Cybercrime,digitalinves3ga3ons&cloudcompu3ng

Professor Ian Walden Institute of Computer and Communications Law

Centre for Commercial Law Studies, Queen Mary, University of London

Multi-disciplinary Cooperation for Cyber Security, Legal and Digital

Forensics Education Project

December2014-March2016

Introductoryremarks

•  Cybercrimes–  Criminalisingbehaviours

•  Digitalinves3ga3ons–  Computer&deviceforensics–  Networkforensics

•  Inves3gatoryPowersBill

•  Cloudcompu3ng–  Contracts–  Servicelevelagreements

CYBERCRIMES

Definingcybercrime

•  CouncilofEuropeCybercrimeConven3on(2001)–  ‘BudapestConven3on’:some56signatories,fromEurope&beyond

•  Harmonisa3onofoffences&criminalprocedure•  Enhanceinterna3onalco-opera3on

•  ‘oldwineinnewboQles’or‘newwineinnoboQles’?–  Computer-relatedcrimes,e.g.fraud–  Computer-integritycrimes,e.g.hacking–  Content-relatedcrimes,e.g.childsexualabuseimages–  Contact-relatedcrimes,e.g.harassment

Computerintegrityoffences

•  Cybercrimes–  Unauthorisedaccess,e.g.‘hacking’–  Unauthorisedinterference,e.g.viruses&malware–  Unauthorisedintercep3on:e.g.‘snooping’–  Illegaldevices

•  Criminalizingconduct&fault,notthetechnology•  Legalanalogies&physicalreality•  Over-criminaliza3on•  Imposingobliga3onson(poten3al)vic3ms

–  Preven3onbeingbeQerthancure......

‘Unauthorised’•  Legaldefini3ons

–  Limitsofen3tlement

•  Impliedlimits–  Byconductofperpetrator–  Byconductofvic3m,e.g.‘controller’ofresource

•  Code-based

•  Opera3onoflaw–  Publiclaw

•  Jurisdic3onallimits

–  Privatelaw•  Employeeusage,termsofservice,licencecondi3ons

Authorisa3on•  UK:ComputerMisuseAct

–  “en3tledtocontrolaccessofthekindinques3ontotheprogramordata”s.17(5)

•  DPPvBignell(1998)•  RvBowStreetMagistrates’Court,exparteAllison(1999)3WLR620•  DPPvLennon[2006]AllER(D)147(May)

–  Lawenforcement:s.10Savings•  Amendmentsforaccess(1994)&interference(2015)•  CDPA,s.296ZB(3)re:circumven3onoftechnologicalmeasures

•  US:CFAA18USC§1030(e)(6)–  "exceedsauthorizedaccess"meanstoaccessacomputerwithauthoriza3onand

tousesuchaccesstoobtainoralterinforma3oninthecomputerthattheaccesserisnoten3tledsotoobtainoralter;”

•  USvDrew(2009)U.S.Dist.259F.R.D449;(CDCal.Aug28,2009)–  “ifeverysuchbreachdoesqualify,thenthereisabsolutelynolimita3onor

criteriaastowhichofthebreachesshouldmeritcriminalprosecu3on.“•  So‘voidforvagueness’,as‘ordinarypeople….wouldnotexpectcriminalpenal3es..’

•  Legalnatureofthestatement–  Contractual

•  e.g.termsofserviceincontractsofadhesion•  Statutorycontrolsmayrendertheagreementinvalid:afirstissuetobedecidedupon

•  Direc3ve13/40/EU,recital17–  “contractualobliga3onsoragreementstorestrictaccesstoinforma3onsystems

bywayofauserpolicyortermsofservice,…shouldnotincurcriminalliability”

Unauthorised by statements

Accesswhat?•  CybercrimeConven3on–Art1(a)defines‘computersystem’and‘computerdata’–  anydeviceoragroupofinterconnectedorrelateddevices,oneormore

ofwhich,pursuanttoaprogram,performsautoma3cprocessingofdata;

•  GuidanceNote#1,‘Ontheno3onof“computersystem”–Ar3cle1.aBudapestConven3ononCybercrime’,T-CY(2012)21

–  Direc3ve13/40/EU

•  Devices,programmes&data(electricity)–  ‘withoutright’

•  “access,interference,orintercep3on,whichisnotauthorisedbytheownerorbyanotherrightholderofthesystemorofpartofit”

–  Impactoflicencebreach?

IllegalAccess-Mereaccess:ComputerMisuseAct1990,s.1:“unauthorisedaccess”–  elements

-actusreus:“..causesacomputertoperformanyfunc3on(withintenttosecureaccesstoanyprogramordataheldinanycomputer;”)

-mensrea:intenttosecureaccess&knowsatthe3meoftheactusreusthatintendedaccessisunauthorised

–  caselaw•  SeanCropp(1991):AAorney-General’sReference(No.1of1991)[1992]3WLR432

IllegalAccess+

•  ‘byinfringingsecuritymeasures’–  e.g.Germany,Brazil,Switzerland,Finland,Japan

•  Informa3on-related–  e.g.DataProtec3onAct1998,s.55

•  Obtainingpersonaldatawithouttheconsentofthedatacontroller

•  Connectedsystems–  Budapest:‘inrela3ontoacomputersystemthatisconnectedtoanothercomputersystem’

•  e.g.Japan:‘specificcomputer…..viaatelecommunica3onsline’

•  Targetorfacility-related–  18USC.§1030(e)(2):‘ProtectedComputer’

Illegalinterference•  Integrity

–  ComputerMisuseAct1990,s.3•  impairtheopera3onofanycomputer;•  preventorhinderaccesstoanyprogramordataheldinanycomputer;or

•  impairtheopera3onofanysuchprogramorthereliabilityofanysuchdata

–  Inten3on&recklessness(since2006)–  From‘unauthorisedmodifica3on’to‘unauthorisedacts’

•  From‘contentsofthecomputer’(internal)to‘inrela3ontothecomputer’(external)perspec3ve

–  Denial-of-ServiceaQacks(‘DDoS’)•  But,s.17(6):re:removabledatamedia

Illegalinterference+

•  Target–  e.g.‘Cri3calinforma3oninfrastructure’

•  EUDirec3ve,art.9(4)(c):‘againstacri3calinfrastructureinforma3onsystem

•  Mo3va3on–  Organisedcrime

•  EUDirec3ve,art.9(4)(a):‘commiQedwithintheframeworkofacriminalorganisa3on’

–  TerrorismAct2000•  “designedseriouslytointerferewithorseriouslydisruptanelectronicsystem”(s.1(2)(e))

Illegalinterference+

•  Harm-related–  EUDirec3ve,art.9(4)(b):‘seriousdamage’

•  2015amendmenttoComputerMisuseAct1990:Sec3on3ZA:‘unauthorisedacts

•  Damageofa‘materialkind’–  Tohumanwelfare,environment,economyorna3onalsecurity–  “ofanycountry”

•  ‘Humanwelfare’–  Including‘disrup3onofasupplyofmoney,food,water,energyorfuel’,‘systemofcommunica3on’,‘facili3esfortransport’&‘servicesrela3ngtohealth’

•  Tariff–  14yearstolifeimprisonment(forseriouslossoflifeorinjury)

Illegalintercep3on

•  Intercep3onor‘networkaccess’–  Tocontent(data),notcommunica3onaQributes

•  Data‘intransmission’(-ish)–  Storage–  Issuesofconfiden3alityandprivacy(rela3onalnotsubjectmaQer)

•  Ascriminalconduct–  Orcommercialprac3ce

•  Ascriminalprocedure–  Controllinglawenforcementinves3ga3ons

‘Withoutright’

•  Authorisa3on(posi3ve)–  ofthe‘systemcontroller’

•  Fromcriminaltocivilliability•  US:‘owneroroperatorofthe‘protectedcomputer’

–  ofthenetworkusers•  Consentofbothpar3es(UK:RIPA,s.3(1),since2011)

–  EUdataprotec3onlaw•  Consentofoneparty(US:18U.S.C.§2511(2)(c)-(d))

–  oflawenforcementagencies•  e.g.warrant

‘Withoutright’

•  Lawfulexcuse(nega3ve)–  oftheserviceprovider

•  Technicalneedvcommercialdesire,e.g.Spam&malwaredetec3on;behaviouraltargetedadver3sing

–  RIPA,s.3(3):“forpurposesconnectedwiththeprovisionoropera3onofthatserviceorwiththeenforcement,inrela3ontothatservice,ofanyenactmentrela3ngtotheuseofpostalservicesortelecommunica3onsservices.”

–  “inthecourseoflawfulbusinessprac3ce”•  Direc3ve02/58/EC,art.5(2)

–  ‘Lawfulbusinessprac3ce’Regula3ons2000

Transmissions

•  ‘inthecourseoftransmission’–  Intermediatestorage

•  S.2(7):“....shallbetakentoincludeany3mewhenthesystembymeansofwhichthecommunica3onisbeing,orhasbeen,transmiQedisusedforstoringitinamannerthatenablestheintendedrecipienttocollectitorotherwisetohaveaccesstoit.”

–  Edmondson&orsvR[2013]EWCACrim1026

•  Inves3gatoryPowersBill,s.3(4):‘relevant3me’,includesstoreddata‘whetherbeforeoraweritstransmission’

Illegalintercep3on

•  Regula3onofInves3gatoryPowersAct2000–  Offencesofunauthorisedintercep3on–  ‘Publictelecommunica3onsystems’

•  Inten3onal&withoutlawfulauthority:s.1(1)–  2yrsimprisonment–  DPPconsentrequired,butnoexpresspublicinterestdefence

•  e.g.CPS&Ofcom(SkyNews&theDarwins)

•  Uninten3onalbutwithoutlawfulauthority:s.1(1A)(2011)–  Direc3ve02/58/EC,Art.5(1)&Recital21

•  OnlyapplicabletoCSPs?–  OfficeoftheIntercep3onofCommunica3onsCommissioner:‘monetarypenaltyno3ce’&procedure:£50,000max.

–  ‘Privatetelecommunica3onsystems’•  Inten3onal&withoutlawfulauthority:s.1(2)

–  2yrsimprisonment

•  Statutorytort:s.1(3)–  Ifsystemcontrollerorhasauthorityofsystemcontroller

–  ‘Systemcontroller’•  “apersonwiththerighttocontroltheopera3onoruseofthesystem”

–  Stanford[2006]EWCACrim258•  “morethenmerelytherighttoaccessortooperatethesystem.Itmeant

therighttoauthoriseorforbidtheopera3onortheuseofthesystem”

Illegalintercep3on

Illegaldevices

•  Toolsdesignedtofacilitatecybercrimes –  Devices&data

•  e.g.‘zero-exploits’,‘rootkits’,‘botnets’,‘key-logging’sowware•  Lowersthresholdofskillrequired

•  Crimepreven3on–  “prohibitspecificpoten3allydangerousactsatthesource,precedingthecommissionofoffences”(CCEM,atpara.71)

•  ‘Maliciousmarketplace’–  Organisedcrime

Legalissues

•  Criminalisingwhat?–  Device&data

•  Criminalconduct?–  Inchoateoffences

•  AQempt,conspiracy&incitement

–  Supply&possession•  Exportcontrols:dualuse

•  Dis3nguishinglawfulfromunlawful–  Scien3ficresearch…

UKlaw

•  Computer-integrityoffences–  ComputerMisuseAct1990,s.3A(2006amendment)

•  ‘Ar3cle’includes“anyprogramordataheldinelectronicform”•  3offences:(i)supplieswithintent;(ii)supplies‘believingthatitislikely’and(iii)obtainsintendingtouseorwithaviewtosupplying

–  InvictaPlasNcsLtdvClare[1976]RTR251•  CPSGuidance(requestedbyGovernment)

–  Isthear3clewidelyavailable?–  Isitsoldthroughlegi3matechannels?–  Doesithaveasubstan3alinstalla3onbase?

•  Maximum2yrsimprisonment