Politech mailing list archives

FC: International update: Australia, Switzerland, G8 summit


From: Declan McCullagh <declan () well com>
Date: Fri, 26 May 2000 11:00:21 -0400

**********
http://www.wired.com/news/politics/0,1283,36587,00.html

   Aussies Go After Crime Site
   by Stewart Taggart

   3:00 a.m. May. 26, 2000 PDT
   SYDNEY, Australia -- The operator of a website specializing in
   criminal public records said he won't be bullied into closing it down
   after a murder trial was aborted because of material contained on the
   site.

   In Victoria Supreme Court on Wednesday, Justice George Hampel
   established what could be a legal precedent by aborting a murder
   retrial because jurors could learn details about the defendant's first
   trial through CrimeNet. [...]

   Jane Wilson, spokeswoman for Victorian Attorney General Hulls,
   remained unimpressed.

   "Anyone who publishes materials under certain circumstances about
   those on trial can be held in contempt," she said. "For instance,
   journalists operate under certain restraints. At risk here is the
   integrity of the entire justice system."

**********
Also see:
http://www.wired.com/news/print/0,1294,36345,00.html
11:00 a.m. May. 15, 2000 PDT
BERN, Switzerland -- Big telecommunications companies bridled at a proposal from Swiss police to make Internet service providers block access to sites with suspected criminal content once investigators tip off the ISPs... Under the proposed rules, Swiss service providers who put clients onto the Internet would have to block access to sites with illegal content once investigators notified them... Hosting services which provide storage on Web servers were to conduct at least spot checks. They would also be asked to cut off access to sites with illegal content.
**********

Date: Sat, 20 May 2000 07:18:14 -0400
To: declan () well com
From: David Banisar <banisar () bellatlantic net>
Subject: Re: FC: G8 update: Global Internet Project report, more news from
Paris

Declan,
FYI. We have put together a review of the G-8's and COE's work on cybercrime with all the relevant docs and press coverage.
http://www.privacyinternational.org/issues/cybercrime/
Dave

***********

Date: Wed, 17 May 2000 14:04:48 -0700
To: declan () well com
From: John Muller <johnmuller () earthlink net>
Subject: Re: FC: G8 nations bar public from debate, Europeans want
  1-year  records

Looks like the Europeans are ignoring the advice of the European
Commission's own Working Party on Data Protection:

"In view of the above, the Working Party considers that the most effective
means to reduce unacceptable risks to privacy while recognising the needs
for effective law enforcement is that traffic data should in principle not
be kept only for law enforcement purposes and that national laws should not
oblige telecommunications operators, telecommunications service and
Internet Service providers to keep traffic data for a period of time longer
than necessary for billing purposes."

http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp25en.htm

**********

Internet Alliance CyberBrief; 26 May 2000
****************Internet Alliance News*********************
Yesterday, Jeff Richards, Executive Director at the Internet Alliance,
testified at a Senate Judiciary Committee hearing titled 'Internet Security
and Privacy.' The hearing was in the context of S. 2448, an omnibus
security and privacy bill recently proposed by Chairman Hatch and Senator
Schumer. The IA's message can be summarized in a paragraph taken from
Richards' testimony:
...Coming as I did from last week's G8 meeting during which we
released the Internet Alliance White Paper entitled "An International Policy
Framework for Internet Law Enforcement and Security," I saw again that -- at
least among the G8 members -- there was a clear belief that law enforcement
and security issues are in fact shaping the consumer Internet marketplace
more than any other. My message today is that, with this Committee, the
Internet Alliance agrees that law enforcement and security issues are
central to achieving consumer confidence and trust. At the same time, we
are not enthusiastic about and do not today support proposals to legislate
privacy. For reasons that we will touch on later, privacy legislation
invites unintended consequences, increases tensions over jurisdiction, and
distracts us all from the critical point of agreement - effective
enforcement of current law.
To read the entire testimony, please visit the Internet Alliance web site
at http://www.internetalliance.org/policy/000525_testimony.html.

***********

Lambda Bulletin 6.03
May 24, 2000
lambda.eu.org
Jerome Thorel, Paris
++++++++++++++++++

Contents:
+ MAJOR LESSONS FROM THE G8 CONFERENCE
+ UK DELEGATES OPEN THEIR MINDS
+ FRENCH STATS POOR TO ASSESS CYBERCRIME THREAT
+ SAME TREND IN THE NETHERLANDS, the UK and the US
+ CONTROVERSIAL SUGGESTIONS: COUNCIL OF EUROPE'S
CONVENTION ON CYBER-CRIME
++++++++++++++++++++++++++++++++++++++++++++++++++++++


Paris, 05.24.2000 -- During a 3-day conference here one week ago, the major
industrialised nations were not in a position to assess with accuracy the
reality of high-tech crime; they preferred to meet IT industry
representatives for a diplomatic forum of internet security.

Each country was represented with around 15 officials from security forces
and the administration, along with 15 industry delegates from the computer,
security and telecom sectors, plus a dozen multinational officials.

The legal systems should be harmonized, officials said. The 41-nation
Council of Europe released a draft last April to build an international
treaty. The draft would expand surveillance and limit encryption and
anonymity, ban common security tools, and impose liability on Internet
Service Providers.

Privacy issues were not on the agenda. But this was a matter of concern for
Vladislav Selivanov, the Russian delegate from the Interior Ministry. He
made a quite honest statement: "When you enter a Church, you leave your
hat, not your head." He meant too many hurdles remain for cops to fight
cybercrime because of "the question of privacy", he said during the public
press briefing, according to the real-time translation of his Russian
statement. "A lot of colleagues I met here said they have limited
investigative powers because of privacy rules. I'm not against protecting
privacy, but we should be aware it won't protect criminals."

Selivanov remained in closed-door meetings during the conference. Other
delegates were authorized to break the silence, giving reporters informal
press briefings. A French official told the Lambda that Mr Selivanov spoke
a "fluent and smart English". But he refused to express himself in another
language than Russian.

+ Common Press Release by G8 Countries (in French):
http://www.diplomatie.fr/actual/evenements/cybercrim/grlyon.html

+++++++++++++++++++++++++++++++++++++++

MAJOR LESSONS FROM THE G8 CONFERENCE

From Securityfocus, May 17, 2000:

        "...The G8 countries ... emphasized the importance of creating "an
environment that fosters the growth of electronic commerce by balancing
economic, privacy, human rights, social and other concerns with the need to
maintain public safety and confidence in cyberspace," reads a slim two-page
public statement issued at 1:00 p.m. on Wednesday. "The ability to locate
and identify Internet criminals... is critical to deterring, investigating
and prosecuting crime that has an electronic component."

But this supposed consensus was not reflected in interviews with the
industry and government delegates who occasionally broke with the
closed-door arrangement of the conference. One particularly controversial
idea discussed at the conference would be to oblige ISPs to store
day-to-day IP log data for a still undefined period (from 15 to 90 days).
The 41-nation Council of Europe's draft treaty on cybercrime proposes the
figure of 40 days. John Finnell, the British government's delegate in the
G8 high-tech subgroup on criminal activities expressed support for such an
action, saying "forty days would be a sufficient period of time," and the
European association of ISPs EuroISPA supports a 3 month period. But other
delegates disagreed. "A totally ridiculous idea," said Austin Hill,
president of Canadian cryptography firm Zero Knowledge, and an industry
delegate to the conference. "This goes against one of the principles of
democratic state, the presumption of innocence," he added.

According to Intel Corp representative David Aucsmith, who spoke at the
conference on behalf of U.S. industry, the proposed mandatory scheme "is a
dangerous thing at this time," he told SecurityFocus.com in an interview
Tuesday. ...

The Council of Europe treaty (see the end of this bulletin) will not be
finalized until the end of this year, and it may take several more years
for various countries to adopt it in their national laws. The US was "very
active in drafting this text," said Peter Csonka, head of the Council of
Europe's criminal division. Department of Justice representative James K.
Robinson confirmed the U.S. collaboration, but added that the draft treaty
"was not the aim of this conference," and declined to elaborate on the
U.S. role.

This slowness of the international process should be a great concern in the
future, Robinson said during an informal interview with international
reporters on Tuesday. "Speed is the rule of the game in high-tech crime."

Controversy also remains over exactly how the public and private sector
should work together. Europe's "co-regulation" approach collides with the
"self-regulation" idea supported by major firms. The G8 statement issued on
Wednesday does nothing to resolve that tension.

A conclusion paper will be released in Japan next July for the G8 summit in
Okinawa.

The only measure currently under way is a network of "contact points"
already in place among G8 high-tech crime police officers and seven other
nations, including Scandinavia and Brazil. The Interpol organization should
also play a role, said Toshinori Kanemoto, president of the 178-nation law
enforcement organization. But the ability of old-style Interpol to fight
new high-tech menace was questioned by some security experts. ..."

+ "Thin Consensus veils Conflict at G8"
http://www.securityfocus.com/news/37
+ Convention on cybercrime, Draft
http://conventions.coe.int/treaty/en/projets/cybercrime.htm
+ Privacy International special page:
http://www.privacyinternational.org/issues/cybercrime/

-----------------------------

UK DELEGATES OPEN THEIR MINDS

The British government's delegation from the Home Office decided to
organize an informal press briefing on Tuesday, May 16th. This was the
first public delegation to break with the closed-door principle of the
conference.

The officials were: Lorna HARRIS, head of the UK delegation, from the
Judicial Cooperation unit of the Home Office; John FINNELL, UK contact
inside the "high-tech" working group of the 'organised crime unit' of the
G8 (he was also presented as the UK official who helped the CoE convention
draft); Kevin AKERMAN, assistant officer for computer crime, coordinator of
the Internet Crime Forum.

(From written notes)

First LH expressed her opinion about this conference: "This is more than a
diplomatic effort. Even if it's a first step: talking to each other [public
and private people], cooperation is essential [for this matter]".

About the prospect of 'what should the states do regarding computer
security', regarding the iloveyou virus and so on, she said: "We don't
need to reinvent the wheel, the G8 already have a "24/7" network of
'contact points' for assistance". She insisted that right now 15 countries
are in this network. She added, "Each police force in the UK has a
dedicated person or contact point to deal with [high-tech crime alerts]".

She insisted that Interpol, with their 178-nation alert network, should
be the natural body for coordination among police forces in the world.

Asked if the G8 was a good choice to tackle worldwide cybercrime, JF said
"G8 countries are first concerned, and they have the [power] to influence
other countries".

Regarding the CoE Convention, LH: "We are very supportive of the CoE draft
convention." JF added: "This document was to be held confidential, but we
thought it should be published. (...) For certain specific topics, we are
very open to comments".

JF insisted that the Convention "is open to other countries to sign out",
including non-CoE G8 states of course (Japan, Canada, USA were consulted
for this draft), but also other, less developed ones, in order to avoid,
as the French Interior Minister said, "cyber or internet havens" for
criminals.

The CoE convention says that countries should oblige ISPs to store log
connexions up to 40 days (some police forces want 3 months). 40 days or 3
months? JF: "this point is still open to discussion. ... 40 days is a
sufficient period [for the Home Office]".

Who will pay? KA: "at the moment the ISP is paying" this data storage
cost. But "an active dialogue is under way [with ISPs], we could imagine
some 'cost recovery'" schemes, he said. "But it should not be used to make a
profit..." he added with a smile.

++ Asked about the prospect of the controversial RIP Bill, JF said the
CoE convention is not tackling right now the question of interceptions
"still under discussion, it's a very sensitive issue". LH: "The RIP Bill
is an effort to adapt our old policy [communication act] because today we
cannot make an interception [after a, under a ...] foreign request". She
added the UK needs a "real time response" regarding interception
capabilities, and that today only telephone calls are concerned in the
actual Act.

About the reality of the "new menace" and the so-called "cyberterrorism
threat", regarding the fact that neither the last DoS attacks, nor the
iloveyou virus were reportedly created by "organised crime groups", the
Lambda asked if all this fuss was not too exaggerated... KA said, "If you
[the police] don't assume criminals could use this technology, [the risk
is] you will be poorly prepared".

+ See also new details about the RIP Bill in this bulletin.

------------------------------------

FRENCH STATS POOR TO ASSESS CYBERCRIME THREAT

The Police Judiciaire released last April its official figures related to
IT-based criminal activities and internet fraud. According to the wording
of the French police, cybercrime has nothing to do with professional
thieves, more with geek vandalism -- "amateurism" as they put it. And on
the internet, the so-called "new menace" disappears: 93% of offenses are
related to credit card frauds.

+ Short abstract: "The study of the available information shows that, in
general, the perpetrators of the offenses are not, far from it, trained
computer specialists. In most cases they are "simple amateurs", a
phenomenon that may be explained by the popularization of knowledge about
microcomputing and by the growing number of Internet users (more than 6%
of French households being connected to the Internet, which facilitates
the spread of hacking methods and programs)."

+ IT-related offenses in 1999: 1300. Call card frauds = 753 (54%), mobile
phone frauds = 379 (28%), intrusion on computer systems = 122 (9%),
counterfeiting = 105 (8%), privacy = 7 (1%).
+ Number of frauds ("delinquency") related to online services: Credit
cards = offenses (93%), other frauds = 64 (3%), child abuse = 39 (2%),
defamation, libel, racial threat = 60 (2%).

+ Complete Document (in French):
http://lambda.eu.org/6xx/dcpj99.html

--------------------------
SAME TREND IN THE NETHERLANDS, the UK and the US

IN THE NEDS

+ From "Digital Detectives in Holland", Jelle van Buuren, Telepolis
10.04.2000.

        "... For some time now, the fight against cybercrime is a hot item
on the political agenda all over the world. In the Netherlands, law
enforcement agencies have also made the virtual world their hunting ground.
New legislation gives the police the power to intercept the Internet and
conduct investigations on the Internet. To avoid problems with encrypted
communications, the police is allowed to place bugs on the keyboard of
suspects. A report from the low lands.

"In August 2000, Dutch Internet service providers are legally obliged to
make their installations interceptible for the law enforcement agencies.
(...)"

The reality of cybercrime seems also difficult to evaluate:

        "One thing however still seems to be very unclear: how real is the
threat of cyber crime and the use of cryptography? Many wild stories
circulate, but there's little proof. A recent study of a police consultancy
(Bureau In pact), shows that there's little problem with the use of
cryptography, for instance."

+ Telepolis:
http://www.heise.de/tp/english/special/enfo/6727/1.html


IN THE UK
The British controversial RIP Bill has been under attack by cyberrights
groups for a long time. Recently, the Home Office was advised by a private
consultancy to assess how ISPs should modify their systems in order to be
ready for "lawful access" of private communications. This would be part of
the Government Technical Assistance Centre (GTAC), a body that will "help
law enforcement bodies decrypt voice, text or data".
+ Critics from the Foundation for Information
Policy Research
http://www.fipr.org/rip/PRsmithreport.htm
+ Sunday Times article (April 30)
http://www.sunday-times.co.uk/news/pages/sti/2000/04/30/stinwenws01034.html
+ IT Week article (January 17, 2000) "Decryption
centre mooted"
http://www.zdnet.co.uk/news/2000/2/ns-12699.html

IN THE US

President Clinton last January announced a $2 bn
budget for 2001 (+16% from 2000) to fight
cyberterrorism.

From EPIC-Alert 7.02, Feb. 3, 2000:

        "EPIC also released a government memo at the hearing, obtained
under the Freedom of Information Act, which indicates that the U.S.
Department of Justice is aware that the FIDNET proposal may violate U.S.
law. Other records obtained by EPIC show that the government will use
credit card records and telephone toll records as part of its intrusion
detection system. John Tritak, Director of the Critical Infrastructure
Assurance Office, was unable to answer questions put to him by the
committee members regarding what type of personal information would be
collected by FIDNET.

"Rotenberg charged that backers of the security plan were 'trying to apply
twentieth century notions of national defense to twenty-first century
problems of communications security.'..."

+ Epic-Alert 7.02
http://www.epic.org/alert/EPIC_Alert_7.02.html
+ EPIC special report
http://www.epic.org/security/cip/
+ National Plan For Information Systems
Protection (PDF):
http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf


++++++++++++++++++++++++++++++++++++++++++++
CONTROVERSIAL SUGGESTIONS:
COUNCIL OF EUROPE'S CONVENTION ON CYBER-CRIME
++++++++++++++++++++++++++++++++++++++++++++

Released on April 27, this project is aimed at attracting all major
countries to harmonize their penal codes and judicial cooperation. It would
also give new powers to law enforcement authorities that may be dangerous
for privacy and the principle of presumption of innocence.
Some abstracts of the draft:

<< Article 6 - Illegal Devices
Each Party shall adopt such legislative and other
measures as may be necessary to establish as
criminal offences under its domestic law when
committed intentionally and without right:
the production, sale, procurement for use,
import, distribution or otherwise making
available of:
a device, including a computer program, designed
or adapted [specifically] [primarily]
[particularly] for the purpose of committing any
of the offences established in accordance with
Article 2 - 5;
a computer password, access code, or similar data
by which the whole or any part of a computer
system is capable of being accessed with intent
that it be used for the purpose of committing the
offences established in Articles 2 - 5;
the possession of an item referred to in
paragraphs (a)(1) and (2) above, with intent that
it be used for the purpose of committing the
offenses established in Articles 2 - 5. A party
may require by law that a number of such items be
possessed before criminal liability attaches.
.../...
Article 7 - Computer-related Forgery
Each Party shall adopt such legislative and other
measures as may be necessary to establish as
criminal offences under its domestic law when
committed intentionally and without right the
input, alteration, deletion, or suppression of
computer data, resulting in inauthentic data with
the intent that it be considered or acted upon
for legal purposes as if it were authentic (11),
regardless whether or not the data is directly
readable and intelligible. A Party may require by
law an intent to defraud, or similar dishonest
intent, before criminal liability attaches.
.../...
Section 2 - Procedural law
Article 14 - Search and Seizure of Stored
Computer Data
1. Each Party shall take such legislative and
other measures as may be necessary to empower its
competent authorities to search or similarly
access:
a computer system or part of it and computer data
stored therein; or
a medium in which computer data may be stored
[in its territory or other place over which it
exercises its sovereign powers] for the purposes
of criminal investigations or proceedings.
.../...
4. Each Party shall take such legislative and
other measures as may be necessary to empower its
competent authorities to seize or similarly
secure computer data accessed according to
paragraphs 1 or 2 in view of their possible use
in criminal investigations and proceedings. These
measures shall include the power to :
a/ seize or similarly secure a computer system or
part of it or a medium in which computer data may
be stored;
b/ make and retain a copy of those computer data;

c/ maintain the integrity of the relevant stored
computer data;
d/ render inaccessible or remove those computer
data in the accessed computer system.
5. Each Party shall take such legislative and
other measures as may be necessary to empower its
competent authorities to order for the purposes
of criminal investigations and proceedings any
person who has knowledge about the functioning of
the computer system or measures applied to secure
the computer data therein to provide all
necessary information, as is reasonable, to
enable the undertaking of the measures referred
to in paragraphs 1 and 4.
6. Where measures referred to in paragraphs 1 and
2 have been taken in respect of a computer system
or part of it, or computer data stored therein,
the person in charge of the computer system shall
as soon as reasonably practicable be duly
informed about the executed measures.
7. The powers and procedures referred to in the
present Article shall be subject to conditions
and safeguards as provided for under national
law.
.../...
Article 15 - Production Order
1. Each Party shall take such legislative and
other measures as may be necessary to empower its
competent authorities to order a person in its
territory or other place over which it exercises
its sovereign powers to submit specified computer
data under this person's control stored in a
computer system or a medium (25) in which data
may be stored in the form required by these
authorities for the purposes of criminal
investigations and proceedings.
2. The power referred to in paragraph 1 of the
present Article shall be subject to conditions
and safeguards as provided for under national
law.
Article 16 - Expedited preservation of data
stored in a computer system
1. Each Party shall adopt such legislative and
other measures as may be necessary to enable its
competent authorities to order or otherwise
obtain, for the purpose of criminal
investigations or proceedings, the expeditious
preservation of data that is stored by means of a
computer system, at least where there are grounds
to believe that the data is subject to a short
period of retention or is otherwise particularly
vulnerable to loss or modification.
.../...
3. Each Party shall adopt such legislative or
other measures as may be necessary to oblige a
person to whom the procedures of preservation
referred to in this Article are directed, to keep
confidential the undertaking of such procedures
for a period of time as permitted by national
law.
4. The powers and procedures referred to in the
present article shall be subject to conditions
and safeguards as provided for under national
law.
Article 17 - Expedited preservation and
disclosure of traffic data
1. Each Party shall, with respect to undertaking
the procedures referred to under article 16 in
respect of the preservation of traffic data
concerning a specific communication, adopt such
legislative or other measures as may be necessary
to:
ensure the expeditious preservation of that
traffic data, regardless whether one or more
service providers were involved in the
transmission of that communication; and
ensure the expeditious disclosure to the Party's
competent authority, or a person designated by
that authority, of a sufficient amount of traffic
data in order to identify the service providers
and the path through which the communication was
transmitted.

.../...
+ Complete draft here:
http://conventions.coe.int/treaty/en/projets/cybercrime.htm

The lambda bulletin
05.24.2000
lambda.eu.org
J. Thorel


--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------

