QUESTION

 Law and Cybercrime    

Law and Cyber Crime:

Describe several possible Cybercrime objectives and operational methods that could be employed for abuse of Digital currencies, and the “Internet of Things”.
Examine and Describe laws and practices related to Computer Forensics. Will these laws and practices be effective for emerging cyber crimes you have described above? Explain your answer

Information security and cybercrime

Ian Brown, Lilian Edwards and Chris Marsden1

Introduction

Information systems are increasingly important to the efficient operation of government,

corporations and society in general. With that importance has come an increasing risk of

information security breaches, compounded by systems’ networked nature. That makes

effective information security a public policy issue of far broader impact than technical

information technology (IT) policy.

Network and Information Security (NIS) policy making and investment have evolved

rapidly, especially since 1999. This evolution has been punctuated at certain points where

the necessity of adequate or mature NIS policy has been sharply emphasised by

vulnerability to attack or shocks:

• The ‘Millennium Bug’ or Y2K programme of 1997-9, which led to a complete

inventory of computing inside large organisations, often for the first time since

the deployment of the enterprise Personal Computer (PC) in the mid-1980s;

• Denial of Service (DoS) attacks, beginning in 2001 against Yahoo! and eBay;

• Business continuity planning in the wake of the attacks in September 11th 2001;

• Corporate responses to the increasing financial returns for attackers (for example

the growth of ‘phishing’ and the 2004-5 cyber-extortion cases against gambling

websites).

• The continued tendency towards government action to directly confront

cybercrime, ‘cyber-terrorism’ and ‘cyberwar’, as for instance with the US 2009

appointment of a ‘cybersecurity czar’ (sic).

Legislation, policy, government spending and corporate response in the field of

information security have been examined by for instance the Organisation for Economic

Cooperation and Development (OECD)2 and the European Commission, which has

identified three key risks for Internet security:

1. Attackers are increasingly motivated by profit rather than the technical interest

that drove earlier “hackers” – with growing interest from organised crime and a

sophisticated underground economy in stolen information and hacking tools

2. Mobile devices and networks present a significant new threat landscape, where

security is so far less developed than on the personal computer

1 Respectively, Senior Research Fellow, Oxford Internet Institute; Professor of Internet Law, University of

Sheffield; Senior Lecturer in Law, University of Essex.

2 See OECD (2005) The Promotion Of A Culture Of Security For Information Systems And Networks In

OECD Countries DSTI/ICCP/REG(2005)1/FINAL of 16 December 2005 at

http://www.oecd.org/dataoecd/16/27/35884541.pdf

3. Ubiquitous computing will move computation and networking into the fabric of

buildings and everyday things (e.g. through RFID and sensor networks),

presenting new vulnerabilities.3

Malware, botnets and other tools for crime

The production of malicious software or “malware” used to attack systems and defraud

individuals has soared in recent years. In 2008 security software firm Symantec identified

1,656,227 distinct new malicious programs, an increase of 165% since 2007.4 This

growth has resulted from increasing opportunities for fraud, the vulnerability of online

services to attacks by “botnets” made up of huge numbers of compromised PCs, and an

underground economy driven by interest from organised crime.

The authors of this software, those using it to control networks of compromised

computers and acquire and sell on sensitive information, and their targets are located

around the globe. The Honeynet Project found in 2006/2007 that Brazil had the highest

number of observed “bots” or compromised machines, followed by China, Malaysia,

Taiwan, Korea and Mexico. The controlling servers were located principally in the

United States, followed by China, Korea, Germany and the Netherlands.5

However, the distributed criminal networks that have grown up around these tools often

include participants close to victims where they can (for example) more easily transfer

funds. As the UK Police Central e-Crime Unit’s Sgt. Bob Burls has commented: “It’s a

myth that hackers are 15-year olds in darkened rooms and similarly that all

cybercriminals are overseas. As with drugs, you have major traffickers but also street

dealers. Wherever there is criminality there are criminal hierarchies, there will also be

local pockets of criminality.”6

Conduits for attacks

Software: operating systems, browsers and other applications

Viruses, Trojan horses and other types of malware typically exploit weaknesses in

installed software to gain control of an Internet-connected machine and access data

entered by and available to users.

This code spreads mainly through e-mail attachments, websites and by directly

connecting to vulnerable machines. IT security company ScanSafe found in June 2008

that the number of legitimate websites being compromised and used to infect visitors’

3 Communication on a strategy for a Secure Information Society – “Dialogue, partnership and

empowerment” COM(2006) 251

4 Symantec (2009) Global Internet Security Threat Report: trends for 2008, vol. XIV, available at

http://eval.symantec.com/mktginfo/enterprise/white_papers/bwhitepaper_

internet_security_threat_report_xiv_04-2009.en-us.pdf

5 J. Zhuge, T. Holz, X. Han, J. Guo, & W. Zou (2007): Characterizing the IRC-based botnet phenomenon.

Informatik Tech. Report TR-2007-010. Available at http://honeyblog.org/junkyard/reports/botnet-china-

TR.pdf

6 I. Brown and L. Edwards (2008) McAfee Virtual Criminology Report, available at

http://resources.mcafee.com/content/NAMcAfeeCriminologyReport

machines accounted for 66% of all malware blocked,7 but distribution channels vary in

significance as vulnerable software is patched, security software is updated and new

weaknesses are found. Just one recent attack on Microsoft Internet Information Services

web servers hit around half a million websites.8

Software companies are in a constant arms race with hackers to fix vulnerabilities before

they are exploited. Microsoft for example claimed to have disinfected more than 526,000

PCs in the Storm botnet in the last quarter of 2007, but accepts that Storm botnet

controllers are “probably out there still making money with some other botnet.”9

The frequency with which security problems continue to be discovered in widely used

operating system and application software makes it extremely difficult for any adequate

level of Internet security to be achieved. Microsoft and other large software companies

have made many improvements in their security development processes, but the software

market does not seem to be driving the use of well-understood but little deployed security

engineering techniques – such as dramatic decreases in complexity of the security core of

operating systems and much more careful isolation of the potentially malicious code

present in Web pages and e-mails. Until software companies are properly incentivised to

make a step-change in the quality of their products, law enforcement agencies will be

unlikely to have the resources to deal with the resulting flood of e-crime.

The use of open source software10 is not a security panacea. While many programmers

may be examining source code for flaws, not all open source projects have the resources

available to patch vulnerabilities in a timely way once discovered. Attackers are also

more easily able to find flaws given the availability of source code.11

Networks

Botnets, networks of computers compromised by malicious software, are one of the key

vectors for online attacks and criminality. During 2008 Symantec identified 9,437,536

distinct machines in such networks. The largest networks contain hundreds of thousands

of machines and are capable of flooding the Internet with more than 100 billion spam

messages per day.12 These networks are also used to launch Distributed Denial of Service

(DDoS) attacks, where thousands of compromised machines send traffic to a target

machine, overwhelming it and sometimes its network connectivity.

We have continued to see DDoS attacks conducted against companies and governments,

some as part of nationalist political campaigns. The FBI/Computer Security Institute

7 Scansafe (2009) Annual Global Threat Report 2008, available at

http://www.scansafe.com/resources/global_threat_reports2

8 Gregg Keizer (2008) Huge Web hack attack infects 500,000 pages, Computerworld, 25 April

9 Gregg Keizer (2008) Microsoft: We took out Storm botnet, Computerworld, 22 April

10 See further discussion in Guadamuz, Chapter X

11 Ross Anderson (2002) Security in Open versus Closed Systems – The Dance of Boltzmann, Coase and

Moore, Open Source Software Economics, Toulouse

12 Joe Stewart (2008) Top Spam Botnets Exposed, SecureWorks, available at

http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets

Report 2007 report estimated that up to 10,000 DDoS attacks occur each day worldwide,

with the hourly cost of these attacks reckoned between $90,000 for a sales catalogue

company to $6.45m for a retail brokerage. Attackers commonly extort money from

targets by threatening attacks when they would be most costly – at gambling sites just

before a major sports event.

Presentation sharing site SlideShare was hit in April 2008 in apparent reprisal against

users’ presentations on corruption in China.13 Several tools were released early in 2008 to

enable attacks by disgruntled Chinese computer users against CNN in retaliation for their

coverage of issues in Tibet.14 During the conflict between Russia and Georgia, DDoS

attacks were observed against government and media sites in both countries.15 Attacks

were also observed at the end of 2007 between Russian and Ukrainian groups, and

against Russian political activist Gary Kasparov.16 We have even seen attacks on the

Church of Scientology by the “Anonymous” activist group.17

Payment services

Payment services are the route that almost all cybercriminals use to transfer fraudulent

gains. These include traditional bank transfers and direct debits; money services such as

Western Union; and new payment systems like PayPal. Financial regulation has not kept

up with innovations in payments systems, which makes the old policing mantra “follow

the money” decreasingly effective in the cybercrime era.

London’s Metropolitan Police have identified four key types of fraud facilitated by

payment services:

1. Online auction site frauds: money is transferred in payment for goods that are

never delivered, sometimes to fake escrow sites that do not provide the service

claimed of holding payments until delivery.

2. 419/advance fee frauds: Victims receive e-mails promising money in return for

helping a fraudster transfer money, upon the payment of a “small” fee that will

later be repaid. Once entrapped, victims have been persuaded to pay large fees

that are never reimbursed.

3. Lottery fraud: E-mail and letters are sent to victims claiming they have won a

lottery. Winnings can be claimed upon payment of a fee – sometimes substantial.

Victims, often elderly, are commonly further persuaded using telephone calls.

4. Criminal cashback: goods plus fees to a “shipping agent” are paid for using a

stolen bank draft or cheque. Once the seller has transferred these fees back to the

13 Mark Hendrickson (2008) SlideShare Slammed with DDOS Attacks from China, TechCrunch, 23 April

14 Jose Nazario (2008) NetBot Attackers Anti-CNN Tool, Arbor Networks Security, 23 April

15 Jose Nazario (2008) Georgia DDoS Attacks – A Quick Summary of Observations, Arbor Networks

Security, 12 August

16 Jose Nazario (2007) Political DDoS? Ukraine, Kasparov, Arbor Networks Security, 13 December

17 Jose Nazario (2008) Church of Scientology DDoS Statistics, Arbor Networks Security, 25 January

“shipping agent”, they commonly find the issuing bank recovers the draft or

cheque, having being duped out of both the goods and the “shipping fees”.18

Dupes (‘mules’) are commonly used as a middle-man to transfer money from victim to

fraudster. Recruited as an “international sales representative”, “shipping manager” or

other fake job, they are asked by fraudsters to receive “payments” that they then transfer

internationally after deducting a small “commission.” When apprehended by police, the

money has long since vanished through a payment system and cannot be retrieved – often

leaving both the mule and victim out of pocket.

A key concern of law enforcement agencies is services that do not allow payments that

are the proceeds of crime to be recovered. In a report19 for the US Federal Reserve, Ross

Anderson concluded:

“Online fraudsters use a variety of nonbank payment services to launder the

proceeds of crime. People had assumed that traceability was the key. However,

investigation reveals that revocability is more important. Fraudulent payments

within the banking system can be pursued and recovered with a reasonable

probability of success; but once stolen funds are used to buy transferable financial

assets such as eGold, recovery becomes much harder. This suggests that much of

the benefit that could be obtained from regulating nonbanks more closely can be

got by greater transparency about counterparty risks… The current [Financial

Action Task Force] rules impose unnecessary burdens, particularly on the poor,

while not doing enough to facilitate rapid recovery of stolen assets.”

Impersonation (‘identity fraud’) is the other main route by which cybercriminals have

committed fraud. By gaining access to the passwords required to log-in to online banking

services, fraudsters are able to directly withdraw funds from target accounts, or undertake

more sophisticated fraud such as “pump and dump” stock scams. By accessing

information such as individuals’ account details, dates of birth, social security and

passport numbers and addresses, fraudsters are able to gain access to funds in existing

accounts and new loan and credit facilities.

The US Federal Trade Commission in 2007 received 221,226 Internet-related fraud

complaints totalling $525,743,643.20 Javelin Strategy and Research have predicted that

identity fraud will decline between 2007 and 2013, but individual victims’ costs will rise

from $860 to $1,271 due to growing sophistication in criminal fraud techniques that use

elaborate social engineering schemes and multiple channels to evade detection for longer

periods of time.21

18 Metropolitan Police Service (2008) Money transfer fraud, available at

http://www.met.police.uk/fraudalert/money_transfer.htm

19 Ross Anderson (2007) Closing the Phishing Hole – Fraud, Risk and Nonbanks, US Federal Reserve.

Available at http://www.cl.cam.ac.uk/~rja14/Papers/nonbanks.pdf

20 Federal Trade Commission (2008) Consumer Fraud and Identity Theft Complaint Data January –

December 2007 p.10

21 Javelin Strategy and Research (2008) Consumer Identity Fraud Report.

Legal responses

UK Law: Computer Misuse Act 1990 amendments

Existing UK law specifically tailored to deal with computer crime is largely to be found

in the Computer Misuse Act of 1990 (CMA). As one of the earliest legislative attempts

to deal with computer crime, it was self-evidently not drafted for the Internet era. As a

result, although the Act deals fairly effectively with hacking and dissemination of viruses,

doubts have arisen as to whether the CMA adequately covers DoS.22

Two obvious routes existed within the CMA as originally drafted, which might be

explored by those seeking to criminalize DoS. The first was section 1, originally

designed to punish hacking, which prohibits “unauthorised” access to “any program or

data”. The other was section 3, designed to counteract the spreading of viruses, which

originally prohibited any “unauthorised modification of the contents of any computer”

which was intended “to impair the operation of any computer.” While s 3 was generally

seen as most appropriate to the offence, there was doubt as to whether an actual

“modification” was made since a server which is brought down by a DoS attack suffers

only temporary damage with usually no loss or corruption of data after the attack.

In 2004, Members of Parliament in the All-Party Internet Group (APIG) began a review

of the CMA, on the basis that this legislation was created before the emergence of the

Internet and therefore required updating. The Act was seen to focus too much on

standalone computers, and not enough on computer networks. In addition some of the

definitions used in the 1990 Act need updating. The final report outlined several

recommendations to the government for changes to the CMA. In March 2005, APIG

called for amendments to the CMA to address the threat from denial-of-service attacks.

An updated version of the CMA could be of greater benefit if it combined security

regulations relevant for standalone and network situations.

The Police and Justice Bill of 2005 thus amended section 3 by replacing the word

“modification” with “act”, which word is undefined save for including “a series of acts.”

In addition, section 3(2) of the CMA, as amended, specifies that the intent necessary to

commit the crime exists whether the intention is to produce temporary or permanent

impairment, or hindering or prevention of access to a computer, program or data.

Meanwhile DoS had finally arrived at the courts. In the unsatisfactory first UK

prosecution for DoS, R v Caffey,23 the charge was “unauthorised modification” under s 3

of the CMA, but there was no opportunity for argument as to the applicability as the case

fell on a dubious “Trojan virus” defense.24 The second reported prosecution was of

greater significance. In R v Lennon,25 a teenage hacker was accused of sending five

million emails to cause a DoS attack against his former employer. At first instance, the

judge refused to find there was an offence under section 3, not because of any doubts

22 See APIG report (discussed below) at 5 (regarding hacking and viruses); at 59‐75 at 11‐12 (discussing the

efficacy of the CMA in prosecutions of DoS and DDOS attacks).

23 (Southwark Crown Court Oct. 17, 2003) (unreported,).

24 The accused claimed that although his server had indeed launched the DoS attack, this had only been

because it had been taken over as a “zombie” by malicious code. Forensic experts however failed to fail any

evidence of such code. Remarkably however, the court still accepted the defense and acquitted.

25 Unreported, Wimbledon Magistrate’s Court, December 2005.

about the applicability of the word “modification” but because

“In this case, the individual emails caused to be sent each caused a modification

which was in each case an ‘authorised’ modification. Although they were sent in

bulk resulting in the overwhelming of the server, the effect on the server is not a

modification addressed by [the Act].”

In other words, the judge accepted the argument that an unsecured website impliedly

authorises the sending of emails to itself. DoS was merely different in volume but not in

essential character to the sending of email in the ordinary way.

On appeal, perhaps unsurprisingly the decision was reversed26. The Queens Bench held

that:

“the owner of a computer which is able to receive emails is ordinarily to be taken as

consenting to the sending of emails to the computer. His consent is to be implied

from his conduct in relation to the computer. Some analogy can be drawn with

consent by a householder to members of the public to walk up the path to his door

when they have a legitimate reason for doing so, and also with the use of a private

letter box. But that implied consent given by a computer owner is not without limit.

The point can be illustrated by the same analogies. The householder does not

consent to a burglar coming up his path. Nor does he consent to having his letter box

choked with rubbish. …It is enough to say that it plainly does not cover emails

which are not sent for the purpose of communication with the owner, but are sent for

the purpose of interrupting the proper operation and use of his system.”

Note that although the appeal court thus solved the particular problem of DoS, the

question of how “authorised” was to be interpreted was never raised in the CMA

amendments. Thus the CMA still leaves unresolved the scope of the standing

implied consent given by web servers to receive email and page requests. If five

million emails sent to a server are outside the bounds of implied consent, surely

millions or even thousands of spam emails face the same challenge? Does any

reasonable user impliedly consent to the receipt of even one spam email? It seems

possible therefore that in future spammers might also find themselves charged

effectively with DoS under s 3 – a result neither the judiciary nor the reformers

probably intended.

On other problems with the CMA as originally drafted, the maximum penalty for

some offences has also been increased to ten years. The bill doubles the maximum

jail sentence for hacking into computer systems from five years to ten years, a

provision that will classify hacking as a more serious offence and make it easier to

extradite computer crime suspects from overseas. Furthermore a new s3A contains

provisions to ban the development, ownership and distribution of hacker tools. Some

industry commentators considered the language used to be worryingly ambiguous,

possibly criminalising the use and sale of crucial security tools such as anti-DOS

intrusion detection software. In particular s 3A provides that it is an offence to

“supply or offer to supply [such a tool], believing that it is likely to be used to

26 DPP v Lennon [2006] EWHC 1201 (Admin).

commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]”.

Security experts have questioned how they cannot believe it is likely security tools

they create will be abused by hackers and cyber-criminals given the prevalence of

the black market economy. The Crown Prosecution Service has however issued

guidance on s 3A which seeks to reassure the security community.27

European law

The European Union (EU) is the world’s largest free trade area, and all twenty-seven

Member States must implement European law. Failing implementation, European law

can in certain circumstances take direct effect despite the lack of national law. Therefore

much over-arching NIS legislation and policy takes place at European level.

Table1: Summary of national legislation and European law implementing NIS28

Jurisdicti

on

Privacy

Law

Electronic Privacy

Law

Electronic

Commerce Law29

Cyber Crime

Law30

European

Union

Data

Protection

Directive

95/46 of

24

November

1995

Directive 2002/58/EC

repeals Directive

97/66/EC 15

December 1997,

Data Retention

Directive 2006 of 21

February

Electronic

Signatures:

Directive 99/93 of

13 December 1999

Electronic

Commerce:

Directive 2000/31

of 8 June 2000

Framework

Decisions and

Communication

s31; 2001

Council of

Europe

Convention on

Cybercrime is

harder law

27 Although with mixed success – see Richard Clayton’s response at

http://www.lightbluetouchpaper.org/2007/12/31/hacking‐tool‐guidance‐finally‐appears/

28 For a recent survey, see Mitrakas, Andreas (2006) Information security and law in Europe: Risks checked?

15:1 Information Communications Technology Law March at 33‐53; also ITU (2008) Global Cybersecurity

Agenda High Level Expert Group, Global Strategic Report, at http://www.cybersecuritygateway.

org/pdf/global_strategic_report.pdf

29A useful source of e‐banking legislation in English is http://rechtsinformatik.jura.uni‐sb.de/cbl/cblstatutes.

php

30 All countries in the Table have signed the Council of Europe Cyber Crime Convention.

31 See particularly Communication on cyber‐crime, COM (2007) 267 and Peers, S. (2009) Strengthening Security

and. Fundamental Freedoms on the Internet ‐. An EU Policy on the Fight. Against Cyber Crime, Report for the

European Parliament, Policy Department C: Citizens’ Rights and Constitutional Affairs, PE408.335 at

http://www.europarl.europa.eu/meetdocs/2004_2009/documents/dv/study_internet_security_freedoms_/Study

_Internet_Security_Freedoms_en.pdf

United

Kingdom

Data

Protection

Act 1998

Regulation of

Investigatory Powers

Act 2000,

Data Retention

Regulations 2007

No.219932 and 2009

No.85933

Electronic

Communications

Act 2000,

Electronic

Signature

Regulations 2002,

E-Commerce

Regulations 2003

Computer

Misuse Act

1990

Germany Federal

Data

Protection

Law(BDS

1. G) last

amended

2001;

G-10 law

applies to

communic

ations

secrecy

Information and

Communication

Services Act 1997,

Telecommunications

Act 2004 (Tele

kommunikationsgeset

z-TKG) last amended

14/03/2005

Digital Signature

Law 2001

Penal Code

Sections:

202a: Data

Espionage

303a: Alteration

of Data

303b: Computer

Sabotage

France Informatio

n

Technolog

y and

Liberty

Act (Loi

Informatiq

ue et

Libertés)

1978

Law 2004-801 of 6

August 2004 relating

to the Protection of

Data Subjects as

Regards the

Processing of

Personal Data

E-Signature Law:

Decree No. 2001-

272, 30 March 2001

in accordance with

article 1316-4 in the

civil code and

related to electronic

signatures

Law n°2004-575 of

21 June 2004 of

Confidence in the

Digital Economy

Godfrain Act

1988.

Penal Code

Chapter 3,

Articles 323-1

through 323-4:

Attacks on

Systems for

Automated Data

Processing

There has been harmonisation among countries based on both common European

legislation and cooperation in for instance police and Computer Emergency Response

Team (CERT) activities. The extent to which this harmonisation resulted in convergence

of national policies depended critically on:

• Whether national political responses to specific NIS problems34 produced strong

national legal and policy differences; and

• Whether pan-European policy preceded national response.

32 http://www.opsi.gov.uk/si/si2007/uksi_20072199_en_1

33 http://www.opsi.gov.uk/si/si2009/uksi_20090859_en_1

34 Including data protection failures and prevalence of viruses and other computer crimes

National responses to cybercrime date from the period around 1990 and also show

significant legislative and policing developments that pre-date the European response

(ENISA, the European Network and Information Security Agency, was only founded in

200435). In criminal law, pre-existing national legislation combined with a European

cooperative police force (Europol) led to harmonisation rather than convergence. In all

these cases, European legislation came after national legislative and institutional

arrangements, and national lawmakers had substantial initial room for independent policy

formation. In telecoms legislation, an area of longstanding European convergence, the

Data Retention Directive of 2006 signalled a greater convergence between national

regimes. The very late establishment of ENISA as the central NIS coordination

mechanism indicated a desire by Member States to maintain existing national

institutional arrangements in their current form. From 2010, Europol formally becomes

an agency of the European Union.36

The European Council Framework Decision on Attacks against Information Systems37

was adopted on 24 February 2005. Its objective is ‘to improve cooperation between

judicial and other competent authorities, through approximating rules on criminal law in

the Member States in the area of attacks against information systems’. The Framework

Decision indicates that attacks against information and computer systems are a tangible

and dangerous threat that requires an effective response. The Framework Decision and

the Cybercrime Convention have synchronised definitions of the relevant offences.

Council of Europe Convention on Cybercrime

One of the main international legislative instruments relevant to both global and

European regulation of cybercrime and security is the Council of Europe Convention on

Cybercrime. The final text of this was agreed on 23 November 2001 and it entered into

force on 1 July 2004.38 A further Protocol on racist and xenophobic acts in cyberspace

was signed on 28 January 2003 and entered into force on 1 March 2006.39 The

Convention is open for signature by both Council of Europe Member States (EU Member

States plus fifteen other countries) and those non-Member States that participated in its

drafting (including the United States). It is also open for accession by other non-Member

States.

35 Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the

European Network and Information Security Agency, OJ L 77, 13.3.2004

36 See IP/08/610 (2008) Europol to become EU agency in 2010, Brussels, 18 April 2008 at

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/610

37 Council Framework Decision 2005/222/JHA on attacks against information systems.

38 Due to its article 36, which contains the conditions for entry into force. It specifies that the Convention

should first be ratified by five States, including three Member States of the Council of Europe. The Convention

would then enter into force on the first day of the month following the expiration of a three month period after

the fifth ratification. This condition was fulfilled with Lithuania’s ratification on 18 March 2004, triggering the

entry into force on 1 July 2004.

39 Additional Protocol to the Convention on cybercrime, concerning the criminalisation of acts of a racist and

xenophobic nature committed through computer systems CETS No.: 189 at

http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm

The Convention is regarded as one of the most comprehensive documents on cyber-crime

available. Substantively, it focuses on efforts to outline common definitions for crimes

relating to computers and also measures to encourage international co-operation. It is the

only international agreement that covers all relevant aspects of cybercrime policing

(substantive criminal law, procedural law, and international cooperation). Since much

cybercrime is by its nature cross-jurisdictional, the most valuable contribution of the

Convention is to harmonise definitions of offences across states so that extradition and

co-operative policing are made much easier. Although the Convention is applicable only

to state governments and not to the private actors who de facto control many important

parts of the Internet infrastructure, guidelines for law enforcement by service providers

were issued in April 2008.40

How effective is the Cybercrime Convention? Some argue that the number of nations

who have signed up is not impressive.41 27 EC nations have joined to date but only 12

have ratified, six years on, leaving 15 to go. Outside the EU, the Convention is seen as

Western dominated, both in development and at the current time. Of the few non-EU

nations that have acceded, only the US and Ukraine have ratified. On the other hand the

Convention is often held up as a model law, even for countries unwilling to accede

because the treaty is seen as too Western, or too demanding of resources. Marco Gerke,

University of Cologne, a UN and CC cybercrime expert, states that “the impact of the

Convention is going beyond the number of countries that formally signed it. At least a

couple of dozen countries have used the Convention while updating their legislation to

bring themselves in line with international standards.”42

The key question for the success of the Cybercrime Convention is perhaps whether it can

entice into membership those countries known to harbour the ringleaders of organised

cybercrime – such as many countries in the former Soviet Union bloc – as well as those

that suffer the brunt of cyber attacks – the USA and Western Europe. Even where

developing world and Eastern European countries have the political will to take a stance

against cybercrime, it is often difficult to justify allocating resources for it, when the

beneficiaries will be not that state’s own citizens but those of other countries. Despite

this the ongoing success of the Cybercrime Convention can be seen at a micro as well as

macro level. Many countries are in the process of harmonising their law to meet

Cybercrime Convention standards whether or not they plan to join, e.g. many Latin

American countries. In other regions such as the Arab states, there may be a preference

to put together their own regional instruments rather than accede – but in most cases

these are very similar to the Convention. It is thus arguably a very successful instrument

for international harmonisation.

40 See

http://www.coe.int/t/DG1/LEGALCOOPERATION/ECONOMICCRIME/cybercrime/cy_activity_Interface2008/56

7_prov‐d‐guidelines_provisional2_3April2008_en.pdf

41 See R. Anderson et al, Security Economics and European policy, Proceedings of the Workshop on Economics

and Information Security, 2008, at http://weis2008.econinfosec.org/papers/MooreSecurity.pdf

42 Private conversation with Edwards during the research for the McAfee Virtual Criminology Report 2008,

supra.

The Council of Europe, who sponsor the treaty, also provide training in how to operate

against cybercrime and use the Convention, for both judiciary and police, as well as

assisting regions to move towards accession or developing their own instruments: see e.g.

workshops held in 2007/2008 for West Africa and Caribbean regions, as well as

programmes for the training of judges, e.g. by Cybex in Spain.

The Convention despite having only been in force since 2004 is however showing signs

of a need for updating. Specific problem areas such as phishing, identity theft and crime

in “virtual worlds” – e.g. fraud on virtual banks – are not covered as nominate crimes,

though they may be subsumed beneath broader categories, such as phishing beneath

online forgery and fraud (arts 7 and 8). New investigation instruments like key-loggers

(“Magic Lantern”) and identification instruments (“CIPAV”) are already in use in

countries like the US but not mentioned in the Convention either as permissible or not.

Renegotiating the treaty would likely be a Herculean task, so future additions are likely to

be made by ways of optional protocols, as with the existing example relating to hate

speech.

Will the Cybercrime Convention ever develop into a standing cyber crime police force,

much as NATO has developed a standing capacity to combat hostilities in its region? It is

clear that national police forces, whether standard operations or specially trained

“cybercops”, struggle to make any meaningful impact on cybercrime when so much of it

is directed from countries outside their jurisdictional competence. One-time co-operative

international policing operations have had some striking successes, notably in relation to

international paedophile rings, but these are very expensive, and extremely difficult and

time-consuming to mount. An argument for a standing international cyber security force

clearly exists, particularly as Interpol seems to have little or no profile in the field of

cybercrime. The political will (and funding) for such a force seem at the moment

however to be absent, and as noted at the start of this chapter, we seem instead to be

entering a phase of distinctly national cyber-security initiatives43 as states realise the full

potential impact of a cyber-infrastructure attack.

Specific legal problem areas

Phishing

Phishing is the use of social engineering and hacking techniques to gain information such

as financial or other personal data. Profit is usually achieved for “phishermen” by sending

emails which by some means or other extract login and password details from recipients

which can then be used to gain access to bank and similar accounts. Phishing is a fast

rising crime and has accelerated in particular since the current recession began. Figures

released in October 2008 in the UK by APACS, the UK clearing banks association,44

showed that from January to June 2008 phishing attacks rose by 186% on the same

period in 2007. In total there were more than 20,682 phishing incidents during that six

43 See e.g. the announcement of the UK’s first national Cyber Security Strategy launched in June 2009, reported at

http://news.bbc.co.uk/1/hi/uk_politics/8118348.stm. For the US equivalent, see infra n 73.

44 See http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm .

month period compared to 7,224 the previous year. Similarly the FTC issued a special

phishing warning for the USA, also in October 2008.45

There are two key reasons why phishing is a particularly growing threat at the current

time. First, as credit facilities become restricted and subject to detailed checking,

procuring personal data to open new accounts and acquire new credit cards loses appeal,

while using phishing data to clean out existing accounts becomes more attractive.

Secondly, the recession has brought in its midst vast confusion and loss of trust in the

consumer sector.46 As confusion around financial bust and merger (perhaps) clears,

phishing is likely to diversify into public sector websites (e.g TV and motor licensing

sites) with deleterious consequences for public confidence in e-government;47 and into

phishing of virtual currencies from virtual worlds48 – where law enforcement will have,

one suspects, not the first idea of where to start.49

In the previous and following sections we discuss what role (if any) law can play in

preventing the kind of cyber insecurity that engenders phishing. A key issue for the law,

however, is how to regulate the losses of users in this sphere, and in particular if banks

should be obliged to reimburse customers for phishing losses. It is a common myth in the

UK that banks are required to reimburse phishing losses where bank accounts are drained

by phishers. It seems that most consumers draw an analogy with the well known rights in

respect of misuse of credit card details under the Consumer Credit Act (CCA) ss 83 and

84. In fact, UK law here is unclear and antiquated.50 The CCA provides only that banks

issuing credit cards must reimburse cardholders where the card data is fraudulently

misused by a third party. In relation to debit fraud, remedies are purely conferred by the

voluntary Banking Code, and there have been disputes in the past even over

“conventional” misuse of debit card details, e.g., re “phantom” cashline/ATM

withdrawals where banks have refused to reimburse, claiming the customer is at fault or

lying.

Thus the commonest case of phishing, where a chequing or saving account is drained, is

not covered by hard law since no consumer credit arrangement is involved. Instead, the

matter appears to be covered only by banking practice as laid down in the Banking Code,

not in hard law. Historically, as Bohm et al have pointed out,51 under the Bills of

Exchange Act 1882, a bank that honoured a forged cheque was bound repay the amount

45 See http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm .

46 BBC News 10 October 2008 “Bank turmoil fuels phishing boom”, at

http://news.bbc.co.uk/1/hi/technology/7663055.stm .

47 See http://blogscript.blogspot.com/search/label/phishing .

48 See ENISA Report “Virtual Worlds, Real Money”, November 2008, at

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_security_privacy_virtualworlds.pdf .

49 See amusing fictional account in Stross C Halting State (2007).

50 See N Bohm, I Brown and B Gladman ‘Electronic Commerce: Who Carries the Risk of

Fraud?’ 2000 (3) JILT at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/ ; Anderson R

“Closing the Phishing Hole – Fraud, Risk and Nonbanks”, available

at http://www.kansascityfed.org/econres/PSR/PSRConferences/2007/pdf/Anderson.pdf .

51 Supra.

debited to the customer’s account. By analogy, a bank which allowed a phisherman to

withdraw the contents of an account using “forged” credentials should surely be equally

liable. Yet the latest edition of the Banking Code makes customers liable for unauthorised

online banking transactions unless they have taken “reasonable care” – defined as the use

of “up-to-date anti-virus and spyware software and a personal firewall” and that

customers keep passwords and PINs secret.52 In practice to date banks have usually paid

up, but it may be questioned if financial cutbacks combined with a rise in claims will not

put pressure on this gentleman’s agreement.

In other countries, a mishmash of legal and para-legal remedies has emerged, with little

harmonisation across borders. For example,

• in the US, claims by customers that they have suffered loss due to card fraud of

some kind are repaid under EFTA, the Electronic Fund Transfer Act, subject only

to the customer reporting the fraud properly. Fault on the part of the consumer is

not as relevant consideration.

• In Canada, losses are usually indemnified by banks but only according to

voluntary banking codes. Furthermore fault removes customer rights, and in

Canada, “fault” on part of customer to exclude bank liability has reportedly been

defined very widely e.g. if shoulder skimming has occurred, this might be “fault”,

similarly dropping card on floor revealing data, or having PIN stuck to back of

card.53

• In Costa Rica, the customer is left to carry the losses of bank frauds and ID fraud

on their own.54

This lack of harmonisation is a problem given the increasing ability of consumers to bank

outside their home jurisdictions, especially using Internet banks. In the event of consumer

losses due to phishing, difficult issues may arise both of identifying the relevant legal

system and the legal remedies available. It also indicates though the rise of a culture

where consumers are presumed at fault if losses occur due to phishing, and have to prove

their innocence to get their money back. This seems disturbing, given that it is the banks,

not the consumers, who are in the best place both to identify and warn against phishing

entreaties, and to improve banking security thereby safeguarding consumers against

foolhardy decisions – e.g. by implementing two factor authentication for consumer

withdrawals. Accordingly, as discussed below, the House of Lords Report on Personal

52 British Bankers’ Assocation, The Banking Code, March 2008 s12.9. Available at

http://www.bankingcode.org.uk/pdfdocs/PERSONAL_CODE_2008.PDF.

53 Personal conversation by Edwards with Mary Kirwan, Canadian security expert, while conducting

research for the Macafee Virtual Criminology Report 2008, supra.

54 With thanks to Andres Guadamuz for this information.

Internet Security recommended in 2007 and again in 2008 that banks should be

presumptively held liable for phishing losses as a matter of law.55

Buying zero day exploits

Exploits or “zero day exploits” are software vulnerabilities that allow a particular piece of

software to be hacked or in some way compromised. They are, basically, “bugs”, which

arise inevitably in the creation of software as it goes through its development life cycle.

Exploits which compromise widely used programmes such as Internet Explorer, Word,

Excel, Linux kernel programs, etc can be extremely valuable. They can be used to cripple

a commercial competitor or to open “back doors” in programmes allowing theft of

personal data e.g. bank account details. They can even in theory inflict significant

damage on the infrastructure of a nation state. They can also be used indirectly to

blackmail the vendor of the affected software.

The market for exploits is cloaked in secrecy but some details have emerged in the last

few years:

• “White” or legitimate market: Two main agencies exist which openly buy

exploits at market prices, using contracts and non disclosure agreements (NDAs) –

Tipping Point56 , and iDefense57 ; other players include Snosoft58 and a number

of small firms whose business model is to employ in-house vulnerability

researchers.

• Occasional examples also exist of security researchers attempting to sell exploits

on the open market by “bug auctions”. In 2005, a researcher “fearwall”

discovered a bug in Microsoft Excel that could have caused potentially enormous

damage, and after first contacting Microsoft, went public by putting it up for sale

on eBay. Bids reached $1,200 before the auction was pulled under pressure from

the vendor. “Fearwall” claimed he had really been seeking not money, but

publicity to pressurise Microsoft into patching the vulnerability.

• “Grey” market: sales of exploits to government agencies. This market is a “white

hat” market but little is known about it. It is rumoured the US National Security

Agency59 has purchased exploits, and that various government agencies employ

vulnerability experts to hunt for exploits as full time staff or on freelance

contracts.

55 House of Lords Science and Technology Committee, Personal Internet Security, HL 165-I, 5th Report of

Session 2006-07 – Volume I: Report

56 http://www.tippingpoint.com/ .

57 http://labs.idefense.com/ .

58 See http://snosoft.blogspot.com/2007/01/exploit-acquisition-program.html for an example of their terms

of purchase of exploits.

59 See C. Miller (2007) The legitimate vulnerability market, Proceedings of Workshop for Economics of

Information Security, , available at http://weis2007.econinfosec.org/papers/29.pdf and Sutton M and Nagle

F “Emerging economic models for vulnerability research”, Proceedings of Workshop for Economics of

Information Security, 2006, available at http://weis2006.econinfosec.org/docs/17.pdf .

• “Black” market: sales to criminals and corporations engaged in industrial sabotage

or espionage. Again revenue can then be gained directly by closing down a

system, or indirectly by attempts to blackmail a vendor by threatening release of

an exploit, resulting in bad PR and possible loss of market share. This market is

almost impenetrably difficult to research. However one known example occurred

in January 2006 when a Microsoft WMF exploit was sold by auction for $400060

– allegedly to more than one “black hat” buyer. Investigations showed the exploit

was later used by at least one buyer to capture machines to spread “pump and

dump” spam.

Legal issues around exploit sales

It might be surprising that there can be a white market in exploits at all. Discovered

exploits in their nature are primarily intended to impede or cripple software and, by

extension, to hurt users and vendors who make money from that product. Arguably their

sale should be illegal, or at least controlled, as the sale of weapons or dangerous goods

like dynamite, poisons or hand-guns are in most European countries. On the other hand it

can be argued that exploits are, rather like encryption, a “dual use” good. While their

primary purpose is to cause damage, they can also be used by security experts to provide

an early warning service of possible vulnerabilities (this is the business model of the likes

of iDefense), and studied to build safer, less vulnerable software.

From a legal perspective it is not at all clear what is being “bought” and “sold” in the

exploit market. A vulnerability is not a tangible object like a gun, so the first obvious

argument would be that it is a piece of intellectual property (IP), and this seems

anecdotally to be what some buyers and sellers claim. However the only appropriate IP

regime of protection would probably be copyright, and this analysis leads to severe

problems. The programme code that the exploit relies on, and will often incorporate, will

be the copyright of the vendor not the creator of the exploit – and the vendor will

certainly not have licensed his code to the zero day exploiter to use (or abuse) in this way.

Furthermore, sometimes what is sold may not be code as such, but merely a particular

word or an idea – knowledge about how or when a vulnerability operates – in which

case IP will not be appropriate, although trade secrets may be.

In fact, what is bought and sold mainly appears to be silence. Agreements in the exploit

market are notoriously hard to broker because if the exploit seller demonstrates that the

exploit works to the buyer, then he will often have given away the value of what was on

sale: even more so if he hands his code over to the buyers to test. As with all ideas, once

it has been explained, what is left to sell? The market thus appears to reply mainly on

non-disclosure agreements rather than transfer of property per se. Since sales will

normally be made under conditions of anonymity, there is also the problem of multiple

sales. An exploit might be traded under three different names to three different markets.

As a result the exploit market is de facto limited to a small group of experts who know

and trust each other with open auction sites partly filling the gap.

60 Cited in Miller, supra.

Finally, there remains a strong argument that an exploit market should not be valid in any

form. Vendors tend to argue that any exploits that exist should “belong” to them and thus

in law not be saleable either back to them, or worse still, to someone else. “It’s my code

and my mistake” said one unnamed programmer for a major software vendor. “Shouldn’t

I be entitled to fix it? If Shakespeare had made a spelling mistake in one of his plays

wouldn’t he expect just to be told about it, not to have to pay for it before he could fix

it?”61

Some security experts and economists argue however that a “white market” should be

allowed:

• In a professionalised world of organised cybercrime, security experts, just like

cyber criminals, increasingly work for financial reward not just glory.

Discovering an exploit is hard work and researchers should be paid for it, since

their work is for the public good.

• If a white market for vulnerabilities does not exist, researchers will sell to the

black market, probably for greater reward.

• Discovering vulnerabilities should be encouraged as otherwise software remains

insecure, adding to the instability of critical infrastructure and the growth of the

zombie bot population. An exploit market increases potential scrutiny.

Many commentators still however feel uneasy about this covert “arms trade”, with a

strong argument made that encouraging the discovery of software vulnerabilities simply

encourages illegal activity and produces insecurity (of both software and the market).62

Both the current major players on the white market respond that they engage in

“responsible disclosure” – that is, they disclose the vulnerability to the software vendor

after they have made it available to their own customers. The vulnerability is thus

eventually fixed (“patched”). They also claim to facilitate the procurement of exploit

information by having a larger range of sources than any one company normally would.

For example, iDefense reported in 2007 having a pool of about 400 contributors of

vulnerability information over the last four years.63 Given an inevitable time gap between

when a vulnerability has been found and when the vendor can patch it, the “white

market” business model is to provide advance disclosure to their own paying clientele

who are thus protected before patching is implemented. The fault if any can then be said

to lie with vendors for not patching sooner and more effectively.

Vendors, however, including major players such as Google and Microsoft, take the view

that best practice is to disclose software vulnerabilities straight to them so they can be

patched as fast as possible, and discourage an exploit market. Some vendors have been

known to offer bounty programmes for amateur “bug spotting” while discouraging the

61 Conversation quoted during personal interviews by Edwards with a spokesman for iDefense for McAfee

Virtual Criminology Report 2007, supra.

62 Kannan and Telang (2005) Markets for Vulnerabilities? Think again, Management Science, 51 (5).

63 As above

“professional” approach.64 Some support mandatory vulnerability disclosure. While

delayed disclosure of bugs in traditional software products such as Word or Excel may be

workable, and prevent collapse of confidence in a product, in relation to web services,

immediate disclosure to the service provider so the vulnerability can be patched is

regarded as vital, since silence leads to further infections being spread to multiple users.65

A distributed non-commercial scheme in which all Internet users work voluntarily

together to search and disclose exploits may also be a future model; a preliminary basis

for such already exists in the StopBadWare list of infected websites, which appears as

warnings against lists of Google search results.66

Future legal directions

In August 2007 the House of Lords Science and Technology Committee published the

results of their year-long inquiry into Personal Internet Security.67 Their investigation was

particularly concerned with the nature and scale of the security threat to individuals; how

these threats could best be tackled; what types of governance and regulation would be

most appropriate in this area; and how well the government is responding to cybercrime.

A wide range of individuals and organisations gave evidence to the inquiry, including

academic lawyers and computer scientists, trade bodies such as the British Computer

Society and Association of Payment and Clearing Services, Internet Service Providers,

law enforcement agencies and children’s charities.

The committee made recommendations in a number of areas, with the main aim being to

better align the security incentives of organisations, ISPs and users. They found that end

users rarely have the time or technical background to shoulder the responsibility pushed

onto them by the government for securing their own online activities. Financial services

institutions, ISPs and software vendors in particular are in a better position to manage

some security risks.68 The best way to encourage them to do this would be to carefully

reallocate to them some of the liability for fraudulent payments, traffic from infected

machines and insecure software.

Banks have been encouraging customers to switch to online services (which are much

cheaper to provide than branches and staff) while at the same time attempting to shift risk

for fraudulent transactions onto those same customers, as discussed above. Given the

continuing arms race between virus authors and anti-virus software companies, and the

ingenuity of those harvesting passwords from infected PCs and phishing sites, it will be

difficult for the average user to assess the risk and veracity of a transaction. Banks have

64 Eg Netscape’s Mozilla Foundation (http://www.mozilla.org/security/bug-bounty.html)

65 See Day O, Palmen B and Greenstadt R (2008) Reinterpreting the Disclosure Debate for Web Infection,

Proceedings of the Workshop for Economics and Information Security, at

http://weis2008.econinfosec.org/papers/Greenstadt.pdf

66 Project run by Harvard and Oxford Universities plus others in collaboration with Google: see

http://stopbadware.org/

67 Supra n 54.

68 This argument was first made in N. Bohm, I. Brown and B. Gladman, supra n 49.

been slow to develop and deploy the type of hardware authentication tokens69 that would

protect users, because the costs of their failure to do so fall partly on their customers.

Banks are also in a better position than their customers to profile and analyse transactions

for suspicious events. The Lords therefore recommended that banks be encouraged to

take more responsibility for their customers’ security by holding them liable for

electronic fraud losses. They also suggested that banks and other businesses should be

required to notify customers when security breaches occur, giving them advice on

practical steps to reduce the resulting risks.70

The committee similarly found that ISPs are in a better position than their customers to

protect against certain types of attack. In particular, they are able to monitor outgoing

traffic for and receive reports of spam, worm infections or Denial of Service attacks.

Once such traffic has been detected, ISPs are able to limit infected machines’ network

access to sites that will allow them to download the latest software patches and antivirus

signatures and hence remove the infection. The Lords recommend that the E-Commerce

Directive’s Article 12 “mere conduit” defence71 be removed once ISPs have detected or

been notified of such traffic, making them liable for damage done to third parties unless

they take preventative measures with a limited time period.

Finally, the committee noted that software companies have historically paid limited

attention to the security of their products and that “radical and rapid change” is needed.

This is partly due to their ability to dump liability onto customers using restrictive

licensing agreements that would be held void in many other markets (and partly due to

the preference seemingly shown by consumers for flashy new features over security and

stability in software). The committee therefore recommended that in the short term,

liability waivers should be ignored when vendors have been negligent. In the long term, a

framework for vendor liability and consumer protection should be developed. More

specifically, the committee suggested that users should receive better security advice

when first setting up new software; that patches should automatically be downloaded

when machines first go online; and that default security settings should be set as high as

practicable to give users time to understand risks and tradeoffs of reducing those settings.

These recommendations broke new ground in the debate on Internet security in the UK.

While they were almost completely rejected in the government’s initial response to the

report, 72 they have continued to generate discussion and further activity by the Lords

Science and Technology Committee. They were also echoed in a recent cybersecurity

review carried out by the US government, which further recommended attention to

69 See for example details of Barclays Bank’s new PINsentry device at

https://www.barclays.co.uk/pinsentry/.

70 Mandatory security breach disclosure is likely to be passed as part of the reform of the Privacy and Electronic

Communications Directive 2002 in 2009, but only for the telecommunications industries and not for the likes of

banks. See further, Edwards, Chapter DP1 at PP xx.

71 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal

aspects of information society services, in particular electronic commerce, in the Internal Market, OJ L 178,

17.7.2000, p. 1–16.

72 The Government reply to the Fifth Report from the House of Lords Science and Technology Committee

Session 2006-07 HL Paper 165, Cm 7234.

indemnification, tax incentives, and new regulatory requirements and compliance

mechanisms.73 While cybersecurity remains an enormous global problem, it does seem

some consensus on a holistic strategy to combat it, taking into account law, business

practice and technology or “code”, is finally beginning to emerge.

73 United States Government (2009) Cyberspace Policy Review: Assuring a Trusted and Resilient

Information and Communications Infrastructure, available at

http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

Related Samples