Blog



These articles do not necessarily reflect official positions of the Council of Europe


Internet delete button

Google's Schmidt: The Internet needs a delete button

http://news.cnet.com/8301-1023_3-57583022-93/googles-schmidt-the-in...

Transborder access to data - the Portuguese regulation

1. It is commonly recognised, regarding cybercrime investigations, that one of the most important issues is access to information stored outside the borders of the country conducting the investigation. Most concrete investigations require information physically stored on a computer in another country.

Obtaining that kind of information in each particular case requires, from law enforcement agents, one of two possible procedures: the first, the classical one, is to formally request mutual legal assistance from the authorities of the other State; the second is to ask informally and directly for the data from those who have the power of disposal of that information. The first option is, in most cybercrime investigations, which involve highly volatile evidence, unrealistic and useless, because it takes so long that it becomes inefficient. On the other hand, the second option is not always covered by national laws, regarding both the way of obtaining the information and the validity of the evidence obtained.

2. The provisions of the Budapest Convention already provide some help, in Article 32, allowing “open source” information to be obtained and, above all, allowing access to “non open” information if the person authorised to disclose it gives proper consent. However, it is nowadays felt that this 2001 provision needs to be updated to the “cloud” reality, as it is limited to information stored within one of the Parties to the Convention, and the legal requirement of obtaining consent reduces the practical scope of the rule.

3. Portuguese legal provisions don’t cover all aspects of cross-border access to data, leaving a wide range of questions open to discussion in the jurisprudence. However, some important solutions are already set out in the Portuguese Cybercrime Law (Law 109/2009, of 15 September).

The law recognises the need of law enforcement agencies, the prosecution service and the courts to access data stored somewhere on the Internet, in another country or in a physically unknown place. In addition, the domestic text transposes Article 32 of the Budapest Convention: under Portuguese law, a Portuguese officer is thus allowed to obtain information outside the country if it is openly obtainable, or if the consent of the person legally authorised to disclose the data has been obtained. Conversely, an officer from any other country (whether or not a Party to the Budapest Convention) is permitted to obtain information physically stored in Portugal (Article 25 of Law 109/2009) in equivalent situations (“open source” or with the consent of the authorised person). The law does not clarify some details, which are left to the jurisprudence, such as who the authorised person is and where that person must physically be. In any case, Article 32 of the Budapest Convention is fully covered by Portuguese law.

4. However, Article 32 does not allow any kind of coercive access to data against the will of the owner of those data; in other words, obtaining evidence under Article 32 requires the voluntary cooperation of the person who has the power of disposal over it. Besides, Article 32 only entitles law enforcement from a State to obtain evidence if that State is a Party to the Budapest Convention and the data are also located within the territory of a Party. These are serious limitations; in fact, they are the reasons why the Committee of the Cybercrime Convention (T-CY) is working towards drafting some kind of additional instrument to the Convention, updating this particular detail.

5. On this point, Portuguese law goes beyond Budapest. Portuguese internal rules allow law enforcement to access data stored in virtually any other country in the world, even if the actual location of the data is unknown. Article 15, paragraph 1, of the Cybercrime Law allows the judicial authority (the prosecutor during the investigation, and the judge after that) to authorise a search of a computer if, during the investigation, it becomes necessary for the collection of evidence. Furthermore, paragraph 5 of Article 15 allows the same authority to extend that search to another computer or another computer system, if there are reasons to believe that the sought information is stored in the other computer or computer system and if it is legally accessible from the initially searched computer or computer system. The clear inspiration for this provision is Article 19, paragraph 2, of the Budapest Convention. However, there is a remarkable difference between the Convention and Portuguese law: Article 19 allows the extension of the search only within the borders of the Party; Portuguese law does not include any geographic limit and entitles the competent authorities to extend the search to systems located either within the Portuguese borders or outside them. The provision also covers situations where the location of the computer system or of the data is unknown.

6. In practical terms, the extension under Article 15, paragraph 5, primarily envisages searches of big computer systems (for example, a search of a particular department of a large company, which can then be extended to other computers of the same company in another physical location). But it also covers, for example, access to webmail accounts. In both cases, as mentioned, it applies to access to systems physically located inside or outside the Portuguese borders, provided, of course, that the initial access to the system was legally authorised.

According to this regulation, it is clear that Portuguese law enforcement agents can access data physically stored on a remote system, even if that system is physically abroad. There is no specific rule regarding the validity of the evidence obtained by this particular process but, in the absence of specific regulation, the general rule of Article 125 of the Criminal Procedure Code applies: all evidence is admissible if it is not prohibited by law.

7. A final note regarding safeguards: under the Portuguese system, all the investigative powers belong to the prosecutor, including the power to authorise searches and seizure of computer data. However, if email communications or records of communications of a similar nature are found in such a search, the intervention of the investigative judge is required to validate the seizure (Cybercrime Law, Article 17). The same requirement applies when data are found during the search whose content is likely to disclose personal or intimate information that would jeopardise the privacy of its owner or of a third party (Cybercrime Law, Article 16, paragraph 3). In both cases, the submission of the obtained evidence to the investigative judge is required under penalty of nullity.

The BYOD (Bring Your Own Device) Trend – The use of personal devices in the workplace.


The time has gone when access to cutting-edge technology was limited to individuals working in enterprise environments. Today, information is freely available about the quality, robustness and efficiency of products, which enables ordinary users to receive and track news of what the domestic or international electronics market has to offer.

On the other hand, many companies still operate more traditional forms of supply acquisition, with all the usual bureaucracy and delays. This, combined with volatile budget policies, leads to a tendency for a decrease in the pace of technological modernization in the workplace.

Thus, an increasingly common reality in Brazil is that employees often prefer to use their own devices, which are more modern and versatile, to conduct their activities rather than those offered by their employer. In this context, managers, rather than banning or ignoring this, may choose to cautiously take advantage of the model, known as BYOD - Bring Your Own Device.

As with many other day-to-day facts of life, this partnership between worker and employer can be productive; however, the following precautions should be considered and adhered to.

Firstly, with regard to the risks involved and to the terms of art. 2 of CLT, the company must define which activities may be carried out on the private equipment of their employees. Equally the employee should understand the necessity to use original software, tools and adequate security configurations as failure to do so would leave the company infrastructure vulnerable.

In fact, it is essential that each party understands from the outset their own responsibilities. An issue of some considerable controversy revolves around the issue of interference, by employers, into the equipment of its employees and the monitoring of such equipment.

It is important to note that, at present, there are no firm precedents regarding the legality of monitoring an employee’s own equipment, especially as it may contain their own private content, the manipulation of which could prove highly problematic.

Thus, where a company recognises, for its security, that personal equipment with access to its systems should be verified, it must be recognized that there is no legal provision or consolidated jurisprudential position on the point and that as such it is essential that the employer expressly negotiates, clarifies and formalizes this situation with its employees.

So, an essential step for the protection of all parties involved is to formalize in a specific document the settings and conditions that must be applied if any technological equipment is used.

Moreover, during this process, standards and minimum configurations can be set to grant access to the systems, whilst also demanding periodic verification that the employee is continuing to meet these requirements.

It is also important that rules regarding the employee's working hours be clarified prior to the adoption of the BYOD model. It is a good idea to set timetables and to limit the availability of the worker through their devices, as the use of such private property should not necessarily be considered as overtime or being on duty.

Finally, to summarize, the principles governing this new facet of the employment relationship may be those that, not contrary to the law, create interesting situations for the parties, demonstrating the free and conscious choice of each to assume the risks of the proposal whilst avoiding the potential for future trouble. Anyhow, the equilibrium of work relationships, whatever the case, should always be preserved as we can have little doubt as to which side the law is most likely to favor.

 

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

Live Data Forensics - or - Why volatile data can be crucial for your cases

As I mentioned in my first blog post, Digital Forensics can be the driving force in your cases. While in typical investigations evidence found on digital devices may only have a supportive character, strengthening other traditional evidence, there are also cases where digital evidence may be the only proof of guilt or innocence. That is why it is crucial to seize and analyse electronic evidence according to the standard operation procedures (SOP) of your legislation and/or department. If there are no such SOPs in place, or you want to test your procedures against international standards, you might want to take a look at the Electronic Evidence Guide, published just recently by the Council of Europe. In this guide, which can serve as a template to be adopted and customised by your department, the topic "Live Data Forensics" plays an important part. In the following paragraphs you will see why this sub-branch of Digital Forensics is becoming more and more important and why Volatile Data can be crucial for your cases.

 

What is Live Data Forensics?

Live data forensics is one part of computer forensics, which is a branch of digital forensic science pertaining to legal evidence found in computers. Computer forensics deals with the examination of computer systems in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts that might become evidence in a trial. Live data forensics follows this aim but is focused only on computer systems that are powered on. The main purpose is to acquire volatile data that would otherwise be lost if the computer system is turned off, or overwritten if the computer system stays turned on for a longer period.

 

What are Volatile Data?

Volatile Data are data that are digitally stored in a way that the probability is very high for their contents to get deleted, overwritten or altered in a short amount of time by human or automated interaction.

There are different kinds of volatile data that the investigator needs to know and to distinguish:

  1. Volatile Data on the physical computer, like open network connections, running processes and services, and ARP and DNS caches.

  2. Transient Data that are not volatile in their nature but are only accessible on scene. Encrypted volumes as well as remote resources are examples of this kind of data. The characteristic of these data is that their contents may become inaccessible, altered or deleted after the search if the investigator is not able to acquire them.

 

Why is Live Data Forensics becoming more and more important?

As the amount of Random Access Memory (RAM) in modern computer systems is constantly rising, and 64-bit operating systems use the whole array of this quick storage to cache and serve data more quickly, the possibility of evidence being stored in this area is very high. RAM contents fade very quickly as soon as the investigator cuts the power supply to a machine unless they are treated in a special way (e.g. Cold Boot Attack). In times where more and more data get stored either temporarily in RAM (think of e.g. private browsing modes) or remotely (think of cloud services), or the operating system does not store any data on the hard drive at all (think of Live DVDs), all these data would get lost without Live Data Forensics techniques.

 

Why can Volatile Data be crucial for your cases?

If the suspect in your case stored the evidential documents in cloud storage, used encrypted containers or even full disk encryption, or used techniques to overwrite his traces on the physical hard disk, you can still get information from Volatile Data. Encryption can sometimes be beaten by extracting the encryption key from RAM, cloud storage can be detected and acquired while the machine is still running, and unsaved or even physically overwritten data might still have left traces in RAM.

 

 

All this data will get lost if Live Data Forensics is not performed while the computer system is running. This makes well-defined SOPs, professional training and preparation of specialists imperative.
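One way to capture the first category of volatile data listed above (open network connections, running processes and services, the ARP cache) together with a record that later shows the output was not altered. This is an added example, not code from the original post or from the Electronic Evidence Guide; the Linux commands, the function names and the manifest layout are assumptions of the example.

```python
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Categories taken from the list in the post. The Linux commands are an
# assumption of this example; use the tools your own SOP has validated.
VOLATILE_SOURCES = [
    ("network_connections", ["ss", "-tanup"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("running_processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("services", ["systemctl", "list-units", "--type=service",
                  "--state=running", "--no-pager"]),
]


def run_command(argv, timeout=30):
    """Run one collection command; a missing or hung tool is recorded, not fatal."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        return proc.stdout, f"exit {proc.returncode}"
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return b"", f"error: {type(exc).__name__}"


def seal(entries):
    """Bind all entries together with one digest over their canonical JSON."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"entries": entries,
            "manifest_sha256": hashlib.sha256(canonical).hexdigest()}


def collect(sources=VOLATILE_SOURCES, runner=run_command):
    """Capture each source once, in order, and hash its output immediately."""
    artifacts, entries = {}, []
    for name, argv in sources:
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        output, status = runner(argv)
        artifacts[name] = output
        entries.append({
            "name": name,
            "command": " ".join(argv),
            "collected_at_utc": started,
            "status": status,
            "size": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    return artifacts, seal(entries)


def verify(artifacts, manifest):
    """Return the names of artifacts (or 'manifest') that no longer match."""
    problems = []
    if seal(manifest["entries"])["manifest_sha256"] != manifest["manifest_sha256"]:
        problems.append("manifest")
    for entry in manifest["entries"]:
        data = artifacts.get(entry["name"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(entry["name"])
    return problems


if __name__ == "__main__":
    import pathlib
    import sys

    # Assumed usage: the first argument is a directory on external evidence
    # media, so that nothing is written to the disk of the examined system.
    out = pathlib.Path(sys.argv[1])
    out.mkdir(parents=True, exist_ok=True)
    artifacts, manifest = collect()
    for name, data in artifacts.items():
        (out / f"{name}.txt").write_bytes(data)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
```

Recording `manifest_sha256` in the examiner's notes at the time of collection lets `verify` be re-run on the stored files at any later stage of the case.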

Information security: the protected legal interest in the Budapest Convention

Information is one of the most valuable assets for any country, as well as for any person or social organisation. Precisely for that reason, I think it is particularly important to reflect briefly on the significance of this situation in the modern social context, especially given the way modern technologies affect citizens.

The State is the entity that holds the largest amount of data and information about its citizens, more than any other social organisation. Given this delicate situation, one of the main conditions the State must fulfil is to guarantee the security of the information it obtains from its citizens, as a way of gaining the trust of those it administers in the use of the automated services it makes available to them and in the data that travel over public networks, all as part of the relationship between public bodies and citizens. Naturally, public institutions hold a large amount of personal data, confidential or not, about the country's inhabitants. This is the basis for regarding information as an intangible public asset that is particularly significant because of its importance for the functioning of the State apparatus.

When we use the term “security”, we are in fact referring to policies on computer security. This is a subject of great importance, since information is an asset of great value, if not the greatest. For that reason we have tried to give it special emphasis in this commentary, which includes not only a brief analysis of what should be understood by computer security, but also references to its different perspectives in terms of physical and logical security, as well as the way in which security is protected under criminal law within the Budapest Convention. With these concepts in mind, it may be possible to achieve a greater degree of trust in the activities undertaken by a nation that wishes to carry out a comprehensive information security project.

Concept of information security.-

I define information security as an institutional and comprehensive policy for protecting the logical and physical components of a computer system, which seeks to safeguard the integrity of the equipment, the computer programs, and the data and information produced or obtained by individuals, private companies or public institutions, as well as their confidentiality, without preventing legitimate interested parties from accessing them or having them available, and without impairing the provision of the services offered by the entity or company.

This concept of information security, or cyber-security, is intended to encompass the main elements covered by computer security, namely integrity, confidentiality and availability. Although today people speak more of information security, in any case the security sought must always consist of practices, processes, and the application of computer programs and equipment that, together, secure the organisation's main resources as fully as possible.

The objective of security must be to protect valuable information from any kind of threat, so as to ensure the continuity of the service provided by a public institution, minimise any damage to its continuity and maximise its users' trust in the content of the information they consult.

We believe that computer security must be above all an institutional policy applicable to any public entity that operates automated information systems. It is not a static state but a dynamic and proactive one, since it must always be under constant review, change and improvement. That is why our definition mentions both the components of the system, referring to the physical part (computer equipment and all its components) and to the logical part (programs and magnetic or optical records held on any medium). In this case, we seek to include the necessary conditions of integrity of both the equipment and the information collected, the confidentiality of that information (not only as regards access to it, but also its protection) and the availability of it that there must be at any time.

Physical security and logical security.-

As we have set out in our concept of computer security, and in line with the consensus among experts, computer security represents above all a comprehensive policy for protecting institutional information, and it manifests itself through a set of good practices resting on three fundamental pillars, namely the integrity, confidentiality and availability of information. Indeed, the earlier ISO 17799 standard, in all its versions, as well as the ISO 27000 standard, has been reserved specifically for information security matters, and has replaced the 17799 standards. It is in fact called Information Security Management System and emphasises those three factors and the safeguarding of information as a strategic resource or asset for the entity. These concepts are regarded as “characteristics” of information security. In reality, they are different aspects that complement one another within a single process.

In this field there are two types of security: physical security and logical security, concepts that are widely known and often invoked by users or by all entities that safeguard information, especially after some serious incident affecting their computer assets.

In order to apply both forms of protection within each of the principles we have mentioned, we define logical security as the policy and the carrying out of practical tasks for the effective protection of computer programs, installed systems, data, processes and, in general, the content of the valuable and relevant information held by an entity, especially information regarded as a vital resource within the organisation.

Physical security, for its part, is similar in nature, since it seeks to put into operation internal policies of the organisation directed at all types of users, so as to regulate the possibility of access to computer equipment and physical spaces, the making of periodic backups of information, and other practices that are applied differently to the different types of people, according to the nature of their functions, their relationship with the entity, and the availability to them of the protected and safeguarded information.

Both types of security are, if you like, two sides of the same coin, so much so that some of these protection practices could fall under physical security as much as under logical security. Consider backups of information or access to programs, which could well be regarded as physical or logical protection measures, given that they have much in common and also pursue similar objectives. These objectives will always coincide with the principles of integrity, confidentiality and availability. Hence we affirm that the two types of security are interdependent and are equally necessary and convergent. One cannot be conceived without the other, and it would make no sense to apply only one type to the detriment of the other. Once again, security must always be viewed as a whole.

However, all this is no more than a theoretical exercise, since in the end what matters is that information security measures are carried out, regardless of what they are called or how they are classified. This subject is particularly sensitive in modern organisations because, unfortunately, these physical and logical security policies do not always exist within them, or are implemented insufficiently. One reason may well be that the financial investment in technological equipment can be high, and personnel policies do not always assign specific IT staff to take charge of security tasks; instead, the duties of such staff tend to be very varied, from equipment maintenance to actual programming, as suits the interests of the company or institution.

In spite of everything, creating an institutional security policy should be a goal for any entity, and applying it must be a constant, evolving and permanent process. Moreover, it must always be borne in mind that applying a sound computer security policy, in its physical and logical aspects, as we have seen, need not be at odds with a plan for the efficient service that the information system provides to its users, nor should the continuity of operations be sacrificed.

Protection of information in the Budapest Convention.-

In addition to the technical solutions provided by physical and logical security, especially those found in international technical standards as detailed as ISO 27000, there is another effective way of protecting the body of information, whether national or individual, public or private. We are referring to the use of legal rules, especially the form of prevention that criminal law offers as a deterrent.

This appears to be how it was understood in the European Convention on Cybercrime, which introduces, within the substantive part of the agreement, the protection of computer data (which is information in the proper sense). It is no coincidence that almost all the articles making up the substantive criminal part mention information and the need to protect it, understood as “any representation of facts, information or concepts in a form that allows computer processing” (Article 1, subparagraph b), that is, information created, modified, transmitted or received in digital format and by electronic means, which in turn must be capable of being stored in magnetic or optical containers. Such a concept would, in principle, exclude information recorded in another kind of format, such as paper, celluloid, magnetic tapes or another physical medium capable of representing or demonstrating something. Nevertheless, these other formats can be transformed into electronic documents through a digitisation process, that is, conversion of a physical format into a digital one, whereby the information would equally be protected as computer data.

Likewise, Article 2, second paragraph, provides for illegal access as an aggravated form in which security measures are breached with the intention of obtaining computer data. Once again, it is not simply a matter of unauthorised access to a computer system, but of the intention to obtain information held within that system, whether public or private. Naturally, computer data are more important than the physical part of the equipment.

Perhaps the article that best represents this desire to protect information is the third, which deals with illegal interception. Here we are dealing with conduct consisting of the intentional and unlawful interception of computer data communicated in non-public transmissions to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data.

In addition, as an essential complement, Article 4 of the European agreement provides for data interference, that is, intentional and unauthorised conduct that damages, deletes or alters computer data, which shows once again how important it is to protect information held on a computer medium.

As can be concluded, data and information, in their different manifestations, make up the protected legal interest safeguarded in the substantive part of the Convention on Cybercrime, a perspective that criminal codes should take into account when drafting the corresponding offences. It is not only a matter of punishing unauthorised access or the destruction of computer data, but of being clear that, ultimately, information is the legal interest that must be protected.

Is public or private information in your country protected by means of ISO standards or a similar technical standard?

Does your country's legal system give sufficient protection to data and information as a form of personal and national heritage?

Information security: the protected legal value in the Budapest Convention

Information is one of the most valuable assets for any country, as well as for any person or social organization. Precisely for this reason, I think it is particularly important to reflect briefly on the importance of this situation in the modern social context, especially because of the way modern technologies impact people.

The State is the entity that possesses the largest amount of data and information about its citizens, more than any other social organization. Given this delicate situation, one of the main conditions that a modern State must comply with is to ensure the security of the information obtained from its inhabitants. This is a way to earn the trust of the people while they make use of the automated services and data that the State puts at their disposal, all as part of the relationship between public entities and citizens. Logically, within public institutions there is a lot of personal data, confidential or not, about the inhabitants of the country. This is the basis for considering information as a particularly significant, intangible public heritage because of the importance it has for the functioning of the State system.

When I talk about "security", I am in fact referring to policies on information security. This is an issue of great importance, since information is an asset of great value, if not the greatest. So within this comment I have tried to place special emphasis on a scenario that includes not only a brief analysis of what should be understood as computer security, but also references to its different perspectives in terms of physical and logical security, as well as the way security is protected within the Budapest Convention. With these concepts in mind, it may be possible to achieve a higher degree of trust in the activities that a nation develops to carry out a comprehensive information security project.

Concept of information security.

I define information security as an institutional and comprehensive policy for the protection of the physical and logical components of a computer system that seeks to safeguard the integrity of the hardware, software, data and information produced or obtained from people, private companies or public institutions, as well as its confidentiality, while allowing access or availability for their legitimate stakeholders and without denying or restricting the provision of services that the State, entity or company provides.

This concept of information security (or cyber-security) is intended to be wide-ranging, covering the main elements of computer system security: integrity, confidentiality and availability. Even though nowadays people refer more to the security of information, in any case security should always consist of practices, processes and the application of computer systems, programs and equipment to achieve, all together, the maximum security of the main resources of the organization.

The goal of security must be protecting valuable information of any type from threats to ensure the continuity of the service provided by a public or private institution, to minimize any damage to its continuity and to maximize the users’ trust in the content of the information.

I believe that information security should be first and foremost an institutional policy applicable to any public or private entity that has automated information systems in operation. This is not a static state, but a dynamic and proactive policy, because it must always be under constant review, change and improvement. For this reason, my definition mentions both system components, referring to the physical part (computer equipment and all of its components) and the logical part (programs and magnetic or optical records stored in any container). In this case, I try to include the necessary conditions of integrity of the collected information, the confidentiality of such information (not only in terms of access, but also its protection) and the availability it should have at any time.

Physical security and logical security

As I have explained in my concept of security, and in accordance with the consensus among experts, computer security represents first and foremost a comprehensive policy for the protection of institutional information, and manifests itself through a set of good practices that has three pillars: integrity, confidentiality and availability of information. Precisely, the previous ISO 17799 standard, in all its versions, as well as the ISO 27000 standard, has been reserved specifically for information security issues, and the latter has replaced the old 17799 technical norms. It is called precisely Information Security Management System and places emphasis on these three factors and on the assurance of information as a resource or strategic asset for the entity. These concepts are regarded as “characteristics” of information security. In reality, they are different aspects that complement each other within the same process.

In this regard, there are two types of security: physical security and logical security, concepts that are widely known and often invoked by users or by entities that protect information, especially after a serious mishap against their computer assets.

In order to implement both forms of protection within each of the principles I have mentioned (integrity, confidentiality and availability of information), I prefer to define logical security as a policy and the implementation of practical tasks for the effective protection of computer programs, installed systems, data, processes and, in general, the content of valuable and relevant information which an entity may have in its power, especially if it is taken as a vital resource within the organization.

On the other hand, physical security has a similar nature, because it seeks to establish an internal policy inside the organization for each kind of user, as a way to regulate the possibility of access to computer equipment and physical spaces, the implementation of periodic information backups and other practices that apply in a discriminatory manner to the different types of people according to the nature of their functions, their bond with the entity and the availability to them of protected and safeguarded information.

Both security types could be seen as faces of the same coin, so much so that the execution of some of these protection practices may fall within both physical security and logical security. For example, in the case of information backups or access to computer systems, I think they could be considered physical as well as logical protection actions, taking into account that they share many similarities and also have similar objectives. These goals will always be consistent with the principles of integrity, confidentiality and availability. That is why I affirm that there is interdependence between both types of security and that they are equally necessary and convergent. One is not conceived without the other, and it would be senseless to apply only one to the detriment of the other. Once again, security must always be seen as an integral policy.

However, all this is mostly a theoretical exercise, because in the end what matters is that information security actions can be carried out, regardless of their name or classification. This issue is particularly sensitive in modern organizations because, unfortunately, these physical and logical security policies do not always exist within them or are run inadequately. One reason may be that the economic investment in technological equipment can be high, and human resources department guidelines do not always assign computing personnel exclusively to security work; rather, the functions of these professionals tend to be very diverse, from maintenance of equipment to programming or computer support, according to the interests of the company or institution.

Nevertheless, the creation of an institutional policy on security should be a goal for any entity, and its implementation must be a constant, evolutionary and permanent process. Notwithstanding the foregoing, it must always be taken into consideration that the implementation of a solid information security policy, including physical and logical aspects as we saw, does not have to collide with a plan for the efficient service that the information system provides its users, nor sacrifice the continuity of functional operation.

The protection of information in the Convention of Budapest.

In addition to the use of technical solutions that provide physical and logical security, especially those found in well-detailed international technical standards such as ISO 27000, there is another effective way to protect the amount of information, whether individual or national, public or private. I am referring to the use of legal norms, especially the prevention provided by the criminal law as an alternative to dissuasion.

So it seems to have been understood in the Council of Europe's Convention on Cybercrime, which introduces, within the substantive part of the Agreement, the protection of “computer data” (which is itself information). It is not a coincidence that almost all the articles that constitute the substantive criminal part refer to information and the need to protect it, understood as "any representation of facts, information or concepts in a form suitable for processing in a computer system" (article 1, subparagraph (b)), that is, information created, modified, transmitted or received in digital form and by electronic means, and capable of being stored in magnetic or optical containers. In principle, such a concept would exclude information held in another type of format such as paper, film, magnetic tapes or another physical medium able to represent or show something. However, these formats are susceptible to being converted into electronic documents through scanning or a similar process. This means a conversion from physical format to digital structure, which would be equally protected as computer data.

Similarly, Article 2, second paragraph, foresees illicit access as an aggravated form of felony where security measures have been broken or circumvented with the intention of obtaining computer data. Once again, it is not simply unauthorized access to a computer system, but the intention to obtain information contained in that system, no matter if it is public or private. Logically, the computer data (information) are more important than the physical part of the equipment.

Perhaps the article that best represents this desire to protect information is Article 3 of the Budapest Convention, on illegal interception. In this case, the conduct consists of the intentional and unlawful interception of computer data communicated in non-public transmissions from a computer system to a computer system or inside the same system, including electromagnetic emissions from a computer system carrying such computer data.

In addition, as an essential complement, Article 4 of the European Convention foresees data interference, which is an unauthorized and fraudulent conduct that damages, erases or alters computer data. It shows once more how important the protection of information contained in digital format inside computer systems is.

In conclusion, data and information, in their different perspectives, constitute the protected legal value in the substantive part of the Convention on Cybercrime, which is an approach that should be taken into account by the penal legislator when preparing the corresponding criminal offences. This means not only punishing unauthorized access or destruction of computer data, but keeping in mind that, in the end, it is the information that is the legal value that must be protected.

Does your country protect the information, public or private, through ISO standards or any other similar technical norm?

Does your country’s legal system guarantee enough protection to data and information as a form of personal and national heritage?

How to deter Unsolicited Commercial Electronic Messages (UCEM) or such form of spamming which is persistently growing in number on the net today?

Commercial electronic mail needs to be regulated; if not, such unsolicited mails are more than harassment to users: they cause much waste of time, consumption of storage space and a great deal of hassle to users, and may result in attacks such as phishing.

Commercial electronic messages are meant here in the sense of “commercial activity”: any particular transaction, act or conduct, or any regular course of conduct, that is of a commercial character, whether or not the person who carries it out does so for profit.

The most important means of controlling or regulating UCEM is to have legislation that will deter it, where:

(i) It will require commercial electronic messages to include accurate information about the person who authorised the sending of the message and a functional unsubscribe facility in order to enable the recipient to instruct the sender that no further messages are to be sent to the recipient.

(ii) It will prohibit the alteration of transmission data and the installation of computer programs which can cause an electronic message to be sent from a person’s computer without the owner’s express consent.

(iii) It will prohibit address-harvesting software or a harvested-address list from being used in connection with sending unsolicited commercial electronic messages. This will bring in the data protection provisions with regard to databases of e-mail addresses of persons or legal entities.

Consent of the person receiving the mails would be the most debatable aspect of this piece of legislation, as “consented to receiving” may be express or implied consent:

(i) Express consent - that needs to be set out clearly and simply by the party seeking it, whether given by the relevant electronic address-holder or by any other person who uses the relevant electronic address;

(ii) Implied consent - that can reasonably be inferred from the conduct and the business and other relationships of the persons concerned, or where consent has been given in an implied manner, such as by publishing an electronic address in a business or official capacity relevant to the business or official capacity, and the publication of the address is not accompanied by a disclaimer to the effect that the relevant electronic address-holder does not want to receive unsolicited electronic messages at that address.

The definitions of electronic mail and electronic message will be just as important in determining whether there are infringements of the provisions of UCEM legislation.

For “Electronic Mail” - any text, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;

For “Electronic Message” - a message sent using a telecommunications service and sent to an electronic address, and includes -

(a) a message which is sent to an electronic address, whether or not the electronic address exists or the message reaches its intended recipient;

(b) an electronic mail;

(c) a message sent using a short message service;

The law enforcement authority, its powers, penalties and jurisdiction issues for infringements would also form part of such legislation, and this part can surely be inspired by the Budapest Convention on Cybercrime.

The objective of deterring UCEM through legislation would be to:

(a) promote a safer and more secure environment for the use of information and communication technologies;

(b) avoid the hassle of unsolicited e-mails to users, and the risk of attacks like phishing;

(c) reduce the costs to businesses and the wider community that arise from unsolicited commercial electronic messages.

Countries that have not yet enacted legislation on Computer Misuse and Cyber Crimes can even consider including UCEM within their Computer Misuse and Cyber Crimes Act in one go.

I request comments from those who already have such provisions in the laws of their countries.

Grooming: a cybercrime with many conducts and little legislation

As part of the concerns that occupy those of us who participate in this new forum on Cybercrime, we have found that there is a conduct which, despite being more common than we might suppose, surprisingly has not yet received the importance that it deserves within the criminal legislation of different countries, especially in Latin America.

We are talking about "grooming", conduct involving the harassment or seduction of a minor by an adult to obtain some kind of sexual gratification, or as an act preparatory to a personal encounter with the victim.

The UNICEF Innocenti Research Centre published in December 2011 a report called "Child Online Safety: Challenges and Global Strategies", where it provides a definition of grooming. The report also designates the purpose of the active subject (the groomer), which is the search for sexual exploitation and a means to get pornographic material that is then shared in networks of paedophiles using common technologies and services:

“Online grooming is the process by which an individual befriends a young person for online sexual contact, sometimes with the involvement of webcams that can allow ‘sharing’ of the exploitation among networks of child sex abusers, and sometimes extending to a physical meeting to commit sexual abuse.” (page 2)

Indeed, the phenomenon of grooming, as a cybercrime against minors, covers certain behaviors that are well defined. On the one hand, the adult or groomer usually uses a fake profile in a social network, chat room or website where he can appear to be a minor, as a way of trying to break down any barrier of mistrust that the harassed child could present. In principle, that fake profile (impersonation or phishing) is not a crime, but a preparatory act (in accordance with the penal process of the iter criminis) to commit a possible crime. (However, impersonation is a crime in some countries, for example, Costa Rica, in accordance with article 230 of the Penal Code of 1970. In addition, the penalty increases to eight years when the victim is a minor, as happened recently.)

Nowadays, Article 230, reformed last April 26, 2013 through Law No. 9135 of April 24, 2013, says:

"Article 230.- Impersonation.

Whoever impersonates the identity of a natural person, a legal person or a trademark in any social network, website, electronic or technological means of information will be punished with imprisonment of one to three years.” (Free translation)

Once the adult has created the fake profile in which he pretends to be a minor, he continues the process of seduction or harassment. This is the approach to the potential victim, especially with social engineering techniques such as encouraging the disclosure of information about the child, whether about their personal interests, hobbies, books, music, education or other themes. Equally, the adult could use other means to get information indirectly, through social networks where the minor participates, friends of the child who have online contact with him, his education center, neighborhood, etc. Even here we could not say that we are facing a crime; those behaviors will also be part of the preparatory acts for the possible commission of a future crime. It must be taken into account that a groomer has an average of 200 children on his list of potential victims of harassment, according to the UNICEF report.

A third detectable behavior is the approach to the child using some tactic of blackmail or seduction, such as casual conversation by remote means (chats, IRC programs, social networks, etc.), manipulation of themes, exchange of files, games, text and movies, up to the sending of erotic dialogues or pornographic images. This situation can then degenerate into psychological domination of the child to achieve the manipulative adult’s desires, which may lead to the performance of acts of a sexual nature, such as the child showing their naked body in front of the web camera, to obtaining photos or films of the minor and eventually to seeking a personal encounter with the child, which may end in sexual abuse or rape.

Now, note that we are not strictly facing a scenario of production or dissemination of pornography, corruption of minors or rape, but a process related to those other crimes. Grooming is not a novel behavior (there are frequently visible cases and a dark figure), and it is mostly not criminalized in the Penal Codes. Such conduct, as we have seen, is the seduction and sexual manipulation of a minor through computer systems, mainly for the purpose of producing pornography or of sexual abuse. The existence of a legal figure of this nature is justified by several reasons and circumstances, among others, the sexual indemnity of children, generalized access to telematic media, the ease of access to public places on the Internet that minors do not see as dangerous, the lack of security and warnings to protect potential victims, as well as the proliferation of adults seeking sexual satisfaction on Internet or Web services that allow them to maintain their anonymity, and intentional behaviors that are directed against a particularly vulnerable age group.

It should be noted that the Council of Europe’s Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (Convention of Lanzarote, October 25th, 2007) has taken this serious situation into account and for that reason urges the Parties to this Agreement to take the corresponding legislative measures:

Article 23 – Solicitation of children for sexual purposes

Each Party shall take the necessary legislative or other measures to criminalise the intentional proposal, through information and communication technologies, of an adult to meet a child who has not reached the age set in application of Article 18, paragraph 2, for the purpose of committing any of the offences established in accordance with Article 18, paragraph 1.a, or Article 20, paragraph 1.a, against him or her, where this proposal has been followed by material acts leading to such a meeting.

In spite of this risky scenario for minors, we have found that the countries which penalize grooming are very few, which is an obstacle to discouraging this conduct among paedophiles. The institutional tendency in the countries seems rather to be to prevent its commission and to alert parents, teachers and other persons in charge, so that they and the minors are the ones who learn to identify risk situations. The previously mentioned UNICEF report on the safety of children online echoes this concern about the lack of legislation that punishes such conduct, and the lack of registries or databases with details of the offenders:

“In many countries, this activity is not yet a criminal offence and therefore no records are kept relating to such behaviour. Even among countries where grooming has been criminalized, there are no coordinated databases that provide details of the offenders. This represents not only a huge gap in knowledge, but also in child protection.” (Page 2)

We can find a good example of legislation on this matter in Article 183 bis of Spain’s Penal Code. Its content, following the reform made in June 2010, responds without a doubt to what is ordered in Article 23 of the Convention of Lanzarote. Besides, it refers to the possible commission of other felonies such as sexual abuse, sexual aggression, exhibition, manufacture or distribution of pornography or possession of child pornography, among other behaviors:

“Whoever, through the Internet, the telephone or any other information and communication technology, contacts a minor under thirteen years of age and proposes to arrange an encounter with him in order to commit any of the crimes described in arts. 178 to 183 and 189, whenever such proposal is accompanied by material acts directed at the approach, will be punished with a penalty of one to three years of prison or a fine of twelve to twenty-four months, without prejudice to the penalties corresponding to the crimes committed, as the case may be. The penalties will be imposed in their upper half when the approach is obtained by means of coercion, intimidation or deceit.” (Free translation)

In Latin America we have found only two countries that incorporate grooming as a part of their penal legislation: Dominican Republic and Costa Rica.

The Dominican Republic includes sexual attack in Law No. 53-07 against Crimes and Offenses of High Technology:

Article 23. - Sexual Attack. The act of committing a sexual attack against a boy, girl, adolescent, incapacitated or mentally alienated person, by means of the use of an information system or any of its components, will be sanctioned with the penalty of three to ten years of prison and fines from two hundred five times the minimum salary. (Free translation)

In Costa Rica there is a recent reform of Article 167 of the Penal Code, by Law 9048 of July 10th, 2012. It is a reform of the criminal offence of corruption of minors, which introduces a punishment for an adult who, by means of social networks or any computer system or telematic means, seeks an encounter of a sexual character with minors or incapable people.

“Article 167. - Corruption

Whoever maintains or promotes the corruption of a minor or incapable person, with erotic, pornographic or obscene intentions, in exhibitions or public or private spectacles, will be sanctioned with prison of three to eight years, even if the minor or incapable person consents to it.

The penalty will be prison of four to ten years if the actor, using social networks or any other computer system or telematic means, or other mass media, seeks an encounter of a sexual character for himself, a third person or groups, with a minor or incapable person; or if the offender uses these people to promote corruption or forces them to perform perverse, premature or excessive sexual acts, even if the victim consents to participate in them or to watch them being performed.” (Free translation)

Similarly, Law No. 9135 of April 24, 2013 was approved last April 26, which clarifies grooming behavior even further:

"Article 167 bis.- Seduction or encounters with minors by electronic means.

Whoever, by any means, establishes communications of sexual or erotic content, whether or not including images, videos, text or audio, with a person under fifteen years of age or an incapable person, will be punished with prison from one to three years.

The same penalty will be imposed on whoever, impersonating the identity of a third person or through the use of a false identity, by any means, tries to establish communications of sexual or erotic content, whether or not including images, video, text or audio, with a minor or incapable person.

In the behaviors described in the two preceding paragraphs, when the actor tries to arrange a personal encounter in a physical place with a minor or incapable person, the penalty will be two to four years of prison.” (Free translation)

This is the very little legislation that exists in Latin America. Other countries such as Chile still have the penalization of grooming as a draft law, whereas in the Argentine Republic the Senate of the Nation approved on November 2nd, 2011, a draft law to include an Article 128 bis in the Argentine Penal Code, which penalizes this form of harassment.

“Whoever contacts a minor by means of the Internet, the telephone or any other data transmission technology, in order to commit any crime against sexual integrity, will be punished with prison of six months to four years.” (Free translation)

However, in the Argentine Republic’s case, this initiative must still be ratified by the Chamber of Deputies, the legislative body that has until next October 2013 for the law’s definitive approval.

In conclusion, there are not yet sufficient legislative initiatives to penalize a cybercrime that tends more and more to grow and to become more common.

Does your country consider grooming as a crime?

Is there at least a draft law to punish this cybercrime?

Comment by Jose Francisco Salas-Ruiz on April 23, 2013 at 12:51am

As always, there is a Spanish version of this post.

Comment by Jose Francisco Salas-Ruiz on April 30, 2013 at 2:19am

I just added Costa Rica's new reform on grooming, approved last April 26, 2013.

New specialized cybercrime prosecution office of the City of Buenos Aires

The Public Prosecutor's Office of the City of Buenos Aires has established a special prosecution office for the investigation of computer crimes. The new prosecutorial investigation unit was presented as a pilot project. The office will be in charge of investigating computer crimes and misdemeanours in the City of Buenos Aires, exclusively pursuing crimes whose object is computer systems or programs (cases of computer damage) and crimes relating to child pornography (distribution and production of child pornography, and supply of pornography to minors under 18 years of age).

I believe the project may be an interesting model for the countries of the Latin American region.

See the text of the resolution below.

The General Prosecutor of Buenos Aires City has established, as a pilot program, “A Prosecution Team” that will be specialized in computer crimes in the city of Buenos Aires. It will pursue crimes against computer systems or software (computer damage) and crimes related to child pornography (distribution and production of child pornography).

See below text

http://boletinoficial.buenosaires.gob.ar/areas/leg_tecnica/boletinO...

“Grooming”: a cybercrime with many conducts and little legislation

As part of the concerns that occupy those of us who participate in this new forum on cybercrime, we have found that there is a conduct which, despite being more common than we might suppose, surprisingly has not yet received the importance it deserves within the criminal legislation of the different countries, especially in Latin America.

We are referring to “grooming”, conduct that consists of the harassment or seduction of a minor by an adult to obtain some kind of sexual gratification, or as a preparatory act for a personal encounter with the victim.

The UNICEF Innocenti Research Centre published in December 2011 a report called “Child Online Safety: Challenges and Global Strategies”, where it provides a definition of grooming. The report also points out the purpose of the active subject, which is the search for sexual exploitation and a means to obtain pornographic material that is then shared in networks of paedophiles using common technologies:

“Online grooming is the process by which an individual befriends a young person for online sexual contact, sometimes with the involvement of webcams that can allow ‘sharing’ of the exploitation among networks of child sex abusers, and sometimes extending to a physical meeting to commit sexual abuse.” (page 2)

Indeed, the phenomenon of grooming, as a cybercrime against minors, covers certain behaviors that are well delimited. On the one hand, the adult or groomer usually uses a fake profile on a social network or website where he can present himself as a minor, so as to try to break down any barrier of mistrust that the harassed minor could present. Given that this is an impersonation of identity, it is not, in principle, a crime, but a preparatory act (in accordance with the process of the iter criminis) for the commission of a possible crime. However, impersonation is a crime in Costa Rica, in accordance with article 230 of the Penal Code of 1970. In addition, the penalty increased to up to eight years when a minor is involved, as happened recently.

Article 230, reformed last April 26, 2013 through Law No. 9135 of April 24, 2013, states:

“Article 230.- Impersonation.

Whoever impersonates the identity of a natural person, a legal person or a trademark in any social network, website, electronic or technological means of information will be punished with imprisonment of one to three years."

Once the adult has created a fake profile in which he passes himself off as a minor, the process of seduction or harassment continues. This consists of the approach to the potential victim, especially with social engineering techniques such as encouraging the disclosure of information about the minor, whether about their personal interests, hobbies, books, music, education and so on. Equally, the adult could use other means to obtain information indirectly, through social networks in which the minor participates, friends of the minor who have online contact with him, place of study, neighborhood, etc. Even here we could not say that we are facing a crime; these will also be part of the preparatory acts for the possible commission of a future crime. It must be taken into account that a groomer has an average of 200 children on his list of potential victims of harassment.

The third detectable behavior is the approach to the minor through some tactic of seduction, such as casual conversation by remote means (chats, IRC programs, social networks, etc.), manipulation of themes, exchange of files, games, texts and movies, or the sending of erotic dialogues or pornographic images. This situation can then degenerate into psychological domination of the minor to achieve the manipulative adult's desires, which may lead to the performance of acts of a sexual nature by the victim, such as showing their naked body in front of the web camera, to obtaining photos or films of the minor and eventually to seeking a personal encounter with the minor, which may well end in sexual abuse or even rape.

Now, note that we are not strictly facing a matter of production or dissemination of pornography, or of corruption of minors or rape, but a process that is related to those other crimes. Grooming is a not-so-novel conduct (there are frequently visible cases and a dark figure) that is very rarely criminalized in the penal codes. Such conduct, as we have seen, is the seduction and sexual manipulation of a minor through computer systems, mainly for the purpose of producing pornography or of sexual abuse. The existence of a legal figure of this type is justified by several reasons, among others, the sexual indemnity of minors, their generalized access to telematic media, the ease of entering public sites on the Internet that they do not see as dangerous, the lack of security and warnings to protect potential victims, as well as the proliferation of adults who seek sexual satisfaction on websites or Web services that allow them to maintain their anonymity, and intentional behaviors that are directed against a particularly vulnerable age group.

It should be noted that the Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (Convention of Lanzarote of October 25, 2007) has indeed taken this serious situation into account and therefore urges the parties to this Agreement to take the corresponding legislative measures:

"Article 23. Solicitation of children for sexual purposes. Each Party shall take the necessary legislative or other measures to criminalise the intentional proposal, through information and communication technologies, of an adult to meet a child who has not reached the age set in application of Article 18, paragraph 2, for the purpose of committing any of the offences established in accordance with Article 18, paragraph 1.a, or Article 20, paragraph 1.a, against him or her, where this proposal has been followed by material acts leading to such a meeting."

Despite this scenario, so risky for minors, we have found that few countries criminalise grooming, which is an obstacle to discouraging this conduct among paedophiles. The institutional tendency in countries appears to be rather to prevent its commission and to alert parents, teachers and other caregivers so that they and the minors themselves learn to identify risky situations. The UNICEF report on child safety online cited earlier echoes this concern about the lack of legislation punishing such conduct and the lack of records or databases with details on offenders:

“In many countries, this activity is not yet defined as a criminal offence, so no records relating to such behaviour exist. Even in countries where the online solicitation of minors is criminalised, there are no coordinated databases providing details on sexual offenders. This shortcoming represents not only an enormous knowledge gap but also an obstacle to the protection of children.” (Page 2)

A good example of legislation on this subject is found in Article 183 bis of the Spanish Criminal Code. Its content, as amended in June 2010, undoubtedly responds to what is required by Article 23 of the Lanzarote Convention. It also refers to the possible commission of other conduct such as sexual abuse, sexual assault, the exhibition, production or distribution of pornography, or possession of child pornography, among others:

“Article 183 bis.- Whoever, through the Internet, the telephone or any other information and communication technology, contacts a minor under thirteen years of age and proposes arranging a meeting with that minor in order to commit any of the offences described in Articles 178 to 183 and 189, provided that such proposal is accompanied by material acts aimed at bringing about the approach, shall be punished with a penalty of one to three years' imprisonment or a fine of twelve to twenty-four months, without prejudice to the penalties corresponding to the offences committed, as the case may be. The penalties shall be imposed in their upper half when the approach is obtained through coercion, intimidation or deceit.”

In Latin America we have found only two countries that incorporate grooming into their criminal legislation: the Dominican Republic and Costa Rica.

In the Dominican Republic, Law No. 53-07 against High Technology Crimes and Offences defines the offence of sexual assault:

"Article 23.- Sexual Assault. The act of committing a sexual assault against a boy, girl or adolescent, or an incapacitated or mentally deranged person, through the use of an information system or any of its components, shall be punished with penalties of three to ten years' imprisonment and a fine of five to two hundred times the minimum wage."

In Costa Rica, Article 167 of the Criminal Code was recently amended by Law No. 9048 of 10 July 2012. This is an amendment to the offence of corruption of minors, which additionally introduces punishment for grooming in the case of an adult who, by using social networks or any other computer or telematic means, seeks encounters of a sexual nature with minors or incapacitated persons.

“Article 167.- Corruption.-

Whoever maintains or promotes the corruption of a minor or incapacitated person, for erotic, pornographic or obscene purposes, in public or private exhibitions or shows, shall be punished with imprisonment of three to eight years, even if the minor or incapacitated person consents.

The penalty shall be four to ten years' imprisonment if the perpetrator, using social networks or any other computer or telematic means, or other means of communication, seeks encounters of a sexual nature for himself, for another or for groups, with a minor or incapacitated person; uses such persons to promote corruption; or forces them to perform perverse, premature or excessive sexual acts, even if the victim consents to take part in them or to watch them being performed.”

Likewise, Law No. 9135 of 24 April 2013 was recently approved, which further clarifies the conduct of grooming:

"Article 167 bis.- Seduction of or encounters with minors by electronic means.

Whoever, by any means, establishes communications of sexual or erotic content, whether or not they include images, videos, text or audio, with a person under fifteen years of age or an incapacitated person shall be punished with imprisonment of one to three years.

The same penalty shall be imposed on whoever, impersonating a third party or using a false identity, by any means, seeks to establish communications of sexual or erotic content, whether or not they include images, videos, text or audio, with a minor or incapacitated person.

The penalty shall be two to four years, for the conduct described in the two preceding paragraphs, when the perpetrator seeks a personal encounter at a physical location with a minor or incapacitated person."

Such is the very scarce legislation that exists in Latin America. Other countries such as Chile still have the criminalisation of grooming only as a bill, while in the Argentine Republic the National Senate approved, on 2 November 2011, a bill to add an Article 128 bis to the Argentine Criminal Code penalising this form of harassment:

"Whoever, by means of the Internet, the telephone or any other data transmission technology, contacts a minor for the purpose of committing any offence against sexual integrity shall be punished with imprisonment of six months to four years."

However, in the case of the Argentine Republic, it appears that this initiative still has to be ratified by the Chamber of Deputies, the legislative body that would have until October 2013 to give its final approval.

In conclusion, there are still not enough legislative initiatives in Latin America or in the rest of the world to criminalise a computer crime that tends to grow and become ever more common, and that is, moreover, particularly repugnant.

Is grooming considered a crime in your country?

Is there at least a bill to punish this computer crime?

Tools on Cybercrime & Electronic Evidence Empowering You!

This tool is co-funded by the GLACY and Cybercrime@Octopus projects