Rodney D. Ryder Crime and the Internet: [Challenging] Criminal behaviour in the Information Age

Introduction - Structure Part 1 – Crime and the Internet Cyberspace: an introduction Understanding the impact of the new media Parameters of destruction: the “logic bomb” versus the “truck bomb” Part 2 – Theories on Cyber crime [Solutions and Perspectives] Cyber crime theory Notes on Best Practice

Part 1 – Crime and the Internet

Cyberspace: an introduction

Understanding the impact of the new media

Parameters of destruction: the “logic bomb” versus the “truck bomb”

Part 2 – Theories on Cyber crime [Solutions and Perspectives]

Cyber crime theory

Notes on Best Practice

Crime and the Internet Understanding the impact of the medium

Regulating Communications: “the layers” of a networked environment The physical layer [the wires, cables, fibres and the radio frequency spectrum] The Code [the software and the standards] The Content

The physical layer [the wires, cables, fibres and the radio frequency spectrum]

The Code [the software and the standards]

The Content

The Rise [and fall?] of Cyberspace <Cyberspace> as introduced by William Gibson [A place governed by its own laws] “ Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review] “ a consensual hallucination” [William Gibson, Neuromancer] <Cyberspace> as derived from <cyberkinetics> [the science of communications and control theory] Greek <kybernetes> means ‘steersman’ of a ship

<Cyberspace> as introduced by William Gibson [A place governed by its own laws]

“ Law and Borders”: the ‘independent’ theory of cyberspace law [David Post and David Johnson, Stanford Law Review]

“ a consensual hallucination” [William Gibson, Neuromancer]

<Cyberspace> as derived from <cyberkinetics> [the science of communications and control theory]

Greek <kybernetes> means ‘steersman’ of a ship

The ‘law of the net’: legal consensus in cyberspace Cyberspace as a distinct market place Minimising liability in the new medium [Dow Jones v. Gutnick] ‘ Targeting’ as the norm in cyberspace Jurisdiction and you: YAHOO!

Cyberspace as a distinct market place

Minimising liability in the new medium [Dow Jones v. Gutnick]

‘ Targeting’ as the norm in cyberspace

Jurisdiction and you: YAHOO!

The shift to the new media: putting challenges in perspective Restructuring global commerce: the intense volume of information; simplicity of transfer Ownership of information increasingly hard to protect Evolving business methods: change or die

Restructuring global commerce: the intense volume of information; simplicity of transfer

Ownership of information increasingly hard to protect

Evolving business methods: change or die

What is Science? [Science and the Scientific Process] “ There are no forbidden questions in science, no matters too sensitive or delicate to be probed, no sacred truths. That openness to new ideas, combined with the most rigorous, skeptical scrutiny of all ideas, sifts the wheat from the chaff. It makes no difference how smart, august, or beloved you are. You must prove your case in the face of determined expert criticism.” -Carl Sagan

“ There are no forbidden questions in science, no matters too sensitive or delicate to be probed, no sacred truths. That openness to new ideas, combined with the most rigorous, skeptical scrutiny of all ideas, sifts the wheat from the chaff. It makes no difference how smart, august, or beloved you are. You must prove your case in the face of determined expert criticism.”

-Carl Sagan

What is Computer Forensics? Computer forensics is forensics applied to information stored or transported on computers It “Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis” There should be a process and that process should be followed, but flexibility is essential, because the unusual will be encountered.

Computer forensics is forensics applied to information stored or transported on computers

It “Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”

There should be a process and that process should be followed, but flexibility is essential, because the unusual will be encountered.

Cyber Crime: Issues and Categories Issues relating to ‘the machine’ and computer forensics David Carter’s categories Computer as the target of a criminal act [intrusion, data theft] Computer as an instrumentality of the crime [credit card fraud] Computers as incidental to the crime [cyberstalking] Crime enhanced by computers [software piracy]

Issues relating to ‘the machine’ and computer forensics

David Carter’s categories

Computer as the target of a criminal act [intrusion, data theft]

Computer as an instrumentality of the crime [credit card fraud]

Computers as incidental to the crime [cyberstalking]

Crime enhanced by computers [software piracy]

Crime, the device and the medium Three situations where you might find evidence on a digital device: Device used to conduct the crime Child Pornography/Exploitation Threatening letters Fraud Embezzlement Theft of intellectual property Device is the target of the crime Incident Response Security Breach Device is used to support the crime

Three situations where you might find evidence on a digital device:

Device used to conduct the crime

Child Pornography/Exploitation

Threatening letters

Fraud

Embezzlement

Theft of intellectual property

Device is the target of the crime

Incident Response

Security Breach

Device is used to support the crime

The nature of the evidence [medium, device, volume and relevance] Can be anything! As small as a few bytes Could be, and hopefully will be complete files Could be Deleted Could be Encrypted Likely will be fragments of files A few Words A couple of sentences Hopefully some paragraphs Registry entries, or log entries!

Can be anything!

As small as a few bytes

Could be, and hopefully will be complete files

Could be Deleted

Could be Encrypted

Likely will be fragments of files

A few Words

A couple of sentences

Hopefully some paragraphs

Registry entries, or log entries!

The ‘scene of crime’: handling evidence Three A’s of Computer Forensics A cquire the evidence without altering or damaging the original. A uthenticate that your recovered evidence is the same as the originally seized data. A nalyze the data without modifying it.

Three A’s of Computer Forensics

A cquire the evidence without altering or damaging the original.

A uthenticate that your recovered evidence is the same as the originally seized data.

A nalyze the data without modifying it.

Acquiring and handling the evidence How do we seize the computer? How do we handle computer evidence? What is chain of custody? Evidence collection Evidence Identification Transportation Storage Documenting the Investigation

How do we seize the computer?

How do we handle computer evidence?

What is chain of custody?

Evidence collection

Evidence Identification

Transportation

Storage

Documenting the Investigation

Authenticate the evidence Prove that the evidence is indeed what the criminal left behind. Contrary to what the defense attorney might want the jury to believe, readable text or pictures don’t magically appear at random. Calculate a hash value for the data MD5 SHA-1,256,512

Prove that the evidence is indeed what the criminal left behind.

Contrary to what the defense attorney might want the jury to believe, readable text or pictures don’t magically appear at random.

Calculate a hash value for the data

MD5

SHA-1,256,512

Analyse the Evidence Always work from an image of the evidence and never from the original. Prevent damage to the evidence Make two backups of the evidence in most cases. Analyze everything, you may need clues from something seemingly unrelated.

Always work from an image of the evidence and never from the original.

Prevent damage to the evidence

Make two backups of the evidence in most cases.

Analyze everything, you may need clues from something seemingly unrelated.

Cyber Crime: Incident Handling [I] Continuing Operations v. Preservation of Evidence Identify the Incident Manager and Team – usually department heads or officers Assess Systems Impaired and Damages Review Adequate Logging/Tracking Note Unusual Activities By Employees or on Computer Network

Continuing Operations v. Preservation of Evidence

Identify the Incident Manager and Team – usually department heads or officers

Assess Systems Impaired and Damages

Review Adequate Logging/Tracking

Note Unusual Activities By Employees or on Computer Network

Cyber Crime: Incident Handling [II] Identify your LOSS, HARM, or DAMAGE – lost asset, revenues, expenses, repair cost Identify Capture or Quarantine Electronic or Computerized Equipment, Logs and Files Maintain a “Chain of Custody” for Evidence Begin a written chronology of events Who may have to testify Identify one or two individuals to be your main point of contact with law enforcement

Identify your LOSS, HARM, or DAMAGE – lost asset, revenues, expenses, repair cost

Identify Capture or Quarantine Electronic or Computerized Equipment, Logs and Files

Maintain a “Chain of Custody” for Evidence

Begin a written chronology of events

Who may have to testify

Identify one or two individuals to be your main point of contact with law enforcement

Cyber Security: Management Issues #7 Pretend the problem will go away if they ignore it. #6 Authorize reactive, short-term fixes so problems re-emerge rapidly #5 Fail to realize how much money their information and organizational reputations are worth. #4 Rely primarily on a firewall. #3 Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed #2 Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security. #1 Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

#7 Pretend the problem will go away if they ignore it.

#6 Authorize reactive, short-term fixes so problems re-emerge rapidly

#5 Fail to realize how much money their information and organizational reputations are worth.

#4 Rely primarily on a firewall.

#3 Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed

#2 Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.

#1 Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Cyber Crime: Preventive Steps Use anti-virus software and firewalls - keep them up to date Keep your operating system up to date with critical security updates and patches Don't open emails or attachments from unknown sources Use hard-to-guess passwords. Don’t use words found in a dictionary. [Remember that password cracking tools exist] Back-up your computer data on disks or CDs often Don't share access to your computers with strangers If you have a Wi-Fi network, password protect it Disconnect from the Internet when not in use Reevaluate your security on a regular basis Make sure your employees and family members know this info too!

Use anti-virus software and firewalls - keep them up to date

Keep your operating system up to date with critical security updates and patches

Don't open emails or attachments from unknown sources

Use hard-to-guess passwords. Don’t use words found in a dictionary. [Remember that password cracking tools exist]

Back-up your computer data on disks or CDs often

Don't share access to your computers with strangers

If you have a Wi-Fi network, password protect it

Disconnect from the Internet when not in use

Reevaluate your security on a regular basis

Make sure your employees and family members know this info too!

From the Internet to Convergence The future is integrated!

The future is integrated!

Crime and the Internet Theories on Cyber crime [Solutions and Perspectives]

The ‘Act’: Offences and Classification [Information Technology Act, 2000] Hacking [S. 66], Source code attacks [S. 65], Obscenity and Pornography [S. 67], Accessing designated protected systems [S. 43], Making available Digital Signature for fraudulent purpose Severe punishments prescribed for offences. Police granted extensive powers of investigation, search and seizure.

Hacking [S. 66], Source code attacks [S. 65],

Obscenity and Pornography [S. 67],

Accessing designated protected systems [S. 43],

Making available Digital Signature for fraudulent purpose

Severe punishments prescribed for offences.

Police granted extensive powers of investigation, search and seizure.

Intermediaries: Internet Service Provider Liability Intermediary liability under tort law Distribution of content: [a] copyright violations [music, films, images]; [b] prohibited content [hate, racism, pornography] Departure from global practice on liability. Extent of third party liability left ambiguous ‘ Borrowings’ from the Singapore Electronic Transactions Act, 1998

Intermediary liability under tort law

Distribution of content: [a] copyright violations [music, films, images]; [b] prohibited content [hate, racism, pornography]

Departure from global practice on liability.

Extent of third party liability left ambiguous

‘ Borrowings’ from the Singapore Electronic Transactions Act, 1998

Theorizing Pornography The concept of harm from ‘sexual speech’: 1868 [English] Queen’s Bench decision, Regina v. Hicklin [the famous Hicklin test, set the standard for the twentieth century, the ‘deprave and corrupt’ test] Ginsberg v. New York [1968]: ‘harm to minors’; ‘ethical and moral development’ American Civil Liberties Union v. Reno: no one accesses pornography ‘by accident’ The Indian Penal Code [1860] and the Information Technology Act [2000]: ‘old wine in a new bottle’

The concept of harm from ‘sexual speech’: 1868 [English] Queen’s Bench decision, Regina v. Hicklin [the famous Hicklin test, set the standard for the twentieth century, the ‘deprave and corrupt’ test]

Ginsberg v. New York [1968]: ‘harm to minors’; ‘ethical and moral development’

American Civil Liberties Union v. Reno: no one accesses pornography ‘by accident’

The Indian Penal Code [1860] and the Information Technology Act [2000]: ‘old wine in a new bottle’

Cyberstalking: Obsessional Criminal behaviour Stalking is by no means a recent development now in an online form online stalking as an extension or variant of physical stalking Stalking: the elements unwanted attention and/or pursuit persons may be stalked or followed harassment intimidation often associated with a threat to life Case Studies For the love of Julie Mrs. Ritu Kohli The reach of the Internet in these case present a range of physical, emotional and psychological consequences to the victim.

Stalking is by no means a recent development

now in an online form

online stalking as an extension or variant of physical stalking

Stalking: the elements

unwanted attention and/or pursuit

persons may be stalked or followed

harassment

intimidation often associated with a threat to life

Case Studies

For the love of Julie

Mrs. Ritu Kohli

The reach of the Internet in these case present a range of physical, emotional and psychological consequences to the victim.

Privacy and the Internet: Orwell’s <1984> or Bentham’s <Panopticon> The dangerous developments relate to: surveillance of communications surveillance of computer systems and networks monitoring of employees - internet, phone, drugs testing, genetic testing etc satellite surveillance biometrics and other identification technologies genetic testing E.g. in UK: - Human Rights Act 1998 - Telecommunications (Data Protection and Privacy) Regulations 1999 - Regulation of Investigatory Powers Act 2000 - Telecoms Lawful Business Practice Interception of Communication Regs 2000

The dangerous developments relate to:

surveillance of communications

surveillance of computer systems and networks

monitoring of employees - internet, phone, drugs testing, genetic testing etc

satellite surveillance

biometrics and other identification technologies

genetic testing

E.g. in UK:

- Human Rights Act 1998

- Telecommunications (Data Protection and Privacy) Regulations 1999

- Regulation of Investigatory Powers Act 2000

- Telecoms Lawful Business Practice Interception of Communication Regs 2000

Growth of importance of Privacy Overview - major International and US regulations 1948 UN Universal Declaration of Human Rights 1970 US Fair Credit Reporting Act 1974 US Privacy Act 1976 International Covenant on Civil and Political Rights 1980 OECD Guidelines on Protection of Privacy 1980 US Privacy Protection Act 1995 European Commission Directive on Data Protection 1994 US Communications Assistance to Law Enforcement Act 1996 US Health Insurance Portability and Accountability Act 1998 US Children's Online Privacy Protection Act 1998 European Member States implement Directive 1999 US Financial Services Modernization Act BUSINESS ISSUES HUMAN RIGHTS

Overview - major International and US regulations

1948 UN Universal Declaration of Human Rights

1970 US Fair Credit Reporting Act

1974 US Privacy Act

1976 International Covenant on Civil and Political Rights

1980 OECD Guidelines on Protection of Privacy

1980 US Privacy Protection Act

1995 European Commission Directive on Data Protection

1994 US Communications Assistance to Law Enforcement Act

1996 US Health Insurance Portability and Accountability Act

1998 US Children's Online Privacy Protection Act

1998 European Member States implement Directive

1999 US Financial Services Modernization Act

Current law in India There is no general data protection or privacy law in India: Constitution Article 21 Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone” International Covenant on Civil and Political Rights 1966 Article 17: No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. Law of privacy (Tort Law) – Action for unlawful invasion of privacy

There is no general data protection or privacy law in India:

Constitution Article 21

Right to life and liberty, interpreted by Supreme Court as including the “right to be let alone”

International Covenant on Civil and Political Rights 1966 Article 17:

No one shall be subject to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Law of privacy (Tort Law) – Action for unlawful invasion of privacy

Current law in India Information Technology Act 2000 Section 43 (a) Penalty for unauthorised access to a computer system Section 43 (b) - Penalty for unauthorised downloading or copying of data without permission Section 72 - Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned , disclosing such information to another person

Information Technology Act 2000

Section 43 (a)

Penalty for unauthorised access to a computer system

Section 43 (b) -

Penalty for unauthorised downloading or copying of data without permission

Section 72 -

Offence of accessing any electronic record, book, register, correspondence, information, document or other material and, without the consent of the person concerned , disclosing such information to another person

Current law in India Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions ISPs prohibited from violating privacy rights of subscribers by virtue of the license to operate granted by the Department of Telecommunications A general data protection law in India? National Task Force on IT and Software Development 1998 Submitted “IT Action Plan” calling for “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data” but no Act introduced to date

Public Financial Institutions Act of 1993 codifies confidentiality of bank transactions

ISPs prohibited from violating privacy rights of subscribers by virtue of the license to operate granted by the Department of Telecommunications

A general data protection law in India?

National Task Force on IT and Software Development 1998 Submitted “IT Action Plan” calling for “National Policy on Information Security, Privacy and Data Protection Act for handling of computerised data” but no Act introduced to date

Is the future to be ‘aided’ or ‘dictated’ by technology?

Any questions?

Rodney D. Ryder Technology, Media and Communications