
Law e-lesson plan collection (reference material): The Internet and Crime



United Nations A/CONF.187/10

Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders
Vienna, 10-17 April 2000

Distr.: General
3 February 2000
Original: English

Item 5 of the provisional agenda*
Effective crime prevention: keeping pace with new developments

Crimes related to computer networks

Background paper for the workshop on crimes related to the computer network

Summary

Effectively preventing and combating cyber crime requires a coordinated international approach at different levels. At the domestic level, the investigation of cyber crime requires adequate staff, expertise and procedures. States are encouraged to consider mechanisms that enable the timely and accurate securing of data from computer systems and networks, should data be required as evidence in legal proceedings. At the international level, investigating cyber crime requires timely action, facilitated by coordination between national law enforcement agencies and the enactment of appropriate legal authority.

In addition to and in support of the international initiatives already taken, the present paper considers the means for the exchange of technical and forensic expertise between national law enforcement authorities, as well as the need for international deliberations on present and future legal measures for international cooperation in the investigation of cyber crime.

* A/CONF.187/1.

V.99-90954 (E)


Contents (paragraph numbers in parentheses)

I. Legislative background (1-2)
II. Aim and scope of the paper (3-5)
III. Categories of cyber crime (6-24)
IV. Criminal investigations of cyber crime (25-47)
V. International cooperation among national law enforcement authorities (48-66)
   A. Forms of cooperation and international initiatives (48-54)
   B. Mutual legal assistance and other international treaties (55-66)
VI. Conclusion (67)


I. Legislative background

1. The General Assembly, in its resolution 52/91 of 12 December 1997, decided that one of four workshops to be held at the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders should be on the issue of crimes related to the computer network. The Assembly, in its resolution 53/110 of 9 December 1998, endorsed the programme of work for the Tenth Congress, which included four technical workshops, one of them dealing with crimes related to the computer network. In the resolution, the Assembly emphasized the importance of the workshops and invited Member States, non-governmental organizations and other relevant entities to support financially, organizationally and technically the preparations for the workshops, including the preparation and circulation of relevant background material.

2. In its resolution 54/125 of 17 December 1999, the Assembly encouraged States, other entities concerned and the Secretary-General to work together in order to ensure that the four workshops to be held during the Tenth Congress focus clearly on the respective issues and achieve practical results, and invited interested Governments to follow up with concrete technical cooperation projects or activities. In response to the resolution, the Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders organized two meetings of experts on crimes related to the computer network, at which most of the substantive preparations for the computer crime workshop were made. The Centre for International Crime Prevention acknowledges the efforts of the Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders and the expert group in making this workshop possible.

II. Aim and scope of the paper

3. The emergence of international computer networks, such as the Internet, enables users to engage in communications, actions and transactions with other users all over the world. Since legitimate and illicit use of computers and networks can go hand in hand, it follows that those exploring the opportunities of the new medium include criminally motivated individuals and groups. Crime control in today’s environment of international computer networks is complicated for three major reasons:

(a) Criminal behaviour can take place in an electronic environment. Investigation of cyber crimes, that is, any crime committed in an electronic network, requires particular expertise, investigating procedures and legal powers that may not be available to law enforcement authorities of the State concerned;

(b) International computer networks, such as the Internet, are open environments that enable users to act beyond the borders of the State in which they are located. However, investigative efforts of law enforcement authorities in general should be restricted to the territory of their own State. This means that crime control in open computer networks requires intensified international cooperation;

(c) The open structures of international computer networks offer users the opportunity to choose the legal environment that best suits their purposes. Users may choose a country where certain forms of behaviour capable of being executed in an electronic environment have not been criminalized. This can attract criminal activity by persons from other States where such activities are criminal under their domestic law. The occurrence of “data havens”—States where reducing or preventing the misuse of computer networks is not a priority, or where no effective procedural laws have been developed—may impede the efforts of other countries to control crime in computer networks.

4. The focus of the following discussion is on how to achieve coordinated international action in order to facilitate, enhance and improve current methods of combating cyber crime. Of particular interest is the role that can be played by the United Nations or other international organizations. Background information is provided regarding the workshop on crimes related to the computer network.

5. The following discussion outlines the types of crimes envisaged for international electronic networks and explores why such crimes need international attention and combined efforts. The definition of such crimes should bring a common international understanding and guide national criminal policies in the field.

III. Categories of cyber crime

6. The terms computer systems or computer networks are used in the present paper to refer generally to the electronic environment. Although stand-alone systems still


exist, it is more the norm for one or more computer systems, including personal computers, to be interconnected and form a network. No distinction is made here between private and public networks, or based on whether they have permanent connections. In the present paper, unless stated otherwise, telecommunication systems are grouped in the same category as computer systems and networks.

7. At present, the Internet is a well-known example of a public computer network. It has gone through an explosive growth in the last decade. It owes much of its success to the use of common communication protocols. Any system or network operator who applies such protocols can easily become a link in the network as a “provider”, referred to in the present paper as an Internet service provider. For commercial and technical reasons, the Internet service providers in some countries organize themselves into associations or societies, developing common positions on certain issues.[1] Estimates show that today over 200 million people in the world use the Internet, of whom 112 million are in North America, 47 million in Europe and 33 million in Asia and the Pacific region.[2] At the end of 1995, statistics showed 26 million users, the majority of whom resided in the United States of America. In 1999, the monthly increase in users was estimated at more than 3 per cent.

8. The core function of a computer system is the processing of data. The term data is defined as facts, instructions or concepts represented in a conventional manner, in a form suitable for human understanding or automated processing.[3] Electronic data are represented by a string of magnetic spots on a permanent or temporary storage medium, or in the form of electric charges when being transferred. When data can be identified and controlled by a particular data carrier, such as data stored on a (set of) floppy disks, they can, from a legal point of view, be considered one tangible material object. In general, data processed in a computer system can no longer be qualified and controlled by means of their carrier. Operating systems autonomously move data files from one physical place on a storage medium to another. In computer networks, distributed data processing makes it impossible for those in control of data to establish the physical location of the whole or a part of a file without specific measures. Data as such can be controlled only through logical operations, not physical acts, which makes it difficult to treat pure data, in law, as if they were tangible objects.

9. Cyber crime refers to any crime that can be committed by means of a computer system or network, in a computer system or network or against a computer system or network. In principle, it encompasses any crime capable of being committed in an electronic environment. In this paper, “crime” refers to forms of behaviour generally defined as illegal, or likely to be criminalized within a short period of time. Certain conduct may be criminalized in one State where it is not in others but, as explained in paragraph 13, a common understanding has developed in certain international forums about which behaviour in relation to computer systems and networks should be criminalized. This is the starting point for the following discussion.

10. The focus here is the criminal investigation and prosecution of cyber crime. The designation “law enforcement authorities” refers to those charged by law with the investigation and prosecution of crime. Some Member States have set up specialized units to investigate or assist in the investigation of computer-related crime. Internationally, the International Criminal Police Organization (Interpol) is the coordinating organization for registering and distributing police information that concerns issues such as wanted persons and stolen property.

11. In investigating cyber crime, the law enforcement authorities of a State may seek the cooperation of authorities from other States, both in the form of assistance with specific cases and in the sharing of general information about criminal organizations and cases. They may, in the course of a particular investigation, request the use of materials available in other States. The scope of cooperation among national law enforcement authorities is determined by the national law of each State, as well as by international agreements, including agreements on mutual legal assistance.

12. Common examples of abuse of international computer networks include communicating expressions forbidden by law, offers of illegal products or false offers in order to obtain illegal financial profits. Here, the Internet is being used in the same manner as any other instrument or tool that may be used to commit a crime. The network itself is the environment of the crime, rather than an indispensable attribute for its perpetration. The specific qualities of the Internet may induce a perpetrator to use it instead of traditional means: it offers excellent communication facilities and the possibility of hiding one’s identity, and the risk of being subjected to criminal


investigation, in any of the jurisdictions involved, is relatively low. Apart from the forms of crime mentioned, some Internet users gain illegal access to connected systems, where they interfere with their functioning or content. Such activity has been termed “computer crime”. The perpetrators of computer crime availed themselves of specific technical knowledge, expertise or instruments to carry out illicit activities. Computer systems can be easy targets because sufficient security measures have not been incorporated or taken, or because users are unaware of the risks involved. In addition, factors that make a system user-friendly tend to make it unsecure. Security flaws in commercially successful system software will often be publicly known.

13. While interested countries have considered the problems arising from transnational cyber crime, there has not been much attention paid to it at the global level. The United Nations, for example, has not yet adopted policy specific to the criminalization of cyber crimes; national laws may apply to cyber crimes in a variety of ways, if they apply at all. Reasons for the lack of attention to cyber crime may include relatively low levels of participation in international electronic communications, low levels of law-enforcement experience and low estimations of the damage to society expected to occur from electronic crimes. In global computer networks, the criminal policy of one State has a direct influence on the international community. Cyber criminals may direct their electronic activities through a particular State where that behaviour is not criminal and thus be protected by the law of that country. Even if a State has no particular national interest in criminalizing certain behaviour, it may consider doing so in order to avoid becoming a data haven and isolating itself internationally. The harmonization of substantive criminal law with regard to cyber crimes is essential if international cooperation is to be achieved between law enforcement and the judicial authorities of different States.

14. Two subcategories of cyber crime exist:

(a) Cyber crime in a narrow sense (“computer crime”): any illegal behaviour directed by means of electronic operations that targets the security of computer systems and the data processed by them;

(b) Cyber crime in a broader sense (“computer-related crime”): any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession, offering or distributing information by means of a computer system or network.

15. As defined in the previous paragraph, computer crime concerns all illegal behaviour directed against system and data security by means of electronic operations. Computer systems and data security can be described by three principles: the assurance of confidentiality, integrity or availability of data and processing functions. According to the 1985 Organisation for Economic Cooperation and Development list,[4] and the more elaborate 1989 Council of Europe Recommendation,[5] the confidentiality, integrity or availability offences include:

(a) Unauthorized access, meaning access without right to a computer system or network by infringing security measures;

(b) Damage to computer data or computer programs, meaning the erasure, corruption, deterioration or suppression of computer data or computer programs without right;

(c) Computer sabotage, meaning the input, alteration, erasure or suppression of computer data or computer programs, or interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunication system;

(d) Unauthorized interception, meaning the interception, made without authorization and by technical means, of communications to, from and within a computer system or network;

(e) Computer espionage, meaning the acquisition, disclosure, transfer or use of a commercial secret without authorization or legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an illegal advantage for themselves or a third person.

16. The first crime, unauthorized access, sometimes known as hacking, occurs frequently and often in conjunction with the second, damage to data or computer espionage. A popular modern variant is hacking into a web site and putting offensive or damaging information on it. Effective investigation of hacking offences usually requires cooperation by the victim and some means of catching the perpetrator in the act. Perpetrators are often brilliant young technophiles, who may have little moral understanding of their actions or of the potential to do damage. In addition to hacking offences, some countries have criminalized activities such as trafficking in passwords or hacking devices.

17. Corrupting computer data and programs includes launching “worms” or computer viruses. A worm may eventually cause the computer to stop functioning entirely, while a virus can cause the loss of all data stored in the hard disk. A modern way of distributing viruses is through unsolicited e-mail messages. Internet users may be unaware of the risk connected with open electronic networks and receiving unsolicited messages. For financial reasons, commercially available virus scanning programs may not be applied. Criminal investigators may find it difficult to prove who was responsible for launching a virus that has caused damage. Hackers may also misuse (temporary) security flaws in frequently used system programs and may obtain access to, or (in exceptional cases) control over, the computer systems of others by storing specific program functions in those systems. Internet users may not be adequately informed or up to date about the possible risks and additional security measures offered by system software manufacturers.

18. Computer-related fraud is defined by the Council of Europe (see para. 15 above) as: “The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing, thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or for another person.” This provision refers to the situation where a perpetrator interferes with the proper functioning of the data processing of a computer—with or without right—with the effect specified in the definition of fraud. It does not encompass well-known schemes to defraud people that are carried out by means of electronic representations or communications through the Internet, such as offers for the sale of favourably priced shares; investments in real estate in a foreign State; lending money with an exceptionally high interest return; prepayment of vaguely described goods; or enticement to enter a pyramid scheme. It is likely that traditional fraud provisions will apply to such schemes.

19. Computer forgery is defined by the Council of Europe (see para. 15 above) as: “The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing in a manner or under such conditions which would, according to national law, constitute an offence of forgery if it had been committed with respect to a traditional object of such an offence.” Its purpose is to criminalize forgery with respect to computer data, in a manner functionally equivalent to criminalization of the forgery of conventional documents.

20. Two other types of related crime should be mentioned here. The first concerns a number of forms of deceit in relation to telecommunication services. In such cases, the perpetrator attempts to obtain services without payment by means of technical manipulation of devices or electronic elements of the devices. Such conduct is usually criminalized by means of specific criminal provisions, but it can sometimes be subsumed under the classical provisions for deceit or forgery. The second group relates to the misuse of payment instruments. The perpetrator, by manipulating or forging an electronic banking card, or using false codes, attempts to make an illegal financial gain. This may be covered by specific criminal provisions or by classical fraud and forgery provisions, or amended in the sense described in paragraph 19.

21. Computer-assisted offences include making available, communicating and disseminating certain material, and sometimes merely being in possession of it. Such offences do not require electronic networks; here, networks are used by the perpetrator to increase the effect of the crime and to attempt to elude justice. With regard to content-related offences a distinction should be made between content that is illegal owing to its character or meaning, and content which is not necessarily illegal by itself, but becomes criminal under the circumstances of its distribution. The latter category includes infringement of copyright and sale of forbidden goods or services, such as weapons, drugs, stolen goods, unprescribed medicines and access to gambling facilities. The other category of content-related offences concerns messages that are defamatory, that entice subversion or other illegal activities or are offensive because of their religious or racially discriminatory nature or because of their pornographic nature. The extent to which national legislators have criminalized such behaviour varies considerably. In most cases, the offences have long been part of existing law, raising the question of whether the laws apply to the new electronic environment.

22. There is global agreement in attitudes and rules condemning the distribution of child pornography. International bodies, such as the United Nations Educational, Scientific and Cultural Organization and the European Union, have recommended that countries enact
criminal provisions where the distribution of such material is not already illegal. Many States are preparing or have enacted child pornography laws. National and international police authorities have also given high priority to the investigation of child pornography.

23. As regards offences that involve material relating to the incitement of hate or discrimination, for various reasons, there is less global consensus about whether the criminal laws should be used against expression or distribution. The situation may change as the awareness of the international community is raised about the negative effects of such behaviour.

24. The distribution of illegal materials has caused a discussion about the role and responsibilities of Internet service providers. Apart from a few legislative initiatives to define and to delineate the duties of care of providers, there is a tendency, internationally as well as nationally, to give Internet service providers a legal status similar to that of traditional telecom operators. This means that Internet providers generally have no legal obligation to monitor or possibly block traffic that is transferred by means of their computer systems. Nevertheless, an Internet service provider generally is required to take all reasonable steps to prevent further distribution of illegal material once aware of its nature.6 Other aspects of the application of domestic law to Internet service providers may also be unclear. This includes the extent of possible civil liability for the transmission of illegal content, and the extent to which an Internet service provider has an obligation to cooperate with law enforcement authorities by providing information for a particular criminal investigation or other assistance.

IV. Criminal investigations of cyber crime

25. As stated, cyber crime can be any crime committed by electronic means, or committed in part or entirely in an electronic environment. Criminal investigations in an electronic environment are directed against such crimes. Other crimes, however, can also leave traces or evidence in the electronic environment. Criminal investigations in electronic environments will therefore not be limited to cyber crime in the sense used in the previous chapter, but will encompass the investigation of any crime for which (potential) evidence needs to be secured in an electronic environment.

26. Criminal investigations in an electronic environment require technical expertise, appropriate procedures and sufficient legal authority. The 1989 and 1995 Recommendations of the Council of Europe (R (1989) 9 and R (95) 13) stressed the need for national law enforcement authorities to deploy specialized computer crime units. These units should be adequately staffed and provided with appropriate equipment and software tools. Training programmes should ensure the availability of trained personnel with up-to-date technical knowledge. Many States have already created computer crime units of this kind. A number have produced manuals with technical, forensic and procedural instructions on how an investigation should be carried out to reduce loss of evidence and to secure its admissibility in court.

27. Some national police units “patrol” the Internet and specific software tools have been developed to detect crimes such as hacking or distributing child pornography. The European Union partly funded the development by Swedish police of software to trace child pornography (see ). Given the enormous amount of information available in international computer networks, the development of software tools such as those based on pattern recognition seems indispensable.

28. There are two methods of obtaining data from a computer system, based on technical and legal criteria. In the first, data are obtained as part of a search of premises or the place where the system is located. The second involves the interception or monitoring of data transmitted from, to or within the system. Legal powers for searching premises are not discussed here. It is assumed that the legal powers will encompass the authority to search a computer system at a given location. Interception may be done by technical means from the outside of a system or by means of elements incorporated within the system for that purpose.

29. Generally, traditional criminal procedural law provides for the seizure and freezing of entire computer systems, as it provides for any other evidence. Where this is not feasible, however, there may not be adequate legal powers to investigate the content of a computer system against the will of the right holder(s). The seizure of an entire computer system may not be technically feasible, or it may be disproportionate owing to a multi-user environment and a multi-user interest in the data content. Attempts to secure data for particular investigations may find traditional powers insufficient owing to: (a) problems related to obtaining access to the computer system; (b) the
intangible nature of data; and (c) the fact that data may be stored in a connected system, located outside the premises searched.

30. If a computer system is found at searched premises, the law generally permits law enforcement authorities to gain access to it and inspect its content. This will be possible if the system is already running, the person concerned opens it voluntarily or a means of access is found on the premises. When none of these circumstances occurs, the question is whether the law provides the right to enable law enforcement authorities to gain access to the system against the will of the individual concerned.

31. Computer systems, programs or data files may be secured in order to prevent unauthorized access. Access is then usually gained by identification and authentication procedures, whereby the user provides a password—manually, embedded in a chip card, or both—or has to allow the checking of biometrical marks. Security of data usually involves encryption, which provides for authentication and protects confidentiality, and which involves the use of an encryption algorithm and one or more keys. It raises the serious risk that, without the voluntary assistance of the system keeper or the entitled person, no access will be obtained to the computer system or the data being sought. Some laws, therefore, require system keepers to allow access to the system or the data, punishing non-compliance by using contempt of court rules. Such laws may not apply where a system operator is also the suspect of the crime, however, because this would violate rules or principles against self-incrimination. Individuals who have other legal reasons not to cooperate, such as being related to the suspect or those who have professional obligations to keep secrets, may also be exempt. In some cases, if there is no one present to whom an order to assist can be given, any other person (usually an external expert) may be ordered to assist. Allowing mere access to the data may not be sufficient if it is encrypted. In such cases, laws may compel further cooperation to transform the data into a readable format.

32. Data as such are intangible, so traditional powers of seizure generally do not apply. In the course of a criminal investigation, tangible objects will either be seized and taken away, or measures will be taken to ensure that no one except the investigating authorities can dispose of the objects. With data, it is usually sufficient to make a copy. Additional steps are required, however, where data are hazardous, illegal or valuable, or where there is a possibility of further harm to victims or to the investigation. To deal with this, laws may provide powers allowing the investigating authority to erase data or prevent their further use. To protect the data, copying may be required in order to restore them to their original state when ordered by a judge. If the person concerned complains about the copying and further use of the data, the law could require the issue of an official statement about the data taken.

33. The search of a computer system will generally take place as part of a search of premises or places. The legal power to search is usually limited to the physical boundaries of the searched place. A computer network may not be located in one single place, but be connected with other parts of the network by means of fixed or switched communication lines. The question in such cases is whether the law allows searches in connected systems, when the systems are not located at the premises searched. Without an extended search, there is a risk that the data will be deleted before an additional search warrant can be obtained for the place where the data are physically located. In large networks, it may be practically impossible to establish the precise physical location of the data.

34. The following outlines the legal basis for an authority to conduct an extensive search. The person who resides at the premises to be searched is entitled to gain access to the connected computer system and to use its functions and storage capacity. He or she can control the data without the necessity of going elsewhere. When searched, this person is put under a legal obligation to submit to a search of the premises that are physically under his or her control. It can be argued that the same rules should apply to the data that the person in question has factual access to, even though they may be located elsewhere. It would follow that the scope of such an extended search would be limited to activities that the person in question is authorized to undertake with regard to the connected system and data, and that the individual’s rights are not infringed to any greater degree than permitted by the basic search. It would be possible to restrict such powers to investigations of serious crimes or to cases where immediate action is required in order to prevent the loss of evidence, or both. Other limitations might apply when the connected system or data sought is located in a foreign jurisdiction (see para. 59 below).

35. The searching and selection of data in a computer system raises a number of additional legal problems. The first is how specific the judicial order needs to be about the nature and format of the data sought in order to be lawful.
National laws may impose different restricting conditions here. In addition, the faithful and precise execution of the judicial order may take a disproportionate amount of time, leading law enforcement authorities to make a copy of as much data as seems relevant for later analysis. National laws may or may not allow such a practice. Another important question is whether the person concerned should be informed about the data that are copied and taken away, how much detailed information should be provided and whether he or she should have a right to challenge the seizure legally. A further problem arises if data are under privilege or other legal protection. The question is how to identify and protect such data in cases where authorities copy large amounts of data for later examination.

36. In addition, it should be noted that data are of a volatile nature. They can be easily moved, erased or altered without clear traces remaining. Distributed data processing is not the only factor that makes data volatile. Electronic data processing involves the processing of large amounts of data of an ephemeral nature that are subject to erasure as soon as they are no longer necessary. Examples of such data are log files and communication traffic data. Without knowledge of the “original” data set (if the term has any meaning in data processing), it is difficult to detect manipulations, and restoring deleted files will be impossible unless underlying back-up information was kept. The nature of data raises problems when physical searches are involved:

(a) The search for data, electronically stored or being transferred, in most cases needs to be carried out quickly and in a timely manner in order to prevent interference with the search or tampering with the data;

(b) Special precautions need to be taken in order to enable data to be presented as evidence in court. The integrity of the data must be established from the point of downloading or copying from the searched computer system to use in court.

37. The technical and legal distinctions between the seizure of stored data and the interception of data flowing through the network have also become blurred. Data are processed by means of a computer system, sometimes described as an automated data-processing device. Data processing includes input, transfer to peripheral equipment (e.g. video screen) and intermediate storage media, actual processing, transmission of the results to peripheral devices for storage and output or further transmission to other system components. Intercepting data in a computer system generally comes down to the search for stored data, to be carried out by making use of system functions or specific computer programs. Searching for data in transmission can be done by system facilities (monitoring), if provided for, or by technically intercepting the data flow somewhere in the transmission facilities. Since data are in many cases both stored and in transmission, or move frequently from one status to the other, it will often be possible for investigators to choose between seizure and interception to obtain the same data. This may raise legal concerns, because the standards or safeguards which apply to the interception of communications and the seizure of stored materials are not the same in many States. The interception of data in transmission is often subject to a stricter standard because interception is a covert operation, it may target data that did not exist when the search was authorized or when it commenced and, in most cases, the parties concerned would not be aware of the interception and might not be informed of it, if at all, until long after it had taken place. The fact that network data can be either seized or intercepted may erode the rights of suspects in some cases, since it would allow law enforcement to apply less restrictive legal search powers to some operations that were more in the nature of interceptions.

38. Electronic data, copied from data files or registered from data flows, usually demand special precautions and measures in order to serve as evidence in court, if they may be used as such at all. In many justice systems, the principle of immediateness, that is, that all evidence should be presented in court, requires that the evidential material meet a very high standard. Some countries may have formal requirements that impede or prevent the use of electronic data as evidence. Some laws require that the material be in writing so that it can be read in court, for example. In some countries, data representing sound or images would not meet this condition and would therefore not be admissible. Any doubt about the reliability of evidential material will also generally make it inadmissible. Since electronic data can easily be modified without leaving traces, this puts a heavy burden on law enforcement authorities to gather such evidence according to transparent and secure procedures that enable them to establish its authenticity. To verify authenticity, the court must be able to review the reliability of the process of copying and registering the evidence from the original data carrier or data channel. It must also be able to test the validity of (a) the preservation procedure and security of the preservation itself; (b) any analysis of the material; and (c) whether the material presented in court matches the material originally seized and secured.
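Added example, not part of the original paper: one way to make the three tests in paragraph 38 checkable is a hash-chained custody record, sketched here in Python. The record layout, function names, actors and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first custody record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Hash every field except the digest itself, as canonical (sorted-key) JSON.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def append_entry(log, action, actor, when, evidence: bytes, note=""):
    """Add a record that commits to the evidence bytes and to the previous record."""
    entry = {
        "seq": len(log), "action": action, "actor": actor, "when": when,
        "evidence_sha256": sha256_hex(evidence), "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_chain(log) -> bool:
    """(a) Preservation record: no entry edited, removed from the middle or reordered."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if entry["entry_hash"] != entry_digest(entry):
            return False
        prev = entry["entry_hash"]
    return True


def steps_on_original(log) -> bool:
    """(b) Analysis: every later step was recorded against the bytes acquired."""
    return bool(log) and all(
        e["evidence_sha256"] == log[0]["evidence_sha256"] for e in log)


def matches_seized(log, presented: bytes) -> bool:
    """(c) Presentation: the exhibit is bit-for-bit what was acquired."""
    if not log or log[0]["action"] != "acquired" or not verify_chain(log):
        return False
    return sha256_hex(presented) == log[0]["evidence_sha256"]


# Constructed sample data, not taken from any real case.
SAMPLE_IMAGE = b"constructed sample: bytes copied from the searched system"


def build_sample_log():
    log = []
    append_entry(log, "acquired", "officer-A", "2000-01-01T10:00:00Z", SAMPLE_IMAGE)
    append_entry(log, "analysed", "examiner-B", "2000-01-02T09:00:00Z", SAMPLE_IMAGE,
                 note="keyword search on a working copy")
    append_entry(log, "presented", "clerk-C", "2000-03-01T14:00:00Z", SAMPLE_IMAGE)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log), steps_on_original(log), matches_seized(log, SAMPLE_IMAGE))
    print("head hash to record outside the log:", log[-1]["entry_hash"])
```

The chain only detects edits relative to a head hash kept outside the log (for instance written into the seizure report at the time); a log that is rewritten from the first entry onward verifies on its own, so that external copy is what a reviewer compares against.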

39. In addition to conventional powers to search premises, many national legal systems allow courts to make production orders for tangible objects. In some cases, parallel powers to order the production of specified data may also be provided. Such powers may be subject to restrictions and specific conditions that do not apply to conventional production orders, to prevent them from being used as a means to obtain information other than that specified. Without such controls, for example, an order could oblige an individual to collect, process or select any other kind of data that is not stored and under his or her control. Such an obligation would exceed the scope and meaning of a production order. When seeking and using production orders, it may be useful for law enforcement to include the log files of a computer system along with other data being sought. Such files register all transactions on the system in chronological order, recording information about such things as times, durations and terminals from which data were accessed or altered.

40. Under the traditional laws of many countries, it is possible for a judicial or other authority to order the interception and recording of telecommunications in public networks. Some countries have extended that authority to private networks, to specific new forms of telecommunications such as mobile systems or satellite communication systems and to computer networks. The rationale behind such legislative measures is that if communications can be intercepted in one network and not in another, criminals will use the system with the lowest risk of interception by law enforcement authorities. The lawful interception of specified communications requires particular technical facilities, including a clear legal basis for the installation of the facilities and the prompt execution of a judicial order to intercept.

41. To identify the communications to be intercepted and the persons engaged in an intercepted communication, the cooperation of operators of networks, such as telecom operators and Internet service providers, is indispensable. Only such operators have the necessary subscriber information. Where appropriate, national law may impose a legal obligation on operators and providers to give subscriber data promptly when so ordered by the competent authorities. Clear legal obligations of this kind should also protect individuals and companies from civil liability to their subscribers.

42. Telecom operators and Internet service providers usually have traffic data from past communications, generated by equipment that records details including the time, duration and date of any communication, the parties involved and the type of service or activity. (See the parallel to the example of the log file of a computer system in paragraph 37 above.) Such data are generally kept for a limited period of time, depending on the commercial needs of the operator or provider and legal (in the European Union) or commercial requirements for privacy protection. Many national laws allow law enforcement authorities or judicial authorities to order the collection of traffic data of future communications. In cases where traffic data is part of the communication, such as the “header information” of e-mail messages, however, the collection of such traffic data may be considered an interception of the communication itself and subject to legal restrictions on that basis. In other cases, the collection of traffic data without intercepting the contents of the communication itself may be deemed less intrusive to the privacy of those concerned and therefore subject to a lower legal threshold.

43. Cases of hacking or electronic intrusion raise a particular need for the prompt interception of an electronic communication, as well as prompt availability of traffic and subscriber data in order to track down the source of the communication, preserve the data and eventually catch the perpetrator in the act for evidential reasons. If criminalized, hacking may not be considered under some laws a crime serious enough to justify the application of interception measures. Generally, a hacking scheme involves other more serious acts than can be established at the time of detection of hacker activities. This may be seen as another reason to allow interception for electronic intrusion cases.

44. Interception of electronic communications may be hampered by the fact that the communication is encrypted. Encryption is used to allow the authentication of a message, identifying the sender and establishing the integrity of the message. A second function of encryption is to ensure the confidentiality of the message (by protecting it from third persons). Possible cryptography policies have been the subject of recent debate in a number of international organizations. Those interested in facilitating law enforcement and crime control are concerned about difficulties in gaining legal access to encrypted data, while those concerned about privacy and commercial interests want cryptography to protect personal and commercial information.

45. Much of the debate is beyond the scope of the present paper, but two specific issues do warrant consideration here. Some cryptography-producing countries have
