On G8 and Council of Europe Cybercrime Initiatives

Gus Hosein

Presented September 22, 2000

International Forum on Surveillance by Design

 

On G8: History

In 1995, at the Summit meeting in Halifax, Canada, the heads of state of the G7 (Russia had not yet joined) created a Senior Experts Group on Organized Crime, known as the "Lyon Group."

Ministerial Conference on Terrorism, Paris, France, July 30, 1996, Agreement on 25 Measures

11. Accelerate consultations, in appropriate bilateral or multilateral fora, on the use of encryption that allows, when necessary, lawful government access to data and communications in order to, inter alia, prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications.

 

Interpretations...

Foreign Ministers' Progress Report Denver Summit Of The Eight June 21, 1997

EFFECTIVE?

Meeting Of Justice And Interior Ministers, Washington DC, 10 December 1997.

The development of effective solutions will also require unprecedented cooperation between government and industry. It is the industrial sector that is designing, deploying and maintaining these global networks and is primarily responsible for the development of technical standards. Thus, it is incumbent on the industrial sector to play its part in developing and distributing secure systems that, when accompanied by adherence to good computer and personnel security practices, serve to prevent computer abuse. Such systems should also be designed to help detect computer abuse, preserve electronic evidence, and assist in ascertaining the location and identity of criminals.

 

Principles And Action Plan To Combat High-Tech Crime

We hereby endorse the following PRINCIPLES, which should be supported by all countries:

 

Action Plan

In support of these PRINCIPLES, we are directing our officials to:

 

Okinawa Charter on Global Information Society

http://www.g8kyushu-okinawa.go.jp/e/documents/it1.html

What does EFFECTIVE mean?

7. [...] In order to maximise the social and economic benefits of the Information Society, we agree on the following key principles and approaches and commend them to others:

8. International efforts to develop a global information society must be accompanied by co-ordinated action to foster a crime-free and secure cyberspace. We must ensure that effective measures. [...] We will further promote dialogue with industry, building on the success of the recent G8 Paris Conference "A Government/Industry Dialogue on Safety and Confidence in Cyberspace". Urgent security issues such as hacking and viruses also require effective policy responses. [...]

 

CoE

http://conventions.coe.int/treaty/en/projets/cybercrime.htm

Council Of Europe, Committee Of Ministers, Recommendation No. R (95) 13, Of The Committee Of Ministers To Member States Concerning Problems Of Criminal Procedural Law Connected With Information Technology (Adopted by the Committee of Ministers on 11 September 1995 at the 543rd meeting of the Ministers' Deputies).

5. In view of the convergence of information technology and telecommunications, laws pertaining to technical surveillance for the purposes of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability.

6. The law should permit investigating authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes.

8. Criminal procedural laws should be reviewed with a view to making possible the interception of telecommunications and the collection of traffic data in the investigation of serious offences against the confidentiality, integrity and availability of telecommunication or computer systems.

9. ... Provisions should be made for the power to order persons to submit any specified data under their control in a computer system in the form required by the investigating authority.

11. Specific obligations should be imposed on operators of public and private networks that offer telecommunication services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities.

12. Specific obligations should be imposed on service-providers who offer telecommunication services to the public ... to provide information to identify the user, when so ordered by the competent investigating authority.

 

DRAFT CONVENTION

Mandate

"Recent attacks against commercial web-sites, such as Amazon.com, drew international attention to the dangers that the Internet and other computer networks need to face: cyber-criminals and cyber-terrorists threaten business and government interests and may cause colossal damages. Time has come for the Council of Europe to take action, which today released a draft Convention to deal with crime in cyberspace.

"The draft Convention is expected to be finalised by an expert group by December 2000 and the Committee of Ministers could adopt the text and open it for signature as early as September 2001. Given the importance of the subject, non-member States, such as Canada, Japan, South-Africa and the United States, also actively participate in the negotiations."

 

YET STILL IS MISSING KEY COMPONENTS...

Look what it has to say on Interception of Communications...

 

Article 18 - Interception

(under discussion)

 

Article 28 - Interception

[under discussion]

 

WHEREASs and CONVICTIONS ON BALANCE

"Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international co-operation, while ensuring a proper balance between the interests of law enforcement and respect for fundamental human rights."

NEVER TO BE MENTIONED AGAIN.

 

Definitions

THE OLD TRAFFIC DATA CONUNDRUM

d. "traffic data" means:

  1. a code indicating a network, equipment or individual number or account, or similar identifying designator, transmitted to or from any designated point in the chain of communication;
  2. the time, date, size, and duration of a communication;
  3. as to any mode of transmission (including but not limited to mobile transmissions), any information indicating the physical location to or from which a communication is transmitted;

 

SUBSCRIBER DATA: Effective?

a. "subscriber data"(4) means:

NEVER TO BE MENTIONED AGAIN. Requires "effective" authentication perhaps?

 

"Legislative And Other Measures" on...

... to establish as criminal offences under its domestic law when committed intentionally and without right:

a. the production, sale, procurement for use, import, distribution or otherwise making available of:

  1. a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;
  2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;

CERIAS at Purdue University Letter

 

Article 7 - Computer-related Forgery

Article 8 - Computer-related Fraud

Article 9 - Offences related to child pornography

Title 4 - Copyright and related offences

 

Encryption Disclosure?

Article 14 - Search and Seizure of Stored Computer Data

Article 16 - Expedited preservation of data stored in a computer system

Article 17 - Expedited preservation and disclosure of traffic data

 

Mutual Assistance

Article 23 - Procedures pertaining to mutual assistance requests

Article 24 - Provisional measures: Expedited preservation of stored computer data

 

PROTECTIONS?

"The powers and procedures referred to in the present Article shall be subject to conditions and safeguards as provided for under national law."

What is required

Constraints on powers first, then powers; where is the CoE Data Protection?

Respect for civil liberties

Less ambiguous terminology

MLAT analysis

Dropping porn and copyright

Complete Consultation

 

http://conventions.coe.int/treaty/en/projets/cybercrime.htm

http://www.cerias.purdue.edu/homes/spaf/coe/

http://www.privacyinternational.org/issues/cybercrime/

http://is.lse.ac.uk/staff/hosein/cybercrime/ong8andcoe.html