1 DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME Providing Law Enforcement with the Legal Tools to Prevent, Investigate, and Prosecute Cybercrime

1

DEVELOPING A LEGAL DEVELOPING A LEGAL FRAMEWORK TO FRAMEWORK TO

COMBAT CYBERCRIMECOMBAT CYBERCRIME

Providing Law Enforcement with the Providing Law Enforcement with the Legal Tools to Prevent, Investigate, Legal Tools to Prevent, Investigate,

and Prosecute Cybercrimeand Prosecute Cybercrime

2

OverviewOverviewI.I. Balancing Privacy and Public SafetyBalancing Privacy and Public Safety

II.II. Limits on Law Enforcement Investigative Limits on Law Enforcement Investigative AuthorityAuthority

III.III. Intercepting Electronic CommunicationsIntercepting Electronic Communications

IV.IV. Collecting Traffic Data Real Time Collecting Traffic Data Real Time

V.V. Obtaining Content Stored on a Computer Obtaining Content Stored on a Computer NetworkNetwork

VI.VI. Obtaining Non-Content Information Stored Obtaining Non-Content Information Stored on a Computer Network on a Computer Network

VII.VII. Compelling the Target to Disclose Compelling the Target to Disclose Electronic EvidenceElectronic Evidence

3








4

Balancing Privacy & Public SafetyBalancing Privacy & Public Safety

Privacy is a basic human rightPrivacy is a basic human right““No one shall be subjected to arbitrary No one shall be subjected to arbitrary

interference with his privacy, family, homeinterference with his privacy, family, homeor correspondence...”or correspondence...”

-- Art. XII, Universal Declaration of Human Rights-- Art. XII, Universal Declaration of Human Rights

Promotes free thought, free expression, Promotes free thought, free expression, and free association, building blocks of and free association, building blocks of democracydemocracy

Supports competitive businesses and Supports competitive businesses and markets, cornerstone of a robust markets, cornerstone of a robust economyeconomy

5


Privacy of computer networks is Privacy of computer networks is

important:important:Individuals, businesses, and governments Individuals, businesses, and governments

increasingly increasingly use computers to communicateuse computers to communicate

Sensitive personal information and business Sensitive personal information and business records are records are stored in electronic formstored in electronic form

Privacy of computer networks is Privacy of computer networks is important for human rights, individual important for human rights, individual freedoms, and economic efficiencyfreedoms, and economic efficiency

6


Threats to online privacy:Threats to online privacy: IndustryIndustry

Gathering marketing informationGathering marketing information

GovernmentGovernment Investigating crime, espionage, or terrorismInvestigating crime, espionage, or terrorism

Misusing legal investigative authorities Misusing legal investigative authorities

CriminalsCriminals Stealing government or business secrets or Stealing government or business secrets or financial financial informationinformation

Obtaining private information from Obtaining private information from individuals’ computersindividuals’ computers

7


Need to investigate all kinds of crimes Need to investigate all kinds of crimes that that involve computer networksinvolve computer networks

E.g.: communications of terrorists or drug E.g.: communications of terrorists or drug dealersdealers

Need to investigate attempts to Need to investigate attempts to damage damage computer networkscomputer networks

E.g.: “I love you” virusE.g.: “I love you” virus

Need to investigate invasions of Need to investigate invasions of privacyprivacy

E.g.: hackers working for organized crime E.g.: hackers working for organized crime stealing credit card numbersstealing credit card numbers

8








9

Limited Law Enforcement Limited Law Enforcement AuthorityAuthority

Striking the Balance:Striking the Balance:

Government investigative authority Government investigative authority subject to subject to appropriate limits and appropriate limits and controls in the form of controls in the form of procedural procedural laws will increase privacy and public laws will increase privacy and public

safety, but . . . safety, but . . .

Uncontrolled government authority Uncontrolled government authority may may diminish privacy and hinder diminish privacy and hinder economic economic development.development.

10

Intrusiveness of the

Investigative Power

Safeguards to Prevent Governmental Abuse


11


Ways to limit law enforcement Ways to limit law enforcement authorities:authorities:

Define specific predicate crimes/classes of Define specific predicate crimes/classes of crimecrime

Require law enforcement to demonstrate Require law enforcement to demonstrate factual factual basis to independent judicial officerbasis to independent judicial officer

Limit the breadth and scope, the location, or Limit the breadth and scope, the location, or the the durationduration

Offer only as “last resort”Offer only as “last resort”

Prior approval or subsequent review by Prior approval or subsequent review by senior senior official or politically accountable body official or politically accountable body

12


Penalizing abuse:Penalizing abuse:

Administrative discipline of officer Administrative discipline of officer involvedinvolved

Inability to use evidence in Inability to use evidence in prosecution prosecution (“suppression”) (“suppression”)

Civil liability for officer involvedCivil liability for officer involved

Criminal sanction of officer involvedCriminal sanction of officer involved

13


Limiting Economic Burdens on Third Limiting Economic Burdens on Third Party Party Service Providers:Service Providers:

Should laws require providers to Should laws require providers to have certain have certain technical capabilities? technical capabilities?

Who is responsible for costs of Who is responsible for costs of collecting data collecting data for law for law enforcement?enforcement?

14

Other Policy ConsiderationsOther Policy Considerations

Each country should approach this complex Each country should approach this complex balancing balancing question, taking into question, taking into consideration:consideration:

The scope of its crime and terrorism problem;The scope of its crime and terrorism problem;

Its existing legal structures;Its existing legal structures;

Its historical methods of protecting human rights; Its historical methods of protecting human rights; and,and,

the need to assist foreign governments.the need to assist foreign governments.

Each country should decide the “means” for Each country should decide the “means” for obtaining obtaining electronic evidence within its electronic evidence within its existing legal existing legal framework (e.g., constitutions, framework (e.g., constitutions, statutes, court statutes, court decisions, rules of procedure)decisions, rules of procedure)

15








16

Information Obtained from Computer Information Obtained from Computer Networks in Cybercrime InvestigationsNetworks in Cybercrime Investigations

ContentContent Non-ContentNon-Content

Real-TimeReal-Time

CommunicatioCommunicationsns

11 22

Information Information Stored on a Stored on a Computer Computer NetworkNetwork

33 44

17


Real-TimeReal-Time


11 22


33 44

Information Obtained from Computer Information Obtained from Computer Networks in Cybercrime InvestigationsNetworks in Cybercrime Investigations

18

Intercepting Electronic Intercepting Electronic Communications on Computer Communications on Computer

NetworksNetworks

Obtaining the content of a communication Obtaining the content of a communication as the communication occursas the communication occurs

Similar to intercepting what’s being said in a Similar to intercepting what’s being said in a phone conversationphone conversation

E.g.: collect the content of e-mail passing E.g.: collect the content of e-mail passing between two terrorists or drug dealersbetween two terrorists or drug dealers

E.g.: collect the commands sent by a hacker to E.g.: collect the commands sent by a hacker to a victim computer to steal corporate a victim computer to steal corporate informationinformation

19


NetworksNetworks

Many countries use the same (or very similar) Many countries use the same (or very similar) rules as phone wiretaps rules as phone wiretaps

Authority should include the ability to compel Authority should include the ability to compel providers to assist law enforcement officialsproviders to assist law enforcement officials

Sometimes does not require law enforcement Sometimes does not require law enforcement expertise expertise

May depend on particular technology and May depend on particular technology and infrastructureinfrastructure

Art. 21, Council of Europe Convention on Art. 21, Council of Europe Convention on Cybercrime Cybercrime

20


NetworksNetworks

Law enforcement needs this authority Law enforcement needs this authority because:because:

Criminals and terrorists increasingly use Criminals and terrorists increasingly use electronic communications to plan and execute electronic communications to plan and execute crimescrimes

Many crimes are committed mostly (or entirely) Many crimes are committed mostly (or entirely) using computer networksusing computer networks

Distribution of child pornography, internet fraud, Distribution of child pornography, internet fraud, hackinghacking

Communications may not be storedCommunications may not be stored

21


NetworksNetworks

This authority should be limited because:This authority should be limited because:

Interception of communications can be a Interception of communications can be a grave invasion of privacygrave invasion of privacy

Can allow access to the most private Can allow access to the most private thoughts, harming freedoms of speech and thoughts, harming freedoms of speech and associationassociation

Fear of overly intrusive interception may Fear of overly intrusive interception may stifle competitive markets, economic stifle competitive markets, economic development, and foreign investmentdevelopment, and foreign investment

22

Examples of Limitations on Examples of Limitations on Interception Authorities – AustraliaInterception Authorities – Australia

Independent judicial Independent judicial reviewreview

Facts in support of an Facts in support of an application showing that application showing that intercepted intercepted communications would “be communications would “be likely to assist” in an likely to assist” in an investigationinvestigation

Investigation of a serious Investigation of a serious crime (generally 7+ years crime (generally 7+ years maximum incarceration)maximum incarceration)

90 day maximum 90 day maximum (renewable)(renewable)

Information intercepted Information intercepted unlawfully cannot be used unlawfully cannot be used as evidence in courtas evidence in court

Intercepted information has Intercepted information has certain disclosure certain disclosure restrictions and destruction restrictions and destruction after purpose is completeafter purpose is complete

Judge must balance Judge must balance surrounding circumstances: surrounding circumstances:

Whether other Whether other investigative techniques investigative techniques would not be just as would not be just as effectiveeffective

The value of the The value of the informationinformation

Gravity of the conductGravity of the conduct

The privacy invasionThe privacy invasion

23

Examples of Limitations on Examples of Limitations on Interception Authorities – the United Interception Authorities – the United

StatesStates

30 day time limit (plus 30 day time limit (plus extensions)extensions)““Probable cause” to Probable cause” to believe a crime is being believe a crime is being committed committed andand that the that the facility is being used in facility is being used in furtherance of that furtherance of that crimecrimeAll other options have All other options have been tried or are been tried or are unlikely to succeed unlikely to succeed Independent judicial Independent judicial reviewreviewReport to intercepted Report to intercepted parties (at conclusion of parties (at conclusion of case)case)

Inability to use evidence Inability to use evidence in court if violate the lawin court if violate the lawAdministrative Administrative investigation of misuse of investigation of misuse of the law requiredthe law requiredCivil and criminal Civil and criminal sanctions for violationssanctions for violationsApproval by high-level Approval by high-level officialofficialMinimize collection of Minimize collection of non-criminal non-criminal communicationscommunicationsLimitations on disclosure Limitations on disclosure of intercepted of intercepted communicationscommunications

24

Possible Exceptions to the Possible Exceptions to the RuleRule

Might not require legal process if:Might not require legal process if:

The communication is publicly accessibleThe communication is publicly accessibleE.g.: public “chat” roomsE.g.: public “chat” rooms

Party/all parties to the communication Party/all parties to the communication consentconsent

Actual consent (CI), bannerActual consent (CI), banner

Emergency involving risk of deathEmergency involving risk of death

No reason to believe communication is No reason to believe communication is privateprivate

Hackers communication with target computerHackers communication with target computer

25

Intercepting Electronic Intercepting Electronic Communications: Communications:

Other ConsiderationsOther Considerations

Limits on ISP’s interceptionLimits on ISP’s interceptionPossible exceptions for consent, Possible exceptions for consent, interceptions necessary to run or secure a interceptions necessary to run or secure a network network

Voluntary disclosure of intercepted Voluntary disclosure of intercepted communicationcommunication

Only if legal interception (i.e. subject to Only if legal interception (i.e. subject to exception)exception)

26




IV.IV. Collecting Traffic Data Real TimeCollecting Traffic Data Real Time




27

Collecting Traffic Data Real TimeCollecting Traffic Data Real Time


Real-TimeReal-Time


11 22

Stored Stored Information on Information on

a Networka Network33 44

28


Interception of non-content informationInterception of non-content information

Similar to phone number called to/fromSimilar to phone number called to/from

E.g.: “To” and “From” on an e-mail E.g.: “To” and “From” on an e-mail

E.g.: Source and destination IP address in a E.g.: Source and destination IP address in a packet headerpacket header

Less intrusive than intercepting content, so Less intrusive than intercepting content, so less restrictions on law enforcement useless restrictions on law enforcement use

Art. 20, Council of Europe Convention on Art. 20, Council of Europe Convention on CybercrimeCybercrime

29


Law enforcement needs this authority because:Law enforcement needs this authority because:

Criminals and terrorists increasingly use Criminals and terrorists increasingly use electronic electronic communications to plan and communications to plan and execute serious crimes execute serious crimes

Helps locate suspects, identify members of Helps locate suspects, identify members of conspiracyconspiracy

Useful tool to assist foreign investigations where Useful tool to assist foreign investigations where a a country is used only as a “pass-though”country is used only as a “pass-though”

Provides a less intrusive and therefore less Provides a less intrusive and therefore less restricted restricted alternative to content interceptionalternative to content interception

30


This authority should be limited because:This authority should be limited because:

Although less intrusive than content Although less intrusive than content interception, still interception, still implicates privacyimplicates privacy

Individuals don’t expect government to keep Individuals don’t expect government to keep track of who they’re calling, even if government track of who they’re calling, even if government does not listen to what they’re sayingdoes not listen to what they’re saying

To/From information may be revealing (e.g., To/From information may be revealing (e.g., repeated e-mails to a psychiatrist; receiving repeated e-mails to a psychiatrist; receiving information from a militant organization) information from a militant organization)

31

Collecting Traffic Data Real TimeCollecting Traffic Data Real TimeSample Laws – United KingdomSample Laws – United Kingdom

Information must be “necessary” for the Information must be “necessary” for the investigation of crime, protection of investigation of crime, protection of

national national security, public health, other security, public health, other specified purposesspecified purposes

Approval by a designated high-level Approval by a designated high-level government government official, but no independent official, but no independent judicial reviewjudicial review

Collection must be “proportionate to Collection must be “proportionate to what is what is sought to be achieved”sought to be achieved”

30 day time limit30 day time limit

32

Collecting Traffic Data Real TimeCollecting Traffic Data Real TimeSample Laws – United StatesSample Laws – United States

Information collected must be Information collected must be “relevant” to an “relevant” to an ongoing criminal ongoing criminal investigationinvestigation

Can only be applied for by an attorney Can only be applied for by an attorney for the for the government (not a police officer) government (not a police officer)

Limited to 60 days (plus extensions)Limited to 60 days (plus extensions)

Disciplinary, civil, and criminal Disciplinary, civil, and criminal penalties for penalties for misusemisuse

33

Possible Exceptions to the Possible Exceptions to the RuleRule

Might not require legal process if:Might not require legal process if:

Party/all parties to the communication Party/all parties to the communication consentconsent

E.g.: witness cooperating with the government E.g.: witness cooperating with the government allows officers to determine where allows officers to determine where conspirators’ e-mail is sent fromconspirators’ e-mail is sent from

No reason to believe communication is No reason to believe communication is privateprivate

Hackers communication with target computerHackers communication with target computer

Interception is by provider of computing Interception is by provider of computing service in order to run the system or service in order to run the system or provide securityprovide security

34








35

Obtaining Content Obtaining Content Information Stored on a Information Stored on a

Computer NetworkComputer Network


Real-TimeReal-Time


11 22


33 44

36

Obtaining the Content of Stored Obtaining the Content of Stored Information on Computer Information on Computer

NetworksNetworksInformation stored on the system of a Information stored on the system of a third-party providerthird-party provider

Computer network not owned by the Computer network not owned by the target of an investigationtarget of an investigation

E.g.: e-mail sent to an individual that is E.g.: e-mail sent to an individual that is stored by an Internet service provider stored by an Internet service provider

E.g.: calendar kept on a remote serviceE.g.: calendar kept on a remote service

37


NetworksNetworksLaws may be similar to those for searching or Laws may be similar to those for searching or seizing computers in the possession of the seizing computers in the possession of the target of an investigationtarget of an investigation

But because the information is held by a neutral But because the information is held by a neutral third party, physical coerciveness of regular third party, physical coerciveness of regular search procedures may not be necessarysearch procedures may not be necessary

Also, because the data is not in the immediate Also, because the data is not in the immediate control (e.g. home) of the individual, he or she control (e.g. home) of the individual, he or she may have less of a privacy interest in itmay have less of a privacy interest in it

Art. 18, Council of Europe Convention on Art. 18, Council of Europe Convention on CybercrimeCybercrime

38


NetworksNetworksLaw enforcement needs this authority Law enforcement needs this authority

because:because:

Without it, serious crimes will go Without it, serious crimes will go unpunished and undeterredunpunished and undeterred

Just as law enforcement has needed coercive Just as law enforcement has needed coercive power to gather evidence in “real world” power to gather evidence in “real world” contexts, so it must be able to do so in online contexts, so it must be able to do so in online contextscontexts

For the many crimes committed over the For the many crimes committed over the Internet, stored information is the “crime Internet, stored information is the “crime scene”scene”

39


NetworksNetworksThis authority should be limited because:This authority should be limited because:

As our countries enter the “Information As our countries enter the “Information Age,” more and more of the most Age,” more and more of the most sensitive data is being stored on sensitive data is being stored on computerscomputers

Businesses are increasingly using computer Businesses are increasingly using computer networks to store datanetworks to store data

Individuals are increasingly storing Individuals are increasingly storing information and communications remotely information and communications remotely on third-party networkson third-party networks

40

Obtaining Stored ContentObtaining Stored ContentSample Laws – United StatesSample Laws – United States

To compel disclosure of most kinds of e-To compel disclosure of most kinds of e-mail:mail:

““Probable cause” to believe it contains Probable cause” to believe it contains evidence of a crime (same standard as to evidence of a crime (same standard as to search a package or a house)search a package or a house)

Review of evidence by an independent judgeReview of evidence by an independent judge

Administrative sanctions against officers Administrative sanctions against officers who abuse the authoritywho abuse the authority

Civil suit against the government for misuseCivil suit against the government for misuse

Disclosure restrictionsDisclosure restrictions

41

Obtaining Stored ContentObtaining Stored Content

Do some categories of data deserve extra Do some categories of data deserve extra protection? protection?

Greater expectation that data will remain Greater expectation that data will remain privateprivate

Has the user any choice about whether the Has the user any choice about whether the information is stored on the network?information is stored on the network?

Example of graduated system of requirements – Example of graduated system of requirements – United StatesUnited States

Unopened e-mail requires a search warrant based Unopened e-mail requires a search warrant based upon “probable cause”upon “probable cause”

E-mail accessed by the user and other information the E-mail accessed by the user and other information the user chooses to store on a remote server requires a user chooses to store on a remote server requires a court order with only a showing of “relevance”court order with only a showing of “relevance”

42

Obtaining Stored ContentObtaining Stored Content

Consider allowing voluntary disclosure to Consider allowing voluntary disclosure to law enforcement under some law enforcement under some circumstances:circumstances:

Unrestricted disclosure by 3Unrestricted disclosure by 3rdrd-party -party providers may infringe upon privacy and providers may infringe upon privacy and have economic impact, but disclosure have economic impact, but disclosure may be justifiedmay be justified

To protect public health or safetyTo protect public health or safety

To allow the provider to protect its property To allow the provider to protect its property (e.g., by reporting unauthorized use)(e.g., by reporting unauthorized use)

43






VI.VI. Obtaining Non-Content Information Stored Obtaining Non-Content Information Stored on a Computer Networkon a Computer Network


44

Obtaining Non-Content Obtaining Non-Content Information Stored on a Information Stored on a

Computer NetworkComputer Network


Real-TimeReal-Time


11 22


33 44

45

Obtaining Non-Content Information Obtaining Non-Content Information Stored on a Computer NetworkStored on a Computer Network

Computers create logs showing where Computers create logs showing where communications came from and where communications came from and where they wentthey went

Generally less sensitive than contentGenerally less sensitive than content

E.g.: a list of all of the e-mail E.g.: a list of all of the e-mail addresses to which a user sent e-mailaddresses to which a user sent e-mail

E.g.: a log showing the phone E.g.: a log showing the phone numbers by which a user accessed an numbers by which a user accessed an Internet service providerInternet service provider

46

Obtaining Non-Content Information Obtaining Non-Content Information Stored on a Computer NetworkStored on a Computer Network

Law enforcement needs this authority Law enforcement needs this authority because:because:

Logs showing what occurred on a network Logs showing what occurred on a network may be the best evidence of a computer may be the best evidence of a computer crime; may identify the suspect or reveal crime; may identify the suspect or reveal criminal conductcriminal conduct

This authority should be limited because:This authority should be limited because: Although less sensitive than content, these Although less sensitive than content, these

records still contain private informationrecords still contain private information

47

Obtaining Stored Non-Content Obtaining Stored Non-Content InformationInformation

Laws Can Distinguish Between Kinds of Laws Can Distinguish Between Kinds of RecordsRecords::

Subscriber information generally less Subscriber information generally less sensitive sensitive

Name, street address, user nameName, street address, user name

Might include method of payment, i.e., Might include method of payment, i.e., credit card or bank account (important credit card or bank account (important because ISPs may not check users’ because ISPs may not check users’ identities)identities)

Logs showing with whom a user has Logs showing with whom a user has communicated generally more sensitivecommunicated generally more sensitive

48

Obtaining Stored Non-Content Obtaining Stored Non-Content InformationInformation

Examples of Different StandardsExamples of Different Standards

Art. 18, Council of Europe Convention on Art. 18, Council of Europe Convention on Cybercrime:Cybercrime:

Treats “Subscriber Information” differently from Treats “Subscriber Information” differently from other dataother data

United States: United States: Basic subscriber records require a mere showing Basic subscriber records require a mere showing

of “relevance” to a criminal investigation without of “relevance” to a criminal investigation without prior review by a court (subpoena)prior review by a court (subpoena)

E-mail logs require a prior finding of “specific and E-mail logs require a prior finding of “specific and articulable facts” that would justify disclosure of articulable facts” that would justify disclosure of the recordsthe records

49

Preservation of EvidencePreservation of Evidence

Problem: many stored records last only for Problem: many stored records last only for weeks or daysweeks or days

Obtaining legal process is often slowObtaining legal process is often slow

Investigators may not even know the Investigators may not even know the significance of evidence until weeks or days significance of evidence until weeks or days after the commission of a crimeafter the commission of a crime

Critical tool: request by law enforcement to Critical tool: request by law enforcement to preserve evidence (content or non-content)preserve evidence (content or non-content)

Request does not compel the disclosure of Request does not compel the disclosure of the records, but freezes them pending legal the records, but freezes them pending legal processprocess

50

Preservation of Evidence Preservation of Evidence

Must be very fast (not require prior Must be very fast (not require prior judicial approval or even written judicial approval or even written process)process)

Few privacy concerns because no Few privacy concerns because no disclosure occursdisclosure occurs

COE Convention: does not require COE Convention: does not require dual criminality because of need to dual criminality because of need to preserve data quickly (disclosure, preserve data quickly (disclosure, however, requires dual criminality)however, requires dual criminality)

51

Preservation of EvidencePreservation of EvidenceSample Laws – United Sample Laws – United

States States

A provider of … communication A provider of … communication services, upon the request of a services, upon the request of a government entity, shall take all government entity, shall take all necessary steps to preserve necessary steps to preserve records or other evidence in its records or other evidence in its possession pending the issuance of possession pending the issuance of a court order or other process.” a court order or other process.”

Lasts for 90 days and can be renewedLasts for 90 days and can be renewed

52








53

Compelling Disclosure of Electronic Compelling Disclosure of Electronic Evidence in the Possession of the Evidence in the Possession of the

TargetTarget

Generally rules that pertain to search of a Generally rules that pertain to search of a home or office applyhome or office apply

Have to assure that the law is broad Have to assure that the law is broad enough to cover collection of intangible enough to cover collection of intangible data and not just physical itemsdata and not just physical items

Compare:Compare:E.g.: Computer used to store child E.g.: Computer used to store child pornography or other evidence pornography or other evidence

E.g.: Computer used to break into bank to E.g.: Computer used to break into bank to steal account information or move funds from steal account information or move funds from one account to anotherone account to another

54

Seizing Computer HardwareSeizing Computer Hardware

Council of Europe Convention, Article Council of Europe Convention, Article 1919

Often investigators need to seize the Often investigators need to seize the computer itselfcomputer itself

Easy to apply traditional rules for objectsEasy to apply traditional rules for objects

Not clear why a computer should get Not clear why a computer should get greater or lesser protection than a greater or lesser protection than a filing cabinetfiling cabinet

55

Searches and Seizures of Stored Searches and Seizures of Stored Data and Intangible EvidenceData and Intangible Evidence

Investigators could simply copy computer Investigators could simply copy computer files after entering an individual’s homefiles after entering an individual’s home

Data stored at home can be extremely Data stored at home can be extremely sensitive (e.g., a diary, a will)sensitive (e.g., a diary, a will)

Recommendation: treat data as a “thing” Recommendation: treat data as a “thing” to be seized, even if only a copy is madeto be seized, even if only a copy is madeBut: “imaging” a drive should be a But: “imaging” a drive should be a permissible search techniquepermissible search technique

Technical considerations, e.g., OSTechnical considerations, e.g., OSSlack space and deleted filesSlack space and deleted files

56

Considerations for Searches and Considerations for Searches and Seizures of Intangible EvidenceSeizures of Intangible Evidence

Applying the traditional rules Applying the traditional rules provides balance and certaintyprovides balance and certainty

Unwise not to protect that data from Unwise not to protect that data from over-intrusive governmental searchesover-intrusive governmental searches

Also unwise not to give law enforcement Also unwise not to give law enforcement the power to obtain that evidencethe power to obtain that evidence

Easier for investigators to learnEasier for investigators to learn

Use existing exceptions as wellUse existing exceptions as wellE.g.: consent, emergency circumstancesE.g.: consent, emergency circumstances

57

Considerations for Searches Considerations for Searches and Seizures of Intangible and Seizures of Intangible

EvidenceEvidenceWhy computer searches are different:Why computer searches are different:

Computers hold huge amounts of dataComputers hold huge amounts of data

10 gigabyte drive = 5 million pages10 gigabyte drive = 5 million pages

Requires expertise and tools, e.g. Requires expertise and tools, e.g. deleted files, familiarity with Operating deleted files, familiarity with Operating SystemSystem

Information can be stored remotelyInformation can be stored remotely

Computers are multi-functional – Computers are multi-functional – intermingling of innocent and privileged intermingling of innocent and privileged informationinformation

58

ConclusionConclusion

Countries must have laws that allow law Countries must have laws that allow law enforcement to compel disclosure of enforcement to compel disclosure of evidence of crime evidence of crime

These powers in part enhance privacy by These powers in part enhance privacy by deterring criminal invasions of privacydeterring criminal invasions of privacy

Overly intrusive powers can harm the Overly intrusive powers can harm the privacy of citizens and chill economic privacy of citizens and chill economic developmentdevelopment

Law makers must consider many factors Law makers must consider many factors when deciding what is appropriate for when deciding what is appropriate for themthem

Models from other jurisdictions can assist Models from other jurisdictions can assist countries in designing appropriate lawscountries in designing appropriate laws

59

Questions?Questions?

60

Todd M. HinnenTodd M. Hinnen

Department of JusticeDepartment of Justice

Computer Crime & Intellectual Computer Crime & Intellectual Property SectionProperty Section

Phone: (202) 305-7747Phone: (202) 305-7747

E-mail: [email protected]: [email protected]

Documents

1 DEVELOPING A LEGAL FRAMEWORK TO COMBAT CYBERCRIME Providing Law Enforcement with the Legal Tools to Prevent, Investigate, and Prosecute Cybercrime