Are International Cybercrime Laws a Hopeless Fantasy?

First and foremost, he correctly observes that current digital forensic techniques are limited to “local-to-the-network forensics and have little effect in the black box, heavily virtualized & sandboxed cloud environment.” He is absolutely accurate that the focal point of present-day forensics is the known physical device of the identifiable computer or network, not the nearly untraceable morass of cloud computing.

But more importantly, even if law enforcement could possess the most advanced tools and techniques in hand to adequately attack cloud-based cybercrime, they will, however, have virtually little effect if the laws are not in place to legally utilize these tools and techniques. As Gillen notes, “cloud computing introduces an ease of cross-border crime that presents unique challenges to the existing laws.”

A Decade-Old First Time Event

The need for an international response to cybercrime's ability to completely disregard traditional jurisdictional boundaries in advancing criminal activity has not gone completely unnoticed. A decade ago, the Council of Europe (COE) instituted the Convention on Cybercrime (COC), which is to date “the first and only treaty to deal with breaches of law 'over the Internet and other information networks.'” http://bit.ly/rMCADU. The COC attempts to level the playing field and create a uniform method, from one country to the next, by which law enforcement can acquire evidence of crime occurring in cyberspace.

The text of the treaty acknowledges the presence of specific criminal activity occurring over computer networks requiring international uniformity of legislation to attack effectively, particularly computer-related forgery, computer-related fraud, offenses related to child pornography, offenses related to infringements of copyright and related rights, and various offenses against the confidentially, integrity and availability of computer data and systems, such as illegal access, illegal interception, data interference, system interference, and misuse of data. See, “Convention on Cybercrime,” http://bit.ly/rH3hJM.

Beyond the recognition of several substantive cybercrimes, the COC also lays out a series of procedural goals to be met by the signatory nations. The procedural provisions are to govern, inter alia, such activities as:

• The expedited preservation of stored content of communications and the transmission data that accompanies such communications;
• The identification of authorized parties to acquire such stored information and the creation of procedures, such as “production orders,” that direct how such information will be acquired;
• Procedures for the authorized parties actually to go about conducting the searching and seizing of such information;
• The creation of procedures by computer network service providers to allow the real-time capturing of the contents of communications and the transmission data related to those communications (a sort of global Communications Assistance for Law Enforcement Act (CALEA), for those familiar with that piece of American legislation); and
• The establishment of procedures to facilitate how such acquired information and data will be transferred to law enforcement from one jurisdiction to the next.

On Nov. 23, 2001, the treaty was signed by 26 of the 47 COE member states and four non-member states (Canada, Japan, South Africa, and the United States). As of late November of last year, 17 additional member states had signed.

Ratification Not Universal

Signing a treaty, however, is only one step in the process ' a step that means little without ratification. As of late November, of the 43 member states that signed the COC, 12 have yet to ratify it (Armenia, Azerbaijan, Belgium, the Czech Republic, Georgia, Greece, Ireland, Latvia, Liechtenstein, Luxembourg, Poland, Sweden, and Turkey). Of the four non-member states that have signed, only the legislature of the United States has ratified, which happened with little public fanfare on Sept. 29, 2006. (To view the most updated listing of countries that have signed the COC and have ratified the treaty, go to http://bit.ly/w5fxMX.)

Incidentally, the COC requirements have generated neither the creation of new laws in this country nor the amendment of any existing laws, which is possibly the reason why U.S. involvement in the treaty process has gone unnoticed. The same cannot be said for other countries.

Recent Objections

Why is a 10-year-old treaty of any particular relevance today? Because over the past few months a couple of prominent countries that have yet to ratify the COC have suffered significant public debate over the need to comply.

The governments of Canada and Australia ' both non-COE-member signers ' have encountered objections from their constituents on substantially the same grounds. The concern revolves around the ability of law enforcement, particularly those of foreign countries, to perform certain activities without the use of prior judicial approval or oversight for the purpose of either securing data maintained by online services or to learn the identities of citizens involved in online activities.

More specifically, some Canadians and Australians fear two procedures rather commonly used in the U.S. for many years for the securing of data stored by online services:

1. The acquisition of subscriber information (name, address, phone number, Internet protocol address, length of Internet connection, etc.) through the use of administrative or grand jury subpoenas; and
2. The submission of law enforcement-generated preservation letters to online services to preserve stored data until a search warrant or other appropriate legal process can be secured. Also cited as objectionable is the requirement that online providers must develop the means to allow law enforcement to eavesdrop on communications when authorized by a proper legal process.

The Canadian statutes were most recently introduced by its parliament in 2010, the session prior to its current one. See, “Investigative Powers for the 21st Century Act,” Bill C-51 of 2010 at http://bit.ly/uFhLJV, and “Investigating and Preventing Criminal Electronic Communications Act,” Bill C-52 of 2010 at http://bit.ly/vlWJ0w. The proposed laws were sufficiently abhorrent to certain members of the media, the scholastic community, and various privacy organizations, that a letter objecting to the legislation was signed by 24 such individuals and organizations and sent to the prime minister. See, http://bit.ly/rzDMzv. Although the Canadian legislation was not passed in 2010, news reports over last summer and fall have expressed considerable concern that the same statutes will be part of an upcoming crime legislation package. See, “Lawful Access Bills Likely to Be Reintroduced in the Fall,” Coalition Against Unsolicited Commercial E-mail (CAUCE), http://bit.ly/tqed4O, and, “(Un)Lawful Access: Wiring Canada's Networks for Control,” Mediamorphis, http://bit.ly/sbTe7l.

Australia's bill is currently undergoing legislative consideration. See, Cybercrime Legislation Amendment Bill 2011, http://bit.ly/sHsvJp. It has faced similar public condemnation. See, “Dangerous Cybercrime Treaty Pushes Surveillance and Secrecy Worldwide,” activepolitic.com, http://bit.ly/w11Z3N.

Pros and Cons

Proponents of the treaty make the obvious assertion that there is much to gain in the fight against global cybercrime, and particular, such terrorist-driven criminal activity, when numerous countries share a common and familiar method of acquiring critical evidence. Additionally, the COC documents specific criminal activity commonly occurring in cyberspace, bringing an awareness of and a required response to such illegal conduct to several countries that may not be addressing such problems on their own individually absent this treaty.

COC opponents not only express the expected fear of loss of privacy and other personal freedoms, but also raise even darker concerns: They claim this is an exploitation of anti-terrorist mania to justify the spread of the United States' Patriot Act-driven paranoia to its typical gang of allies throughout Western Europe and other American-friendly countries.

Regardless of the positions taken by these proponents and opponents, the greatest deficiency of the treaty is that it does very little to address the root causes of global cybercrime and cyber-warfare. The countries in which the majority of cybercriminals reside ' those who are the most responsible for massive amounts of cyber-espionage, identity theft, and the damage done daily to critical data and computer networks ' not only have not signed the treaty, they are not even members of the COE, nor have they shown any willingness to ever get involved in a unified solution to the issues attempted to be addressed by the COC.

Conclusion

The Internet and connected computer networks have touched a vast majority of the world's landscape. These networks have played, and will continue to play, a major role in the daily financial and personal lives of those in countries both friendly and antagonistic to the goals of the proverbial free world. Even a portion of the recent trend toward the overthrow of dictatorships in the Middle East has been attributed to the easy flow of information made available through these networks.

And yet, the foreseeability of a day when users of computer networks can work with even minimal fear of being victims of criminal activity is nowhere in sight. It took four years for the COE just to find the common language the member and participating non-member countries could sufficiently agree upon to create the COC.

In the 10 years since, it is still a major struggle getting many of the signing nations to take even these first baby steps required by the COC. And there is no reason to believe that other major powers such as China or Russia, or those even more openly hostile and potentially violently dangerous nations such as North Korea or Iran, will ever want to seriously come to the negotiation table to work on a truly global solution.

When countries reasonably friendly to America and Western Europe encounter this much difficulty in reaching even the beginnings of a commonality of legislative approaches to fighting cybercrime, the prospect of a universal consensus throughout the world is virtually hopeless. It may take a worldwide cyber-tsunami of the proportions feared by Chicken Little (an intentional mixed metaphor) for there to ever be a chance at significant movement toward true cyber-security.

This is not the most comforting way to run such a globally interactive world for either the individual computer user or for those in business so dependent on operating in a safe and sensible cyber-environment.

The aspect of the Internet euphemistically described as “the cloud” has created a seemingly bountiful opportunity for the unscrupulous to acquire the means to attack innocent and vulnerable victims remotely and anonymously. And unlike the fictional portrayal of the apocalyptical children's tale of Chicken Little and his “The sky is falling!” warning, the current digital version is hardly a flight of fantasy.

The Impediments

As set forth earlier this year in his article for FedScoop.com entitled “Digital Forensics and the Cloud,” http://bit.ly/spVlyL. Rob Gillen alleges the cloud provides cybercriminals with new and varied methods of advancing illegal activity, a theory which he claims has been acknowledged by law enforcement as accurate, and one confirmed for this writer recently by security personnel of a major Internet service provider. More importantly, Gillen validly cites in his article two very serious impediments to law enforcement's ability to address this movement of criminal activity to the cloud.

First and foremost, he correctly observes that current digital forensic techniques are limited to “local-to-the-network forensics and have little effect in the black box, heavily virtualized & sandboxed cloud environment.” He is absolutely accurate that the focal point of present-day forensics is the known physical device of the identifiable computer or network, not the nearly untraceable morass of cloud computing.

But more importantly, even if law enforcement could possess the most advanced tools and techniques in hand to adequately attack cloud-based cybercrime, they will, however, have virtually little effect if the laws are not in place to legally utilize these tools and techniques. As Gillen notes, “cloud computing introduces an ease of cross-border crime that presents unique challenges to the existing laws.”

A Decade-Old First Time Event

The need for an international response to cybercrime's ability to completely disregard traditional jurisdictional boundaries in advancing criminal activity has not gone completely unnoticed. A decade ago, the Council of Europe (COE) instituted the Convention on Cybercrime (COC), which is to date “the first and only treaty to deal with breaches of law 'over the Internet and other information networks.'” http://bit.ly/rMCADU. The COC attempts to level the playing field and create a uniform method, from one country to the next, by which law enforcement can acquire evidence of crime occurring in cyberspace.

The text of the treaty acknowledges the presence of specific criminal activity occurring over computer networks requiring international uniformity of legislation to attack effectively, particularly computer-related forgery, computer-related fraud, offenses related to child pornography, offenses related to infringements of copyright and related rights, and various offenses against the confidentially, integrity and availability of computer data and systems, such as illegal access, illegal interception, data interference, system interference, and misuse of data. See, “Convention on Cybercrime,” http://bit.ly/rH3hJM.

Beyond the recognition of several substantive cybercrimes, the COC also lays out a series of procedural goals to be met by the signatory nations. The procedural provisions are to govern, inter alia, such activities as:

• The expedited preservation of stored content of communications and the transmission data that accompanies such communications;
• The identification of authorized parties to acquire such stored information and the creation of procedures, such as “production orders,” that direct how such information will be acquired;
• Procedures for the authorized parties actually to go about conducting the searching and seizing of such information;
• The creation of procedures by computer network service providers to allow the real-time capturing of the contents of communications and the transmission data related to those communications (a sort of global Communications Assistance for Law Enforcement Act (CALEA), for those familiar with that piece of American legislation); and
• The establishment of procedures to facilitate how such acquired information and data will be transferred to law enforcement from one jurisdiction to the next.

On Nov. 23, 2001, the treaty was signed by 26 of the 47 COE member states and four non-member states (Canada, Japan, South Africa, and the United States). As of late November of last year, 17 additional member states had signed.

Ratification Not Universal

Signing a treaty, however, is only one step in the process ' a step that means little without ratification. As of late November, of the 43 member states that signed the COC, 12 have yet to ratify it (Armenia, Azerbaijan, Belgium, the Czech Republic, Georgia, Greece, Ireland, Latvia, Liechtenstein, Luxembourg, Poland, Sweden, and Turkey). Of the four non-member states that have signed, only the legislature of the United States has ratified, which happened with little public fanfare on Sept. 29, 2006. (To view the most updated listing of countries that have signed the COC and have ratified the treaty, go to http://bit.ly/w5fxMX.)

Incidentally, the COC requirements have generated neither the creation of new laws in this country nor the amendment of any existing laws, which is possibly the reason why U.S. involvement in the treaty process has gone unnoticed. The same cannot be said for other countries.

Recent Objections

Why is a 10-year-old treaty of any particular relevance today? Because over the past few months a couple of prominent countries that have yet to ratify the COC have suffered significant public debate over the need to comply.

The governments of Canada and Australia ' both non-COE-member signers ' have encountered objections from their constituents on substantially the same grounds. The concern revolves around the ability of law enforcement, particularly those of foreign countries, to perform certain activities without the use of prior judicial approval or oversight for the purpose of either securing data maintained by online services or to learn the identities of citizens involved in online activities.

More specifically, some Canadians and Australians fear two procedures rather commonly used in the U.S. for many years for the securing of data stored by online services:

1. The acquisition of subscriber information (name, address, phone number, Internet protocol address, length of Internet connection, etc.) through the use of administrative or grand jury subpoenas; and
2. The submission of law enforcement-generated preservation letters to online services to preserve stored data until a search warrant or other appropriate legal process can be secured. Also cited as objectionable is the requirement that online providers must develop the means to allow law enforcement to eavesdrop on communications when authorized by a proper legal process.

The Canadian statutes were most recently introduced by its parliament in 2010, the session prior to its current one. See, “Investigative Powers for the 21st Century Act,” Bill C-51 of 2010 at http://bit.ly/uFhLJV, and “Investigating and Preventing Criminal Electronic Communications Act,” Bill C-52 of 2010 at http://bit.ly/vlWJ0w. The proposed laws were sufficiently abhorrent to certain members of the media, the scholastic community, and various privacy organizations, that a letter objecting to the legislation was signed by 24 such individuals and organizations and sent to the prime minister. See, http://bit.ly/rzDMzv. Although the Canadian legislation was not passed in 2010, news reports over last summer and fall have expressed considerable concern that the same statutes will be part of an upcoming crime legislation package. See, “Lawful Access Bills Likely to Be Reintroduced in the Fall,” Coalition Against Unsolicited Commercial E-mail (CAUCE), http://bit.ly/tqed4O, and, “(Un)Lawful Access: Wiring Canada's Networks for Control,” Mediamorphis, http://bit.ly/sbTe7l.

Australia's bill is currently undergoing legislative consideration. See, Cybercrime Legislation Amendment Bill 2011, http://bit.ly/sHsvJp. It has faced similar public condemnation. See, “Dangerous Cybercrime Treaty Pushes Surveillance and Secrecy Worldwide,” activepolitic.com, http://bit.ly/w11Z3N.

Pros and Cons

Proponents of the treaty make the obvious assertion that there is much to gain in the fight against global cybercrime, and particular, such terrorist-driven criminal activity, when numerous countries share a common and familiar method of acquiring critical evidence. Additionally, the COC documents specific criminal activity commonly occurring in cyberspace, bringing an awareness of and a required response to such illegal conduct to several countries that may not be addressing such problems on their own individually absent this treaty.

COC opponents not only express the expected fear of loss of privacy and other personal freedoms, but also raise even darker concerns: They claim this is an exploitation of anti-terrorist mania to justify the spread of the United States' Patriot Act-driven paranoia to its typical gang of allies throughout Western Europe and other American-friendly countries.

Regardless of the positions taken by these proponents and opponents, the greatest deficiency of the treaty is that it does very little to address the root causes of global cybercrime and cyber-warfare. The countries in which the majority of cybercriminals reside ' those who are the most responsible for massive amounts of cyber-espionage, identity theft, and the damage done daily to critical data and computer networks ' not only have not signed the treaty, they are not even members of the COE, nor have they shown any willingness to ever get involved in a unified solution to the issues attempted to be addressed by the COC.

Conclusion

The Internet and connected computer networks have touched a vast majority of the world's landscape. These networks have played, and will continue to play, a major role in the daily financial and personal lives of those in countries both friendly and antagonistic to the goals of the proverbial free world. Even a portion of the recent trend toward the overthrow of dictatorships in the Middle East has been attributed to the easy flow of information made available through these networks.

And yet, the foreseeability of a day when users of computer networks can work with even minimal fear of being victims of criminal activity is nowhere in sight. It took four years for the COE just to find the common language the member and participating non-member countries could sufficiently agree upon to create the COC.

In the 10 years since, it is still a major struggle getting many of the signing nations to take even these first baby steps required by the COC. And there is no reason to believe that other major powers such as China or Russia, or those even more openly hostile and potentially violently dangerous nations such as North Korea or Iran, will ever want to seriously come to the negotiation table to work on a truly global solution.

When countries reasonably friendly to America and Western Europe encounter this much difficulty in reaching even the beginnings of a commonality of legislative approaches to fighting cybercrime, the prospect of a universal consensus throughout the world is virtually hopeless. It may take a worldwide cyber-tsunami of the proportions feared by Chicken Little (an intentional mixed metaphor) for there to ever be a chance at significant movement toward true cyber-security.

This is not the most comforting way to run such a globally interactive world for either the individual computer user or for those in business so dependent on operating in a safe and sensible cyber-environment.