Comprehensive Study on Cybercrime
Draft—February 2013
UNITED NATIONS OFFICE ON DRUGS AND CRIME
Vienna

Comprehensive Study on Cybercrime
Draft
February 2013

UNITED NATIONS
New York, 2013
United Nations, February 2013. All rights reserved worldwide.
Copyright 2013, United Nations Office on Drugs and Crime

ACKNOWLEDGEMENTS

This report was prepared for the open-ended intergovernmental expert group on cybercrime by Conference Support Section, Organized Crime Branch, Division for Treaty Affairs, UNODC, under the supervision of John Sandage (Director, Division for Treaty Affairs), Sara Greenblatt (Chief, Organized Crime Branch), and Gillian Murray (UNODC Senior Focal Point for Cybercrime and Chief, Conference Support Section).

Study team:
Steven Malby, Robyn Mace, Anika Holterhof, Cameron Brown, Stefan Kascherus, Eva Ignatuschtschenko (UNODC)

Consultants:
Ulrich Sieber, Tatiana Tropina, Nicolas von zur Mühlen (Max Planck Institute for Foreign and International Criminal Law)
Ian Brown, Joss Wright (Oxford Internet Institute and Cyber Security Centre, University of Oxford)
Roderic Broadhurst (Australian National University)
Kristin Krüger (Brandenburg Institute for Society and Security)

DISCLAIMERS

This report is a draft prepared for the second meeting of the open-ended intergovernmental expert group on cybercrime and should not be cited without permission of UNODC. This report has not been formally edited and remains subject to editorial changes.

The contents of this report do not necessarily reflect the views or policies of UNODC or contributory organizations and neither do they imply any endorsement.

The designations employed and the presentation of material in this report do not imply the expression of any opinion whatsoever on the part of UNODC concerning the legal status of any country, territory or city or its authorities, or concerning the delimitation of its frontiers and boundaries.
CONTENTS

ABBREVIATIONS
INTRODUCTION
KEY FINDINGS AND OPTIONS
EXECUTIVE SUMMARY

CHAPTER ONE: CONNECTIVITY AND CYBERCRIME
1.1. The global connectivity revolution
1.2. Contemporary cybercrime
1.3. Cybercrime as a growing challenge
1.4. Describing cybercrime

CHAPTER TWO: THE GLOBAL PICTURE
2.1. Measuring cybercrime
2.2. The global cybercrime picture
2.3. Cybercrime perpetrators

CHAPTER THREE: LEGISLATION AND FRAMEWORKS
3.1. Introduction – The role of law
3.2. Divergence and harmonization of laws
3.3. Overview of international and regional instruments
3.4. Implementing multilateral instruments at the national level

CHAPTER FOUR: CRIMINALIZATION
4.1. Criminalization overview
4.2. Analysis of specific offenses
4.3. International human rights law and criminalization

CHAPTER FIVE: LAW ENFORCEMENT AND INVESTIGATIONS
5.1. Law enforcement and cybercrime
5.2. Investigative powers overview
5.3. Privacy and investigative measures
5.4. Use of investigative measures in practice
5.5. Investigations and the private sector
5.6. Law enforcement capacity

CHAPTER SIX: ELECTRONIC EVIDENCE AND CRIMINAL JUSTICE
6.1. Introduction to electronic evidence and digital forensics
6.2. Capacity for digital forensics and electronic evidence handling
6.3. Cybercrime and the criminal justice system
6.4. Criminal justice capacity
6.5. Capacity building and technical assistance

CHAPTER SEVEN: INTERNATIONAL COOPERATION
7.1. Sovereignty, jurisdiction and international cooperation
7.2. Jurisdiction
7.3. International cooperation I – formal cooperation
7.4. International cooperation II – informal cooperation
7.5. Extra-territorial evidence from clouds and service providers

CHAPTER EIGHT: PREVENTION
8.1. Cybercrime prevention and national strategies
8.2. Cybercrime awareness
8.3. Cybercrime prevention, the private sector and academia

ANNEX ONE: ACT DESCRIPTIONS
ANNEX TWO: MEASURING CYBERCRIME
ANNEX THREE: PROVISIONS OF INTERNATIONAL AND REGIONAL INSTRUMENTS
ANNEX FOUR: THE INTERNET
ANNEX FIVE: METHODOLOGY
LIST OF ABBREVIATIONS

Computer Emergency Response Team
Computer Security Incident Response Team
European Convention for the Protection of Human Rights and Fundamental Freedoms
European Court of Human Rights
European Union
European Police Office
Group of Eight
Gross domestic product
Human Development Index
International Covenant on Civil and Political Rights
Second Optional Protocol to the International Covenant on Civil and Political Rights, aiming at the abolition of the death penalty
International Convention on the Elimination of All Forms of Racial Discrimination
International Covenant on Economic, Social and Cultural Rights
United Nations International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families
Information and communications technology
International Criminal Police Organization
Internet protocol
Internet service provider
Information technology
International Telecommunication Union
Near field communication
Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography
Peer-to-peer
Shanghai Cooperation Organisation
Short message service
Agreement on Trade Related Aspects of Intellectual Property Rights
United Nations Educational, Scientific and Cultural Organization
United Nations Office on Drugs and Crime
United Nations Security Council
URL  Uniform Resource Locator
USB  Universal serial bus
VGT  Virtual global taskforce
WEF  World Economic Forum
List of international and regional instruments and short names

African Union, 2012. Draft Convention on the Establishment of a Legal Framework Conducive to Cybersecurity in Africa (Draft African Union Convention).

Common Market for Eastern and Southern Africa (COMESA), 2011. Cybersecurity Draft Model Bill. (COMESA Draft Model Bill).

The Commonwealth, 2002. (i) Computer and Computer Related Crimes Bill and (ii) Model Law on Electronic Evidence (Commonwealth Model Law).

Commonwealth of Independent States, 2001. Agreement on Cooperation in Combating Offences related to Computer Information (Commonwealth of Independent States Agreement).

Council of Europe, 2001. Convention on Cybercrime and Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (Council of Europe Cybercrime Convention/Protocol).

Council of Europe, 2007. Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (Council of Europe Child Protection Convention).

Economic Community of West African States (ECOWAS), 2009. Draft Directive on Fighting Cybercrime within ECOWAS (ECOWAS Draft Directive).

European Union, 2000. Directive 2000/31/EC of the European Parliament and of the Council on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (EU Directive on e-Commerce).

European Union, 2001. Council Framework Decision 2001/413/JHA combating fraud and counterfeiting of non-cash means of payment (EU Decision on Fraud and Counterfeiting).

European Union, 2002. Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (EU Directive on Data Protection).

European Union, 2005. Council Framework Decision 2005/222/JHA on attacks against information systems (EU Decision on Attacks against Information Systems).

European Union, 2006. Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (EU Directive on Data Retention).

European Union, 2010. Proposal COM(2010) 517 final for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA (EU Directive Proposal on Attacks against Information Systems).

European Union, 2011. Directive 2011/92/EU of the European Parliament and of the Council on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (EU Directive on Child Exploitation).

International Telecommunication Union (ITU)/Caribbean Community (CARICOM)/Caribbean Telecommunications Union (CTU), 2010. Model Legislative Texts on Cybercrime/e-Crimes and Electronic Evidence (ITU/CARICOM/CTU Model Legislative Texts).

League of Arab States, 2010. Arab Convention on Combating Information Technology Offences (League of Arab States Convention).

League of Arab States, 2004. Model Arab Law on Combating Offences related to Information Technology Systems (League of Arab States Model Law).

Shanghai Cooperation Organization, 2010. Agreement on Cooperation in the Field of International Information Security (Shanghai Cooperation Organization Agreement).

United Nations, 2000. Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography (United Nations OP-CRC-SC).
INTRODUCTION

General Assembly resolution 65/230 requested the Commission on Crime Prevention and Criminal Justice to establish an open-ended intergovernmental expert group, to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation.

In its resolution 65/230, the General Assembly requested the Commission on Crime Prevention and Criminal Justice to establish, in line with paragraph 42 of the Salvador Declaration on Comprehensive Strategies for Global Challenges: Crime Prevention and Criminal Justice Systems and Their Development in a Changing World, an open-ended intergovernmental expert group, to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation, with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.[1]

In its resolution 67/189, the General Assembly noted with appreciation the work of the open-ended intergovernmental expert group to conduct a comprehensive study of the problem of cybercrime and encouraged it to enhance its efforts to complete its work and to present the outcome of the study to the Commission on Crime Prevention and Criminal Justice in due course.

The first session of the expert group was held in Vienna from 17 to 21 January 2011. At that meeting, the expert group reviewed and adopted a collection of topics and a methodology for the study.[2]

The collection of topics for consideration within a comprehensive study on cybercrime included the problem of cybercrime, legal responses to cybercrime, crime prevention and criminal justice capabilities and other responses to cybercrime, international organizations, and technical assistance. These main topics were further divided into 12 sub-topics.[3] Within this Study, these topics are covered in eight Chapters: (1) Connectivity and cybercrime; (2) The global picture; (3) Legislation and frameworks; (4) Criminalization; (5) Law enforcement and investigations; (6) Electronic evidence and criminal justice; (7) International cooperation; and (8) Prevention.

The methodology for the study tasked the United Nations Office on Drugs and Crime with developing the study, including developing a questionnaire for the purposes of information gathering, collecting and analyzing data, and developing a draft text of the study. Information gathering in accordance with the methodology, including the distribution of a questionnaire to Member States, intergovernmental organizations and representatives from the private sector and academic institutions, was conducted by UNODC, from February 2012 to July 2012. Information was received from 69 Member States with regional distribution as follows: Africa (11), Americas (13), Asia (19), Europe (24), and Oceania (2). Information was received from 40 private sector organizations, 16 academic organizations and 11 intergovernmental organizations. Over 500 open source documents were also reviewed by the Secretariat. Further details on the methodology are contained at Annex Five to this Study.

[Figure: Member State responses to the Study questionnaire (green) and Internet penetration (blue)]
Source: Study questionnaire responses and UNODC elaboration of MaxMind GeoCityLite

As required by General Assembly resolution 65/230, this Study has been prepared with a view to ‘examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.’ The mandate comes within the context of a number of other mandates and activities related to cybercrime and cybersecurity within the United Nations system.[4] In this respect, the focus of the Study is limited to the crime prevention and criminal justice aspects of preventing and combating cybercrime.

The Study represents a ‘snapshot’ in time of crime prevention and criminal justice efforts to prevent and combat cybercrime. It paints a global picture, highlighting lessons learned from current and past efforts, and presenting possible options for future responses. While the Study is, by title, a study on ‘cybercrime’, it has unique relevance for all crimes. As the world moves into a hyper-connected society with universal internet access, it is hard to imagine a ‘computer crime’, and perhaps any crime, that will not involve electronic evidence linked with internet connectivity. Such developments may well require fundamental changes in law enforcement approach, evidence gathering, and mechanisms of international cooperation in criminal matters.

[1] General Assembly resolution 65/230, Annex.
[2] E/CN.15/2011/19
[3] (1) Phenomenon of cybercrime; (2) Statistical information; (3) Challenges of cybercrime; (4) Common approaches to legislation; (5) Criminalization; (6) Procedural powers; (7) International cooperation; (8) Electronic evidence; (9) Roles and responsibilities of service providers and the private sector; (10) Crime prevention and criminal justice capabilities and other responses to cybercrime; (11) International organizations; and (12) Technical assistance.
[4] Including work in the context of developments in the field of information and telecommunications in the context of international security. See A/RES/66/24.
KEY FINDINGS AND OPTIONS

General Assembly resolution 65/230 requested the intergovernmental expert group to conduct a comprehensive study of the problem of cybercrime with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime. This Part presents the key findings from the Study together with such options.

Key findings

The key findings from the Study concern issues of:
• the impact of fragmentation at international level and diversity of national cybercrime laws on international cooperation
• a reliance on traditional means of formal internationa