Aug 03, 2013
 

During cybercrime investigations it’s common to find that a suspect has used technology in a country outside of the territorial jurisdiction of Law Enforcement investigating the case. The suspects themselves may also be located outside of the territory of the investigating group. A country may be able to claim jurisdiction over a suspect or device that is located outside of their territory [1], however, foreign Law Enforcement would not have jurisdiction within the territorial jurisdiction of another country unless explicitly granted. This means that if a suspect or digital device is located in another territory, the investigating country may need to request assistance from the country that has territorial jurisdiction. This request could be in the form of mutual legal assistance requests, international communication channels such as INTERPOL and United Nations networks, through a personal contact within the country of interest, etc.


It appears to be increasingly common that Law Enforcement will use personal contacts to quickly begin the investigation process in the country of interest and request data be preserved, while at the same time making an official request for cooperation through official channels. This is simply because official channels are currently far too slow to deal with many types of cybercrime that rely on preserving data before the records are overwritten or deleted; a problem that has been communicated by Law Enforcement for over a decade.

For similar reasons, Law Enforcement in many countries commonly access data stored on servers in countries outside of their jurisdiction. When and how they access this data is usually not well defined because law too, in most — if not all — countries, is failing to keep up with changes in cross-border digital crime. However, a recent work by the NATO Cooperative Cyber Defence Centre of Excellence — Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual) — attempted to explicitly state some of these issues and their practical implications, albeit in the context of Cyber Warfare.

In the Tallinn Manual the expert group considered issues of jurisdiction applied to cyber infrastructure. Of these considerations, they claim that “… States may exercise sovereign prerogatives over any cyber infrastructure located on their territory, as well as activities associated with that cyber infrastructure” [2] with some exceptions. Further, Rule 1 paragraph 8 stipulates that:

A State may consent to cyber operations conducted from its territory or to remote cybercrime operations involving cyber infrastructure that is located on its territory.

In this rule, the expert group gives the explicit example that a State may not have the technical ability to handle a situation within their territory, and thus may give permission for another State to conduct cyber activities within their jurisdiction.

Much of the discussion on sovereignty, jurisdiction and control stipulates the scope of control a State possesses; however, Rule 5 specifies the obligation of the State to other States. Specifically, that “the principle of sovereign equality entails an obligation of all States to respect the territorial sovereignty of other States”. The expert group elaborates with Rule 5 paragraph 3, claiming that:

The obligation to respect the sovereignty of another State… implies that a State may not ‘allow knowingly its territory to be used for acts contrary to the rights of other States’.

Rule 5 paragraph 3 has interesting implications in cyber space. For example, the infrastructure of many different countries may be used in an attack against a single victim. Because of this rule, each country whose infrastructure was involved is obliged to not allow these attacks to continue once they are aware of such attacks. A State, however, is not necessarily obliged to actively look for attacks against other countries from its infrastructure.

In other words, if an attack is made from (or through) State A to State B, and State B makes State A aware of the attack, then State A is normally obliged to help in stopping — and presumably helping to investigate — the attack on State B, if possible.

The Tallinn Manual goes on with Rule 7, stating that an attack originating from a State is not proof of a State’s involvement, but “… is an indication that the State in question is associated with the operation”. However, instead of assuming that the State could be guilty, in this work we propose to assume the innocence of the State whose infrastructure is being used in an attack.

Let’s assume State B is affected by a cyber attack apparently originating from State A. State B then attempts to make State A aware of the attack. There are essentially three responses that State B could receive from State A: a response to collaborate, a response to not collaborate, or no response. In the case of no response, if there is an assumption of innocence of State A, then State B may also assume that State A — being obliged to help — cannot stop the attacks because of a lack of technical ability, resources, etc. In this way, consent to conduct remote cyber investigations on infrastructure within State A could potentially also be assumed.

In this way, when requests for assistance are made between States, if one State does not, or cannot, respond to the request, then cyber investigations can continue. Under this assumption, countries with intention to collaborate but limited investigation capacity, convoluted political and/or communication processes, or just no infrastructure will gain increased capacity to fight abuses of their infrastructure from countries that have more resources.

By assuming innocence of a state, at least four current problem areas can be improved. First, by assuming a State’s consent for remote investigation upon no reply to international assistance requests, this will lead to a reduction in delay during cross-border investigations for all involved countries despite weaknesses in bureaucratic official request channels. Second, such an assumption will force States to take a more active role in explicitly denying requests, if so desired, rather than just ignoring official requests, which is a waste of time and resources for everyone involved. Third, depending on the reason for the denial, such an explicit denial to investigate attacks against other countries would be slightly more conclusive proof of State A’s intention to attack, or allow attacks, on State B, and could potentially help where attack attribution is concerned. And finally, such an assumption may also hold where mutual legal assistance currently — and oftentimes — breaks down; when dual criminality does not exist between two countries [3].

Essentially, if an attack on Country B occurs from infrastructure in Country A, Country A will either want to help stop the attack or not. By assuming that Country A does want to help but is simply unable to, this forces Country A to be explicit about their stance on the situation while at the same time ensuring that international cybercrime investigations can be conducted in a timely manner.

James, J. I. (2013) “An Argument for Assumed Extra-territorial Consent During Cybercrime Investigations”. VFAC Review. Issue 25. [PDF]

Bibliography

  1. Malanczuk, P. (1997). Akehurst’s modern introduction to international law (7th ed.). Routledge.
  2. Schmitt, M. N. (Ed.). (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press.
  3. Harley, B. (2010). A Global Convention on Cybercrime?. Retrieved from http://www.stlr.org/2010/03/a-global-convention-on-cybercrime/

 

Image courtesy of jscreationzs / FreeDigitalPhotos.net

Mar 26, 2013
 

The United States government, via the “We the People” portal (petitions.whitehouse.gov), was petitioned by Dylan K. [1] to “Make, distributed denial-of-service (DDoS), a legal form of protest”. The petition states that:

With the advance in [Internet technology], comes new grounds for protesting. Distributed denial-of-service (DDoS), is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a web page. It is, in that way, no different than any “occupy” protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time…

The petition hits on a number of topics that are currently not well defined in terms of a ‘physical reality’, let alone a ‘digital reality’. This work will attempt to examine different concepts proposed within the petition (as we interpret them), and informally compare such concepts to existing legislation. Note, this work should be considered merely as points for discussion, not academic definition or legal advice.

First, let’s begin by defining what each part of the petition means. The first sentence could be taken to mean that Internet technologies have provided new ways to communicate and interact that have enabled the creation of new social groups with their own unique beliefs and cultures (cyber cultures). Further, these cyber cultures should have the same rights as those afforded in the physical world (i.e. in the U.S.), and thus be able to protest when those rights have been denied.

The second and third sentences propose that Distributed Denial-of-Service is not inherently hacking, but instead sending data, as intended, over a public network to a publicly accessible host.

The fourth sentence proposes that intentionally accessing a publicly accessible Internet resource is similar to assembling at a publicly accessible space in physical reality.

The final sentence proposes that having a group of people collectively access a publicly accessible Internet resource (digital space) with the intention of slowing or denying access to other users is equivalent to a group of people assembling in a public physical space.

Rights of Cyber Cultures

There are a growing number of works dealing with the definition, evolution and understanding of cyber cultures [2, 3]. Effectively, the proposed claim is that cyber cultures should be afforded the same rights that citizens enjoy in physical reality. The assumption in this case is that these rights are as defined by legislation in the United States.

Herein lies the first challenge: jurisdiction. Under what circumstances should rights to citizens on the Internet (netizens) be extended, and to what extent? For example, assume a cyber culture exists within an online Internet game. If the server for the game is hosted in the U.S., and the netizens that make up the cyber culture are U.S. citizens in physical reality, then their rights in physical reality should extend to digital reality, since the digital reality is a medium in which they are exercising their freedom of expression, etc. These freedoms may be limited by the policies of the game, but rights should be extended nonetheless.

Alternatively, if the game is hosted in a server that is physically located in China, and a U.S. citizen accesses the game from the U.S., there would not likely be any expectation of the U.S. citizen’s physical reality rights (as protected in the U.S.) to be extended to the digital reality geographically hosted in China.

By considering rights of citizens based on jurisdiction, countries may begin to assign rights to netizens in a digital reality similar to the way that rights are protected in that country’s physical reality. Essentially, a netizen that is from the host country is afforded the same rights (or lack of) they enjoy as a local citizen. A netizen that is from another country may be afforded the same rights (and restrictions) as an immigrant to that country.

Instead of considering dividing the Internet up by jurisdiction, this work will assume that rights as defined by the Universal Declaration of Human Rights (UDHR) [4] – Article 20 – are also extended to netizens in digital reality. This claim also appears to be held by, then Secretary of State, Hillary Clinton, who said, “The freedom to assemble and associate is applicable to cyberspace” [5]. The author presumes this right is extended to all netizens. When basic rights are guaranteed for all netizens regardless of geographic location, jurisdiction becomes (slightly) less of an issue.

The Legality of Distributed Denial of Service

For a definition of hacking, we can look at the U.S. Computer Fraud and Abuse Act [6]. In this act, many sections explicitly state that a system must be ‘accessed’. As access is defined, however, it seems to imply gaining access into a system, e.g. gaining rights to a system through authentication or exploitation. Further, protected systems are defined, such as financial and critical communication systems, which are explicitly protected from any form of tampering.

Section 5A, however, says: “[Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer…shall be punished”. Further, the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information. The argument could be made that DDoS is the intentional transmission of information/code that impairs the availability of data. By this standard, DDoS should be considered illegal.

In this case the transmission of data with malicious intent may be illegal, while the transmission of the same data with non-malicious intent may not be. Since the intent behind a data transmission is being considered, so too could data transmission with the intent to protest. This work will assume that the intentions behind protesting are non-malicious: the data is sent not with malicious intent, but with the intent to convey a message protected under UDHR Article 19, which states that everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

Public Spaces in a Digital Reality

The next question is whether visiting a publicly accessible website is like visiting a public space. Webster’s Online Dictionary defines a public space as a place where anyone has a right to come without being excluded because of economic or social conditions. Indeed, any person can walk on a sidewalk, which is generally considered a public space. And from the public space a person may look at or into private property, with certain restrictions.

The online parallel could be that the Internet is a series of sidewalks that lead to a house. A website’s landing page would be the exterior of the house. In more technical terms, making an HTTP request to the web host for the landing page would be like observing the house from the sidewalk. Arguably, if a user does not need to authenticate to access the landing page, then making a request of the server would be similar to walking down a sidewalk and observing a house. The question is, is making a request for a public web page similar to observing a building from a public space?

In this work it will be assumed that the Internet is a public space, and each server (website) is similar to a building. Passers-by may observe the house (server), either intentionally or not, as a consequence of it being connected to the public space. If, however, the user attempts to enter the server/website, they are then entering a private space. With this assumption, making a valid request for public information from a server should be considered as making a request (or an observation) from a public space. If the request can be made from a public space, then, as previously described, netizens should have the right to assemble on this public space.

Right to DDoS

The final question addressed in this work is whether assembly on a public space with the express intention of slowing or denying access is a legal form of protest. To answer this question, first we must look at how protest is defined. Specifically, (in our opinion) the petition sounds analogous to a picket line.

Picketing is a form of protest in which a person or group of people attempt to dissuade or prevent workers or customers from entering a business or other location. In many countries there is no explicit “right to picket”, but peaceful protest is normally accepted under the right to assembly, with some restrictions. In the United Kingdom, “[t]he only purposes of picketing declared lawful in statute are peacefully obtaining and communicating information, and peacefully persuading a person to work or not to work” [7]. In many countries picketing is generally accepted as legal if the following conditions are met:

  1. Local laws are followed, and police are obeyed
  2. Local authorities are pre-notified
  3. Picketing is done only on public property, or private property with permission
  4. Entrances to businesses are not blocked
  5. Employees and/or customers are not harassed
    1. Should not restrict the rights and movements of other people
    2. Non-violent

Violence in this case will be defined as rough or injurious physical force, action, or treatment; an unjust or unwarranted exertion of force or power, as against rights or laws. Harassment will be defined as to disturb persistently; bother continually; pester; persecute.

At this point, this work will need to make another assumption. Namely, that a botnet legally exists. For the sake of brevity, a legal botnet will be defined as one where all nodes are knowingly part of the network, and actively agreed to have their resources used for the collective purpose. While DDoS may not explicitly be hacking, computers infected with viruses are commonly used to commit DDoS attacks. In this case if a botnet is created through illegal means, then the action should also be considered illegal (regardless of overall intent). The assumption is that a collective of protesters are willingly donating their computing resources for the purpose of slowing or denying some service.

Assume that a botnet legally exists, the computing resources collectively assemble on a target public space with the purpose of protesting, and authorities were notified of the ‘protest’ ahead of time. According to the general rules for legal protest as given, there are still a number of challenges. First and foremost, entrances to businesses should not be blocked. In terms of DDoS, if sustained denial of service takes place, then access (entrance) to the server (business) is effectively blocked. This means that, at a minimum, sustained denial of service should be considered as a non-legal approach to protesting.

Next, we can consider denial of service that is not sustained: for example, a DDoS that occurs every 10 minutes and is sustained for 30 seconds each time. This approach would result in degraded service, but not a complete denial of service. The challenge here comes from the definition of harassment. If a user (customer) were attempting to use a service, non-sustained denial of service would repeatedly affect that user’s ability to use the service, but not block access to the service. This could be compared to continually, and forcefully, hindering the customer from accessing a business. Indeed, many Internet users may define dropped service connections to be disturbing, intentional or otherwise. In other words, intentionally and repeatedly affecting the user’s connection could be considered harassment.

The final, and potentially most important factor is that DDoS does not explicitly communicate information. Picketers in physical reality can carry signs, handouts and have conversations to let the public and the companies understand why the group is picketing. The reasons for DDoS protests may be published somewhere, but there is little guarantee that the business – let alone the customers – would be able to determine why degradation of service was happening, and how to differentiate a protest DDoS from a non-protest attack. This is somewhat similar to a group of protesters congregating in front of a business, and without giving any reason, randomly restricting customers from entering. Protest should involve communication, and with DDoS communication to both the protested organization and its customers is not guaranteed.

Conclusions

By extending the UDHR to apply to all netizens, the right to assembly and right to expression online would allow protesters to congregate on a public space, which, we believe, can be defined as a publicly-accessible IP address. This assembly may naturally result in degraded or even denied service to other customers. However, if the intention of the assembly is to degrade or deny service to customers, then the protesters have chosen to use threat to the business, and harassment of its customers, as their form of protest. In our opinion, protest should (normally) be about education and convincing the public (and the organization) that the protesters’ cause is valid. Protesting, even in a digital reality, should not be about forcing people. Convincing people takes communication, and DDoS is exactly the opposite; it is the denial of communication, and domination by force.

Bibliography

  1. Make distributed denial-of-service (DDoS) a legal form of protesting. 2013 [cited 2013 11 Jan.]; Available from: https://petitions.whitehouse.gov/petition/make-distributed-denial-service-ddos-legal-form-protesting/X3drjwZY.
  2. Bell, D., An introduction to cybercultures. 2001: Routledge.
  3. Escobar, A., et al., Welcome to Cyberia: Notes on the Anthropology of Cyberculture [and comments and reply]. Current Anthropology, 1994. 35(3): p. 211-231.
  4. United Nations General Assembly, Universal Declaration of Human Rights. Resolution adopted by the General Assembly, 1948. 10(12).
  5. Rao, L., Secretary Clinton: The Internet Has Become The World’s Town Square. 2011 15 Feb. [cited 2013]; Available from: http://techcrunch.com/2011/02/15/secretary-clinton-the-internet-has-become-the-worlds-town-square/.
  6. Computer Fraud and Abuse Act, in 18 U.S.C. § 1030. 1986: United States of America.
  7. Taking part in industrial action and strikes. n.d. [cited 2013 15 Jan.]; Available from: https://www.gov.uk/industrial-action-strikes/going-on-strike-and-picketing.

 

James, J.I. (April, 2013) “Legal Protest and Distributed Denial of Service”. Virtual Forum Against Cybercrime. Issue 22. [PDF]