoring restitution efforts. It is electronically linked to other operation centers, including some private sector ISACs. It coordinates and conducts an outreach and information sharing program with the private sector, called InfraGard. The NIPC is located within the FBI and has been active internationally in establishing cooperation and assistance with foreign governments on information/infrastructure issues. The very nature of ISAC operations, however, raise legal framework considerations. These include public access to information shared with governments and antitrust issues. International Coordination and Assistance International coordination and cooperation are as important as the legal and regulatory framework. While nation states still have borders, cyberspace does not and jurisdictional issues loom over numerous e-commerce issues. Cybercrime presents one of the most complex and exigent circumstances for international cooperation. For example, an e-mail sent to a colleague across town may be routed via packet switching through China, Argentina, and South Africa before reaching the recipient's inbox. Cybercriminals can intentionally "weave" their communications through several carriers and countries before attacking a network or system. Likewise, a cyberstalker can route his communication through several jurisdictions before reaching the victim. A child pornographer can hide his identity and route materials over networks of multiple countries before reaching the intended recipients. Someone can also commit a cybercrime against persons in several countries. The point is that a cybercriminal does not have to leave his own home -- or cross a national boundary -- to commit an act in several countries around the globe. His communications may be routed through local phone companies, long distance carriers, Internet Service Providers, and wireless and satellite networks and may go through computers located in several countries before attacking targeted systems around the globe. Evidence of the cybercrime may even be stored on a computer in a different country from where the criminal executed the act. Law enforcement, however, is stopped at the borders of nation states and must go through proper legal channels to receive assistance in cybercrime investigations -- which is often dependent upon the skill levels of law enforcement in that country. Assistance is also dependent upon that country's legal system. Foreign assistance may be needed even if the act is local. Frequently, communications may pass through several countries, requiring law enforcement to seek international assistance just to find out the perpetrator is a local person. Recent examples of the need for international cooperation and assistance include: Officers in Wales, working in coordination with the FBI, arrested two persons for intrusion into e-commerce sites and theft of information pertaining to 26,000 credit cards. Losses were estimated to be as high as $3 million. In developing the case, the FBI worked closely with the Dyfed-Powys Police Service in Britain, the Royal Canadian Mounted Police in Canada, and private industry and involved seven FBI field offices, the U.S. Legal Attache in London, and the National Infrastructure Protection Center. A hacker in the U.S. recently pled guilty to illegally accessing computers belonging to the U.S. Postal Service, the State of Texas, the Canadian Department of Defense, and a publishing company located in the U.S. State of Wisconsin. The conviction of the hacker was the result of a joint investigation involving the Texas Department of Public Safety, the Royal Canadian Mounted Police, the Canadian Forces National Investigative Service, and the U.S. Postal Service Office of the Inspector General. While it is important for developing countries to have cybercrime laws in place, it is equally important that countries have the legal authority to assist foreign countries in an investigation, even if the country at issue has not suffered any damage itself and is merely the location of the intruder or a pass-through site. "Inadequate regimes for international legal assistance and extradition can therefore, in effect, shield criminals from law enforcement: criminals can go unpunished in one country, while they thwart the efforts of other countries to protect their citizens." International legal assistance for subpoenas, interviewing witnesses, producing documents, and search and seizures can be requested through: Mutual Legal Assistance Treaties ("MLATs") If no MLAT is in existence between the two countries, then through domestic mutual assistance laws and practices, which include letters rogatory (a letter of assistance from one country's judicial authority to that of another country). Sometimes, MLATS or domestic legal assistance laws require dual criminality, that is, that the crime for which information is being sought by the requesting country also be a crime in the country from which information is requested and punishable by at least one year in prison. For example, in 1992 the U.S. government sought help from Switzerland regarding hackers from Switzerland who attacked the San Diego Supercomputer Center. The investigation was thwarted, however, because of Switzerland required dual criminality and it did not have similar laws making the hacking criminal conduct. The need for multinational agreement on legal assistance for investigations and prosecutions regarding cybercrimes is clear. Trails of electronic communications are scattered across a globe in different time zones and multiple jurisdictions with differing legal systems and levels of technical skills. The need for coordinated, around-the-clock assistance regarding cybercrimes is pressing. The Internet is now connected to over 200 countries. Investigation of a single communication may require multiple court orders and legal assistance with several countries -- when time is of the essence. G-8 Initiatives In December 1997, the G-8 Meeting of Justice and Interior Ministers, responded to increased international movement and use of IT by criminals, organized crime, and terrorists. The Ministers noted: National laws apply to the Internet and other global networks. But while the enactment and enforcement of criminal laws have been, and remain, a national responsibility, the nature of modern communications networks makes it impossible for any country acting alone to address this emerging high-tech crime problem. A common approach addressing the unique, borderless nature of global networks is needed and must have several distinct components. Each country must have in place domestic laws that ensure that the improper use of computer networks is appropriately criminalized and that evidence of high-crimes can be preserved and collected in a timely fashion. Countries must also ensure that a sufficient number of technically-literate, appropriately-equipped personnel are available to address high-tech crimes. Such domestic efforts must be complemented by a new level of international cooperation since global networks facilitate the commission of transborder offenses. Therefore, consistent with the principles of sovereignty and the protection of human rights, democratic freedoms and privacy, nations must be able to collect and exchange information internationally, especially within the short time frame so often required when investigating international high-tech crimes. The G-8 Ministers agreed to ten "Principles to Combat High-Tech Crime" and an "Action Plan to Combat High-Tech Crime." They pledged to review annually the implementation at the national level of these legal assistance measures. The Heads of the G-8 nations subsequently endorsed the Principles and Action Plan. A G-8 24/7 Point of Contact Newark was established, requiring countries to designate a 24 hour, 7 days per week Point of Contact to provide assistance with cybercrimes. Around 20 countries are currently participating in the program. Additionally, a G-8 high-tech experts group was also formed. They have begun to work on options for improving locating and identifying cybercriminals and undertake such issues as data retention and preservation, tracing, user authentication, and international cooperation. More recently, at the July 2000 Okinawa Summit, the Okinawa Charter on Global Information Society strongly endorsed international cooperation and coordination regarding cybercrime: International efforts to develop a global information society must be accompanied by coordinated action to foster a crime-free and secure cyberspace. We must ensure that effective measures, as set out in the OECD Guidelines for Security of Information Systems, are put in place to fight cyber-crime. . . .Urgent security issues such as hacking and viruses also require effective policy responses. We will continue to engage industry and other stakeholders to protect critical information infrastructures. Conclusion Industrialized nations have only recently begun to address these issues, but their efforts -- and the fruits of their initiatives -- will necessarily be limited because the globally connected network also includes 180 developing countries. Effective global communications and e-commerce and the advancement of the developing world are dependent upon effective legal and regulatory frameworks in all countries, global cooperation, and accepted principles for search and seizure of computers and data. The ABA Privacy and Computer Crime Committee believes this project will advance all of these goals and, in so doing, help bridge the digital divide and bring unprecedented investment and economic opportunity to the 4 billion people living in developing countries.