Prosecuting Cybercrime and Regulating the Web

Darius Whelan, Faculty of Law, UCC CIT March 2014 Prosecuting Cybercrime and Regulating the Web Current State of Cybercrime and Cyberwar seminar, organised by the MA in Journalism with New Media class, in conjunction with CIT Development Office, Cork Institute of Technology, March 2014


Outline

• Council of Europe Cybercrime Convention
• Extradition
• Forensic examination of computers
• ‘Trojan Horse’ Defence
• Regulability of the Internet
• Aspects of online defamation law


Summary

• Cybercrime covers:
  – Offences where the computer is the target of the offence, e.g. unauthorised access and illegal tampering with systems
  – Traditional offences such as theft, fraud and forgery, that are committed by means of computers
• May involve identity theft, phishing, Denial of Service attacks, botnets, malware, possession of child abuse images / child pornography, etc.


Council of Europe Cybercrime Convention


Cybercrime Convention 2001

• Negotiated and signed by many members of Council of Europe + USA, Canada, Japan, South Africa

• Ratified by 42 states so far, including UK, Denmark, France, Netherlands, Norway, USA, Australia, Japan

• Not yet ratified in Ireland


Elements of the Convention

• List of crimes which each country must enact into law

• Requires each participating nation to grant new powers of search and seizure to its law enforcement authorities

• Requires law enforcement in every participating country to assist police from other participating countries by cooperating with “mutual assistance requests” from police in other participating nations “to the widest extent possible”

• Optional Protocol on Hate Speech


List of Crimes in Convention (1)

• Illegal access
  – covers electronic trespass or hacking
• Illegal interception
  – electronic invasion of privacy / burglary prohibiting unauthorised intrusions resulting in the appropriation of data
• Data Interference
• System Interference
  – denial of service attacks and dissemination of viruses and other malicious code


List of Crimes in Convention (2)

• Misuse of Devices
  – production / sale / procurement / importation / distribution of tools to be used in committing the four categories above
• Forgery
• Fraud
• Copyright infringement and related offences
• Child Pornography


Copyright - Article 10

• The infringements must occur on a “commercial scale”.

• How large must the copyright infringement be to be considered “commercial”?

• Standard of originality necessary to establish copyright protection varies considerably across jurisdictions


24/7 Network – Article 35

• A network of high tech specialists available 24 hours per day, seven days per week for obtaining both technical and legal advice and assistance


• Brief Mentions of Human Rights:
  – Article 15 – the powers and procedures exercised under Section 2 [procedural Articles] are subject to conditions and safeguards under domestic laws on human rights and liberties, the ECHR, the United Nations International Covenant on Civil and Political Rights and other applicable international human rights instruments.
  – Such safeguards shall incorporate the principle of proportionality.
  – Also: a paragraph relating to the right to the protection of personal data in the Preamble


Commentary

• Appears to be supported by large corporations, e.g. those concerned about software copyright violations.

• Severely criticised by human rights groups, e.g. because it does not include sufficient privacy or data protection provisions.

• Also drafts were criticised by the Parliamentary Assembly of the Council of Europe and the Art 29 Working Group.


• Contrasts with past approach of Council of Europe, which normally has strong human rights protections in its documents, e.g.
  – European Convention on Human Rights 1950
  – Strasbourg Convention on Data Protection 1981
• Note for example that states are not obliged to pass laws requiring that computer systems be secure (which is part of the Data Protection regime).
• Such an obligation might help to prevent unauthorised access, and benefit data protection at the same time.


• Framework Decision on Attacks on Information Systems (2005)
  – Was to be implemented by March 2007
  – July 2008: Commission noted that Ireland had not yet implemented the Framework Decision
  – Bill on current list of Bills for drafting:
    • Criminal Justice (Cybercrime) Bill – “Publication Expected – Not possible to indicate at this stage”

Proposed Directive

• New proposal for Directive on Attacks against Information Systems, Sept. 2010
• COM(2010) 517 final


Extradition

• Extradition Treaties:
  – Normally an activity must be a crime in both the requesting and requested states

Dual Criminality


• ‘Love Bug’ virus incident
  – Alleged perpetrator (Onel de Guzman) could not be extradited from the Philippines.
  – Canadian News Story: www.tinyurl.com/LW6560-50

Image source – cbsnews.com

• Accused may be extradited when visiting another country
  – Vladimir Levin case (1994-97)
  – Re Levin [1997] UKHL 27; [1997] AC 741
  – Attack against Citibank by young Russian
  – No extradition treaty
  – Visited England for exhibition
  – Extradited to USA
  – Disks being operated were based in USA

Image source – peoples.ru

• Julio Cesar Ardita
  – 21 year old Argentinian
  – 1995: sniffer re Harvard users
  – Accessed Dept of Defense etc.
  – Extradition to USA refused – no dual criminality
  – But later travelled to USA voluntarily, pleaded guilty to lesser charge

“Invita” case – Vasily Gorshkov & Alexey Ivanov

• Russian hackers – undercover operation
  – FBI agents posed as reps of security firm ‘Invita’ – invited them to Seattle
• Then they were arrested in Seattle (having had their passwords recorded first using keyloggers).
• Investigators copied data and preserved it until a warrant was obtained.
• Afterwards they informed the Russian authorities.
• Hackers argued the remote cross-border search was unconstitutional.
• Court held relevant computers not protected (outside USA, not the property of a U.S. resident)
• No seizure as data remained unaltered.

Forensic Examination of Computers


• Digital evidence is intangible
• Also volatile
  – When Windows is booted up, this destroys 4 million characters of evidence
• Defence arguments:
  – Accused was not author of evidence in question
  – Evidence was tampered with
  – Unreliability of computer programs created inaccuracies in output, e.g. bugs, defective code

Image source – Pilipinas Anti-Piracy Team

• May be long delays in forensic examination of computers due to volume of computers to be examined
• Chain of custody must be maintained
• Risky to allow any access to computer by other witnesses
• Use of standardised forensic practices is advisable, e.g. in UK guidelines from Association of Police Officers

• Often three images are made of a hard drive:
  – Master copy as evidence
  – Copy used for analysis by police
  – Copy given to accused

Sharon Collins Trial 2008

• Conspiracy to Murder
• E-mail evidence central to trial

Image source – sligotoday.ie

Trojan Horse Defence


Image source – goodreads.com

• Trojan Horse virus / malware: a virus / malware program which presents itself as routine, useful, or interesting in order to persuade victims to install it on their computers. Once installed, it steals or harms system data in some way.
• Trojan Horse Defence
  – Accused claims a virus / Trojan horse infected their PC and this was what caused evidence of criminal activity to be on the PC
• Some Other Dude Did It Defence
  – Accused claims somebody else engaged in the criminal activity using their PC (e.g. by remotely accessing their PC)

Aaron Caffrey Case (2003)

• Aaron Caffrey, aged 19, charged re computer attack on Port of Houston's web-based systems in September 2001.

• Prosecution and defence both agreed attack was launched from Caffrey's home PC, based in the UK.

• Prosecution claimed it was result of misdirected attack by Caffrey against fellow chat-room user.

• Caffrey claimed evidence was planted on his machine by attackers who used an unspecified Trojan horse program to gain control of his PC and launch the assault.

Image source – bbc.co.uk


• Forensic examination of Caffrey's PC found attack tools but no trace of Trojan infection.

• Case hinged on whether jury accepted defence argument that Trojan could wipe itself

• Jury decided Caffrey was not guilty of unauthorised computer modifications

• Defendants may raise Trojan Horse defence in all sorts of cybercrime cases, inc. cases on possession of child abuse images (child pornography)

• Judge / jury will have to decide whether defence applies on the facts

• Note related “caching” defence – if child abuse images found only in browser cache, did defendant knowingly possess them?

• May depend on his/her level of technical knowledge


Regulability of the Internet

Lawrence Lessig

Image source – Rootstrikers on vimeo.com

• Lessig, The Search for a Moose
  – http://blip.tv/lessig/the-search-for-a-moose-2131975

Art. I, Section 8, clause 8 of U.S. Constitution:

The Congress shall have power … to promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

EU Charter of Fundamental Rights

Article 17 – Right to property

1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest.

2. Intellectual property shall be protected.

Wikimedia Commons - http://en.wikipedia.org/wiki/File:Wikipedia_Blackout_Screen.jpg

Image source – Lessig, Free Culture

Source – New York Times. Image – Lucas Jackson, Reuters

Cartoon by Paul Conrad. Copyright Tribune Media Services Inc. Included in Lessig, Free Culture


Aspects of Online Defamation Law

• Defamation is a civil matter, not criminal
• Criminal libel abolished by Defamation Act 2009
• ‘Libel tourism’ phenomenon – plaintiffs may seek to sue in a country where only a small number of readers viewed the material

Hosting Defence

• E-Commerce Directive (Directive 2000/31/EC)
• S.I. No. 68 of 2003
• Article 14 (paraphrased):
  – The service provider is not liable for the information, on condition that:
    a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
    b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information
  – This shall not apply when the recipient of the service is acting under the authority or the control of the provider

Betfair Case

• Mulvaney v Sporting Exchange (2013)
• Forums / chatrooms operated by Betfair
• Bookmakers alleged libel by forum members
• Betfair sought to rely on hosting defence
• Clarke J – Betfair could rely on hosting defence (preliminary issue)
• [Gambling exception to Directive did not apply as forums not directly connected to gambling part of site]

Autocompletes


• Metropolitan International Schools v Designtechnica & Google (2009)
• English case suggesting Google not liable for autocompletes
• However, facts may vary: in some cases, Google may be held to be a publisher of the autocomplete results

Image source – Mark Collier – http://www.theopenalgorithm.com/seoleaks/google-in-irish-court/

Darius Whelan – [email protected] Twitter: @dariuswirl

LLM in Intellectual Property and E Law programme: www.ucc.ie/en/law-postgrad/taughtprogrammes/

Creative Commons Ireland: www.creativecommonsireland.org
