(1) An individual located in country A with control over cloud data. Access may be obtained either because (i) the individual consents; or (ii) authorities make use of an existing live connection from the individual’s device.
(2) An individual located in country B with control over cloud data. Access may be obtained due to the consent of the individual.
(3) The cloud service provider in country B. Access may be obtained either because (i) the cloud service provider consents; or (ii) data access credentials have been obtained by law enforcement.
(4) The cloud service provider’s offices in country A. Access may be obtained through local informal arrangements between law enforcement and the cloud service provider.
Investigating cybercrime at the United Nations
INVESTIGATING CYBERCRIME AT THE UNITED NATIONS
DR IAN BROWN, OXFORD UNIVERSITY
@IANBROWNOII / OII.OX.AC.UK
UNODC COMPREHENSIVE STUDY ON CYBERCRIME
General Assembly resolution 65/230 requested the Commission on Crime Prevention and Criminal Justice to establish an open-ended intergovernmental expert group, to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation.
STUDY TEAM
Steven Malby, Robyn Mace, Anika Holterhof, Cameron Brown, Stefan Kascherus, Eva Ignatuschtschenko (UNODC)
Ulrich Sieber, Tatiana Tropina, Nicolas von zur Mühlen (Max Planck Institute for Foreign and International Criminal Law)
Ian Brown, Joss Wright (Oxford Internet Institute)
Roderic Broadhurst (Australian National University)
Kristin Krüger (Brandenburg Institute for Society and Security)
SCOPE
“As the world moves into a hyper-connected society with universal internet access, it is hard to imagine a ‘computer crime’, and perhaps any crime, that will not involve electronic evidence linked with internet connectivity. Such developments may well require fundamental changes in law enforcement approach, evidence gathering, and mechanisms of international cooperation in criminal matters.” (p.x)
PROCESS
Salvador Declaration on Comprehensive Strategies for Global Challenges: Crime Prevention and Criminal Justice Systems and Their Development in a Changing World (2010)
UN GA resolution 65/230 (2010)
1st session of intergovernmental expert group (Vienna 17-21 Jan 2011) approved topics and methodology (UNODC/CCPCJ/EG.4/2011/3)
Information gathering H1 2012
2nd session (Vienna 25-28 Feb 2013)
PROCESS
Topics selected: (1) Phenomenon of cybercrime; (2) Statistical information; (3) Challenges of cybercrime; (4) Common approaches to legislation; (5) Criminalization; (6) Procedural powers; (7) International cooperation; (8) Electronic evidence; (9) Roles and responsibilities of service providers and the private sector; (10) Crime prevention and criminal justice capabilities and other responses to cybercrime; (11) International organizations; and (12) Technical assistance.
UNODC developed questionnaires for Member States (69 responded), IGOs (11), private sector (40) and academic institutions (16). Also undertook extensive interviews and comparative legal analysis.
INTERNATIONAL INSTRUMENTS
“82 countries have signed and/or ratified a binding cybercrime instrument…multilateral cybercrime instruments have influenced national laws indirectly, through use as a model by non-States parties, or via the influence of legislation of States parties on other countries.” (p.xix)
NATIONAL APPROACHES
Investigative measures (cyber-specific, general, both, none) p.xxii
Offences (cyber-specific, general, both, none) p.xx
JURISDICTION
In many countries, provisions reflect the idea that the ‘whole’ offence need not take place within the country in order to assert territorial jurisdiction. Territorial linkages can be made with reference to elements or effects of the act, or the location of computer systems or data utilized for the offence.
Where they arise, jurisdictional conflicts are typically resolved through formal and informal consultations between countries.
Country responses do not reveal, at present, any need for additional forms of jurisdiction over a putative ‘cyberspace’ dimension. Rather, forms of territoriality-based and nationality-based jurisdiction are almost always able to ensure a sufficient connection between cybercrime acts and at least one State.
EXTRA-TERRITORIAL EVIDENCE
Key issue for further international cooperation (p.xxv)
ACCESSING CLOUD DATA
CoE CC §32: “A Party may, without the authorisation of another Party…access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”
KEY FINDINGS
(a) …divergences in the extent of procedural powers and international cooperation provisions may lead to the emergence of country cooperation ‘clusters’ that are not always well suited to the global nature of cybercrime
(b) Reliance on traditional means of formal international cooperation in cybercrime matters is not currently able to offer the timely response needed for obtaining volatile electronic evidence.
(c) …the role of evidence ‘location’ needs to be reconceptualized, including with a view to obtaining consensus on issues concerning direct access to extraterritorial data by law enforcement authorities
(d) Analysis of available national legal frameworks indicates insufficient harmonization of ‘core’ cybercrime offences, investigative powers, and admissibility of electronic evidence. International human rights law represents an important external reference point for criminalization and procedural provisions;
(e) Law enforcement authorities, prosecutors, and judiciary in developing countries, require long-term, sustainable, comprehensive technical support and assistance for the investigation and combating of cybercrime;
(f) Cybercrime prevention activities in all countries require strengthening, through a holistic approach involving further awareness raising, public-private partnerships, and the integration of cybercrime strategies with a broader cybersecurity perspective.
OPTIONS
Model provisions (on core cybercrime acts; investigative powers; jurisdiction; international cooperation)
Limited or comprehensive multilateral agreements
Technical assistance
CORE CYBERCRIME ACTS
(i) The provisions could maintain the approach of existing instruments regarding offences against the confidentiality, integrity and accessibility of computer systems and data;
(ii) The provisions could also cover ‘conventional’ offences perpetrated or facilitated by use of computer systems, only where existing criminalization approaches are perceived not to be sufficient;
(iii) The provisions could address areas not covered by existing instruments, such as criminalization of SPAM;
(iv) The provisions could be developed in line with the latest international human rights standards on criminalization, including in particular, treaty-based protections of the right to freedom of expression;
(v) Use of the provisions by States would minimize dual criminality challenges in international cooperation;
INVESTIGATIVE POWERS
(i) The provisions could draw on the approach of existing instruments, including orders for expedited preservation of data, and orders for obtaining stored and real-time data;
(ii) The provisions could offer guidance on the extension of traditional powers such as search and seizure to electronic evidence;
(iii) The provisions could offer guidance on the application of appropriate safeguards for intrusive investigative techniques based on international human rights law, including treaty-based protections of the right to privacy;
JURISDICTION
(i) The provisions could include bases such as those derived from the objective territoriality principle and the substantial effects doctrine.
(ii) The provisions could include guidance for addressing issues of concurrent jurisdiction.
INTERNATIONAL COOPERATION
(i) The provisions would focus on practical cooperation mechanisms that could be inserted in existing instruments for the timely preservation and supply of electronic evidence in criminal matters;
(ii) The provisions could include obligations to establish electronic evidence fast response focal points and agreed timescales for responses;
MULTILATERAL AGREEMENT ON EVIDENCE
(i) By way of complementarity to existing international cooperation treaties, such an instrument could focus primarily on a mechanism for requesting expedited preservation of data for a specified time period;
(ii) The instrument may also include specific cooperation provisions for further investigative measures, including supply of stored data, and real-time collection of data;
(iii) The scope of application would need to be defined, but should not be limited to ‘cybercrime’ or ‘computer-related’ crime;
(iv) The instrument could require response within a specified time period and establish clear focal point to focal point communication channels, building upon rather than duplicating existing 24/7 initiatives;
(v) The instrument could include traditional international cooperation safeguards, as well as appropriate human rights exclusions;
COMPREHENSIVE MULTILATERAL AGREEMENT
(i) The instrument could include elements from all of the options above in a binding, multilateral form;
(ii) The instrument could draw on existing core commonalities across the current range of binding and non-binding international and regional instruments;
TECHNICAL ASSISTANCE
(i) Technical assistance could be delivered based on standards developed through model provisions as set out in the options above;
(ii) Technical assistance could be delivered through a focus on multi-stakeholder delivery, including representatives from the private sector and academia.
NEXT STEPS
22nd Session of the Commission on Crime Prevention and Criminal Justice took note of study, requested Secretariat to translate and disseminate, and expert group to continue efforts
Council of Europe Cybercrime Convention Committee is developing optional protocol on transborder access to data
Ongoing battles at ITU and elsewhere in UN system over Internet governance