Notes on Discussion Guide for the Expert Meeting: Issues Relating to the Investigation of Computer Crime

Peter Grabosky, Australian Institute of Criminology, GPO Box 2944, Canberra 2601, Australia

Views expressed herein are those of the author and not necessarily those of the Australian Government.


The following pages address issues raised in the document entitled “Discussion Guide for the Expert Meeting”. This paper is divided into two main parts. Part One discusses generic issues relating to the detection and identification of an offender, and the search and seizure of evidence in electronic form. Part Two discusses issues specific to the transnational aspect of computer-related crime.

Part One: Issues Relating to Detection, Search and Seizure

1.1 Securing the Assistance of Telecommunications Carriers, Service Providers, and Other “Third Parties” who Might Assist in the Detection and Reporting of Criminal Activity.

The availability of such assistance will reflect the telecommunications regulation and criminal procedure laws in various jurisdictions, as they are balanced with other laws for the protection of citizens’ privacy. Some nations may require carriers and/or service providers to be licensed, and to incorporate an interception capability into their service. Some may legally require carriers and providers to offer reasonable assistance to law enforcement agencies in the enforcement of the criminal law. In some nations, law enforcement agencies enjoy good informal relations with carriers and service providers and are able to enlist their assistance without invoking the law. This assistance can include disclosure of a suspect’s identity and address.

The question may still remain as to whether the co-operating person or persons have provided all relevant information, and have done so in a manner which preserves its evidentiary value.

1.2 Unilateral activities in furtherance of detection.

Laws relating to telecommunications interception and the conduct of criminal investigation within a jurisdiction will govern whether an investigator may enter a computer system to introduce software (sometimes referred to as “packet sniffers” and “hostile Java applets”) which may assist in identifying the source of a communication. Similar technologies can enable remote monitoring of a target computer. Whether it is legal for law enforcement agencies to engage in this activity to obtain information for criminal intelligence purposes (as opposed to evidentiary purposes) will depend on the law prevailing in each jurisdiction.

The extent to which a law enforcement officer may impersonate a prospective victim or co-offender will also vary. In some places, investigators have posed on-line as children in order to flush out suspected child molesters. In addition, law enforcement officers have sought to purchase illegal goods or services over the internet, with a view towards gathering evidence against a suspect.

1.3 Issues Relating to Search and Seizure.

In most modern legal systems, both the interception of telecommunications and the search and seizure of an individual’s property will require a warrant issued by a judicial official. The scope of these warrants, that is the duration of interception and the nature of materials to be seized, is generally precise and limited. A basic principle is that a warrant should be based on probable cause that an offence has been committed, that the search would discover evidence of the unlawful activity, and that the warrant should describe the location of the proposed search and the nature of the evidence to be seized. It is commonly prescribed that the scope of the warrant should be no wider than necessary.

Some jurisdictions may enact legislation which authorises access to information which is accessible through, rather than stored in, a target computer. A warrant may thus authorise an investigator to use a computer system to search any data contained in or available to the system. One notes that this is extremely broad, as it can include all information on the internet, on-line services, and indeed, data contained in any computer equipped with a modem and a telephone connection.

Legislation can also explicitly provide for copying evidential material in documentary form, or onto another storage medium, and removing that material from the premises.

Legislation may also permit securing computing equipment for a prescribed period pending the availability of expert assistance in obtaining evidence contained therein.

Whether the warrant should extend to the entire computer, software, or data contained in the computer will depend upon the role of the computer in the offence. It may only be appropriate to seize a computer when it is the instrumentality of the crime, as opposed to a mere storage device. The same principle may apply to other components of a computer system. Again, it is commonly prescribed that the scope of the warrant should be no wider than necessary. This is particularly important when the computer system in question is integral to the operation of an ongoing business.

In some instances, the question may arise whether to remove equipment or files from the premises. At issue here is the duration and intrusiveness of the process. It may be less of an infringement on the privacy of the suspect to remove files, rather than search them in situ if the search in question would require the presence of law enforcement officers over an extended period of time. In addition, investigators may be required to avoid unnecessary examination of non-relevant records.

One could envisage circumstances in which incriminating evidence has been intentionally disaggregated and dispersed across several computer systems. In such instances, warrants might include information which allows reconstruction of the information in question.

In some cases, a search may uncover incriminating evidence not originally envisaged or specified in a warrant. This new evidence may or may not be admissible depending upon the law prevailing in the given jurisdiction. Under Australian law, it is permissible to seize other things found at the premises in the course of the search that the executing officer or a constable assisting believes on reasonable grounds to be:

    (i) evidential material in relation to an offence to which the warrant relates; or

    (ii) evidential material in relation to another offence that is an indictable offence;

In some jurisdictions, exigent circumstances may justify seizure in the absence of a warrant if there is a risk that the evidence in question may be destroyed.

1.4 Encryption

The widespread availability of cryptographic technology poses new challenges for law enforcement. Responses to this challenge may entail one or more of the following:

  • Prohibition of the use of encryption in private communications.
  • Selective authorization for the use of cryptography by specified persons.
  • Requirement that the cryptographic key be held in escrow by the government or trusted third party, and accessible only in furtherance of a duly issued warrant.
  • Provision for compulsory decryption by the subject of an investigation.
  • Additional penalties for the use of cryptography in furtherance of criminal activity.
  • Use of technology to break the encryption code.

The availability of any of these options may depend upon the extent to which a nation’s constitution and laws provide for freedom of expression and/or safeguards against self-incrimination.

An additional consideration arising when evidence is decrypted relates to validation by judicial officers that the decrypted evidence was in fact the original of the encrypted data.

Part Two: Issues Relating to Transnational Aspects of Computer Crime

The digital age has created unprecedented opportunities to commit offences from one jurisdiction against victims in another jurisdiction. This poses unprecedented challenges to agencies of criminal justice and increases the necessity of international co-operation.

2.1 Sovereignty

Nations differ in their approaches to sovereignty. In some jurisdictions, laws may bar foreign officials from investigating criminal activities or from performing judicial functions. In others, the law may permit foreign criminal justice officials on their soil under limited circumstances. These circumstances may be outlined in treaties or other instruments relating to mutual assistance in criminal matters.

Assertions of sovereignty by a given nation may vary over time. Increasing “hospitality” to foreign officials will depend upon the perceived self interest of the host nation. Governments might be encouraged to develop mechanisms to facilitate mutual assistance in all criminal matters, including computer-related crime.

2.2 Jurisdiction

Assertions of jurisdiction by a given nation may also vary over time. Some will define a specified act by their own citizens anywhere in the world as an offence punishable under their own criminal laws. An illustrative example of such extraterritorial jurisdiction is the Australian Crimes (Child Sex Tourism) Amendment Act of 1994, which makes it an offence for a citizen or resident of Australia to have sex with a child under the age of 16 anywhere in the world. Other nations will assert jurisdiction over activity adversely affecting their national interest or the well-being of their nationals, wherever it takes place. Others still may assert jurisdiction over an offence any element of which occurred on their own soil.

2.3 Supranational jurisdiction

The prospects for a supra-national jurisdiction for computer networks would appear to be constrained by the diversity of substantive and procedural laws currently existing around the world. A more realistic alternative would appear to entail the gradual accretion of bilateral and then multilateral agreements.

These are unlikely to develop overnight, but rather after considerable education and consensus building. The global expansion of national measures to combat money laundering under the auspices of the Financial Action Task Force (FATF) may be a useful recent example.

2.4 Mutual Assistance

The existing framework of mutual assistance can provide a partial solution to issues of cross-border investigations of computer-related crime. It can provide the foundation for agreement on a case-by-case basis regarding how two jurisdictions will handle the investigation and prosecution of a trans-national offence.

2.5 Foreign Prosecution

As an alternative to cross-border investigation and extradition, arrangements may also be reached whereby an offender residing in Country A, having offended against a victim in Country B, may be prosecuted by authorities in Country A under the laws of Country A.

2.6 Joint investigation

The question of which rules of evidence and procedure will prevail in a case involving trans-national offending will depend upon the laws of those nations involved. It would appear that the enforced country would be in a position to specify the conditions for a joint investigation and the degree of protection accorded a suspect/accused. Similarly, the enforced country would be liable in the first instance for any damages suffered in the course of an investigation. Some enforcing nations accord less protection to foreign nationals on foreign soil than they would accord their own nationals at home.

2.7 A basic framework for international co-operation, and the endorsement of model laws.

The dual criminality test is almost always required for mutual assistance in criminal matters. International cooperation in the investigation of computer-related crime would be facilitated by the existence of a basic legislative framework defining fundamental forms of conduct as criminal. These might include unauthorised access to or use of a computer, unauthorised destruction or alteration of data, and unauthorised use, possession or traffic in computer passwords. They might also include possession, manufacture or sale of devices to obtain computer services without authorisation.

It would also be desirable to develop expertise in law enforcement agencies and justice ministries relating to mutual assistance in general, and computer-related crime in particular. The importance of designating responsible personnel who are able to assist on a 24-hour round-the-clock basis is receiving increased recognition.