Remarks on Draft Convention on Cyber-crime (Draft N° 19)

EUROPEAN COMMITTEE ON CRIME PROBLEMS (CDPC)

COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE (PC-CY)

Associazione Italiana per la Sicurezza Informatica: CLUSIT

Copyright 2000 – CLUSIT – http://www.clusit.it

CLUSIT analyzed the “Draft Convention on Cyber-crime” released by the Council of Europe in order to evaluate both its applicability and its impact on the European computer security community. The following comments and suggestions are the result of that process. The first section reports our remarks on the draft itself; the second, drawing on our experience in the field, offers general comments on the cyber-crime phenomenon and on the measures to be adopted for fighting it.

1. Draft Remarks

We believe that a law on computer crime should be characterised by:

  • Clarity of the law and of its procedures;
  • Respect for the civil rights of both the victim and the alleged offender, which requires clear rules on evidence gathering, data seizure and computer searches;
  • Criminal liability, even for mere negligence (culpa), for failing to adopt security measures;
  • Flexible sanctions, so that children and young offenders are not sent to prison but given alternative measures (community service, parole).

Based on these assumptions, we suggest a revision of the following articles:

Article 6 – Illegal devices

Most of the “devices” mentioned in this article actually belong to the standard kit of any ICT security professional. Such devices are indeed used to penetrate a system or a network, but with the legitimate goal of verifying the security level of the system under test. This practice has been common for many years and has proved quite effective as a proactive security measure, which is why the ICT security community has invested considerable research effort in identifying and developing new intrusion techniques and tools.

Thus it is important to state explicitly in Article 6 that the creation, distribution and use of one of the devices listed there is a criminal act only when the act is clearly directed at producing damage. This way security professionals, universities and all “white hat” practitioners can continue to study attacks and find countermeasures.

Article 10 – Copyright and related offences

We suggest introducing the notion of “fair use” for intellectual-property (IP) protected materials and stating clearly how such cases are to be handled. While large criminal organisations involved in IP infringement must obviously be prosecuted and convicted, it is useless and contra jus to treat private or not-for-profit exchanges of IP materials as criminal. The risk we foresee is that laws promoted to protect particular interests may turn into a limitation of the freedom of citizens. Another issue that should be addressed is how a user can prove to a law enforcement agency that he is a legitimate software user: users who buy software on the Internet have no legal evidence with which to show that they have not infringed the law.

Article 12 – Corporate liability

In some jurisdictions (such as Italy) societas delinquere non potest: there are constitutional limits to the criminal liability of corporations.

Article 13 – Sanction and measures

We suggest setting up a general clause of liability for not adopting security measures. Inadequate security measures should give rise to criminal liability, even for mere negligence (culpa).

Given the criminological profile of computer crime, the law should be more flexible, so that children and young offenders are not punished with prison but with different sanctions such as community service, parole and the like.

Article 14 – Search and Seizure of Stored Computer Data

Our experience with computer intrusions has taught us that in most situations seizing the computer is useless; it is absolutely useless for peripherals such as printers, mice, monitors and scanners. We would like to see a statement indicating that the seizure of a computer is an extreme measure to be taken in the prosecution phase. Where seizing a computer system is required, rules have to be established granting people the right to get back at least a copy of the seized data within a reasonable time.

Article 15 – Production Order

The production order should be authorised by a Court and not be an act of the prosecutor or of law enforcement agencies.

2. General Comments on Cyber-crime

Computer crimes have been numerous in the USA as well as in Europe since the 1970s and 1980s (as Prof. Ulrich Sieber reminds us in his “International Handbook on Computer Crime”, New York 1986). On the basis of our experience we believe that, besides the adoption of specific laws, further aspects need to be addressed for an effective fight against computer crime. These aspects are:

More synergy between legislators and security professionals: legislators often lack a clear perception of the legal issues raised by technology; this results in imprecise (criminal) laws and, once in Court, in fewer chances of prosecuting (and convicting) actual criminals.

Special measures for computer intrusion victims who report the intrusion to public authorities: a high number of entities (especially companies) suffer computer-crime damages without asking public authorities and law enforcement for help.

Special training of law enforcement agencies and public prosecutors: criminal investigation laws are poorly conceived. Prosecutors – with few bright exceptions – seize entire computers (including monitors, mouse, mouse mat, printers, modem, loudspeakers), even in cases where just taking a copy of the suspicious data or removing only the hard disk would be enough.

Development of forensic and investigative tools by security professionals: the issues related to evidence collection deserve discussion. There are no clear rules for searching, collecting and storing digital evidence. This uncertainty affects even wiretapping and digital interception, especially when a prosecutor must rely on evidence “generated” and handled by other parties, such as ISPs. Seen in this light, a log file is nothing more than a string of characters that may be edited, modified or created from scratch without leaving any trace and with no proof of authenticity. Should allegations be based on such volatile data?
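The following is an added example, not part of the CLUSIT document, illustrating one of the forensic tools the paragraph asks security professionals to develop. A plain text log offers a verifier nothing to check, so editing a line leaves no trace. If instead every record carries an HMAC over its own content and the previous record's HMAC, and the key is held by a party other than the system writing the log (an escrow agent or the prosecutor, for instance), then editing, deleting or re-generating records breaks the chain at a detectable point. The verification key and the sshd-style log lines below are constructed for the example.

```python
"""Tamper-evident (hash-chained, HMAC-authenticated) log records.

Added example, not code from the CLUSIT document.  SAMPLE_KEY and
SAMPLE_LINES are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample key.  In a real deployment it is generated once and held
# by a party other than the system that produces the log.
SAMPLE_KEY = b"example-verification-key-do-not-reuse"

# MAC "of the record before the first one": anchors the chain.
GENESIS = "0" * 64

# Constructed log lines in syslog style.
SAMPLE_LINES = [
    "2000-09-12T10:41:03Z sshd[812]: Failed password for root from 10.0.0.7 port 4411",
    "2000-09-12T10:41:09Z sshd[812]: Failed password for root from 10.0.0.7 port 4412",
    "2000-09-12T10:41:15Z sshd[812]: Accepted password for root from 10.0.0.7 port 4413",
    "2000-09-12T10:42:01Z su[830]: + pts/0 root-nobody",
]


def _mac(key: bytes, seq: int, prev_mac: str, msg: str) -> str:
    """HMAC-SHA256 over (seq, previous MAC, message), framed unambiguously as JSON."""
    payload = json.dumps([seq, prev_mac, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain: list, msg: str, key: bytes = SAMPLE_KEY) -> dict:
    """Append one record, linking it to the MAC of the record before it."""
    seq = len(chain)
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": seq, "msg": msg, "mac": _mac(key, seq, prev_mac, msg)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = SAMPLE_KEY):
    """Return (True, None) if every record verifies, else (False, first_bad_index).

    A wrong sequence number (a deleted or inserted record) or a MAC that does
    not match (an edited record, or a record authenticated with another key)
    stops verification at the first record where the chain breaks.
    """
    prev_mac = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return False, i
        expected = _mac(key, i, prev_mac, entry.get("msg", ""))
        if not hmac.compare_digest(entry.get("mac", ""), expected):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def build_sample_chain(key: bytes = SAMPLE_KEY) -> list:
    """Build the chain for the constructed sample lines."""
    chain = []
    for line in SAMPLE_LINES:
        append_entry(chain, line, key)
    return chain


def tamper_scenarios(key: bytes = SAMPLE_KEY) -> dict:
    """Apply three kinds of tampering and report where verification fails."""
    chain = build_sample_chain(key)
    results = {"intact": verify_chain(chain, key)}

    # 1. Edit the content of record 2 (change the source address).
    edited = copy.deepcopy(chain)
    edited[2]["msg"] = edited[2]["msg"].replace("10.0.0.7", "10.0.0.9")
    results["edited_record_2"] = verify_chain(edited, key)

    # 2. Delete record 1: record 2 now sits at index 1 with seq == 2.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    results["deleted_record_1"] = verify_chain(deleted, key)

    # 3. Regenerate the whole chain without the real key: breaks at record 0.
    refit = []
    for entry in chain:
        append_entry(refit, entry["msg"], b"attacker-guessed-key")
    results["recomputed_with_wrong_key"] = verify_chain(refit, key)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The chain only proves that records were not altered after they were authenticated; it says nothing about whether the producer logged the truth in the first place, and if the producer also holds the key it can rewrite the chain at will. That is why the key must sit with an independent party, and why the same principle (record a cryptographic hash at the moment of acquisition) applies to copies of seized data.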

Development of a special programme for spreading a computer security culture: many experts in the field agree that the diffusion of cyber-crime is mainly due to the lack of proactive security measures on Internet hosts, together with the lack of awareness of the problem at all levels of our society: universities, industry, public administration, etc. The situation is even worse in Europe, where very few institutions are concerned with ICT security. We are strongly convinced that one of the measures to consider for fighting cyber-crime in the EU is the adoption of a special plan to promote and spread a computer security culture across our continent.

Conclusion

The problem of cyber-crime is multi-faceted and cannot be solved by legislative measures alone. It requires a series of coordinated actions at different levels of our society, in particular much stronger cooperation between law enforcement and the various institutions involved in the field. In this document we have reported the items which in our opinion need to be considered; our list does not pretend to be exhaustive.

CLUSIT is available to give all the assistance and suggestions it is able to provide.
