UNITED NATIONS EXPERT MEETING ON

UNITED NATIONS EXPERT MEETING ON
“INVESTIGATION OF COMPUTER NETWORK CRIME”

Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders (UNAFEI) Tokyo, Japan

October 5-9, 1998

SCOPE AND UNDERLYING ISSUES OF THE WORKSHOP TO BE HELD DURING THE TENTH UNITED NATIONS CONGRESS

ON THE PREVENTION OF CRIME AND THE TREATMENT OF OFFENDERS

Donald K. Piragoff*

A. Background

Examination of computer-related crime questions has already occurred to some degree at the international and regional levels. A number of recommendations have been made by various international organizations. In 1986, the OECD published Computer-related Crime: Analysis of Legal Policy,1 a report that surveyed the existing laws and proposals for reform in a number of Member States and recommended a minimum list of abuses that countries should consider prohibiting and penalizing by criminal laws.

In 1989, Recommendation R(89)9 of the Council of Europe2 adopted a set of guidelines for national legislatures in which the “minimum list” of OECD was expanded considerably by adding other types of abuses that were recommended as deserving of the application of the criminal law. The report of the Select Committee of Experts on Computer-Related Crime of the Committee on Crime Problems, which examined these questions, also addressed other areas, such as privacy protection, victims, prevention, procedural issues such as the international search and seizure of data banks, and international cooperation in the investigation and prosecution of computer crime.

In 1990, the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders adopted a resolution in which it, inter alia, called upon Member States to intensify their efforts to combat computer crime by considering, if necessary, the following measures:

– Modernization of national criminal laws and procedures;

– Improvement of computer security and prevention measures;

– Adoption of adequate training measures;

– Elaboration of rules of ethics in the use of computers.

In its resolution, the Eighth Congress also recommended that the United Nations Committee on Crime Prevention and Control should promote international efforts in the development and dissemination of a comprehensive framework of guidelines and standards that would assist Member States in dealing with computer-related crime and that it should initiate and develop further research and analysis in order to find new ways in which Member States may deal with the problem of computer-related crime in the future. It also recommended that these issues should be considered by an ad hoc meeting of experts and requested the Secretary-General to consider the publication of a technical publication on the prevention and prosecution of computer-related crime.

Canada, with the assistance of a multi-national group of authors, produced a manual for the United Nations that is designed to assist states in understanding the problems, becoming aware of a number of solutions that have been recommended and fostering international cooperation. The United Nations Manual on the Prevention and Control of Computer-Related Crime was published in all official United Nations’ languages in 1994.3 The Manual examines the phenomenon of computer crime, substantive criminal law protections, procedural law, crime prevention and international cooperation.

In 1992, OECD developed a set of guidelines for the security of information systems, which is intended to provide a foundation on which States and the private sector may construct a framework for the security of information system.4 The framework includes laws, codes of conduct, technical measures, management and user practices, and public education and awareness.

In 1994, the Association Internationale de droit pénal adopted a resolution on computer-related crime that elaborated some of the points of the Council of Europe Recommendation No. R(89)9, and suggested that the list of the Council of Europe required further refinement and the addition of other types of abuses as candidates for criminalization in light of advances in information technology.

In 1995, Interpol held the First International Conference on Computer Crime which confirmed that a high level of concern exists in the law enforcement community over the spread of computer crime. One of the main concerns of the conference was the lack of a worldwide mechanism or structure to deal effectively and efficiently with computer crime.

In 1995, the Council of Europe adopted Recommendation No. R(95)13 concerning Problems of Criminal Procedural Law Connected with Information Technology.5 The report analyzes a number of problems regarding procedural law and international cooperation and makes a number of recommendations regarding search and seizure of computerized data and computer systems, technical surveillance of computer-system telecommunications, obligations to cooperate with investigating authorities, electronic evidence, encryption, research, statistics and training, and international cooperation. With respect to the latter issue, the report specifically recommended that international agreements be negotiated as to how, when and to what extent transborder search and seizure of data should be permitted. It also recommended improved liaison between investigating authorities and improved mutual assistance instruments and relations in order to expeditiously collect computerized evidence, search and seize, provide traffic data related to the source or destination of a telecommunication and intercept a telecommunication. The report examines the question of problems from the perspective of the investigation of both computer-related crimes and traditional crimes where evidence may be found or transmitted in an electronic form.

In 1997, the Council of Europe struck a new Committee of Experts on Crime in Cyberspace (PC-CY) with a specific mandate to draft an international convention on computer-related crime. The proposed scope of the convention is broad and would criminalize particular forms of conduct and ensure that states enact adequate investigative powers that could be used for both domestic and international investigations. The proposed convention would build on the previous work of the Council of Europe in 1989 and 1995. The Committee is also examining some new areas, such as trafficking in passwords and computer-hacking software, and the liability of Internet service providers for illegal content of communications. It is proposed that the draft convention be finalized by the end of 1999 and would also be open for signature to non-member states.

At the G7 Summit, held in Lyon, France, in July 1996, Heads of Government approved 40 recommendations on transnational organized crime. Recommendation #16 states:

16) States should review their laws in order to ensure that abuses of modern technology that are deserving of criminal sanctions are criminalized and that problems with respect to jurisdiction, enforcement powers, investigation, training, crime prevention and international cooperation are adequately addressed. Liaison between law enforcement and prosecution personnel of different states should be improved, including the sharing of experience in addressing these problems. States are urged to negotiate bilateral or multilateral agreements to address the problems of technological crime and investigation.

The G7 summit in Lyon also mandated officials to work together to implement the recommendations, and in January 1997 a specific subgroup on High-Tech Crime was created to address recommendation #16.

On December 9-10, 1997, Ministers of Justice and Interior of the Eight (ie. G7 states and Russia) met in Washington, D.C. to discuss a number of issues related to organized crime, with particular focus on High-Tech Crime. The Communiqué contains a set of Principles and an Action Plan on High-Tech Crime, the highlights of which include the following:

  • enhancing abilities to investigate and prosecute High-Tech Crime;
  • strengthening international regimes for extradition and mutual legal assistance;
  • recognition that computer systems create legitimate opportunities, but also opportunities for criminal disruption of the new systems and criminal misuse of the systems to commit traditional offences; and
  • the need for a common and co-ordinated approach to the problem which includes:

– ensuring adequate domestic laws dealing with offences and investigative procedures,

– ensuring adequate and available domestic technical experts,

– within the limits of national sovereignty, ensuring the ability to collect and exchange information, including transborder search and seizure, within the time limits required by the nature of High-Tech Crime,

– participation by both government and industry in developing and implementing new systems to prevent crime, facilitate its detection and investigation, preserve evidence and assist in locating offenders,

– ensuring that mutual legal assistance and extradition provisions apply to High-Tech Crimes by ensuring that offences meet minimum standards for dual-criminality and seriousness, and,

– facilitating investigation and prosecution of transnational offences by making video-link evidence available.

The subgroup on High-Tech Crime is currently implementing the Action Plan, and has established a network of high-tech contacts in each state, who are available 24 hours a day, and is inviting other states to join the network. It has also developed some principles for initiating dialogue with industry, and each state of the Eight is conducting consultations with their domestic industry. Work is also progressing on developing principles for transborder search and seizure of computer systems and for determining the source and destination of communications. This latter work is being shared with the Council of Europe committee that is mandated to draft a convention on computer-related crime. The subgroup is also desirous of making contacts with other international organizations to further implementation of the Principles and Action Plan.

G7/P8 Summits in Denver, USA (June 1997) and Birmingham, United Kingdom (May 1998) have re-affirmed the priority to address High-Tech Crime.

The European Union (through DG XIII of the Commission) is conducting a study of computer crime laws in Europe, USA, Japan and Canada, and has also commissioned a number of studies, particularly regarding illegal and harmful content on the Internet. In July 1997, the Council of Ministers of the European Union adopted an Action Plan on organized crime that was developed by a High Level Working Group. Point 5 of the Action Plan recommends that the EU undertake a study to develop a policy on high technology crime. At present, the working group is monitoring the work of the Council of Europe and the G8, and developing a work plan.

The International Organization for Computer Evidence was founded in 1995 as an international forum for law enforcement agencies to exchange information concerning computer investigation and computer forensic issues. It has recently accepted an invitation from the High-Tech Crime subgroup of the Eight to develop forensic standards in the collection and preservation of computerized evidence.

Law Ministers of Small Commonwealth Jurisdictions, at their meeting in Barbados in 1997, considered the subject of computer-related crime and stressed the need for Commonwealth action. The Secretariat, was requested, in cooperation with a group of advisers from a number of members participating at the meeting, to study the problem and examine the development of regulatory frameworks, a model law and effective co-operation mechanisms.

In May 1997, the United Nations Commission on Crime Prevention and Criminal Justice decided to hold a two day workshop on investigation of computer network crime, as part of the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, to be held in April 2000, in Vienna, Austria. The workshop is being organized by the Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders (UNAFEI) in Japan, with the assistance of a number of states.

B. Purpose of the Congress workshops

The workshops at the Tenth United nations Congress on the Prevention of Crime and The Treatment of Offenders are to be practically oriented and provide a forum for policy makers and practitioners to discuss particular issues. Policy formulation, in the nature of setting new norms and standards is to be avoided, as this is the mandate of the Commission on Crime Prevention and Criminal Justice.

C. Scope of the Congress workshop on “Crimes related to the computer network”

The workshop will be for a duration of two days. Rather than address all issues regarding substantive and procedural law, it would be more productive to focus on several issues, with a view to arriving at some type of product or outcome at the end of the workshop.

Currently, at both the national and international levels, there is significant political interest in a number of substantive law issues related to computer systems, particularly the distribution of illegal or offensive material, such as pornography and hate propaganda. Various legal and technological techniques have been discussed, nationally and internationally, to address the problem. However, to a significant degree, the type of conduct impugned is already prohibited by national penal laws (e.g. distribution of child pornography), although national definitions of such legality may differ. Many other traditional crimes, such as fraud, can be committed through the use of computer networks, such as the Internet. In many countries, the existing traditional proscriptions of crime would adequately apply to conduct committed on or through the Internet. In other countries, legal problems may exist with respect to the application of these crimes to a technological environment (e.g., in some countries, the traditional offence of fraud cannot apply where only machines are deceived, as opposed to persons). Likewise, computer hacking, unauthorised access to computer systems, destruction or alteration of data or interference with use of computer systems or data are also of grave concern, particularly where economic or other harm is threatened or caused, including to life or property. Not all countries in the world have adequate substantive laws to address these types of abuses, which many countries regard as crimes. One option for the workshop would be to focus on persuading countries to criminalize various forms of activity.

However, an equally important problem is procedural law. As noted above, in many cases there is little difficulty to apply traditional crimes to computer networks. The major problem facing investigators is not the lack of applicable criminal offences (although this is clearly a problem for many states in regard to some types of traditional crimes and computer-specific crime), but a universal problem of lack of adequate procedural powers, both nationally and internationally, to address the problem. For example, the problem for many countries is not the lack of laws to proscribe the distribution of pornography or financial fraud, but rather the legal and technological inability to trace the origin or destination of such communications on computer networks and to execute search or seizure of the evidence of such crimes. Many countries are aware that abuses are being committed within their territory through computer networks, and many of these countries have laws to proscribe those abuses as crimes. However, law enforcement agencies in these countries are not empowered with the legal or technological tools required to conduct investigations. Improving the ability of law enforcement agencies around the world to investigate computer-related crimes, both nationally and internationally, would assist greatly in stemming computer-related crimes.

With respect to the scope of issues to be addressed, UNAFEI has proposed that the workshop should not address issues of substantive law and, instead, focus on procedural law related to investigation, particularly search and seizure. Given the shortage of time at the workshop, to address both substantive and procedural law problems would result in only a cursory treatment of each. While this type of overview of the problem might be extremely useful for educational purposes, it would not result in any meaningful final product other than education and may not attract knowledgeable participants to the workshop. The present writer would, therefore, propose that UNAFEI’s proposal be accepted, and that the Congress workshop focus on procedural law issues.

Focusing on procedural law issues, however, does not preclude having one introductory session at the workshop on substantive law so that participants have a common information-base about the various international efforts to harmonise substantive law in this area. This session could identify the various types of abuses that have been identified as worthy of criminal proscription. Additionally, substantive law issues, particularly hacking and distribution of offensive content, tend to favour greater public interest and would make the workshop more interesting to other participants of the Congress.

Search and seizure is one very important aspect of computer investigation. However, in a technological environment many of the distinctions between search and other forms of investigative techniques, such as interception of communications, begin to dissipate. Is the obtaining of an e-mail that is stored on a server, whether opened or unopened by its recipient, a search and seizure or a form of interception? If the communication is temporarily stored as part of the transmission process of telecommunications, is an obtaining of the communication at this moment a search and seizure or an interception? How do law enforcement officials know where to execute a search and seizure in respect of a bulletin board (BBS) or an Internet Service Provider (ISP) if they are not first able to identify the points of either origin or destination where the material may be located? Some types of investigations, such as misuse of a company’s computer system, might require monitoring of the communications of particular suspected users.

In result, the compulsory measures or tools that law enforcement requires in order to address properly the various forms of computer-related crime are multi-faceted. They include the ability to search and seize not only tangible computer equipment and peripherals, but intangible computer data. The ability to search and seize intangible data is also required in respect of an entire network and not merely one computer. These requirements also include the ability to determine the source or destination of computer communications and telecommunications, both from past records as well as by prospective monitoring of a communication line to determine this traffic data. At times, it also requires the ability to intercept communications for their informational content in cases where that content reveals evidence of the past or intended commission of traditional crimes or crimes against the confidentiality, integrity or availability of computer systems. Additionally, subject to legal safeguards to protect suspects from self-incrimination, it also requires the ability to legally compel persons to provide technological assistance to law enforcement where that assistance is reasonably required in order to give effect to judicial authorisations or warrants to search, seize or intercept. Therefore, an adequate arsenal of legal tools within a state’s national laws to investigate computer-related and other high-tech crimes would, subject to adequate safeguards, include powers to:

  • search and seize computer equipment and peripherals, such as hard-drives and software;
  • search and seize data (i.e., copy data), without the necessity to seize the medium upon which it is stored;
  • determine the source or destination of computer communications and telecommunications, both retrospective and prospective;
  • intercept computer communications and telecommunications for the purpose of acquiring their informational content; and
  • obligate person to provide assistance that is reasonably required in order to give effect to the above-mentioned powers.

Internationally, these same powers must be available to national authorities in order to enable them to assist other countries in their investigations through mutual assistance mechanisms and procedures. In some circumstances, it might be appropriate for some of these powers to be executed directly across a border into another country.

Therefore, the question arises whether the workshop should address all of these issues? Would there be sufficient time to address these issues in a meaningful way? Can the workshop give primary attention to one or two of these issues, but still give some attention to the other issues? If so, which issues should be the focus of attention? What should be the object of the workshop, and would answering this question assist in determining its scope?

D. Object of the Congress workshop on “Crimes related to the computer network”

What should be the objective or objectives of the workshop? Some of the possible objectives could include any of the following:

  • Provide information on national experiences and international co-operation in the investigation of computer-related crimes.
  • Encourage critical examination by states of their criminal legislation and procedures.
  • Promote co-operation in the exchange of information and expertise between and among states, which may have unequal or varying degrees of expertise.
  • Encourage technical co-operation activities among states with the aim to transfer knowledge and expertise from developed to developing states.
  • Provide a forum where technical co-operation projects could be arranged between states in terms of practical training for officials.
  • Promote harmonisation of legal and technical standards for the collection and preservation of evidence.
  • Provide information and exchange experiences on the establishment of specialised computer crime units in law enforcement agencies.
  • Promote greater co-operation between law enforcement and the computer and telecommunication industry with respect to investigation issues.
  • Develop a plan to strengthen international co-operation in the investigation of computer-related crimes.
  • Propose recommendations on the types of national procedural laws that states should have to investigate computer-related crime.
  • Propose recommendations to guide states in enacting laws or negotiating agreements concerning trans-border search and seizure of computer systems.
  • Propose recommendations to guide states in enacting laws or negotiating agreements concerning the determination of the source or destination of trans-border computer communications or telecommunications.
  • Provide information on the above issues for the purposes of education and to encourage states to enact the necessary legislation.

The above-list is only exemplary, and other objectives could be posed. Whatever may be the extent of the list, the workshop cannot attempt to meet or satisfy all of the above objectives. The duration of the workshop is only two days, and it is not known whether there will be other preparatory meetings in addition to the present meeting at UNAFEI in order to prepare for the workshop.

Some of the objectives, such as developing a set of principles or recommendations to govern multi-lateral relationships in trans-border search and seizure or in the determination of the source or destination of communications, have been under significant study (numerous days, amounting weeks to be exact) in other multilateral groups or organisations, such as the G8 and the Council of Europe. This is due to the novelty of the issues and the need to balance national sovereignty with practical law enforcement necessity. Two days within a United Nations forum, with greater state representation and political views, is not likely to produce concrete results in this area. If one or more of these international organisations or groups makes public their work prior to the Congress, such could be the subject of an information exchange and discussion at the workshop. It is unlikely that other states from other regions of the world would merely endorse the solutions proposed by such organisations or groups without significant examination and input from these other regions. Two days is insufficient to achieve that type of consensus. Nevertheless, the presentation and discussion of recommendations proposed by other groups serves an educational function and sensitises other states about the need for action.

Would the workshop be meaningful if it were to provide merely a forum for the recounting of national experiences in the area of procedural laws and practices? Such a structure has the danger of the workshop becoming a long litany of recounts of national experience, without any meaningful product at the end other than diffuse knowledge about what other states are doing? On the other hand, a sharing of national experiences by some states would have clear educational benefits for other states. The problem is to ensure that the entire workshop is not merely a collection of recounts by each participant.

Can the workshop deal effectively with technical or forensic issues related to how to undertake investigations and preserve evidence? The primary participants of the Congresses may not be technical specialists. The most that could be achieved in this regard might be to publicise the work of the International Organisation of Computer Evidence (which is undertaking the development of common forensic standards in the collection and preservation of electronic evidence), and promote technical co-operation in terms of training, etc.

Promotion of greater co-operation between law enforcement and the computer and telecommunications industry could be a useful product of the workshop, if some portion of the workshop were devoted to the role and need for such co-operation. Participation of representatives of some of the major Internet Service Providers could increase the public visibility of the workshop and increase distribution of the results of the workshop. Work is currently underway in the G8 subgroup and the OECD to improve co-operation, and the results of these efforts could be presented at the workshop.

A recommendation on the types of national laws or investigative legal tools that states should possess might be an achievable product, so long as there is international development of the recommendation and not mere endorsement of work achieved by some regional groups.

Likewise, a recommendation might be achievable concerning the need for national laws and international agreements, with a statement of some guiding principles, regarding trans-border search and seizure and the determination of the source and destination of communications.

One must not forget that the overall purpose of the Congress workshops is to be practical oriented, and not to develop more norms and standards. Any recommendations or principles would need to be developed and couched in a format such that they would not be perceived as proposing a new norm and standard in this area, but rather a set of legal and practical measures that states are invited to consider.

E. Results of the Congress workshop on “Crimes related to the computer network”

To a significant extent, the results of the Congress workshop will be dictated by the objectives chosen and achieved for the workshop. Nevertheless, there are some possible results that should be discussed by the experts’ meeting at UNAFEI. The information collected and exchanged could be collated as a report of the workshop. The information could also be used to update the United Nations Manual on Preventing and Controlling Computer-related Crime, first prepared by Canada and published by the United Nations Secretariat in 1994. The results of the workshop, and updating of the manual, could be used to enhance practical co-operation among states by facilitating a common understanding of the problem and possible solutions. It could be employed in future training and technical assistance projects by the United Nations and other organisations. Depending on the nature of the workshop’s product (e.g., a set of recommendations), the product could be considered as part of a resolution to be discussed and adopted by the ninth session of the United Nations Commission on Crime Prevention and Criminal Justice, which immediately follows the Congress.

*General Counsel, Canadian Department of Justice, Ottawa, Canada. The views expressed herein are those of the author, and do not necessarily reflect the position of the Department of Justice, Canada.

1OECD, Computer-related Crime: Analysis of Legal Policy (Paris, 1986).

2Council of Europe, Computer-Related Crime: Recommendation No. R(89)9 on Computer-Related Crime and Final Report of the European Committee on Crime Problems (Strasbourg, 1990

3United Nations Manual on the Prevention and Control of Computer-Related Crime, 1994, 43&44 International Review of Criminal Policy (United Nations, New York, 1994).

4OECD, Recommendation of the Council concerning Guidelines for the Security of Information Systems, OECD/GD(92)10 (Paris, 1992).

5Council of Europe, Problems of Criminal Procedural Law connected with Information Technology: Recommendation No. R(95)13 and explanatory text, (Strasbourg, 1996).

September 30, 1998