International Cooperation in Criminal Matters and the Digitalised World

Background Paper for the Meeting of the CNCP and Heads of Central Authorities in the Commonwealth

“The Internet has become the world’s principal medium for people to share ideas and communicate with each other. Like the telegraph, the telephone, and other inventions before it, people today put the Internet to use in a variety of ways – to do good and, at times, to inflict harm. This in effect defines the paradox of the Internet today. Technology is a tool. The Internet is a tool. And the good and bad uses to which this tool can be applied are limited only by people’s imagination. This is true at an individual level. It’s true at an organizational level. And it’s true of governments and nation-states.”
Brad Smith - Microsoft General Counsel

CONTENTS

Introduction
Part 1: Challenges
- Context
- Encryption
- Jurisdiction and Cloud Computing
- The Dark Web
- Future Technology
- Cryptocurrencies
- Summary
Part 2: International Context
- United Nations
- Council of Europe
- African Union
- HIPCAR
- Harare Scheme and Commonwealth Network of Contact Persons
Part 3: Mutual Legal Assistance Best Practice
- Spontaneous Information
- Joint Investigation Teams
- Legislation
- Transmission
- Monitoring
- Emergency Requests
- Urgent Requests
- Direct Requests
- Training
- Resources
Part 4: MLA Treaty Reform
- The Microsoft Fix
Conclusion
Bibliography

Introduction

The aim of this paper is to provide an overview of challenges to Mutual Legal Assistance (MLA) and progressive development of cooperation in criminal matters in the Internet age in the Commonwealth. Virtually all terrorist and organized crime investigations will require digital evidence to be obtained through MLA. Equally, MLA can be important to investigations with only a domestic dimension. For example, the investigation of a computer stolen in a burglary may rely upon securing location data of the device from a Communication Service Provider (CSP) in another jurisdiction. The ever-expanding need for digital evidence means that the already over-burdened MLA process is becoming overwhelmed.

A paper referring to delays in the MLA process is not new. MLA practitioners are well aware of bureaucratic processes for issuing, transmitting and executing Letters of Request (LOR). Also, much has been said in the media about encryption and ‘going dark’. This paper acknowledges that delays are inherent, but often the challenges are used to overshadow the real issues of outdated MLA legislation and MLA Treaties (MLAT), inefficient processes and insufficient knowledge about the processes to secure digital evidence.
Information Communication Technology (ICT) and the internet are tools to enable a more efficient and effective MLA process to obtain digital evidence, through:

- Direct requests to Communication Service Providers (CSPs) to preserve and disclose digital evidence
- Accessing content data in the Cloud
- Central Authorities (CA) using secure messaging, case management and case tracking

This paper will review how to use these opportunities to overcome obstacles to secure digital evidence. Part 1 will identify and discuss common technology challenges. In Part 2 the international MLA response for securing digital evidence will be reviewed, including the Revised Harare Scheme for Commonwealth States. Part 3 will highlight MLA best practice and Part 4 will address reform of MLATs.

Part 1: Challenges

Context

Use of the internet is growing exponentially, with 47 billion websites. Our appetite for social media is insatiable. Facebook alone has 1.86 billion users, which, if it were a State, would make it the most populated on earth. It is estimated that we will spend five years of our life on social media. This increasing use of the internet contributes to cybercrime being a global phenomenon. In 2016, it was estimated that the cost of cybercrime could be as high as $2.1 trillion USD globally by 2019. Upwards of 80 per cent of cybercrime acts are estimated to originate in some form of organized crime through cyber-dependent crimes, with cybercrime black markets established, computer infection, botnet management and harvesting of personal and financial data. The 12 May 2017 WannaCry ransomware attack demonstrated the global impact of cybercrime - estimated to have affected 200,000 computers in 150 States. The internet is also a conduit for cyber-enabled crime.
For example, terrorists use online message boards and chat rooms to share information, coordinate attacks, spread propaganda, raise funds, and recruit. Online sexual exploitation of children continues to rise and the internet has made this easy, inexpensive, low-risk, profitable, and unhindered by geographic boundaries. For example, the Canadian Centre for Child Protection noted a marked increase in the number of reports received by its Cybertip online portal in the past few years. In 2015, the tipline processed 37,352 reports, and of these, 78.30% (34,133) of children in the images and videos were estimated to be younger than 12 years of age, and 63.40% (21,640) of those younger than 12 were under 8 years of age.

Encryption

There are 3.8 billion internet users worldwide, which accounts for almost 47 percent of the global population. We increasingly use ICT and the internet for a range of daily activities, from online ‘open’ banking to the ‘Internet of Things’. Equally, law enforcement and Government agencies use encrypted messaging services to ensure confidentiality of sensitive information. The use of Pretty Good Privacy (PGP) programmes, as well as a range of messaging apps aimed at privacy-minded users, is increasing. PIN-locked devices and end-to-end encrypted messaging apps enable users to have secure conversations. Some CSPs also delete messages upon sending, and others allow users to anonymize their identity. All of this inhibits law enforcement investigators from accessing incriminating digital evidence.

The Apple v U.S. Federal Bureau of Investigation (FBI) litigation to unlock an iPhone, following the San Bernardino terrorist attack in 2015, highlighted arguments for and against encryption. The FBI needed content data to confirm if there was a wider terrorist network. The FBI tried to hack into the iPhone, and after failing, asked Apple to disable certain security features to enable access.
After Apple refused to assist, due to its policy not to undermine its own security features, the FBI successfully applied for a court order mandating Apple to create and provide the requested software to extract the data needed. Subsequently, without the litigation being fully heard, the FBI reported they had secured the necessary data after unlocking the iPhone with the assistance of an unknown company.

It is significant that Apple had discussed with the FBI four methods to access data in the iPhone before the litigation commenced. This included accessing the content data in the Cloud. This was ruled out following a mistake during the investigation. After the terrorist’s phone had been recovered, the FBI asked San Bernardino County, the owner of the phone, to reset the password to the user’s iCloud account in order to acquire data from the iCloud backup. However, this rendered the iPhone unable to back up recent data unless its pass-code was entered. The FBI v Apple litigation demonstrates that, no matter how well encrypted, law enforcement can access data in unencrypted format by lawfully accessing a device or Cloud backups. It has been argued that encryption, and the resulting need to send a Letter of Request (LOR) for Cloud backups, is adding pressure to an already over-burdened MLA process. Further, this raises the issue of where to send an LOR to obtain digital evidence stored in the Cloud.

Jurisdiction and Cloud Computing

In the Microsoft Ireland litigation, the U.S. Court of Appeals of the Second Circuit issued a judgment on 14 July 2016 deciding that U.S. issued search warrants cannot compel the production of content data (such as emails) outside U.S. territorial jurisdiction. This would require an LOR, despite the fact that Microsoft could secure the return of the content data, held in its data centre located in Ireland, with the push of a button in the U.S. As Microsoft successfully argued, there is no U.S.
law which compels them to push this button to return the data from another State. On the issue of jurisdiction, the Second Circuit held that:

- U.S. law is silent as to its territorial reach, so it must be read consistent with the presumption against extraterritoriality, and therefore does not apply to another State; and
- The relevant territorial question for the purposes of determining the warrant’s reach is “where is the data stored?” rather than other possible inquiries, such as “where is the company located when they are served with the warrant?” or “can the company access the data from the U.S.?”

The U.S. Department of Justice is appealing to the Supreme Court to reverse the Second Circuit’s decision, so that production orders under the Electronic Communications Privacy Act (ECPA) can compel U.S. firms to comply, regardless of where they choose to store customer data.

How does a U.S. Supreme Court decision impact other States and in particular those in the Commonwealth? The implications of the decision are potentially wide reaching for MLA for all States. A decision by the Supreme Court in favour of Microsoft will mean that the U.S. will have to send LORs to secure incriminating data stored on CSPs’ foreign servers. It is the alternative that will be of interest to other States. If the court sides in favour of the U.S. Justice Department, it is in essence establishing the precedent that sovereign boundaries do not apply to data, enabling States around the world to seize data from CSPs in the U.S. through service of domestic process.

The Dark Web

An additional challenge for law enforcement is the dark web, which enables users to sell weapons, narcotics and other illegal commodities anonymously. The most well-known example was Silk Road, an online darknet market used to sell illegal drugs. It operated as a Tor hidden service, enabling users to browse it anonymously and securely without potential monitoring by law enforcement.
The creator of Silk Road, Ross Ulbricht, was convicted and sentenced to life in prison in 2015 without the possibility of parole. Despite use of the dark web and anonymization, this is a good example to demonstrate how a suspect was identified through Open Source Intelligence. FBI agents reviewed websites where Silk Road was promoted and one user named “Altoid” stood out for trying to make the site go viral on several websites. On one of these sites, Altoid sought an IT expert on bitcoin, and asked people to contact him via email at rossulbricht@. With this Gmail address the FBI linked Ulbricht to accounts on Google+, where his name, face and YouTube profile were visible. After identifying Ulbricht, a surveillance operation was commenced and he was arrested with his laptop open running Silk Road. This example shows that, despite anonymization, Open Source Intelligence and traditional law enforcement techniques can be used to locate and secure digital evidence against an offender.

Future Technology

In March 2017 police seized data from a suspect’s Amazon Echo. This Artificial Intelligence (AI) device had been installed in the suspect’s home and was believed to have recorded relevant information at the time of death. The proceedings were eventually dismissed, but there are sure to be many criminal investigations that rely upon evidence from AI devices installed in our homes in the future.

There is a growing trend for the use of AI in crime prevention. Like a scene from a dystopian film, the Chinese facial recognition company Cloud Walk Technology is using AI to predict if an individual will commit a crime before it happens. The company plans to use facial recognition and gait analysis technology, through AI, to find and track individuals. The system will detect if there are any suspicious changes in behaviour or unusual movements.
For example, an individual may seem to be walking back and forth in a certain area over and over, indicating they might be a pickpocket or observing the area for a future crime.

In response to the growing use of AI by the private sector and government agencies, the UN has established its Centre for Artificial Intelligence and Robotics to monitor developments. The Centre will enable a network of experts to assess how AI can assist UN projects, but equally to predict any AI threats before they become reality.

The use of AI will only increase as we develop driverless cars and automate other everyday activities ‘hands-free’. There are also real fears of autonomous killer robots and use of AI to hack our personal data or to find vulnerabilities in ICT to commit cybercrimes. As major CSPs and other big businesses develop AI technology, this will mean more data stored in locations around the world. Domestic legal frameworks and MLA need to enable processes to obtain digital evidence from AI. Knowing where data is stored, in what format and if the provider will accept direct requests are all matters that MLA networks and practitioners must consider now in order to mitigate future issues.

AI or digital applications could also be harnessed to advance MLA. For example, could standardised forms be used by CAs – through the use of an automated process – to send requests directly to another CA? Often, in less complicated matters, determining the correct process to the U.S. could be a “tick box exercise”: namely, preserve, seek direct disclosure, and meet required legal standards for a judicial process in the U.S. (e.g. probable cause for content). The automation of this step-by-step process through ICT or AI would save time, and technological research to determine viability should be encouraged.

Cryptocurrencies

Whilst cryptocurrencies are used by criminals, they are legal in all Commonwealth jurisdictions (other than Bangladesh).
Bitcoin, one of the better-known cryptocurrencies, is often believed to allow criminals to make transactions anonymously, thereby fuelling money laundering activity. Law enforcement are able to monitor bitcoin transactions and, because of this, criminals are using increasingly anonymous variations known as “altcoins”. Zcash, Monero and Dash are altcoins that use “zero-proof technology” to remove any identifying information (sender, recipient, and amount of a transaction). Equally, it is only when combining Bitcoin transactions with Tor that transactions are anonymized. Despite these attempts to prevent identification of transactions, at some point a criminal will need to legitimize their altcoins, or bitcoins used with Tor, by converting them into currency. Blockchain technology is used to create cryptocurrencies and law enforcement experts can review liquidity in blockchain ledgers to monitor and identify transactions.

Due to the increased use of cryptocurrencies, the Commonwealth Secretariat held a Virtual Currencies Round table in 2015 and concluded that there was a need for raising awareness of risks, updating legislation to prevent exploitation by criminals, improving law enforcement capability in digital forensics and establishing a digital repository on best practice.

Summary

Whilst ICT and the internet can be used as tools to anonymise criminal activity, a digital footprint can be left for investigators, with the relevant expertise, to gather incriminating evidence. If relevant digital evidence is stored overseas, investigators, prosecutors and Central Authorities must work together to prioritise MLA. This will require knowing where the data is located, preserving it and understanding the appropriate process to secure the data in the quickest way possible.
In Part 3 this paper will consider how ICT and the internet can be tools to develop this knowledge and understanding.

Part 2: International Context

Investigations involving MLA can be time-consuming, complex and costly, and criminals take advantage when the law has not adapted to the online environment. Part 2 will review the response of multilateral and regional networks to enhance efficient access to digital evidence stored in other jurisdictions, in an increasingly over-burdened MLA system.

United Nations

In three very recent resolutions (2322 (2016), 2331 (2016), and 2341 (2017)), the Security Council called upon Member States to collect and preserve evidence so that investigations and prosecutions may hold accountable those responsible for terrorist attacks. Resolution 2322 (2016) specifically noted the significant increase in the requests for cooperation in gathering digital evidence, and stressed the importance of considering the re-evaluation of methods and best practices, as appropriate, in particular, related to investigative techniques and digital evidence.

To respond to this challenge, the United Nations Counter-Terrorism Executive Directorate (CTED), the United Nations Office on Drugs and Crime (UNODC) and International Association of Prosecutors (IAP) launched in February 2018 a global initiative for Strengthening the capacity of Central Authorities, Prosecutors and Investigators in Preserving and Obtaining Digital Evidence in counter-terrorism and organised crime cross-border investigations. The project revolves around a structured set of tailor-made and focused activities to enhance the efficiency of MLA involving digital evidence and to strengthen the capacity of relevant authorities to interact in MLA practice and communication with CSPs.
The overall purpose and goal of the project is to strengthen the capacity of CAs, prosecutors and law enforcement personnel regarding the most up-to-date procedures for requesting digital evidence in counter-terrorism and organised crime cases. Specific objectives are to:

- Make best use of available resources for MLA involving digital evidence by ensuring that:
  - MLA requests are prioritised only where information and evidence cannot be obtained through informal means of cooperation;
  - Clear knowledge on types of tailor-made assistance is in place;
  - Structured guidance on requesting and gathering digital evidence is available;
  - Useful information on contact points and available counterparts, as well as contact points of CSPs, is available to allow for speedier communication
- Foster cooperation and promote communication among CAs, prosecutors and investigators from various jurisdictions, including with CSPs

Council of Europe

In 1996 the European Committee on Crime Problems established a committee of experts that between 1997 and 2000 drafted a Convention on Cybercrime. This became known as the Budapest Convention on Cybercrime and is the first international treaty on crimes committed via the internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. As of January 2018, 56 States have ratified the Budapest Convention, while a further four states have signed but not ratified. The Convention is supported by international organizations, such as Interpol.
However, the Budapest Convention’s impact has been questioned, with only eight states outside the Council of Europe having ratified it and limitations on its application to the changing cybercrime environment, for example interception of voice-over-IP (VoIP) communication, jurisdiction issues with the cloud, the admissibility of digital evidence and procedures to deal with encryption technology.

One of the fundamental aspects of the Budapest Convention is the provision of a 24/7 Network to enable effective investigation and preservation of evidence. Two studies in 2008 and 2009 showed that States that had ratified the Convention were still to establish contact points, despite this being a mandatory requirement.

To support States with the implementation of the Budapest Convention, the European Union and the Council of Europe established GLACY (Global Action on Cybercrime). The specific objective of GLACY is: “to enable criminal justice authorities to engage in international cooperation on cybercrime and electronic evidence on the basis of the Budapest Convention on Cybercrime.” GLACY provides training and advice on drafting legislation, and funds the Octopus Community - a platform for information sharing and cooperation on cybercrime and electronic evidence.

African Union

It was decided during the extra-ordinary conference of the African Union Ministers in charge of Communication and Information Technologies, in Johannesburg in 2009, that the African Union Commission should – jointly with the UN Economic Commission for Africa – develop a legal framework for African countries that addresses electronic transactions, cyber security and data protection.

The African Union (AU) presented the Draft African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa in 2011. In July 2014 the AU adopted the Convention on Cybersecurity and Personal Data Protection (AUC).
By mid-2016, only 12 of the 54 African countries had basic substantive or procedural law provisions on cybercrime and electronic evidence in place. Many others were in the process of drafting legislation with the African Union and Budapest Conventions serving as guidance.

A comparative analysis of the AUC shows that it criminalizes some, but not all, of the conduct foreseen under the Budapest Convention. Most offences under the AUC are missing appropriate mens rea elements, and could criminalize legitimate conduct of law enforcement authorities and other conduct that should be lawful under international best practice. Moreover, the AUC does not provide for the full set of procedural powers for investigating and prosecuting cybercrime and securing electronic evidence in domestic investigations – for example, production orders, which are crucial to obtain data from CSPs, are not included. Further, the AUC does not constitute a legal basis for international cooperation on cybercrime and electronic evidence.

HIPCAR

The Enhancing Competitiveness in the Caribbean through the Harmonization of ICT Policies, Legislation and Regulatory Procedures project has provided model cybercrime legislation for 15 Commonwealth Caribbean countries in the Group of African, Caribbean and Pacific States (ACP). The project has been managed by the International Telecommunication Union (ITU) and a global steering committee with representatives from the European Commission. The model legislative texts were drafted following a legal analysis of national legislation, with international best practice from the UN, OECD and EU and legislation from the UK, Australia, Malta and Brazil as benchmarks.
Whilst the model legislative text has been drafted taking into account the specific needs of small island States, it is a useful guideline for those States with limited or no cybercrime legislation.

Harare Scheme and Commonwealth Network of Contact Persons

Introduction

The Commonwealth States have adopted alternate schemes for international cooperation based on domestic legislation rather than treaties, and these arrangements have been consolidated into the Scheme Relating to Mutual Assistance in Criminal Matters within the Commonwealth (the Harare Scheme). The Harare Scheme is not a legally binding instrument or treaty per se. It is a voluntary arrangement, which Commonwealth States are expected to implement through domestic legislation.

The Harare Scheme was originally adopted by Commonwealth Law Ministers in 1986 and was subsequently revised in 1990, 2002 and 2005. At their meeting held 11-14 July 2011 in Sydney, Australia, Law Ministers adopted amendments to the Scheme, including new provisions as to the preservation, interception and seizure of data (Revised Harare Scheme).

The impact of cybercrime was considered at the Commonwealth Law Ministers Meeting in Botswana from 5–8 May 2014, where Law Ministers adopted the Report of the Commonwealth Group of Experts on Cybercrime and ‘stressed that cybercrime was a global matter and any weak link provided opportunities for criminals. Prevention was of crucial importance, and the effort to combat cybercrime required collaboration with a wide range of national, regional and international organisations and with the private sector and civil society.’ The Ministers also accepted the recommendations of the report, which included the proposal that ‘every Commonwealth jurisdiction should have an up-to-date and comprehensive legal framework to combat cybercrime’.
Senior Officials of Commonwealth Law Ministries, at their meeting held in October 2004, first considered the possibility of creating a Commonwealth Network of Contact Persons (CNCP), including prosecutors and CAs, for effective co-operation in criminal matters across the Commonwealth. At their meeting held 17-20 October 2005 in Accra, Ghana, Commonwealth Law Ministers agreed to the establishment of the CNCP.

Overview

The Revised Harare Scheme provides for MLA:

- To preserve computer data
- Search for data
- Interception of transmission data (i.e. transactional information)
- Interception of Communications
- Search and Seizure

Paragraph 19 of the Revised Harare Scheme, the provision on search and seizure, has removed the reference to computer data, which is now covered by the term “property”. Property is defined in Paragraph 2 (3) as, “assets of every kind, whether corporeal or incorporeal, movable or immovable, tangible or intangible, and includes legal documents or instruments evidencing title to, or interest in, such assets”.

Paragraph 19(2) provides that a search will be in compliance, “…under the law of the requested country…” This creates a difficulty if the Requested State does not have any cybercrime legislation and only provisions for search of a tangible object are applicable.

It is noted that the Revised Harare Scheme: “Reflects the need for the mutual legal assistance regime to effectively respond to current forms and manifestations of transnational crime, including terrorism, and the inextricable linkages to technological innovations. The provisions are largely inspired from the European Union Convention and the Council of Europe Convention on Cyber Crime (sic Budapest Convention).
Nevertheless, the proposed provisions are envisaged to be of a flexible and enabling nature, in keeping with the overall character of the Scheme.”

Taking into account this requirement for flexibility, it is equally important to ensure the integrity and provenance of data to ensure its admissibility. Below are factors related to securing data applying the Revised Harare Scheme:

Data cannot be seized and taken away in the same sense as a paper record. The physical medium on which data is stored (e.g., the computer hard-drive or disk) must be seized and taken away, or a copy of the data made in either tangible form (e.g., computer print-out) or intangible form on a physical medium (e.g. disk). Where such copies of the data are made, a copy of the data remains in the computer system or storage device. Whilst the definition of property does include intangible objects, there is no power in the Revised Harare Scheme to make copies. To ensure copies are made of data, a Requesting State should ensure the domestic legislation in the Requested State provides for this.

Due to the connectivity of computer systems, data may not be stored in the particular computer that is searched, but such data may be readily accessible to that system. It could be stored in an associated device that is connected directly to the computer, or connected to the computer via the internet. This would require permission for an extension of the search to where the data is actually stored (or the retrieval of the data from that site to the computer being searched), or the use of traditional search powers in a more co-ordinated and expeditious manner at both locations. This must be considered on a case-by-case basis, and it would be advisable for the Requesting State to contact the CA of the Requested State to ensure the LOR reflects the relevant law and operational capabilities.
For example, Article 18(1)(a) of the Budapest Convention ensures that law enforcement authorities have the power to order a person in its territory to submit specified computer data stored in a computer system, or data storage medium, that is in that person's possession or control. If a CSP offers a service in a State, provision should be made to allow for the production of subscriber information in a CSP’s possession or control. Paragraph 28 of the Revised Harare Scheme allows a request for subscriber information. Article 18(1)(b) of the Budapest Convention goes further and refers to subscriber information in the CSP’s physical possession and to remotely stored subscriber information under the CSP’s control (for example at a remote data storage facility provided by another company or hosted in another State).

The Revised Harare Scheme does not provide for emergency disclosure requests. In terrorism and other trans-border investigations the need to secure subscriber information, traffic data or content to prevent the immediate loss of life is critical. Only the U.S. and Canada have provision to directly secure disclosure from CSPs. Providing a process for emergency requests, either expedition of LORs or setting parameters for direct requests to CSPs, is vital.

Jurisdiction

In the case of crimes committed by use of computer systems, there will be occasions in which more than one Commonwealth State has jurisdiction over some or all of the participants in the crime. For example, many virus attacks, frauds and copyright violations committed through use of the internet target victims located in multiple States (e.g.
the 2017 WannaCry ransomware attack).

If there is a conflict between jurisdictions, consideration should be given to guidelines on determining the appropriate jurisdiction to try an offence – see the Eurojust Guidelines for Deciding Which Jurisdiction Should Prosecute (revised 2016).

Part 3: MLA Best Practice

The present system of MLA can be complex and bureaucratic, resulting in lengthy delays to secure evidence. This does not sit well with fast-paced cyber and trans-border crime, where the internet has no borders. In addition, jurisdictional issues have been created through Cloud Computing, requiring careful consideration of where formal MLA requests are sent for execution. Establishing procedures for immediate responses to emergency incidents, preservation of data, as well as urgent requests for international cooperation, is vital.

This requires effective MLA networks, such as the CNCP, use of Joint Investigation Teams (JITs) to enable sharing of evidence, spontaneous sharing of information, cyber specific legislation and training of practitioners to overcome challenges. This Part will explore these topics in more detail and refer to best practice.

Spontaneous Information

This important procedure enables a State to assist another by disclosing intelligence to prevent a serious crime.

There are several international instruments that provide for the spontaneous sharing of information:

- Article 18(4)-(5) of the UN Convention Against Transnational Organised Crime (UNTOC)
- Article 46 of the UN Convention Against Corruption (UNCAC)
- Article 26 of the Budapest Convention

Some States may have enabling domestic legislation and others may be prohibited from spontaneously sharing information (e.g. Australia).

Networks for law enforcement agencies, such as CARIN and Egmont, often share such intelligence.
Although law enforcement agencies usually share spontaneous information rather than CAs, there is no reason why the CNCP cannot do this (subject to domestic legislation).

The fast-moving nature of cybercrime and trans-border crime makes spontaneous information sharing an effective way to cooperate with other Commonwealth States. For example, State A may share intelligence in the form of messages from an online chatroom about a paedophile ring in State B. This may lead to the commencement of an investigation in State B and sharing digital evidence on a police-to-police basis to prosecute offenders in both States, without the need for an LOR.

Such investigations require effective coordination, which could be in the form of a JIT.

Joint Investigation Teams

A JIT is an agreement between competent authorities – both judicial (judges, prosecutors, investigative judges) and law enforcement – of two or more States, established for a limited duration and for a specific purpose, to carry out criminal investigations in one or more of the involved States. There are two types of JIT:

- Coordinated investigations: This model consists of parallel and coordinated investigations with a common goal, assisted by a liaison officer network or through personal contacts and supplemented by LORs in order to obtain evidence. The officials involved are not co-located and are able to work jointly on the basis of long-standing cooperative practices and/or existing MLA legislation, depending on the nature of the legal system involved.
- Integrated investigations: This model consists of integrated joint investigation teams with officers from at least two States. Integrated teams are usually co-located. These teams can be further divided and characterized either as passive or active.
  - An integrated/passive team includes a foreign law enforcement officer integrated with officers from the host State in an advisory or consultancy role, or in a supportive role based on the provision of technical assistance to the host State.
  - An integrated/active team would include officers from at least two States with the ability to exercise operational powers under host State control in the territory or jurisdiction where the team is operating. This model is a specially created infrastructure enabling officials from at least two States to work in one jurisdiction with at least some equivalent operational powers.

The legal basis for establishing JITs depends on the domestic context in each State and on the nature of the legal system. It can range from MLA legislation, legislation on international co-operation, including cross-border use of special investigative techniques (surveillance and undercover officers), Criminal Procedure laws, specific legislation on JITs, standard operating procedures or long-standing co-operative practices. International frameworks include:
- Article 13 of the European Convention on Mutual Legal Assistance in Criminal Matters
- Article 19 of UNTOC
- Article 49 of UNCAC

Eurojust coordinate JITs in the EU by facilitating the direct exchange of information and communication between its members and participants through a JIT agreement. Within the framework of a JIT agreement, and on the basis of operational action plans, JIT members can determine common investigation and prosecution strategies and plan joint actions, including coercive measures. JITs allow for the development of a common strategy, on-the-spot coordination and the informal exchange of specialised knowledge on serious cross-border crime cases. They also strengthen mutual trust and interaction between team members from different jurisdictions and work environments. The use of JITs is an effective model for international cooperation and their use is recommended for Commonwealth States.
This is especially the case for trans-border crimes that impact more than one Commonwealth jurisdiction. It is important to note that JITs facilitated by Eurojust can also include a third-party State outside the 28 EU Member States. For example, following the investigation of Malaysia Airlines flight MH17, Eurojust hosted a coordination meeting with 12 States (including Australia, Malaysia, UK, Canada and New Zealand) to establish a JIT.

Legislation

One of the more intractable problems faced by the existing MLA regime is the lack of common elements in different nations’ laws. Domestic legislation needs to enable expedited preservation, production orders for transactional and content data, specific search and seizure provisions for data and interception of transactional and content data.

The lack of definitive location of data in the “Cloud” means that data is in a permanent migration process and parts of data may be located in different States at the same time. This can create difficulty knowing where LORs should be transmitted to.

Another significant challenge underlying investigations and prosecutions is the non-applicability of legislation drafted before the Cloud became relevant. Often, such legislation refers to the traditional concept of territory of a State, which will not assist investigations to secure data in the Cloud. There is a basis under Article 32 of the Budapest Convention for a user to provide voluntary consent to access data stored in another jurisdiction, although, in the absence of consent, this provision has no enforcement mechanism and of course only applies to those who are State parties to the Convention.

A solution is to evolve from the territoriality principle to identify and exercise jurisdiction and/or competence, allowing competent authorities in a Requesting State to issue a court order authorising law enforcement to investigate in the Requested State where access to a device is known.
This will of course require legislative amendment and possibly MLAT reform.

Transmission

MLA needs to adapt to the internet age where speed is of the essence. Sending paper LORs should be a thing of the past. Bureaucratic systems and transmitting LORs through diplomatic channels are archaic and waste valuable time. Whilst this transmission process can take weeks, if not months, the criminals have committed the crime, taken the profits and possibly deleted the data - making an LOR pointless.

States have a responsibility to ensure they have systems in place so LORs can be prepared quickly, transmitted directly to the Requested State and executed without delay. Equally, informal consultation before transmission between CAs (i.e. through the CNCP) will ensure:
- The exchange of preliminary information and intelligence that can support a LOR;
- Review of a LOR by the Requested State to allow for the identification and correction of errors;
- The Requested State is alerted of the LOR in advance of its receipt, so that it can ready appropriate resources; and
- Relationships of trust are built prior to execution.

The Commonwealth Secretariat has launched a blockchain-powered secure messaging service for the CNCP to use for these informal consultations, transmission of LORs and receipt of evidence. Confidentiality is of paramount importance and the use of a secure messaging service is fundamental to protect sensitive information.
The following matters should be considered to enable the secure messaging service to be used effectively:
- Consideration of any relevant domestic law of the Requesting State to confirm the requirements of the integrity of the message and attachments sent - for example:
  - Messages should only be sent using an official government header
  - Messages and attachments should be securely saved to demonstrate a clear audit trail
  - An independent record should be made in a case tracking system of the date any LORs or evidence were received to ensure the chain of custody is established
  - A generic statement by the supplier of the secure messaging service to confirm how the system works
- The messages should not be downloaded and sent to another email address (personal or government) to prevent breaches of sensitive information
- In advance of any evidence being transmitted the Requesting State should confirm if they also require an original copy of the evidence obtained
- In advance of transmission of evidence to the Requesting State, a decision should be made by the Requested State about the redaction of any third-party material in order to prevent any data protection breach of personal information
- Agreements should be in place to confirm jurisdiction for any data protection breach or associated criminal offences
- A policy should be established for 24/7 monitoring of urgent LORs so they are answered expeditiously

International agencies already use secure messaging and they could be used as models for data protection. For example, the operational agreement concluded between EUROPOL and a number of non-EU countries requires:
- Necessity of transmission of personal data;
- Limitations to onward transmission;
- Right of access to data;
- Data quality and assessment of the source and of the information;
- Storage, review, correction and deletion of personal data; and
- Data security.
Consideration should also be given to the Data Protection Directive for Police and Criminal Justice Authorities, which will come into law in EU Member States on 25 May 2018. The Directive aims to provide better cooperation between law enforcement authorities. It will also supply citizens with better protection of their data and will protect everyone – regardless of whether they are a victim, criminal or witness. All law enforcement processing in the EU must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals.

Monitoring

Closely related to the issue of efficiently transmitting and prioritising LORs is the need to monitor requests—both incoming and outgoing. This could be through issuing monthly reports on all outstanding incoming and outgoing requests, circulating progress reports or bringing together both law enforcement and lawyers/case officers at CAs to discuss outstanding LORs and to address any problems that may be occurring in the review, transmission, and execution process.

ICT should be used to create a platform for managing incoming and outgoing LORs. For example, in Singapore a case management system, the Enterprise Legal Management System (ELMS), provides timelines for processing LORs, and monitoring mechanisms to prioritise and manage the inbound and outbound LORs. When a case is flagged as urgent in ELMS, it is marked and displayed at the top of each officer’s ELMS desktop. The reason for urgency and the required timeline are also stated. ELMS generates case reports, status reports, and reminder alerts to allow team leaders from the CA to closely monitor LORs. This generates statistics, such as the turnaround times and the number of LORs relating to particular offences, so trends can be identified and appropriate remedial action taken to reduce delays.

Of course, there are some jurisdictions where lawyers are handling criminal cases as well as MLA requests.
Although such States may receive fewer LORs, case management is still important. This could be through face-to-face meetings with agencies executing incoming LORs and those agencies requesting evidence for outgoing LORs. A simple Excel spreadsheet can also be designed to monitor progress of LORs and ensure there is an audit trail of dates and action taken.

Having a centralised electronic record of incoming and outgoing requests provides a way for individuals from the various agencies with an interest in the LOR to track its status. On the outgoing side, this could include the CA that issued the LOR as well as the investigator or prosecutor who ultimately needs the information or evidence. On the incoming side, this could include the CA that is in primary communication with the Requesting State as well as the individuals or agencies that are undertaking actions to fulfil the LOR. Case tracking can also prevent a loss of momentum or knowledge if personnel changes occur in the course of a case.

Emergency Requests

Ensuring there is a clear line of responsibility for emergency requests to secure data directly from CSPs is important to prevent duplication of effort and delays. Emergency requests will involve those matters where securing data is needed immediately to prevent death or serious physical harm. States should have a SPOC who knows how and whom to contact for a swift response. Usually this will be a law enforcement officer, but in the event that an emergency request is refused by a CSP there may be an urgent need to transmit an urgent LOR. In those circumstances, the CA should also appoint a SPOC who can assist where necessary.

The use of spontaneous information may also be appropriate so a Requested State can gather the required data expeditiously if there is a nexus to their jurisdiction and share it with the Requesting State. For example, following the Charlie Hebdo terrorist attack, the French authorities contacted the FBI in the U.S. and they made an emergency request directly to Microsoft for emails of two accounts. The request arrived electronically before 6am and Microsoft were able to review, extract the relevant data and send it to the FBI in 45 minutes.

Urgent Requests

CAs will need clear procedures for prioritising urgent requests. For example, in Australia, the case officer prioritises incoming requests by evaluating factors such as whether there is a trial date or other critical deadline set for provision of the assistance, the seriousness of the alleged offending, on-going operational matters (e.g. covert action in the Requesting State), and the resources likely to be required to execute the LOR. The “first come first served” mechanism of prioritising incoming MLA requests should be avoided. It should be a responsibility of the Requesting State to contact the Requested State and confirm why a LOR is urgent rather than simply mark URGENT on an LOR without justification. It should always be the case that the Requesting State explains the grounds for urgency in its LOR, so that the nature of the urgency can be assessed and the CA can prioritise accordingly.

Direct Requests

Direct requests to CSPs can be used to secure evidence within a matter of days. Basic subscriber information (BSI) and transactional information can be obtained through a CSP’s online portal or a written request made on law enforcement headed paper to a CSP. Those U.S. CSPs that respond to direct requests do so on the basis of reciprocity. BSI and transactional information require an administrative subpoena that does not require judicial process. This means they will respond if there is an equivalent process in the Requesting State. The CSPs have differing policies, which makes it difficult to know which CSP will provide what. For this reason, training, MLA networks and access to online resources are essential to inform if direct requests are applicable. Direct requests can be useful as a first step to locate an offender.
For example, a phishing email is sent to a victim requesting their banking details to pay a fictitious courier firm to send a cheque for winning a fraudulent lottery scheme. A direct request is sent to the CSP providing the email service, who respond with the basic subscriber information and the IP address where the account was created. This IP address is then entered into an online IP search tool to locate the offender.

In some jurisdictions (such as Australia), a direct request to obtain admissible evidence is not permissible; requests for international cooperation must always go through the CA. In other jurisdictions, direct requests may not be considered a serious option because the information obtained is often inadmissible (e.g. hearsay). In many jurisdictions (such as Malaysia), direct requests must generally be followed by a LOR in order to obtain useable evidence.

Training

Continuous development is fundamental to:
- Understand trends, new ICT and how to address challenges to securing digital evidence
- Ensure staff have confidence using case management systems and secure messaging
- Cascade knowledge of how to prepare LORs to key stakeholder agencies in-country
- Share best practice from other States
- Understand the importance of direct requests (if permissible)
- Know how to make emergency requests

The use of the CNCP and other networks to pool resources for training and the use of e-learning should be advanced to reduce costs. Using existing training resources, such as the International Association of Prosecutors Global Prosecutors E-Crime Network, a global network that improves international cooperation among cybercrime prosecutors, should be encouraged. Equally, training alongside CSPs, especially on emergency requests, could be an effective public-private partnership.

Resources

CAs may be under-resourced, through insufficient lawyers, support staff and access to legal texts and laws.
Incoming LORs for digital evidence can be complex, requiring time to prepare court documents and then a sift of a significant amount of data after execution. This is one reason to consider direct requests to CSPs, JITs and police-to-police exchange of evidence.

The MLA system can become swamped due to Requesting States sending LORs that are not compliant with domestic legislation or where the data is no longer preserved. There is an obligation upon Requesting States to ensure that LORs are only sent in a proper format and where the evidence is preserved. It is for this reason that training is essential. Requested States can monitor through a case tracker system where LORs are being sent from and where there are issues with LORs. Training can then be provided by the Requested State to remedy the errors and in turn reduce the volume of LORs.

The preparation of Guides on relevant procedures and standardised forms of requests online will improve quality. The European Judicial Network has developed the Fiches Belges, a series of country-specific summaries of law and procedure for the 28 Member States, to assist the practitioner with processes to secure evidence through MLA. An online Commonwealth Fiches would be advantageous to ensure States are aware of:

i. How to preserve digital data
ii. If data can be secured with a direct request to any CSP in the State
iii. Legal standards to secure:
   a. BSI
   b. Transactional information
   c. Content
iv. The process to secure iii. a, b and c above
v. Process and legal standard for interception of transactional information
vi. Process and legal standard for interception of content
vii. Any specific requirements for integrity, reliability and continuity of digital evidence

Part 4: MLA Treaty Reform

The Microsoft Fix

The Microsoft Ireland litigation, being heard in the Supreme Court on 27 February 2018, was heralded as the pre-cursor for much needed MLA reform in the U.S.
In very recent developments, however, a “Microsoft Fix” has been proposed with the tabling of the Cloud Act in the U.S. The new Act would render moot the Microsoft argument that a strict reading of the Stored Communications Act (SCA) does not enable extraterritorial reach. The Act adds a section to the SCA that says CSPs must pass on data in their possession, even if it is held outside the U.S.:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

The Cloud Act has the support of a broad range of legislators and also the major CSPs due to built-in safeguards, which include a “Comity Analysis”. This means that a CSP can file a motion in a U.S. Court to quash or modify the legal process if it believes the user isn't a U.S. citizen and that disclosure "creates a material risk" that the CSP would violate the laws of another government. The exact implication of this provision is unclear and only time will tell how often it is utilised by the CSPs.

Significantly, the Cloud Act will provide for Executive Agreements with specific States to share data. An Executive Agreement must also have endorsement from the legislature to ensure compliance with human rights and privacy standards. The UK has already negotiated such an Executive Agreement, for when it is seeking data of a non-U.S. citizen located outside the U.S., in cases where the only connection to the U.S. is that the data happens to be held there. The Cloud Act will allow UK legal process to be served on the CSPs directly for content data or interception. The agreement will be reciprocated for U.S. requests to the UK for non-UK nationals.

A previously proposed law, the International Communications Privacy Act, included a standardised LOR and an online docketing system to allow Requesting States to know the status of a request. Standardisation will create a speedier review with a more concise process. The Cloud Act does not have any such provision and maybe this was a missed opportunity.

The Cloud Act is expected to be promulgated before the end of March 2018 and it is advisable to closely watch its progress to ensure colleagues are informed and knowledge cascaded.

Conclusion

The speed and accessibility of ICT and the internet mean that they are tools for cyber-enabled crime and cyber-dependent crime. Increasingly, encrypted messaging apps, cryptocurrencies and use of the dark web are used by organised criminals and terrorists to further their criminality. The growth of ICT and the internet in our everyday lives means crimes with no obvious connection to another State may require LORs to collect relevant digital evidence stored overseas. All this criminal activity can leave a digital footprint that may produce substantially more incriminating evidence than may have been available before the use of ICT and the internet was so widespread. This requires law enforcement agencies, prosecutors and Central Authorities to coordinate to ensure:
- They know where the digital evidence is stored
- The digital evidence is preserved
- They know if digital evidence can be obtained, despite encryption or other challenges
- The appropriate procedure to obtain it is understood and used

The availability of digital evidence, and the wide range of crimes where it is relevant, has inevitably meant an increase in the number of LORs. Despite this increase, ICT and the internet provide opportunities to enable quicker and more efficient processes to secure digital evidence.
As our use of the internet continues to grow, and ICT advances, practitioners need to be in a position to ensure the legal framework and MLA system can respond to the needs of States to investigate and prosecute crime. It will be a crime itself if the data was available, but through a lack of knowledge, or delays in the MLA system, critical digital evidence is not obtained.

This paper makes the following recommendations to ensure ICT and the internet are used effectively as tools to develop and enhance MLA:

First: Commonwealth States’ Central Authorities need to use ICT to become more efficient and reduce delays through use of case management systems, case trackers, model or standardised forms and secure messaging

Second: Commonwealth States need to ensure their legal framework applies to new technologies and addresses the jurisdictional issue of the Cloud

Third: Use the CNCP to prepare an online Commonwealth Fiches, dedicated to digital evidence, to inform MLA practitioners on legal standards and processes for each Commonwealth State

Fourth: Increasing use of informal assistance, spontaneous sharing of information and joint investigation teams to prevent overload of the MLA process and enable investigations to be proactive rather than reactive