Blog


Would you like to share an article on cybercrime? Please contribute!
 

These articles do not necessarily reflect official positions of the Council of Europe

Blogy Blogy

Companies Attacked Every Three Minutes

This Week in Cybercrime: Companies Attacked Every Three Minutes zite.to/XlvPmt

Report of Independent Review Group on U.S. Surveillance Practices

On December 12, the U.S. Government publicly released the Report and Recommendations of the President's Review Group on Intelligence and Communications Technologies, which can be found online here. I would be very interested in hearing your reactions to this report, which contains 46 recommendations. Among the more interesting topics, from an international cyber crime perspective, are Recommendation 5 (suggesting that the telephony metadata currently being retained by the NSA instead be stored by private communications providers), Recommendation 6 (a study on the difference between metadata and other types of data), and Recommendations 13-20.

The Brazilian right to be forgotten

For some time there has been considerable international discussion about the so called "right to be forgotten" on the internet. The right for people to have removed, information about them, be it accurate or not, circulated on the internet has been the subject of increased debate.

Technical issues aside, Brazil is still dragging its feet passing even basic legislation regarding the protection of personal data, the issue regarding this right to be forgotten is beginning to grow in importance within the country. The issue was recently addressed by the 6ª Jornada de Direito Civil da Justiça Federal/2013, a Brazilian legal committee, which concluded that such a right would strengthen the protection of human dignity. The issue was analyzed in some depth and symbolically the STJ, the Brazilian Supreme Court for federal law infringements, took the position that this seems to be a trend in the country.

In any event, an analysis of this issue is far from simple, from the beginning we have faced a conflict between those that advocate the right to anonymity (regarding intimacy, private life and social rehabilitation) and those in favor of the unrestricted right to access information. On one hand it is desirable to protect the private lives of individuals on the other it is necessary to guarantee that information of unquestionable public interest is always freely accessible.

Thus, material and public facts, whose effects directly impact society need to remain accessible as they form part of the history of the nation. However every person should have guaranteed the right that their personal life and information is protected.

Photos from college days, controversial views expressed during adolescence and events of everyday private life that ordinarily would fade with the passing of time should be removed if the subject so desires.

The situation becomes more complicated when information circulating on the net finds its way into the news media, in publications, journals or in the comments or opinions of others. This is because, clearly, in any democracy, the freedom of the press, freedom of speech and expression are rights that, exercised responsibly, should be preserved. In the event that information is false, libelous or defamatory without doubt this must be withdrawn immediately or at least corrected where information is not false but exaggerated.

However, where uncomfortable but true facts in the public interest are published, criminal convictions for instance, then it is necessary to reflect upon whether it is appropriate to be able to impact people´s lives in this way ad infinitum.

Indeed on one side we have veracity of the facts, right to information, freedom of the press and thought. On the other, the damaging consequence of indefinitely maintaining information about individuals, and their families, despite their having perhaps paid for their wrongdoing as provided by the law (prison, other restrictions of liberty, payment of fines etc).

It seems that Brazilian legislation has already provided guidance to resolve this issue. In the field of criminal law, the criminal code and criminal procedure make clear that the individual has the absolute right to rehabilitation and social reintegration. (art.93 of the Brazilian Penal Code and art.748 of the Brazilian Criminal Procedural Code).

Those rehabilitated are afforded the right to confidentiality regarding individual records of prosecution and conviction. The criminal enforcement system must also provide conditions that allow for a more harmonious reintegration of offenders into society under Art.1 LEP, the Brazilian Sentencing Enforcement Code, the object being to reduce criminal reoffending.

Given that a fundamental principle of sentencing is ultimately to return those convicted to more productive lives in society, then in order to facilitate this, the right to forget previous wrongdoings should at least be understood.

Furthermore, Brazilian civil legislation also provides that the exercise of personal rights cannot be restricted (art. 11:12 - Civil Code), thus, in any situation, facts of the past, although true, can completely disappear from the future of a man or woman.

To conclude, although it is in the public interest that we have free access to certain types of information about people, it may often be more important that certain facts are overlooked, for the benefit of rescuing the dignity of individuals, who, left in peace can get on with their lives.

 

Renato Opice Blum - Lawyer, economist, professor and president of the IT Council of the Sao Paulo Federation of Commerce.

Brazil pushes e-commerce protection

On March 15th, International Consumers Day, Federal Decree 7962/2013 was published. It provides additions to the Brazilian Consumer Code, Código de Defesa do Consumidor, (CDC) - regarding e-commerce. The decree issues a number of benefits and renovates a proposal to reinforce the responsibilities of parties in online platforms.

The decree has recognisable merits, especially through the application of concepts relevant to the CDC which did need revising for online business, such as the right to information, efficient customer service and the right to return goods the consumer decides after purchase that they simply do not want.

In truth the decree can be summed up in three words, efficiency of communication. This appears to be the decree's central idea, and is essential to be effective in the current scenario of both growing e-commerce activity and increased complaints by consumers to consumer protection bodies regarding that activity. In relation to the evolution of virtual medias, an old subject that had been previously scheduled in other bills Under the new rules, it was established that sites should disclose their details, especially, their corporate name, CNPJ or CPF, physical address and any other necessary contact information.

This simple security measure, is clearly a positive development for good faith companies as it facilitates transparent access between the parties and thus allows customers to more effectively check the suitability of merchants. It also reiterates the responsibility imposed upon entrepreneurs in the online marketplace to follow the same rules of tax and customer service as those in the traditional physical marketplace. This vendor identification will encourage healthy competition in the market which to date has been tainted by some online cowboys who have used the anonymity of the internet to avoid the burden of Brazilian laws.

Also, the decree provides that in cases of collective purchasing the company should provide clearly important details such as the minimum number of buyers, the deadline to join the offer and the full details of the offerer and collective shopping site.

In order to encourage clarity, it was also determined that to complement the above that the principal rights and obligations resulting before closure of a contract should be presented in an easier way to consumers. As for post closure these rights should also be made available so consumers can refer to them after the sale. The supplier should maintain a proper channel of electronic customer service for the consumer. Furthermore, the decree rightly provides that the appropriate means to exercise the right of cancelation is by way of Article 49 of the CDC and that as such this must be made clear to the buyer.

Although the decree does not address the issue directly, the creation of simple channels of communication for consumers, the CDC Consolidated guidance could also be extended to social networks given their huge growth within the Brazilian media. Furthermore the theme of IP log stores as discussed in the debates surrounding the Civil Regulatory Framework should be considered appropriate in relation to consumer protection. It should also be mentioned, that companies seeking an adjustment in the terms of information security under ABNT (27001 and 27002, for example), must remain in accordance with current legislation and therefore should comply meticulously with the provisions of the decree.

As noted, all the information required by the decree to be disclosed by the vendor may have another effect, that being to empower consumers to be able to evaluate effectively the supplier and the products he is offering, the legislation emphasises the principle that consumers should have choices in their consumption decisions. So, Although the law applies to everyone, sometimes the Law itself needs to remember its application in certain environments, especially in pioneering developments, in order to be most effective. This seems to be the case the with decree 7962/2013, it's considerations are well timed and will serve as a foundation for the positive development of online business in Brazil.

 

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

The BYOD (Bring Your Own Device) Trend – The use of personal devices in the workplace.

The time has gone where those with access to cutting edge technology was limited to individuals working in enterprise environments. Today, information is freely available about the quality, robustness and efficiency of products, which enables ordinary users to receive and track news of what the domestic or international electronics market, has to offer.

On the other hand, many companies still operate more traditional forms of supply acquisition, with all the usual bureaucracy and delays. This, combined with volatile budget policies, leads to a tendency for a decrease in the pace of technological modernization in the workplace.

Thus, an increasing reality present in Brazil, is that often employees prefer to use their own devices, more modern and versatile, to conduct their activities than to use those offered by their employer. In this context, managers, rather than banning or ignoring this, may choose to cautiously take advantage of the model, known as BYOD - Bring Your Own Device.

As with many other day to day facts of life, this partnership between worker and employer can be productive, however, the following precautions should be considered and adhered to.

Firstly, with regard to the risks involved and to the terms of art. 2 of CLT, the company must define which activities may be carried out on the private equipment of their employees. Equally the employee should understand the necessity to use original software, tools and adequate security configurations as failure to do so would leave the company infrastructure vulnerable.

In fact, it is essential that each party understands from the outset their own responsibilities. An issue of some considerable controversy revolves around the issue of interference, by employers, into the equipment of its employees and the monitoring of such equipment.

It is important to note that, at present, there are no firm precedents regarding the legality of monitoring an employee’s own equipment, especially as it may contain their own private content, the manipulation of which could prove highly problematic.

Thus, where a company recognises, for its security, that personal equipment with access to its systems should be verified, it must be recognized that there is no legal provision or consolidated jurisprudential position on the point and that as such it is essential that the employer expressly negotiates, clarifies and formalizes this situation with its employees.

So, an essential step for the protection of all parties involved is to formalize in a specific document the settings and conditions that must be applied if any technological equipment is used.

Moreover, during this process, standards and minimum configurations can be set to grant access to the systems, whilst also demanding periodic verification that the employee is continuing to meet these requirements.

It is also important that rules be clarified regarding the working hours of the employee prior to the adoption of the BYOD model, it is a good idea to set timetables and to limit the availability of the worker through their devices, as, the use of such private property, should not necessarily be considered as overtime or being on duty.

Finally, to summarize, the principles governing this new facet of the employment relationship may be those that, not contrary to the law, create interesting situations for the parties, demonstrating the free and conscious choice of each to assume the risks of the proposal whilst avoiding the potential for future trouble. Anyhow, the equilibrium of work relationships, whatever the case, should always be preserved as we can have little doubt as to which side the law is most likely to favor.

 

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

The New Face of Brazilian Democracy vs Technology

The Constitution of the Federal Republic of Brazil, promulgated in 1988 begins; "all power emanates from the people, who exercise it through their representatives." A governance model of representative democracy has been established by the constitution and statute, the effectiveness of which is achieved through universal suffrage.

The Constitution provides limited forms of direct participation by the people by way of plebiscite, referendum or popular initiative (art. 14-CF). However, the significant bureaucratic obstacles to such forms of direct participation have resulted in, today, such forms having become far removed from the everyday reality of Brazilian politics.

Over the years citizens appear to have become accustomed to participating in politics only through the electoral process. The responsibility of each voter being to choose a representative who, from that point onwards, is mandated to make decisions regarding policy in the federal bodies on their behalf. Thus, the role of the vast majority of Brazilians ends with the casting of their vote at the polls.

However, in recent years it appears that, in Brazil, technological development and the resulting growth of digital inclusion, notably through the popularity of social media, has allowed individuals to broaden their participation in the political life of the country, thus returning to them, power, influence that should have never relinquished given that the Constitution has always guaranteed their freedom of expression, of thought (section IV, art. 5 °-CF), including political thought, of course, within the limits of the law.

One might therefore consider that the somnolence of Brazilian people towards political affairs, apparent for many years, existed through a lack of tools, present today for example in social networks, which now provide opportunity to give scale to ideas and concerns, making it viable to share information between people with similar views that might live far from each other in what is a vast nation with many remote locations.

 

In fact the internet not only offers channels for the exchange of information and a possibility to mobilise society, which by the way caught politicians by surprise in recent months, but in fact also offers instruments to control and supervise the activities of the Three Powers, which have slowly forced a consolidation of electronic government, opening channels previously never accessible to the ordinary citizen. Pressure from the public led to legislation being passed to provide access to public information (Law 12.527/2011) which itself gave effect to subsection XXXIII of art. 5th-CF, that provides for the constitutional right to information. The legislation formalised that the state should guarantee efficient access to information through agile, objective measures that are transparent, clear and in language that is easily understandable. In addition, public authorities must use all means and instruments to meet their obligation to "disclose through official sites on the world wide web" (internet).

 

The aim of Complementary Law 131/2009 is to impose transparency in public finances, so that today, applying the two laws, one can find online, amongst other things, official information regarding public accounts, salaries and contracting. Thus, the technology not only enables easier access to this important information, but also allows Brazilians to form their own opinions about it, to criticise and to share it, with the opportunity to ally themselves ideologically with other people interested in the topic.

It is also worth mentioning that the traditional media seems to have lost its monopoly on communication, with a veritable insurgency of amateur journalism by the public, highlighted in recent street demonstrations that attracted a massive audience on the web. The approach of these non-professionals was clearly more combative, but contributed in a different way to democracy, the internet providing objective, real content with a wide range of narrative.

It should however be noted that although these demonstrations and disruption through this virtual democracy is necessary in democratic society, there is of course a limit to them, the criminal law provides that people may and will be held accountable for their actions. There has been a crackdown on the crimes of slander, libel or defamation (Articles 138-140 of the Penal Code), published on Internet, which still apply, with a concrete possibility of increased punishment when such practices are directed against the President, Foreign Secretary or public officials, in relation to the execution of their duties (Article 141 of the Criminal Code).

Equally, those that either incite or condone criminal acts (Articles 286 and 287- CP ) relating to damage, for example, aggravated when committed against public property, are also unacceptable and constitute criminal conduct and is punishable in through the same system as the socially repudiated suspects of corruption.

Thus, it is argued that in order that digital channels be utilised healthily in today´s democracy, that the process should play a fundamental role in informing and educating Brazilians who in turn will be able to more effectively exercise their rights and contribute to the growth of their nation.

Finally, it has long been said that ¨knowledge is power¨, it might be said that todays technology has helped the process of empowering, politically, the general public which gradually, with access to education and the ability to audit the government and then share through electronic tools has had the power "eminating from the people" which once slipped from their hands, restored, albeit subtly in a balanced way and absolutely in the best interest of the country.

 

Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

Published in te newspaper "Valor Econômico" http://www.valor.com.br/legislacao/3361314/democracia-e-popularizac...

European Union approves harsher punishments for cyber crimes

European Union approves harsher punishments for cyber crimes

http://www.theverge.com/2013/7/4/4493832/eu-approves-harsher-punish...

The PRISM scandal, a not to be missed opportunity for the Council of Europe

The PRISM scandal is touching on a lot of sensitive and complex topics, from privacy to international politics and critical infrastructure, but there is at least one thing which is clear: the situation is totally confused.

Not only we don’t know what actually happened, but even the Washington Post which broke the news has significantly adjusted its initial article, as spotted by Zdnet in its article “The real story in the NSA scandal is the collapse of journalism”. While it is a fact that the Washington Post does not pretend anymore that the technology companies “participated knowingly in PRISM operations”, we have no indication why the newspaper changed its article in a favorable way for these companies.

Interviewed two days ago by the French news site Atlantico on what is behind PRISM (you can read it here), I thought that actually the questions and my answers could be relevant for the Octopus community.

 

The first question was about what happened in practice.

On June 11, it was impossible to understand what actually happened in the PRISM program, and as of today we still don’t know. It is nevertheless useful to put this issue of direct access to data by the NSA in perspective with the daily reality of the companies allegedly involved.

We shall keep in mind that in all companies – whether they are US, European or whatever - the teams in charge of handling legal requests from police forces and intelligence units are cost centers. In some countries ISPs can charge law enforcement, but this is an exception, not the rule. So these teams don’t generate any money, they only damage the bottom line. Therefore, the visceral reaction of any business is to minimize the volume of response to legal requests. This being understood, an initiative like PRISM is basically perceived by companies as a threat to their freedom of action and good management of their infrastructure.

Among the companies involved, namely AOL, Apple, Facebook, Google (and YouTube), Microsoft (and Skype), Paltank and Yahoo!, none has ever been owned by the U.S. government. At most, some have better connections with the White House than others. Therefore, imposing PRISM on these companies would require U.S. authorities to use an absolute coercive power, which is not proved yet, or to overcome the issue of the cost by providing money in addition to the political/legal pressure. The amount of money necessary for an effective implementation of PRISM by all the tech companies can be estimated to be in the hundreds of millions of dollars. This is not small money, even for the USA, and even if we ignore the “fiscal cliff”.

Finally, let us remember the FBI's Carnivore program, which in the early 2000s created as much anxiety as PRISM, but proved ultimately to be ineffective in processing the massive flow of information circulating on the Internet.

The second question was about President Obama’s quote on June 07, 2013 on the balance between security and privacy.

It's important to recognize that you can't have 100 percent security and also then have 100 percent privacy and zero inconvenience," said Obama, before adding "We're going to have to make some choices as a society."

This is quite an intriguing statement, to say the least. Obama seems to suggest that our society has yet to choose between security and privacy. Until now, it was assumed that our democratic societies had already made their choice. We thought that we had reach a balance – certainly imperfect – according to which the State had investigative and intelligence capabilities in exchange of a limitation of these capacities within legally fixed boundaries.

Of the nine companies involved in PRISM, none guarantees 100% safety and none wants 100% privacy for its customers. As for the inconvenience, companies like Microsoft and Facebook have voluntarily implemented automatic detection, deletion and report of child abuse material found on their platform to the National Center for Missing and Exploited Children, a proactive measure which apply to their customers worldwide. This program, called PhotoDNA is public and did not raise any controversy to date. So implying that ISPs would not tolerate any inconvenience is also incorrect.

This said, Obama is right on the need to constantly readjust the balance between security and privacy. If we look at the issue of child abuse material, and how mobile phones facilitate the recording of videos of scenes of abuse, it is a fact that the ability to distribute material exceeds the capacity of law enforcement to track and stop the offenders. Without more advanced analysis tools and automated processes such as PhotoDNA, we will not be able to at least limit the dissemination of such contents. These tools and processes will in turn become even worse than the disease it cures if States are unable to operate under the rule of law.

For the time being, PRISM seems to prove that a country like the United States do not have yet the surveillance tools they need, and the persistent confusion shows that reaching the balance between privacy and security is a very long journey.

What attitude should adopt European countries in face of massive surveillance programs?

The instinctive reaction of European authorities will be to raise concerns, ask for clarifications, and it has already started. Given the total lack of trust among governments and between citizens, industry and governments, whatever will be responded will not reassure anyone.

So the path towards trust will not be to understand what has been done, but rebuild trust from zero. The boldest and most useful reaction would be that countries which embrace the Cybercrime Convention engage in a healthy competition on providing more transparency on their own practices and processes. The countries which would provide the best balance between security and privacy would not only gain the confidence of their own citizens, they would give a clear competitive advantage to their own cloud providers.

Guess what happens when an industry takes advantage of a trusted national legal framework? It create jobs, charge VAT to their customers and pay taxes… all things badly need in Europe these days.

The Cybercrime Convention is much more than a set of legal rules, it is about rule of law, trust, balance between security and privacy, and a well-defined cooperation between industry and authorities, i.e. exactly what is missing in the PRISM scandal. The Council of Europe should not be shy to remind how useful it can be to the community of States which signed the Convention, including of course the USA. The next Octopus conference on 4th to 6th December looks very promising!

Obtaining the identification of the user of an IP address and Budapest Convention

1. I learnt a couple of decades ago, at the university, that law in books is not the same as law in action. Recently, I found the real evidence of that, reading the “Assessment Report on Implementation of the Preservation Provisions of the Budapest Convention on Cybercrime” (adopted by the T-CY at its 8th Plenary, 5-6 December 2012 - http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/T-CY...). According to this report (pages 77 and 78), most of the Parties to Budapest Convention have already implemented the rules referring preservation and expedited disclosure of traffic data. Within the 31 responding States to the questionnaire that was in the origin of the report, 27 of them have already implemented Article 17 of the Convention and 24 of them have implemented Article 30.

However, in practical terms, in some countries, obtaining the disclosure of traffic data is subject to conditions that are not compatible with the expedited character required by those rules of the Convention.

I would like to bring to the discussion the question of obtaining an IP Address detail, in relation to a concrete case, and the eventual legal constraints, in the light of the Convention.

2. When an ISP provides to a law enforcement agent the identification of the user of a determined IP address, in a particular day and time (probably, the time details were already known by the investigators); or when an ISP provides the identification of an IP number used by an already identified person, this is not likely to disclose private or confidential information. In fact, these data do not disclose any sensitive information about the route of the communications or any other traffic information of the person concerned.

In practical terms, this kind of information only will confirm that an already identified communication was established – it is just a confirmation of the identity of someone that the law enforcement agents already knew, but whose name and details didn’t knew. In other words, this information only establishes the connection between a particular communication, which is already known, and its point of origin.

Of course, the same does not occur when information is required referring to an extended period of time or to multiple communications established by a suspect.

3. The legal conditions to obtain this type of information depend on the national regulations. And national regulations, among the Parties of Budapest Convention, have different solutions. Some countries include the IP address related information within traffic data; besides, they only allow law enforcement agents to obtain traffic data in serious crimes investigations and require a judge order allowing it. Other countries adopt a more simple procedure, assuming that the above mentioned IP related information is a part of subscriber information, that can be obtained in any investigation (regardless it is or not serious crime) and by mere initiative of the police.

Even if it is an option of the States, to decide the formal requirements of obtaining that kind of information, this question is relevant within the community of the Parties of the Budapest Convention.

In fact, if this type of request refers to cross border investigations, for example because the IP address belongs to a foreign ISP, than, the request must be addressed to that foreign ISP. Eventually, in this case, expedited preservation of data (as described in Article 16 of the Budapest Convention) and expedited disclosure of traffic data (as described in Article 17) need to be used.

4. Normally, in the real life, the procedural measure of expedited disclosure of traffic data refers only to the IP address. In fact, the expedited disclosure of traffic data aims to allow the investigating authority to identify the service providers and the path through which a communication was transmitted (Article 17, 1, b of the Budapest Convention). And the identification of the origin of the communication is normally given by the IP address. Still according to Article 17 (number 2), this procedure will be implemented, in each one of the domestic legislations, subject to Article 15, which means that its “establishment, implementation and application (…) are subject to conditions and safeguards provided for under its domestic law”.

If the domestic law limits the disclosure of traffic data (and many European countries do that), to serious crime and require a judge order, probably, the concerned country will not be able to comply in an expedited manner and in all cases, with this article of the Budapest Convention. This can jeopardize concrete criminal investigations.

Unless, the mentioned information regarding the IP address has not the same treatment as traffic data.

5. The Budapest Convention does not include a definition or a particular statute of the IP address. Besides, it is not also expressly provided if the IP address is – or it is not -, traffic data. However, the definition of traffic data, as described in Article 1, d, of the Convention is very broad and comprehensive, covering “any computer data relating to a communication by means of a computer system, generated by a computer system (…) indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service”. In this context, in a first approach, the interpreter could think that the IP address used in a particular communication could be traffic data.

The fact is that this theoretical discussion about whether the IP address is - or is not -, traffic data, is not decisive for the definition of its status, as Article 18, 3 of the Convention expressly provides particular rules that point out a clear solution, including the IP Address in the category of subscriber information.

6. According to that provision, “subscriber information” means any information held by a service provider, relating to subscribers of its services (other than traffic or content data) and by which it can be established, among other, “the subscriber’s identity, postal or geographic address, telephone and other access number”. Even if the IP address is not expressly mentioned (which is normal, in a technological neutral Convention), this "access number" is precisely the IP address. In digital communications there is no other "access number" or even any other reality that can correspond to this concept, being legitimate to conclude that this reference was expressly stated in the Convention to refer to the IP address.

In the Explanatory Report of the Convention (paragraph 179 - http://conventions.coe.int/Treaty/en/Reports/Html/185.htm) it is explained that this provision refers to all technical measures that enable the subscriber to obtain the communication service. Thus, the provision includes all the technical numbers or addresses (telephone number, web site address or domain name, email address, etc.). The Explanatory Report adds (paragraph 180) that subscriber information (...) also means any information, other than traffic data or content data, by which it can be established the user's identity, postal or geographic address, telephone and other access number. And it concludes that (paragraph 182), for example, on the basis of the provision of a particular name (...) a particular associated telephone number or private email address may be requested. On the basis of a particular telephone number or email address, the name and address of the subscriber concerned may be requested.

In this context, it is irrelevant whether the IP address is a fixed address, assigned permanently to a single user, or a dynamic address, successively assigned to multiple users: both of them are the "access number" and in none of the cases the sought information is able to disclose personal or private information.

About the Cybercrime Prosecutor´s Office in Buenos Aires-Argentina

I-Introduction

The city of Buenos Aires organized an adversarial system, as specifically provided in article 13, 3 of the Constitution of CABA.

 

Thus, the new procedural system has been established in the city from 2307-law enacted on 3/29/07, promulgated on 8/5/07 and and published on 30/4/07.

 

Essentially, this involves the acceptance of basic rules such as the following: there can not be allegation prior to conviction, the court is unable to investigate and its supposed to be neutral and guarantee the process, the parties have the same guarantees, orality from the beginning of instruction, the judge's decision is limited to the information given from the parties during oral hearings; deformalization of the investigation, expansion of the powers of prosecutors -who have transformed into the real protagonists of the system-. They are in charge of criminal investigation from the beginning until the case is brought to trial.

 

In this context, in 2008, law 26.388 was passed. This law included a number of cybercrimes, updating the Argentine Criminal Code. That’s because the legal guarantees that were supported by certain rules, responded to the technological age of the time in the which our code was approved.

While progress is important, there is still much to be done in criminal and procedural law.

 

Theres no crime without a previous law, that’s a constitutional rule (art. 18 CN). Altough, criminal interpretation by analogy is prohibited. The development of new technologies left many legal rules useless, to the point that, in some cases, there were judges who had declared the luck of penalty of certain behaviors that deserve legal protection. In other cases, judges had to stretch its interpretation in order to convict the conducts developed.

The characteristics of cybercrime warrant specialized treatment. This is due to the frequent international nature of these offenses, the facility to commit them, the difficulties to investigate them and to collect and preserve digital evidence. Also, practice shows a difficulty to identify the perpetrators.

 

Take charge of investigating such crimes efficiently, implies the need to adjust the laws of those special substantive rules on cybercrime that today require an autonomous mode. It is required to adapt procedural rules; train prosecutors and judges in the essence of this new way of designing a case. It is also necessary to count on a technical staff in the police department and in the prosecutor´s office in order to help the prosecutors in the cases mentioned.

 

II.-The need to specialize

The expertise in cybercrime is a need in the usual practices of prosecutors. There has been a progressive increase in the number of criminal investigations related to the use of new technologies, which will increase with the next transfer of crimes from the ordinary National Justice to the Justice of the Autonomous City of Buenos Aires.

 

It is a reality that the generalization of those instruments in the development of social relations, has determined the emergence of new forms of crime, also enabling dynamics and mechanisms, as yet unknown, in the commission of illegal acts of a more traditional nature. Likewise, today's technology provides important tools for the investigation of crimes that require expertise and constant training.

 

In order to respond to this situation, it is thought that the need to create a Special Prosecutor Office on Cybercrime is essential, according to the principle of unity of action and in order to ensure efficient and coordinated intervention of the Local Public Prosecutor Office. Also, to strengthen the constitutional principle of equality of all citizens and legal certainty.

 

In fact, Resolution 501/2012 of the General Prosecutors Office, approved –at the beginning for a period of one year- the implementation of a team specialized on cybercrimes, with special competence only in the city of Buenos Aires, providing exclusive jurisdiction since November 15, 2012, team that I lead.

 

III. - Functions

 

The objectives of the Specialized Cybercrime Prosecutors Office are:

a) Investigate cybercrime where CABA justice is competent and crimes committed using computer technology.

b) Coordinate investigating strategies appropriate to the special units of various specialized security forces -Argentina Federal Police and Metropolitan Police, National Gendarmerie, and the Judicial Investigation Corps- as well as establishing links with other organizations whose coordination in certain aspects can be determinant for the development of investigations -National Personal Data, Central Bank, Ministry of Justice of the Nation, ministries, and others-.

c) Development of action protocols to facilitate and standardize the criteria of action in the investigation of crimes that require investigation of digital evidence, which will be coordinated with the Department of Crime Policy, who will evaluate the needs and realities that impact in the subject.

d) To promote institutional cooperation agreements with the private sector to achieve efficiently the fulfillment of the requirements made by the justice. (Google, Microsoft, free market, FiberTel, etc..) And the various cameras that nucleate those companies.

e) Coordinate with the Judicial Training Centre, the training of the Specialized Team on Cybercrime in the investigation of crimes committed via the Internet and basic courses of action for all members of the Public Prosecutors Office.

f) Generate training exchanges and cooperation between the different provinces and CABA on computer crime, with the aim of guaranteeing a similar performance and maintenance of similar criteria in the interpretation and application of standards, and to facilitate proper coordination in those investigations in this area, in which criminal activity is developed and / or produces its effects in different geographic locations of the country. Likewise, exchange experiences among prosecutors from different provinces, about ongoing procedures, analysis and evaluation of legal problems.

g) Promote the organization and training activities with countries with experience in investigating cybercrimes.

h) Prepare and submit annually to the General Prosecutor a statistical report on the procedures and cases investigated by prosecutors specializing in computer crime, both quantitative and qualitative aspects.

i) Celebrate cooperative agreements with non-governmental organizations and foreign nationals, especially with regard to the fight against child pornography on the Internet.

 

In this line, it was necessary to define the area where the activity of the specialized team on cybercrime would work, since the development of information technologies increases every day, developing new forms of crimes that require legal protection and consequently present difficulties for the purposes of their investigation.

However, this fact should not lead us to consider that any criminal conduct related to the use of these technologies, or common crimes that require digital evidence, should be included in the category in question. As this would lead to a distortion of the concept and overflow even own approach of specialization. It is necessary to define the object of activity in this area of ​​work in order to give greater operational and effectiveness. So, the specialized team will only intervene when the use of these technologies prove to be decisive in the development of criminal activity, or that circumstance involving greater complexity of investigation and difficulties in identifying the authors of the crime.

 

It is not easy to define the objective framework of activity of this specialty, since the rapid development of science and technology, advise against a closed catalog that limits the types of crimes that can fall under this category of cybercrimes. This, because it is likely the next appearance of new forms of crime or committing new means of existing crimes, in which the key element is also the use of information technology.

 

The circumstances described above, indicated that the initial catalog of computer crime offenses, are then divided into three categories exposed, necessarily remain open and their inclusion will be assessed prior to time by the Department of Crime Policy.

 

III A) Crimes in which the objects of criminal activity are computer systems:

 

- Crime of damage: 26.388 law incorporated in its second paragraph -article 183 CP: "The same penalty shall be incurred by anyone who alters, destroys or mutilates data, documents, programs or systems, or sells, distributes, puts or make circulate or in a computer system, any program designed to cause harm"

- Damage compounded: 26388 law adds two new aggravating to art. 184 CP: 5) "run in files, records, libraries, .... or data, documents, programs or systems of government"; 6) "run on computer systems for the provision of health services, communications, provision or transportation of energy, transportation or other public service "

 

III B) Crimes in which criminal activity is run through computer media.

 

- Child pornography: art. 128 CP punishes anyone who produces, who finances, offer, trade, publishes, facilitates, bruits or distributes, by any means, any representation of a child under 18 years engaged in explicit sexual activities or any representation of their genitals predominantly sexual purposes, like who organizes live shows explicit sexual representations where these children participate offering and distribution of images related to child pornography possession and distribution purposes. Shall be punished with imprisonment from four months to two years if he was in possession of representations of those described in the previous paragraph, unequivocal purpose of distribution or marketing.

- Shall be punished with imprisonment from one month to three years the person who facilitates access to pornographic or provides any pornographic material to minors of 14 years.

- Crime of threats (art.149bis CP) committed by computer and / or media when the importance and complexity of the conduct made the need for special treatment.

- Supply of pornography: The art 62 CC punishes anyone who provides or permits a person under 18 access to pornographic material.

 

 

The reality of computer crimes is that they are uncontrollable and their effects can produce devastating results.

In this awareness, the creation of the team specialized on cybercrime, represents a major institutional challenge for the team that materialize this problem every day.

 

 

Daniela Dupuy

Prosecutor – Specialized Office on Cybercrime

Tools on Cybercrime & Electronic Evidence Empowering You!
Zobrazenie webového obsahu Zobrazenie webového obsahu

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects