Blog


Would you like to share an article on cybercrime? Please contribute!
 

These articles do not necessarily reflect official positions of the Council of Europe

Phishing: Need to create more accurate criminal legislation

In a brief comparative study I have made on the legislation of various Latin American countries in order to make it known in this blog, I have found an almost complete absence of criminal laws that punish as a crime the phishing or capture personal data, especially financial type, using social engineering techniques, in order to obtain economic benefits against the victim’s economic interests.

Phishing, as its name implies, is the action of "fishing" or pick up economic data from people who, due ignorance or gullibility, are lured to provide credit information, bank account numbers, credit cards’ numbers, key access, user names, and in general any financial data that an unscrupulous third person could use to obtain an economic advantage on the victim’s monetary assets.

From a legal point of view, such conduct could be described as a form of traditional fraud (although it is not exactly computer-related forgery or computer-related fraud because they require other precisions) where certain elements that are common to both figures concur. Thus, the basic elements of the traditional fraud are the deception to the victim and the asset transfer, as we can saw in a recent post. If any of both elements are absent, we could not say that there is a crime. There are undeniable similarities with the fraud figure in the recollection of financial data. It was understood that way in the Penal Code of Spain which, in its article 248, paragraph 2, states:

"Article 248:

1.- (…)

2.- Also will be considered as prisoners of fraud:

 

a) Those who, for profit and using any computer manipulation or such artifice, obtain an unconsented transfer of any patrimonial asset, with prejudice of another.

 

b) Those who build, introduce, held or facilitate computer programs specifically intended for the commission of frauds referred in this article."

 

The deception occurs when the offenders present a problematic scenario to the victim in which his actions are required to correct the difficulties. The typical case is an apparently official email sent to the possible victim that indicates, for example, that his bank has closed his bank account, or else, that he should provide some financial data of special importance, such his user name and password access, the credit card numbers, along with the expiration date and the three digits identification numbers on the back. Similarly, the email could include a hyperlink to send the user to an identical page like the bank’s official website, but in this case we would be rather facing a case of pharming or illicit spoofing of Web pages, which also lies within these categories of fraud through the use of electronic means.

Another very common way to achieve this distorted objective is through the use of programs that capture the activity of the user keypad (called keylogger programs) in which it is easy to see the websites visited by the victim, his username and passwords to access the Web or emails programs, whereupon the offender manages confidential information through the record of the keys that the user has pressed. Subsequently, the information thus obtained is sent automatically to another computer or Web site controlled by the offender, who may access the bank accounts of the victim without problem. Phishing can be done even by a simple phone call.

Here are several considerations that contribute to ease the offence perpetration. First, there is much naivety and lack of malice of the victims (those who come to believe indeed that their financial data delivery responds to a normal or official bank transaction). Secondly, for some people to use the Internet to carry out bank transactions can still classified as innovative. A third element is that phishing is clearly a criminal conduct committed with relative ease because even the banks not always bother to put sufficient knowledge or security measures to their customers nor provide education to potential victims.

Given this situation, and despite to face a typical computer crime, the Latin American laws have maintained a passive attitude to punish this criminal offence, perhaps by ignorance of the legislator or lack of actions of practitioners in law or the investigative police, who may think that such conduct is duly punished by the crime of traditional fraud or forgery. But that point of view is not so accurate. From the study carried out in various laws system in South America, I conclude that the creation of specific and more precise criminal types to give a punitive response to a conduct that is fairly common is really necessary.

In this sense, perhaps the oldest example of criminal legislation that tries to penalize this misconduct is in the Dominican Republic, issued by Law No.53-07 Against Crimes and Offences of High Technology, where is typified by high-tech theft, illicit fund-raising, electronic transfer of funds and fraud via electronic ways:

Article 14.-Illicit fund raising. The fact of obtain funds, credits or values through the constraint of the legitimate user of an electronic, telematics or telecommunication financial service, shall be punished with a penalty of 3 to 10 years of imprisonment and a fine of one hundred to five hundred times the minimum wage.

Paragraph.-Electronic funds transfers. The realization of electronic funds transfers through the illegal use of codes of access or any other similar mechanism shall be punished with the penalty of one to five years of imprisonment and a fine of two to two hundred times the minimum wage.

Article 15.- Fraud. The fraud carried out through the use of electronic, computer, telematics or telecommunications means, shall be punished with a sentence of three months to seven years in prison and a fine of ten to five hundred times the minimum wage.

A second example of criminal norm is the Penal Code of the Argentinian Republic, where we could interpret that the phishing is include as a form of traditional fraud:

"Article 173.- Without prejudice of the preceding article’s general provision, shall be considered as special cases of forgery and will suffer the penalty that it establishes:

1.- (...)

2.- (…)

15.- Those who defraud through the use of a purchase, credit or debit card, when it has been falsified, adulterated, taken, stolen, lost or obtained from the legitimate sender by ruse or deception, or the unauthorized use of their data, although the fact had been done through automatic operation.”

In Latin America, I have found that perhaps the more precise criminal norms where phishing is punished are included in the Penal Code of Colombia, by two criminal types that were added by law No.1273 of 2009. This law penalizes the theft by electronic means and the unconsented transfer of assets through technological artifices:

"Article 269I: Theft by computer and similar means. The one who, overcoming measures of informatics security, perform the conduct referred in article 239 manipulating a computer system, a network of electronic or telematics system, or other similar method, or impersonating a user in systems of authentication and authorization, will incur in the penalties indicated in article 240 of this code."

"Article 269J: Unconsented transfer of assets. The one who, with aim of profit and using any computer manipulation or such artifice, get a not consent transfer of any asset with detriment of a third person, while the conduct does not constitute a crime punishable by a more severe penalty, shall incur a prison sentence of forty-eight (48) to one hundred twenty (120) months and fine from 200 to 1,500 monthly minimum wages. The same sanction will be imposed to the one who manufactures, enter, possess or provide computer program aimed to the commission of the offence described in the preceding incise, or for a fraud."

 

Other norm relatively recent that seeks to penalize the unlawful obtaining of financial data (although is not so accurate as it should be because it confuses phishing and pharming) is in article 233 of the Penal Code of Costa Rica, which was modified through law No.9048 of 2012 in the form we can see:

"Article 233- Supplantation of electronic Websites.-

Will be imposed a prison sentence of one to three years to the one who to supplant legitimate sites from the Internet network in detriment of a third person

The penalty shall be three to six years in prison when, as a consequence of the legitimate Website supplantation and through deception or incurring in error, capture confidential information from a person or legal entity for its own or a third person benefit."

 

These are examples of norms that I've found in the Latin American criminal legislation that somehow punishes the phishing as cybercrime. I did not find similar criminal types in the laws of Brazil, Ecuador, Paraguay, Bolivia, Peru, Mexico or Chile.

In the case of Mexico, there is a major initiative of law presented in March 2012, which has not been incorporated yet in the Federal Penal Code. The draft legislation aims to match the crime of fraud and to punish with a penalty of six months to three years of imprisonment and 100 to 400 days fine to the one

"who using the error in which the victim is, provoke to reveal or put at its disposal information or personal, patrimonial or financial data that does not have right of access, using sites or email addresses or other electronic media created by himself or by a third person for such purposes."

 

This situation leads us to conclude that still it takes more legislative efforts to include the new criminal types that current technological reality requires. Suppose that such cybercrime is located within the traditional penal type of forgery or fraud is not enough.

What criminal type is used in your country to punish phishing?

If there is no a criminal type to punish it, is there any legislative initiative to criminalize such conduct?

Want a job in the cybercrime fighting area? Invent it!

Two apparently unrelated op-ed published on the New York Times a few weeks ago provide good food for thought to our community of cybercrime fighters.

The first one, “Cybersecurity: A View From the Front” is by Toomas Hendrik Ilves, President of Estonia, and delivers two messages:

- Cybersecurity should be seen as an enabler of our society, not a cost.

- “A small, poor East European country can be a world leader in e-governance and cybersecurity”.

In other words, anyone who is agile and work to be useful to his community has unprecedented opportunities.

The second article, “Need a job? Invent it” by the columnist Thomas L. Friedmann talks about the skills that young people – and more broadly people of all ages - need to acquire. He rightly stresses that what we most need is not so much knowledge but skills: critical thinking, communication and collaboration, all of this driven by motivation, and aiming at innovation. This statement brings nothing new fundamentally, as the French philosopher Montaigne in the 16th century was already urging parents to choose a tutor “who has rather a well-made than a well-filled head “ (and Montaigne himself had probably found something similar in his library of Greek and Roman philosophers). But it reminds us how similar our modern times are to the European Renaissance, when suddenly people had access to an unprecedented volume of information, and could get drowned into it. Mr Friedmann highlights one country where students leave high-school “innovation ready”, which means that they have the ability to add value to whatever they do. And this country is Finland, another small country, which is just on the other side of the Gulf of Finland, a hundred kilometres North of Estonia.

All of us in this Octopus Community share the same passion for fighting cybercrime. For the rest, we have very little in common, our expertise (mainly law or forensics), our professional career (professors, investigators, magistrates, lawyers, experts), our culture, all these parameters contribute to make difficult for us to work together as we come from different perspectives and pursue different objectives in our career. Oh yes, I forgot something that brings us together: we are a very small community, which works within a relatively small international organization (no offence to Alexander, as we love the Council of Europe and its commitment to fighting cybercrime!) and we are facing the daunting challenge of protecting our countries, our industry, our family from a sophisticated enemy with very little resources.

So, what’s the future for us a community? Be the committed experts that are on the path to lose the war against cybercrime? Or do for cybercrime what Estonia does for cybersecurity? Shall this community be a place where we deliver our expertise, or shall it be a place where we invent our job?

We can do both of course, but I would propose we try to do the latter. Now I expect your next question : “- What do you mean in practice”? In our job, I think we should aim at innovating. This means work differently so we can become more efficient. It may be as simple as sharing more information with different teams on the new trends we have seen, or the latest case we have been working on. In this community, it may be as simple as bringing our questions, very much like Victor Voelzow did a few days ago with his excellent post “Thoughts on the benefits of cross-country cooperation and communica...”.

We have the motivation to fight cybercrime, the Octopus Cybercrime Community provides us with a place to communicate and collaborate, we are a solid group of people with critical thinking.

What we need now is to innovate. Let’s invent together how tomorrow we will fight cybercrime! We are experts, but we should rather define ourselves as innovators.

At the next Octopus conference, on the badge where we have our name, I suggest the Council of Europe should replace the title “Expert” by “Innovator”. Because this is what we are in this Community, right?

Phishing: Necesidad de crear legislación penal más precisa

En un breve estudio comparativo que he efectuado en la legislación de diversos países de América Latina con el objeto de darlo a conocer en este blog, he encontrado una ausencia casi absoluta de normas penales que castiguen el delito de phishing o captura de datos personales, especialmente de tipo financiero, mediante técnicas de ingeniería social, con el objeto obtener beneficios patrimoniales en contra de los intereses económicos de la víctima.

El phishing, como su nombre lo indica, es la acción de “pescar” datos económicos de personas que, por ignorancia o credulidad, son engañadas para brindar información crediticia, números bancarios de cuenta, números de tarjetas bancarias, claves acceso, nombres de usuario, y en general cualquier dato de orden financiero que un tercero inescrupuloso podría utilizar para obtener alguna ventaja económica sobre los bienes monetarios de la víctima.

Desde el punto de vista jurídico, podría calificarse tal conducta como una forma de defraudación tradicional (aunque no es estafa informática pues ésta requiere de otras precisiones) donde concurren ciertos elementos que son comunes a ambas figuras. Así, tenemos que los elementos básicos de la estafa son el engaño a la víctima y el traspaso patrimonial. Si alguno de estos dos elementos está ausente, no podríamos decir que estamos ante un delito, según pudimos ver en un artículo reciente. En la recolección de datos financieros existen similitudes innegables con esa figura. Así se ha entendido en el Código Penal de España el cual, en su artículo 248, párrafo 2, señala:

“Artículo 248:

1. (…)

2.- También se consideran reos de estafa:

a) Los que, con ánimo de lucro y valiéndose de alguna manipulación informática o artificio semejante, consigan una transferencia no consentida de cualquier activo patrimonial, en perjuicio de otro.

b) Los que fabricar, introduzcan, poseyeren o facilitar en programas informáticos específicamente destinados a la comisión de las estafas previstas en este artículo.”

El engaño sobre la víctima se produce en el momento de presentarle un panorama problemático en el cual se requiere de su accionar para ser corregido. El caso típico es el correo electrónico aparentemente oficial donde se le indica a la posible víctima que, por ejemplo, su banco le ha cerrado su cuenta bancaria, o bien, que debe proporcionar algún dato financiero de especial importancia, tal como su nombre de usuario y palabra clave de acceso, los números de la tarjeta de crédito, junto con la fecha de vencimiento y el número identificador de tres dígitos del reverso. Igualmente, puede ser que se inserte un hipervínculo para enviar al usuario a una página similar a la oficial de la entidad bancaria, pero en este caso estaríamos más bien ante un caso de pharming o suplantación ilícita de páginas Web, situación que también se ubica dentro de estas categorías de estafas mediante el uso de medios electrónicos.

Otra forma muy común de lograr este torcido objetivo es mediante la utilización de programas que capturan la actividad del teclado del usuario (llamado programa keylogger) en la cual es sencillo ver los sitios a los que accede la víctima, su nombre del usuario y la palabra clave de acceso al sitio Web o a programas de correo electrónico, con lo cual el delincuente logra obtener información confidencial mediante el registro de las teclas que oprima. Posteriormente, dicha información así obtenida es enviada automáticamente a otro equipo de cómputo o sitio Web controlado por el delincuente, quien podrá acceder sin problema a las cuentas bancarias de la víctima. El phishing puede ser efectuado incluso mediante una simple llamada telefónica.

En este punto caben varias consideraciones que contribuyen a la facilitar la comisión del delito. En primer lugar, existe mucha ingenuidad o falta de malicia de las víctimas (quienes llegan a creer efectivamente que la entrega de sus datos financieros responde a una transacción bancaria normal u oficial). En segundo lugar, aún puede catalogarse como novedoso para algunas personas utilizar la Internet para realizar operaciones bancarias. Un tercer elemento es que se trata de una conducta evidentemente delictuosa que se comete con relativa facilidad pues aún las propias entidades bancarias no siempre se preocupan por poner suficientes medidas de seguridad a disposición de sus clientes ni dar educación adecuada a las víctimas potenciales.

Así las cosas, y a pesar de encontrarnos ante un típico delito informático, las legislaciones de América Latina han mantenido una actitud pasiva para castigar esta infracción penal, quizás por ignorancia del legislador o falta de accionar de los profesionales en Derecho o de la policía de investigación, quienes pueden pensar que tal conducta sí está debidamente castigada mediante el delito de fraude o estafa tradicional. Pero ello no es tan exacto. Del estudio efectuado en diversas legislaciones de Sudamérica, considero que sí es necesaria la creación de tipos penales específicos, más precisos, que den una respuesta punitiva ante una conducta que es bastante común.

En este sentido, quizás el ejemplo más antiguo de legislación penal que trata de penalizar esta conducta se encuentra en la República Dominicana, emitidas por la Ley No.53-07 contra Crímenes y Delitos de Alta Tecnología, donde se tipifican el robo mediante alta tecnología, obtención ilícita de fondos, transferencia electrónica de fondos y estafa mediante vías electrónicas:

Artículo 14.- Obtención Ilícita de Fondos. El hecho de obtener fondos, créditos o valores a través del constreñimiento del usuario legítimo de un servicio financiero informático, electrónico, telemático o de telecomunicaciones, se sancionará con la pena de tres a diez años de prisión y multa de cien a quinientas veces el salario mínimo.

Párrafo.- Transferencias Electrónica de Fondos. La realización de transferencias electrónicas de fondos a través de la utilización ilícita de códigos de acceso o de cualquier otro mecanismo similar, se castigará con la pena de uno a cinco años de prisión y multa de dos a doscientas veces el salario mínimo.

Artículo 15.- Estafa. La estafa realizada a través del empleo de medios electrónicos, informáticos, telemáticos o de telecomunicaciones, se sancionará con la pena de tres meses a siete años de prisión y multa de diez a quinientas veces el salario mínimo.

Un segundo ejemplo de normas penales son las de la Código Penal de la República Argentina, en el cual podríamos interpretar que ubica al phishing dentro de la modalidad de las defraudaciones tradicionales:

“Artículo 173.- Sin perjuicio de la disposición general del artículo precedente, se considerarán casos especiales de defraudación y sufrirán la pena que él establece:

1.- (…)

2.- (…)

15. El que defraudare mediante el uso de una tarjeta de compra, crédito o débito, cuando la misma hubiere sido falsificada, adulterada, hurtada, robada, perdida u obtenida del legítimo emisor mediante ardid o engaño, o mediante el uso no autorizado de sus datos, aunque lo hiciere por medio de una operación automática.”

En América Latina he encontrado que las normas penales quizás más precisas que castigan el phishing se encuentran en el Código Penal de Colombia, en dos tipos penales que fueron adicionados mediante ley No.1273 de 2009. Esta ley penaliza tanto el hurto por medios informáticos como la transferencia no consentida de activos mediante artificios tecnológicos:

“Artículo 269I: Hurto por medios informáticos y semejantes. El que, superando medidas de seguridad informáticas, realice la conducta señalada en el artículo 239 manipulando un sistema informático, una red de sistema electrónico, telemático u otro medio semejante, o suplantando a un usuario ante los sistemas de autenticación y de autorización establecidos, incurrirá en las penas señaladas en el artículo 240 de este Código.”

“Artículo 269J: Transferencia no consentida de activos. El que, con ánimo de lucro y valiéndose de alguna manipulación informática o artificio semejante, consiga la transferencia no consentida de cualquier activo en perjuicio de un tercero, siempre que la conducta no constituya delito sancionado con pena más grave, incurrirá en pena de prisión de cuarenta y ocho (48) a ciento veinte (120) meses y en multa de 200 a 1.500 salarios mínimos legales mensuales vigentes. La misma sanción se le impondrá a quien fabrique, introduzca, posea o facilite programa de computador destinado a la comisión del delito descrito en el inciso anterior, o de una estafa.”

Otra norma relativamente reciente que procura penalizar la obtención ilegítima de datos financieros (aunque es no tan precisa como debería ser, pues confunde el phishing con el pharming) se encuentra en el artículo 233 del Código Penal de Costa Rica, el cual fue modificado mediante la ley No.9048 de 2012 en la forma que se verá:

“Artículo 233.- Suplantación de páginas electrónicas.-

Se impondrá pena de prisión de uno a tres años a quien, en perjuicio de un tercero, suplante sitios legítimos de la red de Internet.

La pena será de tres a seis años de prisión cuando, como consecuencia de la suplantación del sitio legítimo de Internet y mediante engaño o haciendo incurrir en error, capture información confidencial de una persona física o jurídica para beneficio propio o de un tercero.”

Tales son ejemplos de normas que he encontrado en la legislación penal latinoamericana que de alguna manera castigan el phishing como delito informático. No logré encontrar tipos penales similares en las legislaciones de Brasil, Ecuador, Paraguay, Bolivia, Perú, México o Chile.

En el caso de la República Mexicana, existe una importante iniciativa de ley presentada en marzo de 2012, la cual aún no ha sido incorporada aún dentro del Código Penal Federal. Dicho proyecto de ley pretende equiparar al delito de fraude y sancionar con pena de seis meses a tres años de prisión y de 100 a 400 días multa,

“a quien valiéndose del error en que se encuentra la víctima provoque que revele o ponga a su disposición información o datos de carácter personal, patrimonial o financiero a los que no tenga derecho a acceder, utilizando para tales fines sitios o direcciones de correo u otros medios electrónicos creados por él mismo o por un tercero.”

Tal situación nos lleva a concluir que aún hacen falta más esfuerzos legislativos por incluir los nuevos tipos penales que exige la realidad tecnológica actual. Suponer que tal delito informático está ubicado dentro del tipo penal tradicional de estafa o fraude no es suficiente.

¿Cuál tipo penal se utiliza en su país para castigar el phishing?

Si no existe un tipo penal, ¿hay alguna iniciativa legislativa para penalizar esa conducta?

Brazil pushes e-commerce protection

Brazil pushes e-commerce protection

 

 

On March 15th, International Consumers Day, Federal Decree 7962/2013 was published. It provides additions to the Brazilian Consumer Code, Código de Defesa do Consumidor, (CDC) - regarding e-commerce. The decree issues a number of benefits and renovates a proposal to reinforce the responsibilities of parties in online platforms.

The decree has recognisable merits, especially through the application of concepts relevant to the CDC which did need revising for online business, such as the right to information, efficient customer service and the right to return goods the consumer decides after purchase that they simply do not want.

In truth the decree can be summed up in three words, efficiency of communication. This appears to be the decree's central idea, and is essential to be effective in the current scenario of both growing e-commerce activity and increased complaints by consumers to consumer protection bodies regarding that activity. In relation to the evolution of virtual medias, an old subject that had been previously scheduled in other bills Under the new rules, it was established that sites should disclose their details, especially, their corporate name, CNPJ or CPF, physical address and any other necessary contact information.

This simple security measure, is clearly a positive development for good faith companies as it facilitates transparent access between the parties and thus allows customers to more effectively check the suitability of merchants. It also reiterates the responsibility imposed upon entrepreneurs in the online marketplace to follow the same rules of tax and customer service as those in the traditional physical marketplace. This vendor identification will encourage healthy competition in the market which to date has been tainted by some online cowboys who have used the anonymity of the internet to avoid the burden of Brazilian laws.

Also, the decree provides that in cases of collective purchasing the company should provide clearly important details such as the minimum number of buyers, the deadline to join the offer and the full details of the offerer and collective shopping site.

In order to encourage clarity, it was also determined that to complement the above that the principal rights and obligations resulting before closure of a contract should be presented in an easier way to consumers. As for post closure these rights should also be made available so consumers can refer to them after the sale. The supplier should maintain a proper channel of electronic customer service for the consumer. Furthermore, the decree rightly provides that the appropriate means to exercise the right of cancelation is by way of Article 49 of the CDC and that as such this must be made clear to the buyer.

Although the decree does not address the issue directly, the creation of simple channels of communication for consumers, the CDC Consolidated guidance could also be extended to social networks given their huge growth within the Brazilian media. Furthermore the theme of IP log stores as discussed in the debates surrounding the Civil Regulatory Framework should be considered appropriate in relation to consumer protection. It should also be mentioned, that companies seeking an adjustment in the terms of information security under ABNT (27001 and 27002, for example), must remain in accordance with current legislation and therefore should comply meticulously with the provisions of the decree.

As noted, all the information required by the decree to be disclosed by the vendor may have another effect, that being to empower consumers to be able to evaluate effectively the supplier and the products he is offering, the legislation emphasises the principle that consumers should have choices in their consumption decisions. So, Although the law applies to everyone, sometimes the Law itself needs to remember its application in certain environments, especially in pioneering developments, in order to be most effective. This seems to be the case the with decree 7962/2013, it's considerations are well timed and will serve as a foundation for the positive development of online business in Brazil.

 

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

Advances in Cyberspace Legislation and Possible Impacts in Business in Brazil

Advances in Cyberspace Legislation and Possible Impacts in Business in Brazil

 

As we all know, Brazil is a country going through a developing process, with highly promising market and, as is common for countries in such circumstances, Brazil has been facing some difficulties to adapt its legal system to this new reality.

 

In this context, there have been countless initiatives to legislate on cyberspace. The computer science control of remote working, the crime of infantile pornography through the Internet, the computerization of the judicial process and the electronic monitoring of prisoners, among many other subjects have already been drawn up.

 

In fact, the legal world has always been permeated by technological advance, which constantly imposes the legislator the challenge of reformulating the laws conceived up to then, especially in countries that adopt the Civil Law system.

 

In December of the year 2012, Act No. 12.737/2012 that typifies some computer offenses as crime was at last enacted. It is interesting to note the origin of this legislation, which was passed after the personal computer of a famous Brazilian actress was hacked and her photographs in intimate situation had been disclosed on the Internet.

 

The new legislation addresses important issues such as hacking of electronic device, unauthorized remote access, interruption of telematic services, among others.

 

It is undeniable that all these issues should have been inserted in the Brazilian criminal legislation long ago. The harmfulness of the conducts and complete revulsion demonstrated by society with regard to the cases occurred were notorious. Evidently, to complete the three-dimensionality of the Law adopted by the Brazilian system, just the much needed rule was missing.

 

 

Rule enacted, although untimely, we must analyze some of its elements, especially in the aspect of the impact that it can originate to business done in Brazil.

 

 

 

Regarding the invasion of device and derived forms, we find the first point for reflection: the new Act restricted the typicality of conduct in cases where there is undue violation of security mechanisms. Thus, we can understand that all computing devices not equipped with protection tool would be excluded from the scope of such legal application.

 

 

Furthermore, it is worth to point out that, as the terms "security mechanism" and "computing device" (only hardware and software?) have not been defined in the law, and there may be doubts on the complete classification of certain criminal cases.

 

To clarify the concept of "mechanisms", perhaps it is the case of interpretation similar to the Brazilian jurisprudential indicative of "obstacle", used for the configuration of qualified larceny. Following this reasoning, the accessories might be considered like this, not integral parts of the regular functionalities of the asset protected, whose purpose is to prevent access to them. This would be one of several possibilities of interpretation.

 

It is also important to analyze the assumptions of the conduct "to invade. This verb conceptually brings the idea of forcibly entering, hostile entry, barrier violation. Therefore, cases of undue obtaining of data through social engineering techniques and other means (password disclosure of the asset to third parties by the holder himself, for example) in theory would not be covered by the newborn classification. This is because there would be no violation, but only unauthorized access.

 

 

It is inferred, therefore, that all the hypotheses of increased punishment related to the practice to invade, set forth in the paragraphs of article 154-A (obtaining of private communications, data disclosure.) shall be preceded by the violation of security mechanism. Thus, there will be no crime in case of obtaining and undue disclosure of data, when the agent has free access to the electronic device of the victim (for instance, technician of Information Technology company, co-worker).

 

The impact on the conduction of business is evident: those that allocated in Brazilian territory, held electronic devices connected to the Internet or not, must implement security mechanisms to such devices, so that in case of invasion, the classification of the unlawful conduct to the crime set forth by law is possible. It is, ultimately, a strategic decision that companies should adopt in the ambit of Information Technology.

 

Furthermore, companies in the technology field that provide services such as conducting safety tests in their clients’ computer systems whose invasion is a necessary conduct to assess the possible existence of vulnerabilities in security mechanism, also suffer direct impacts in their business. It will be essential that the contracts entered into in order to authorize the violation of the security mechanism for the purpose of testing are written.

 

 

It is also mandatory to mention that, concerning the penalties of disclosure of trade secrets obtained by invasion (§ § 3 and 4 of art.154-A) there is an apparent duplicity of such legal provision since undue disclosure was already considered independent crime by the Industrial Property Protection Act (item XII of article. 195, of Act 9.279/96).

 

Further on the fruitful caput of article. 154-A, it is possible to foresee ample discussion on who would be the "holder of the device" invaded. May the mere holder of the device and the possible user appear as victims of this offense? The text of the law does not specify, but there is the slight impression that the crime refers only to the owner.

 

Here lies another point that gives rise to impact in the business, for the employer may have the seek for the offender’s liability harmed, if he is not the actual owner of the device invaded precisely because the law is not clear as to the victim of the offence ( device owner or user). This issue is further aggravated by the growing corporate policy of BYOD - Bring Your Own Device, which encourages employees to use their own devices for corporate purposes.

 

Finally, it seems that the low penalties applied by the new legislation will not have the potential to achieve the intended purpose, mostly in cases of practice, reportedly, with ideological purposes. By the way, in general, the penalties to which a penalty is prescribed by this Law are little inhibitory, since they allow the application of the facilities provided by small claims courts procedures.

 

Unlikely, it seems that the international trend is exactly the opposite: recently it was reported that the Judicial System of the State of California (USA) sentenced a hacker accused of subtracting celebrity photos by the Web to 10 year imprisonment, besides the payment of damages in the amount of $ 76,000 (seventy six thousand dollars).

 

Of course, it is not advocated here the multiplication of Brazilian prison population only for the punishment of computer crimes. However, it is difficult to understand how the creation of a law, after so many years of discussion, can establish symbolic penalties which do not discourage the offender.

 

Let us compare: in Brazil, for the crime of theft of a wallet with rupture of obstacle (door breaking, etc.), the Law provides from 2 to 8 years of imprisonment For embezzlement the basic penalty is from 1 to 5 years of imprisonment. In both cases, the damage may be only material, with the probability of arresting the offender and even the recovery of the goods stolen. And, most times such goods are fungible.

 

On the other hand, in great part of cybercrimes the material losses are only a small part of the problem. Furthermore this is precisely the great differential of these occurrences: the damage can be on of individuals’ aspects of intimacy and private life, sensitive business information, etc. That is: intangible data and, naturally of incalculable value!

 

For these reasons and in view of frequent news regarding bankrupted companies and jobs lost due to the practice of computer crimes, it seems a shy criminal punishment for such conducts - with such grievous consequences - the payment of basic food, provision of services to community and other benefits directed at minor offenses.

 

Given these considerations, it is concluded that foreigners wishing to do business in Brazil should be aware of meanders of Brazilian legislation, especially regarding the Electronic Law so that in the future, they do not suffer negative consequences due to lack of preparation.

 

Renato Opice Blum, lawyer, economist and professor. Pioneer in studies of Law of Cyberspace in Brazil.

 

Camilla do Vale Jimene, lawyer and professor. Performing in Law of Cyberspace area in Brazil.

Mobile Payment regulated in Brazil

Brazil has released the first ever set of guidelines to regulate mobile payment. zd.net/16PcMql

Peru: Draft of law allow the use of undercover agents in online child pornography cases (English and Spanish)

The draft of Law (see text bellow) n ° 2196/2012 CR establishes the possibility that the prosecutor shall authorize the use of undercover agent in online child pornography cases.

The task may be performed, provided the prosecutor’s authorization, through the minor victim’s email and the social network access, as well as the defendant ´s, in both cases, in order to impersonate them to collect information for the criminal file. This law could be controversial in terms of safeguards because the decision hasn’t previous judicial control.

 

Perú: proyecto de ley permite la utilización de agentes encubiertos en la investigación de distribución de pornografía infantil en internet

El proyecto de ley n° 2196/2012 CR establece la posibilidad de que el fiscal autorice el empleo de la controvertida figura del agente encubierto en casos de pornografía infantil en Internet. Asimismo, le ley implícitamente puede permitir que el agente encubierto actué también como “agente provocador”

Su actuación podrá ser autorizada por el fiscal y permitirá que a través del correo electrónico o acceso a la red social de un menor víctima, y del imputado, en ambos casos con el objeto de suplantarlo para obtener información para la investigación.

La ley puede generar controversia teniendo en cuenta que se permite un grado de intervención estatal profunda con la sola decisión del fiscal sin contar con autorización judicial previa.

 

http://www2.congreso.gob.pe/Sicr/TraDocEstProc/Contdoc01_2011.nsf/d...

Combating High Tech Crimes ; Harmonizing and valuing the the work of Cyber Crime Investigators and Digital Forensic Analysts in Law Enforcement.

The trend of cyber crimes is evolving as fast as it has been in the last two decades but now with more people connected. Besides DOS Attacks, Child Pornography and Phishing, today there are much more activities on Internet that only specialized investigators can recognize such as:-

1. Cyber-based terrorism,
2. Espionage,
3. Sex offenders targeting minors using Identity Theft
4. Computer network intrusions,
5. Online dating to attack vulnerable people
6. Scams driven by ‘’ransom-ware’’ install easily, locks computers, and demands payment
7. Other cyber fraud – e.g using newest tricks to get bank credentials.
8. New types of Internet Scams with intent to commit fraudulent acts.
9. Money laundering activities

Whilst more and more crimes are being committed using latest technology, the need of Cyber crime Investigators and Digital Forensic Experts in Law Enforcement is becoming very important for search and seizure, acquisition of evidence media and for giving evidence in court of law.

Enacting Cyber Laws alone is not sufficient. Law enforcement should create the capacity to handle cyber crimes.

Law enforcement officers are known for the plurality of knowledge and working abilities to attend to different types of tasks that might be expected from them. However with the emergence and development of Information Technology so rapidly in the last two decades, many Law Enforcement organizations that have engaged in capacity building to combat computer crimes and cyber crimes realize that Cyber crime investigators and Digital Forensics Analysts are people that require lot of IT Skills, as well as specialists in the domain of computer forensics to do the work. They are the rare birds in the departments that should be identified successfully before being put on track to develop the right skills to do the job. Very often inmates with long years of service have turn up with a blend of traditional investigative skills and high tech crime investigation knowledge through learning and using innovative technologies.

In little time, we have seen that there are multiple types of devices that are connecting to the internet, and this has resulted in segregation of tasks within the digital forensic department where now these experts are becoming specialist in Network Forensics, Computer Forensics, Mobile Device Forensics (Smart Phones / Mobile phones), and Video Forensics ( for CCTV images/ sounds etc..). They are all focusing on the retrieval of evidence beyond reasonable doubt to build up a case.

Different training / certifications are also available making the candidates a subject matter expert that is recognized. However the Certification exams eligibility demands for a certain minimum qualification in Computer Science. In developing countries it is not easy to have such potentials in the department unless the organization put in place a scheme. As regards certification, where there is no scheme in the department to help those interested in taking computer forensics certification exams which is quite costly, the financial constraints cause a gap in achieving such certification.

Nowadays Police Departments or any other Law enforcement entity can only operate efficiently to attend to cyber crimes and any other type of crimes where computers and other digital devices are used only if they have in place a proper Digital Forensic Lab, and a good team of Cyber Crime Investigators and Digital Forensic analysts.

The Council of Europe and the European Union Global Project on Cyber Crime have published a “Specialized Cyber Crime - Good Practice Study” Document on internet , the purpose of which I believe is to set examples to Countries / Law Enforcement Authorities that have not yet realized the importance of having such a structure, which would otherwise be detrimental to their own law enforcement work and reputation.

Two things that are important to address in this respect are :

1. Provide necessary training to Law enforcement officers for investigating cyber crimes.
2. Provide necessary tools ( Hardware and Specialized Software) , which demand an important investment for the investigators to do the work.

Besides providing these facilities, to retain and motivate such investigators the job should be valued within the organization as it is a new category of skill (a hybrid investigator with high tech skills) where qualifications, knowledge and expertise coupled with investigative skills are require.

Germany tells Google to tidy up auto-complete

http://www.bbc.co.uk/news/technology-22529357

Cell users have no expectation of privacy in geolocations, says US judge

http://rt.com/usa/no-cell-privacy-expectation-399/
Tools on Cybercrime & Electronic Evidence Empowering You!
Useful links Useful links

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects