Politech mailing list archives
FC: International update: Australia, Switzerland, G8 summit
From: Declan McCullagh <declan () well com>
Date: Fri, 26 May 2000 11:00:21 -0400
**********

http://www.wired.com/news/politics/0,1283,36587,00.html

Aussies Go After Crime Site
by Stewart Taggart
3:00 a.m. May. 26, 2000 PDT

SYDNEY, Australia -- The operator of a website specializing in criminal public records said he won't be bullied into closing it down after a murder trial was aborted because of material contained on the site.

In Victoria Supreme Court on Wednesday, Justice George Hampel established what could be a legal precedent by aborting a murder retrial because jurors could learn details about the defendant's first trial through CrimeNet.

[...]

Jane Wilson, spokeswoman for Victorian Attorney General Hulls, remained unimpressed. "Anyone who publishes materials under certain circumstances about those on trial can be held in contempt," she said. "For instance, journalists operate under certain restraints. At risk here is the integrity of the entire justice system."

**********

Also see:

http://www.wired.com/news/print/0,1294,36345,00.html

11:00 a.m. May. 15, 2000 PDT

BERN, Switzerland -- Big telecommunications companies bridled at a proposal from Swiss police to make Internet service providers block access to sites with suspected criminal content once investigators tip off the ISPs...

Under the proposed rules, Swiss service providers who put clients onto the Internet would have to block access to sites with illegal content once investigators notified them...

Hosting services which provide storage on Web servers were to conduct at least spot checks. They would also be asked to cut off access to sites with illegal content.
**********
Date: Sat, 20 May 2000 07:18:14 -0400
To: declan () well com
From: David Banisar <banisar () bellatlantic net>
Subject: Re: FC: G8 update: Global Internet Project report, more news from Paris

Declan,

FYI. We have put together a review of the G-8's and COE's work on cybercrime with all the relevant docs and press coverage.

http://www.privacyinternational.org/issues/cybercrime/

Dave
***********
Date: Wed, 17 May 2000 14:04:48 -0700
To: declan () well com
From: John Muller <johnmuller () earthlink net>
Subject: Re: FC: G8 nations bar public from debate, Europeans want 1-year records

Looks like the Europeans are ignoring the advice of the European Commission's own Working Party on Data Protection:

"In view of the above, the Working Party considers that the most effective means to reduce unacceptable risks to privacy while recognising the needs for effective law enforcement is that traffic data should in principle not be kept only for law enforcement purposes and that national laws should not oblige telecommunications operators, telecommunications service and Internet Service providers to keep traffic data for a period of time longer than necessary for billing purposes."

http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp25en.htm
**********
Internet Alliance CyberBrief; 26 May 2000

****************Internet Alliance News*********************

Yesterday, Jeff Richards, Executive Director at the Internet Alliance, testified at a Senate Judiciary Committee hearing titled 'Internet Security and Privacy.' The hearing was in the context of S. 2448, an omnibus security and privacy bill recently proposed by Chairman Hatch and Senator Schumer. The IA's message can be summarized in a paragraph taken from Richards' testimony:

...Coming as I did from last week's G8 meeting during which we released the Internet Alliance White Paper entitled "An International Policy Framework for Internet Law Enforcement and Security," I saw again that -- at least among the G8 members -- there was a clear belief that law enforcement and security issues are in fact shaping the consumer Internet marketplace more than any other. My message today is that, with this Committee, the Internet Alliance agrees that law enforcement and security issues are central to achieving consumer confidence and trust. At the same time, we are not enthusiastic about and do not today support proposals to legislate privacy. For reasons that we will touch on later, privacy legislation invites unintended consequences, increases tensions over jurisdiction, and distracts us all from the critical point of agreement - effective enforcement of current law.

To read the entire testimony, please visit the Internet Alliance web site, at www.internetalliance.org/policy/000525_testimony.html <http://www.internetalliance.org/policy/000525_testimony.html>.
***********

Lambda Bulletin 6.03
May 24, 2000
lambda.eu.org
Jerome Thorel, Paris

++++++++++++++++++

Contents:

+ MAJOR LESSONS FROM THE G8 CONFERENCE
+ UK DELEGATES OPEN THEIR MINDS
+ FRENCH STATS POOR TO ASSESS CYBERCRIME THREAT
+ SAME TREND IN THE NETHERLANDS, the UK and the US
+ CONTROVERSIAL SUGGESTIONS: COUNCIL OF EUROPE'S CONVENTION ON CYBER-CRIME

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Paris, 05.24.2000 -- During a 3-day conference here one week ago, the major industrialised nations were not in a position to assess with accuracy the reality of high-tech crime; they preferred to meet IT industry representatives for a diplomatic forum on internet security. Each country was represented by around 15 officials from security forces and the administration, along with 15 industry delegates from the computer, security and telecom sectors, plus a dozen multinational officials.

The legal systems should be harmonized, officials said. The 41-nation Council of Europe released a draft last April to build an international treaty. The draft would expand surveillance and limit encryption and anonymity, ban common security tools, and impose liability on Internet Service Providers.

Privacy issues were not on the agenda. But this was a matter of concern for Vladislav Selivanov, the Russian delegate from the Interior Ministry. He made a quite honest statement: "When you enter a Church, you leave your hat, not your head." He meant too many hurdles remain for cops to fight cybercrime because of "the question of privacy", he said during the public press briefing, according to the real-time translation of his Russian statement. "A lot of colleagues I met here said they have limited investigative powers because of privacy rules. I'm not against protecting privacy, but we should be aware it won't protect criminals."

Selivanov remained in closed-door meetings during the conference.
Other delegates were authorized to break the silence, giving reporters informal press briefings. A French official told the Lambda that Mr Selivanov spoke a "fluent and smart English". But he refused to express himself in another language than Russian.

+ Common Press Release by G8 Countries (in French): http://www.diplomatie.fr/actual/evenements/cybercrim/grlyon.html

+++++++++++++++++++++++++++++++++++++++

MAJOR LESSONS FROM THE G8 CONFERENCE

From Securityfocus, May 17, 2000:

"...The G8 countries ... emphasized the importance of creating "an environment that fosters the growth of electronic commerce by balancing economic, privacy, human rights, social and other concerns with the need to maintain public safety and confidence in cyberspace," reads a slim two-page public statement issued at 1:00 p.m. on Wednesday. "The ability to locate and identify Internet criminals... is critical to deterring, investigating and prosecuting crime that has an electronic component."

But this supposed consensus was not reflected in interviews with the industry and government delegates who occasionally broke with the closed-door arrangement of the conference.

One particularly controversial idea discussed at the conference would be to oblige ISPs to store day-to-day IP log data for a still undefined period (from 15 to 90 days). The 41-nation Council of Europe's draft treaty on cybercrime proposes the figure of 40 days.

John Finnell, the British government's delegate in the G8 high-tech subgroup on criminal activities expressed support for such an action, saying "forty days would be a sufficient period of time," and the European association of ISPs EuroISPA supports a 3 month period.

But other delegates disagreed. "A totally ridiculous idea," said Austin Hill, president of Canadian cryptography firm Zero Knowledge, and an industry delegate to the conference. "This goes against one of the principles of democratic state, the presumption of innocence," he added.
According to Intel Corp representative David Aucsmith, who spoke at the conference on behalf of U.S. industry, the proposed mandatory scheme "is a dangerous thing at this time," he told SecurityFocus.com in an interview Tuesday. ...

The Council of Europe treaty (see the end of this bulletin) will not be finalized until the end of this year, and it may take several more years for various countries to adopt it in their national laws.

The US was "very active in drafting this text," said Peter Csonka, head of the Council of Europe's criminal division. Department of Justice representative James K. Robinson confirmed the U.S. collaboration, but added that the draft treaty "was not the aim of this conference," and declined to elaborate on the U.S. role.

This slowness of the international process should be a great concern in the future, Robinson said during an informal interview with international reporters on Tuesday. "Speed is the rule of the game in high-tech crime."

Controversy also remains over exactly how the public and private sector should work together. Europe's "co-regulation" approach collides with the "self-regulation" idea supported by major firms. The G8 statement issued on Wednesday does nothing to resolve that tension. A conclusion paper will be released in Japan next July for the G8 summit in Okinawa.

The only measure currently under way is a network of "contact points" already in place among G8 high-tech crime police officers and seven other nations, including Scandinavia and Brazil. The Interpol organization should also play a role, said Toshinori Kanemoto, president of the 178-nation law enforcement organization. But the ability of old-style Interpol to fight new high-tech menace was questioned by some security experts. ..."
+ "Thin Consensus veils Conflict at G8" http://www.securityfocus.com/news/37
+ Convention on cybercrime, Draft http://conventions.coe.int/treaty/en/projets/cybercrime.htm
+ Privacy International special page: http://www.privacyinternational.org/issues/cybercrime/

-----------------------------

UK DELEGATES OPEN THEIR MINDS

The British government's delegation from the Home Office decided to organize an informal press briefing on Tuesday, May 16th. This was the first public delegation to break with the closed-door principle of the conference.

The officials were:

Lorna HARRIS, head of the UK delegation, from the Judicial Cooperation unit of the Home Office;
John FINNELL, UK contact inside the "high-tech" working group of the 'organised crime unit' of the G8 (he was also presented as the UK official who helped the CoE convention draft);
Kevin AKERMAN, assistant officer for computer crime, coordinator of the Internet Crime Forum.

(From written notes)

First LH expressed her opinion about this conference: "This is more than a diplomatic effort. Even if it's a first step: talking to each other [public and private people], cooperation is essential [for this matter]".

About the prospect of 'what should the states do regarding computer security', regarding the iloveyou virus and so on, she said: "We don't need to reinvent the wheel, the G8 already have a "24/7" network of 'contact points' for assistance". She insisted that right now 15 countries are in this network. She added, "Each police forces in the UK have a dedicated person or contact point to deal with [high-tech crime alerts]". She insisted that Interpol, with their 178-nations network of alert, should be the natural body for coordination among police forces in the world.

Asked if the G8 was a good choice to tackle worldwide cybercrime, JF said "G8 countries are first concerned, and they have the [power] to influence other countries".
Regarding the CoE Convention, LH: "We are very supportive of the CoE draft convention." JF added: "This document was to be held confidential, but we thought it should be published. (...) For certain specific topics, we are very open to comments". JF insisted that the Convention "is open to other countries to sign out", including non-CoE G8 states of course (Japan, Canada, USA were consulted for this draft), but also others in less developed ones, in order to avoid, as French Interior Minister said, "cyber or internet havens" for criminals.

The CoE convention says that countries should oblige ISPs to store log connexions up to 40 days (some police forces want 3 months). 40 days or 3 months? JF: "this point is still open to discussion. ... 40 days is a sufficient period [for the Home Office]".

Who will pay? KA: "at the moment the ISP is paying" this data storage cost. But "an active dialogue is under way [with ISPs], we could imagine some 'cost recovery'" schemes, he said. "But it should not be used to make a profit..." he added with a smile.

++

Asked about the prospect of the controversial RIP Bill, JF said the CoE convention is not tackling right now the question of interceptions "still under discussion, it's a very sensitive issue". LH: "The RIP Bill is an effort to adapt our old policy [communication act] because today we cannot make an interception [after a, under a ...] foreign request". She added the UK needs a "real time response" regarding interception capabilities, and that today only telephone calls are concerned in the actual Act.

About the reality of the "new menace" and the so-called "cyberterrorism threat", regarding the fact that neither the last DoS attacks, nor the iloveyou virus were reportedly created by "organised crime groups", the Lambda asked if all this fuss was not too exaggerated... KA said, "If you [the police] don't assume criminals could use this technology, [the risk is] you will be poorly prepared".
+ See also new details about the Rip Bill in this bulletin.

------------------------------------

FRENCH STATS POOR TO ASSESS CYBERCRIME THREAT

The Police Judiciaire released last April its official figures related to IT-based criminal activities and internet fraud. According to the wording of the French police, cybercrime has nothing to do with professional thieves, more with geek vandalism -- "amateurism" as they put it. And on the internet, the so-called "new menace" disappears: 93% of offenses are related to credit card frauds.

+ Short abstract: "A study of the available information shows that, in general, the perpetrators of the offences are far from being trained computer specialists. In most cases they are "mere amateurs", a phenomenon that can be explained by the popularisation of knowledge about microcomputing and by the growing number of Internet users (more than 6 % of French households being connected to the Internet, which facilitates the spread of hacking methods and programs)."

+ IT-related offenses in 1999: 1300. Call card frauds = 753 (54%), mobile phone frauds = 379 (28%), intrusion on computer systems = 122 (9%), Counterfeiting = 105 (8%), privacy = 7 (1%).

+ Nb of frauds ("delinquency") related to online services: Credit cards = offenses (93%), other frauds = 64 (3%), child abuse = 39 (2%), defamation, libel, racial threat = 60 (2%)."

+ Complete Document (in French): http://lambda.eu.org/6xx/dcpj99.html

--------------------------

SAME TREND IN THE NETHERLANDS, the UK and the US

IN THE NEDS

+ From "Digital Detectives in Holland", Jelle van Buuren, Telepolis 10.04.2000.

"... For some time now, the fight against cybercrime is a hot item on the political agenda all over the world. In the Netherlands, law enforcement agencies have also made the virtual world their hunting ground. New legislation gives the police the power to intercept the Internet and conduct investigations on the Internet.
To avoid problems with encrypted communications, the police is allowed to place bugs on the keyboard of suspects. A report from the low lands.

"In August 2000, Dutch Internet service providers are legally obliged to make their installations interceptible for the law enforcement agencies. (...)"

The reality of cybercrime seems also difficult to evaluate:

"One thing however still seems to be very unclear: how real is the threat of cyber crime and the use of cryptography? Many wild stories circulate, but there's little proof. A recent study of a police consultancy (Bureau In pact), shows that there's little problem with the use of cryptography, for instance."

+ Telepolis: http://www.heise.de/tp/english/special/enfo/6727/1.html

IN THE UK

The British controversial RIP Bill has been under attack by cyberrights groups for a long time. Recently, the Home Office was advised by a private consultancy to assess how ISPs should modify their systems in order to be ready for "lawful access" of private communications. This would be part of the GTAC (Government Technical Assistance Centre), a body that will "help law enforcement bodies decrypt voice, text or data".

+ Critics from the Foundation for Information Policy Research http://www.fipr.org/rip/PRsmithreport.htm
+ Sunday Times article (April 30) http://www.sunday-times.co.uk/news/pages/sti/2000/04/30/stinwenws01034.html
+ IT Week article (January 17, 2000) "Decryption centre mooted" http://www.zdnet.co.uk/news/2000/2/ns-12699.html

IN THE US

President Clinton last January announced a $2 bn budget for 2001 (+16% from 2000) to fight cyberterrorism.

From EPIC-Alert 7.02, Feb. 3, 2000:

"EPIC also released a government memo at the hearing, obtained under the Freedom of Information Act, which indicates that the U.S. Department of Justice is aware that the FIDNET proposal may violate U.S. law.
Other records obtained by EPIC show that the government will use credit card records and telephone toll records as part of its intrusion detection system. John Tritak, Director of the Critical Infrastructure Assurance Office, was unable to answer questions put to him by the committee members regarding what type of personal information would be collected by FIDNET.

"Rotenberg charged that backers of the security plan were 'trying to apply twentieth century notions of national defense to twenty-first century problems of communications security.'..."

+ Epic-Alert 7.02 http://www.epic.org/alert/EPIC_Alert_7.02.html
+ EPIC special report http://www.epic.org/security/cip/
+ National Plan For Information Systems Protection (PDF): http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf

++++++++++++++++++++++++++++++++++++++++++++

CONTROVERSIAL SUGGESTIONS: COUNCIL OF EUROPE'S CONVENTION ON CYBER-CRIME

++++++++++++++++++++++++++++++++++++++++++++

Released on April 27, this project is aimed at attracting all major countries to harmonize their penal codes and judicial cooperation. It should also give new powers to law enforcement authorities that may be dangerous for privacy and the principle of presumption of innocence.
Some abstracts of the draft:

<<

Article 6 - Illegal Devices

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:

the production, sale, procurement for use, import, distribution or otherwise making available of:

a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 - 5;

a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;

the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 - 5. A party may require by law that a number of such items be possessed before criminal liability attaches.

.../...

Article 7 - Computer-related Forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic (11), regardless whether or not the data is directly readable and intelligible. A Party may require by law an intent to defraud, or similar dishonest intent, before criminal liability attaches.

.../...

Section 2 - Procedural law

Article 14 - Search and Seizure of Stored Computer Data

1.
Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

a computer system or part of it and computer data stored therein; or

a medium in which computer data may be stored

[in its territory or other place over which it exercises its sovereign powers] for the purposes of criminal investigations or proceedings.

.../...

4. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2 in view of their possible use in criminal investigations and proceedings. These measures shall include the power to:

a/ seize or similarly secure a computer system or part of it or a medium in which computer data may be stored;
b/ make and retain a copy of those computer data;
c/ maintain the integrity of the relevant stored computer data;
d/ render inaccessible or remove those computer data in the accessed computer system.

5. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order for the purposes of criminal investigations and proceedings any person who has knowledge about the functioning of the computer system or measures applied to secure the computer data therein to provide all necessary information, as is reasonable, to enable the undertaking of the measures referred to in paragraphs 1 and 4.

6. Where measures referred to in paragraphs 1 and 2 have been taken in respect of a computer system or part of it, or computer data stored therein, the person in charge of the computer system shall as soon as reasonably practicable be duly informed about the executed measures.

7. The powers and procedures referred to in the present Article shall be subject to conditions and safeguards as provided for under national law.

.../...

Article 15 - Production Order

1.
Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order a person in its territory or other place over which it exercises its sovereign powers to submit specified computer data under this person's control stored in a computer system or a medium (25) in which data may be stored in the form required by these authorities for the purposes of criminal investigations and proceedings.

2. The power referred to in paragraph 1 of the present Article shall be subject to conditions and safeguards as provided for under national law.

Article 16 - Expedited preservation of data stored in a computer system

1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or otherwise obtain, for the purpose of criminal investigations or proceedings, the expeditious preservation of data that is stored by means of a computer system, at least where there are grounds to believe that the data is subject to a short period of retention or is otherwise particularly vulnerable to loss or modification.

.../...

3. Each Party shall adopt such legislative or other measures as may be necessary to oblige a person to whom the procedures of preservation referred to in this Article are directed, to keep confidential the undertaking of such procedures for a period of time as permitted by national law.

4. The powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.

Article 17 - Expedited preservation and disclosure of traffic data

1.
Each Party shall, with respect to undertaking the procedures referred to under article 16 in respect of the preservation of traffic data concerning a specific communication, adopt such legislative or other measures as may be necessary to:

ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication; and

ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted.

.../...

+ Complete draft here: http://conventions.coe.int/treaty/en/projets/cybercrime.htm

The lambda bulletin 05.24.2000
lambda.eu.org
J. Thorel

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------