by Tim Mendham

A Legal Matter

Oct 07, 2004
Technology Industry

There is no question that international, or “crossborder” cybercrime is a rapidly growing – and potentially, enormously expensive – phenomenon. Damages in amounts that read like international phone numbers are readily bandied around, and most governments are working desperately towards understanding and dealing with the problem.

The questions that arise most often are: How do you get your hands on the culprits? Who has the right to prosecute? How cooperative are the legislatures and enforcement agencies of the various (often numerous) countries involved? And what do you need to know about gathering and managing evidence?

The following cases pretty well sum up the issues.

In 1994, Vladimir Levin, a Russian hacker operating out of St Petersburg, accessed the computers of Citibank’s central wire transfer department. He transferred funds from large corporate accounts to accounts that had been opened by accomplices in the US, Netherlands, Finland, Germany and Israel.

One of his victims, based in Argentina, notified the bank, and the receiving account in San Francisco was frozen. The accomplice who controlled that account was arrested, as was a second accomplice in Rotterdam who was trying to withdraw funds.

However, Levin himself could not be arrested, as Russian law precluded his extradition to the US. Surprisingly, therefore, Levin visited the UK, which does have such extradition laws. He was arrested and extradited to the US where he was convicted and imprisoned.

Not so successful was the case of the ILOVEYOU worm.

First detected in Hong Kong on May 4, 2000, it gradually spread westward to the rest of the world as that day dawned. In all, at least 45 million e-mail users were supposedly affected. Authorities quickly traced the alleged culprit, locating and interviewing a 23-year-old student in Manila, the Philippines, within four days (although some reports say a 27 and a 23-year-old couple were also involved).

But despite this early success, authorities could go no further. Criminal law in the Philippines at the time did not prohibit writing or releasing viruses, and the lack of “dual criminality” – the requirement that the conduct be an offence in both the requesting and the requested country before extradition is available – precluded extradition to the US.

According to cybercrime expert Prof Peter Grabosky of the Australian National University, had they been able to take him back to the US, “he would have been dealt with very severely”.

“The best charge that Philippine authorities could come up with was under the Access Devices Regulation Act,” adds Grabosky (who is also Deputy Secretary-General of the International Society of Criminology), “which made it a criminal offence to use a computer to obtain a credit card or other personal information for a fraudulent purpose. When it became apparent that this bore no relationship to the acts that the suspect was alleged to have committed, charges were dropped.”

Finding the offender is one thing; successfully bringing him or her to court and eventually punishing them is another matter entirely.

The Cybercrime Threat

The size of the cybercrime problem for Australia is yet to be determined. Grabosky, in an article on “The Global Dimension of Cybercrime” (Global Crime, 2004), asserts that “The global reach of digital technology means that transnational offending is becoming more common. The cross-national nature of much cybercrime poses significant problems for law enforcement and prosecuting authorities.”

The recent 2004 AusCERT survey reveals that organizations experienced more externally-sourced attacks (88 percent of respondents) than internally-sourced ones (36 percent), but how many of the external attacks originated overseas is not made clear. Viruses, worms and trojans, which commonly originate overseas, were the most common form of attack (88 percent of respondents) and accounted for 45 percent of total financial losses. More specifically targeted attacks were lower on the scale: denials of service (33 percent), system penetrations by outsiders (13 percent) and Web site defacements (7 percent).

An item in the Sunday Telegraph back in September 2000 reported that there are at least 20 readily identifiable unauthorized attempts to access Australia’s defence systems through firewalls each day. But again, there is no indication of where they come from.

Rod McKemmish, a director at KPMG and practice leader for its forensic technology team and coordinator of Asia/Pacific forensics, suggests that, as far as he knows, there are far fewer cases of criminal activity than more prosaic stuff-ups. “Most of those [criminal acts] are internal thefts, with only about two or three external cases in the last few years, all Australia to Australia,” he says.

Mike Phelan, director of the Australian High Tech Crime Centre, says the AHTCC “proactively investigates many instances of high-tech crimes which originate both overseas and in Australia”, with “a number of people before the courts charged with offences”, but feels it would be “inappropriate” to elaborate “due to ongoing operational activity”.

So is the threat of crossborder cybercrime a non-event in this country? Certainly we have fewer of the high-profile cases, but they do exist. Anyone who has suffered from inconvenience (at best) through damage, loss of data and financial loss from malicious virus writers would argue that we are just as vulnerable as anyone else.

The problem then is how to deal with it.

Find the Perpetrator

The rapid locating of the ILOVEYOU author aside, tracking down perpetrators is not always easy. While most attackers either innocently or arrogantly leave an evidence trail that may eventually lead to a location, that trail may be repeatedly rerouted through intermediate hosts, and the location may eventually turn out to be an Internet cafe.

Actual identification is further hampered by readily available encryption, steganography and anonymizing technology. And the ease of obtaining free e-mail addresses without supporting identification led one submission to the Parliamentary Joint Committee (PJC) inquiry into cybercrime to suggest doing away with free Internet accounts such as AOL and Hotmail, or instituting a 100-point identity check to open an account with an ISP.

Unless there is global agreement on such requirements, however, most of these suggestions will only affect specific nations, and even then impose a bureaucratic burden that might not be warranted.

Once you do locate a perpetrator, however, you then have to charge them and bring them to justice. In crossborder cases, this raises issues of international cooperation, correct procedure for computer forensics and the volatility of evidence, as well as Bills of Rights and the legality of investigations (see sections below). Sometimes, however, a little creativity can be brought to bear.

Vasily Gorshkov and Alexey Ivanov were two residents of Chelyabinsk, Russia, who between 1999 and 2000 exploited a vulnerability in Windows NT and launched a number of intrusions against ISPs, online banks and e-commerce sites in the United States and online bookmakers in the UK. They succeeded in stealing over 56,000 credit card numbers and other personal financial information, sought to extort money from the victims by threatening to publish customers’ data and damage companies’ computers, manipulated eBay auctions by using anonymous e-mail accounts to act as both seller and winning bidder in the same auction, and defrauded the online payments system PayPal by using cash generated from the stolen credit cards to pay for various products.

US authorities were, understandably, keen to get their hands on the culprits, but their Russian equivalents would not cooperate. In response, FBI agents executed an undercover operation.

Grabosky takes up the story: “Posing as representatives of a security firm called Invita, the agents made contact with Gorshkov and Ivanov in mid 2000, ostensibly to discuss employment opportunities in the United States. At the invitation of the agents, the two Russians demonstrated their hacking skills from Russia against a test network that had been established for the purpose. They were then invited to Seattle with the prospects of employment. The two flew to Seattle, all expenses paid, and were ‘interviewed’ about their computing skills. In the course of their presentation, Gorshkov accessed his computer system back in Russia. The interview took place in offices that were equipped with technologies that enabled the FBI to record their interviewees’ keystrokes. The two were then arrested and charged with a spate of offences including fraud, extortion, and unauthorized computer intrusions. FBI investigators downloaded additional incriminating evidence remotely from Gorshkov’s computer in Russia.”

Gorshkov was sentenced to three years’ jail in 2002 and ordered to pay about $US700,000 to the companies he had hacked. Ivanov was sent to the East Coast to face further charges and was eventually sentenced to four years’ jail in 2003.

In what could be seen as a case of legalistic retribution, an FBI agent involved in the sting operation was charged by the Russian counterintelligence service, the Federal Security Service, with computer hacking for obtaining unauthorized access to the pair’s computers in Russia.

As the last move indicates, the legality of the US’s actions in this case has been called into question, which further emphasizes the issues in crossborder cybercrime prosecution – finding the perpetrator is by no means the end of your problems.

Who Will Prosecute?

By its very nature, crossborder cybercrime involves a number of different countries – at least two, and in the cases of less discriminating attacks such as viruses it could be every country with an Internet connection. The question authorities ask, therefore, is who has the right to prosecute the perpetrators?

Nations normally assert their jurisdiction according to one or more of four principles, Grabosky says. These are territorial (within their own borders), nationality (or extraterritoriality – the offender is a citizen of the nation, regardless of location), effects (the offence affects the national interests, regardless of location) and universal jurisdiction (covering crimes against humanity, such as genocide or slavery).

In practice, the USA has taken the lead in both investigations and global prosecutions, particularly since the increase in resources and anti-terrorist sentiment that followed the 9/11 attacks.

“The US is saying it doesn’t matter where [the offence] is sourced,” says Adrian Lawrence, senior associate for law firm Baker McKenzie. “The place where the offence originates is irrelevant. The issue is where the crime took place.”

He adds that it is not clear why one country should have precedence over another. It often comes down to what’s known as “forum shopping”, he says, which means looking for the best place to bring a case, taking into account the likelihood of success and the potential punishments.

It doesn’t always work in the US’s favour, however. Though not specifically a cybercrime, the defamation case of Joseph Gutnick versus the Dow Jones news service indicates that the boot is sometimes on the other foot. Here the courts found that the wrong had occurred in Victoria, where the material was downloaded and read, and that the US-based online service could therefore be sued there.

But would-be prosecutors please note: Lawrence believes you cannot prosecute the same person for the same crime in multiple locations; “double jeopardy” issues preclude a cybercriminal being passed from one nation to the next for a daisy-chain of prosecutions.

Is the Law Up to It?

Having found your alleged criminal and made a determination that the crime falls within your jurisdiction, can you get a hold of the offender?

As the ILOVEYOU and Gorshkov/Ivanov cases indicate, not all nations are equally determined, or equally equipped, to bring criminals to justice. Much of the success in prosecuting cybercriminals relies on formal and informal relations between nations.

“Informal assistance can be more expeditious,” says Grabosky, “and is the preferred method of approach where compulsory powers (i.e. search warrants) are not required. Formal mutual assistance, on the other hand, is a more cumbersome process traditionally invoked pursuant to treaty arrangements between the countries, and involving the exchange of formal documents. It almost always requires that the offence in question be over a certain threshold of severity, and be a crime in both the requesting and the requested countries [‘dual criminality’].” It should be noted, however, that legislation precludes Australia from offering assistance in cases where the death penalty may be imposed. To date, that severity of punishment has not been called upon in a cybercrime case.

Phelan says the AHTCC is able to investigate matters originating from international jurisdictions by using links with such bodies as the UK National Hi-Tech Crime Unit, the FBI and the US Secret Service (USSS), as well as the Australian Federal Police’s international liaison officer network, which has connections to all key international law enforcement agencies.

The United States is party to over 20 bilateral mutual legal assistance treaties (MLATs), and has entered into bilateral extradition treaties with over 100 countries. These treaties are either “list treaties” containing a list of offences for which extradition is available, or they require dual criminality and that the offence be punishable by a specified minimum period. If one country does not criminalize computer misuse (or provide for sufficient punishment), extradition may be prohibited. (And possibly lead to actions such as the Russian sting.)

Several multilateral groups are currently addressing high-tech and computer-related crime. Of these, the Council of Europe (COE) and the Group of Eight (G-8) countries are the most active, according to a report from the US President’s Working Group on Unlawful Conduct on the Internet. In addition, the United Nations General Assembly has issued a resolution (“Combating the Criminal Misuse of Information Technologies”), the OECD has developed guidelines, and APEC has run workshops in developing economies to help them draft cybercrime legislation, with an APEC conference on cybercrime held in Vietnam as recently as August 2004.

Within Australia, the PJC report, quoting a submission from the Attorney General’s Department, regrets that there is no single Australian law enforcement or policy body which has responsibility for cybercrime matters. Further, cybercrime enforcement is the responsibility of a diverse group of organizations – nine groups by the AGD’s count – including law enforcement, regulatory authorities and research bodies, most of which handle a range of activities of which cybercrime is just one element.

“The Committee notes that much unacceptable Internet activity originates outside Australia, which makes detection and prosecution difficult without some form of international cooperative detection and prosecution system. Tracing and eliminating cybercrime requires a legislative framework that is consistent both domestically and internationally.”

With a range of Commonwealth (at least 13 Acts which have some relevance) and state and territory-based legislation, and a plethora of international laws, this might be seen to be an understatement, but it is something that international authorities are working towards.

How Good Is Your Evidence?

The key to successful prosecutions is valid and legal computer forensic practices.

The case of Stephen Dendtler, the “Optus Hacker”, is a good example of the intricacy of forensic methods and trails left by hackers. In mid-December 2001, telecommunications company Optus noticed that there had been an intrusion. Checking SSH records, they found a trojan.

A company spokeswoman says that it is standard practice not to touch the evidence when an intrusion is noted, but to call in the police and let them handle the matter. In the Dendtler case this is what Optus did: it immediately called in the Australian Federal Police, who handled the case with assistance from an independent consultant.

Dendtler’s case is of interest for this article because, despite being an Australian attacking an Australian system, he used machines in Sydney, Japan, the US and Germany to provide multiple points of entry to Optus’s systems and compromise 435,000 customer usernames and passwords.

He was identified using a honeypot sting, which isolated a string of links (the password SeNiF among them) leading eventually to a Web site and a person who identified himself on the Net as FiNest. (Reverse the letters and drop the ‘t’ and you have SeNiF, as well as SeN, the name found in some of the rootkit files – such is the egotism of hackers that often leads to their undoing.)

Dendtler was charged and initially received only a suspended sentence, leading to an appeal by the prosecution. In May 2003 he received a heavier penalty: a two-year good behaviour bond, a $4000 fine and a criminal conviction on his record.

Computer crime forensic evidence is not always without controversy, as the Gorshkov/Ivanov case indicates. Worrisome areas include privacy, unauthorized access and entrapment, all of which have created fertile ground for defence lawyers.

“The fundamental concepts of computer forensics don’t change from country to country,” McKemmish says. “The use of commercially available forensic tools, such as EnCase, is introducing a standard approach. The question is the admissibility of evidence between countries – can you legally use the information obtained in another country, does it meet the requirements in your own country?”

Jennifer Granick is well aware of these problems, having practised as a criminal defence lawyer specializing in hacker defence. Now director of Stanford University Law School’s Center for Internet and Society, she warned a recent AusCERT conference of the dangers of improperly collected evidence and of techniques that can violate privacy laws.

“Additionally, some investigative techniques may be defined as attacks or intrusions themselves.” She cites unauthorized access provisions in a range of local and overseas legislation, including the Australian Cybercrime Act (section 478.1), the COE Cybercrime Treaty and the US Computer Fraud and Abuse Act.

“There is little legal guidance in this area,” she warns. The rule of thumb is, call in the experts straight away.
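Beyond not touching the compromised system, the one thing a responder can usefully prepare is a way of showing later, possibly in another country’s court, that what was acquired has not changed since acquisition. The following is an added example and not code from the article, Optus, the AFP or any forensic product: a minimal evidence-integrity manifest in Python that hashes every acquired file, records who hashed it and when, and re-verifies the set so that any missing, added, truncated or edited file is reported. The file names, the log line and the “trojaned binary” are all constructed for the demonstration.

```python
"""Added example: a minimal evidence-integrity manifest.

Every file under an evidence directory is hashed with SHA-256 and recorded
together with its size; the manifest's own hash is what an examiner would
write into the custody log or affidavit. verify_manifest() later reports
anything that no longer matches. All sample data below is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-gigabyte images fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, examiner, note):
    """Hash every file under evidence_dir and record who hashed it and when."""
    entries = []
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):  # deterministic order for the manifest hash
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    manifest = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "files": entries,
    }
    # Hash of the canonical manifest body: this single value is what gets
    # recorded in the chain-of-custody log and handed to a counterpart.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return a list of (relative_path, problem) for anything that no longer matches."""
    problems = []
    seen = set()
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        seen.add(entry["path"])
        if not os.path.exists(path):
            problems.append((entry["path"], "missing"))
        elif os.path.getsize(path) != entry["size"]:
            problems.append((entry["path"], "size changed"))  # cheap check first
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    for root, _, names in os.walk(evidence_dir):  # files added after acquisition
        for name in sorted(names):
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in seen:
                problems.append((rel, "not in manifest"))
    return problems


def demo():
    """Constructed scenario: acquire two files, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: an SSH login record and a stand-in for a trojaned binary.
        with open(os.path.join(d, "sshd.log"), "wb") as f:
            f.write(b"Dec 15 02:11:43 host sshd[4411]: Accepted password for root from 203.0.113.9\n")
        with open(os.path.join(d, "ls.bin"), "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)
        manifest = build_manifest(d, "examiner A (hypothetical)", "constructed sample acquisition")
        clean = verify_manifest(d, manifest)
        # After-the-fact edits: one appended line (size changes) and one
        # flipped byte (same size, different content).
        with open(os.path.join(d, "sshd.log"), "ab") as f:
            f.write(b"Dec 15 02:12:00 host sshd[4411]: session closed\n")
        with open(os.path.join(d, "ls.bin"), "r+b") as f:
            f.seek(4)
            f.write(b"\x01")
        tampered = verify_manifest(d, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean verification:", before)
    print("after tampering:", after)
```

The size check runs before the hash so that truncated or extended images are reported without re-reading them in full; the byte-flip case shows why the size check alone is not enough. In real use the manifest would be written to separate media and its `manifest_sha256` recorded on the custody form at seizure, so that the verification can be repeated by a second examiner, or a foreign counterpart, without trusting the first.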

Drink or Die – the Way of the Future?

One particular example of crossborder cybercrime that involves Australia is perhaps indicative of how prosecutions are effectively moving into truly international mode.

The software piracy group known as Drink or Die (DOD), which cracked commercial software and released it on the Net, is an example of truly crossborder offending.

In March 2003, a Grand Jury sitting in the state of Virginia returned an indictment for Hew Griffiths, an Australian member of DOD, on two counts of violation of US law. The counts charged that the offences took place in the US, although Griffiths himself had never been there.

According to the indictment, DOD was a highly structured organization consisting of approximately 60 people. Griffiths is said to have been a long-time DOD member and to have become a co-leader from early 2001. From November 2000 to December 2001 (when DOD was dismantled by US authorities) the group is said to have cracked and released more than 275 software programs worth more than $US1 million, and in the three years before December 2001 it is estimated that DOD “caused the reproduction and distribution of more than $US50 million worth of pirated software”. There is no indication that Griffiths or DOD were motivated by financial gain.

A warrant was issued and Griffiths came before an Australian magistrate in March 2004. The magistrate determined that Griffiths was not eligible for surrender to the US for four reasons:

– That the charge against Griffiths is Internet fraud involving “modern technical matters concerning computers and the internet”.

– That Griffiths had never visited the US, and so he was not “a fugitive fleeing and hiding from the extradition country”.

– Most significantly, that the case did “not involve the usual situation where another country . . . seeks the return of a person convicted, or charged with, an offence physically committed in that other country”. According to the magistrate, the physical acts committed by Griffiths took place in New South Wales and not the US.

– The magistrate also considered that the offences of copyright infringement were not the usual grounds for extradition which came before the Court. The magistrate had done his own research, and said that he had not found a case with “even a broad similarity to the circumstances” to the Griffiths case.

Disappointed by this result, the US authorities then took the case to a higher court, the Federal Court of Australia, where on July 7, 2004 Justice Jacobson found that the original magistrate “approached the matter with a number of fundamental misconceptions”, quashed the original order and found that Griffiths was eligible for surrender to the US.

He disagreed that Internet fraud was too modern to judge, saying that it “involves nothing more than an application of the legal principles applicable to communication by post and telegraph”. On the second and fourth reasons, he found that Griffiths’ lack of fugitive status was irrelevant, and cited precedents for extradition based on copyright infringement.

The most important issue – that of where the offence took place – relies on the concept of dual (or double) criminality.

“The effect of the double criminality test as stated in the authorities is that the conduct constituting the offence, when transposed to Australia and viewed through Australian eyes, would constitute an offence under the law of New South Wales. In the present case, the conduct constituting the offences seems to me to plainly satisfy that test.”

Justice Jacobson agreed with Griffiths’s counsel “that the charge is conspiracy to infringe copyright and, under the law of NSW, the offence of copyright infringement is limited to acts done in Australia. But it does not follow that the conduct constituting the offence with which Mr Griffiths is charged, namely conspiracy to infringe copyright in the United States cannot be transposed here for the purpose of the double criminality rule.”

In fact, he goes on to say that the elements of the offences are virtually identical in the United States and in New South Wales. Consequently, he found that “the conduct of Mr Griffiths constituting each of those offences in relation to the United States, if it had taken place in New South Wales, would have constituted an extradition offence here. Thus the double criminality requirement . . . is satisfied for each of the offences.” Justice Jacobson thus found in favour of the US.

Baker McKenzie’s Lawrence thinks this is a significant result, and “a lead to where some of these cases might go”. In other words, the truly global crossborder nature of international cybercrime is increasingly being matched by the crossborder nature of international prosecutions.

As Grabosky puts it, “The borderless nature of cyberspace and the exponential takeup of digital technology throughout the world guarantee that transnational cybercrime will remain a challenge. Fortunately, many nations are rising to this challenge, individually and collectively. Nevertheless, the web of international cooperation does have its holes. There are among the world’s nations those whose substantive criminal laws and whose criminal procedure laws are still not attuned to the digital age. Those nations that lag behind the leaders risk becoming havens for cyber criminals of the future.”

Greater cooperation, greater alignment and greater effort are all required to deal with global cybercrime. That will not stop it (traditional forms of crime still exist despite hundreds of years of anti-crime activity), but it can go some way towards dealing with an ever-increasing problem.

The first issue in tackling cybercrime is to know what you’re dealing with

Everyone has a definition of cybercrime; unfortunately, from a legal perspective, these aren’t always the same. Adrian Lawrence, senior associate for law firm Baker McKenzie, says: “Cybercrime is a new area, and everyone is struggling to come to grips with it from the enforcement end, policing, operations, etc.”

That includes simply defining it. In Australia alone there are wide variations.

A recent report on cybercrime of the Australian Parliamentary Joint Committee on the Australian Crime Commission (March 2004) notes that there is no statutory definition of cybercrime, despite there being a Cybercrime Act.

The PJC report quotes definitions from the Attorney General’s Department (“a variety of offences associated with the use of information and communications technology . . . synonymous with the term electronic crime”) and the Australian Bankers’ Association (“any crime effected or progressed using a public or private telecommunications service”), both of which are fairly broad-ranging.

The most generally accepted definition is that held by the Australian Centre for Police Research: “offences where a computer is used as a tool in the commission of an offence, as the target of an offence, or used as a storage device in the commission of an offence”.

There is little in these definitions to differentiate between nuisance incidents and attention-seeking activity; indiscriminate events (such as viruses, trojans and worms); more targeted attacks such as phishing, identity fraud, piracy and child pornography; and specifically-targeted events such as denials of service, fraud, theft, forgery, stalking, espionage, revenge, vandalism, hacktivism and cyberterrorism (although most experts are still waiting for evidence of actual cases of the last).