Protecting Privacy and Freedom of Communication in the Fight against Cybercrime Southeast Europe Cybersecurity Conference Sofia, Bulgaria 8-9 September 2003 GIPI Global Internet Policy Initiative


Page 1: Protecting Privacy and Freedom of Communication in the Fight against Cybercrime Southeast Europe Cybersecurity Conference Sofia, Bulgaria 8-9 September

Protecting Privacy and Freedom of Communication in the Fight against Cybercrime

Southeast Europe Cybersecurity Conference

Sofia, Bulgaria, 8-9 September 2003

GIPI - Global Internet Policy Initiative

Page 2

Introduction

• Cybersecurity is shared responsibility of gov't, service providers, software and hardware makers, and users (large and small).

• Cybersecurity strategy has many components, including:

– industry standards and best practices

– information sharing (CERTs)

– awareness, education

– R&D

– obligations under civil law (EU Dir., US examples)

– criminal law

Page 3

Cybercrime and Privacy

• Cybercrime law protects privacy by making interception and unauthorized access illegal

• To investigate cybercrime and crimes facilitated by computer, law enforcement agencies need access to:

– content of communications;

– transactional (or traffic) data;

– stored data;

– data identifying subscriber (e.g., name)

Page 4

Privacy Protection

“Protection of privacy is a key policy objective in the European Union. It was recognized as a basic right under Article 8 of the European Convention on human rights. Articles 7 and 8 of the Charter of Fundamental Rights of the EU also provide the right to respect for family and private life, home and communications and personal data.” Communication from the Commission on Network and Information Security (2001)

Page 5

COE Cybercrime Treaty - Art. 15

• “Each party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this section are subject to conditions and safeguards provided for under its domestic law, which shall provide for adequate protection of human rights and liberties … .

• “Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.”

Page 6

OECD Cybersecurity Guidelines

Principle 5:

“Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency.”

Page 7

Elements of Surveillance Law - Real-Time Interception - ECHR

• Standards for interception must be spelled out clearly in legislation, with sufficient precision to protect against arbitrary application.

• Approval should be obtained from an independent official (preferably a judge).

• Only for the investigation of serious offenses.

• Only upon a strong factual showing of reason to believe that the target of the search is engaged in criminal conduct.

• Only when it is shown that other less intrusive techniques will not suffice.

Page 8

Elements of Surveillance Law - 2

• Each surveillance order should cover only specifically designated persons or accounts.

• The rules should be technology neutral – all one-to-one communications should in general be treated the same, whether they involve voice, fax, images or data, wireline or wireless, digital or analog.

• The scope and length of time of the interception should be limited.

• The surveillance should be conducted in such a way as to reduce the intrusion on privacy to the minimum necessary to obtain the needed evidence.

Page 9

Elements of Surveillance Law - 3

• Information seized or intercepted for criminal investigative purposes may not be used for other ends (except national security).

• Summary reports back to the approving judge.

• In criminal investigations, all those who have been the subject of interception should be notified after the investigation concludes, whether or not charges result.

• Personal redress should be provided for violations of the privacy standards.

Page 10

Transactional Data

• Also known as traffic data - connection data, dialed numbers, IP addresses, time, date, duration … .

• Disclosure implicates privacy interests. Malone, ECHR.

• But real-time surveillance may be authorized under a standard lower than that applicable to content interception and for all crimes.

• Internet poses special challenge: drawing line between content and traffic data. COE, Explanatory Report, para. 227.

Page 11

Stored Data

• May be content or traffic data.

• Data stored with user - treated like any other evidence in the home or office and subject to protections accorded written documents.

• Data stored with service provider or other third party - disclosure generally implicates privacy interests.

• Distinction may be drawn between immediate seizure and procedures for delivery to government:

– Immediate seizure usually requires highest form of approval.

– Voluntary disclosures by service providers in some cases.

Page 12

Data Retention

• Should service providers be required to keep traffic data beyond time needed operationally?

• EU law permits but does not require states to adopt data retention laws.

• COE Cybercrime Treaty does not require companies to retain data or modify their systems to facilitate interception.

• US law does not require data retention.

• US law and the COE treaty provide for data preservation upon government request, with disclosure based on appropriate authorization.

Page 13

Encryption

• On balance, strong encryption contributes to security and prevention of crime more than it facilitates crime.

• 1997 OECD Guidelines and 1998 EC report supported availability of encryption.

• US, Canada, Germany, Ireland, France, Belgium, among others have eliminated or loosened restrictions on encryption.

• “The use of encryption technologies … [is] becoming indispensable, particularly with the growth in wireless access.” EC Communication, Creating a Safer Info Society, 2001.

Page 14

Anonymity

• “In order to … enhance the free expression of information and ideas, member states should respect the will of users not to disclose their identity.” COE Declaration, 2003.

• “An increasing variety of authentication mechanisms is required to meet our different needs in the environments in which we interact. In some environments, we may need or wish to remain anonymous.” EC Communication, 2001.

• Balance - see recommendations of Art. 29 Data Protection Working Party.

Page 15

ISP Liability

• “No provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider.” Sec. 230, Communications Act, USA.

• “Providers shall not be responsible for any third-party content to which they only provide access.” Sec. 5(3), Information and Communication Services Act, Germany.

• COE Declaration, 2003: No general obligation to monitor content. No liability for content that ISPs transmit or provide access to.

• EU Directive on e-commerce (2000).

Page 16

ISP Liability under EU Directive

• "Mere conduit" - service provider is not liable.

• "Caching" - service provider is not liable for automatic, intermediate and temporary storage for the sole purpose of efficiency.

• Hosting - service provider not liable if it does not have knowledge, and, upon obtaining knowledge, acts expeditiously to remove or disable access.

• No general obligation to monitor.

• Courts can order injunctions.

• Encourages codes of conduct.

Page 17

Summary

• Privacy and security are two sides of the same coin.

• Cybercrime legislation is one key component of cybersecurity.

• Government will need access to communications and data, subject to procedural safeguards.

• No technical mandates on Internet service providers.

• Network security is the shared responsibility of the gov't and the private sector.

– Gov't protects its own networks, contributes to awareness, info sharing, R&D.

• Balance can be found among industry, privacy and law enforcement interests.

Page 18

More Information

http://www.internetpolicy.net

http://www.cdt.org