Copyright, 2002 © Michael Sonntag WWW: Mag. Dipl.-Ing. Dr. Michael Sonntag.

Presentation transcript:

Copyright, 2002 © Michael Sonntag WWW: Mag. Dipl.-Ing. Dr. Michael Sonntag Convention on Cybercrime Legal and Technical Aspects of E-Commerce, Budapest, Substantive law and selected parts of procedure

Questions? Please ask them immediately!

Content
- Why the need?
- Current state of the treaty
- Offences against data and systems themselves
- Computer- / content-related offences
- Copyright-related offences
- Sanctions
- Jurisdiction
- Collection & interception of data
- International cooperation
- Reservations

Why the need?
- Problem of jurisdiction
  - Who is responsible for the trial?
  - How to get hold of the accused person(s) / evidence?
- Computer use is often a special case
  - “Deceiving” a computer is legally impossible
  - Value of data itself low, but enormous consequences
  - Evidence is easily lost (or forged!)
- Crimes can be committed over long distances
- Often hard to detect
- Some detrimental behavior is currently not illegal

Examples
- “Theft” of time
  - Hacking into a computer (or extending the access) to use computational power and CPU-time
  - Time/service cannot be stolen
  - At most indemnification possible
- Computer “fraud”
  - A computer cannot be deceived, so no fraud
  - At most indemnification possible
- DeCSS
  - Reverse engineering / publication / … allowed?

Current state of the treaty
- Signed by 34 countries
  - Most countries of the Council of Europe
  - Plus: Canada, Japan, South Africa, United States
- Ratified by 1 country
  - Albania
NOT IN FORCE! Entry into force requires 5 ratifications including at least 3 member states of the Council of Europe

General definitions
- Computer system
  - Device or connected or related devices (=Hardware)
  - Automatic processing of data
    - (=without direct human intervention)
  - Pursuant to a program (=Software; set of instructions)
- Computer data
  - Any representation of facts, information or concepts
    - Includes also programs
  - In a form suitable for processing in a computer
    - Electronic or other; can be directly fed into a computer

Definitions: Criminal offence
- “Criminal offence”
  - Convention knows civil, criminal and administrative liability (Art. 12 para 3)
  - Offences must be “criminal” offences, therefore administrative punishment is not enough!
  - Punishments must also include deprivation of liberty
    - This is usually the domain of criminal law, at least if longer sentences are involved
- All offences are punishable only when committed intentionally, never by negligence!
    - Sometimes additional intentional elements required (e. g. Art. 8)
    - Countries MAY however be stricter and also punish negligence

Definitions: Without right
- Most offences are punishable only when committed “without right”
  - Kind of “loophole” for countries
- Examples of exclusion:
  - Consent, self defense, necessity, …
  - Lawful government authority
    - For public order, national security, investigation of crimes, …
  - Tools/acts for designing system, verifying security, …
  - Common commercial practices (e. g. cookies, caches)

Illegal access (1)
Accessing the whole or any part of a computer system
  - E. g. hacking password, using others’ passwords
  - The intrusion itself is illegal (not only its consequences, e. g. damages, theft of data, …)
- Optional:
  - By infringing security measures
  - Intent of obtaining computer data
  - Other dishonest intent
  - In a computer system that is connected to another system

Illegal access (2)
- Access = Entering any part of the system
  - Retrieving some information (e. g. directory) from the system that would otherwise not be available
  - NOT: Mere sending of data TO the system (e. g. mail or file)
    - This is accepted by the system (or rejected)
    - Difficult: Sending mail reveals some information (= the computer accepts mails; version of MTA), which might be confidential (e. g. if it is not published anywhere: port-scanning)
    - Difference to sending a password and waiting for the response (valid/invalid)???
- Some security measures must exist and be infringed
    - Completely free computer is “free for access”!

Illegal interception (1)
Interception by technical means of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emission
- Violation of privacy, related to data protection laws
- “Non-public” refers to transmission, not content
  - Public data sent privately is protected
  - Communication over public networks can be protected
    - Individually selected and closed group of recipients
- Electromagnetic emission is not included in “computer data”, but nevertheless protected
  - Radiation of screens, wires, ...

Illegal interception (2)
- Technical means: Through access to the system or through eavesdropping devices
- Recording / using the information is not required
- Optional:
  - Dishonest intent
  - In a computer system that is connected to another system

Data interference
Damaging, deletion, deterioration, alteration or suppression of computer data
- =Protecting the existence of computer data
- Examples: Viruses, trojans, encrypting others’ data
- Anonymizers: Allowed
  - Unless used to hide identity when committing a crime!
- Optional:
  - Resulting in serious harm

System interference
Serious hindering of functioning of computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data
- =Protecting the usability of computer systems
- Applies to computers and communication alike
- Hindering=Interfering with proper functioning
- The level of harm required can be set by country
- Examples: Viruses, DoS, Mail-bombs, …
- Not included is ordinary Spam
  - Intention is NOT to hinder communication!

Misuse of devices (1)
- Possession, production, sale, procurement for use, import, distribution, or otherwise making available of
  - a device (incl. program), designed or adapted primarily for purpose of committing any of the previous offences
  - a password, access code, or similar data by which the whole or any part of a computer system can be accessed
  with intent of committing any of the previous offences
- NOT optional:
  - Sale, distribution or otherwise making available of passwords, access codes, or similar data for system-access
- Optional: Possession requires a number of items

Misuse of devices (2)
- Distribution: Active (e. g. sending to a mailing list)
- Making available: Passive (placing on a webpage)
  - Includes link-lists to such devices
- Device: Hardware or Software
- Virus is such a device; possession illegal
- “Primarily”: Dual-use devices are also included
  - But: Objective view of the devices
    - Dual-use devices therefore usually not criminalized
- “Similar data”: Private/secret keys, ...
  - E. g. codes for decrypting Pay-TV (→ Illegal access)

Computer-related forgery
Input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered and acted upon for legal purposes as if it were authentic
- Similar to forging (paper) documents
- Minimum deception: Issuer
  - Optional: Genuineness of data (=data is from issuer)
- Readability/Intelligibility of data unimportant
- Optional:
  - Intent to defraud or other dishonest intent

Computer-related fraud
Causing loss of property to another by
  - any input, alteration, deletion or suppression of data
  - any interference with functioning of a computer system
with fraudulent or dishonest intent of procuring an economic benefit for oneself or another
- “Interference”: Changing program, parameters, …
- “Loss of property”: Everything of economic value
- E. g.:
  - Credit card fraud
  - (Unauthorized) Comparison shopping bots: Intent missing

Content-related offences: Child pornography
Production, offering, making available, distributing, transmitting, procuring, and possession of child pornography in a computer system or a computer-data storage medium
- Child pornography=
  - Minor (=under 18) engaged in sexually explicit conduct
  - Person appearing to be a minor
  - Realistic images depicting a minor
- Optional:
  - Procuring and possession; not real minors involved
  - At least 16 years as lowest age-limit

Infringement of copyright and related rights
Infringement of copyright and related rights as defined in the Berne convention, TRIPS (and some others) when committed on a commercial scale and by means of a computer system
- Only those parts of conventions in force in country!
- Optional:
  - In limited circumstances and only if other effective remedies are available

Sanctions and measures
- Must be criminal law for natural persons
  - Effective, proportionate and dissuasive sanctions
  - Must include possibility for deprivation of liberty
- Can be any type of sanction in case of corporate liability (legal persons, managers, …)
  - Effective, proportionate and dissuasive sanctions
  - Must include possibility for monetary sanctions
Extent is not prescribed!
- Other measures are possible
  - E. g. forfeiture of tools, probation, ...

Jurisdiction (1)
- Jurisdiction over offences committed
  1. in the country’s territory
  2. on board a ship flying the flag of the country
  3. on board an aircraft registered under laws of the country
  4. by a national: if the offence is punishable under criminal law where it was committed, or if committed outside jurisdiction of any state
- Optional: 2-4, any other jurisdiction desired
- Special jurisdiction related to extradition

Jurisdiction (2)
- Multiple jurisdiction
  - Consultation SHALL be done, where prosecution would be most appropriate
- Location of an offence:
  - Explanations only, but common understanding
  1. Where the act is done
  2. Where the result is achieved
    - Example: Computer-related fraud: Person in A manipulates computer in B for loss of owner in C and benefit for person in D
    - 4 countries would possess jurisdiction!

Expedited preservation
- Competent authorities must be able to order expedited preservation of specified computer data (incl. traffic data), which is possessed or controlled
  - NO obligation for monitoring and collecting: Only already existing data must be preserved
  - Must be for specific case: Not generally or “just in case”
  - NO disclosure included: Separate laws!
- Custodian of the data must keep this order confidential for the time of preservation
  - Disputed: Employer of the person receiving the order also may not know about it!

Production order
- Competent authority must be able to order
  - a person in its territory to submit specified computer data in that person’s possession or control
  - a service provider offering services in its territory to submit subscriber information in its possession or control
- Details:
  - Applies only to already existing data (no monitoring)
  - Control is more than “can access”; requires some right
  - Must be for specific case: Not generally or “just in case”
  - Format of data can be set in order (e. g. disk or print-out); this must probably be rather easily possible
    - Extensive/Expensive conversions cannot be required

Search and Seizure (1)
- Competent authorities must be able to search or access computer systems, computer data stored in such, and storage mediums in its territory
  - Extension to connected systems possible
- Seizure must be possible of computer systems, storage mediums, copies of data. Also: maintaining its integrity and rendering inaccessible or removing it
- Ordering any person with knowledge about the functioning of the system or measures for its protection, when reasonable, to disclose this information to enable search or seizure

Search and Seizure (2)
- Refers to seizure of the data itself, not the medium
- Disputed: Extension to other (national) systems
  - Which are lawfully accessible from or available to initial system
    - No problem: External storage device (e. g. backup)
    - BUT also included: Any remote account anywhere!
    - Would be possible across several steps!
- “Rendering inaccessible”: E. g. encrypting it
  - Owner should have (temporarily) no access to the data

Search and Seizure (3)
- Ordering a person to cooperate: Many problems!
  - Right of non-self-incrimination
  - Search orders: Customarily require only passivity
    - No resistance; but not obligation to cooperate
  - The person who should help is often not involved
    - Similar to an order to “anyone must help”, which is otherwise very rare/restricted
  - Passwords/Keys are often not restricted to the specific data sought: Could be easily used for other things too
  - Legal obligation relieves administrator of contractual or other non-disclosure obligations
  - Depends fully on shaping of “reasonable”!

Realtime collection / Interception
- Collection of traffic data: Itself or through service provider
  - Traffic data associated with specified communications
- Interception of content data: Itself or through service provider
  - Only for serious offences (determined by domestic law)
- Service provider must keep both the fact and the information confidential
Similar to conventional wiretapping

24/7 network
- Point of contact available 24 hours/7 days per week for immediate assistance in investigations and collection of evidence by
  - providing technical advice
  - preservation of data
  - collection of evidence, giving legal information, and locating suspects
- Either by carrying out the requests or facilitation
  - E. g. contacting judges for issuing orders
Good idea, but rather costly: Highly trained (and expensive) personnel and equipment required!

Reservations
- Reservations to the convention are enumerated: Only those explicitly provided for are possible
    - See the individual descriptions!
- Common element of conventions to get many countries to agree (complete consensus impossible)
  - But still require a smallest common base
- Can only be made at signature or ratification
  - Later on only withdrawal of reservation is possible
  - Convention urges to withdraw, but no time-limit set
  - Periodical inquiry, whether withdrawal is possible
    - To put some pressure for uniform application

Amendment, Denunciation, Federal clause
- Amendment:
  - Only possible if every single party of the convention agrees (→ Rare)
- Denouncement:
  - At any time possible by simple notification
  - About three months’ time
- Federal clause:
  - Reservation possible that implementation will be split
    - Must be done according to its constitution
    - Only for areas substantive and procedural law, and jurisdiction

Additional protocol: Racism
- Draft for an additional protocol exists
- NOT an amendment, but addition (>=5 states)
- Content:
  - Racist and xenophobic material
    - Race, color, descent, national-/ethnic origin, (religion)
  - Dissemination, threat, public insult
  - Denial, gross minimization, approval, or justification of genocide or crimes against humanity
- Preliminary draft: Feconomic%5Fcrime/Cybercrime/Racism_on_internet/Draft_Add_Protocol.asp
