
Faculty of Law, Dept. of Public and Int. Law

Cybercrime: Issue Spotting - e-Commerce Law Course 2008

Inger Marie Sunde, Research Fellow


What is cybercrime?

• Why is cybercrime part of the e-commerce law course?

– Impact on internet security

– Impact on considerations of what is lawful business

– May be carried out for profit

– May cause economic damage

– May have an impact on service provider liability (accessory liability)

– May have an impact on issues relating to data protection

– ….and may be wholly unrelated to e-commerce issues / interests


What is cybercrime?

• Criminological view

• Legal view: the principle of legality

– Foreseeability. Democracy (popular sovereignty) and separation of powers.

– A restriction for the courts: ECHR art. 7.

– An impetus for the lawmaker => Cybercrime Convention (and more) => national criminal law

– A restriction for the police: Any interference in the legal sphere of the individual (incl. legal persons) must have a basis in law.


My working definition of Internet crime

• An act committed by use of the internet (one host communicating with another host) which is classified as a criminal offence according to national law.

• Problems of:

– Legal jurisdiction: Which criminal law applies?

– Executive jurisdiction: How far do the powers of the national police reach on the internet? When is international cooperation a legal requirement for collecting evidence?

– Fundamental human rights: Infringements on internet communication in order to fight internet crime => freedom of speech / private life / correspondence (ECHR art. 8, 10).


Cybercrime convention (ETS 185) November 2001

• A "European" convention (a Council of Europe treaty, ETS), but open to accession by non-member states (art. 37).

• Three main regulatory parts:

– Criminal law

– Procedural rules ("computer investigation")

– Principles of international cooperation

• Supplementary to other conventions (art. 39), such as the European Convention on Extradition, the European Convention on Mutual Assistance in Criminal Matters, and the Additional Protocol to the latter.


Cybercrime convention: Criminal law

• Art. 2: Illegal access (computer intrusion)

• Art. 3: Illegal interception

• Art. 4: Data interference

• Art. 5: System interference

• Art. 6: Misuse of devices (exploits and passwords)

• Art. 7: Computer-related forgery

• Art. 8: Computer-related fraud

• Art. 9: Offences related to child pornography

• Art. 10: Offences related to infringements of copyright and related rights

• Art. 11: Attempt and aiding or abetting; Art. 12: Corporate liability


What is not covered by the convention?

• Information theft.

• Information fencing (laundering) and self-laundering.

• Scanning activities.

• Identity theft.

• Spam.

• Phishing.


Why break into a computer?

• Hack for pride and fame

• Steal information

• Erase data

• Cause malfunction on the system

• Obtain storage space for pirated goods


Why break into a computer? More significant motives:

• Obtain anonymity in order to:

– Break into another computer (fame&pride / steal info / erase data / cause malfunction etc.)

– Distribute illegal material

– Launch a DoS attack

– Send spam

– Phishing attacks

• Create an unauthorized net in order to:

– Launch a DDoS attack

– Manipulate lotteries and games by sheer frequency


Accordingly: The computer can be the target as such, or be targeted in order to be used as a tool for further activities

• An unauthorized net:

– De facto ability to control resources on other computers without consent from the owners, by commands submitted over an electronic network.

– Colloquially: "zombie net", "botnet".


The ”backdoor case”: Rt. 2004 s. 1619

• The case is about the creation of an unauthorized net.

• Two Norwegian men broke into 437 computers worldwide and performed the following modifications:

– Added themselves as authorized users in the password file, and/or

– Replaced a program file with another, seemingly identical file ("trojan") which had the not insignificant additional feature of leaving the computer open (vulnerable) to new penetrations ("back door").

• The computers were chosen by a broad scan of IP addresses plus criteria related to operating system and version.

• Targeting and penetration were automated by use of a worm.


What can we learn from the case?

• That targeting hits more or less randomly.

– Targeted attacks are relatively rare compared to instances of accidental victimization. It does not matter who you are, but what kind of system you run and which security measures you use.

• This matters for the risk or threat assessment.

– Targeting is often the result of mechanics (automated processes) and not of individual considerations in each case. This matters when you consider:

• the design of criminal statutes

• provisions of culpability

• burden of proof – evidence


Going back to the ”back door case”: Which provisions of the convention are applicable?

• Scanning for vulnerabilities? No article.

• Release of a worm within a given IP range.

– The release in itself is not covered. It all depends on how the worm functions when it comes into contact with the system.

• Exploitation of the vulnerability: Illegal access (art. 2 - § 145 para. 2).

• Modification of the password file: Data interference (art. 4 - § 291).

• Modification of the program file: System interference (art. 5), or data interference (art. 4 - § 291).

• Note: The modifications did not have any impact on the user functionality of the system; they only had security impacts. However, unauthorized modification should be considered a criminal act as such. Reason: it damages system integrity and undercuts user confidence in, and the reliability and trustworthiness of, computer services (detrimental to the development of e-commerce).


Another point: The level of the attack.

• Most hackers try to get access to "root", i.e. the top level / administrator's level.

• Purpose: Gaining control over the resources:

– Configuration control: can install new software, alter the existing setup, steal secret passwords, add or remove users, alter web pages etc.

– Mere access at the user level does not give the same possibilities.

– Escalation of user privileges => an internal "hack" from user level to administrator's level

• The level of attack should be taken into account when the penalty is measured.
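The two modifications in the back door case (an account added to the password file, a program file replaced by a look-alike) and the root/user distinction above are exactly what a host integrity check is built to surface. The following is an added example, not code from the lecture or from the case file: it compares a constructed passwd file and constructed program file contents against a trusted baseline, reports accounts that appeared since the baseline split by whether they run at uid 0 (the administrator level), reports existing accounts whose uid was rewritten to 0, and reports files whose SHA-256 digest no longer matches. All account names, paths and file contents are made up for illustration.

```python
"""Host integrity check for the two modifications described in the back door
case: an added account in the password file and a program file replaced by a
look-alike. Added example; all data below is constructed, not from the case."""
import hashlib

# Constructed baseline recorded by the administrator before the intrusion.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""

# Constructed current state: the intruder added a uid 0 account ("toor")
# and an ordinary account ("bob").
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0:backdoor:/root:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
"""

# Constructed program file contents keyed by path; a real check would read the
# files from disk and the baseline digests from storage the intruder cannot reach.
BASELINE_FILES = {
    "/usr/sbin/sshd": b"genuine sshd binary",
    "/bin/login": b"genuine login binary",
}
CURRENT_FILES = {
    "/usr/sbin/sshd": b"genuine sshd binary",
    "/bin/login": b"look-alike login binary with a back door",
}


def parse_passwd(text):
    """Map user name -> numeric uid from passwd-format text (7 colon-separated fields)."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed entry; a production tool would report it
        accounts[fields[0]] = int(fields[2])
    return accounts


def account_changes(baseline_text, current_text):
    """Report accounts that appeared since the baseline, split by privilege level,
    plus existing accounts whose uid was rewritten to 0 (privilege escalation)."""
    before = parse_passwd(baseline_text)
    now = parse_passwd(current_text)
    added = {name: uid for name, uid in now.items() if name not in before}
    return {
        # uid 0 is the "root" / administrator level the lecture refers to
        "privileged": sorted(n for n, uid in added.items() if uid == 0),
        "unprivileged": sorted(n for n, uid in added.items() if uid != 0),
        "escalated": sorted(n for n, uid in before.items()
                            if uid != 0 and now.get(n) == 0),
    }


def file_digests(files):
    """SHA-256 hex digest of each file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def modified_files(baseline_files, current_files):
    """Paths whose content digest differs from the baseline, or which are missing."""
    expected = file_digests(baseline_files)
    actual = file_digests(current_files)
    return sorted(path for path, digest in expected.items()
                  if actual.get(path) != digest)


if __name__ == "__main__":
    print("account changes:", account_changes(BASELINE_PASSWD, CURRENT_PASSWD))
    print("modified files:", modified_files(BASELINE_FILES, CURRENT_FILES))
```

The slide's remark that the modifications left user functionality intact is the reason the check works this way: a replaced binary that still behaves normally is invisible to users, so only a comparison against digests taken before the intrusion reveals it. The baseline and the checker itself must be kept where the intruder cannot reach them, since whoever can replace /bin/login can equally replace a baseline stored on the same host.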


Information theft: Issues

• The economic value of information is increasingly important. There is a huge market for "information brokers" of all shades. Information should be a protected object under criminal law.

• The legal concept of "theft" might require:

– An act of removal: moving a thing from A to B. "Info theft" is an act of copying and/or transmitting information; the original file is left in place, unaltered.

– The object must be a thing. Only things can be removed.

• General or special provisions?

– Information = computer data? => general clause.

– Electronic copyrighted material cannot be considered as information in general, and information society services need special regulation.

– Only information of a qualified type, such as business secrets, can be subject to theft.


Information theft: Issues

• Norway:

– Today: No general criminal provision that covers information theft.

– The traditional theft provision in § 257 is not applicable ("removal" / "thing").

• NOU 2007: 2: Recommendation:

– Unauthorised copying, transmission or interception of electronic data and information should be criminalised.

– The provision should apply indiscriminately to electronic data as such, no matter the content of the data.

– I.e. a general provision covering all data, including but not limited to data containing copyrighted material, information society services and qualified information.


Information fencing and self-laundering

• UN Conventions against money laundering and self- laundering etc.

• Can information be considered to be proceeds of a criminal offence?

– Rt. 1995 s. 1872 (a stolen PIN code for a telephone service, traded for a certain amount). Norwegian Supreme Court: "The PIN code is of economic value and may be traded => it is a proceed of a criminal offence within the meaning of § 317".

– "Password case" from 2003: 650 000 passwords leaked / copied from an internet service provider.

– Trading of credit card numbers, passwords etc. is common.


Scanning activities

• Is done regularly as preparation for the commission of an offence.

• Arguments:

– It is not an offence to watch a house from the outside and notice an open window that can be used to climb through. Why should it be an offence to watch a computer from the outside?

– The analogy is false. Computer scanning implies direct electronic contact between the observer and the observed, and vulnerabilities can be exploited instantly.

– How can a system security guard check the system if he is not allowed to scan for weaknesses? Answer: Such conduct is authorised and cannot be considered illegal.

– It is impossible to protect against scanning. Answer: Normative/preventive argument: At least a prohibition makes it clear that the conduct is not acceptable.
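To make the "direct electronic contact" point concrete: a scan is a series of connection attempts, and each one is an event the observed host can log, which is also why the "impossible to protect against" argument is only half true (a scan cannot be prevented, but it can be seen). The following is an added example, not part of the lecture: it reads constructed firewall-style log lines in a made-up format (epoch seconds, source IP, destination IP, destination port) and flags source/destination pairs that touch at least a threshold number of distinct ports within a sliding time window. The window, threshold and the authorised-scanner allowlist are assumptions chosen for illustration.

```python
"""Port scan detector over constructed firewall-style log lines. Added example;
the log format (epoch seconds, source IP, destination IP, destination port) and
every address below are made up for illustration."""
from collections import defaultdict

# Constructed log: 10.0.0.9 probes twelve ports on 192.0.2.10 within six seconds
# (the trace a scan leaves on the observed side); 10.0.0.5 is an ordinary client.
LOG = """\
1000 10.0.0.5 192.0.2.10 443
1001 10.0.0.9 192.0.2.10 21
1001 10.0.0.9 192.0.2.10 22
1002 10.0.0.9 192.0.2.10 23
1002 10.0.0.9 192.0.2.10 25
1003 10.0.0.9 192.0.2.10 53
1003 10.0.0.9 192.0.2.10 80
1004 10.0.0.9 192.0.2.10 110
1004 10.0.0.9 192.0.2.10 139
1005 10.0.0.9 192.0.2.10 143
1005 10.0.0.9 192.0.2.10 443
1006 10.0.0.9 192.0.2.10 445
1006 10.0.0.9 192.0.2.10 3389
1050 10.0.0.5 192.0.2.10 80
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        events.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return events


def find_scanners(events, window=60, threshold=10, authorised=frozenset()):
    """Return {(src, dst): most distinct ports seen in any `window`-second span}
    for pairs that reach `threshold` distinct ports; sources in `authorised`
    (e.g. the organisation's own vulnerability scanner) are ignored."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        if src not in authorised:
            by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, probes in by_pair.items():
        probes.sort()
        in_window = defaultdict(int)  # port -> number of probes inside the window
        start = 0
        for ts, port in probes:
            in_window[port] += 1
            # Drop probes older than the window from the left edge.
            while ts - probes[start][0] > window:
                old = probes[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits[pair] = max(hits.get(pair, 0), len(in_window))
    return hits


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(parse_log(LOG)).items():
        print(f"{src} scanned {dst}: {ports} distinct ports in one window")
```

The "system security guard" argument maps onto the `authorised` allowlist: authorised scanning is not distinguished by how it looks on the wire but by who runs it, so it is excluded by source, not by a different detector. A slow scan spread over hours evades a 60-second window, so window and threshold are tuning choices, and a determined scanner can always stay under them.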


Identity theft, more precisely: use of a false identity: Issues

• Theft: Use the identity of another person or corporation etc.

– Is a usual part of phishing

– Can also be used in order to smear another's reputation

• Use of completely fake identities can also be detrimental, e.g. when used to get in contact with kids for sexual purposes.

– What about nicknames, i.e. common practice?

• Norway: Recommendation: to criminalise illegal use of a false identity. Whether illegal or not depends on context, on sound recommendations (e.g. from Save the Children) and on the context in the electronic environment.


Spam - (”ViA_Gr_A”)

• Threatens to undermine the functioning of email

– Up to 80 % of all email traffic is spam.

– OECD Anti-Spam Toolkit of Recommended Policies and Measures of 13 April 2006

• Why use spam:

– The most cost-effective marketing tool

– No cost, large-scale distribution, long-distance reach.

• Norway: Recommendation:

– To transfer the current prohibition from the Unfair Marketing Practices Act to the Criminal Act, and make the prohibition general and not linked to the existence of a commercial activity or to the recipient being a private consumer.


Phishing (i.e. fraudulent information harvesting)

• Involves identity theft for economic gain. Trades on the good reputation of another individual or organisation. Fraudulent activity.

• Usually distributed as spam

• Problem: The act represents information harvesting on false premises, but the actual use of the information happens later. Therefore phishing cannot necessarily be considered fraud, or a criminal attempt to defraud.

• The information harvested can be sold (information fencing), used to empty accounts etc.


Additional Protocol (ETS 189) January 2003

• Racist and xenophobic material should be as criminal when distributed over an electronic network as when distributed on paper or by broadcasting.

• Controversial provision: Article 6: "Denial, gross minimisation, approval or justification of genocide or crimes against humanity"

– Protected by the US Constitution (First Amendment).

– Protected by the Human Rights Convention art. 10, but can be criminalised by law if necessary and not contrary to the principle of proportionality.

– Norway: No such criminal provision as per today. It has been recommended to make a reservation to art. 6. (NOU 2007: 2 chapter 7).


Anonymity

• Very useful for criminal purposes.

• Why not use an anonymizer, which is a legal service?

– Because the commands you need to use will not be allowed under the rules of the anonymizer, whose purpose is normally to enable free, unimpeded speech, not to facilitate criminal acts.

– And an anonymizer might keep logs that can be handed to the police, even if the headers are stripped off the data packets and emails.

• Remember to be anonymous at all stages, from the scanning activity to the actual offence (e.g. the SMS case, Rt. 2004 s. 94).


Aiding / abetting – corporate liability

• Directive on electronic commerce: 2000/31/EC

• The service provider has no liability for information transmitted (art. 12 - mere conduit), temporarily stored (art. 13 - caching) or stored (art. 14 - hosting).

• Except (art. 14) when it has actual knowledge and does not act expeditiously to remove or disable access to the information.

• Art. 15: No general obligation to monitor

– But specific obligations can be imposed, e.g. to scan for child porn