Providing Law Enforcement with the Legal Tools to Prevent, Investigate, and Prosecute Cybercrime

1. 1
DEVELOPING A LEGALDEVELOPING A LEGAL
FRAMEWORKTO COMBATFRAMEWORKTO COMBAT
CYBERCRIMECYBERCRIME
Providing Law Enforcement with the Legal ToolsProviding Law Enforcement with the Legal Tools
to Prevent, Investigate, and Prosecute Cybercrimeto Prevent, Investigate, and Prosecute Cybercrime
Marcelo Gomes FreireMarcelo Gomes Freire

2. 2
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

3. 3
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

4. 4
Balancing Privacy & Public SafetyBalancing Privacy & Public Safety
Privacy is a basic human rightPrivacy is a basic human right
““No one shall be subjected to arbitraryNo one shall be subjected to arbitrary
interference with his privacy, family, homeinterference with his privacy, family, home
or correspondence...”or correspondence...”
-- Art. XII, Universal Declaration of Human Rights-- Art. XII, Universal Declaration of Human Rights
Promotes free thought, free expression, andPromotes free thought, free expression, and
free association, building blocks of democracyfree association, building blocks of democracy
Supports competitive businesses and markets,Supports competitive businesses and markets,
cornerstone of a robust economycornerstone of a robust economy

5. 5
Balancing Privacy & Public SafetyBalancing Privacy & Public Safety
Privacy of computer networks is important:Privacy of computer networks is important:
Individuals, businesses, and governments increasinglyIndividuals, businesses, and governments increasingly
use computers to communicateuse computers to communicate
Sensitive personal information and business records areSensitive personal information and business records are
stored in electronic formstored in electronic form
Privacy of computer networks is importantPrivacy of computer networks is important
for human rights, individual freedoms, andfor human rights, individual freedoms, and
economic efficiencyeconomic efficiency

6. 6
Balancing Privacy & Public SafetyBalancing Privacy & Public Safety
Threats to online privacy:Threats to online privacy:
IndustryIndustry
Gathering marketing informationGathering marketing information
GovernmentGovernment
Investigating crime, espionage, or terrorismInvestigating crime, espionage, or terrorism
Misusing legal investigative authoritiesMisusing legal investigative authorities
CriminalsCriminals
Stealing government or business secrets or financialStealing government or business secrets or financial
informationinformation
Obtaining private information from individuals’ computersObtaining private information from individuals’ computers

7. 7
Balancing Privacy & Public SafetyBalancing Privacy & Public Safety
Need to investigate all kinds of crimes thatNeed to investigate all kinds of crimes that
involve computer networksinvolve computer networks
E.g.: communications of terrorists or drug dealersE.g.: communications of terrorists or drug dealers
Need to investigate attempts to damageNeed to investigate attempts to damage
computer networkscomputer networks
E.g.: “I love you” virusE.g.: “I love you” virus
Need to investigate invasions of privacyNeed to investigate invasions of privacy
E.g.: hackers working for organized crime stealingE.g.: hackers working for organized crime stealing
credit card numberscredit card numbers

8. 8
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

9. 9
Limited Law Enforcement AuthorityLimited Law Enforcement Authority
Striking the Balance:Striking the Balance:
Government investigative authority subject toGovernment investigative authority subject to
appropriate limits and controls in the form ofappropriate limits and controls in the form of
procedural laws will increase privacy and publicprocedural laws will increase privacy and public
safety, but . . .safety, but . . .
Uncontrolled government authority mayUncontrolled government authority may
diminish privacy and hinder economicdiminish privacy and hinder economic
development.development.

10. 10
Intrusiveness
of the
Investigative
Power
Safeguards to Prevent Governmental Abuse
Limited Law Enforcement AuthorityLimited Law Enforcement Authority

11. 11
Limited Law Enforcement AuthorityLimited Law Enforcement Authority
Ways to limit law enforcement authorities:Ways to limit law enforcement authorities:
Define specific predicate crimes/classes of crimeDefine specific predicate crimes/classes of crime
Require law enforcement to demonstrate factualRequire law enforcement to demonstrate factual
basis to independent judicial officerbasis to independent judicial officer
Limit the breadth and scope, the location, or theLimit the breadth and scope, the location, or the
durationduration
Offer only as “last resort”Offer only as “last resort”
Prior approval or subsequent review by seniorPrior approval or subsequent review by senior
official or politically accountable bodyofficial or politically accountable body

12. 12
Limited Law Enforcement AuthorityLimited Law Enforcement Authority
Penalizing abuse:Penalizing abuse:
Administrative discipline of officer involvedAdministrative discipline of officer involved
Inability to use evidence in prosecutionInability to use evidence in prosecution
(“suppression”)(“suppression”)
Civil liability for officer involvedCivil liability for officer involved
Criminal sanction of officer involvedCriminal sanction of officer involved

13. 13
Limited Law Enforcement AuthorityLimited Law Enforcement Authority
Limiting Economic Burdens on Third PartyLimiting Economic Burdens on Third Party
Service Providers:Service Providers:
Should laws require providers to have certainShould laws require providers to have certain
technical capabilities?technical capabilities?
Who is responsible for costs of collecting dataWho is responsible for costs of collecting data
for law enforcement?for law enforcement?

14. 14
OtherPolicy ConsiderationsOtherPolicy Considerations
Each country should approach this complex balancingEach country should approach this complex balancing
question, taking into consideration:question, taking into consideration:
The scope of its crime and terrorism problem;The scope of its crime and terrorism problem;
Its existing legal structures;Its existing legal structures;
Its historical methods of protecting human rights; and,Its historical methods of protecting human rights; and,
the need to assist foreign governments.the need to assist foreign governments.
Each country should decide the “means” forEach country should decide the “means” for
obtainingobtaining electronic evidence within its existing legalelectronic evidence within its existing legal
framework (e.g., constitutions, statutes, courtframework (e.g., constitutions, statutes, court
decisions, rules of procedure)decisions, rules of procedure)

15. 15
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

16. 16
Information Obtained fromComputerNetworksInformation Obtained fromComputerNetworks
in Cybercrime Investigationsin Cybercrime Investigations
ContentContent Non-ContentNon-Content
Real-TimeReal-Time
CommunicationsCommunications
11 22
Information StoredInformation Stored
on a Computeron a Computer
NetworkNetwork
33 44

17. 17
ContentContent Non-ContentNon-Content
Real-TimeReal-Time
CommunicationsCommunications
11 22
Information StoredInformation Stored
on a Computeron a Computer
NetworkNetwork
33 44
Information Obtained fromComputerNetworksInformation Obtained fromComputerNetworks
in Cybercrime Investigationsin Cybercrime Investigations

18. 18
Intercepting Electronic Communications onIntercepting Electronic Communications on
ComputerNetworksComputerNetworks
Obtaining the content of a communication as theObtaining the content of a communication as the
communication occurscommunication occurs
Similar to intercepting what’s being said in a phoneSimilar to intercepting what’s being said in a phone
conversationconversation
E.g.: collect the content of e-mail passing between twoE.g.: collect the content of e-mail passing between two
terrorists or drug dealersterrorists or drug dealers
E.g.: collect the commands sent by a hacker to a victimE.g.: collect the commands sent by a hacker to a victim
computer to steal corporate informationcomputer to steal corporate information

19. 19
Intercepting Electronic Communications onIntercepting Electronic Communications on
ComputerNetworksComputerNetworks
Many countries use the same (or very similar) rules asMany countries use the same (or very similar) rules as
phone wiretapsphone wiretaps
Authority should include the ability to compel providersAuthority should include the ability to compel providers
to assist law enforcement officialsto assist law enforcement officials
Sometimes does not require law enforcement expertiseSometimes does not require law enforcement expertise
May depend on particular technology and infrastructureMay depend on particular technology and infrastructure
Art. 21, Council of Europe Convention on CybercrimeArt. 21, Council of Europe Convention on Cybercrime

20. 20
Intercepting Electronic Communications onIntercepting Electronic Communications on
ComputerNetworksComputerNetworks
Law enforcement needs this authority because:Law enforcement needs this authority because:
Criminals and terrorists increasingly use electronicCriminals and terrorists increasingly use electronic
communications to plan and execute crimescommunications to plan and execute crimes
Many crimes are committed mostly (or entirely) usingMany crimes are committed mostly (or entirely) using
computer networkscomputer networks
Distribution of child pornography, internet fraud, hackingDistribution of child pornography, internet fraud, hacking
Communications may not be storedCommunications may not be stored

21. 21
Intercepting Electronic Communications onIntercepting Electronic Communications on
ComputerNetworksComputerNetworks
This authority should be limited because:This authority should be limited because:
Interception of communications can be a grave invasionInterception of communications can be a grave invasion
of privacyof privacy
Can allow access to the most private thoughts, harmingCan allow access to the most private thoughts, harming
freedoms of speech and associationfreedoms of speech and association
Fear of overly intrusive interception may stifleFear of overly intrusive interception may stifle
competitive markets, economic development, andcompetitive markets, economic development, and
foreign investmentforeign investment

22. 22
Examples of Limitations on InterceptionExamples of Limitations on Interception
Authorities – AustraliaAuthorities – Australia
Independent judicial reviewIndependent judicial review
Facts in support of anFacts in support of an
application showing thatapplication showing that
intercepted communicationsintercepted communications
would “be likely to assist” inwould “be likely to assist” in
an investigationan investigation
Investigation of a seriousInvestigation of a serious
crime (generally 7+ yearscrime (generally 7+ years
maximum incarceration)maximum incarceration)
90 day maximum (renewable)90 day maximum (renewable)
Information interceptedInformation intercepted
unlawfully cannot be used asunlawfully cannot be used as
evidence in courtevidence in court
Intercepted information hasIntercepted information has
certain disclosure restrictionscertain disclosure restrictions
and destruction after purpose isand destruction after purpose is
completecomplete
Judge must balance surroundingJudge must balance surrounding
circumstances:circumstances:
Whether other investigativeWhether other investigative
techniques would not be justtechniques would not be just
as effectiveas effective
The value of the informationThe value of the information
Gravity of the conductGravity of the conduct
The privacy invasionThe privacy invasion

23. 23
Examples of Limitations on InterceptionExamples of Limitations on Interception
Authorities – the United StatesAuthorities – the United States
30 day time limit (plus30 day time limit (plus
extensions)extensions)
““Probable cause” to believe aProbable cause” to believe a
crime is being committedcrime is being committed andand
that the facility is being usedthat the facility is being used
in furtherance of that crimein furtherance of that crime
All other options have beenAll other options have been
tried or are unlikely totried or are unlikely to
succeedsucceed
Independent judicial reviewIndependent judicial review
Report to intercepted partiesReport to intercepted parties
(at conclusion of case)(at conclusion of case)
Inability to use evidence inInability to use evidence in
court if violate the lawcourt if violate the law
Administrative investigationAdministrative investigation
of misuse of the law requiredof misuse of the law required
Civil and criminal sanctionsCivil and criminal sanctions
for violationsfor violations
Approval by high-levelApproval by high-level
officialofficial
Minimize collection of non-Minimize collection of non-
criminal communicationscriminal communications
Limitations on disclosure ofLimitations on disclosure of
intercepted communicationsintercepted communications

24. 24
Possible Exceptions to the RulePossible Exceptions to the Rule
Might not require legal process if:Might not require legal process if:
The communication is publicly accessibleThe communication is publicly accessible
E.g.: public “chat” roomsE.g.: public “chat” rooms
Party/all parties to the communication consentParty/all parties to the communication consent
Actual consent (CI), bannerActual consent (CI), banner
Emergency involving risk of deathEmergency involving risk of death
No reason to believe communication is privateNo reason to believe communication is private
Hackers communication with target computerHackers communication with target computer

25. 25
Intercepting Electronic Communications:Intercepting Electronic Communications:
OtherConsiderationsOtherConsiderations
Limits on ISP’s interceptionLimits on ISP’s interception
Possible exceptions for consent, interceptions necessaryPossible exceptions for consent, interceptions necessary
to run or secure a networkto run or secure a network
Voluntary disclosure of intercepted communicationVoluntary disclosure of intercepted communication
Only if legal interception (i.e. subject to exception)Only if legal interception (i.e. subject to exception)

26. 26
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

27. 27
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
ContentContent Non-ContentNon-Content
Real-TimeReal-Time
CommunicationsCommunications
11 22
Stored InformationStored Information
on a Networkon a Network 33 44

28. 28
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
Interception of non-content informationInterception of non-content information
Similar to phone number called to/fromSimilar to phone number called to/from
E.g.: “To” and “From” on an e-mailE.g.: “To” and “From” on an e-mail
E.g.: Source and destination IP address in a packet headerE.g.: Source and destination IP address in a packet header
Less intrusive than intercepting content, so lessLess intrusive than intercepting content, so less
restrictions on law enforcement userestrictions on law enforcement use
Art. 20, Council of Europe Convention on CybercrimeArt. 20, Council of Europe Convention on Cybercrime

29. 29
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
Law enforcement needs this authority because:Law enforcement needs this authority because:
Criminals and terrorists increasingly use electronicCriminals and terrorists increasingly use electronic
communications to plan and execute serious crimescommunications to plan and execute serious crimes
Helps locate suspects, identify members of conspiracyHelps locate suspects, identify members of conspiracy
Useful tool to assist foreign investigations where aUseful tool to assist foreign investigations where a
country is used only as a “pass-though”country is used only as a “pass-though”
Provides a less intrusive and therefore less restrictedProvides a less intrusive and therefore less restricted
alternative to content interceptionalternative to content interception

30. 30
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
This authority should be limited because:This authority should be limited because:
Although less intrusive than content interception, stillAlthough less intrusive than content interception, still
implicates privacyimplicates privacy
Individuals don’t expect government to keep track of whoIndividuals don’t expect government to keep track of who
they’re calling, even if government does not listen to whatthey’re calling, even if government does not listen to what
they’re sayingthey’re saying
To/From information may be revealing (e.g., repeated e-To/From information may be revealing (e.g., repeated e-
mails to a psychiatrist; receiving information from a militantmails to a psychiatrist; receiving information from a militant
organization)organization)

31. 31
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
Sample Laws – United KingdomSample Laws – United Kingdom
Information must be “necessary” for theInformation must be “necessary” for the
investigation of crime, protection of nationalinvestigation of crime, protection of national
security, public health, other specified purposessecurity, public health, other specified purposes
Approval by a designated high-level governmentApproval by a designated high-level government
official, but no independent judicial reviewofficial, but no independent judicial review
Collection must be “proportionate to what isCollection must be “proportionate to what is
sought to be achieved”sought to be achieved”
30 day time limit30 day time limit

32. 32
Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
Sample Laws – United StatesSample Laws – United States
Information collected must be “relevant” to anInformation collected must be “relevant” to an
ongoing criminal investigationongoing criminal investigation
Can only be applied for by an attorney for theCan only be applied for by an attorney for the
government (not a police officer)government (not a police officer)
Limited to 60 days (plus extensions)Limited to 60 days (plus extensions)
Disciplinary, civil, and criminal penalties forDisciplinary, civil, and criminal penalties for
misusemisuse

33. 33
Possible Exceptions to the RulePossible Exceptions to the Rule
Might not require legal process if:Might not require legal process if:
Party/all parties to the communication consentParty/all parties to the communication consent
E.g.: witness cooperating with the governmentE.g.: witness cooperating with the government
allows officers to determine where conspirators’ e-allows officers to determine where conspirators’ e-
mail is sent frommail is sent from
No reason to believe communication is privateNo reason to believe communication is private
Hackers communication with target computerHackers communication with target computer
Interception is by provider of computing serviceInterception is by provider of computing service
in order to run the system or provide securityin order to run the system or provide security

34. 34
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

35. 35
Obtaining Content InformationObtaining Content Information
Stored on a ComputerNetworkStored on a ComputerNetwork
ContentContent Non-ContentNon-Content
Real-TimeReal-Time
CommunicationsCommunications
11 22
Information StoredInformation Stored
on a Computeron a Computer
NetworkNetwork
33 44

36. 36
Obtaining the Content of StoredObtaining the Content of Stored
Information on ComputerNetworksInformation on ComputerNetworks
Information stored on the system of a third-partyInformation stored on the system of a third-party
providerprovider
Computer network not owned by the target of anComputer network not owned by the target of an
investigationinvestigation
E.g.: e-mail sent to an individual that is stored by anE.g.: e-mail sent to an individual that is stored by an
Internet service providerInternet service provider
E.g.: calendar kept on a remote serviceE.g.: calendar kept on a remote service

37. 37
Obtaining the Content of StoredObtaining the Content of Stored
Information on ComputerNetworksInformation on ComputerNetworks
Laws may be similar to those for searching or seizingLaws may be similar to those for searching or seizing
computers in the possession of the target of ancomputers in the possession of the target of an
investigationinvestigation
But because the information is held by a neutral thirdBut because the information is held by a neutral third
party, physical coerciveness of regular search proceduresparty, physical coerciveness of regular search procedures
may not be necessarymay not be necessary
Also, because the data is not in the immediate control (e.g.Also, because the data is not in the immediate control (e.g.
home) of the individual, he or she may have less of ahome) of the individual, he or she may have less of a
privacy interest in itprivacy interest in it
Art. 18, Council of Europe Convention on CybercrimeArt. 18, Council of Europe Convention on Cybercrime

38. 38
Obtaining the Content of StoredObtaining the Content of Stored
Information on ComputerNetworksInformation on ComputerNetworks
Law enforcement needs this authority because:Law enforcement needs this authority because:
Without it, serious crimes will go unpunished andWithout it, serious crimes will go unpunished and
undeterredundeterred
Just as law enforcement has needed coercive power toJust as law enforcement has needed coercive power to
gather evidence in “real world” contexts, so it must begather evidence in “real world” contexts, so it must be
able to do so in online contextsable to do so in online contexts
For the many crimes committed over the Internet,For the many crimes committed over the Internet,
stored information is the “crime scene”stored information is the “crime scene”

39. 39
Obtaining the Content of StoredObtaining the Content of Stored
Information on ComputerNetworksInformation on ComputerNetworks
This authority should be limited because:This authority should be limited because:
As our countries enter the “Information Age,”As our countries enter the “Information Age,”
more and more of the most sensitive data is beingmore and more of the most sensitive data is being
stored on computersstored on computers
Businesses are increasingly using computer networks toBusinesses are increasingly using computer networks to
store datastore data
Individuals are increasingly storing information andIndividuals are increasingly storing information and
communications remotely on third-party networkscommunications remotely on third-party networks

40. 40
Obtaining Stored ContentObtaining Stored Content
Sample Laws – United StatesSample Laws – United States
To compel disclosure of most kinds of e-mail:To compel disclosure of most kinds of e-mail:
““Probable cause” to believe it contains evidence of aProbable cause” to believe it contains evidence of a
crime (same standard as to search a package or a house)crime (same standard as to search a package or a house)
Review of evidence by an independent judgeReview of evidence by an independent judge
Administrative sanctions against officers who abuse theAdministrative sanctions against officers who abuse the
authorityauthority
Civil suit against the government for misuseCivil suit against the government for misuse
Disclosure restrictionsDisclosure restrictions

41. 41
Obtaining Stored ContentObtaining Stored Content
Do some categories of data deserve extra protection?Do some categories of data deserve extra protection?
Greater expectation that data will remain privateGreater expectation that data will remain private
Has the user any choice about whether theHas the user any choice about whether the
information is stored on the network?information is stored on the network?
Example of graduated system of requirements – UnitedExample of graduated system of requirements – United
StatesStates
Unopened e-mail requires a search warrant based uponUnopened e-mail requires a search warrant based upon
“probable cause”“probable cause”
E-mail accessed by the user and other information the userE-mail accessed by the user and other information the user
chooses to store on a remote server requires a court orderchooses to store on a remote server requires a court order
with only a showing of “relevance”with only a showing of “relevance”

42. 42
Obtaining Stored ContentObtaining Stored Content
Consider allowing voluntary disclosure to lawConsider allowing voluntary disclosure to law
enforcement under some circumstances:enforcement under some circumstances:
Unrestricted disclosure by 3Unrestricted disclosure by 3rdrd
-party providers may-party providers may
infringe upon privacy and have economic impact,infringe upon privacy and have economic impact,
but disclosure may be justifiedbut disclosure may be justified
To protect public health or safetyTo protect public health or safety
To allow the provider to protect its property (e.g., byTo allow the provider to protect its property (e.g., by
reporting unauthorized use)reporting unauthorized use)

43. 43
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

44. 44
Obtaining Non-Content InformationObtaining Non-Content Information
Stored on a ComputerNetworkStored on a ComputerNetwork
ContentContent Non-ContentNon-Content
Real-TimeReal-Time
CommunicationsCommunications
11 22
Information StoredInformation Stored
on a Computeron a Computer
NetworkNetwork
33 44

45. 45
Obtaining Non-Content Information Stored onObtaining Non-Content Information Stored on
a ComputerNetworka ComputerNetwork
Computers create logs showing whereComputers create logs showing where
communications came from and where they wentcommunications came from and where they went
Generally less sensitive than contentGenerally less sensitive than content
E.g.: a list of all of the e-mail addresses to whichE.g.: a list of all of the e-mail addresses to which
a user sent e-maila user sent e-mail
E.g.: a log showing the phone numbers by whichE.g.: a log showing the phone numbers by which
a user accessed an Internet service providera user accessed an Internet service provider

46. 46
Obtaining Non-Content Information Stored onObtaining Non-Content Information Stored on
a ComputerNetworka ComputerNetwork
Law enforcement needs this authority because:Law enforcement needs this authority because:
 Logs showing what occurred on a network mayLogs showing what occurred on a network may
be the best evidence of a computer crime; maybe the best evidence of a computer crime; may
identify the suspect or reveal criminal conductidentify the suspect or reveal criminal conduct
This authority should be limited because:This authority should be limited because:
 Although less sensitive than content, theseAlthough less sensitive than content, these
records still contain private informationrecords still contain private information

47. 47
Obtaining Stored Non-Content InformationObtaining Stored Non-Content Information
Laws Can Distinguish Between Kinds of RecordsLaws Can Distinguish Between Kinds of Records::
Subscriber information generally less sensitiveSubscriber information generally less sensitive
Name, street address, user nameName, street address, user name
Might include method of payment, i.e., credit card orMight include method of payment, i.e., credit card or
bank account (important because ISPs may not checkbank account (important because ISPs may not check
users’ identities)users’ identities)
Logs showing with whom a user hasLogs showing with whom a user has
communicated generally more sensitivecommunicated generally more sensitive

48. 48
Obtaining Stored Non-Content InformationObtaining Stored Non-Content Information
Examples of Different StandardsExamples of Different Standards
Art. 18, Council of Europe Convention on Cybercrime:Art. 18, Council of Europe Convention on Cybercrime:
Treats “Subscriber Information” differently from other dataTreats “Subscriber Information” differently from other data
 United States:United States:
 Basic subscriber records require a mere showing ofBasic subscriber records require a mere showing of
“relevance” to a criminal investigation without prior review by“relevance” to a criminal investigation without prior review by
a court (subpoena)a court (subpoena)
 E-mail logs require a prior finding of “specific and articulableE-mail logs require a prior finding of “specific and articulable
facts” that would justify disclosure of the recordsfacts” that would justify disclosure of the records

49. 49
Preservation of EvidencePreservation of Evidence
Problem: many stored records last only for weeks orProblem: many stored records last only for weeks or
daysdays
Obtaining legal process is often slowObtaining legal process is often slow
Investigators may not even know the significance of evidenceInvestigators may not even know the significance of evidence
until weeks or days after the commission of a crimeuntil weeks or days after the commission of a crime
Critical tool: request by law enforcement to preserveCritical tool: request by law enforcement to preserve
evidence (content or non-content)evidence (content or non-content)
Request does not compel the disclosure of the records,Request does not compel the disclosure of the records,
but freezes them pending legal processbut freezes them pending legal process

50. 50
Preservation of EvidencePreservation of Evidence
Must be very fast (not require prior judicialMust be very fast (not require prior judicial
approval or even written process)approval or even written process)
Few privacy concerns because no disclosureFew privacy concerns because no disclosure
occursoccurs
COE Convention: does not require dualCOE Convention: does not require dual
criminality because of need to preserve datacriminality because of need to preserve data
quickly (disclosure, however, requires dualquickly (disclosure, however, requires dual
criminality)criminality)

51. 51
Preservation of EvidencePreservation of Evidence
Sample Laws – United StatesSample Laws – United States
A provider of … communication services,A provider of … communication services,
upon the request of a government entity, shallupon the request of a government entity, shall
take all necessary steps to preserve records ortake all necessary steps to preserve records or
other evidence in its possession pending theother evidence in its possession pending the
issuance of a court order or other process.”issuance of a court order or other process.”
 Lasts for 90 days and can be renewedLasts for 90 days and can be renewed

52. 52
OverviewOverview
I.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety
II.II. Limits on Law Enforcement Investigative AuthorityLimits on Law Enforcement Investigative Authority
III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications
IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time
V.V. Obtaining Content Stored on a Computer NetworkObtaining Content Stored on a Computer Network
VI.VI. Obtaining Non-Content Information Stored on aObtaining Non-Content Information Stored on a
Computer NetworkComputer Network
VII.VII. Compelling the Target to Disclose ElectronicCompelling the Target to Disclose Electronic
EvidenceEvidence

53. 53
Compelling Disclosure of Electronic EvidenceCompelling Disclosure of Electronic Evidence
in the Possession of the Targetin the Possession of the Target
Generally rules that pertain to search of a home orGenerally rules that pertain to search of a home or
office applyoffice apply
Have to assure that the law is broad enough to coverHave to assure that the law is broad enough to cover
collection of intangible data and not just physical itemscollection of intangible data and not just physical items
Compare:Compare:
E.g.: Computer used to store child pornography or otherE.g.: Computer used to store child pornography or other
evidenceevidence
E.g.: Computer used to break into bank to steal accountE.g.: Computer used to break into bank to steal account
information or move funds from one account to anotherinformation or move funds from one account to another

54. 54
Seizing ComputerHardwareSeizing ComputerHardware
Council of Europe Convention, Article 19Council of Europe Convention, Article 19
Often investigators need to seize the computerOften investigators need to seize the computer
itselfitself
Easy to apply traditional rules for objectsEasy to apply traditional rules for objects
Not clear why a computer should get greater orNot clear why a computer should get greater or
lesser protection than a filing cabinetlesser protection than a filing cabinet

55. 55
Searches and Seizures of Stored DataSearches and Seizures of Stored Data
and Intangible Evidenceand Intangible Evidence
Investigators could simply copy computer filesInvestigators could simply copy computer files
after entering an individual’s homeafter entering an individual’s home
Data stored at home can be extremely sensitive (e.g.,Data stored at home can be extremely sensitive (e.g.,
a diary, a will)a diary, a will)
Recommendation: treat data as a “thing” to beRecommendation: treat data as a “thing” to be
seized, even if only a copy is madeseized, even if only a copy is made
But: “imaging” a drive should be a permissibleBut: “imaging” a drive should be a permissible
search techniquesearch technique
Technical considerations, e.g., OSTechnical considerations, e.g., OS
Slack space and deleted filesSlack space and deleted files

56. 56
Considerations forSearches and SeizuresConsiderations forSearches and Seizures
of Intangible Evidenceof Intangible Evidence
Applying the traditional rules provides balanceApplying the traditional rules provides balance
and certaintyand certainty
Unwise not to protect that data from over-intrusiveUnwise not to protect that data from over-intrusive
governmental searchesgovernmental searches
Also unwise not to give law enforcement the powerAlso unwise not to give law enforcement the power
to obtain that evidenceto obtain that evidence
Easier for investigators to learnEasier for investigators to learn
Use existing exceptions as wellUse existing exceptions as well
E.g.: consent, emergency circumstancesE.g.: consent, emergency circumstances

57. 57
Considerations forSearches andConsiderations forSearches and
Seizures of Intangible EvidenceSeizures of Intangible Evidence
Why computer searches are different:Why computer searches are different:
Computers hold huge amounts of dataComputers hold huge amounts of data
10 gigabyte drive = 5 million pages10 gigabyte drive = 5 million pages
Requires expertise and tools, e.g. deleted files,Requires expertise and tools, e.g. deleted files,
familiarity with Operating Systemfamiliarity with Operating System
Information can be stored remotelyInformation can be stored remotely
Computers are multi-functional – interminglingComputers are multi-functional – intermingling
of innocent and privileged informationof innocent and privileged information

58. 58
ConclusionConclusion
Countries must have laws that allow lawCountries must have laws that allow law
enforcement to compel disclosure of evidence ofenforcement to compel disclosure of evidence of
crimecrime
These powers in part enhance privacy by deterringThese powers in part enhance privacy by deterring
criminal invasions of privacycriminal invasions of privacy
Overly intrusive powers can harm the privacy ofOverly intrusive powers can harm the privacy of
citizens and chill economic developmentcitizens and chill economic development
Law makers must consider many factors whenLaw makers must consider many factors when
deciding what is appropriate for themdeciding what is appropriate for them
Models from other jurisdictions can assist countriesModels from other jurisdictions can assist countries
in designing appropriate lawsin designing appropriate laws

59. 59
Questions?Questions?

60. 60
Todd M. HinnenTodd M. Hinnen
Department of JusticeDepartment of Justice
Computer Crime & Intellectual PropertyComputer Crime & Intellectual Property
SectionSection
Phone: (202) 305-7747Phone: (202) 305-7747
E-mail: todd.m.hinnen@usdoj.govE-mail: todd.m.hinnen@usdoj.gov