“The limits of hacking as a criminal
investigation-method in the fight against
cybercrime.”
How far can the state entity go in order to maintain public
safety and national security?
Etienne Boonen
Master International and European Law: Track Public International Law
Student number: 11384131
Email address: etienneboonen@gmail.com
Year: 2016-2017
University of Amsterdam
1. Abstract 2. Definitions
2.1. Cloud-Computing of “The cloud” 2.2. Phishing 2.3. DDos Attacks 2.4. Ransome ware 2.5. Darknet 2.6. Proxy server 2.7. hacking 2.8. information warfare 2.9. cybercrime 2.10. cyber terrorism
3. Criminalization of cyber attacks 3.1. Sources of law
3.1.1. Recommendation R(89) on Computer related crime
3.1.2. Recommendation R(95) 13 concerning problems of criminal procedural law connected with information technology
3.1.3. Budapest Convention on Cybercrime 3.1.4. European steps towards a safer cyberspace
3.1.4.1. Council framework decision of 2005 3.1.4.2. Directive 2013/40/EU
3.1.4.3. A (legislative) way forward? 3.2. Criminal offences
3.2.1. Illegal access to information systems 3.2.2. Illegal system interference
3.2.3. Illegal data interference 3.2.4. Illegal interception
4. Criminal investigation in cybercrime-cases 4.1. Current difficulties 4.1.1. Anonymity 4.1.2. Encryption 4.1.3. Jurisdiction 4.2. Digital Forensics 4.3. Investigation methods 4.3.1. Proactive investigation
4.3.1.1. Interception of electronic communication 4.3.2. Reactive investigation
4.3.2.1. Commonly used techniques 4.3.2.1.1. Open Source Intelligence
4.3.2.1.2. Production and preservation orders 4.3.2.1.3. Online undercover investigation
5. Limitations to state interference 5.1. Power- and Privacy shifts 5.2. Data protection
5.2.1. European Convention of Human Rights 5.2.1.1. In accordance with law
5.2.1.2. Necessary in a democratic society 5.2.1.3. Proportionality
5.2.2. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
5.2.3. Regulation (EU) 2016/679 5.2.4. Directive (EU) 2016/680
5.3. The correct way to investigate
5.3.1. Use of proactive interception of electronic communication 5.3.1.1. Use of deep packet inspection and data mining 5.3.2. Use of digital forensics
5.3.3. Use of OSINT
6. Limitations on the use of hacking as an investigation method 6.1.1. Network searches 6.1.1.1. Accessibility 6.1.1.2. Foreseeability 6.1.1.3. Quality of law 6.1.2. Remote searches 6.1.2.1. Accessibility 6.1.2.2. Foreseeability 6.1.2.3. Quality of law
6.1.3. Computer monitoring software 6.1.3.1. Accessibility
6.1.3.2. Foreseeability 6.1.3.3. Quality of law
1. Abstract
In past years we have seen a lot of cyber-related crimes come by. These have seem to be spread around the world in many ways and forms: the foreign involvement in the US elections and the worldwide infection with “ransomware” to give some examples. Cybercrime however is different from other crimes, it’s different by its very nature. Cybercrime is able to evolve in a way so fast that legislative powers are struggling to keep up, establish law that is up-to-date and effective. Even as law enforcement agencies try to maintain order en peace within their territory, they are confronted with grave cyber-related problems such as anonymity, territoriality and encryption.
The content of this thesis will be divided into three sections in which I will focus on answering my research questions. In the first section I will focus on defining all of the digital terms and put them into legal perspective, analyze current and future legislation and lastly to briefly shine a light on the different crimes within cybercrime. Therefor hoping to answer: (1) What is cybercrime and what’s the
legal protection against it?
The second part will consist out of an analyzation of current criminal investigation methods in cybercrime cases and the challenges and conflicts that brings with it. I hope to find an answer to the question: (2) What are the
possibilities from a criminal investigation point of view?
The last part of this thesis will focus on boundaries of cyber investigation methods and the limitations on the use of hacking as a special investigation method in particular. Hereby I hope to give a clear answer on the question: (3) How far can
the state go in the use of cyber investigation methods? What are the boundaries or safeguards?
2. Definitions
In view of the complete autonomy of cyberspace in today’s society and to be able to understand the following chapters, it’s necessary to dedicate a substantial part of this thesis to explain and clarify some definitions.
2.1.1. Cloud-Computing of “The cloud”
Cloud computing is a model of Internet-based computing that provides on-demand access to a shared pool of resources. These resources can be networks, servers, storage, data, applications, etc. Simplistically seen, it’s as a “cloud”, one can simply tap into, whenever and wherever.1
2.1.2. Phishing
Phishing is commonly active in the form of emails that lead to fraudulent websites that look exactly like the interfaces of online-banking websites, social security websites, etc. This way the person that is directed to this website, unaware of the fact that it’s false, will be asked to log into his account or to reset his password and/or financial information. That information is later used to commit a variety of crimes such as identity theft or even to rob the victim of his entire bank savings. The real problem, aside from the fact that the victim loses actual money, is that the victim and the people in its direct environment lose their trust in online-services provided by the brands that the criminals are using for their scams. Not to mention all of the extra costs and services these companies have to invest in to fight this type of cybercrime. 2
2.1.3. DDoS Attacks
Denial-of-service or Dos-attacks, are attacks that attempt to overload specific web servers on order for them to shut down or to be temporarily unavailable. The hackers do this by running a program that overwhelms the site with commands from a high amount of different sources.3
1 (Mell and Grance, 2009) 2 (Ramzan, 2010)
2.1.4. Ransomeware
There are different types of ransomeware, but they all have something in common: they block the user from having access to their computer system and ask the victim the pay a ransom, an amount of money in order to regain access.4
2.1.5. Darknet
The internet that is known to the average internet-user is only a small fraction of the actual size. It’s what we can see on the “surface”. However, Darknet is the part of the Internet that is not visible to a normal web surfer, the part that is hidden away from search engines, etc. It’s a network with restricted access (usually access is given by authorization, specific software or configuration) that is commonly used for illegal peer-to-peer file sharing and black markets.5
2.1.6. Proxy server
A proxy server is a computer server that acts as an intermediary for requests from clients seeking resources from other servers.6 For example: students at the University of Amsterdam can link their laptop to a proxy-server, no mater where they are in the world. That server will give them full-access to the university server and thus access to read all the documents and data stored in the digital library. However, sadly enough this is also uses by a lot of cybercriminals to avoid localization.7 Connecting to open proxies can re-root their location through different locations all over the globe and thus making their conduct nearly untraceable. The simplistic way to see it, is to look at it as trying to catch a shadow while thinking it is the perpetrator himself.
4 (Lopez, 2017)
5 (Techopedia.com, 2017) 6 (Holt, 2015)
2.1.7. Hacking
Although hacking has a negative connotation in today’s society, it was once a term that could be interpreted as a compliment. “ A person was originally called a “hacker” when he or she was considered a gifted computer programmer. Hacking can better be defined as “the
unauthorized use of computer and network resources.”8
There is however a tremendous difference between unethical and ethical hacking. Contrary to the wrongdoing un-ethical hacker, the ethical hacker can be seen as one of the “good guys”, who tests all sorts of security systems and servers for weak spots and reports this to the organization. In the light of this research we’re going to look at hacking from another perspective. Hacking in this context can be seen as accessing a computer or network of an alleged wrongdoer (whether this is covert or not) by law enforcement officials in criminal investigations.
2.1.8. Information warfare
Usually the purpose of hacking is to obtain specific information. One of the clearest examples of that is the establishment of the content of Wikileaks. As publicly known, the owner of the site had a couple of contacts within the US military that downloaded classified files and handed them over enabling the owner to publish files that were never meant to see the light of day.9
There is also the example of the notorious hacking group “Team poison” who hacked into several UN-servers and got away with password-information to give clearance to classified files. However, the above can also be classified as something more severe then hacking: information warfare can be described as:
“Warfare consisting of both offensive and defensive operations against resources and its main purpose is to exploit and control information”10
8 (Sabadash, 2017) 9 (Domscheit-Berg, 2013) 10 (Synnestvedt Jensen, 2013)
2.1.9. Cybercrime
Cyber criminality can be defined as criminal acts that are committed by using electronic communications networks and information systems.1112 Cyber crime can be divided into 3 subcategories.13 The first one is crimes specific to the Internet, committed against computers or information systems. The computers are the actual targets of the crime. The classic example for this category is an email that will direct you to a fake bank website. The second category is crimes committed by the use of the internet, computers and/or information systems. The computers are the substantial tools to commit the crime. Online fraud and forgery through phishing14 are examples of crimes that fits into this category.
The last category is crimes in which computers are in some way involved as environmental factor. The computers are seen a non-substantial tool to commit the crime. For example: having child pornography or other illegal online content on your computer.
2.1.10. Cyber terrorism
As confusing as the terminology of Cybercrime is, a combination with “terrorism” doesn’t make it any clearer. For example: the NATO defined cyber terrorism as: “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or to intimidate a society into an ideological goal”15
One can see that within the 21st century human kind has put a lot of faith and effort into the process of digitalization. For instance; there is a decrease of manual labour at industrial sites, nuclear plants, stock markets, etc. We have trusted upon wires and lamps to do the job. However at the same time, we have also trusted upon the government and our military forces to protect us from foreign terrorist attacks.
11 (European Commission (Migration and Home Affairs), 2017)
12 (The National Information Infrastructure Protection Act of 1996: Legislative Analysis, 1996) 13 (Hof et al., 2014)
14 Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication
However, looking at these two elements aside, one can see a huge vulnerability in today’s society. A cyber attack on a nation’s most important infrastructure would also mean an end to the faith people have in the protection they were promised.
Because within international law, the meaning of terrorism differs from document to document, so does the meaning of cyber terrorism. However, one can differentiate two categories. The first one is a rather broad category that contains every conduct of terrorist groups that is established using technology. For instance, the creation of funds through online fraud/phishing. The second category is considered to be much more narrow, meaning that cyber terrorism only entails: “the use of computer network tools to harm or shut down critical national infrastructures.”16 We see this last category in the domestic legislation of several states. By formulating cybercrime is the narrowest meaning of the word, it seems to co-exist best with existing legislation on terrorism. A terrorist offense has one of the following objectives: 1) Intentional committed with the purpose of inflicting fear upon the states population. 2) To force a State entity or an international Organization into taking action or abstaining from any action. 3) To seriously disrupting or destroy the political, constitutional, economic or social base structures of a country or an international organization.17
16 (Clough, 2015)
3. Criminalization of Cyber attacks 3.1. Sources of law
After two non-binding recommendations, the council of Europe developed a binding instrument with the aim to stimulate and harmonize the legislation on cybercrime.
3.1.1. Recommendation R (89) on Computer related crime18
Within this document the council of Europe took baby steps towards a safer online environment. The core of the recommendation is divided into two elements. The states should, when reviewing or initiating legislation, take into account the computer-related crime report commented by the European committee on crime problems at the time. The report dealt with a variety of computer-related crimes, more specific: defining those offences. For example: “Computer forgery” is defined as “the input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing, in a manner or under such conditions, as prescribed by national law, that it would constitute the offence of forgery if it had been committed with respect to a traditional object of such an offence. The second element of the recommendation is that states should report to the secretary general of the council of Europe on their initiatives in terms of legislation, judicial practice, etc. in their fight against cybercrime.
3.1.2. Recommendation R (95) 13 concerning problems of criminal
procedural law connected with information technology19
Where as the first recommendation on this subject is more focused on the actual creation of legislation on computer related crime, the second recommendation is about updating existing legislation. The Council of Europe recommends that all member states should be guided by the principles appended to the recommendation when reviewing their legislation and presses upon the member states to ensure full publicity and transparency for these principles.
The first element it touches upon is the fact that member states should make sure that all legislation on criminal investigation techniques, search and seizure and technical surveillance is amended. By amending the existing law, the council of Europe wanted to make sure that the law is up to date with the digital evolution at that point and therefor decrease the amount of problems revolving around criminal procedure.
The second core-point that is dealt with in the appendix is the need for international cooperation in the field of cross-border cyber criminality. This opens up an entirely different problem: Authorities should have the power to, in the event of a need for immediate action, search computer systems within a foreign jurisdiction. This however leads to a clear violation of that states sovereignty and international law in general. Therefor there is a need for a general international agreement on how, when and to what extent a state entity can take these actions.
19 (Recommendation R (95) 13 concerning problems of criminal procedural law connected with information technology, 1995)
3.1.3. Budapest Convention on Cybercrime20
The Convention on Cybercrime, established on the 23th of November in 2001, was the first instrument that had an actual harmonizing effect in the ‘fight’ with cybercrime. The convention is divided into 4 categories of cybercrimes: (1) offences against the confidentiality, integrity and availability of computer data and systems; (2) computer-related offences; (3) content-related offences; (4) offences content-related to infringements of copyright and related rights. Although this convention uses terms that are defined rather broadly and includes a huge variety of different offences, it can be said that it had a huge impact on the world. It introduced definitions that were highly appreciated in a time where the legislative power had difficulties keeping up with the digital evolution. Aside from “labeling the wrong”, it was also used by many countries as a model for their domestic legislation.21
3.1.4. European steps towards a safer cyberspace22
Not all European member states have ratified the Convention on cybercrime. Therefor, some states within the European union stated it was important to create further legislation on the EU-level. The goal of the EU cyber security legislation is to protect European Citizens, administrations and economies against cyber attacks. Because cyber security is intertwined with so many different aspects of todays society such as; internal market, justice and home affairs, domestic and global economy it’s necessary to create an entire range of legislative, organizational and security measures on the EU-level to minimize the different approaches of member states and establish a harmonized approach towards cyber security measures.
20 (Convention on Cybercrime, 2001) 21 (Jamil, 2009)
3.1.4.1. Council framework decision of 200523
A year after the Council of Europe adopted the Budapest convention, the EU council adopted its first legislation in the battle against cybercrime: a framework decision of their own. Although it has a lot of resemblance with the Budapest convention, there seems to be an important difference: where the Budapest convention defines cyber criminality rather broad, the institutions on the EU level felt like It was best to make a distinction between two types of cybercrime. The first category are the cybercrimes
sensu stricto, the second category are crimes in which the use of a
computer system can be seen as non-substantial.
3.1.4.2. Directive 2013/40/EU24
Contrary to its predecessors, this directive focuses mostly on cybercrimes
sensu stricto. Looking at this piece of legislation one can conclude that the
legislative branch wanted to get away form a general “cybercrime-approach” where everything that’s even remotely connected to computers or information systems is included and strived for separate legislation on, among others; child pornography, cyber attacks, etc. The European Legislator however, did mention that this directive should be seen as complimentary: it builds upon the Budapest convention and thus does not try to “overrule” it.
This directive also contains some interesting information on cybercrimes that are committed by states. The directive is based on a system of criminal liability of legal persons. However, article 2 (C) defines a legal person as: “An entity having the status of legal person under the
applicable law, but does not include States or public bodies acting in the exercise of State authority, or public international organizations;”
23 (Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, 2005)
24 (DIRECTIVE 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, 2013)
The fact that a State cannot be seen as a legal person in the context of this directive is looked upon with mixed feelings: it can be s aid that the chances of an interstate dispute involving cybercrime will be resolved in court are small. But on the other hand this choice of subject can be perceived as strange. For example: The monitoring of European communication by the NSA25, can be perceived as cybercrime, more specific, illegal data interference.26 However, this research will focus on cybercrimes that are committed by a non-state actor.
3.1.4.3. A (legislative) way forward?
Due to jurisdiction-restrictions, the most important point on the legislative agenda is harmonization. Not only the crucial need to harmonize criminalization so that there are no hiding places for criminals, but also harmonization of investigation methods in cybercrime cases within the EU, more specific undercover investigations.27
There are numerous occasions where hackers or even terrorist groups target critical infrastructures such as industrial systems, power grids or air traffic control-centers.2829 However, these are all in the hands of private owners, and the governing power must not go to far in its interference. A respected way to protect the society against future threats is for governments to make mandatory security standards and make provisions that are solely aimed at the protection of these critical infrastructures. Lastly, all member states should give their best effort to implement the Budapest convention to the fullest extent. Reports have shown that a lot of states have poorly implemented domestic legislation or worse: domestic legislation that is contradictory to the convention.30
25 The National Security Agency (NSA) is a military intelligence organization and a constituent of the United States Department of Defense (DOD). NSA responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes, a discipline known as signals intelligence
26 (Iglezakis et al., 2016)
27 (European Law Enforcement Agency (EUROPOL), 2016) 28 (Natter and Chediak, 2017)
29 (Sherlock, 2016)
3.2. Criminal offences
3.2.1. Illegal access to information systems Article 3 of Directive 2013/40/EU states:
“Member States shall take the necessary measures to ensure that, when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure, at least for cases which are not minor.”
When analyzing this article, one can conclude that the keyword is “consent”. One can only be held accountable if he did not have the consent of the person that owns the information system. This brings us to the grey area of cybercrime: the so-called “white hats”. This term is Internet slang for an ethical computer hacker31. In contradiction to the black hats, malevolent
individuals that only on the basis of self-interest, white hats try to penetrate security- and information systems to point out their weaknesses. This can be considered as a grey area because these white hats do not have consent prior to perpetrating the information system. But because these hackers do not mean to do any harm and simply point out the weaknesses in security systems, (and make a living out of it), they are tolerated.
3.2.2. Illegal system interference
According to article 4 of Directive 2013/40/EU:
“Member States shall take the necessary measures to ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.”
When analyzing this article, the first thing that catches the eye is the amount of margin the member states have with regards to what is qualified as “seriously hindering or interrupting”. Member states have the possibility not to apply the European legal framework in case they are of the opinion that the crime that committed is a negligible small incident.32
However, if a state does want to rely on the EU legislation in order to prosecute the alleged there are some criteria that need to be met. Art 9 (3) of Directive 2013/40/EU states that in order to prosecute there has to be: (1) proof of intent. (2) Factual evidence that a significant number of information systems have been affected and (3) that those systems have been affected through the tools referred to in article 7 of the Directive. Aside from these criteria Art 9 (4) of the directive introduces some additional aggravating circumstances. A prison sentence of at least 5 years is required when there is: (1) cybercrime committed by a criminal organization as defined in Framework decision 2008/841/JHA. (2) A serious damage is caused. (3) The offences are committed against a critical infrastructure information system.
Looking at the criteria and aggravating circumstances mentioned above, one can conclude that not all of them are working in favor of the government. To begin with, referring to article 7 as a limited list of tools that are qualified as “hacking tools” is literally putting a time limit on this directive. As soon as digital evolution has found a new way, this article will be outdated and thus the conduct considered “legal”. Furthermore the wording “serious damage” is far too vague. What is considered serious?33
32 (Iglezakis et al., 2016) 33 (Iglezakis et al., 2016)
3.2.3. Illegal data interference
According to Article 5 of Directive 2013/40/EU:
“Member States shall take the necessary measures to ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.”
Data interference has always been perceived as most dangerous. Most of the people now it by the name “malware”, a software that infects our computer systems with unwanted pop-ups, searches for sensitive information such as passwords and login codes or even gains full access to the computer itself. I will refer to this type of interference as “personal data interference” and will come back to the protection thereof later in this research.
For the sake of completeness it’s important to realize that data interference can also take place on the inter-state level. There are countless examples there is proof of state-involvement in data interference. A classic example would be the involvement of the Russian Government in the American elections. It’s influenced voters by releasing stolen emails that would make the democratic elective, Hillary Clinton, look bad.34
However, Art 2 (C) and Art 10 of the directive point out that criminal liability for state entities is not yet established on the European level. Nonetheless there are other options to turn to. For example: one can argue that the mere fact that a state has authorized cyber operations against another state violates international law, more specific the principle of state sovereignty. As described in his book, Shaw states that the external aspect of state sovereignty means equality and non-intervention.35 One can also plead the principle of neutrality, though this legally is categorized in another branch of International Law: Humanitarian Law.
34 (Diamond, 2016) 35 (Shaw, 2016)
3.2.4. Illegal interception
For the sake of completeness this offence will also be mentioned. Further attention is will not be paid.
According to article 6 of the directive:
“Member States shall take the necessary measures to ensure that intercepting, by technical means, non-public transmissions of computer data to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.”
4. Criminal investigation in cybercrime-cases 4.1. Current difficulties
The Internet, Darknet more in particular has it’s own environment, rules and difficulties. The main challenges governing powers face in their battle against cybercrime are: anonymity, encryption and jurisdiction-uncertainties.36
4.1.1. Anonymity
Due to the fact that the alleged perpetrator is using nicknames, fake identities, proxy-servers, etc. law enforcement officials are delayed in linking the crime with the perpetrator instantly.37
4.1.2. Encryption
Just like old-fashioned Da Vinci with his Cryptex, today’s criminals have their ways to encipher their communication, thus making it harder to gather any proof of criminal activity.38 However, the use hacking as a covert investigation method by law enforcement officials can be extremely useful while gathering evidence. These covert investigation methods such as installing computer monitoring software or remote search of a computer system enable the law enforcement official to gather the data at the source, before it’s encrypted. 4.1.3. Jurisdiction
When looking at the fundamentals of crime, whether it’s on a domestic, European or International level, one always gets confronted with the concept of jurisdiction. Normally, a perpetrator (active personality principle) or victim’s nationality (passive personality principle) will be sufficient to clarify which state has jurisdiction on the matter. When this is not the case, other forms of jurisdiction easily pop-up39: there is the principle of territoriality, which means that the actual soil the crime is committed on is the crucial factor. Another principle is the principle of universality: let’s say when digital
36 (European Law Enforcement Agency (EUROPOL), 2015) 37 (Franken and Bergfeld, 2004)
38 (Franken and Bergfeld, 2004) 39 (Franken and Bergfeld, 2004)
instruments are used to commit a crime against humanity. For example by shutting down the security/cooling systems of a power plant.
However, dealing with cybercrime seems to test the entire concept of jurisdiction. The only thing that is required is a computer, working internet-connection and a perpetrator can do harm to people from the other side of the world, thus enter that specific jurisdiction. Crimes are committed through multiple devices, mostly encrypted, using different servers and proxies scattered across the globe. And then we haven’t even included the digital creation of “the cloud” 40, where evidence can reside borderless in cyberspace
while the actual psychical servers are spread around the world. 41
4.2. Digital forensics
Computer forensics42 is defined as the use of computer science to recover evidence from computerized-devices and to use this evidence in criminal prosecution. This is usually done after police-officials obtain these devices by a search and seizure. A simplistic rendition of digital forensics is file allocation analysis of a computer disk and search files sometimes already deleted or tampered with.43
41 (Iglezakis et al., 2016)
42 In my opinion the word “computer” seems outdated, given the up rise in the use of smartphones, tablets and other electronic devices.
4.3. Investigative methods used in cybercrime cases 4.3.1. Proactive investigation
In this section I will focus on the investigation that takes place before the criminal activity actually takes place, usually based on suspicion. This category of investigation is more commonly referred to as “surveillance”.
4.3.1.1. Interception of electronic communications
4.3.1.1.1. Deep packet inspection
Deep packet inspection is defined as a technique used by Internet service providers to route data through a specific checkpoint between the sender and the recipient, for instance when sending an email. Normally when this email is send, the only element these providers analyze is the IP-address. When deep packet inspection is used, not only “the address” to which it is sent, is analyzed but also the content of the packet. Internet service providers use this technique to avoid viruses, spam and malware.44 A typical example of this method used in daily life is the labeling of mail as “unwanted” or spam by mailboxes as Gmail. This type of inspection occurs in different layers of intrusion. State entities have a close cooperation with Internet service providers to make use of this inspection as a surveillance-measure. It needs to be mentioned that in this stage of investigation, government officials also have the ability to use the OSINT-technique and data mining, which will be discussed in the chapter “reactive investigation.”
4.3.2. Reactive investigation
4.3.2.1. Commonly used techniques
The classic starting point for a criminal investigation when the crime has already been committed would be the actual crime scene. However, when dealing with cybercrime there is nothing physical to grasp: no actual crime scene, no eyewitnesses and no actual physical perpetrators. The common way to start an investigation in cybercrime cases is by IP-address tracking or by online handles. 45 Of course the government officials can also use standard criminal investigation methods such as search and seizure of suspects, but in order to stay on topic I will not elaborate further on these methods.
IP-address stands for “internet protocol address” and is and identifying pinpoint which is assigned to each computer (or other device that uses internet networks)46 They are usually shown as 8-digit combination in IPv4, for instance: 213.127.22.13 is the IP-address my laptop is using while I’m writing this. However, in the case of actual “IP-tracking” done by government officials, there will never be a specific individual device identification. The IP-tracking will only locate the specific network the alleged hacker is using. After that, the government officials will most likely send a “data production order” to an Internet access provider to identity the person using that IP-address. In case of public servers such as library or university network-servers, government officials usually communicate directly with the organization to get information on students/users/subscribers, etc.47 How perfectly all of the above sounds in theory, the truth is that most of these cybercriminals are that skilled that they usually use a proxy-server in order to avoid localization.
45 (Oerlemans, 2017) 46 (Beal, 2017) 47 (Oerlemans, 2017)
However, besides the actual tracking of alleged perpetrators by the use of high tech equipment, government officials also investigate on the basis of “online handles”. An online handle is a name someone goes by on the internet, usually referred to as a “nickname”, either reflecting their actual real name or not at all. Irrespective of the fact that these names are usually made up, these online handles can become helpful in three stages of the identifying process: gathering of information, data production orders to internet/service- providers and when performing an online undercover investigation. 48
4.3.2.1.1. Open Source Intelligence
One of the most prominent sentences in the education of young adults is “be careful what you put online, because once it’s on the internet, it’s out there forever”’ and how freighting this might sound, it holds a core of harsh truth.
The first reflex that government officials have when starting a criminal investigation, either performed by intelligence services or police, is collection of open source intelligence (OSINT). It needs to be mentioned that this technique is also often used in proactive investigations. This intelligence is gathered through: newspapers, governmental reports, public data, maps, blogs, social media sites, apps and web-based communities.49 If this method is used correctly is susceptible to discussion, therefore I will analyze it more thorough in further on in my research.
48 (Oerlemans, 2017)
When this information is obtained, either through OSINT or deep packet inspection, government officials will most likely try data mining. This is a technique of cross-referencing data sets of information in order to facilitate automated profiling of individuals. There are two categories of data mining. On the one hand you have descriptive data mining where the main goal is the discovery of unknown relationships between data objects. On the other hand you have predictive data mining where one tries to predict events based on patterns using specific information. 5051
4.3.2.1.2. Production and preservation orders
When government officials have tracked someone by IP-locating or by his online handle and there is a link to a certain service provider, government officials will order the production of data.52 A simple
example could be that the internet-provider is the Dutch company “Ziggo”. The investigation judge will order Ziggo to give access to all the data about their client. Within Dutch law, there are 3 types of data that can be ordered53:
• Identifying data: name, address, date of birth, etc. 54 • Other data collected or even future data.55
• Sensitive data: when the investigating judge comes to the conclusion that there has been a serious infringement of the rule of law or in case of pre-trail detention crime, he can order “sensitive” data. This includes data about someone’s sexual preference, religion, political orientation, health union membership etc.56
50 (Stalla-Bourdillon, Phillips and Ryan, n.d.) 51 (Schermer, 2011)
52 Basis can be found in art. 18 of the Cybercrime convention, although this needs to be implemented into domestic legislation.
53 (Knoops, 2005)
54 Art. 126nc Nederlands wetboek van Strafvordering 55 Art. 126nd Nederlands wetboek van Strafvordering 56 Art. 126nf Nederlands wetboek van Strafvordering
It’s also quite peculiar that within the Dutch criminal code, there is no distinction between public en private data providers. This means that a private person that process date for their personal use can also be order to provide data. However, the suspect himself can never be order to provide data, this would obviously breach the international respected principle of probation on self-incrimination.57
4.3.2.1.3. Online undercover investigation
There are three types of online undercover investigations methods government officials use when investigating cybercrime-cases: Online pseudo-purchases, online undercover interactions and online infiltration operations.58
57 Art. 6 European Convention of Human Rights; Fifth Amendment to the United States Constitution. 58 (Oerlemans, 2017)
4.3.3. Hacking as an investigation method
Now we’ve seen some of the standard cyber-investigation methods that are commonly used in a criminal investigation, I’m going to elaborate more on the actual use of hacking as an investigation method. To give a clear view upon the practical use of these investigation methods I’m going to analyze this use within The Netherlands. There we can distinguish 3 ways in which government officials use hacking: (1) network searches, (2) remote searches and (3) use of computer monitoring software.59
4.3.3.1. Network searches
A network search is an investigation method in which government officials gain access to an interconnected computer that is connected to a computer that is previously seized, for instance during a search of the house of the suspect. To give an example:
During the search of the house of suspect A by police officials, his computer along with videos and photos of child pornography were taken. Specialists later located an external hard drive that was connected to the computer that was seized. This hard drive was used as a storage unit for child pornography as well.
When analyzing the legality of such investigation method in the Netherlands, we turn to art. 125 j of the Dutch code of Criminal procedure: • “In the event of a search, stored data from the place where the
search takes place can be investigated elsewhere, If there is reasonably necessity to reveal the truth. If such data is found, it can be secured.
• The investigation shall not go further than the content that the
persons who work or reside at the place where the search is made have access to. “60
59 (Oerlemans, 2017)
4.3.3.2. Remote searches
A remote search is an investigation method in which government officials remotely gain access to a computer and the data on it. In contradiction to a network search, this search is done completely covert. Due to this covert-character, this investigation method is a lot more privacy intrusive and therefor asks for more procedural safeguards.61
Given the fact that there is no specific mentioning of remote searches within Dutch criminal law, the use remains open for discussion. Either this special investigative method: (1) is dealt with as an already regulated special investigation method and its legal basis. (2) Is dealt with under the provision of art 3 of the Dutch police act, which states a general obligation to investigate. (3) Does currently not have a legal basis under Dutch criminal law.
However some suggest that the use of remote searches falls perfectly within the scope of art 125i of the Dutch code of Criminal procedure. I will continue analyzing the legality of this method more thorough in chapter 5.
4.3.3.3. The use of computer monitoring software
Computer monitoring software is software that is installed upon the computer of a suspect. With this software, government officials are able to remotely and secretly turn certain functions of the computer on, thereby enabling them to gather evidence.62 To give an example:
During a Skype session of suspect A, police officials secretly turn on the computers microphone and log all his keyboard activity.
The legal basis for the use of this software could supposedly be art 126 l (1). This is however criticized. The legality of this use will be further analyzed in chapter 5.3.
5. Limitations to state interference
After dealing with the specific legislation, crimes and investigative methods, I will now analyze the state limitation on this investigative conduct. Before getting into all of the protection-mechanisms, it is crucial that one distinguishes between what interests are at stake when balancing rights: national security, public security and prevention of crimes all have a different weight in their balance with individual privacy interests.63
5.1. Power- and privacy-shifts
Before government authorities can start any type of conduct in the context of a criminal investigation they must always check if the conditions for each specific investigative method are fulfilled. If these conditions are made more severe and certain methods can only be used in a limited amount of circumstances one can see a “privacy-shift” in legislation. If however these conditions are loosened and easily fulfilled, one can observe an “investigation-shift”. Therefor these conditions can be seen as the weights in a scale: on the one hand we have privacy and on the other criminal investigation.
The first element that needs to be analyzed is the legal authority that is competent to authorize the government officials to use their power. There is a clear correlation between the level of authority and the chance of privacy infringements. For example: in the Belgian system, the investigative judge (onderzoeksrechter) and public prosecutor (openbaar ministerie) have a watchdog-function upon the conduct of the police forces.
The second element is the crimes for which the investigation power (read techniques/methods) is allowed.
The third element revolves around the subjects: the requirement of a relationship with the suspect or the crime. For instance: can the investigative power only be targeted at suspects or also non-suspects? For instance: there can only be an interception and/or monitoring of texts-messages when there is a strong believe that these are being send to one of the suspects. Therefor one can conclude that if there is no requirement of a relationship, the changes of privacy infringement are quit high.
The forth element that needs to be looked at is the requirement of subsidiarity. Looking at this element from a practical point of view, the government officials have to determine whether or not other, less intrusive powers (read techniques/methods) can be used. Although subsidiarity is a cornerstone-condition within criminal law, some legislative powers have built in extra provisions regarding this principle. For example: the powers can only be used if it’s “urgently necessary”.
The fifth element deals with the object of the investigation power. It simply comes down to how broad or narrow terms or phrases are defined by law. For instance: if there’s a power to intercept digital communications, that power is much broader defined than only email-traffic.
The sixth and last element would be the requirement of “need”. The police officials are usually “covered” by the requirement or relationship with the suspect or the requirement of subsidiarity but sometimes there is an extra requirement of “need”. For example: it’s reasonably necessary to uncover the truth.64
5.2. Data protection
5.2.1. European Convention on Human rights
When it comes to the state offering protection to it’s citizens or to track down a cybercriminal, there are certain sacrifices to be made in terms of individual freedom. There are a lot of different views upon the stand that the right to privacy and national security and public order are opposites of each other. However the state cannot initiates a criminal investigation and thus starts “digging” into the private life of the individual at random. It can only do so on the basis of a specific set of rules and guidelines, art 8 ECHR being the beating heart of this legislative protection.6566
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
5.2.1.1. In accordance with the law
The states conduct must be “in accordance with law”. Case law has given a rather broad meaning to the concept of law, meaning that written law but also unwritten law including case-law will fall into this category and thus needs to be taken into consideration when acting in an a criminal investigation.67 A further requirement of this law is that is it is of decent quality: it’s compatible with the rule of law, must be formulated with precision and needs to be foreseeable and accessible.68
65 (Rauhofer, 2009)
66 Art 8 European Convention on Human Rights 67 (Malone V United Kingdom, [1984])
5.2.1.2. Necessary in a democratic society
There is a need for this conduct to maintain a democratic, safe society. In the specific case of cybercrime linked with terrorism or cyber terrorism itself, case law has already given clarity. The ECtHR states in Klass that two important facts needs to be taken into consideration: on the one hand the development of terrorism and real threats and on the other hand the technical evolution in surveillance and investigation methods. The court finally concluded that a state entity must, at all times, be able to defend itself against future threats.69
5.2.1.3. Proportionality
In needs to determine whether or not the state conduct was proportionate: was there a decent balance between the rights of the individual and the interest of the public society? It also needs to be evaluated if maybe the authorities could have used a less restrictive alternative.70
69 (Klass and others v Federal Republic of Germany, [1978]) 70 (Rauhofer, 2009)
5.2.2. Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
This convention can be considered the first binding international document that embodies protection against data abuse in the collecting and processing of personal data. One of the main objectives of this convention is make sure the quality of the data obtained is guaranteed. This is done by: fair and lawful obtaining and processing, data must be kept up to date, the time limit of identification of subjects must not be held more then necessary, etc. Furthermore the convention states that special categories of data such as sexual preference, criminal conviction or political orientation should not be allowed to be processed unless there is sufficient domestic protection. The rights enshrined in this convention can only be restricted under certain circumstances. Linking this to the concept of cybercrime or cyber terrorism we can see that a state can choose to derogate from this convention if he wishes to. However this can only be done when two conditions are fulfilled: (1) such derogation must be provided by the domestic legislation of that state. (2) It must constitute a necessary measure needed in a democratic society in the interest of:
§ “Protecting State security, public safety, the monetary interests of the
State or the suppression of criminal offences;
§ Protecting the data subject or the rights and freedoms of others.” Another thing this convention regulates is the trans border flow of information. For instance when security and intelligence services of states share data. Sending states however, can choose not to share personal data when there isn’t an equivalent level of protection in the receiving state.
5.2.3. Regulation (EU) 2016/679: protection of natural persons with regard to the processing of personal data and the free movement of such data
It is important to realize that this regulation and the directive which will be dealt with below are parts of the EU data protection reform package. This regulation will apply as of the 5th of may 2018. When looking at the regulation one can see two subjects, which are protected by this regulation: Individuals and businesses.
Individuals are getting a cleared and more transparent look upon their already existing rights: easier access to their data, the clarification of the right to erasure or “to be forgotten” and the right to know then their personal data has been hacked. This last right entails an obligation on organizations or businesses to inform the individual when their security has been breached.
Businesses themselves are also getting a lot of benefits from this EU-protection. For example: businesses only have to deal with one supervisory authority instead of every country they are based in. there has also been an estimation of 2.4 billion euro per year when this data protection has been enforced.71
5.2.4. Directive (EU) 2016/680: protecting individuals with regard to the processing of their personal data by police and criminal justice authorities, and on the free movement of such data
This directive aims to construct a higher level of protection when personal data is processed by the police and criminal justice authorities and to improve trans border cooperation by making sure the information exchange between states goes more efficiently.
Furthermore the individuals are categorized into different groups, depending on the classification, rights shall be granted to the subjects. There are 4 groups: individuals who have been convicted of a crime, those for whom there are serious grounds to believe they have committed or are about to commit a crime, victims of criminal offences and lastly other parties to the criminal offence such as witnesses.
5.3. The ‘correct’ way to investigate
5.3.1. Use of proactive interception of electronic communication
Considering the fact that this action, taking place pro-active, might interfere with fundamental human rights, effective supervisory control is of most importance. The ECtHR mentioned in its case law that it’s most desirable to give this position of control to a judge. 72 The judicial review of pro-active surveillance takes place at three stages: when the surveillance is ordered, when it’s carried out and after it is brought to an end. Given the fact that these two first stages are by their nature secret and the individual has no knowledge of this conduct, the procedures that streamline these operations need to provide effective protection of the individual’s human rights.73
5.3.1.1. Use of deep packet inspection and data mining
It’s rather hard to answer the question if packet inspection by a service provider can be seen as an unlawful interception of communication the way telephone tapping is. It could be seen as unlawful if it targets the content of specific communication, communication that might be considered confidential. However the inspection takes place when data is in transit, which makes it hard to qualify it as “traffic data” or “communication content”.74 Case law from Ireland stated that deep packet inspection does not seek information by its nature; it simply identifies the nature of transmissions.75
The above discussed inspection can however also be used by security and intelligence services. There is proof that the leading states in the world such as China and the US are using this technique, however the content of this inspection is classified.76
72 (Klass and others v Federal Republic of Germany, [1978]) 73 (Rauhofer, 2009)
74 (Stalla-Bourdillon, Phillips and Ryan, n.d.)
75 (MI Records (Ireland) Ltd and others v UPC Communications Ireland Ltd, [2010]) 76 (Marsan, 2017)
5.3.2. Use of digital forensics
At the beginning of computer forensics, there had been a lot of disagreement on whether or not evidence obtained by a computer forensics investigator should be accepted as legally valid in court. The argument made was that due to the very flexible nature of the evidence, alterations could be made very easily or some even deleted. After some years and countless of issues raised in court however, criminal courts had come to a consensus: evidence obtained by computer forensics investigators will be seen as legally obtained. The court stated that there are several ways to ensure the obtained evidence is not tampered with. For example, by the use of hash values.77
5.3.3. Use of OSINT
Coming back to one of the ways government official starts their criminal investigation: Open Source intelligence. One can argue that since all of this information is publically available and accessible for everyone that, in contrast with phone and Internet tapping, there is no need to initiate a legislative process to give guidelines to this sort of conduct. However one must make a clear-cut distinction between a normal person accessing this information separately and a government official using specific software to access this information with the aim of using it for further possible prosecution.
Looking at it from a Human Rights perspective: the fact that information is publically available or was obtained in public domain, does not nullify the right to privacy.78 The ECtHr also confirms that an individual has a reasonable expectation to privacy when using the Internet.79 However, the European Convention of Human rights does state a variety of justification grounds on which the state is allowed to perform this sort of conduct.80 Possible grounds that could justify the violation in this situation are “national security” and “prevention of crime”. Nonetheless, there is a demand for international and national legislators to determine what the limits of OSINT are and how subjects can seek redress and OSINT software-development should be monitored.81
78 (Von Hannover v. Germany, [2004]) 79 (Copland V United Kingdom, [2007])
80 Art. 8 European Convention of Human Rights. 81 (Eijkman and Weggemans, 2013)
6. Limitations on the use of hacking as an investigation method
When analyzing hacking as an investigation method, the first thing one will find is a huge lack of relevant and specific legislation. This has of course, everything to do with the fast growing and evolving character of cyberspace and cybercrime. One of the possibilities to deal with this issue is by analogy with already existing legislation.
Therefor the wordings and phrasing of computer searches have been used on multiple occasions. However, one must remember that when dealing with a computer search one is referring to a special investigation method that is very intrusive and therefor needs strong procedural safeguards, for instance a warrant signed off by an investigative judge. However, network searches are even more intrusive do to the fact that law enforcement officials are investigating interconnected computers elsewhere. Using even more intrusive methods like remote searches or Computer monitoring software brings an even higher risk of privacy violation due to the fact that they are both conducted covertly.
As previously mentioned, to analyze whether or not these methods are to be seen as privacy infringements I will determine if each of these investigation methods meet the criteria set out in legality criterion of art 8 of the ECHR, “in accordance with law”: accessibility, foreseeability and quality of the law.82
6.1. Network searches 6.1.1. Accessibility
As previously stated, Network searches are recognized as a special investigation method within Dutch Criminal law and has its own legal basis. However, by wording of the article “in the event of a search” one can conclude that this legal basis must always be combined with the standard “search and seizure”- legislation and it’s associated procedures and conditions. It is therefor considered to be accessible.
6.1.2. Foreseeability
When looking at the Khan-case, the interference by the government in this case was not to been as a breach of article 8 due to the fact that this conduct was justified: “in accordance with the law and necessary in a
democratic society for the prevention of crime.” However this case echo’s
what is already been said before: when using covert- investigation methods, procedural legislation must contain a significant level of clarity on the use and boundaries of these methods.83
When looking at the procedural safeguards that have been set in place in case of a search and seizure, there seems to be no indication whatsoever about the scope of network searches. This being one of the main questions that interests me: how far can the law enforcement officials actually go? They have the authority to search the computer, but can they access iPhone-backups? Can they log into social media accounts? Can they check webmail-accounts?
Since there is no indication in either case-law or public guidelines on the actual use of this investigation method, the only reference we have is a statement by the Dutch Ministry of Security and Justice saying that Dutch law enforcement officials can go rather for in their network search: login into a server such as Gmail or Dropbox will be seen as falling within the legal boundaries.84 Given all the written above I conclude that this method is considered not foreseeable.
83 (Case of Khan v.The United Kingdom, [2000]) 84 (Oerlemans, 2017)
6.1.3. Quality of law
When analyzing the articles in Dutch criminal law that cover regular searches one can see a peculiar distinction in legal regime, based on location. For instance: when a car is being stopped, (in contradiction to a search of a residence) the law enforcement officials do not need a warrant signed by an investigative judge.85 This means, in theory that law
enforcement officials can obtain data that’s on a laptop or cellphone, after the search of vehicle. This difference in legal regime is not compatible with the position of cyberspace in today’s society.86 This again can be explained by the fact that this legislation is outdated and the legislator at the time could never had imagined computers that could be carried around, let alone pocket-size. However, this does not justify the possibility of arbitrary use of this special investigation method and one can therefor conclude that this legislation does not meet a sufficient level of quality. 6.2. Remote searches
6.2.1. Accessibility
As I mentioned in the chapter four, remote searches in never specifically mentioned within Dutch criminal legislation, therefor leaving doubts about its legality. The Dutch minister of Security and Justice however, stated in his letter of response to a question asked by the parliament that Dutch law enforcement agencies indeed have the authority to use remote searches of computers.87 This conduct is to be seen as falling within the scope of art 125I of the Dutch code of Criminal procedure.88
85 Art. 96 Nederlands wetboek van Strafvordering 86 (Koops, 2012)
87 (Rijksoverheid: Ministerie van Veiligheid en Justitie, 2014)
88 In contradiction to what the minster stated in his letter, I do not think this legal basis can be used for the use of remote searches. this simply because of the fact that this article does not in any way refer to the meaning or wording “remote”. This article simply refers back to the general articles about search and seizure.
“The investigative judge, the prosecutor, the deputy public prosecutor and the investigating law enforcement officials shall have the authority to search a place in order to secure data located at this place that is stored or recorded on a data carrier. In the interest of the investigation, this data can be secured.”89
Despite the fact that an actual, specific legal basis is lacking within Dutch law and the tendency within case law to keep the used legal basis vague90, the Minister has stated that this special investigation method falls within the arsenal of methods. Therefor I consider this to be accessible.
6.2.2. Foreseeability
As already mentioned above, the Dutch minister of Security and Justice states that art 125 (1) of the Dutch code of Criminal procedure can be used as a valid legal basis. However, this simply refers back to the powers of search and seizure. Given the fact that this method is used covertly, the existence of complementary guidelines and procedural safeguards is lacking. In the letter the Dutch minister elaborates on the use of this method, stating that it’s only used in ‘special circumstances’. However, these circumstances have never been discussed therefor not clarifying the scope of this investigation method. Given the fact that Dutch law seems to be based on the statement of a minister and a legal basis that gives no substantial safeguards against privacy infringements, I consider this method not foreseeable.
6.2.3. Quality of law
Given the fact that Dutch law does not provide supplementary procedural safeguards that are essential when conducting a covert investigation I consider this investigation method not meeting the desired quality of law.
89 125 (1) Nederlands wetboek van Strafvordering (vrije vertaling)
6.3. Computer Monitoring software 6.3.1. Accessibility
As been stated above, a possible legal basis for the use of computer monitoring software is art 126 l of the Dutch code of criminal procedure.
“In the case of suspicion of a crime as defined in article 67, paragraph 1, which, in its nature or the coherence with other crimes committed by the suspect, results in a serious breach of the legal order, the prosecutor may, if deemed necessary for the investigation, recommend that a law enforcement official records confidential communication with a technical tool.”91
However, this article must be read with caution: it gives permission to physically install a technical tool to record private communications. This view has been supported by explanatory memorandums and letter of the Dutch minster of Security and Justice.
The memorandums explained that Dutch law enforcement was legally able to install a device on a keyboard or computer mouse to intercept keystrokes and mouse clicks. Later on the Letter the minister went even further by including software as a technical device that police officials were permitted to physically install software.92
6.3.2. Foreseeability
The fact that the legal basis that is used is outdated seems to be causing a problem in interpretation: Dutch criminal law does not define “technical device” and although the Minister of Security and Justice stated in 2014 that physically installing software is permitted, it still leaves a lot of state conduct in a grew area. Also the fact that this method is used covertly and, more important, remotely does not seem to be covered by this legal basis. Therefor I consider this method not foreseeable.
91 126 l Nederlands wetboek van Strafvordering (vrije vertaling)
6.3.3. Quality of law
One can conclude that while there are procedural safeguards in place when law enforcement officials use technical devices to record private communications, it’s not clear if the legislator at the time would have meant for software to be included a technical device. Even if this would be seen as a technical device, Dutch law still doesn’t give enough clarity on the scope of the use of this software. Therefor in conclude that this method does not meet the required standard of law.
