United Nations A/CONF.187/10
Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders
Vienna, 10-17 April 2000
Distr.: General
3 February 2000
Original: English

Item 5 of the provisional agenda*
Effective crime prevention: keeping pace with new developments

Crimes related to computer networks

Background paper for the workshop on crimes related to the computer network

Summary

Effectively preventing and combating cyber crime requires a coordinated international approach at different levels. At the domestic level, the investigation of cyber crime requires adequate staff, expertise and procedures. States are encouraged to consider mechanisms that enable the timely and accurate securing of data from computer systems and networks, should data be required as evidence in legal proceedings. At the international level, investigating cyber crime requires timely action, facilitated by coordination between national law enforcement agencies and the enactment of appropriate legal authority. In addition to and in support of the international initiatives already taken, the present paper considers the means for the exchange of technical and forensic expertise between national law enforcement authorities, as well as the need for international deliberations on present and future legal measures for international cooperation in the investigation of cyber crime.

* A/CONF.187/1.
V.99-90954 (E)
Contents

I. Legislative background (paragraphs 1-2)
II. Aim and scope of the paper (paragraphs 3-5)
III. Categories of cyber crime (paragraphs 6-24)
IV. Criminal investigations of cyber crime (paragraphs 25-47)
V. International cooperation among national law enforcement authorities (paragraphs 48-66)
   A. Forms of cooperation and international initiatives (paragraphs 48-54)
   B. Mutual legal assistance and other international treaties (paragraphs 55-66)
VI. Conclusion (paragraph 67)
I. Legislative background

1. The General Assembly, in its resolution 52/91 of 12 December 1997, decided that one of four workshops to be held at the Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders should be on the issue of crimes related to the computer network. The Assembly, in its resolution 53/110 of 9 December 1998, endorsed the programme of work for the Tenth Congress, which included four technical workshops, one of them dealing with crimes related to the computer network. In the resolution, the Assembly emphasized the importance of the workshops and invited Member States, non-governmental organizations and other relevant entities to support financially, organizationally and technically the preparations for the workshops, including the preparation and circulation of relevant background material.

2. In its resolution 54/125 of 17 December 1999, the Assembly encouraged States, other entities concerned and the Secretary-General to work together in order to ensure that the four workshops to be held during the Tenth Congress focus clearly on the respective issues and achieve practical results, and invited interested Governments to follow up with concrete technical cooperation projects or activities. In response to the resolution, the Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders organized two meetings of experts on crimes related to the computer network, at which most of the substantive preparations for the computer crime workshop were made. The Centre for International Crime Prevention acknowledges the efforts of the Asia and Far East Institute for the Prevention of Crime and the Treatment of Offenders and the expert group in making this workshop possible.

II. Aim and scope of the paper

3. The emergence of international computer networks, such as the Internet, enables users to engage in communications, actions and transactions with other users all over the world. Since legitimate and illicit use of computers and networks can go hand in hand, it follows that those exploring the opportunities of the new medium include criminally motivated individuals and groups. Crime control in today’s environment of international computer networks is complicated for three major reasons:

(a) Criminal behaviour can take place in an electronic environment. Investigation of cyber crimes, that is, any crime committed in an electronic network, requires particular expertise, investigating procedures and legal powers that may not be available to law enforcement authorities of the State concerned;

(b) International computer networks, such as the Internet, are open environments that enable users to act beyond the borders of the State in which they are located. However, investigative efforts of law enforcement authorities in general should be restricted to the territory of their own State. This means that crime control in open computer networks requires intensified international cooperation;

(c) The open structures of international computer networks offer users the opportunity to choose the legal environment that best suits their purposes. Users may choose a country where certain forms of behaviour capable of being executed in an electronic environment have not been criminalized. This can attract criminal activity by persons from other States where such activities are criminal under their domestic law. The occurrence of “data havens”—States where reducing or preventing the misuse of computer networks is not a priority, or where no effective procedural laws have been developed—may impede the efforts of other countries to control crime in computer networks.

4. The focus of the following discussion is on how to achieve coordinated international action in order to facilitate, enhance and improve current methods of combating cyber crime. Of particular interest is the role that can be played by the United Nations or other international organizations. Background information is provided regarding the workshop on crimes related to the computer network.

5. The following discussion outlines the types of crimes envisaged for international electronic networks and explores why such crimes need international attention and combined efforts. The definition of such crimes should bring a common international understanding and guide national criminal policies in the field.

III. Categories of cyber crime

6. The terms computer systems or computer networks are used in the present paper to refer generally to the electronic environment. Although stand-alone systems still
exist, it is more the norm for one or more computer systems, including personal computers, to be interconnected and form a network. No distinction is made here between private and public networks, or based on whether they have permanent connections. In the present paper, unless stated otherwise, telecommunication systems are grouped in the same category as computer systems and networks.

7. At present, the Internet is a well-known example of a public computer network. It has gone through an explosive growth in the last decade. It owes much of its success to the use of common communication protocols. Any system or network operator who applies such protocols can easily become a link in the network as a “provider”, referred to in the present paper as an Internet service provider. For commercial and technical reasons, the Internet service providers in some countries organize themselves into associations or societies, developing common positions on certain issues.1 Estimates show that today over 200 million people in the world use the Internet, of whom 112 million are in North America, 47 million in Europe and 33 million in Asia and the Pacific region.2 At the end of 1995, statistics showed 26 million users, the majority of whom resided in the United States of America. In 1999, the monthly increase in users was estimated at more than 3 per cent.

8. The core function of a computer system is the processing of data. The term data is defined as facts, instructions or concepts represented in a conventional manner, in a form suitable for human understanding or automated processing.3 Electronic data are represented by a string of magnetic spots on a permanent or temporary storage medium, or in the form of electric charges when being transferred. When data can be identified and controlled by a particular data carrier, such as data stored on a (set of) floppy disks they can, from a legal point of view, be considered one tangible material object. In general, data processed in a computer system can no longer be qualified and controlled by means of their carrier. Operating systems autonomously move data files from one physical place on a storage medium to another. In computer networks, distributed data processing makes it impossible for those in control of data to establish the physical location of the whole or a part of a file without specific measures. Data as such can be controlled only through logical operations not physical acts, which makes it difficult to treat pure data, in law, as if they were tangible objects.

9. Cyber crime refers to any crime that can be committed by means of a computer system or network, in a computer system or network or against a computer system or network. In principle, it encompasses any crime capable of being committed in an electronic environment. In this paper, “crime” refers to forms of behaviour generally defined as illegal, or likely to be criminalized within a short period of time. Certain conduct may be criminalized in one State where it is not in others but, as explained in paragraph 13, a common understanding has developed in certain international forums about which behaviour in relation to computer systems and networks should be criminalized. This is the starting point for the following discussion.

10. The focus here is the criminal investigation and prosecution of cyber crime. The designation “law enforcement authorities” refers to those charged by law with the investigation and prosecution of crime. Some Member States have set up specialized units to investigate or assist in the investigation of computer-related crime. Internationally, the International Criminal Police Organization (Interpol) is the coordinating organization for registering and distributing police information that concerns issues such as wanted persons and stolen property.

11. In investigating cyber crime, the law enforcement authorities of a State may seek the cooperation of authorities from other States, both in the form of assistance with specific cases and in the sharing of general information about criminal organizations and cases. They may, in the course of a particular investigation, request the use of materials available in other States. The scope of cooperation among national law enforcement authorities is determined by the national law of each State, as well as by international agreements, including agreements on mutual legal assistance.

12. Common examples of abuse of international computer networks include communicating expressions forbidden by law, offers of illegal products or false offers in order to obtain illegal financial profits. Here, the Internet is being used in the same manner as any other instrument or tool that may be used to commit a crime. The network itself is the environment of the crime, rather than an indispensable attribute for its perpetration. The specific qualities of the Internet may induce a perpetrator to use it instead of traditional means: it offers excellent communication facilities and the possibility of hiding one’s identity, and the risk of being subjected to criminal
investigation, in any of the jurisdictions involved, is relatively low. Apart from the forms of crime mentioned, some Internet users gain illegal access to connected systems, where they interfere with their functioning or content. Such activity has been termed “computer crime”. The perpetrators of computer crime availed themselves of specific technical knowledge, expertise or instruments to carry out illicit activities. Computer systems can be easy targets because sufficient security measures have not been incorporated or taken, or because users are unaware of the risks involved. In addition, factors that make a system user-friendly tend to make it unsecure. Security flaws in commercially successful system software will often be publicly known.

13. While interested countries have considered the problems arising from transnational cyber crime, there has not been much attention paid to it at the global level. The United Nations, for example, has not yet adopted policy specific to the criminalization of cyber crimes; national laws may apply to cyber crimes in a variety of ways, if they apply at all. Reasons for the lack of attention to cyber crime may include relatively low levels of participation in international electronic communications, low levels of law-enforcement experience and low estimations of the damage to society expected to occur from electronic crimes. In global computer networks, the criminal policy of one State has a direct influence on the international community. Cyber criminals may direct their electronic activities through a particular State where that behaviour is not criminal and thus be protected by the law of that country. Even if a State has no particular national interest in criminalizing certain behaviour, it may consider doing so in order to avoid becoming a data haven and isolating itself internationally. The harmonization of substantive criminal law with regard to cyber crimes is essential if international cooperation is to be achieved between law enforcement and the judicial authorities of different States.

14. Two subcategories of cyber crime exist:

(a) Cyber crime in a narrow sense (“computer crime”): any illegal behaviour directed by means of electronic operations that targets the security of computer systems and the data processed by them;

(b) Cyber crime in a broader sense (“computer-related crime”): any illegal behaviour committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession, offering or distributing information by means of a computer system or network.

15. As defined in the previous paragraph, computer crime concerns all illegal behaviour directed against system and data security by means of electronic operations. Computer systems and data security can be described by three principles: the assurance of confidentiality, integrity or availability of data and processing functions. According to the 1985 Organisation for Economic Cooperation and Development list,4 and the more elaborate 1989 Council of Europe Recommendation,5 the confidentiality, integrity or availability offences include:

(a) Unauthorized access, meaning access without right to a computer system or network by infringing security measures;

(b) Damage to computer data or computer programs, meaning the erasure, corruption, deterioration or suppression of computer data or computer programs without right;

(c) Computer sabotage, meaning the input, alteration, erasure or suppression of computer data or computer programs, or interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunication system;

(d) Unauthorized interception, meaning the interception, made without authorization and by technical means, of communications to, from and within a computer system or network;

(e) Computer espionage, meaning the acquisition, disclosure, transfer or use of a commercial secret without authorization or legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an illegal advantage for themselves or a third person.

16. The first crime, unauthorized access, sometimes known as hacking, occurs frequently and often in conjunction with the second, damage to data or computer espionage. A popular modern variant is hacking into a web site and putting offensive or damaging information on it. Effective investigation of hacking offences usually requires cooperation by the victim and some means of catching the perpetrator in the act. Perpetrators are often brilliant young technophiles, who may have little moral understanding of their actions or of the potential to do damage. In addition to hacking offences, some countries have criminalized activities such as trafficking in passwords or hacking devices