Observations on a Possible Agenda for a Workshop in Conjunction with the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders

Observations on a Possible Agenda for a Workshop on Computer-Related Crime, to be held in Conjunction with the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders

P.N. Grabosky Australian Institute of Criminology GPO Box 2944 Canberra 2601 Australia

Peter.Grabosky@aic.gov.au

Views expressed herein are those of the author and not necessarily those of the Australian Government.

Introduction

The field of computer related crime is so vast that it cannot be dealt with comprehensively in a two-day Workshop. The following pages suggest some issues which might serve as the focus of such a gathering. Following a brief statement of the global setting and the context of the Workshop, a selection of possible issues is presented for consideration.

The Global Setting

The takeup of information technology may be expected to continue its dramatic trajectory overall, but the nature of this trajectory will vary substantially within and between nations. At an international forum such as the one proposed, it might be best to devote some time to some of the issues which might be of interest to those nations whose technological capacities are in the relatively early stage of development.

Despite the trends towards convergence and harmonisation which characterise the globalizing process, strong differences in culture and values still persist across nations. It might thus be preferable to focus on generic questions rather than more cultural specific issues such as the definition of pornography.

The context

The Workshop participants are likely to be drawn primarily from policy and operational backgrounds, rather than from academia. As such, the content should be as practical as possible. This is not to suggest that certain basic human rights issues should be ignored, but rather that one should not dwell too long on theoretical matters. It is suggested in general that case-study material might be a useful medium for imparting basic ideas and principles.

Although the first line of defence against computer related crime should be prevention, the world of information security would arguably be better addressed in other fora. The limited time available at the proposed Workshop would be better spend addressing issues of investigation and prosecution.

Possible Issues for Consideration

1. Privacy vs Law Enforcement

The balance between the interests of individual privacy and the imperatives of law enforcement is an issue confronting every nation. Privacy becomes an increasingly important consideration as developments in information technology permit tracing and matching of identities and transactions to an extent heretofore unprecedented. The challenges faced by law enforcement become even greater with the increasing availability of cryptography. While sovereign states will strike their own balances between individual rights and the interests of the state, it may be useful for participants to be exposed to a variety of perspectives, and the experience of those nations which have addressed the issue more fully.

2. International Best Practice in Investigation

The digital age has already seen a number of large scale investigations of trans-national computer-related crime. Among the more recent was Operation Cathedral, led by Britain’s National Crime Squad, which entailed simultaneous raids on suspects in fourteen nations in September 1998. The degree of co-operation and co-ordination involved in such an undertaking may be atypical, but it may provide a good illustration of how jurisdictions can collaborate to interdict crime in cyberspace. It may also provide an interesting picture of how different jurisdictions deal with similar offences.

A more common transnational offence may only involve two nations. In order to illustrate the dynamics of bi-lateral cooperation, it may be useful to revisit one or more typical cases step by step to see how the parties handled the matter, in terms of division of labour in the processes of detection, investigation and prosecution.

3. International Best Practice in Harmonisation of Law and Policy

Considerable achievements have already been realised in the development of international agreements. Work of the OECD in encryption policy and content regulation is illustrative. In addition, a good deal of progress is being made in other specific policy areas, such as consumer protection, where agencies have begun to cooperate in the sharing of information and enforcement techniques. A descriptive overview of the growth of international co-operation in one such policy area might be instructive.

4. Hybrid models of investigation

The capacity of many, if not most, law enforcement agencies to deal with computer- related crime is limited. In some jurisdictions, this may be compounded by the ease with which a technically competent law enforcement officer may be able to earn a much higher salary in the private sector. For law enforcement agencies to keep abreast of developments in computer-related crime may thus require some harnessing of non-governmental resources in furtherance of investigation. This might entail outsourcing, subcontracting, the engagement of temporary consultants, or receiving personnel on loan or secondment from other organisations in the public or private sector. Some attention could be devoted to how this is done, and with what success. Those who have travelled down this path might also be in a position to identify potential pitfalls.

5. Responsibilities of Telecommunications Carriers and Service Providers

The extent to which the telecommunications industry may be required to assist in the control of computer related crime will vary depending on the law enforcement and regulatory philosophies of respective nations. These will vary from the laissez faire to those which require carriers and service providers to be alert for, and to report, suspected criminal activity or to facilitate telecommunications interception by law enforcement agencies. An overview of basic models of law enforcement and regulation may assist some nations in developing their regulatory policy.

6. Noticeable failures

Few people like to dwell on their mistakes. But those who forget the past may be condemned to relive it. A review of selected policies or investigations which have met with failure can be instructive. We do not investigate aircraft accidents because we wish to discourage people from flying; on the contrary, we investigate because we want to enhance aviation safety. So too with unsuccessful investigations of computer related crime.

Many policy interventions have unintended consequences. Some of these consequences may be very disadvantageous. A review of some of the downside risks of some policies aimed at the control of computer-related crime might be informative.

7. Case studies of computer crime.

One could select one or more computer-related crimes and analyse them in accordance with the following framework

  • The nature of the crime and the degree of harm it produced
  • Organisational and regulatory shortcomings which facilitate the commission of the crime in question
  • Difficulties arising in the detection, investigation, and prosecution of the offence
  • The outcome of the legal process;
  • Countermeasures which would minimise future risk of the crime in question, without inflicting collateral harm.

This would provide an introductory perspective to those participants who might lack advanced knowledge of the subject.

8. A model framework for the control of computer crime.

What would the ideal array of countermeasures look like? Is there a basic legal framework which is adequate to cover the basic types of computer crime? Is there anything approaching an international benchmark for rules of evidence? Is the law relating to search and seizure adequate? Is there one jurisdiction which embodies the best set of solutions, or does exemplary wisdom reside in a numbers of nations?

9 Encryption

The “democratisation” of cryptography has placed this powerful technology, once the monopoly of governments, in the hands of ordinary citizens. While cryptography is arguably essential for the flourishing of electronic commerce, destined to become the dominant medium of commerce in the new millennium, it is also a boon to criminals and thereby a formidable challenge to law enforcement. A review of national policies relating to the use of cryptography, for legal and illicit purposes, may assist a number of nations in policy development.

10. Emerging technologies

The pace of technological change is such that new technologies may be expected to emerge which will have significant bearing on the facilitation of computer crime and/or its control. Some discussion of what we might expect from the future might enable policy makers to engage in anticipatory planning.

11. Models for training

The uneven development of expertise across nations in matters relating to computer crime and its control suggests the desirability of programs to facilitate technology transfer. While a complete inventory of governmental and non-governmental opportunities for training of criminal justice professionals might not be feasible, some of the more comprehensive and established programs could be described for the benefit of prospective participants.

12. Lessons from “low technology” cases

Issues of jurisdiction, foreign prosecution, cross border search and seizure, and the like are by no means confined to computer-related crime. A number of lessons may be learned from those more “conventional” criminal matters which have arisen in recent years, such as the bombing of the US Embassy building in Nairobi, and proposals for the trial in the Netherlands of those accused of the Lockerbie bombing. A review of issues arising in these and lesser-known cases which may have applications to the prosecution of computer-related crime may be instructive.

13. Potential abuse of power

The new technologies for the investigation of crime may not always lend themselves to the pursuit of justice. Technologies of surveillance and monitoring are in some nations, currently without precedent, and their potential for abuse is real. Some attention might be accorded the risk of abuse of power through computer-related technology, and mention made of those institutions and other safeguards which have been introduced in some nations to safeguard human rights.

14. Mechanisms for Expediting Assistance

The rapidity of contemporary telecommunications is such that cross-jurisdictional assistance in detecting and investigating computer-related crime may be required almost instantaneously. The importance of designating responsible personnel who are able to assist on a 24-hour round-the-clock basis is receiving increased recognition. Case material illustrating the importance of prompt response, and a review of models of “hotline” services will further raise awareness of this issue.

Conclusion

The above list is by no means exhaustive. It was compiled with a view towards informing a fairly cosmopolitan Workshop audience, and towards steering a course between broad generalities and minute detail.