Cooperating with Internet Service Providers OSCE, Vienna, 24 th October 2008

2

Upcoming activities around public/private partnerships Law Enforcement trainings Germany (March), Egypt (H2), Europol (Dec.) Cybercrime legislation Guidelines on industry/LE cooperation (European Commission, Sept.), Judges trainings Romania (Oct.), Turkey (Oct), Egypt (H2) Child Online Safety events Italy (Nov.), Council of Europe (Dec.), Estonia (March) 3

Main next steps Enforcement against Lottery Scams International conference, October European Financial Coalition Combating sale of pictures of sexual abuse of children, Q2 Industry visit to University College Dublin Creating a curriculum for law enforcement, Industry visit Council of Europe Cybercrime Conference Global cybercrime conference 4

Microsoft Services Microsoft Confidential For Law Enforcement Use Only

Microsoft Services Many different domains: Country specific domains:.co.uk,.fr,.it,.de,.es,.th,.tk,.co.jp Currently all service data is stored in the U.S. even for country specific domain name accounts. Microsoft Confidential For Law Enforcement Use Only

Windows Live Messenger : Instant messaging or chat Microsoft Confidential For Law Enforcement Use Only

Office Live Set of online services for small businesses – Office Live Small Business – Office Live Workspace Provides: – A domain name Example: – accounts with the domain name : – Web hosting and website design tools Web address: Microsoft Confidential For Law Enforcement Use Only

Evidence to solve a computer crime is often in the possession of ISPs Computer crime is frequently committed through the Internet, over equipment owned by Internet Service Providers ISPs posses evidence regarding the travel-path of data and who received it or stored it. 9

TYPES OF INTERNET SERVICE PROVIDERS 10

Access providers Providers of access to the Internet. Traditionally the Access Providers are phone companies that provide internet access over the phone network through dial-up service or DSL connections Access providers may provide evidence as to who was using a particular Internet address to connect to other computers Example : 11

Web hosting providers Web hosts provide space on an Internet server for clients to host a website or a file storage. The hosting company can provide evidence regarding who rented the web server and who accessed it Example : 12

hosting providers companies store the content of users They will be able to provide evidence on who owns the account and who accessed it Because of secrecy of correspondence the content of the boxes can only be obtained through a Court Order Example: 13

Evidence identifying a network end- point IP (Internet protocol) numbers – Designate a network location which is often a geographical location but not necessarily a user identification. Proxy servers and NAT Network Address Translation Open access Wifi networks Internet Cafés 14

Reading Account Records – Registration Records 15 The “Registered From IP Address” is not provided by the user, but is captured by Microsoft’s systems. 15

Reading Account Records – IP Connection History 16  Microsoft retains account Internet Protocol (IP) connection history for 60 days.

Record Retention Policy, some examples 17

CASE STUDY: MICROSOFT CRIMINAL COMPLIANCE 18

ISP jurisdiction The ISP will have to take into consideration the laws of the jurisdiction under which it operates even when the legal request come from a different jurisdiction. Additionally ISPs need to consider the laws of the jurisdiction in which its servers are located should it not be the same as the jurisdiction of incorporation. 19

Obtaining evidence from ISPs like Microsoft Most ISPs have designated employees to respond to criminal compliance requests When receiving a request, a criminal compliance department will examine legal obligations under the jurisdiction of where the data is located and under the jurisdiction of the petitioner Because of the nature of MLATs, ISPs will usually receive court order from both of these jurisdictions Microsoft is following the recommendations of the Guidelines on cooperation between law enforcement and industry of the Council of Europe (April 2008) and of the European Commission (September 2008) 20

International Criminal Compliance 21

Legal Documentation Required Electronic Communications – Contents of Communications – To obtain electronic communications content ( , including subject line), foreign law enforcement must follow the Mutual Legal Assistance Treaty (MLAT) or Letters Rogatory process. – Upon request, Microsoft will preserve content while the foreign government seeks disclosure through the MLAT/Letters Rogatory process. – Microsoft will accept a written request, signed by the international law enforcement agency, which specifies the information to be preserved. Upon receipt of an official preservation request, Microsoft will preserve data for 180 days. Microsoft will allow an extension of the original preservation for an additional 180 day period. Microsoft Confidential For Law Enforcement Use Only

CASE STUDIES International police cooperation Civil actions Criminal referrals

Zotob virus Zotob was a computer virus affecting hundreds of companies. It was allegedly written as a work for hire by two Moroccan individuals and used for economic gain by a Turkish individual. Arrests of the suspects was made possible by the exemplary cooperation between Moroccan, Turkish, and American law enforcement together with Microsoft investigations teams.

The Spam King Microsoft initiates civil proceedings against Robert Soloway, a.k.a. The Spam King. A civil judgment was rendered in 2005 awarding Microsoft $7.8 million in damages. Microsoft supplied evidence for the criminal proceeding and on March 14 th, 2008, Robert Soloway pleads guilty during a criminal procedure and faces 26 years in prison and $625,000 in fines. He is currently in prison awaiting sentencing.

 Thank you!  Laurent MASSON  Director for Anti-Piracy and Internet Safety, Microsoft EMEA 