ABA Section of Business Law
Business Law Today
Cybercrime Havens
Challenges and Solutions
By Susan W. Brenner and Joseph J. Schwerha IV
In May 2000, the Love Bug virus raced around the world, shutting down
business and government computers in over 45 countries and causing billions
of dollars in damage. The FBI quickly traced the virus to the Philippines,
where they identified Onel de Guzman as its likely author. But since the
Philippines then had no cybercrime law, disseminating the virus was not a
crime in that country. De Guzman therefore could not be prosecuted in the
Philippines, and he could not be extradited for prosecution in the United
States because extradition treaties require that conduct have been
criminalized by the country seeking extradition and the country holding the
suspect. No one was ever prosecuted for the Love Bug.
Catch Me If You Can
Also in 2000, American businesses were being victimized by hackers who extorted money by threatening to release information stolen from the companies' computers. The hackers--Alexei Ivanov and Vasiliy Gorshkov--made no effort to conceal their identities because they were in Russia, which did not have a cybercrime extradition treaty with the United States. The FBI used a sting to lure them to the United States. The Russians were invited--and came at their own expense--to interview with "Invita," a fake computer security company in Seattle. Once there, they demonstrated their hacking skills using laptops on which the FBI had installed keystroke loggers, programs that record what is typed on a keyboard. These loggers recorded the usernames and passwords the hackers used to access a Russian server that held tools they needed to show their prowess. After the loggers captured the usernames and passwords, the FBI arrested both men and used the captured information to access the Russian server and download data that became evidence in the prosecution of the hackers.
Gorshkov moved to suppress this data, arguing that it was obtained in violation of the Fourth Amendment because the agents did not have a search warrant and that the agents violated Russian law by "hacking" the Russian computer. The court rejected his Fourth Amendment argument because it found that the search of and extraction of data from the Russian computer occurred outside the United States; the Supreme Court has held that the Fourth Amendment does not apply to extraterritorial searches directed at noncitizens. The court also found that Russian law did not apply to the actions of the U.S. federal agents. Gorshkov was convicted, served three years, and went home.
The most interesting development in the case came in 2002, when the Russian Federal Security Service charged FBI agent Michael Schuler with hacking for his role in accessing the Russian computer. The Russians said that while they did not expect the United States to turn Schuler over for prosecution (which has not happened), they felt the charges were necessary to assert Russian sovereignty. The Federal Security Service said that if the Russian hackers' sentences were based on information U.S. agents had obtained by hacking Russian computers, this would open the door for U.S. investigators to use such "illegal methods" in the future, against suspects in Russia and in other countries.
Cybercrime Havens
These two cases illustrate the challenges cybercrime poses for criminal law. Law is at base territorial; criminal laws are promulgated and enforced by nation-states, which use them to control crime and maintain the baseline of internal order a society requires to survive. Criminal law therefore has been purely domestic; external threats to order that came from nation-states were dealt with by the military, not by law enforcement.
Cyberspace erodes the viability of this model. Territorial boundaries become irrelevant as online crime bleeds across national borders. Law enforcement officers find themselves confronting attacks that come, or seem to come, from halfway around the world. The crime scene is no longer local or unitary; it is fragmented into shards that will be scattered through several continents if the attacker was clever enough to route the attack through servers in different countries. Domestic law enforcement officers have little, if any, expertise in conducting this kind of investigation, and even when they do, they can confront obstacles such as the extradition issues we saw above.
The Invita scenario illustrates a possibility that generates concern among those charged with enforcing criminal law: cybercrime havens. In the Love Bug case, the Philippines was an inadvertent cybercrime haven; its failure to have cybercrime laws was an oversight, one the country quickly remedied. The Invita case comes closer to the true haven scenario: Russia had laws criminalizing hacking, but they were only for domestic use; Russia did not have laws in place to extradite Russians who attacked computers in other countries. The combination creates a de facto cybercrime haven: a country that outlaws internal cybercrime but tolerates, or even encourages, external cybercrime. The resulting scenario is analogous to the pirate havens that flourished in the Caribbean in the eighteenth century: a sheltering base of operations for those who generate revenue by preying on outsiders.
The International Response
How do we deal with the prospect--or the reality--of cybercrime havens? The best possibility we currently have for a solution is the Council of Europe's Convention on Cybercrime. It is based on the premise that harmonizing national laws will facilitate cooperation between law enforcement officers investigating cybercrime and eliminate the haven scenario by ensuring that cybercriminals can be prosecuted and extradited for prosecution. To that end, it requires countries that sign and ratify the Convention to outlaw a core of cybercrime offenses, to ensure their law lets them assist officers from other countries with cybercrime investigations and extradite cybercriminals, and to ensure they have jurisdiction to prosecute cybercrimes.
The Council of Europe opened the Convention for signature on November 23, 2001. Forty-three countries have signed the Convention and 21 have ratified it: Albania, Armenia, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Hungary, Iceland, Latvia, Lithuania, the Netherlands, Norway, Romania, Slovenia, the former Yugoslav Republic of Macedonia, Ukraine, and the United States. Any member of the Council of Europe can sign and ratify the Convention; several nonmember states, including the United States, can do so because they were involved in drafting the Convention. And the parties to the Convention can allow other countries to sign and ratify it as well.
How successful will the Convention be in bringing countries together in the fight against cybercrime? That remains to be seen. Some may elect not to sign it because they reap certain benefits from cybercrime. Countries that have little experience with cybercrime may be deterred by the complex legal obligations the Convention imposes. Finally, while cybercrime is a high priority for "victim" countries like the United States, it is much less of a concern for nations that have yet to become the targets of cybercriminals.
Solutions
This is not an esoteric, academic concern. You must have at least basic knowledge in this arena if you are going to adequately counsel your clients. Remember, Ivanov and Gorshkov were extorting American businesses during their purely domestic endeavors.
What can you actually do for your client if it becomes the next victim of a cybercriminal? From a practical perspective, the first thing to do is make sure that your client's system is operational and as safe as possible. Once done, the next objective is to determine how you and your client should respond. Should you contact law enforcement or file a civil suit? "Hacking" and "data theft" are not only crimes; the acts constituting those actions also may give rise to a private cause of action. If a thief steals your computer's data, it is not only a crime; it also could give rise to a cause of action for misappropriation of trade secrets.
If you are able to bring a civil action, there are two factors that must be considered immediately: (1) whether you have the resources to respond without involving law enforcement, and (2) where you have the best chance of success. You should realistically discuss with your client whether it actually is able or willing to devote enough resources to the case to avoid involving law enforcement. The answers will naturally depend upon whether your client is financially able to hire a consultant to help with the case, taking into account the importance of the entire matter.
If you proceed with a civil action, you probably will hire computer forensic consultants to preserve the evidence on your side and stand ready to image whatever evidence the court allows them to preserve. The lawyer on the case, either you or someone you retain, will then probably draft a complaint and motion for temporary restraining order and for preliminary injunction. Sometimes this can be done ex parte, but, most of the time, you'll have to contact the other side before any relief will be granted. You will then most likely be forced to file a motion for expedited discovery. If the judge doesn't grant immediate relief, you will have to look to the standard civil discovery procedures, which normally means that it will be a few months before you get into any real discovery. Mere suspicion that the other side may destroy data will not likely convince a judge to let you go and get an image of the digital evidence from the other side. And after you consider the disparities in these processes, think about how you would obtain evidence in the possession of third parties. In that event, you could be forced to file a motion for letters rogatory or to take depositions out of state.
Now compare the alternative of involving law enforcement. In most cybercrimes, law enforcement has four general methodologies for obtaining evidence: (1) subpoena, (2) "D" order, (3) general investigation, and (4) search warrant. The subpoena process operates just as in civil proceedings but is not available as a tool in the initial stages of investigation in all states. For example, local law enforcement in Pennsylvania may not issue a subpoena prior to filing a case. The "D" order, also known as a "specific and material facts" order, allows law enforcement to compel certain providers of "electronic communications" services and "remote computing" services to turn over to law enforcement certain electronically stored information held by third parties. For example, law enforcement could use a "D" order to acquire the identity of the person who registered a particular nickname utilized on Yahoo! Of course, the general investigative record not only creates a document trail, but also provides a very reliable, trustworthy third party to testify at a later date.
The search warrant, however, is far and away the most effective tool that law enforcement may use in a case. By utilizing a search warrant, law enforcement can gain immediate access to evidence in a quick, well-defined process that generally is not available in any civil case. Once in possession of the warrant, the officer may then immediately and forcibly obtain the evidence set forth in the warrant. Moreover, all that is necessary to obtain a warrant is the officer's demonstration that it is more likely than not, under the totality of the circumstances, that evidence of the crime or contraband can be found at the place to be searched. This provides almost immediate access to evidence that would be unlikely to be obtained in a timely manner, if at all, through civil process.
You are therefore left with the stark contrast between the two choices. If you do involve law enforcement, you get access to direct, inexpensive methodologies for obtaining evidence. If you choose the civil courts, you may still get the evidence, but the procedures are much more burdensome. Nevertheless, there are still reasons to avoid handing the case directly over to law enforcement. If you respond to the incident without involving law enforcement, you have much greater control over the investigation. This point, in and of itself, is reason enough for some people. You also may choose the civil lawsuit route to preserve confidentiality. If a criminal action is filed, it is public. If, for example, you had a nonreportable data theft, this could hurt your public image. Clearly, it is much better if you involve someone with exacting knowledge of both criminal and civil procedures for investigating cybercrimes.
Conclusion
With no boundaries to stop them, cybercriminals may strike anywhere in the world at any time. While some nation-states may be taking affirmative actions to cooperate in the investigation and prosecution of cybercrime, other nations have taken a more lax approach to prosecution of cybercrime activities outside their boundaries. This creates an immense threat to businesses that depend upon their cyber-infrastructure for their very existence. You not only should be aware of this threat; you also must be cognizant of the proper way to seek redress of cybercrime if your client becomes the latest victim.
Brenner is NCR Distinguished Professor of Law & Technology at the
University of Dayton School of Law in Dayton, Ohio. Her e-mail is
susanwbrenner@yahoo.com. Schwerha is an associate professor of business
law in the Department of Business & Economics at California University
of Pennsylvania in California, Pennsylvania. His e-mail is
schwerha@cup.edu.