
2e814f171966e2f984d94eb487d720b7.ppt
- Number of slides: 82
Seminar on Evidence and Proving of Cybercrime Philippe Van Linthout and Jan Kerkhofs ©
Who are we?
Philippe Van Linthout
- Investigating Judge at Mechelen Court, Belgium
- Former Deputy Public Prosecutor, Dendermonde Court of First Instance
- Former lawyer (with H. Rieder law firm)
- Holder of the European Certificate on Cybercrime and Electronic Evidence (ECCE)
Jan Kerkhofs
- Deputy Public Prosecutor, Dendermonde Court of First Instance
- Former lawyer (with H. Rieder law firm)
Programme - content
- Relevance: (why) do we need special training in the fight against cybercrime?
- Court proceeding of cyber crimes:
  - First problem: How to get before court – part one? The problem of locating the cybercriminal
  - Second problem: How to get before court – part two? The problem of locating the competent court
    - Competence of Belgian Courts ratione loci – Are we always competent?
    - Belgian competence for collection of evidence (in another country) – What about the sovereignty of the foreign state?
  - Third problem: How to bring proof before court? – the examination of evidence and the matter of bringing proof to court proceedings on cybercrime
Programme - content
- Conclusions: What are the challenges of our international context; how to learn from each other; do you feel provoked?
- Round table: the experience of Ukraine and EU countries.
Purpose
- Awareness
- Sharing know-how
- To ask the right question
- To avoid the wrong answer
- Do not only ask what we can do for you, but also ask what you can do for us
Relevance
- Old crimes, new tools
- New tools, new crimes
- What and who are we dealing with? Some examples
Incest Teens School girl illegal free
Rave parties
EXTENUATION OF WAR CRIMES
DISCRIMINATION AND RACISM
HOW TO MAKE EXPLOSIVES? « Hehehe, a little trip of my own: BLOW EVERYTHING UP. So if a teacher is getting on your nerves, come here, I'll teach you how to kill him cleanly and even how to blow up your school. »
NIGERIAN SCAMS – 419 SCAMS
Jan DE CLERCQ and Philippe VAN LINTHOUT
VIRTUAL CASINO
COPYRIGHT FILM GAMES FILMS COMICS MUSIC
Relevance: Definitions
- Convention on Cybercrime, Budapest, 23.XI.2001:
  - Offences against the confidentiality, integrity and availability of computer data and systems:
    - Illegal access
    - Illegal interception
    - Data interference
    - System interference
    - Misuse of devices
Relevance: Definitions
- Computer-related offences:
  - Computer-related forgery
  - Computer-related fraud
- Content-related offences:
  - Offences related to child pornography
  - Offences related to infringements of copyright and related rights
Relevance: Definitions
- Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, Strasbourg, 28.I.2003:
  - Dissemination of racist and xenophobic material through computer systems
  - Racist and xenophobic motivated threat
  - Racist and xenophobic motivated insult
  - Denial, gross minimisation, approval or justification of genocide or crimes against humanity
Relevance: SKIMMING CASE
- Computer-related fraud
- Computer-related forgery
Relevance: PHISHING CASE
- Password Harvesting Fishing:
  - Illegal access
  - Data interference
  - System interference
  - Computer-related fraud
  - Computer-related forgery
- Spear Phishing = new
How to get before court – part one?
- First problem is a practical problem: the problem of locating the cybercriminal
  - Where is he?
  - Who is he?
  - … and how do we prove who and where he is?
History
- 1969 – ARPANET
  - Military Advanced Research Projects Agency (ARPA) – cold war
  - Dynamic Rerouting
- ARPANET anno 1974
Dynamic Rerouting AZ AZ
Dynamic Rerouting AZ -> A and Z -> AZ
Locating the cybercriminal
- Mission impossible in cyberspace?
  - TOR – www.torproject.org
  - IP-spoofing
  - Proxies (TORPIG – bank fraud)
Identification in bank fraud case: impossible?!
How to get before court – part two?
- Second problem is a judicial problem: the problem of locating the competent jurisdiction and court
  - Which flag to plant in cyberspace?
  - Where is the cybercrime committed?
  - Cyberspace has no boundaries
  - Cybercrime is crime without frontiers
  - Investigation without frontiers doesn’t exist?
  - A Belgian solution…
Competence of Belgian Courts ratione loci
- Belgian Criminal Law Code:
  - Article 3: Courts shall be competent for all crimes on Belgian territory, whether committed by Belgians or foreigners
  - Article 4: Courts shall only be competent for crimes abroad when the Belgian Criminal Procedure Code so determines (e.g. Article 10 ter of the Preliminary Title: sexual exploitation, rape, indecent assault – April 13, 1995)
Competence of Belgian Courts ratione loci
- Advantages of the application of Article 3:
  - Based on the sovereignty of Belgium
  - No conditions attached
  - Nationality of the offender or victim is irrelevant (even when both are foreigners or even when not punishable in another country! (e.g. bigamy))
  - Judgment on the same facts in another country is no obstacle
Competence of Belgian Courts ratione loci
- Advantages of the application of Article 3:
  - Foreign legislation is not taken into consideration (no double criminalisation required)
  - Article 13 Preliminary Title of the Belgian Criminal Procedure Code is not applicable: NO “ne bis in idem” (only for crimes abroad) – EXCEPT Schengen (Article 54 a.f.)
Competence of Belgian Courts ratione loci
- Localisation of the offence
  - Not regulated by law but by legal doctrine
  - Different theories:
    - Criminal event theory (beginning)
    - Theory of the instrument (where it happens – everything in between)
    - Direct consequence theory (where it ends)
November 26, 2008 Ph. Van Linthout - Investigating Judge at Mechelen Court
Competence of Belgian Courts ratione loci
- Localisation of the offence
  - Not regulated by law but by legal doctrine
  - Different theories:
    - Criminal event theory (The Netherlands)
    - Theory of the instrument (Belgium)
    - Direct consequence theory (Germany)
Hacker Mailserver Enduser
Competence of Belgian Courts ratione loci
- Localisation of the offence
  - Not regulated by law but by legal doctrine
  - Different theories:
    - Criminal event theory (The Netherlands)
    - Theory of the instrument (Belgium)
    - Direct consequence theory (Germany)
  - Different countries: combination of theories
  - USA: theory of effects (also distant effects: more extensive)
Competence of Belgian Courts ratione loci
- In Belgium:
  - Theory of objective ubiquity (“théorie de l’ubiquité objective”): the offence is situated in all places where there is a constitutive element of the infraction
  - Combination of the three theories
Competence of Belgian Courts ratione loci
- In Belgium:
  - Theory of indivisibility: Courts can take into consideration all elements that are indivisibly connected with an offence in Belgium
  - Comparable with theory of effects
  - Court of Cassation (Supreme Court) January 23, 1979 (Ghavami-Lahidji case): cheque without funds written in Teheran (constitutive elements), but money is taken from Belgian bank account (NO constitutive element): competence of Belgian courts
Competence of Belgian Courts ratione loci
- In Belgium:
  - Dendermonde Court of First Instance September 29, 2008:
    - Hacker and site hacked not on territory within the jurisdiction of the Dendermonde Court;
    - Effect: consultation of the website by victim within the jurisdiction of the Dendermonde Court (that alone!)
Competence of Belgian Courts ratione loci
- Question asked?
  - Is activating a computer and logging on to the internet in Belgium sufficient in order to be competent?
Competence of Belgian Courts ratione loci
- It seems that the practical problem is also a judicial one: do we really know in cyberspace?
  - TOR – www.torproject.org
  - IP-spoofing
  - Proxies (TORPIG – bank fraud)
Competence for collection of evidence in cyberspace
- Convention on Cybercrime November 23, 2001:
  - Article 19-2: Each Party shall adopt such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, pursuant to paragraph 1.a, and have grounds to believe that the data sought is stored in another computer system or part of it in its territory, and such data is lawfully accessible from or available to the initial system, the authorities shall be able to expeditiously extend the search or similar accessing to the other system.
Competence for collection of evidence in cyberspace
- Convention on Cybercrime November 23, 2001:
  - Article 32: A Party may, without the authorisation of another Party:
    - a. access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
    - b. access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.
Competence for collection of evidence in cyberspace
- Convention on Cybercrime November 23, 2001:
  - Belgium signed November 23, 2001
  - Has not yet ratified (November 17, 2008)
- Belgian Law on Informatics Crime: November 28, 2000 (B.S., February 3, 2001): Article 88 ter Belgian Criminal Procedure
Competence for collection of evidence in cyberspace
- Article 88 ter Belgian Criminal Procedure Code:
  - Competence of the Investigating Judge
  - Can order search in computer system
  - Can extend the search to another computer system or to a part of another computer system which is located elsewhere
Competence for collection of evidence in cyberspace
- Conditions:
  - Necessary to find truth in investigation AND
  - Other investigation measures are not proportionate OR
  - Risk that proof would disappear
  - Restricted to the parts of another computer system to which the users of the initial system have access
Competence for collection of evidence in cyberspace
- The person responsible for the computer system is informed by the investigating judge if he/she can reasonably be identified
- When it seems that the data which is discovered is not stored on Belgian territory, the data is only copied:
  - Investigating Judge informs the Ministry of Justice through the Public Prosecutor
  - Ministry of Justice informs the State involved, if it can reasonably be determined
- Are we welcome in other countries?
Competence for collection of evidence in cyberspace
- Competence and compliance in cyberspace
  - The sky is the limit, … if you are not in law enforcement!
- Example of YAHOO! INC:
  - Correctional Court Dendermonde, 2/3/09:
    - Obligation to obey the prosecutor’s request
    - Economical presence = judicial presence
  - Court of Appeal Gent 30/6/2010:
    - Yahoo doesn’t have to obey the Belgian prosecutor
  - Court of Cassation Brussels 18/1/2011:
    - Even foreign ISPs which provide services on Belgian territory have to obey
How to bring proof before court?
- Third problem: the examination of evidence and the matter of bringing proof in court proceedings on cybercrime
  - Know-how & who knows (lawyers, judges, prosecutors, police…)
  - The challenges of electronic evidence
Characteristics of E-evidence
- Specialized knowledge
- Volatility
- Easy to manipulate
- Difficult to prove the authenticity
- Difficult to prove the origin
- Difficult to store
Characteristics of E-evidence
- Specialized knowledge:
  - Do we know and / or find them?
Characteristics of E-evidence
- Specialized knowledge:
  - Specialized police forces (In Belgium: Federal Computer Crime Unit (FCCU), Regional Computer Crime Units (RCCU)...)
  - Specialized magistrates? = perhaps
    - Basic knowledge of the computer?
    - Basic knowledge of the internet, and how it works?
    - Basic knowledge about internauts?
  - Specialized lawyers? = perhaps
  - Specialized criminals = sure!
Characteristics of E-evidence
- Volatility:
  - Data retention:
    - Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006: “Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.”
    - Prescription > period of data retention
    - Let’s throw away some evidence!
    - World Wide Web ≠ World Wide Rules (example: Microsoft = 90 days data retention)
Characteristics of E-evidence
- Easy to manipulate:
  - Anonymizers:
    - TOR (www.torproject.org)
    - IP-spoofing
    - Proxies (ex. www.proxy4free.com - www.stopkinderporno.com)
  - Encryption is free: evidence in a vault!
March 5, 2010 Philippe Van Linthout
Characteristics of E-evidence
- Easy to manipulate:
  - Identity theft (ex. www.sendanonymousemail.net, www.armsms.com, …)
- Volatile + easy to manipulate = difficult to prove the authenticity
Characteristics of E-evidence
- Difficult to prove the origin:
  - Currently: IPv4
    - 4 × 10^9 IP addresses
    - 4.000 IP addresses
    - 178.119.155
  - Future (2015): IPv6
    - 3,4 × 10^38 IP addresses
    - > grains of sand in the Sahara
    - each person on earth will have 50.000 quadrillion IP addresses
    - 3ffe:6a88:85a3:08d3:1319:8a2e:0370:7344
Characteristics of E-evidence
- Meanwhile: Carrier Grade Network Address Translation (Carrier Grade NAT): an approach to dealing with the problem of IPv4 address exhaustion and easing the transition to IPv6
Characteristics of E-evidence
- Carrier-grade NAT: an approach to IPv4 network design where end sites (for example homes) are not given public IPv4 addresses. They are instead given private addresses that are translated to public by middle boxes embedded in the network operator's network. This allows the network operator to share one public address among several end sites.
- Judicial horror:
  - Internet Access Providers don’t keep the logs
  - One identified IP-address = 12, 24, 36 persons?
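Why one identified IP address can point to several persons under carrier-grade NAT, as an added example that is not part of the original slides: the log format, addresses, time windows and function names below are constructed for illustration and assume an operator that records one public port block per subscriber and time window.

```python
from datetime import datetime
from typing import NamedTuple

# Constructed sample of a carrier-grade NAT log (illustrative, not real data).
# Columns: lease start, lease end (UTC), subscriber's private address,
# shared public address, first and last public source port of the block.
CGN_LOG = """\
2010-03-05T09:00:00Z 2010-03-05T10:00:00Z 10.0.0.11 203.0.113.7 1024 5119
2010-03-05T09:00:00Z 2010-03-05T10:00:00Z 10.0.0.12 203.0.113.7 5120 9215
2010-03-05T09:00:00Z 2010-03-05T10:00:00Z 10.0.0.13 203.0.113.7 9216 13311
2010-03-05T10:00:00Z 2010-03-05T11:00:00Z 10.0.0.14 203.0.113.7 1024 5119
2010-03-05T09:00:00Z 2010-03-05T10:00:00Z 10.0.0.15 203.0.113.8 1024 5119
"""

class Lease(NamedTuple):
    start: datetime
    end: datetime
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, sub, pub, lo, hi = line.split()
        leases.append(Lease(parse_ts(start), parse_ts(end), sub, pub, int(lo), int(hi)))
    return leases

def candidates(leases, public_ip, when, src_port=None):
    """Subscribers that fit the observation; src_port=None means IP and time only."""
    seen_at = parse_ts(when)
    hits = set()
    for lease in leases:
        if lease.public_ip != public_ip or not lease.start <= seen_at < lease.end:
            continue
        if src_port is not None and not lease.port_lo <= src_port <= lease.port_hi:
            continue
        hits.add(lease.subscriber)
    return sorted(hits)

LEASES = parse_log(CGN_LOG)
if __name__ == "__main__":
    print(candidates(LEASES, "203.0.113.7", "2010-03-05T09:30:00Z"))        # IP + time
    print(candidates(LEASES, "203.0.113.7", "2010-03-05T09:30:00Z", 6000))  # + source port
    print(candidates(LEASES, "203.0.113.7", "2010-03-06T09:30:00Z", 6000))  # log not retained
```

A server-side log therefore needs the source port and an accurate timestamp alongside the address before a request to the access provider can resolve to a single end site.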
Characteristics of E-evidence
Characteristics of E-evidence
- Difficult to store:
  - How do we treat our e-evidence?
  - Stored by the registrar…
  - Do we guarantee authenticity?
Conclusions
- Globalisation of (cyber)crime
- Need of specialisation - expertise
- Broad competence rules are necessary
- No international agreements yet
- Clear legal rules are required in order to obtain evidence stored abroad quickly
- Personal experience does not seem promising
Conclusions
- Competence of Courts
  - Lack of legal rules and international “ne bis in idem”
  - Always competent: “It is well known that French magistrates hate to declare that they lack jurisdiction” (P. Y. GAUTHIER)
- Collection of evidence in cyberspace is not sufficiently well regulated
Thank you for your attention!
philippe.vanlinthout@just.fgov.be
jan.kerkhofs@just.fgov.be