Nodal points of cybersecurity. A COMMENT ON CROSS-BORDER EVIDENCE GATHERING P J Louw 23 October 2012.
“the ability to gather timely evidence has become increasingly important to successful outcomes. The ability to facilitate such evidence gathering by way of international comity is vital”
A COMMENT ON CROSS-BORDER EVIDENCE GATHERING: Vitapharm v. F. Hoffmann-LaRoche Ltd. (C. Scott Ritchie Q.C., J.J. Camp Q.C., Sharon Matthews, Andrea DeKay)
Gathering Evidence
We must always ensure pre-trial fairness and protect the integrity and trustworthiness of the evidence.
The truth-seeking mission of the criminal justice system is to get the correct and accurate information and not to get the suspect
Cross-border scenarios since 2005
• 2005 bank fraud scenario
• Spyware – Russian server
• Trade secret and the Yahoo account
• Social media
Transborder acquisition of evidence Three truths
“Everything old is new again”
We must acknowledge that we are litigating in the digital age.
What in heaven’s name brought you to Casablanca?
My health, I came for the waters.
Waters? What waters? We are in the desert!
I was misinformed.
• Don’t be misinformed when it comes to electronic evidence
We will not be successful if we do not secure a steady stream of evidence from abroad.
“Thus, such as in other international investigations, the investigating officer can easily be put in a situation where it is impossible to investigate a transnational cybercrime if the officer cannot do any search or investigate beyond his country’s borders without specific involvement of the law enforcement authorities in the country within which the sought after data resides.”
Joseph J. Schwerha IV, “Law Enforcement Challenges In Transborder Acquisition Of Electronic Evidence From ‘Cloud Computing Providers’”
Key questions:
• How to ensure security while maintaining due process, freedom of expression and privacy in a global, online environment?
• How to ensure security and privacy in the clouds?
(Alexander Seegers COE)
The law enforcement challenge
• LEA need to investigate cybercrime and secure electronic evidence in relation to ANY crime
• Procedure: Search, seizure, preservation, production of data stored on a computer system
• Rule of law safeguards in country of LEA investigation
• MLA and provisional measures for international investigations (including safeguards)
(Alexander Seegers COE)
The law enforcement challenge
• Search for evidence: where is the computer system, where is the data?
• Jurisdiction to enforce?
• Territoriality or power of disposal?
• Exigent circumstances?
• Limitations of international cooperation
• What procedural safeguards?
(Alexander Seegers COE)
Access to data on the territory of the LEA (Articles 16-21 Budapest Convention) (Alexander Seegers COE)
Access to data on a foreign territory by cooperation with foreign authorities:
Provisional measures
• Article 29/30 – Expedited preservation
Mutual legal assistance
• Article 31 – MLA to access stored data
• Article 33/34 – MLA to collect traffic and intercept content data
• Article 35 – 24/7 Network of contact points
(Alexander Seegers COE)
Access to data on a foreign territory without cooperation of foreign authorities:
Transborder access to stored data
• Article 32a – Publicly available
• Article 32b – With consent
(Alexander Seegers COE)
Gathering evidence in the cloud?
• It can be impossible to know where the data resides
• What Law Applies When You Do Not Know Where Data Was Stored
• Getting Data via Consent Creates Many Issues
• The Data Obtained from the Suspect’s Custodial Computer May Have Little Meaning
• There Could be Significant Evidentiary Issues in Certain Scenarios
Joseph J. Schwerha IV, “Law Enforcement Challenges In Transborder Acquisition Of Electronic Evidence From ‘Cloud Computing Providers’”
Practical suggestions: USA
• Most U.S. providers will disclose information directly to foreign law enforcement in the case of an emergency (e.g. kidnapping, bomb threat, threat against someone’s life) without legal process.
• There is normally a 24-hour hotline to make these types of request. I would suggest contact to be initially by phone and followed up with an email from an official email address (.gov.za).
(Agent Phil Slinkard FBI)
Practical suggestions: USA
• Problem: countries who did not maintain a country-specific TLD (e.g. .za, .uk, etc.).
• The law enforcement officers were using free email services and were unable to convince the ISP that they were actually law enforcement officers.
• At that point, the FBI’s Legat office in the host country stepped in and established contact with the ISP on behalf of the local agency.
• The lesson learned here is to make sure the officer or prosecutor makes the initial contact with the ISP via an official email account.
(Agent Phil Slinkard FBI)
Practical suggestions: USA
• Smaller ISPs may choose to provide information to a foreign country based on the foreign country’s legal process.
• Typically, the company will require an order signed by a Magistrate or Judge requesting the information.
• I know some countries allow a Police Officer or Prosecutor to request this information directly, however since U.S. laws require a court order, most ISPs who choose to work directly with a foreign government will often want an order / request signed by a Magistrate.
Yahoo
• Yahoo can sometimes be a challenge to get information from. If Yahoo has a local presence (i.e. a branch office) in South Africa, legal process can be served directly to Yahoo using South Africa’s laws.
• The problem is how Yahoo does the setup of accounts. Since Yahoo is a global company, they have entire divisions in other countries. If a Yahoo user who is physically located in the United States sets up a Yahoo.co.uk email account and agrees to the Yahoo.co.uk user agreement, any legal process requesting information about the account or content has to be served via Mutual Legal Assistance Treaty (MLAT) request through the British government. Because the user’s account is located in the U.K., the account falls under the laws of the U.K. and the E.U.
(Agent Phil Slinkard FBI)
The Yahoo.com email addresses are a particular headache. These can be located in a variety of locations. Yahoo will localize the user agreement based on the location of the person signing up. There is no easy way to know if a @yahoo.com email is U.S. based or another country. Yahoo has been fairly good at responding informally on where to serve legal process.
Twitter
Twitter is another company with an interesting response to law enforcement requests. Any legal process served on Twitter will result in Twitter immediately notifying the subscriber. Because of this, I will only serve legal process on Twitter in the last phase of an investigation. Most of the information I have needed, I have been able to screen capture.
Social media sites
With most social media sites, my first step is normally to collect as much information that is publicly available as I can. In many cases, this requires me to set up an account with the social media site first. Depending on the type of investigation, I will first make a preservation request, then follow with legal process. The exception being Twitter since their policy is to notify the subscriber. Most social media sites will respond / behave similarly to ISPs.
Conclusion
• Technology leaps but the law creeps – adapt to your environment
• Case-by-case approach
• Cover your bases step by step – always be able to show your bona fides