cyber crime and security discussion

profilejboss3886
cybercrime_legislation_ev6.pdf

09 /2

01 2

U N

D E

R S

TA N

D IN

G C

Y B

E R

C R

IM E

: P

H E

N O

M E

N A

, C

H A

L L

E N

G E

S A

N D

L E

G A

L R

E S

P O

N S

E

S e p t e m b e r

2 0

1 2

UNDERSTANDING CYBERCRIME: P H E N O M E N A , C H A L L E N G E S A N D L E G A L R E S P O N S E

CYBERCRIME

S e p t e m b e r 2 0 1 2 te l e c o m m u n i c a t i o n D e v e l o p m e n t S e c t o rPrinted in Switzerland

Geneva, 2012

International Telecommunication Union

Telecommunication Development Bureau

Place des Nations

CH-1211 Geneva 20

Switzerland

www.itu. int

Understanding cybercrime: Phenomena, challenges and

legal response

September 2012

The ITU publication Understanding cybercrime: phenomena, challenges and legal response has been prepared by Prof. Dr. Marco Gercke and is a new edition of a report previously entitled Understanding Cybercrime: A Guide for Developing Countries. The author wishes to thank the Infrastructure Enabling Environment and E-Application Department, ITU Telecommunication Development Bureau.

This publication is available online at: www.itu.int/ITU-D/cyb/cybersecurity/legislation.html

 ITU 2012

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Understanding cybercrime: Phenomena, challenges and legal response

i

Table of contents Page

Purpose ......................................................................................................................................... iii

1. Introduction ........................................................................................................................ 1 1.1 Infrastructure and services ............................................................................................... 1 1.2 Advantages and risks ........................................................................................................ 2 1.3 Cybersecurity and cybercrime .......................................................................................... 2 1.4 International dimensions of cybercrime ........................................................................... 3 1.5 Consequences for developing countries ........................................................................... 4

2. The phenomena of cybercrime ............................................................................................ 11 2.1 Definitions ......................................................................................................................... 11 2.2 Typology of cybercrime .................................................................................................... 12 2.3 Development of computer crime and cybercrime ........................................................... 12 2.4 Extent and impact of cybercrime offences ....................................................................... 14 2.5 Offences against the confidentiality, integrity and availability of computer

data and systems .............................................................................................................. 16 2.6 Content-related offences .................................................................................................. 21 2.7 Copyright and trademark related offences ...................................................................... 27 2.8 Computer-related offences .............................................................................................. 29 2.9 Combination offences ....................................................................................................... 33

3. The challenges of fighting cybercrime .................................................................................. 74 3.1 Opportunities .................................................................................................................... 74 3.2 General challenges ............................................................................................................ 75 3.3 Legal challenges ................................................................................................................ 82

4. Anti-cybercrime strategies .................................................................................................. 97 4.1 Cybercrime legislation as an integral part of a cybersecurity strategy ............................ 97 4.2 A cybercrime policy as starting point ............................................................................... 98 4.3 The role of regulators in fighting cybercrime ................................................................... 101

5. Overview of activities of regional and international organizations ....................................... 114 5.1 International approaches ................................................................................................. 114 5.2 Regional approaches ......................................................................................................... 123 5.3 Scientific and independent approaches ........................................................................... 144 5.4 The relationship between regional and international legislative approaches ................. 144 5.5 The relationship between international and national legislative approaches ................. 145

6. Legal response .................................................................................................................... 169 6.1 Definitions ......................................................................................................................... 169 6.2 Substantive criminal law ................................................................................................... 177 6.3 Digital evidence ................................................................................................................ 225 6.4 Justisdiction ...................................................................................................................... 234 6.5 Procedural law .................................................................................................................. 238 6.6 International cooperation ................................................................................................. 266 6.7 Liability of Internet providers ........................................................................................... 280

7. [Keyword Index] .................................................................................................................. Error! Bookmark not de

Understanding cybercrime: Phenomena, challenges and legal response

iii

Purpose The purpose of the ITU report Understanding Cybercrime: Phenomena, Challenges and Legal Response is to assist countries in understanding the legal aspects of cybersecurity and to help harmonize legal frameworks. As such, the report aims to help developing countries better understand the national and international implications of growing cyberthreats, to assess the requirements of existing national, regional and international instruments, and to assist countries in establishing a sound legal foundation.

This report provides a comprehensive overview of the most relevant topics linked to the legal aspects of cybercrime and focuses on the demands of developing countries. Due to the transnational dimension of cybercrime, the legal instruments are the same for developing and developed countries. However, the references used were selected for the benefit of developing countries, in addition to a broad selection of resources provided for a more in-depth study of the different topics. Whenever possible, publicly available sources were used, including many free-of-charge editions of online law journals.

The report contains six main chapters. After an introduction (Chapter 1), it provides an overview of the phenomena of cybercrime (Chapter 2). This includes descriptions of how crimes are committed and explanations of the most widespread cybercrime offences such as hacking, identity theft and denial-of- service attacks. An overview of the challenges is also provided, as they relate to the investigation and prosecution of cybercrime (Chapters 3 and 4). After a summary of some of the activities undertaken by international and regional organizations in the fight against cybercrime (Chapter 5), it continues with an analysis of different legal approaches with regard to substantive criminal law, procedural law, digital evidence, international cooperation and the responsibility of Internet service providers (Chapter 6), including examples of international approaches as well as good-practice examples from national solutions.

This publication addresses the first of the seven strategic goals of the ITU Global Cybersecurity Agenda (GCA), which calls for the elaboration of strategies for the development of cybercrime legislation that is globally applicable and interoperable with existing national and regional legislative measures, as well as addressing the approach to organizing national cybersecurity efforts under ITU-D Study Group 1 Question 22/1. Establishing the appropriate legal infrastructure is an integral component of a national cybersecurity strategy. The related mandate of ITU with regard to capacity building was emphasized by Resolution 130 (Rev. Guadalajara, 2010) of the ITU Plenipotentiary Conference, on Strengthening the role of ITU in building confidence and security in the use of information and communication technologies. The adoption by all countries of appropriate legislation against the misuse of ICTs for criminal or other purposes, including activities intended to affect the integrity of national critical information infrastructures, is central to achieving global cybersecurity. Since threats can originate anywhere around the globe, the challenges are inherently international in scope and require international cooperation, investigative assistance, and common substantive and procedural provisions. Thus, it is important that countries harmonize their legal frameworks to combat cybercrime and facilitate international cooperation.

Disclaimer regarding hyperlinks

The document contains several hundred links to publically available documents. All references were checked at the time the links were added to the footnotes. However, no guarantee can be provided that the up-to-date content of the pages to which the links relate are still the same. Therefore the reference – wherever possible – also includes information about the author or publishing institution, title and if possible year of the publication to enable the reader to search for the document if the linked document is not available anymore.

Understanding cybercrime: Phenomena, challenges and legal response

1

1. Introduction Bibliography (selected): Barney, Prometheus Wired: The Hope for Democracy in the Age of Network Technology, 2001; Comer, Internetworking with TCP/IP – Principles, Protocols and Architecture, 2006; Dutta/De Meyer/Jain/Richter, The Information Society in an Enlarged Europe, 2006; Gercke, The Slow Wake of a Global Approach Against Cybercrime, Computer Law Review International 2006, page 141 et seq.; Hayden, Cybercrime’s impact on Information security, Cybercrime and Security, IA-3; Kellermann, Technology risk checklist, Cybercrime and Security, IIB-2; Masuda, The Information Society as Post-Industrial Society, 1980; Sieber, The Threat of Cybercrime, Organised crime in Europe: the threat of Cybercrime, 2005; Tanebaum, Computer Networks, 2002; Wigert, Varying policy responses to Critical Information Infrastructure Protection (CIIP) in selected countries, Cybercrime and Security, IIB-1; Yang, Miao, ACM International Conference Proceeding Series; Vol. 113; Proceedings of the 7th International Conference on Electronic Commerce, page 52-56; Zittrain, History of Online Gatekeeping, Harvard Journal of Law & Technology, 2006, Vol. 19, No. 2.

1.1 Infrastructure and services

The Internet is one of the fastest-growing areas of technical infrastructure development.1 Today, information and communication technologies (ICTs) are omnipresent and the trend towards digitization is growing. The demand for Internet and computer connectivity has led to the integration of computer technology into products that have usually functioned without it, such as cars and buildings.2 Electricity supply, transportation infrastructure, military services and logistics – virtually all modern services depend on the use of ICTs.3

Although the development of new technologies is focused mainly on meeting consumer demands in western countries, developing countries can also benefit from new technologies.4 With the availability of long-distance wireless communication technologies such as WiMAX5 and computer systems that are now available for less than USD 2006, many more people in developing countries should have easier access to the Internet and related products and services.7

The influence of ICTs on society goes far beyond establishing basic information infrastructure. The availability of ICTs is a foundation for development in the creation, availability and use of network-based services.8 E-mails have displaced traditional letters9; online web representation is nowadays more important for businesses than printed publicity materials;10 and Internet-based communication and phone services are growing faster than landline communications.11

The availability of ICTs and new network-based services offer a number of advantages for society in general, especially for developing countries.

ICT applications, such as e-government, e-commerce, e-education, e-health and e-environment, are seen as enablers for development, as they provide an efficient channel to deliver a wide range of basic services in remote and rural areas. ICT applications can facilitate the achievement of millennium development targets, reducing poverty and improving health and environmental conditions in developing countries. Given the right approach, context and implementation processes, investments in ICT applications and tools can result in productivity and quality improvements. In turn, ICT applications may release technical and human capacity and enable greater access to basic services. In this regard, online identity theft and the act of capturing another person’s credentials and/or personal information via the Internet with the intent to fraudulently reuse it for criminal purposes is now one of the main threats to further deployment of e-government and e-business services.12

The costs of Internet services are often also much lower than comparable services outside the network.13 E-mail services are often available free of charge or cost very little compared to traditional postal services.14 The online encyclopaedia Wikipedia15 can be used free of charge, as can hundreds of online hosting services.16 Lower costs are important, as they enable services to be used by many more users, including people with only limited income. Given the limited financial resources of many people in developing countries, the Internet enables them to use services they may not otherwise have access to outside the network.

Understanding cybercrime: Phenomena, challenges and legal response

2

1.2 Advantages and risks

The introduction of ICTs into many aspects of everyday life has led to the development of the modern concept of the information society. 17 This development of the information society offers great opportunities.18 Unhindered access to information can support democracy, as the flow of information is taken out of the control of state authorities (as has happened, for example, in Eastern Europe and North Africa).19 Technical developments have improved daily life – for example, online banking and shopping, the use of mobile data services and voice over Internet protocol (VoIP) telephony are just some examples of how far the integration of ICTs into our daily lives has advanced.20

However, the growth of the information society is accompanied by new and serious threats.21 Essential services such as water and electricity supply now rely on ICTs.22 Cars, traffic control, elevators, air conditioning and telephones also depend on the smooth functioning of ICTs.23 Attacks against information infrastructure and Internet services now have the potential to harm society in new and critical ways.24

Attacks against information infrastructure and Internet services have already taken place.25 Online fraud and hacking attacks are just some examples of computer-related crimes that are committed on a large scale every day.26 The financial damage caused by cybercrime is reported to be enormous.27 In 2003 alone, malicious software caused damages of up to USD 17 billion.28 By some estimates, revenues from cybercrime exceeded USD 100 billion in 2007, outstripping the illegal trade in drugs for the first time.29 Nearly 60 per cent of businesses in the United States believe that cybercrime is more costly to them than physical crime. 30 These estimates clearly demonstrate the importance of protecting information infrastructures.31

Most of the above-mentioned attacks against computer infrastructure are not necessarily targeting critical infrastructure. However, the malicious software “Stuxnet” that was discovered in 2010 underlines the threat of attacks focusing on critical infrastructure.32 The software, with more than 4 000 functions33, focused on computer systems running software that is typically used to control critical infrastructure.34

1.3 Cybersecurity and cybercrime

Cybercrime and cybersecurity are issues that can hardly be separated in an interconnected environment. The fact that the 2010 UN General Assembly resolution on cybersecurity35 addresses cybercrime as one major challenge underlines this.

Cybersecurity36 plays an important role in the ongoing development of information technology, as well as Internet services. 37 Enhancing cybersecurity and protecting critical information infrastructures are essential to each nation’s security and economic well-being. Making the Internet safer (and protecting Internet users) has become integral to the development of new services as well as government policy.38 Deterring cybercrime is an integral component of a national cybersecurity and critical information infrastructure protection strategy. In particular, this includes the adoption of appropriate legislation against the misuse of ICTs for criminal or other purposes and activities intended to affect the integrity of national critical infrastructures. At the national level, this is a shared responsibility requiring coordinated action related to prevention, preparation, response and recovery from incidents on the part of government authorities, the private sector and citizens. At the regional and international level, this entails cooperation and coordination with relevant partners. The formulation and implementation of a national framework and strategy for cybersecurity thus requires a comprehensive approach.39 Cybersecurity strategies – for example, the development of technical protection systems or the education of users to prevent them from becoming victims of cybercrime – can help to reduce the risk of cybercrime.40 The development and support of cybersecurity strategies are a vital element in the fight against cybercrime.41

The legal, technical and institutional challenges posed by the issue of cybersecurity are global and far- reaching, and can only be addressed through a coherent strategy taking into account the role of different stakeholders and existing initiatives, within a framework of international cooperation.42 In this regard, the World Summit on the Information Society (WSIS)43 recognized the real and significant risks posed by inadequate cybersecurity and the proliferation of cybercrime. The provisions of §§ 108-110 of the WSIS Tunis Agenda for the Information Society44, including the Annex, set out a plan for multistakeholder

Understanding cybercrime: Phenomena, challenges and legal response

3

implementation at the international level of the WSIS Geneva Plan of Action, 45 describing the multistakeholder implementation process according to eleven action lines and allocating responsibilities for facilitating implementation of the different action lines. At WSIS, world leaders and governments designated ITU to facilitate the implementation of WSIS Action Line C5, dedicated to building confidence and security in the use of ICTs.46

In this regard, the ITU Secretary-General launched the Global Cybersecurity Agenda (GCA)47 on 17 May 2007, alongside partners from governments, industry, regional and international organizations, academic and research institutions. The GCA is a global framework for dialogue and international cooperation to coordinate the international response to the growing challenges to cybersecurity and to enhance confidence and security in the information society. It builds on existing work, initiatives and partnerships with the objective of proposing global strategies to address today’s challenges related to building confidence and security in the use of ICTs. Within ITU, the GCA complements existing ITU work programmes by facilitating the implementation of the three ITU Sectors’ cybersecurity activities, within a framework of international cooperation.

The Global Cybersecurity Agenda has seven main strategic goals, built on five work areas: 1) Legal measures; 2) Technical and procedural measures; 3) Organizational structures; 4) Capacity building; and 5) International cooperation.48

The fight against cybercrime needs a comprehensive approach. Given that technical measures alone cannot prevent any crime, it is critical that law-enforcement agencies are allowed to investigate and prosecute cybercrime effectively.49 Among the GCA work areas, “Legal measures” focuses on how to address the legislative challenges posed by criminal activities committed over ICT networks in an internationally compatible manner. “Technical and procedural measures” focuses on key measures to promote adoption of enhanced approaches to improve security and risk management in cyberspace, including accreditation schemes, protocols and standards. “Organizational structures” focuses on the prevention, detection, response to and crisis management of cyberattacks, including the protection of critical information infrastructure systems. “Capacity building” focuses on elaborating strategies for capacity-building mechanisms to raise awareness, transfer know-how and boost cybersecurity on the national policy agenda. Finally, “International cooperation” focuses on international cooperation, dialogue and coordination in dealing with cyberthreats.

The development of adequate legislation and within this approach the development of a cybercrime- related legal framework is an essential part of a cybersecurity strategy. This requires first of all the necessary substantive criminal law provisions to criminalize acts such as computer fraud, illegal access, data interference, copyright violations and child pornography.50 The fact that provisions exist in the criminal code that are applicable to similar acts committed outside the network does not mean that they can be applied to acts committed over the Internet as well.51 Therefore, a thorough analysis of current national laws is vital to identify any possible gaps.52 Apart from substantive criminal law provisions53, the law-enforcement agencies need the necessary tools and instruments to investigate cybercrime.54 Such investigations themselves present a number of challenges.55 Perpetrators can act from nearly any location in the world and take measures to mask their identity.56 The tools and instruments needed to investigate cybercrime can be quite different from those used to investigate ordinary crimes.57

1.4 International dimensions of cybercrime

Cybercrime often has an international dimension.58 E-mails with illegal content often pass through a number of countries during the transfer from sender to recipient, or illegal content is stored outside the country.59 Within cybercrime investigations, close cooperation between the countries involved is very important.60 The existing mutual legal assistance agreements are based on formal, complex and often time-consuming procedures, and in addition often do not cover computer-specific investigations.61 Setting up procedures for quick response to incidents, as well as requests for international cooperation, is therefore vital.62

Understanding cybercrime: Phenomena, challenges and legal response

4

A number of countries base their mutual legal assistance regime on the principle of “dual criminality”.63 Investigations on a global level are generally limited to those crimes that are criminalized in all participating countries. Although there are a number of offences – such as the distribution of child pornography – that can be prosecuted in most jurisdictions, regional differences play an important role.64 One example is other types of illegal content, such as hate speech. The criminalization of illegal content differs in various countries.65 Material that can lawfully be distributed in one country can easily be illegal in another country.66

The computer technology currently in use is basically the same around the world.67 Apart from language issues and power adapters, there is very little difference between the computer systems and cell phones sold in Asia and those sold in Europe. An analogous situation arises in relation to the Internet. Due to standardization, the network protocols used in countries on the African continent are the same as those used in the United States.68 Standardization enables users around the world to access the same services over the Internet.69

The question is what effect the harmonization of global technical standards has on the development of the national criminal law. In terms of illegal content, Internet users can access information from around the world, enabling them to access information available legally abroad that could be illegal in their own country.

Theoretically, developments arising from technical standardization go far beyond the globalization of technology and services and could lead to the harmonization of national laws. However, as shown by the negotiations over the First Protocol to the Council of Europe Convention on Cybercrime (the “Convention on Cybercrime”),70 the principles of national law change much more slowly than technical developments.71

Although the Internet may not recognize border controls, there are means to restrict access to certain information.72 The access provider can generally block certain websites and the service provider that stores a website can prevent access to information for those users on the basis of IP-addresses linked to a certain country (“IP-targeting”).73 Both measures can be circumvented, but are nevertheless instruments that can be used to retain territorial differences in a global network.74 The OpenNet Initiative75 reports that this kind of censorship is practised by about two dozen countries.76

1.5 Consequences for developing countries

Finding response strategies and solutions to the threat of cybercrime is a major challenge, especially for developing countries. A comprehensive anti-cybercrime strategy generally contains technical protection measures, as well as legal instruments.77 The development and implementation of these instruments need time. Technical protection measures are especially cost-intensive.78 Developing countries need to integrate protection measures into the roll-out of the Internet from the beginning, as although this might initially raise the cost of Internet services, the long-term gains in avoiding the costs and damage inflicted by cybercrime are large and far outweigh any initial outlays on technical protection measures and network safeguards.79

The risks associated with weak protection measures could in fact affect developing countries more intensely, due to their less strict safeguards and protection.80 The ability to protect customers, as well as firms, is a fundamental requirement not only for regular businesses, but also for online or Internet-based businesses. In the absence of Internet security, developing countries could encounter significant difficulties promoting e-business and participating in online service industries.

The development of technical measures to promote cybersecurity and proper cybercrime legislation is vital for both developed countries and developing countries. Compared with the costs of grafting safeguards and protection measures onto computer networks at a later date, it is likely that initial measures taken right from the outset will be less expensive. Developing countries need to bring their anti- cybercrime strategies into line with international standards from the outset.81

Understanding cybercrime: Phenomena, challenges and legal response …