Blog


Would you like to share an article on cybercrime? Please contribute!
 

These articles do not necessarily reflect official positions of the Council of Europe


There is need of improvements on international cooperation on Cybercrime

1. Being kindly invited to attend a regional workshop on effectiveness of legislation and on international judicial cooperation, within the CyberCrime@IPA Project (Istanbul, 10-12 April 2013), I had the privilege to join an interesting exercise regarding practical aspects of fighting cybercrime. States from Southern Europe discussed their legislation and the way they face, in real life, criminal investigations and international cooperation on cybercrime. It was an interesting exercise because it was detected that a good part of the noise, creating difficulties in concrete cybercrime investigations and jeopardising international cooperation efforts, would be avoided if some small problems were fixed – for example, if some small alterations were introduced in details of the national legal frameworks and in some routines.

2. The first topic was the effectiveness of legislation. The aim of the meeting was to detect whether the represented States have updated legislation on cybercrime and digital evidence, and it was concluded that, in fact, most of the countries have improved and modernised their legislation in recent years. However, some gaps were still reported, for example referring to preservation of data, retention of traffic data or interception of digital communications. Some difficulties were also mentioned when it comes to using digital evidence in court.

3. If the general picture was very interesting regarding legislation, the same cannot be said with respect to the effectiveness of international cooperation, the second topic.

4. It was mentioned that States do not use the Budapest Convention very often, even if they are a Party, using instead the traditional and less efficient classic cooperation instruments. The problem here is that the central authorities, competent to receive and send the classic mutual legal assistance requests, showed themselves clearly overburdened and not able to satisfy, in due time (and even less, in an expedited manner), requests on cybercrime or digital evidence, as Article 31 of the Budapest Convention states.

Some possible solutions were discussed, mainly the possibility of adopting multi-language forms that would make it easier to send, receive and execute requests for obtaining digital evidence, avoiding, for example, the cost (in money and time) of translation. Another option mentioned was the possibility of increasing the already existing (but not currently used) mechanisms of direct contacts between judicial authorities (for example, exploring the possibilities of Article 4 of the 2nd Additional Protocol to the 1959 Convention on Mutual Legal Assistance in Criminal Matters).

5. Still regarding direct contacts, one of the most interesting conclusions concerns some lack of effectiveness of the existing 24/7 contact points: this interesting operative tool is not being used as it could be. Sometimes, it is not sufficiently known internally. In other cases, it does not have regular contact with the authorities in charge of international cooperation – thus, it cannot follow up the next steps of incoming informal cooperation requests.

6. Another interesting conclusion regards the need, underlined by investigators (police or prosecutors), to obtain data from Internet service providers or web service providers from abroad in an expedited manner. It seems clear that ISPs are not included in the concept of authorised person in Article 32, b, of the Budapest Convention. Thus, it is not possible for States to use this legal ground in this context.

This is not an isolated question, as it was clearly noted that beyond formal international cooperation, many times, in concrete investigations, there is a need for informal cooperation (both informal police-to-police cooperation and informal cooperation provided by multinational ISPs or web service providers). At this point, an important paradox was detected: some of the represented States do not look favourably on informal cooperation. At least at the moment of using evidence in court, some legal systems don’t accept evidence that was obtained by “alternative” means, other than formal international cooperation. On the other side of the coin, some States will not allow, at all, any kind of contact from foreign authorities with their nationals, within their territory.

7. As mentioned, this is a strange paradox, as most of the law enforcement agencies from the region (as from the rest of the world, in fact) claim the need for flexible access to information stored by multinational (global) service providers and web service providers.

Besides, the receptivity of some of the major US-based web service providers to providing information to law enforcement agencies from different countries directly, without the need for a formal request, is nowadays clear – the official policy of the US Government is to encourage providers to send non-content information (subscriber and traffic data) directly to those who directly ask for it, even if providers will not be under an obligation to respond.

8. In these matters, there is room for initiatives from the Council of Europe, supporting the efficiency of the 24/7 network or providing technical assistance, for example by developing multi-language forms and model requests. Efforts can be made to help the different countries revisit the views they may have on subscriber information and on the proceedings required to obtain it. And it would be interesting to create a setting that facilitates multilateral dialogue, for instance between the Parties to the Budapest Convention and the major multinational ISPs and web service providers, helping the States to send requests to the providers with respect for their formal requirements and internal policies.

Brazilian Superior Court of Justice obliges Google to reveal emails

Brazilian Superior Court of Justice obliges Google to reveal emails (in Portuguese): http://ow.ly/kbZEv

New Brazilian Cyberlaw

Brazil's new cyberlaw is not tough enough to fight electronic crimes.

By Renato Opice Blum

After 15 years of discussion, Brazil's government has enacted a law that typifies computer-related crimes and covers important issues such as electronic device invasion, unauthorized remote access and interruption of web services.
This article intends to analyze some aspects of the long-awaited Law 12.737/2012.

The text of this short law is as follows:

Article 1: This Act provides for the classification of criminal offences and other matters involving computers.

Article 2: Decree-Law 2848 of December 7, 1940 - Criminal Code, is now amended by the addition of the following Articles, 154-A and 154-B.

Article 154-A, Unauthorized access of computer devices: Accessing computer devices, be they connected or not to a network, violating without authorization security mechanisms, to obtain, tamper or destroy data or information without the express or implied consent of the owner of the device or to install programs or data intending to gain an unfair advantage: Penalty - detention of 3 (three) months to one (1) year and a fine.

i) The same penalty shall apply to those who produce, deliver, distribute, sell or disseminate a device or computer program in order to facilitate the commission of the conduct defined above.

ii) The penalty will be increased by one sixth to one third if the unauthorized access results in economic loss.

iii) In the event that the access results in the obtaining of private electronic communications, commercial or industrial secrets, confidential information, as defined by law, or the unauthorized control remotely of a computer device: Penalty - imprisonment of six (6) months to two (2) years and a fine, where the conduct does not constitute a more serious crime.

iv) In the case of iii) above, the penalty shall be increased by one third to two thirds if any disclosure by any means of the data or information obtained is sold or transferred to a third party.

v) The penalty shall be increased by one third to a half if the offense is committed against:
a. the President, governors or mayors;
b. the Chairman of the Supreme Court;
c. Chairman of the Chamber of Deputies, the Senate, the State Legislative Assembly, the Legislative Chamber of a Federal District or Municipality;
d. the head of a direct or indirect federal, state, local or Federal District administration.

Article 154-B, Criminal prosecution: The offenses defined in article 154-A, will be brought by request unless the offense is committed against the direct or indirect administration of the Union, States, Federal District and Municipalities or against Utilities or Public Services.

Article 3: Articles 266 and 298 of Decree-Law 2848 of December 7, 1940 - Criminal Code, become effective with the following wording:
"Interruption or disruption of telegraph, telephone, computer, telematic or public information service"

Article 266. .................................................. ......................
i) The same penalty shall apply to those who interrupt telematic or public information services, or prevent or hinder their recovery.
ii) Penalties shall be doubled if the crime is committed during a time of public crisis."(NR)

Counterfeiting of Private Documents

Section 298. .................................................. ......................
Counterfeiting of a card
Single paragraph. For purposes of this head, will mean any personal card, credit card or debit card.

Article 4: This Law shall enter into force 120 (one hundred twenty) days after official publication.

Brasilia, 30 November 2012; 191st and 124th Independence of the Republic.

The first point to mention is the fact that the law limits the typifying of invasion to cases in which an “infringement of security mechanisms” occurs, excluding computer devices without protection mechanisms from the enforcement. Moreover, the expressions “security mechanism” and “computer device” (only hardware, what about software?) are not defined by the law, raising doubts about the legal framework in certain cases.

Furthermore, since the conduct “to invade” gives the idea of “entering forcefully”, cases of inappropriate acquisition of data through social engineering techniques and other means (e.g. disclosure of password by the owner to third parties) theoretically would not be included in the newly created classification. This is because such actions would not constitute violation, but merely unauthorized access.

Additionally, it is possible to foresee a broad debate about who would be the “owner of the device” invaded – the expression used to designate the victim. The legal text seems to refer only to the owner, not clarifying whether a possible possessor or user could also be protected.
It is also important to mention that, concerning the penalization of disclosure of industrial secrets obtained by invasion, there is an apparent duplication of legal provisions: improper disclosure was already considered a crime under the Protection of Industrial Property Law (Law 9.279/96).

It’s true enough that the new law covers many other interesting topics. However, the sentences imposed appear to be too soft, allowing the enforcement of the conditions of Special Courts’ proceedings. This comes when the international trend is precisely the opposite: it recently made the news that the State of California (USA) sentenced to 10 years in prison a hacker accused of stealing pictures from celebrities through the web, in addition to the payment of compensation in the sum of 76 thousand dollars.

Obviously, we are not advocating a sudden increase in Brazil’s prison population just to punish computer crimes. Nevertheless, it is hard to understand how a law created after so many years of debate can establish punishments with such a weak deterrent effect. This aspect of the penalties is disconcerting since in the majority of computer crimes the material loss is just a small part of the problem: the damage occurs within the intimate sphere of private lives or concerns sensitive business information – which makes the lost data invaluable for the victim.

For these reasons, it seems lenient to punish such conduct by granting benefits intended for minor crimes. If technology has achieved a relevant role in the daily life of the Brazilian citizen, the law should follow this change, recognizing in practice its gigantic potential to affect people’s lives – for better or, unfortunately, for worse.


Renato Opice Blum - Attorney, Economist and President of the IT Advisory Board of Fecomercio.

The experience of the Cybercrime Office of the Portuguese Prosecution Service

1. Portugal ratified the Budapest Convention in 2009, but had already adopted legislation on computer crime since 1991. There is thus some experience combating this type of criminality, within the Prosecution Service, particularly after 1994, when the first specialised section on computer crime was created (and specialised prosecutors were assigned), within the Lisbon District Department of Investigation and Prosecution.

However, the diffusion of computers and the Internet expanded, like never before, the cases where digital evidence is required, besides the traditional cybercrime cases. Digital evidence can be crucial in many criminal investigations and nowadays, potentially, any prosecutor must handle cases referring to some sort of digital evidence. This enormous latitude in a new and difficult area has created the need to deepen and consolidate understandings about the legal issues, both in domestic laws and in international frameworks. In fact, it was felt that not all the prosecutors with criminal investigative functions were able to correctly understand how to obtain, gather and preserve this kind of evidence. Besides, recent and sometimes not completely consistent pieces of legislation have raised, among the prosecutors, different opinions, which in concrete cases have led to different practical solutions in similar cases.

2. Within this landscape, the need arose for the creation of the Office for the Coordination of the Activities of the Prosecution Service on Cybercrime – Cybercrime Office, directly dependent upon the General Prosecutor of the Republic. The office was created by Order of 7 December 2011 and aims to reach internal coordination within the Prosecution Service, in this area of criminality, to develop specific training and good practices in concrete investigations and to establish expedited communication channels, mainly with the private sector, in view of facilitating the cooperation with criminal investigations.

3. Coordination within the Prosecution means adopting, at the national level, equal solutions to equal problems. Coordination requires knowledge of real life and the real investigations on cybercrime. In view of that, the option was to establish a network of specialised prosecutors on cybercrime and on digital evidence, spread across the whole territory. A network of almost 70 prosecutors was established, covering all the national territorial departments. Meetings were held, with training purposes and also with the objective of exchanging points of view, so that the same facts and situations tend to be treated in a coordinated and consistent way by all the prosecutors. In addition, the objective was also set of having an overview of the actual reality of cybercrime, in order to detect trends, foresee probable developments and assess the effectiveness of the reaction. In general terms, the prosecutors strongly supported these meetings and welcomed the initiative.

4. Regarding training, the need was felt to provide the largest possible number of prosecutors in the country with basic knowledge on cybercrime and digital evidence. Training sessions were developed. Besides, advanced training was delivered to some of the contact points of the network and also to prosecutors in some of the specialised departments handling cybercrime investigations.

5. It was recognised that modern criminal investigations very often require cooperation from private entities (for example Internet service providers). Such entities are the only owners of information important to many criminal investigations. Contacts were established with the major Portuguese Internet Service Providers, with a view to making their collaboration with authorities easier. Expedited channels of communication were created and a cooperation Protocol was signed, in July 2012. Besides other objectives, this protocol established that all the requests from prosecutors to the providers should be made using a commonly adopted form. This agreement was seen as a good step forward in the development of cooperation from the private sector with the prosecutors.

Time to bring the rule of law into the biggest Internet attack ever?

The 300 Gb/sec Distributed Denial of Service attack launched on March 19 against Spamhaus, which lasted for a good 9 days, was certainly the biggest attack ever faced by this most efficient and influential antispam organisation in its 12 years of operations.

It may also qualify as the attack which generated the most sensational headlines: “Behind The Largest Internet Attack Ever” (Forbes), “The Nine-Day Cyber Attack That Broke the Internet” (CNBC, a blog post by Pat Calhoun, Sr. Vice President, Network Security McAfee), “Record-breaking cyberattack hits anti-spam group” (AP), “How the world's largest cyberattack slows down your Internet use” (PCWorld), and so on.

Very quickly the real magnitude of this attack started to be questioned and its impact was reassessed to more reasonable proportions. According to the Internet Storm Center on March 28: “The attack did reach upwards of 300 Gb/sec and is the largest recorded DDoS to date” but “(…) the Internet did not come close to coming down, not much real impact was felt outside the victims and those in close Internet-proximity to them (…). The attack was significant, but not globally so despite the media reports to the contrary.”

Even more interestingly, this time the attacker had a name - the hosting provider Cyberbunker, located in an ex-NATO shelter in the Netherlands - and it has a spokesperson: Sven Olaf Kamphuis, who has a Facebook page and appeared on Russia Today on March 27. In this interview Mr Kamphuis denies being behind the attack, blames Spamhaus for being a threat to internet freedom and makes this particularly interesting statement: “Spamming is against the law but Spamhaus is not the authoritative instance to handle that”.

It is so unusual to put a face and a name on adversaries of well-established entities that the media and the blog posts could not miss the opportunity to talk about Cyberbunker and let Mr Kamphuis share their views. As a human being, I understand - and to a certain point I share - the frustration expressed by the North-American antispam organisation CAUCE on March 28 that “some press outlets and bloggers have given equal time to the criminals”. But as a lawyer, I like that. I find it very important that adversaries are given the opportunity to say what they have to say, even if this is unpleasant or simply not true.

I would go even further: it’s not enough to give adversaries equal time, the law community has a duty to give them the opportunity to address their dispute in an organised fashion.

For the first time in history, we have witnessed a huge cyberattack between adversaries who are publicly fighting each other, and who have arguments which can potentially be assessed and discussed in a reasonable fashion.

It is uncertain whether our Spamhaus and its adversaries would feel safe enough to sit down and explore how the rule of law could help address their case, but the opportunity is there. Given the core values it represents, what is the role of the Council of Europe in resolving the challenges around the biggest internet attack ever?

Argentina: New precedent of the "Cámara de Casación" related to chain of custody in digital evidence

Argentina.

The "Cámara Nacional de Casación Penal", Sala IV (Cassation Court), on March 22, 2013, upheld a conviction for threats and coercion, on the basis of the content of an email. The court analyzed the chain of custody of the notebook. The sentence states that if a notebook sealed in an envelope is opened in front of witnesses and an actuary, it is appropriately protected. It states, as well, that information held in the notebook that was copied bit for bit is a true copy of the original disk.

See the text: http://www.diariojudicial.com/contenidos/2013/03/25/noticia_0005.html

The CoE Electronic Evidence Guide has been released

The "Electronic Evidence Guide" (EEG) that has been developed by the Council of Europe for over a year was released just a few days ago. Many of you might have heard about this document on different occasions like the last Octopus Conference or the International Workshop in Struga last year.

The guide has been developed within the framework of the CyberCrime@IPA project and is intended for use by law enforcement and judicial authorities only. The purpose of the guide is to provide support and guidance in the identification and handling of electronic evidence using methods that will ensure that the authenticity of evidence will be maintained throughout the process.

The EEG has been prepared for use by countries that are developing their response to cybercrime and establishing rules and protocols to deal with electronic evidence. Most of the existing guides have been created for the law enforcement community, some of them already being outdated. This guide is for a wider audience and includes also judges, prosecutors and others in the justice system such as private sector investigators, lawyers, notaries and clerks.

The guide also covers state-of-the-art technology such as mobile devices and cloud storage and even has a section about live data forensics raising awareness for the importance of acquiring volatile data. Another very useful part of the guide is its Appendix section where you can find flowcharts for quick reference as well as an extensive glossary and a broad range of different model forms.

Please note that each version of the Electronic Evidence Guide has a "time to live" on it. It is intended that the guide will be updated before that date to take into account any relevant changes in technology, procedures and practices that are relevant to the content of this guide. To keep you updated about changes to the guide the Council of Europe secured the document with a password and has implemented a procedure for the distribution.

If you are interested in the Electronic Evidence Guide you just have to follow the instructions that the Council of Europe provide on their EEG website:

 

Electronic Evidence Guide on CoE website

 

Please feel free to share your comments and impressions regarding the Electronic Evidence guide with us!

Digital evidence in the case law of Latin American countries.

Dear colleagues and friends,

As we have debated at length in various forums, both academic and political, one of the main problems facing the criminal justice system when investigating in digital environments is the lack of procedural rules that adequately regulate digital evidence. The codes of criminal procedure remain tied to the old rules designed for "physical" evidence.

So-called “computer crimes” have, since their emergence, posed a challenge to the criminal justice system, one that has deepened with the constant advance of both information technology and telecommunications. This challenge required, and still requires, regulatory adjustments both in substantive criminal law and in criminal procedural law. In Latin American countries, the substantive criminal rules have been adapted more quickly, in order to criminalise computer offences not covered by the traditional offence definitions, than the codes of criminal procedure have been amended. It is evident from a simple reading of the procedural codes that the entire system of evidence was designed with physical evidence in mind, not digital evidence, and that this scheme has not been modified, with few exceptions. What prevails in the case law is the possibility of applying "by analogy" the rules governing physical evidence to the new challenges posed by digital evidence. Thus, by way of example, if it is necessary to obtain files or documents contained on a computer storage medium, the measure is carried out using the "search and seizure" rules designed for the search of physical premises.

Al mismo tiempo, advierto falencias en la capacitación de los operadores del sistema penal de América Latina sobre estas nuevas herramientas tecnológicas de investigación, aún cuando resulta creciente su influencia determinante como medio de prueba en la mayoría de las causas penales ( Desde causas por homicidio a simples amenazas y especialmente delitos complejos como cohecho, fraude contra la administración pública, lavado de dinero, evasión tributaria requieren hoy, para una eficiente persecución, de evidencia digital).

These two factors, the lack of adequate legal regulation combined with problems in the training of practitioners, converge to create serious difficulties in the practice of the courts.

Concepts such as IP address, traffic and content data, storage of information in the cloud, search and seizure of data on computer storage media, searches on social networks, etc. have become common in the language of criminal investigations, even though the law has not regulated them adequately and judges, prosecutors and lawyers have not received training in this area.

As a result, these technological tools are used inefficiently and, in some cases, abusively, in violation of individual guarantees (the press has reported on important investigations that are lost because the acquisition of the digital evidence was declared null and void).

From a common-sense standpoint, it seems evident that attempting to apply rules designed for physical evidence to digital environments cannot lead to good results.

The aim of this blog is to share case-law experiences from different Latin American countries in order to flag shortcomings and promote good practices.

Without intending to exhaust the list of topics, I propose, as a first approach, sharing case-law precedents on the following topics:

- digital evidence and the principle of freedom of evidence.

- search and seizure of data in digital environments.

- chain of custody for digital evidence.

- remote access to data.

- seizure of e-mails.

 

I hope to count on your collaboration.

Circumvention of technological protection measures as a computer crime

Without any doubt, the circumvention or breaking of an effective technological measure protecting an intellectual work could be considered a computer crime under international legislation. It is a subject with links to the field of intellectual property as well as to criminal law and to information and telecommunications technologies.

By technological protection measures we mean any device or technical mechanism whose purpose is to control or prevent the unauthorised use or duplication of, or access to, the content of a work without the rightholder's permission, or abuse of the authorisation granted, or in general to protect the rightholder's economic rights in an intellectual product.

As justification for their existence, precisely as a practical consequence of the privileges enjoyed by the owner of a work presented in technological format, and to prevent unpermitted use of it, there is the possibility of incorporating mechanisms of protection against unauthorised use or copying, or against any other type of conduct that could infringe the rightholder's economic rights.

In this regard, Article 10 of the 2001 Convention on Cybercrime treats the protection of intellectual property as a matter capable of being protected through criminal provisions, so that the respective countries, both parties and observers, draw up the legal rules necessary for that element to be included in their legal systems, where it does not already exist. Likewise, Directive 2001/29 of the Parliament and of the Council of the European Union (Chapter III, Article 6) urges the parties to include and regulate technological measures within their domestic legislation.

“Article 10 - Offences related to infringements of intellectual property and related rights

1.- Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law infringements of intellectual property, (…) with the exception of any moral rights conferred by such Conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

2.- (…)

3.- (…)”

Article 6, paragraph 3, of this same Directive 2001/29 defines technological measures as “any technology, device or component that, in the normal course of its operation, is designed to prevent or restrict acts, in respect of works or other subject-matter, which are not authorised by the rightholder of any copyright or any right related to copyright as provided for by law (…).”

The intellectual property legislation of various countries has expressly recognised technological measures to protect computer programs against free and unpaid use, based mainly on the protection of copyright, such as access passwords, encryption of content, watermarks, identification logos, limits on the length of time of use, and in general any technical device that prevents the duplication of or unauthorised access to the content of the programs in violation of the rightholder's economic right and without the rightholder's authorisation. In any event, such conduct in turn attracts sanctions (mainly criminal) against those who breach those technical safeguards. These measures are devised mainly for digital works, which by their nature are capable of incorporating such technical barriers.

It is important to be clear that the measure must always be an effective technological measure, comprising technological methods or devices that, operating as designed, control access to a protected work, which means that the protection cannot be broken accidentally. In other words, the act of evading the protection must be intentional. European Directive 2001/29 of the Parliament and of the Council of the European Union, in Article 6, paragraph 3, explains what an “effective” technological measure is:

“Technological measures shall be deemed "effective" where the use of a protected work or other subject-matter is controlled by the rightholders through application of an access control or protection process, such as encryption, scrambling or other transformation of the work or other subject-matter or a copy control mechanism, which achieves the protection objective.”

As the World Intellectual Property Organization (WIPO) explains, technological protection measures are varied and their characteristics change frequently. It also divides them into two groups, according to whether they are used (a) to limit access to the content of the intellectual work so that it is accessed only by authorised persons, or (b) to control use by permitted consumers, so that they do not go beyond the authorisation granted.

“In general, rightholders try to control the use of their works in the digital environment by using specialised technologies. Technological protection measures take different forms and their characteristics change continually.

These measures can generally be grouped into two categories: first, measures deployed to limit access to protected content to only those users authorised to access it. Common access control mechanisms are, for example, cryptography, passwords and digital signatures that secure access to the information and to the protected content.

The second major group of technologies is intended to control the use of protected content once users have access to the work. Under the corresponding licence agreement, certain uses of protected content are authorised for certain purposes. To ensure that these obligations are met and that no unauthorised reproductions are made, the corresponding technological measures attempt to track and control copying, thereby preventing the user from exceeding the rights granted. Examples of this type of copy control measure are serial copy management systems for digital audio recording devices and scrambling systems for DVDs that prevent third parties from reproducing the content without due authorisation.”

World Intellectual Property Organization; FAQ section. “How technological protection measures work” http://www.wipo.int/enforcement/en/faq/technological/faq03.html [Accessed: 31 March 2013].

As the reader may conclude, circumventing any of these technological protection measures may require a level of expertise, skill and technological knowledge that is usually uncommon, which is why it cannot fail to be punished as a typical computer crime. It also involves the use of sophisticated computer programs or technical equipment that may well have been created by the perpetrator for the purpose of circumventing the technological measures.

In fact, this picture is closely related to Article 6 of the Convention on Cybercrime, since it would amount to the misuse of technical devices for the commission of computer crimes.

Article 6 - Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the intentional and unlawful commission of the following acts:

a) the production, sale, procurement for use, import, distribution or otherwise making available of:

i) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 to 5 above;

ii) a password, an access code or similar computer data by which the whole or any part of a computer system can be accessed,

with the intent that they be used for the purpose of committing any of the offences established in Articles 2 to 5; and

b) the possession of any of the items referred to in paragraphs a.i) or ii) above, with the intent that they be used to commit any of the offences established in Articles 2 to 5. Any Party may require under its domestic law that a certain number of such items be possessed before criminal liability is considered to exist.

2.- This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 to 5 of this Convention, as in the case of the authorised testing or protection of a computer system.

3.- Any Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1.a.ii) of this article.

However, the content of this provision is not related to the protection of intellectual property. We must therefore rule out applying Article 6 of the Convention on Cybercrime, since its content, concerning the misuse of devices, does not refer to technological measures but to the substantive criminal law of Articles 1 to 5 of the Treaty, such as illegal access, illegal interception, data interference or system interference, none of which concerns the protection of intellectual works. Despite that omission, we will find no differences between creating a computer virus, breaking the authentication process of a computer program, installing a tampered file in firmware, or breaching the protection of a video game. All of these involve very similar actions that are equally criminal. The only difference will lie in whether intellectual property elements are involved.

It would be advisable for Article 6 of the Convention on Cybercrime, which deals with the misuse of devices, also to include a reference to Article 10, so that the circumvention of protection measures would also be expressly covered as a computer crime against intellectual property in technological products.

Finally, I would like to ask the reader:

1.- Does your country regulate technological measures in its national legislation?

2.- If so, is it considered a computer crime or only an infringement of intellectual property?

3.- If it is not included in the legislation, is there any initiative to incorporate it as a computer crime or at least as a violation of intellectual property?

- * -

Tools on Cybercrime & Electronic Evidence Empowering You!

This tool is co-funded  by the GLACY  and Cybercrime@Octopus projects