‘Prosecuting Cybercrime and Regulating the Web’, at the Current State of Cybercrime and Cyberwar seminar, organised by the MA in Journalism with New Media class, in conjunction with CIT Development Office, Cork Institute of Technology, March 2014
1. Darius Whelan, Faculty of Law, UCC
CIT, March 2014
2. Summary
• Council of Europe Cybercrime Convention
• Extradition
• Forensic examination of computers
• ‘Trojan Horse’ Defence
• Regulability of the Internet
• Aspects of online defamation law
3. • Cybercrime covers:
– Offences where the computer is the target of the offence, e.g. unauthorised access and illegal tampering with systems
– Traditional offences such as theft, fraud and forgery, that are committed by means of computers
• May involve identity theft, phishing, Denial of Service attacks, botnets, malware, possession of child abuse images / child pornography, etc.
5. Cybercrime Convention 2001
• Negotiated and signed by many members of Council of Europe + USA, Canada, Japan, South Africa
• Ratified by 42 states so far, including UK, Denmark, France, Netherlands, Norway, USA, Australia, Japan
• Not yet ratified in Ireland
6. Elements of the Convention
• List of crimes which each country must enact into law
• Requires each participating nation to grant new powers of search and seizure to its law enforcement authorities
• Requires law enforcement in every participating country to assist police from other participating countries by cooperating with “mutual assistance requests” from police in other participating nations “to the widest extent possible”
• Optional Protocol on Hate Speech
7. List of Crimes in Convention (1)
• Illegal access
– covers electronic trespass or hacking
• Illegal interception
– electronic invasion of privacy / burglary; prohibits unauthorised intrusions resulting in the appropriation of data
• Data Interference
• System Interference
– denial of service attacks and dissemination of viruses and other malicious code
8. List of Crimes in Convention (2)
• Misuse of Devices
– production / sale / procurement / importation / distribution of tools to be used in committing the four categories above
• Forgery
• Fraud
• Copyright infringement and related offences
• Child Pornography
9. Copyright - Article 10
• The infringements must occur on a “commercial scale”.
• How large must the copyright infringement be to be considered “commercial”?
• Standard of originality necessary to establish copyright protection varies considerably across jurisdictions
10. 24/7 Network – Article 35
• A network of high tech specialists available 24 hours per day, seven days per week for obtaining both technical and legal advice and assistance
11. • Brief Mentions of Human Rights:
– Article 15 - the powers and procedures exercised under Section 2 [procedural Articles] are subject to conditions and safeguards under domestic laws on human rights and liberties, the ECHR, the United Nations International Covenant on Civil and Political Rights and other applicable international human rights instruments.
– Such safeguards shall incorporate the principle of proportionality.
– Also: a paragraph relating to the right to the protection of personal data in the Preamble
12. Commentary
• Appears to be supported by large corporations, e.g. those concerned about software copyright violations.
• Severely criticised by human rights groups, e.g. because it does not include sufficient privacy or data protection provisions.
• Drafts were also criticised by the Parliamentary Assembly of the Council of Europe and the Art 29 Working Group.
13. • Contrasts with past approach of Council of Europe, which normally has strong human rights protections in its documents, e.g.
– European Convention on Human Rights 1950
– Strasbourg Convention on Data Protection 1981.
• Note for example that states are not obliged to pass laws requiring that computer systems be secure (which is part of the Data Protection regime).
• Such a requirement might help to prevent unauthorised access, and benefit data protection at the same time.
14. • Framework Decision on Attacks on Information Systems (2005)
– Was to be implemented by March 2007
– July 2008: Commission noted that Ireland had not yet implemented the Framework Decision
– Bill on current list of Bills for drafting:
• Criminal Justice (Cybercrime) Bill – “Publication Expected – Not possible to indicate at this stage”
17. Dual Criminality
• Extradition Treaties:
– Normally an activity must be a crime in both the requesting and requested states
18. • ‘Love Bug’ virus incident
– Alleged perpetrator (Onel de Guzman) could not be extradited from Philippines.
– Canadian News Story:
• www.tinyurl.com/LW6560-50
From cbsnews.com
19. • Accused may be extradited when he or she visits another country
– Vladimir Levin case (1994-97)
– Re Levin [1997] UKHL 27; [1997] AC 741
– Attack against Citibank by young Russian
– No extradition treaty
– Visited England for exhibition
– Extradited to USA
– Disks being operated based in USA
From peoples.ru
20. • Julio Cesar Ardita
– 21 year old Argentinian
– 1995 Sniffer re Harvard users
– Accessed Dept of Defense etc.
– Extradition refused to USA – no dual criminality
– But later travelled to USA voluntarily, pleaded guilty to lesser charge
21. “Invita” case - Vasily Gorshkov & Alexy Ivanov
• Russian hackers - Undercover operation – FBI agents posed as reps of security firm ‘Invita’ – invited them to Seattle
• They were then arrested in Seattle (the agents having first recorded their passwords using keyloggers).
• Investigators copied data and preserved it until warrant obtained.
• Afterwards they informed the Russian authorities.
• Hackers argued the remote cross-border search was unconstitutional.
• Court held relevant computers not protected (outside USA, not the property of a U.S. resident)
• No seizure as data remained unaltered.
23. • Digital evidence is intangible
• Also volatile
– When Windows is booted up, this destroys 4 million characters of evidence
• Defence arguments:
– Accused was not author of evidence in question
– Evidence was tampered with
– Unreliability of computer programs created inaccuracies in output, e.g. bugs, defective code
25. • May be long delays in forensic examination of computers due to volume of computers to be examined
• Chain of custody must be maintained
• Risky to allow any access to computer by other witnesses
• Use of standardised forensic practices is advisable, e.g. in UK guidelines from Association of Police officers
26. • Often three images are made of a hard drive:
– Master copy as evidence
– Copy used for analysis by police
– Copy given to accused
27. Sharon Collins Trial 2008
• Conspiracy to Murder
• E-mail evidence central to trial
Image source - sligotoday.ie
30. • Trojan Horse virus / malware: A virus / malware program which presents itself as routine, useful, or interesting in order to persuade victims to install it on their computers. Once installed, it steals or harms system data in some way.
• Trojan Horse Defence
– Accused claims a virus / Trojan horse infected their PC and this was what caused evidence of criminal activity to be on the PC
• Some Other Dude Did It Defence
– Accused claims somebody else engaged in the criminal activity using their PC (e.g. by remotely accessing their PC)
31. Aaron Caffrey Case (2003)
• Aaron Caffrey, aged 19, charged re computer attack on Port of Houston's web-based systems in September 2001.
• Prosecution and defence both agreed attack was launched from Caffrey's home PC, based in the UK.
• Prosecution claimed it was result of misdirected attack by Caffrey against fellow chat-room user.
• Caffrey claimed evidence was planted on his machine by attackers who used an unspecified Trojan horse program to gain control of his PC and launch the assault.
Image source – bbc.co.uk
32. • Forensic examination of Caffrey's PC found attack tools but no trace of Trojan infection.
• Case hinged on whether jury accepted defence argument that Trojan could wipe itself
• Jury decided Caffrey was not guilty of unauthorised computer modifications
33. • Defendants may raise Trojan Horse defence in all sorts of cybercrime cases, inc. cases on possession of child abuse images (child pornography)
• Judge / jury will have to decide whether defence applies on the facts
• Note related “caching” defence – if child abuse images found only in browser cache, did defendant knowingly possess them?
• May depend on his/her level of technical knowledge
36. • Lessig, The Search for a Moose
• http://blip.tv/lessig/the-search-for-a-moose-2131975
37. Art. I, Section 8, clause 8 of U.S. Constitution:
The Congress shall have power … to promote the Progress of
Science and useful Arts, by securing for limited Times to Authors
and Inventors the exclusive Right to their respective Writings and
Discoveries.
38. EU Charter of Fundamental Rights
Article 17
Right to property
1. Everyone has the right to own, use, dispose of and bequeath his or her lawfully acquired possessions. No one may be deprived of his or her possessions, except in the public interest and in the cases and under the conditions provided for by law, subject to fair compensation being paid in good time for their loss. The use of property may be regulated by law in so far as is necessary for the general interest.
2. Intellectual property shall be protected.
47. • Defamation is a civil matter, not criminal
• Criminal libel abolished by Defamation Act 2009
• ‘Libel tourism’ phenomenon – plaintiffs may seek to sue in a country where only a small number of readers viewed the material
48. Hosting Defence
• E-Commerce Directive (Directive 2000/31/EC)
• S.I. No. 68 of 2003
• Article 14 (paraphrased):
• The service provider is not liable for the information, on condition that:
a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information
• This shall not apply when the recipient of the service is acting under the authority or the control of the provider
49. Betfair Case
• Mulvaney v Sporting Exchange (2013)
• Forums / Chatrooms operated by Betfair
• Bookmakers alleged libel by forum members
• Betfair sought to rely on hosting defence
• Clarke J – Betfair could rely on hosting defence (preliminary issue)
• [Gambling exception to Directive did not apply as forums not directly connected to gambling part of site]
51. • Metropolitan International Schools v Designtechnica & Google (2009)
• English case suggesting Google not liable for autocompletes
• However, facts may vary: in some cases, Google may be held to be a publisher of the autocomplete results
52. Image source – Mark Collier - http://www.theopenalgorithm.com/seoleaks/google-in-irish-court/
54. Darius Whelan – d.whelan@ucc.ie
Twitter: @dariuswirl
LLM in Intellectual Property and E Law programme:
www.ucc.ie/en/law-postgrad/taughtprogrammes/
Creative Commons Ireland:
www.creativecommonsireland.org