CYBERCRIME

Dr. Tatiana Tropina, Max-Planck Institute for Foreign and International Criminal Law

Webinar27th of March, 2015

2

What is cybercrime?

New form? New medium?

• Migration of traditional crime on-line

• Cyber-offences: new type of crime (illegal access, illegal interference with data and system,…)

3

Underground economy

Moderator of the Silk Road after Utopia’s seizure: "is a serious blow to the darkweb marketplace

community…regroup, and do it again.” "Show them that you, we, are a hydra -- cut off one

head and ten more spring up”

4

Cybercrime: challenges

• Number of Users • International dimension • Missing mechanisms of control• Automation• Innovation• Availability of tools and information

5

Low impact

• High latency & lack of reporting

• Low impact on the victim hard to justify the violation of public order

6

Confusion and misconceptions

• Cybersecurity-related terms: “cybercrime”, “cyberwar”, “cyberattack”, “cyberterrorism” absence of a clear consensus

• Terms are used interchangeably, sometimes with little regard for what they actually mean

• Sensationalization and exaggeration • Overuse of such terms as ‘cyberwar’ and ‘cyber-weapons’

tendency to view the situation in catastrophic terms • Legal and regulatory responses: confusion and

misunderstanding

7

Legal domains

8

9

Cybercrime: legal aspects

A bit of history: the Love bug

10

• Created and launched in the Philippines, rapidly spread around the world within hours

• Affected 45 million users in more than 20 countries, inflicted a damage between $2 and 10 billion.

• Was traced to the Philippines, but Philippine law neither criminalize hacking nor the distribution of viruses

• Obtaining the warrant took several days, which allowed the suspect ample time to destroy key evidence

• Onel de Guzman, a former computer science student, was responsible for creating and disseminating the “Love Bug.”

• De Guzman was charged with theft and credit card fraud, but the charges were dismissed as inapplicable and unfounded

• De Guzman could not even be extradited to other country because extradition requires double criminality

Cross-border environment

• Safe havens: countries with no cybercrime legislation (cybercrime vs. “bread and butter” problem): impact on other countries

• Harmonisation of criminal law: computer crimes shall be criminalised in the same way (not necessary word-by-word) to allow collaboration

• On the surface: might seem easy, however: – Reaching consensus: what type of crimes?– Updating laws or applying existing laws? – How specific “cyber”-crimes should be?

11

Harmonisation?

• Sovereignty & control vs. borderless Internet• International instruments: fragmentation, no single

solution• The differences between the various legal systems • Religious, moral and cultural differences • Human rights concerns and different approaches to the

protection of privacy • Historical coincidences

12

Global solution?

• Which body is to take responsibility?

• Different needs?

• What is the level of standards, protection and safeguards?

• How to agree to disagree (e.g. content crimes)?

• A blame game – where we are?

Substantive and procedural law

• Substantive law (what crime is) is to the large degree harmonised

• Procedural frameworks: how we obtain evidence in digital environment: process of harmonisation started much later

• Which instruments to use? General or specific frameworks? How compatible are they in a cross-border environment?

• Encryption and innovation

14

Criminal procedure

• Computer artefacts and data are vulnerable• Old MLAT systems are slow• Sovereignty and jurisdiction• How to obtain data quickly?• Formal cooperation vs. informal information sharing:

admissibility issues

15

Way forward?

• Procedural frameworks: development and harmonisation• Mutual legal assistance• Transborder access to stored data• Privacy issues• Admissibility of electronic evidence obtained in different

jurisdiction

16

Human rights concerns

• How does the state achieve its criminal justice goal?• Investigative measures: simultaneously seamless and

very intrusive• Content-related crimes: restriction on freedom of

expression can possibly be turned into an instrument of oppression

• Difference between activism, hacktivism and…crime?

17

Privacy and investigations

• Data protection and privacy regulation in different countries

• Lowering the standards vs. minimal set of standards• Intrusiveness of investigations - who enables application

of the procedural instrument? • Some countries: little or no judicial oversight for the

most intrusive measures • Transborder access: privacy conflicts

18

Regulation: blurring borders

19

Criminal law Strictly regulated procedures

Specific safeguards

Law of war Intelligence lawPreventive police law

Private investigations

Safeguards?

20

Ecosystem of fighting cybercrime

Criminal law: limitations

Law: one of the most important components

However

• Criminal law can only react to the problem • Pro-active measures + reactive approaches• Capacity building, awareness raising, prevention, early

disruption, detection

21

Ecosystem: challenges

• Non-hierarchic network: missing mechanisms of control• Cybercrime: a fast-changing multi-faceted problem• No “one fits all” solution • Complex ecosystem: combination of top-down and bottom-

up approaches• Collaboration between public and private stakeholders• Need for transparency, accountability and human rights

protection

Industry role

• Starting in the 1990s with private hotlines for reporting child abuse and involvement of ISPs in blocking and removing illegal content

• Growing and developing in many areas, getting more private stakeholders involved in prevention, detection, investigation

• Different intermediaries (not only ISPs) are now considered as critical points for collaboration

Forms of collaboration

• Hotlines and reporting platforms (IWF, INHOPE)• Codes of conduct• Public awareness campaigns• Botnet mitigation projects• Capacity building programs (2 Centre, International

Centre for Missing and Exploited children) • Investigations: informal information sharing and ad hoc

collaboration towards structured approaches?

Industry: problems

• Investigating and prosecuting cybercrime: limitations (complement but never substitute proper legal frameworks)

• Clear frameworks , cost-effective solutions• Corruption, mishandling of investigations, transparency• Private censorship with no limits?• Deficit of control• Enforcement in a cross-border environment

Role of civil society

• Criminal law: the highest degree of governmental intervention

• Policy-making and law-making processes: still top-down? • Bottom up approaches: awareness raising, voluntary

initiatives, privacy discussions, human rights protection• National and international level

Finding balance

• Safeguarding the Internet

• Protecting human rights

• Protecting interests of all stakeholders

• Building capacity and trust

27

Thank you!

Tatiana TropinaSenior ResearcherMax-Planck-Institut für ausländischesund internationales StrafrechtGünterstalstr. 7379100 Freiburg i.Br. Tel.: +49 (761) 7081-0Fax: +49 (761) 7081-294t.tropina@mpicc.de

28