The document discusses cybercrime and digital investigation. It begins with defining cybercrime and listing its common forms. It then discusses the underground economy of cybercrime, describing how criminal networks operate similarly to legitimate businesses. Several specific cybercrimes are examined in depth, including malware, data theft, identity theft, phishing, and botnets. The document also profiles some case studies of major cybercriminal groups and hacking incidents to illustrate how crimes are committed. It aims to outline the scope and techniques of cybercrime threats.

1. Cybercrime,
Digital
Inves4ga4on
and
Public
Private
Partnership
2° INFOSEC DAY – OCTOBER 2, 2012 – LISBON
Francesca Bosco and Giuseppe Vaciago

2. Agenda
• What is Cybercrime?
• The Underground Economy
• Crimes & Techniques Focus
• Who are the Criminals?
• Addressing the Problem
• Digital Forensics
• Digital Investigation
• Data Retention
• Cloud Computing

3. Every new technology opens the doors to new
criminal approaches
3

4. CYBERCRIME
WHAT DO YOU KNOW?

5. CYBERCRIME
WHAT DO YOU WANT TO KNOW?

6. What is cybercrime?
Many possible definitions - no widely accepted one
Any conduct proscribed by legislation and/or jurisprudence that
(a) is directed at computing and communications technologies themselves;
(b) involves the use of digital technologies in the commission of the
offence; or
(c) involves the incidental use of computers with respect to the
commission of other crimes.
Forms
• crimes against the confidentiality, integrity or availability of computer
systems (e.g. theft of computer services)‫‏‬
• crimes associated with the modification of data (e.g. theft of data)‫‏‬
• content-related crimes (e.g. dissemination of illegal and harmful
material, child pornography)‫‏‬
• relation between terrorism and the Internet (e.g. terrorist propaganda,
recruitment for terrorist organizations)‫‏‬
6

7. Brazil
United States
China
Germany
India
Italy
Taiwan
Russia
Poland
United Kingdom
Major Threats and Countries Subjected to Attacks
• Malware (Malicious Code)
• Botnets
• Phishing
• Spam
• SQL-Injection
Malicious
Ac+vity
18
%
Threat Rank
Malware 1
Spam 10
Phishing 1
Botnets 1
SQL-injection 2
Malicious
Ac+vity
7
%
Threat Rank
Malware 8
Spam 1
Phishing 9
Botnets 3
SQL-injection 6
Malicious
Ac+vity
7
%
Threat Rank
Malware 3
Spam 9
Phishing 4
Botnets 5
SQL-injection 1
Malicious
Ac+vity
6
%
Threat Rank
Malware 15
Spam 7
Phishing 3
Botnets 6
SQL-injection 5
Malicious
Ac+vity
5
%
Threat Rank
Malware 2
Spam 2
Phishing 18
Botnets 19
SQL-injection n/a
Malicious
Ac+vity
4
%
Threat Rank
Malware 13
Spam 12
Phishing 12
Botnets 4
SQL-injection n/a
Malicious
Ac+vity
3
%
Threat Rank
Malware 22
Spam 20
Phishing 16
Botnets 2
SQL-injection 7
Malicious
Ac+vity
3
%
Threat Rank
Malware 11
Spam 4
Phishing 7
Botnets 13
SQL-injection n/a
Malicious
Ac+vity
3
%
Threat Rank
Malware 19
Spam 5
Phishing 10
Botnets 7
SQL-injection n/a
Malicious
Ac+vity
3
%
Threat Rank
Malware 4
Spam 22
Phishing 6
Botnets 15
SQL-injection 4

8. Most Targeted Industry Sector 1° Quarter ‘12
Source APWG - Phishing Activity Trends Report

9. Top 20 countries with the highest rate
of cybercrime attacks
Source: Symantec - Last update 7/26/12

10. Complaints of online crime, 2011
at the Internet Crime Complaint Center (USA)
The 2011 IC3 Internet Crime Report reveals both the scope of online crime and IC3’s battle against it. The most common
victimcomplaintsincludedFBI-relatedscams,identitytheftandadvancefeefraud.2
IC3receivedandprocessedmorethan
26,000 complaints per month. Based on victim complaints, the top five states were California (34,169), Florida (20,034),
Texas (18,477), New York (15,056) and Ohio (12,661). Victims in California reported the highest dollar losses with a total
of $70.5 million. For victims reporting financial losses, the average was $4,187.
IC3servesasapowerfulconduitforlawenforcementtoshareinformationandpursuecasesthatoftenspanjurisdictional
boundaries.Collaborationwithinthispartnershiphasproducedanumberoftechnologicaladvancementstostreamline
how the public’s complaints are processed and referred to investigators. Initially established as simply a convenient
method for citizens to report Internet crime information, IC3 has evolved into a vital resource for both victims of
online crime and for law enforcement across the country that investigate and prosecute a wide range of cases.
1
Methodology of evaluating loss amounts: FBI IC3 Unit staff reviewed for validity all complaints that reported a loss of more than $100,000. Analysts also converted losses reported
in foreign currencies to dollars. The final amounts of all reported losses above $100,000 for which the complaint information did not support the loss amount were excluded from
the statistics.
2
Complaint category statistics that are based on the perceptions of the complaints are not typically accurate for statistical purposes. The statistics pulled from the complaints
0
50,000
100,000
150,000
200,000
250,000
300,000
350,000
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
16,838
50,412
75,064
124,449
207,449
231,493
207,492 206,884
275,284
336,655
303,809
314,246
314,246
336,655
Yearly Comparison of Complaints3
Total loss in 2011: $ 485.253,871
Source: Internet Compliant Centre

11. Why has Cybercrime become so pervasive?
① Extremely profitable
② Very low infrastructure cost and readily available attack
tools
③ Barriers to prosecution combined with weak laws and
sentencing
④ Anonymity and financial lure has made cyber-crime
more attractive
⑤ Separation between the physical and virtual world
⑥ Organized cybercrime groups can conduct operations
without ever making physical contact with each other

12. Trends of organized crime:
Transnational, Adaptive, Multifaceted
A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environmental-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering

13. Cybercrime today

14. Organized Crimes Activities Shift
Original Activity Modern Version
Local numbers gambling Internet gambling (international
sites)
Street prostitution Internet prostitution
Heroin, cocaine trafficking Synthetic drugs (less vulnerable to
supply problem)
Extortion of local businesses for
protection
Extortion of corporations,
kidnappings
Loansharking Money laundering, precious
stones, commodities.
Fencing stolen property Theft of intellectual property

15. How the black market works

16. The black market: what they offer6*+,-$($)>-Z8#0-8[,-5# )"G-5#>-"#8%"8#0-8:;1"-#
4.2")0%50660"#7+%80.9#.+%: ;)*<"+,'%="#>)"?
-.,"#2<*,+#. &'()"%1M0,W ;,"0,)C+)?%%%%%%%%%%%%4"+?+.C%-??<)? ;*).0"+#?

17. Underground Economy Business Model
Organised crime borrows and copies business models from the
legitimate economy sector. Cyber-criminals employ models similar to
the B2B (business-to-business) for their operations, such as the
highly sophisticated C2C (criminal-to-criminal) models, which use very
effective crime tools available through digital networks.

18. Underground Economy Cooperation Model

19. CRIMES & TECHNIQUES
FOCUS

20. 1. Malware/spam and the underground economy
§ Players in the underground economy include:
Ø Malware writers and distributors (trojans, spyware,
keyloggers, adware, riskware, …)
Ø Spammers, botnet owners, drops
Ø Various middlemen
§ Emergence of institutional arrangements to enhance
“trust” in the underground economy
Ø Service level agreements, warranties, etc.
§ Steady stream of new attacks
E.g.: spear-phishing, chained exploits, exploitation of social
media.

21. Hardware,
software
Security
service
providers
Fraudsters,
criminals
ISPs
Individual
users
Business
users
1
2
13
5
3
8 9
4
10
1211
67
Government
Society at large
1. Example of possible financial flows
14
Society at large
1:
Extortion payments, click fraud,
compensated costs of ID theft and phishing
2:
Uncompensated costs of ID theft and
phishing, click through, pump and dump
schemes, Nigerian 419 scams, and other
forms of consumer fraud
3, 4, 5, 6:
Hardware purchases by criminals,
corporate and individual users
7, 8, 9, 10:
Security service purchases by hardware
manufacturers, corporate and
individual users, ISPs
11, 12, 13:
ISP services purchased by corporate and
individual users, criminals
14:
Payments to compensate consumers for
damages from ID theft (if provided)
Legal financial flows
Potentially illegal financial flows

22. 2. Data Theft
(what data are we talking about?)
Personally Identifiable Information (PII):
Identifying information means any name or
number that may be used alone or with other
information to identify a specific person:
Name, social security number, date of birth,
official State or government issued driver’s
license or identification number, alien
registration number, government passport
number, employer or taxpayer identification
number, biometric data, etc.
Likely one of the most valuable assets that we
have and one that businesses need to protect.
Why? Information is exponential and reusable.
Information can be sold to multiple buyers and
be can be used in many profitable ways.

23. 3. ID Theft
• ID Theft is the fastest growing crime
in the world.
• Over 9 million victims a year on
average worldwide
• Studies on the total cost of identity
theft vary. One study indicates that
identity theft cost U.S. businesses
and consumers $50 to $60 billion
dollars a year
• Individual victims lose an average of
$1,500.00 each in out of pocket
expenses and require tens or
hundreds of hours to recover – some
never do.

24. Use of email to trick someone into
providing information or to go to a
malicious Web sites by falsely
claiming to be from a known entity.
These attacks are becoming more
and more sophisticated. Use of
social networking sites will become
an issue.
4. Phishing

25. 5. Botnet Definition
A Botnet is a network of compromised machines (bots) remotely
controlled by an attacker.
B ot
Key
U ncompromised
Host
B
Attacker
B
B
B
U
U
Commands
Commands
Attacks
Attacks

26. .
Botnet Breakdowns
Overall messaging botnet growth jumped up sharply from last quarter. Infections rose in Colombia,
Japan, Poland, Spain, and the United States. Indonesia, Portugal, and South Korea continued to de
0
1,000,000
2,000,000
3,000,000
4,000,000
5,000,000
MAR
2012
FEB
2012
JAN
2012
DEC
2011
NOV
2011
OCT
2011
SEP
2011
AUG
2011
JUL
2011
JUN
2011
MAY
2011
APR
2011
Global Botnet Infections
New Botnet Senders
40,000
45,000
50,000
Argentina
12,000
14,000
16,000
Australia
5. Botnet Statistics
Source: McAfee Threats Report: First Quarter 2012

27. WHO ARE THE CRIMINALS ?

28. Who are the criminals?
28
Are financially-motivated cyber-criminals actively working with
traditional organized crime groups?
Or are they opportunistically organizing among themselves?
Or, still, are they simply passively working with O.C. groups for
support tasks eg: money laundering?
Four case-studies

29. • Formed around 2002
• 2008 revenue estimated at $180 million
• Estimated to employ 200-500 staff (HR, call center operators to dissuade
victims and avoid credit complaints, malware & scareware developers,
etc…) in Ukraine, India, and the United States
• Criminal activities: Scareware (or “Ransomware”, meant to frighten users
into providing their credit card data in order not to lose their data), Adware,
Credit Card Fraud (Reselling of the credit cards “customers” were
ransomed into providing to IMU). Early activities included the selling of
pirated media (music, pornography) and software as well as
pharmaceuticals such as Viagra
• 2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated
individuals $163 million USD
Case Study:
1. Innovative Marketing Ukraine
29

30. • The bank is using a OTP system to authorize large transactions
• A Trojan is used to steal IMEI (international mobile equipment identity)
numbers from account holders when they login to their online banking
application
• Once they have acquired the IMEI number, the criminals contact the victim’s
wireless service provider, report the mobile device as lost or stolen, and
request a new SIM card.
• With this new SIM card, all OTPs intended for the victim’s phone are sent to
the fraudster-controlled device.
Case Study:
2. Banking Fraud Scheme
30

31. • An IT company employs some engineers after they resigned from a
competitor; the day before their resignation, they download some
confidential files from competitor’s laptops
• The mere existence of industrial secrets and their potential access by a
former employee is not sufficient to raise civil and/or criminal responsibility.
In both cases you need to prove the transfer of documents or the disclosure
of info’s directly to the competitor
• The crime of unlawful access to an IT system is made by the person who
violates owner’s prescriptions and limits to access and maintain himself on
the system, no matter what is the aim or target of the unlawful access, but in
this case the access was made the day before the resignation, so that
engineers were still in right to access the files.
Case Study:
3. Mix between cyber and non-cyber crime
31

32. Friend posts
update on FB
You click in to
the update
You’re
redirected to
a website run
by Koobface
“Video can’t
load,
Download
latest version
of flash
You
download/
install the
software
Case Study:
4. Koobface – The value of “Big Data”
32
• Social Networks are so attractive as they potentially contain information useful for:
cyber stalking, industrial espionage, private data used in a Pay per Click (PPC)
system, cyber terrorims.
• Koobface is a worm that targeted Facebook and other social media sites. Its goal
was to gather login information for purposes of building a peer to peer botnet
• Originally appeared in May 2008, after 2 year the Koobface botnet was composed of
400.000 to 800.000 PCs worldwide and earned more that 4 million dollar
• The mechanism was very simple:

33. • The botnet master made - namely using his
personal email for registering a domain parked
within Koobface's infrastructure
• The same email krotreal@gmail.com was used
to advertise the sale of Egyptian Sphynx kittens
on 05.09.2007.
• The following telephone belonging to the
suspected person was provided. The interesting
part is that the same telephone was also used in
another advertisement, this time for the sale of a
BMW
• The final result was that Facebook on January
2012 identified Anton Nikolaevich Korotchenko
and other 4 subject as the authors of Koobface.
Case Study:
4. Koobface – The investigation

34. HOW TO COMBAT CYBERCRIME?
WHAT DO YOU KNOW ABOUT
DIGITAL FORENSICS?

35. Digital forensics is concerned with how to store, identify, acquire, record
or interpret the data on a digital device. On a general level it’s about
finding the best way to:
• get hold of evidence without modifying the IT system in which that
evidence is found;
• ensure that the evidence acquired in another medium is identical to
the original;
• analyse data without modifying it.
Corporate forensics is nothing more than the steps taken in order to
preserve any digital evidence to be submitted in court proceedings and
to ensure that it isn’t modified when the techniques of digital forensics
are put into play.
Digital Forensics - Definition

36. During the forensic analysis of modifiable media, the Hash guarantees
the intangible nature of the data that it contains.
The Hash is a unique function that operates in one direction
(meaning that it cannot be reversed), by means of which a document
of random length is converted into a limited and fixed length string.
This string represents a sort of ‘digital fingerprint’ of the non-encrypted
text, and is called the Hash Value or the Message Digest.
If the document is modified even to the slightest extent, then the
fingerprint changes as well. In other words, by calculating and
recording the fingerprint, and then recalculating it, it can be shown
beyond all doubt whether the contents of the file, or the medium, have
been altered, even accidentally.
Two Rules for Digital Forensics:
Hash Functions

37. Anyone wanting to validate the content of an e-mail or an entire
hard-disk has to take a particular type of copy by taking a bit-
stream image that can ‘clone’ the entire hard-disk.
The bit-stream copy is a particular form of duplication in which
the content of the physical unit is read sequentially loading the
minimum quantity of data that can from time to time be
directed, then recording it in the same sequence on a standard
binary file, generating a physical image of the original medium.
Two Rules for Digital Forensics:
Bit-Stream Copy

38. Italian Case Law on Digital Forensics
Digital evidence could be altered and can contain countless pieces of
information. The “Garlasco” case is a clear example of this.
Alberto Stasi was acquitted of murder of his girlfriend, Chiara Poggi, by the Court
of first Instance In December 2009 and the judgement was confirmed in the
Appeal court in December 2011.

39. The “Garlasco” case: the “IT alibi”
Chiara Poggi died
between 10.30 and
12.00
Stasi voluntarily
hands over his PC to
the Police
After working on the PC the
Police hands it over to the
Scientific Investigation Group
Judge Vitelli
acquits Stasi of
murder
14/08/07 29/08/07 17/12/0913/08/07
-­‐ Stasi wakes up at 9
-­‐ Telephones Chiara Poggi
-­‐ Works on his thesis
13/08/07
The expert report requested by the judge
shows that Stasi was working on his thesis
during the period when Chiara Poggi was killed
17/03/09

40. HOW TO COMBAT CYBERCRIME?
WHAT DO YOU KNOW ABOUT
DIGITAL INVESTIGATIONS?

41.
Digital Investigation – 6 Steps

42. With a warrant, the location Is searched, any computer system and
media are seized and the media are examined for any digital evidence
With the IP address, the Law Enforcement can obtain customer’s
address from the Access Provider
The Law Enforcement uses the court system to compel an ISP to
obtain IP address del suspected user
1. Identify the Suspect
When investigating cybercrimes committed online, the “traditional”
approach is as follows:

43. No connection between what is observed and
what is found in the search and seizure
procedure
Difficult to identify a seized machine as the
same on that was investigated remotely
Difficult to identify a user (multiple User ID or
multiple IP Address over time, particularly
driving around open Wifi, proxy, botnet, TOR)
1. Identify the Suspect – Challenges
The challenges are as follows:

44. Understanding social engineering techniques
means knowing where any digital traces might be
found
Immediate action means more information being
gathered (data retention)
Public-Private Partnership between Law
Enforcement/ISPs/Internet Companies/Academia
can be of enormous help in complex investigations
You cannot (always…) identify a cybercriminal on Google ;)
1. Identify the Suspect – Solutions?

45. 1. Identify the Suspect – Solutions?

46. The results of this investigative activity have been
excellent, but what about Privacy?
Mr Palazzolo a treasurer for the mafia, on the run for 30 years, was
discovered by monitoring his facebook profile.
1. Identify the Suspect – Solutions?

47. Face
Recogni4on
Project
Alessandro
Acquis/
CCTV
Fair
Fax
Media
1. Identify the Suspect – Solutions?

48. 2. Detecting Illegal Contents
An investigating tool most frequently used for carrying out an on line
investigation is hashing techniques.
For example, starting with a file containing ille, it is possible to convert
it into a message digest and to carry out a fast search inside a
storage support (hard drive, flash disk) or within the network (P2P
networks).
Ferrari.jpg Ferrari_copy.jp
g
HASH SHA-1
051ed4dbdb9bcd7957
aa7cbb5dfd0e94605cd
887

49. What happens if I just change the file in an infinitesimal way?
Ferrari.jpg Ferrari_copy2.jp
g
HASH:
051ed4dbdb9bcd7957aa7cbb5df
d0e94605cd887
HASH:
a9fa2933484f828b95c1dde824dea
28f35b509d6
The hash does not match and the search will not generate
results
2. Detecting Illegal Contents - Challenge

50. For this reason, there are techniques (i.e. fuzzy hashing) or
various types of algorithms that allow a “certain degree of
similarity” to be identified.
A good software used is SSDEEP written by Andrew Tridgell
and used for detecting spamming.
Online is available: pHash (The open source perceptual hash
library)
2. Detecting Illegal Contents – Solutions?

51. 2. Detecting Illegal Contents - Solutions
The more complex techniques have a 20% degree of error
What does it means?
No problem if there are false positives. Human checking is
sufficient.
But in the case of false
negatives?
False Negative=
(i.e., illegal content incorrectly deemed as non-illegal
False positives=
(i.e., non-illegal content incorrectly deemed as illegal

52. 2. Detecting Illegal Contents - Solutions
Internet Surveillance Plans

53. On December 20, 2006: Article 5.2(11) of the Law
on the Protection of the Constitution in North
Rhine-WestFalia was amended with the
introduction of provisions on remote intelligence-
gathering, both online and by accessing
information technology systems.
Private computer systems could be covertly
accessed “remotely”, thanks to software
(keylogger and sniffer programs) installed on the
target system without the owner’s knowledge, for
instance, in the form of Trojans incorporated within
or disguised as harmless content, by convincing
the owner to voluntarily upload the relevant
spyware or disclose passwords through cleverly
devised social engineering initiatives.
2. Detecting Illegal Contents - Solutions

54. On February 27, 2008 The German Constitutional Court determined
that the amendment of NordWestfalia Law was unconstitutional as it
violated:
The Constitutional Court establishes a new “Right to the
Confidentiality and Integrity of Information Technology
Systems” (right to the free development of one’s personality), read in
conjunction with Article 1.1 GG (right to human dignity).
2. Detecting Illegal Contents - Solutions

55. Just three years after the ruling by the German Constitutional
Court, Germany’s Justice Minister has called for an
investigation after authorities in at least four German states
acknowledged using computer spyware to conduct surveillance
on citizens (Bavaria, Baden-Wurttemberg, Brandenburg and
Lower Saxony)
2. Detecting Illegal Contents - Solutions

56. 3. Validating Digital Evidence
In order for digital data to be admitted as evidence at trial, law
enforcement officers handling the same must respect the “two
fundamental digital forensics rules” mentioned above
But, what happens if the digital data is in the Cloud?
Bitstream Copy
Hash function

57. 3. Validating Digital Evidence - Challenge
The new challenge with Cloud computing is a loss of data
location due to:
-­‐ “Data at rest” does not reside on the device.
-­‐ “Data in transit” cannot be easily analysed because of
encryption.
-­‐ “Data in execution” will be present only in the cloud instance
The investigator who wants to capture the bit-stream data of a
given suspect image will be in the same situation as someone
who has to complete a puzzle, whose pieces are scattered
randomly across the globe

58. 3. Validating Online Digital Evidence - Solution
How is it possible to validate online digital evidence and
immediately show that a particular piece of data on a particular
online site is certain?

59. 4. Chain of Custody of the digital evidence
• When digital evidence can be used in court, it must be
handled in a careful manner to avoid later allegations of
tampering or misconduct which can compromise the case.
• Digital storage media last less than analogue media and
devices to read such media last even less.
• Domesday Book (1086): legible after over 900 years.
• Domesday Book 2 (1983): LaserDisc: illegible after 15
years.

60. 5. Analysis of Digital Evidence
• Text searches: aimed at scanning files, directories and even
entire file systems for specific text terms
• Image searches: aimed at identifying image files in various
formats, and at generating still frames of digitally stored
video
• Data recovery and identification: this technique is aimed
to recover all files stored, including deleted or damaged data
• Data discovery: it is targeted at accessing hidden,
encrypted or otherwise protected data
• Data carving: it focused on reconstructing damaged files by
retrieving portions of their content.
• Metadata recovery and identification: this digital forensic
tool is particularly useful for retracing the timeline of web
accesses and file changes

61. 6. Reporting of Digital Evidence Findings
This stage is of key importance for Prosecutors, Judges and
lawyers, as the outcome of the trial will depend not only on
results achieved, but also the degree of clarity and
comprehension of the report.

62. HOW TO COMBAT CYBERCRIME?
DATA RETENTION AND ROLE OF
ISP PROVIDERS

63. Data Retention - Definition
• Data retention (or data preservation) generally refers to
the storage of call detail records (CDRs) of telephony and
internet traffic and transaction data (IPDRs) by
governments and commercial organisations.
• The digital data usually requested from ISPs during
investigations can generally be divided up between data
identifying a potential offender (the IP address) and data
demonstrating activity on line (the log files).

64. Data Retention – Legal Framework
• In the wake of the terrorist attacks in Madrid and London
(2004 and 2005 respectively), the European Parliament
issued Directive 2006/24/EC.
• Legislating over data retention, the Directive sets out how
traffic data can be stored by the providers and the grounds
on which the courts can access that data.
Directive 97/66/EC
Directive 2002/58/EC
Directive 2006/24/EC

65. Data Retention – Directive 2006/24/EC
• Scope of application: serious crime
• Retention period: from 6 month to 24 months
• Type of data:
a) data necessary to trace and identify the source, destination of
a communication
b) data necessary to identify the date, time, duration type of a
communication:
c) data necessary to identify users' communication equipment
d) data necessary to identify the location of mobile
communication equipment:

66. Data Retention – Open Issues
1) There is no consistent approach across the EU of the
period of retention among Member States
2) No defined list of parties entitled to request such data
3) ‘Serious crime’ is a generic term
It is for these reasons that the Constitutional Court in certain
Member States (Germany, Romania and the Czech Republic)
have declared national law implementing the Directive to be
unconstitutional, resulting in a legislative lacuna that does
absolutely nothing to assist investigations. In addition, Austria
and Sweden have decided against implementing the Directive,
with heavy penalties being imposed by the European
Commission as a result.

67. Data Retention – Retention Period
Of the twenty-two Member States that have implemented the Directive:
• Thirteen MS have decided that data may be kept for twelve months
• Five MS have established a longer period
• Four MS have gone for a shorter time limit
***
• Seven MS have established two periods of time for which data may
be held: one for telephone traffic and the other for electronic data

68. Data Retention – Serious Crime
Of the twenty-two Member States that have implemented the Directive:
• Ten MS (Bulgaria, Estonia, Ireland, Greece, Spain, Lithuania,
Luxembourg, Hungary, Netherlands, Finland) have defined 'serious
crime', with reference to a minimum prison sentence, to the
possibility of a custodial sentence being imposed, or to a list of
criminal offences defined elsewhere in national legislation.
• Eight MS (Belgium, Denmark, France, Italy, Latvia, Poland, Slovakia,
Slovenia) require data to be retained not only for investigation,
detection and prosecution in relation to serious crime, but also in
relation to all criminal offences
• Four MS (Cyprus, Malta, Portugal, United Kingdom) refers to
‘serious crime’ or ‘serious offence’ without defining it.

69. Data Retention – Reimburse of Cost and ISP Role
• The cost of setting up a system for retaining data for an internet
service provider serving half a million customers to be around €
375.240 in the first year and € 9.870 in operational costs per
month thereafter. The costs of setting up a data retrieval system to
be € 131.190, with operational costs of € 28.960 per month
• The Directive does not regulate the reimbursement of costs incurred
by operators as a result of the data retention requirement.
• Of the twenty-two countries that have implemented the Directive only
2 Member States reimburse both operational and capital
expenditure (Finland, United Kingdom) and 6 Member States
reimburse only operational expenditure (Belgium, Denmark, Estonia,
France, Lithuania, Netherlands)

71. Data Retention – Conclusions
• The practical repercussion of this scenario is the following: when
faced with a U.S., German, Austrian or Romanian ISP, law
enforcement officers could never be sure if the data they are
after has long been cancelled or is still in storage.
• The conflict is even more acute in this case, since law
enforcement not only insist that the Data Retention Directive is
crucial to digital investigation, but would also like to see it
applied to non-EU ISPs offering internet services in Europe.
• In light of this, Directive 2006/24/EC should be put under review,
in full compliance with Articles 7 and 8 of the Charter of
Fundamental Rights of the European Union

72. CLOUD COMPUTING

73. Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable resources (e.g.,
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal effort or
management service provider interaction
Cloud computing has five essential characteristics: (i) On-
demand self-service, (ii) Broad network access, (iii) Resource
pooling, (iv) Rapid elasticity, (v) Measured service
Definition

74. And it has four
deployment models:
Definition
It has three service
models:

75. From a Legal Standpoint Cloud Computing services have to face these two
distinct issues:
1) Jurisdiction: The “loss of location” of digital evidence in the cloud world
creates problem of jurisdiction. With cloud computing, are the documents
governed by the law of the state in which they are physically located or by
the location of the company possessing them or by the laws of the state
where a person resides? Over the last few years, various approaches have
been offered to solve this problem.
2) Privacy: The “lack of control” over the data (cloud clients may no longer
be in exclusive control of this data and cannot deploy the technical and
organisational measures necessary to respect Data Protection Law), and
the “absence of transparency” (insufficient information regarding the
processing operation itself) are the main data protection risk of cloud
computing
Legal Aspect of the Cloud

76. • August, 23, 2011, Vivian Reding
(E-006901/2011 – Answer to
parliamentary question):
• “In accordance with international
public law, and in the absence of a
recognised jurisdictional link, a
foreign law or statute cannot directly
impose legal obligations on
organisations or undertakings
established in a third country
regarding the activities performed
within the territory of that third
country”
1. Jurisdiction – “The Patriot Act” issue
Viviane Reding - Vice-President of the
European Commission

77. 1. Jurisdiction – “The Patriot Act” issue
• The Patriot Act is extraterritorial in
application (Section 215 and
Section 505).
• Under this Act, U.S. authorities are
entitled to subpoena personal data
related to non-US citizen from any
company that has “minimum
contacts” with the U.S.
The Director of the Federal Bureau of
Investigation or a designee of the Director
(whose rank shall be no lower than Assistant
Special Agent in Charge) may make an
application for an order requiring the
production of any tangible property (including
books, records, papers, documents, and other
items) for an investigation for protecting
against international terrorism or clandestine
intelligence activities, provided that such
investigation of a United States person is not
conducted solely upon the basis of activities
protected by the first amendment of the
Constitution [...]
Patriot Act, Sec. 215. Access To Records And
Other Items Under The FISA

78. • “CloudSigma is operated and controlled by
a Swiss AG, which is not subject to direct
or indirect U.S. control”
• “City Cloud and Several Nines offer a
partnership safe-haven from the Patriot
Act in Sweden”
• Amazon Web Services (AWS) is subject to
the US Patriot Act but the chief technology
officer, Werner Vogels, encrypts private
data for transit to the Cloud — and for
employing best practice when it comes to
classifying data
1. Jurisdiction – “The Patriot Act” issue

79. December 6, 2011 Vivian Reding -
2nd Annual European Data Protection and
Privacy Conference - Brussels:
“I am reading in the press about a Swedish
company whose selling point is that they
shelter users from the US Patriot Act and
other attempts by third countries to access
personal data”
“I do encourage cloud computing centres in
Europe, but this cannot be the only solution.
We need free flow of data between our
continents. And it doesn't make much sense
for us to retreat from each other”
1. Jurisdiction – “The Patriot Act” issue

80. We have 4 different possible principle to solve the “loss of location” in a cloudy
world:
• Territorial principle: the Court in the place where the data is located
has jurisdiction
• Nationality principle by virtue of which the nationality of the perpetrator is
the factor used to establish criminal jurisdiction.
• “Flag principle”, which basically states that crimes committed on ships,
aircraft and spacecraft are subject to the jurisdiction of the flag state.
• “Power of Disposal Approach”. From a practical point of view, a
regulation based on the power of disposal approach would make it feasible
for law enforcement to access a suspect’s data within the cloud.
1. Jurisdiction – “The Patriot Act” issue

81. Lack of
control
over the
data
Lack of
Integrity
caused by the
sharing of
resources
Lack of
availability
due to lack of
interoperability
Lack of
intervenability
due to the
complexity and
dynamics of
the outsourcing
chain
Lack of
information on
processing
(transparency)
Lack of isolation
A cloud provider
may use its
physical control
over data from
different clients to
link personal data.
Lack of
confidentiality
in terms of law
enforcement
requests made
directly to a
cloud provider
Lack of
intervenability
(data subjects’
rights)
2. Privacy – The WP29 Opinion

82. 1. Compliance with basic data protection principles
2. Transparency
3. Purpose specification and limitation (isolation)
4. Erasure of data
5. Technical and organisational measures of data protection and
data security
6. Availability
7. Integrity
8. Confidentiality
2. Privacy – Possible solutions

83. Article 25 and 26 of the Directive 95/46/EC provide for free flow of personal
data to countries located outside the EEA only if that country has an
adequate level of data protection. The instruments are:
1. Safe Harbor: US organizations adhering to the principles can take place
lawfully under EU law since the recipient organizations are deemed to
provide an adequate level of protection to the transferred data. and
adequate countries
2. Binding Corporate Rules: constitute a code of conduct for companies
which transfer data within their group
3. Exemptions: that exemptions shall apply only where transfers are neither
recurrent, nor massive or structural
4. Standard Contractual clauses: adopted by the EU Commission for the
purpose of framing international data transfers between two controllers or
one controller and a processor are based on a bilateral approach.
2. Privacy – Possible solutions

84. 2. Privacy – Possible solutions
Proposal of
Regulation
on Data
Protection
The right to be
forgotten
EU citizens are to be
entitled to require
information online to
be deleted
Privacy Officer
Public bodies and
businesses having a
minimum number of
employees are obliged
to establish a data
protection officer
Security
Where information is
lost (which is described
as a serious breach),
this will have to be
reported, and even
more complex security
models will be required
One-Stop-Shop
Businesses and
individuals must be
able to deal with one
single point of contact
Cookies
The use of cookies on
line is regulated further,
in line with the recent
Cookies Law directive.
Privacy by design:
The regulation
introduces an
obligation to use
technological means to
ensure that personal
data is automatically
processed only to the
extent that is
absolutely necessary.

85. HOW TO COMBAT CYBERCRIME?
PUBLIC PRIVATE PARTNERSHIP

86. Addressing the Problem-I
• Fighting cybercrime has always been a complex problem due to
the number of ICT network users, the transnational nature of the
Internet and its decentralised architecture. Cyber-criminals, and
especially organised criminal groups, have been and probably
would always remain several steps ahead of legislators and law
enforcement agencies.
• Criminal to criminal (C2C) networks benefit from anonymous
communications, automation of attacks and the difficulties that law
enforcement agencies experience in determining the location:
servers with crime-ware could be in one country, while members
of the network could be in another one, targeting victims across
the world

87. Addressing the Problem-II
• In addition to strengthening the current legal frameworks,
updating old legislation, harmonising laws on an
international level, what is needed is also the cross-sector
cooperation on national level as well as international
cooperation in detecting, investigating and preventing e-
crimes committed by organised criminal groups.
• Law enforcement agencies often find it difficult to keep
abreast of the dynamic technical knowhow &
toolsèEffective “Public Private Partnership” is
recommended to circumvent this problem.

88. How to develop an effective PPP
Main examples:
• operational cooperation in specific cases,
• cooperation in case of websites containing illegal
content such as child pornography or hate speech,
• private self-regulation through codes of conduct,
• sharing of necessary and relevant information across
the private and public sector,
• setting up networks of contact points in both the
private and the public sector.

89. Questions?

90. Contacts
Mr. Giuseppe Vaciago,
University of Insubria,
giuseppe.vaciago@uninsubria.it
Ms. Francesca Bosco,
UNICRI Project Officer
bosco@unicri.it