Sovereignty and Cybercrime

I spent the early part of this week at the London Conference on Cyberspace, organised by the UK Foreign Office.

Besides feel-good sessions on how wonderful the Internet can be for social engagement and economic growth, the two themes that had really drawn the participants were cybercrime and cyberwar (the latter being rebranded as ‘cyber security’ to avoid frightening the horses).

There was predictably little progress on the latter topic to be seen in public — Russia wants to strengthen national borders in cyberspace (and Evgeny Kaspersky spoke approvingly of strong online identity) and China’s position is similar (albeit their main intervention from the floor was an offer to investigate hacking attacks that came from their country).

Cybercrime was more straightforwardly condemned (which would not have surprised Calvin Coolidge) but the same fault-lines showed up in this topic as well.

In particular the 2001 Convention on Cybercrime (now often called the Budapest Convention) is endorsed by Europe and the US, but is unacceptable to others (notably Russia and China). Competing legal regimes are the Commonweath Cybercrime Initiative with its Model Law and the ITU (and now UN) Global Cybersecurity Agenda (they address Cybercrime, not Cyberwar) with its toolkit for legislation.

An important sticking point for many countries with the Budapest regime, is Article 32B, which says:

A Party may, without the authorisation of another Party [..] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

The problem for cybercrime investigators is that the data they need to progress their investigation is often held in another country. Accessing the data via a Mutual Legal Assistance Treaty (MLAT) can take months (at the London Conference, Scott Charney said that he’d once got the data five years after it was asked for), but having foreign law enforcement officers tramp around “your territory” is generally seen as an infringement of sovereignty.

For the last decade or so, the practical fix for email records has been a two stage process. The service provider (usually in the US) is asked for the relevant data (for example the IP addresses used to operate the account) and this is provided within a few hours on an “intelligence” basis. If the data will be needed for a trial then a formal application is made under the MLAT process and with a following wind (and the usual delay of most of a year before the case is listed) the data will arrive in time to be disclosed to the defence and used as “evidence” in the courtroom. This all falls under the voluntary consent scheme envisaged in 32B.

It gets a bit more complex with a search warrant. Imagine an investigation where a company in Cambridge has been served and a sysadmin is accessing centrally stored files to an officer up from the Met who is investigating a complex fraud. If the sysadmin stays silent then there is no problem. If she volunteers the information that the downloading of the files is slow because the server is miles away in Manchester then all is fine because the London issued warrant is good throughout England. If the sysadmin explains that this is Manchester, New Hampshire then the Met officer must immediately call a halt to the download (to avoid a diplomatic incident) and use MLAT to ask the US authorities to obtain the data for her.

If the data was stored “in the cloud” it would be even more complicated. It might take some time to establish which country (or countries) that the data was stored in, so an MLAT approach might not even be possible.

In the “cloud” session on Wednesday morning, Baroness Neville-Jones (recently the Security Minister), suggested that the Government might consider how they could regulate to discourage the use of clouds where data was stored in countries without MLAT arrangements with the UK!

My own view is that we need to completely rework the MLAT arrangements and extend 32B to permit compelled access across borders (ie not just voluntary regimes) provided that the data was lawfully available before the compulsion occurred — ie: the sysadmin can be compelled to download the files from the cloud, but the regime would not permit law enforcement to ‘hack’ into systems on foreign territory.

Now of course those countries that already reject 32B are not going to sign up for this extended version, but it does not seem that much of a stretch for this limited extension to the existing voluntary regime. Unfortunately, the Baroness told me, the UK is one of the countries which is ultra-sensitive — hence we have the European Investigation Order (whereby UK police act on behalf of foreign forces) rather than allowing foreign officers to operate on our soil. However, if we’re serious about tackling cybercrime then we’re going to have to be rather less sensitive — the criminals don’t stop at borders and so any small steps we can take to remove barriers for the police will be well worth tackling.

4 thoughts on “Sovereignty and Cybercrime

  1. Dear Richard,

    as a court expert with some experience about CERTs/CSIRTs I would prefer a cooperation among the countries and in 1st place between the experts of the information systems…as they are faster than the historical offices and bureaucratic processes…

    time is one of the key elements for successful investigation, and CERTs may be the best contact points of the net in emergency cases.


  2. Dear Richard,

    Several UK universities have moved some of their mail services to “the cloud” (which actually means particular data centres owned by the service provider). In many cases, academic staff have raised concerns about the applicability of the USA’s so-called “PATRIOT” act. These members of staff are concerned that the USA government could demand access to university e-mail data. (As opposed to requesting that the UK government get the data and pass it to the USA). Are you advocating the same sort of arrangement, or is your suggestion something different?


  3. @Dave

    No I’m not suggesting that the US should have access to you and your colleagues’ data — but that (when properly authorised by the UK courts) that the UK police should.

Leave a Reply

Your email address will not be published. Required fields are marked *