Public hearing on transborder access to data. Written contributions




Cybercrime Convention Committee (T-CY)

Public hearing on transborder access to data

Written contributions

Hearing preceding the 9th Plenary of the T-CY, 3 June 2013, Strasbourg, France

Contents

1 APWG
2 Ciberdelincuencia
3 Cisco
4 Google
5 Leaseweb
6 ICMEC
7 University of Canberra

1 APWG

Introduction and Prefatory Remarks

The APWG is pleased and honored to submit comments on the Transborder Access to Data hearing. Our commentary is divided into three parts. First, there is an institutional biography of the APWG, followed by a few examples of how industrial cybercrime responders and investigators manage transborder data access between their peers. The third part answers the direct questions based on our examples and experiences from an industry perspective which have coloured our views on the transborder data access matters being engaged by the ad hoc committee.

The institution's motivation for submitting this commentary is to broaden the committee's understanding of the specific needs of industry and NGOs who routinely and, in many cases in 24/7 automated programs, exchange data related directly to active cybercrimes and criminal activities in order to protect the members of the public. APWG hopes the examples prove instructive to the ad hoc committee as to the role of industry in exchange schemes and again denying the larger society the benefits of unified responses to common, predictable threats.

APWG Institutional Profile

The APWG, founded in 2003 as the Anti-Phishing Working Group, is a US-based NGO with over 2000 member enterprises from a majority of the countries around the globe. Its mission is to identify common problems in responding to and managing Internet-based fraud and other electronically mediated crimes; operate data clearinghouses where e-crime related machine event data can be shared amongst APWG members and law enforcement; and to provide non-public fora to share best practices and techniques for reducing the number of e-crime events and therefore victims.

Noteworthy projects with global user constituencies include the URL Block List (a clearinghouse for reports of phishing websites and related metadata that distributes report records in real time to responders and technology companies around the world on a 24/7 basis); the STOP. THINK. CONNECT. Messaging Convention (a universal cybersecurity slogan, logo and related online safety advisories composed for persistent, borderless cybersecurity public awareness campaigns by public and private enterprises worldwide); the APWG/CMU-CyLab phishing redirection pages (an education program that directs credulous computer users to a warning and education page); and the eCrime Exchange Network, a meeting place and data exchange platform for APWG member responders to discover each other's forensic interests and exchange data related to cybercrime events.

The APWG's membership includes financial institutions, online retailers, ISPs and Telcos, international, national and local enforcement agencies, technology solutions providers, multilateral treaty organizations, research centers, trade associations and government agencies. APWG's directors, members and research correspondents have served as advisors and expert witnesses to national governments the world over and international treaty organizations such as the United Nations Office of Drugs and Crime, Organization of American States, the European Commission, the OECD and the Council of Europe's Budapest Convention on Cybercrime.

Examples of Industry's Everyday Interventions Against Cybercrime

A good deal of the data exchange required to respond persistently and effectively to cybercrime is embedded in security software products developed by industry and mounted on consumers' computing devices, more often than not employing a continually refreshed reserve of data to guard users' devices, and personal data, from new threats as they emerge. Further, in regards to forensic enterprises, many are surprised to find out that almost all initial ecrime investigation and response is performed by private parties, in almost all cases commercial enterprises and NGOs, not sworn law enforcement. As such, clarification and guidance exclusively for law enforcement operations misses the largest base of actual investigators and responders, who are largely employed in industry and the technology sectors that programmatically exchange data for security applications that are used to neutralize cybercrime events before they become damaging to people and enterprises.

Automated Data Exchanges for Programmatic Security Schemes

Embedded data exchange routines are a key component of computer security software. In fact, computer security software companies programmatically exchange copies of malware with each other that is routinely recovered from customer machines operated by individuals, as well as networked computers managed by commercial enterprises, to update the threat signatures on their security software products. As well, these companies and cybercrime investigators also subscribe to commercial and NGO-managed services and government-sponsored resources that supply such data as malware samples (and abstractions of them expressed as mathematical fingerprints for quick identification of known malevolent code), attack information, WHOIS data related to cybercrime schemes and events, and the network numbers of Internet Protocol (IP) addresses that have been associated with cybercrime and other malevolent or anti-social behavior.

Figure 1: Data table of phishing reports in CSV format

These resources inform the security products that consumers use to protect their devices and data from cybercrime and the systems enterprises employ to detect and neutralize cybercrime before it can cause harm to customers. Still, industrial security technologies comprise only part of the story of private law enforcement on the Internet. Brand holders staff security teams and contract with private security companies to investigate cybercrime and, when possessing enough information, make criminal case referrals to public sector law enforcement agencies. These professionals trade all of the data described above and more through automated systems, and manually through trusted networks of peers when forensic narratives emerge from the datasphere and they need assistance in tracing and profiling the actual perpetrators.

Industrial Cybercrime Investigator's Work Profile

We will examine a relatively simple phishing operation as an example that illustrates the workaday tasks completed by private industry interveners, their roles and responsibilities and, as importantly for the committee's work, the kinds of data that they have to exchange, examine and process (most automatically) every day to complete the counter-cybercrime tasks that are normal parts of their professional briefs.

Phishing is an activity where a criminal sends out an email or other message (the lure) to a set of potential victims. The lure asks the recipient to enter their banking or other username and credentials into a fraudulent webpage (the collector) for some spurious rationale (e.g. system update; emergency account closure). The victim's credentials are harvested and stored for later retrieval by the criminal (the credential database). Once captured, the banking credentials are used to steal funds from the victim, used as an account to launder money, or as a basis for further identity theft.

The phishing operation has three specific phases: 1) the sending of the lure; 2) collecting credentials submitted by credulous marks at a counterfeit website imitating the appearance of a trusted brand; and 3) abusing the captured credentials for cashing out somehow against the victim's accounts via withdrawals or payment routines.

In general practice, the phishing operation is usually detected by a private party, such as a bank's remote channel security team or a security services company working for victimized brand holders, watching for suspicious activity. The observing party could be technicians monitoring the targeted financial institution's online banking services hosted at the bank's own site or searching for and detecting counterfeit websites spoofing the bank's brand. Or it could be a contracted security monitoring organization, or even reported by the general public, as is the case with the APWG's clearinghouse that has been receiving and redistributing phishing reports from the public since 2003.

Once detected and verified, an attempt is made to disable the web page (the collector) by contacting the domain owner, if the website has been planted on an existing legitimate website. As most phishing collector websites' domain names and hosting resources are registered with fraudulent or stolen identities, attempting to notify the website owner is a fruitless adventure. Escalating the disablement request to the web server operator or to the domain registrar will result in success, but responders first need to verify the request and to attempt to contact the party whom their counsel will accept as the web server owner before proceeding. Reducing the lifetime of the website is crucial to minimizing victimization, since the longer the collector and database are available, the more time there is for harvesting new victims. A workable way to enable disablement of the collector server when the actual owner of a website cannot be determined and offer consent needs to be developed.

A different set of issues arises for the phishing database system. After the collector is disabled, the phished organization may wish to gather the list of victims to perform mitigation. The same fraudulent identity information used in the collector was probably used for the database system, i.e., there is no real, identifiable person to give consent for the organization to recover its own data (the account numbers and passwords) to identify and assist victims. An additional challenge is to delete, corrupt, or otherwise render useless the actual data in that database before it can be used by the criminal.

Once the collector servers and database systems have been disabled, the initial investigator may exchange details such as tactics, software used, or geographic location of the servers, owner identity or characteristics with other investigators to attempt to identify the criminal(s) behind the activity. Once enough actionable information is compiled, this data (not evidence but background or intelligence data) may be turned over to law enforcement to initiate an operation to track, identify and capture the criminal(s). The data exchange needs to be performed in a way that protects the sensitivity of the data but does not signal the criminal(s) that they have been discovered. Most times the three components (the lure, collector, and database) are in different jurisdictions, but that fact does not add any real additional complexity to an already complex situation.

A number of the points raised in this example may be mitigated with the proper wording in user agreements between website owners and the service providers who respond to cybercrime events, although we have found many providers' legal counsel reluctant to be the first to actually add that language. In some jurisdictions, finding the right words to balance the privacy versus investigative principles is still a challenge. Actual guidance with concrete language, pointing to use cases, may influence the adoption into more user agreements.

Correspondents' Conception of Article 32b

Operational Aspects: Using the current Article 32b of the Budapest Convention on transborder access, the correspondents, viewing its language from an industrial perspective, understand:

a. The notion of consent in this Article

We understand the concept of consent to imply that an easily identifiable entity that owns or controls private or sensitive data (the owner) may voluntarily or upon request produce a copy of that data to aid in an investigation. Said investigation may be conducted by a law enforcement or private investigative group.

b. The notion of a private entity being a person who lawfully can provide access or disclose data

One shortcoming of the consent principle is that criminals will use known stolen, fictional, fraudulent, opaque, or obtuse identifying information in order to hide their true identity and thwart the consenting activity. Currently, if the true identity of the data owner cannot be ascertained, there is no consistent way to escalate the request to the service operator to gain access to the data. In the fast-paced world of e-crime, these delays are costly. One of the issues that arises periodically is when the identifying information is accurate but the data owner intentionally impairs the consent request so they can destroy the offending data. Although the data owner may be charged with spoliation, the actual data, which may include victim identification or transaction logs, is now lost. Jurisdictions should have some mechanism for a service provider to capture the data requested (much like a preservation request) when the consent requests are expected to be troublesome. If consent is not assented, the copy of the data could be destroyed.

c. The type of data that can be disclosed by a private sector entity

The data that cybercrime responders routinely seek are the logs of a collector, or otherwise compromised server, and the actual victim identifications from the phishing database. The victim identifications can be returned to the credential owner for victim assistance. The log files, which will not normally contain personally identifiable information, are a great resource in identifying the criminal parties. No operational personnel encountered by the correspondents ever subscribed to the idea that an unenriched Internet Protocol (IP) address number by itself is considered personally identifiable information, since they change regularly and identify a system, not a person. Overwhelmingly, operations personnel regard this interpretation as an impediment to organization of shared data resources that could help scale efforts to detect, halt and investigate cybercriminals.

The correspondents believe there are two types of data accesses that should be addressed by 32b: evidentiary data recovered by law enforcement to be used as evidence in a recognized court and often including PII related to real living people and suspects (and subject to all the protections afforded by the data privacy and protection statutes of the EU), as defined by law or treaty; and technical background data, which is used to better understand the criminals' illicit activities, their movements through networks or their techniques. In many cases the background data is correlated and reduced to a specific data set that is turned over to law enforcement for a formal, evidence-based investigation. This is not to say that the background data is magically turned into evidence, but rather the correlated background data is used as a starting point for formal evidence collection that would provide information admissible to a court.

APWG and its data-exchange correspondents are exploring the concept of machine event data to be shared amongst our members, which is a new term for automatically generated technical background data that can be shared and correlated extremely quickly through computer programs. This type of data is automatically generated by networked computers and security systems (such as intrusion detection or firewall devices) when they discover malicious activity. The ability to correlate multiple sets of machine event data is invaluable when trying to ascertain malicious intent or distinguish criminal intent from generic user errors, or to determine criminals' attack techniques and assist in identifying likely candidates for further investigation. The correspondents do not believe a consent option is required for this type of data.

d. The conditions for disclosing data or providing access

Private entities should be able to provide access to system logs and other non-personal data for security applications in which common databases of event data provide greater efficacy, or when they suspect criminal activity, or when consent is not expected to be given in a timely manner. This type of data access should be considered technical background data, as its collection and handling will normally not meet the requirements of actual evidence. Whether law enforcement could request the data or the private entity must start the exchange is an issue that may never get resolved.

e. The notion of the person consenting to provide access or disclose data, especially in the situation where that person is somewhere else than in the territory of the requesting state

With the ease at which data can flow and separate into multiple servers in multiple jurisdictions, we follow guidance that says the owner of the data can provide the necessary consent, irrespective of where the data is. If I, as owner or controller of the data, move the data around to gain cost or operational advantage, I'm still the owner or controller. This guidance works fine for the small, specific data sets that cybercrime responders and investigators seek, but may not work in all situations.

Regarding the proposal to allow for enhanced possibilities for transborder access through an Additional Protocol to the Budapest Convention

a. The option of transborder access with consent but without the limitation to data stored in another Party

This situation seems analogous to that in section e, above. The data owner's consent should carry wherever the owner's data resides. Since the data disclosure is with consent, if the other Party objects to the transfer, the data owner could just duplicate their data in a more friendly Party and get around the objection. (This brief response does not take into account the data import/export regulations that will significantly impact the duplication operation.)

b. The option of transborder access without consent but with lawfully obtained credentials

This is a common tactic amongst private investigators. No laws are broken and the resultant data speeds up the identification of the perpetrators. Use of a stronger word than obliged is suggested, though.

c. The option of transborder access without consent in good faith or in exigent or other circumstances

The quick pace of Internet crime makes this an important consideration. As in the non-Internet world, some legal follow-up should be required if this activity is undertaken.

d. The option of extending a search from the original computer to connected systems without the limitation in its territory (Article 19.3 Budapest Convention)

Many Internet applications use multiple servers to implement their services. For example, there may be a web server (front-end), a Java language server to process the web pages, and a database server to hold user input. For cost or disaster recovery purposes the three (or more) physical servers may be scattered across multiple data centers or jurisdictions. Cloud computing is a fine example of this multiple server architecture. If the search is expecting to gather all the related data, it seems odd to limit the data returned to be the data that is only resident in one territory, or one server. As more and more data is scattered across multiple data centers (or jurisdictions) it seems odd to only allow legal search accesses to a portion of the data. A request for data should return the entire requested data set irrespective of where the data is.

e. The power of disposal as connecting legal factor

We agree with the position stated in Proposal #5 in the protocol v2 paper. It speaks to the reality of distributed data schemes that are increasingly the mode of deployment for computer databases.

f. Conditions and safeguards required

Current law and multilateral treaty language was in some ways prescient but sometimes falls short in addressing the reality of industrial and NGO responders as the primary investigative agents protecting consumers and enterprises against cybercrime, leaving uncertainty in areas and leaving interpretation open and subject to restrictive and limiting recitations by corporate counsels believing they are managing liabilities that may not be contained in these legal codes. The Convention needs to address the spectrum of data that interveners exchange and the scenarios in which they are traded, as well as the nature of the roles that the interveners play. At one end of this spectrum are real identity data, subject to the protections of the European data privacy laws; and at the other, unenriched machine event data that represents only transactions or data movements between Internet-connected devices at a specific moment, betraying no content or communications data.

g. Other situations that should be covered by an Additional Protocol

The trouble is not what is explicit in the laws and regulations regarding data privacy and data protection but lack of instruction regarding safe harbor for usage of different kinds of electronic data in security and forensic applications. Almost all of the data that security personnel acquire and use have no connection at all to real, living people. Almost all of it refers only to machine events, such as the scanning of an IP address range or the shifting of the network address of a maliciously registered domain name. We posit that these kinds of "machine event data" are completely separate from and formally distinguished from personally identifiable information that requires an association of an event, address or value to a real person. Machine event data, we posit, may be established as a category of data that can be mobilized with the certainty of its and maintenance of machine event databases of WHOIS data associated with cybercrime events only and having no association with named real, living people.

Conclusion

Industrial management of cybercrime is a workaday reality that needs to be accommodated in law and regulation as much as law enforcement's role in pursuing cybercriminals, given the roles industry immovably inhabits in its position as custodian of customers' interests. The recommendations that the ad hoc committee is formulating would do well to recognize and codify these realities to assure industrial actors that their workaday efforts do not conflict with treaty language.

APWG gives thanks to the Convention for being invited to submit this commentary and offers any and all of its resources to help the ad hoc committee in the further development of its recommendations and additional protocol.

2 Ciberdelincuencia

The following document contains some personal views of the authors on the issue of transborder access and jurisdiction currently under consideration by the T-CY Committee of the Budapest Convention. We'd like to thank the Chair and the members of the T-CY Committee for offering the opportunity to provide brief views on this important public hearing.

With regards to the three solutions contained in the final report of the T-CY to be pursued in parallel, we fully support the proposal of further developing a Guidance Note on the scope and effect of Article 32 in the investigation of conduct and access to data by law enforcement authorities (LEAs) in other jurisdictions. Such a Guidance Note should reflect further detailed practices and description on how LEAs of countries that have ratified the Budapest Convention are accessing and obtaining data in other countries to investigate crime and obtain evidence to prosecute offenders whose crime has effects on the territory of another country, based on the international principles of jurisdiction and mutual legal assistance, since this is a global issue that might have tremendous repercussions in the field of public international law. Further, we believe such a Guidance Note should also reflect practices occurring in other countries, including a description of the technical and legal limitations that prevent countries that are not signatories of the Budapest Convention, in order to guide and help them deal with the issue appropriately. We believe such a task would bring certainty for a number of non-European countries if they wish to become signatories of such treaty in the future.

LEAs in Europe are better positioned in terms of technical and financial resources and operate under established cooperation paths and channels to carry out cybercrime investigations in comparison to LEAs in other countries. This situation is gradually changing in some countries of Latin America and the Caribbean through the Organization of American States, but unfortunately for many countries of that region the investigation and prosecution of cybercrime is not yet a priority.

As noted in the final report of the T-CY, the issue of transborder access to data and jurisdiction is not new and has been discussed for more than two decades, including during the negotiations of the Budapest Convention 1. With the current decentralization of servers and the deployment of data centers worldwide through cloud computing, the issue of transborder access, the location of data, and the different criteria and current practice of Internet access providers to disclose information and data to LEAs is getting extremely complex, and the rules differ significantly from one country to another. Based on these concerns, we firmly believe that the Council of Europe, with the support of national experts, should facilitate resources to provide capacity and training to LEAs in other countries, on the one hand, to make LEAs aware of the importance of complying with the technical and legal frameworks on access to data and the existing international assistance channels to carry out transborder investigations in other countries, and on the other hand to ensure the compliance with the international and national frameworks on data protection and access to information.

With regard to views on the notion of consent under Article 32 b of the Budapest Convention, as far as countries in Latin America are concerned, there is currently no uniform set of practices or guidance for LEAs in the region; therefore LEAs operate under full discretionary powers.

1 Cybercrime Convention Committee (T-CY), Transborder access and jurisdiction: What are the options? Report of the Transborder Group adopted by the T-CY on 6 December 2012, p. 19

In many countries of Latin America, the rules on interception of private communications and access to data and disclosure might either fall under the scope of substantive and procedural criminal laws, data protection laws or access to information legislation. For instance, in Mexico, Articles 16-28 of the Federal Law Against Organized Crime (FLAOC) provide the legal hypothesis, modalities and procedures to authorize the interception and access of private communications by law enforcement and judicial authorities in national territory. Article 16 of the FLAOC establishes that activities such as those carried out orally, in writing, by signs, signals or through the use of electronic, wired and wireless devices, computing and equipment systems or any other means or form that allows for the communication between one or multiple emitting parties or one or multiple receiving parties might be subject to the intervention of private communications.2 The Federal Code of Criminal Procedure and the Federal Telecommunications Law establish specific provisions that mandate cooperation of telecommunication and internet service providers with LEAs in order to obtain and disclose information and judicial evidence when requested3 and in the identification of the real-time geographic location of mobile communication equipment associated to telephone lines as part of investigations related to organized crime, crimes against health, kidnapping and particularly extortion threats.4

Mexico enacted the Federal Law on Protection of Personal Data Held by Private Parties (FLPPDPP) in July 2010 and its Regulation in December 2011. Such federal Law and its Regulation regulate the legitimate, controlled and informed processing of personal data in possession of individuals and private legal entities, which includes telecommunication providers and Internet access and service providers. The Law and the Regulation establish specific rules and exemptions on the notion of consent for the processing of personal data.5 Additionally, Article 52 of the Regulation establishes specific obligations and conditions for the processing of personal data for cloud service providers. Among those obligations are to maintain the confidentiality with respect to the personal data regarding the service provided or offered and to establish mechanisms for impeding access to personal data to individuals who do not have the corresponding access credentials or, in the event of a request duly made by a competent authority, whereby cloud service providers should inform the data controller on such request. Neither of said laws and regulations stipulates specific rules and conditions for disclosing data or providing access to LEAs of evidence located in other States or foreign jurisdictions, nor specific guidance on how Internet service and access providers might facilitate and provide access and disclose data when the perpetrator is located in a territory different than the requesting State of the LEA.

In August 2011, a Mexican Court on Constitutional Matters (Primera Sala en Materia Constitucional) issued a judgment on the right to the inviolability of private communications. The judgment found that traffic data such as the identity of the caller, the telephone call duration or identification of an Internet protocol address (IP) should afford the necessary protection in order to preserve the right of privacy of communications pursuant to paragraphs twelfth and thirteenth of Article 16 of the Mexican Constitution.6

2 VELASCO, Cristos, Cyber Law in Mexico, see paragraphs 655-659, pp. 352-353, Wolters Kluwer Law & Business, Fourth Edition, January 2013.
3 VELASCO, Op. cit., paragraph 699, p. 380.
4 Ibid., paragraph 660, p. 353.
5 See Articles 8 to 10 of the Federal Law on Protection of Personal Data Held by Private Parties (FLPPDPP) and Articles 11 to 21 of its Regulation. The FLPPDPP and its Regulation are available on the website of Proteccion Datos Mexico (ProtDataMx) at http://protecciondatos.mx/information/?lang=en
6 VELASCO, Op. cit., note 2, paragraph 633, p. 333.

The great majority of countries in Latin America, including Mexico, have entered into bilateral and multilateral agreements on judicial cooperation on criminal matters within the sphere of the Organization of American States (OAS).7 Although such instruments have been useful to improve the necessary channels for cooperation on criminal investigations, prosecutions and proceedings among countries of the region, the reality is that such instruments have proved to be ineffective when it comes to the investigation of computer and Internet related crime that necessarily requires immediate reaction from LEAs, national contact points, and the support from private sector entities and Internet intermediaries in order to identify and investigate cross-border crime pursuant to the existing procedural and technical channels.

Final Observations

We support the T-CY proposal of further developing a Guidance Note on the scope and effect of Article 32 in the investigation of conduct and access to data by LEAs in other jurisdictions. Such guidance note should not only reflect and describe both the technical and legal procedures used by countries that have ratified the Budapest Convention regarding the practices used to extend searches and access data stored in servers and data centers located in other jurisdictions, but it should also include a description of the technical and practical legal limitations encountered by LEAs with Internet intermediaries. We believe such initiative would surely guide and help non-signatories of the Budapest Convention to deal with these issues on a better basis and offer them certainty if they wish to become signatories of such treaty in the future.

The Council of Europe should encourage both signatory and non-signatory countries of the Budapest Convention to establish specialized multi-stakeholder working groups that could function as contact points for the exchange of information and practices related to aspects of jurisdiction and transborder access to data in their own countries. We believe the work and feedback of such national working groups should not only bring added value to the activities currently undertaken by the T-CY Committee, but also a source of comparative experiences occurring in other countries. Finally, we'd like to underline the importance of facilitating resources to provide capacity and training to LEAs in other countries to help them comply with the technical and legal frameworks on access to data and the existing international assistance channels to carry out transborder investigations in other countries, while ensuring the compliance with the international and national frameworks on data protection and access to information that are fundamental human rights.

7 See Inter-American Convention on Mutual Assistance in Criminal Matters of 23 May 1992 and its Optional Protocol of 6 November 1993, available on the website of the Organization of American States at: http://www.oas.org/juridico/mla/en/en_convention.html

3 Cisco

Cisco Systems is pleased to respond to your solicitation for comments of 14 April 2013 regarding clarifications to the Budapest Convention, as well as a proposed additional protocol on enhanced transborder cooperation. We believe the Convention on Cybercrime is an important tool for law enforcement that provides for a means to help address the important issue of cybercrime. Research has previously shown that both accession and even congruence to the Convention provide benefit to countries. The convention itself is now twelve years old, and should take into account recent developments, both in terms of the overall ICT market as well as the way in which issues have evolved over this span of time.

As a leading global provider of products and services for the Internet, including security and cloud-based services, Cisco has gained a significant amount of experience in networking and associated issues related to cyberspace. Research has shown that transborder cooperation is an important aspect for addressing cybercrime. Meaningful improvements in the area of transborder cooperation may have a positive impact on overall cybersecurity. We would like to bring to your attention two general concerns when considering proposed changes:

a. There should be clear and transparent rules for when a demand for release of information is competent.

With forty-nine signatories with numerous different legislative frameworks and constitutions, it is important for a recipient of a request for information to understand who is authorized to make a request for information, what form that request should take, what notification should take place (if any), and what the requirements are for preservation of that evidence (if any). The Convention as it stands today is clear on these points. The proposed protocols, however, may introduce uncertainty, especially as it relates to third parties. Although physical devices (such as a particular computer) can provide clean boundaries for the scope of any search, the issue becomes murkier when networks and storage cross country boundaries, which may be the case with services such as the cloud. Any new proposal should take into account, and address, the issues raised by the possibility that information is stored in many devices, and perhaps in many countries. At the same time, it is important for proposals to seek to ensure that businesses are not put in a position where cooperation with one jurisdiction puts that business in legal jeopardy in another jurisdiction. For example, if a signatory were to request information about a subscriber in the EU, under the proposed revision of the Data Protection Framework, the service provider could potentially be required to obtain consent from the data subject before forwarding the information, or at least provide information about the request and give them the right of access and to object. This could be in direct conflict with the requirements of the original request. We would request that guidance or additional protocols should take into account such jurisdictional issues and ensure that contradictions are resolved in discussions between Parties as opposed to sanctioning service providers caught in the middle.

b. Attention to establishing clear and established procedures

Clear and established procedures within the context of the Convention will help facilitate cross-border law enforcement efforts. It is important that the law enforcement community work closely with the Internet community to establish strong lines of communication, and that each trains for these situations. The Forum of Incident Response and Security Teams (FIRST) provides both regional and global training opportunities in this regard with an eye toward improving readiness.

In conclusion, we hope that providing clear and established procedures that take into account the legal frameworks of both signatories and non-signatories and the rights of their peoples will reduce cybercrime.

4 Google

Google thanks the Council of Europe for the opportunity to submit comments in advance of the public hearing to address transborder access to data and the Budapest Convention on Cybercrime. Based on our experience, we believe that it is critical to focus efforts on improving existing internationally recognized evidence gathering mechanisms, which can protect the public as well as the rights of users and national interests alike. The rationale for our position is outlined below. For more information about how Google handles government requests for user data, please see our Transparency Report and our legal process FAQ.

a. Legitimized Hacking into Remote Systems is a Dangerous Step.

An arrangement that allows a government to circumvent the security of private sector networks to acquire evidence presents a serious threat to the sovereignty of other countries, and to the wellbeing of the companies, their networks and the users.

b. No Demonstrated Need for Ability to Circumvent Internationally Recognized Mechanisms.

Google recognizes the challenges presented by cloud computing and the reality that data important to an investigation may reside outside the territory where the crime took place or is being investigated. But there is little data to suggest that existing Article 32 of the Budapest Convention and other instruments fail to provide adequate mechanisms to address the concern.

c. Can Improve Government-to-Government Evidence Gathering Mechanisms.

Even if current international mechanisms were inadequate, focus should be upon improving those instrumentalities rather than adopting unilateral cross-border evidence collection without the knowledge or cooperation of legal authorities of the Party with jurisdiction over the person from whom the data is sought. To that end, Google supports improvements to the MLAT process in particular, because bilateral treaties can address many of the concerns raised in the proposal: respect for human rights, dual criminality, protection of users and property, etc. The International Chamber of Commerce has articulated principles that are helpful in that regard. These MLAT improvements should be made before unilateral authorities are deemed necessary or appropriate.

1. Consent Should not be Unlimited or Compelled.

Google also is concerned about the proposal's interpretation of consent. Any protocol would have to include the notion that consent may be withdrawn by the person with control over the data. Thus, while an employee in the requesting country may have authorized access to company data stored outside the jurisdiction, the company should be able to withdraw such consent at any time to protect its rights or property. Further, consent must be viewed consistent with the principle of control, which in turn includes the concept of lawful access and disclosure. An employee may be lawfully authorized to access data in another country for legitimate business purposes, but the law of the country where the data is stored may limit the right of access by precluding disclosure without legal process from the country where the service provider resides or the data is otherwise stored. These protections are critical to avoiding compelled consent where, though voluntary in the requesting country, the failure to consent has clearly implied negative ramifications for the individual.

2. Expand to Non-Signatories.

Google urges the working party to expand its analysis to include countries that are not signatories; the creation of international norms is important, and an international norm that embraces unilateral cross-border access may be interpreted by non-signatories as acceptance of a procedure that no one agrees with without all the safeguards presented in the proposal, but private entities have to deal with in practice.

5 Leaseweb

5.1 General overview

5.1.1 About LeaseWeb Netherlands B.V.

With 60,000 hosted servers, hosted content that generates 3-4% of all global internet traffic and more than 200 highly skilled employees, LeaseWeb Netherlands B.V. is one of the world's largest Internet hosting service providers. Our core business is to provide high quality computer servers, racks, power supply and a fast Internet infrastructure. The majority of our clients are hosting resellers, who re-rent their LeaseWeb servers to their respective customers to deliver Internet services. LeaseWeb's fast infrastructure also attracts user generated content sites and cloud storage providers. Besides offices in the Netherlands, LeaseWeb also has operations in Germany (LeaseWeb Deutschland GmbH) and in the U.S. (LeaseWeb USA, Inc.). By estimate, LeaseWeb's servers host 2 million websites. This paper represents the position of LeaseWeb Netherlands B.V. (hereafter "LeaseWeb").

5.1.2 Abuse handling

LeaseWeb has a clear business perspective on hosting: it will host anything as long as it is legal in the jurisdiction it is hosted in. For LeaseWeb, this means that as long as customers uphold their contracts and act within the boundaries of the Dutch law, LeaseWeb will provide them with our hosting service and respect confidentiality of business operations and data privacy. To support the fight against cybercrime, LeaseWeb works closely with the Dutch National Police. However, the fight against cybercrime has to be balanced with respect for the privacy of customer data and the confidentiality of lawful business operations. In addressing this dilemma, it is LeaseWeb's opinion that it is ultimately only up to the Dutch LEA and courts to assess what is illegal under Dutch law.

5.1.3 Law Enforcement Requests

LeaseWeb's Law Enforcement Transparency Report shows that in 2012 LeaseWeb B.V. received 240 government requests for access to, disclosure of or removal of data related to our dedicated hosting and cloud offerings.1 In addition, the Dutch fiscal police impounded 60 servers owned by one client, a large cloud storage provider, following a Mutual Legal Assistance Treaty (MLAT) request from the U.S. government.

5.2 LeaseWeb's position on guidance on article 32b of the Budapest Convention on Cybercrime

5.2.1 On the notion of consent

In order for consent to be valid, it should be given freely and must be based on sufficiently specified and understandable information.2 In LeaseWeb's experience, requests of foreign LEAs to voluntarily consent to transborder access are frequently not presented as voluntary, nor experienced by LeaseWeb as such. Following a refusal to voluntarily consent to cooperate, it is not uncommon to be threatened that criminal proceedings will be initiated against LeaseWeb's management board. Such force and pressure is at odds with the notion of freely given consent and leads to conflicts with privacy and data protection laws, violations of commitments to individuals, employees, and customers, as well as risks of political tensions and negative impact on business decisions. In addition, LeaseWeb does not have the legal expertise nor is it in the position to determine the legality or illegality of any foreign request relating to criminal offenses. Moreover, such requests often do not provide specific information, may be written in an unfamiliar language and/or appear disproportionate in regards of the extent of data requested. LeaseWeb rejects law enforcement requests, in total or in part, if they are invalid, incomprehensible, or otherwise have no basis under the law.

5.2.2 On the person who can provide access or disclose data

Following the wording of article 32b of the Convention, consent may be given by the person who stored the requested data, not any intermediary, third or other party.

Article 32b of the Budapest Convention on Cybercrime allows "A Party (...) without the authorisation of another Party [to] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system" (emphasis added). Explanatory note 294 further details that "who this person is may vary depending on the circumstances, the nature of the person and the applicable law concerned. For example, a person's e-mail may be stored in another country by a service provider, or a person may intentionally store data in another country. These persons may retrieve the data and, provided that they have the lawful authority, they may voluntarily disclose the data to law enforcement officials or permit such officials to access the data, as provided in the Article" (emphasis added).

Following the wording of article 32b and its explanatory note, LeaseWeb is convinced that the referred person is in fact the person who stored the data abroad through a computer system. For instance, Anne, a national of the Netherlands, who uses Gmail and whose e-mails are thereby stored on servers in Ireland, may voluntarily consent to the Dutch LEA, who is investigating a criminal case, to retrieve her data stored abroad through her e-mail account ("through that computer system"). By providing her account name and password for this goal, Anne provides explicit consent. There is no indication whatsoever in article 32b of the Convention, nor in the explanatory note, that this person can also be an ISP or any other third party.

5.2.3 On the notion of transborder and location and access without authorisation of another Party

Any Party's request for transborder access in relation to criminal investigations should follow the formal route.

It is LeaseWeb's strong conviction that consenting to a voluntary access request by a foreign LEA to data hosted in the Netherlands is at odds with Dutch law, most notably with the right to privacy, and may even be at odds with article 32b of the Budapest Cybercrime Convention.3 Therefore, such requests should never be aimed at an intermediary by means of voluntary consent, but should rather be formally requested, by means of mutual legal assistance, through the LEA of the country under whose jurisdiction the intermediary resides. Or, following from article 32b of the Convention, with consent of the person who intentionally or unintentionally stored his data abroad and is subject to criminal investigations.

5.2.4 LeaseWeb's position on an Additional Protocol to the Budapest Convention on Cybercrime

An Additional Protocol to the Budapest Convention on Cybercrime as suggested is at odds with the principle of territoriality and legal certainty and creates an unstable business climate.

As a Dutch company, LeaseWeb is required to uphold and fulfill the requirements of the Dutch law. This way, LeaseWeb has a reasonable understanding of what is legal and what isn't in the Netherlands. This provides security for LeaseWeb to develop and invest in its business and to provide clearly defined services to its customers. LeaseWeb understands the complications that cross-border crime and technical developments entail for tackling cybercrime. However, voluntary compliance with direct requests from foreign authorities to provide access and/or disclose data in relation to investigations of supposed criminal offences in another Party and/or by the law of another Party is at odds with the principle of territoriality and legal certainty. Unlike international private law, which is much more harmonised on an international level, (substantive) criminal law is still very much a national affair. This may lead to situations of competing sovereignty, whereby LeaseWeb has to judge the merits of a particular case and decide whether a request may be fulfilled under local law as well as Dutch law. It is not possible for LeaseWeb to understand and apply another Party's legal framework to determine the legality of a request from a foreign LEA and to weigh it. To create or expand a legal basis for voluntary consent would create even more uncertainty for LeaseWeb on the legal environment in which to develop its business. This problem is exacerbated by the fact that in those cases where LeaseWeb wishes to contest the request, it has to be familiar with the law of criminal procedure of all signing parties, in practice leaving LeaseWeb without an effective legal remedy. Finally, the legal regime and the protection it provides intermediaries may also differ from country to country, creating an even more uncertain business climate.

LeaseWeb follows lawful orders given by the Dutch court or LEA. This includes MLAT requests that are 'translated' into offenses under Dutch law, to the widest extent possible. This approach is in line with the principles of territoriality, legal certainty, and fundamental rights. Furthermore, it allows for a more stable and safe business climate in which innovation can thrive. There is no need for an Additional Protocol to the Budapest Convention on Cybercrime. What is needed is to improve cooperation between LEAs on the use, timeframe and execution of MLAT requests. Transborder access to data in relation to criminal investigations is already possible under a MLAT. Thus, in order to fight cross-border cybercrime more effectively, the Council shouldn't seek to expand the concept of 'voluntary' cooperation to transborder access with consent, but instead try to expand possibilities within MLAT and to improve cooperation between LEAs in applying the MLAT, as mentioned in the report of the Transborder Group.4 There already exists a 24/7 hotline for LEAs whereby in urgent cases LEAs can request MLAT at short notice. Such initiatives should be stimulated and expanded, rather than creating more room in the current legal framework for requesting access to data across borders. This is the only way to guarantee the principles of territoriality and legal certainty are protected, as well as fundamental rights and legitimate business interests. Difficulties between LEAs and their foreign colleagues in the cooperation under MLATs shouldn't become the problem of legitimate businesses and their clients. It will create legal uncertainty that may threaten the fundamental rights and freedoms of our clients and an uncertain business climate that will hurt innovation.

Contact: Mr Alex de Joode, LeaseWeb Senior Regulatory Counsel

6 ICMEC

THE NEED FOR EXPANDED TRANSBORDER ACCESS TO DATA

The Internet has created an exciting, new world of information and communication for anyone with access to online services. While this technology offers unparalleled opportunities for children and adults to learn about the world, it has also had an immeasurable impact on child victimization, specifically through the distribution of sexually exploitive images of children. Increased accessibility and the use of home computer technology have revolutionized the distribution of these images by providing greater anonymity, increasing the ease of possession and dissemination and decreasing the cost of production and distribution, especially across international borders. The continual expansion of the access to and use of Information Communication Technologies and the speed at which new technological tools and applications are developed has provided an ideal atmosphere for the criminal element to utilize these tools to commit countless crimes. An increasing amount of available data, use of encryption and other barriers, the fluidity of movement of data between servers and networks worldwide, and cloud-based services with unknown locations are all examples of issues that pose serious challenges for law enforcement in collecting electronic evidence, investigating cases, and ultimately prosecuting criminals. There is an evident need for standardized and harmonized laws that facilitate effective cooperation and coordination amongst law enforcement, as well as between them and the private sector, in different countries. This depends on their ability to access data necessary to arrest and prosecute those seeking to use these technologies illicitly, in particular to commit crimes against children. As a global non-governmental organization working with law enforcement, industry partners, and other stakeholders worldwide to improve the protection of children, greater transborder access to data is essential to these efforts.

Article 32 of the Council of Europe Convention on Cybercrime addresses transborder access to stored computer data with consent or where publicly available. It states:

"A Party may, without the authorization of another Party:
a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system."

The notion of consent as articulated in Article 32b requires that, in order to access or receive stored computer data located within the jurisdiction of another State Party, the seeking party must request consent from the entity, legal or natural, which has the lawful authority to share that data. The Party with jurisdiction may not be compelled to provide such consent. A private entity, such as an Electronic or Internet Service Provider, Cloud-based Provider or other private sector (industry) entity, which has lawful control of the data, can provide access to or disclose such data to the requesting Party. Any electronic data which is stored on the entity's network (cloud or web based) can be disclosed by the private sector entity that has lawful control of the data. The only restrictions/conditions that are currently articulated under Article 32 are:
i) the data must be electronic data stored in another Party's jurisdiction;
ii) the data must either be publicly available; or
iii) if it is not publicly available then lawful and voluntary consent to disclose or provide access to data must be sought; and
iv) the entity giving consent and providing access must have the lawful authority to disclose such data.

The language of Article 32 is intentionally loose, giving no specific guidelines regarding the location of the person