Cybercrime Cooperation for Developing Countries: International Frameworks

4 September 2014 - A Workshop on Other in Istanbul, Turkey

***

This is realtime captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors.  It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

***

      

     >> ZAHID JAMIL:  So good morning, everybody.  I thought I'd try to wake people up.  As you know, slide two, I don't know how you're going to fix that.  I think there is something wrong with the screen.  If you go to slide two.  If everybody knows Lord of the Rings.  What we're going to do today is, after the success of last year's workshop, is focus on -- this is a capacity building session.  So focus basically on the questions and issues the Developing Countries have.  One of the biggest ones that law enforcement who fight cybercrime in Developing Countries is how do I get data and how do I get cooperation cross-border?

     I thought I'd spice it up this morning.  I don't think it's safe for me to take an actual country's name, so I thought I'd take that.

     I'm going to jump right into this.  I'm done in about -- done talking in about 20 minutes, et cetera.  And then we will get to the panel.

     You can see this is the fictional sort of -- those people who know Lord of the Rings.  Rohan on the left hand and Gondor which has access to the sea.  The scenario we're trying to build is that Gondor -- basically, Rohan is landlocked and Gondor has access to the sea.  So the Cable comes to Gondor and feeds the traffic into Rohan.  These are Developing Countries.  So the Republic of Gondor, the one on the coast.  It's a member of the UN, a member of the Commonwealth of nations, ITU, the World Trade Organisation, UNODC as well.  And that's just our logo on the side.

     Moving to the next one.

     You'll keep seeing that, I think it's too big.  I don't know what happened with the calibration.  Gondor has the National Bank, Gontel, the largest cellular phone operator, using 3G, 4G.  It has mobile banking.  And basically, not just using SMS, but it's using IP, which means it's online because it has 3G, 4G as well.

     On the right-hand corner, if you can see it, for some reason we have things -- anyway, that is the undersea cable that gets to Gondor and the idea is that it's basically a more developed country, and its neighbor, Rohan is relying to some extent at least on the Internet traffic.

     Moving to the next slide.

     So what's happening is the GNB and I didn't want to change the logos there, but GNB, the Gondor National Bank and Gontel, the customers are getting emails or messages, saying this is a phishing e-mail.  This is the type you get.  You click on that and next slide, if you click on that, you end up at another bank's website or the same -- allegedly the same bank's website, which is spoofed.  It asks you to enter your account detail, password, that's the way how these things are done and the phishing e-mail leads to people trying to get your personal information, account detail, and then they empty your account.  So that has been going on, so GNB and Gontel face this crisis.

     You can do traces, I can't find Rohan in Google maps.  An IP trace figures out that it's leading to Rohan, the neighboring country.  Gondor is upset, GNB is upset.  Somebody says you have to do something.  This affects our mobile banking system, you have to do something about this immediately, okay.  Remember this, when you trace an IP, that doesn't mean that's the originating IP necessarily.  People can be using VPNs, there are providers that actually mask the IP in their e-mail headers.

     Next slide, please.

     So when Rohan law enforcement was asked, they said no, I'm sorry.  I'll not give you any data.  The first thing that the Government in Gondor said: hand over your ISP's data.  We want traffic and trace and get traffic data and everything else you can provide.  They just turned around and said sorry.  I won't help you.  That happens all the time in the world.

     Gondor itself, even though it's an advanced nation, even though it's technology, doesn't have a cybercrime law.  So somehow it has to fight this battle with the use of existing sort of traditional legislation.

     Please come in.

     There is lots of room up here, so please come through.

     Next slide, please.

     So what I wanted to -- pause here for a second and think about, for everyone to think about and then we will go to the panel as well on bits and species pieces and come back to the audience.  Keeping this scenario in mind.  I won't take names of certain region, but I'm fall with regions that had these kinds of problems precisely in certain continents.  What kind of things can law enforcement and Governments do to try to get cooperation to track down these criminals?  The first one could be informal cooperating.  I don't need an agreement.  It's not a Treaty, nothing.  The problem with an informal cooperation is it's discretionary.  Rohan says sorry, I'm not going to help you.  It's faster, that's an advantage.  But it seldom works, not all the time.

Whatever you get from informal cooperation is information.  It's not evidence.  You can't take it to court.  You can't prosecute somebody with it.  It will not stand the test of evidence and admissibility in any court of law that I'm aware of. It's usually an uneven playing field because if you're a small little insignificant Developing Country, I'm from Pakistan, if my law enforcement asks for data from Europe or other places, it's not necessarily going to get it.

     And a lot of times, Developing Countries, this is the basic problem we are trying to address.  This was asked last year, in last year's workshop.  What do we do about getting data from Developed Countries or, as I like to call them, infrastructure countries?  Being developed is one thing.  But the main thing is you have the infrastructure and the servers.  That's why people want to get your data.

     This is an example of the 24/7 network.  It happens in the fight under providing information and intelligence.  Interpol again.  It's a chartered institution, so it has an agreement.  It's sort of like a Treaty -- not really.  But it doesn't focus on evidence collection, just like a mutual assistance Treaty would do.  You cannot necessarily take stuff you get from Interpol to the court.  It could have to go through the proper channels of mutual legal assistance in the countries.  They can try to coordinate that for you.

     IMPACT was started in Malaysia.  Again, informal.  Once a flash in the pan sort of situation.  APWG is focused.  They are collecting data from phishing emails and they let people know what are the threats so they can in their spam folders and others try to address those things.  So that's helpful.  But it doesn't catch the criminal.

     What is the other way that you can try and sort of address this?  You can try to have a formal cooperation process, like a Treaty or a Convention.  Countries sign that.  Usually these are bilateral, so the U.S. has several.  UK has several mutual legal assistance treaties in criminal matters, only.  So the purpose of this Treaty is not extradition.  It's simply to say that we will exchange evidence and information and help each other in criminal matters. The trouble with that, some of the provisions in the existing MLATs are old.  They don't allow for preservation or digital evidence and many other problems.  And they are also very, very slow.  This is one of the challenges with the mutual legal assistance Treaty process.  But some countries are trying to do something about that.  So we will talk about that in a while.

     Not always lead to cooperation.  Sometimes, in a global crime area, if you're bilateral, it's just you and me talking, and a criminal in a third country, good luck.  There is not much you can do.  If you try to sign up bilateral MLATs, that's a long process.  It's a negotiation and sometimes they don't look the same.

     It needs a cybersolution.  Modernization.  Some people say fine, why don't we try to come up with a Treaty in a region.  Is this why don't we have an African Union Convention Treaty?  Maybe let's try to solve this.  What about the south?  What about Caribbean, what about other places?  And the challenge there is that this is a global crime.  So if Gondor and Rohan in the region, the example that we gave earlier, have a regional Treaty that they are signed up to, but if the emails were routing through say the U.S. or another country, then you can forget about getting that information, because they are not party to that Treaty.  Why would they help you?  You need something International, which is global.  And especially those countries -- oops.  Sorry.  Those countries that are holding the data, they are the ones who would cooperate or be party to it.

     So it's fine for us in regions, as Developing Countries necessarily, to say we all agree but we hold the data.  The data is sometimes elsewhere.

     Can we go to the next slide, please?

     >> There is a technical problem.  There is no connection.

     >> ZAHID JAMIL:  Sorry there is no connection.  Sorry.  So that happens sometimes.

     We can start and run the movie?

     (Laughter)

     A little more live action.

     So there are situations where, for instance, I've gone into regions where we as the Developing Countries for cybercrime try to provide legislative capacity building in that regard.  And everybody comes back and says but if me and my neighbor agree, doesn't that solve the problem?  The answer is no.

     Let's look at examples of treaties.  The United Nations is one.

     Oops.  Sorry, go back, please.  These are examples of treaties or soft treaties that may exist or places that one can try to go to.  Think about Gondor and Rohan trying to cooperate.  Gondor is a member of the UN, ITU, the Commonwealth and it's signed up to the UNODC.

     Now, if you were signed up to all of these treaties, would you still not be able to get cooperation.  Why?  Because none of these organisations have a cybercrime instrument Treaty as yet.  The closest one I think would have been the UNODC.  Because it deals with crime.  But it doesn't deal with cybercrime and digital evidence.  And it's really slow.  Again, there are huge challenges with that, that takes months and years.

     The SCO, right in the centre, tried to do something.  But they are just principles that those countries agreed to.  They don't provide a framework in which Developing Countries can cooperate amongst themselves.  And then there is the African Union Convention that recently we talked about cybercrime, again it's limited to the region.  But it doesn't have the sufficient International cooperation provisions. If you look at it, it talks about data protection, electronic actions, some bits of cybercrime, but it doesn't have the framework that you would expect of

     I'd like to stop here for a second and ask one of the participants on the panel, Jayantha, also from Sri Lanka and ask him -- you're a Commonwealth country.  I come from one.  Margaret, you're from a Commonwealth country -- and the U.S. is not, just to be clear.

     >> JAYANTHA FERNANDO:  Thank you.  So I'm Jayantha Fernando.  I'm a lawyer from the Sri Lankan Government.  So with reference to your case, and by the way, Zahid, is your case up until -- yes.

     So he mentioned an interesting case study which we were privy to at least a couple hours before we started.  So with reference to Commonwealth and the frameworks that are available, let me give some background to what came out of our own experience.

     In the formulation of our Sri Lankan legislative framework, which started in the late 1990s, and went on through 2001 first one, 2003  second, 2005 third review, and then 2007 selected by Parliament.  All these reviews.  The country, Sri Lanka, had multiple options to look at.  Yes, we are part of the Commonwealth and we had the Commonwealth law on computer crime as they call it, right?  So we looked at that, and the -- as a part of the Commonwealth, we looked up to jurisdictions like Singapore and UK that had adopted frameworks.  And those were pretty acceptable within the Commonwealth jurisdictions.

     However, in the second review or the first review, the latter part of 2001 and early 2002, we realized that this issue is becoming bigger than what we could imagine.  And the threat of cybercrime could go beyond the parameters of Commonwealth countries.  And then we came across an available tool that was brought to our attention, namely the Council of Europe Convention on Cybercrime.  And Sri Lanka became a country that looked at this option that was available.  We were not a European country and we understood from the literature available that this was a Treaty that was available for non-European countries to potentially sign and accede.  And no link to the Council of Europe at that time.  Nevertheless, we went on to look at this template, the available tool, and it looked very good.  And it provided for mutual assistance, legal cooperation in a most effective manner.

     And what we did was we incorporated provisions in the Budapest Convention on Cybercrime into our national legislation in the best way possible.  And when we introduced the law in 2007, which became the Computer Crimes Act on November 24, 2007, it incorporated the features of the Budapest Convention, especially the provisions governing mutual assistance and cooperation.

     On the last point, I want to highlight this association to the Commonwealth.  What we did was in the Cybercrime Act -- Computer Crimes Act, there is a specific provision that incorporates by reference the provisions of what is known as the Mutual Assistance in Criminal Matters Act of 2002, which incorporates the provisions -- the mutual assistance provisions emanating or coming from the Harare Convention.

     Now, although that was incorporated by reference, we felt that Commonwealth by itself does not adopt binding Conventions which require formal ratification.  Countries have options to do so.  Commonwealths do not.  If they do not want to, they don't have to do that.  So that was the issue that we had.

     >> ZAHID JAMIL:   Basically, what you're saying is it wasn't binding, but you went for another option as you mentioned.

     So the ITU was again -- let me come back to this.  The ITU is a technical organisation, doesn't do criminal justice, for instance.

     Let's go to the next slide.  So what was it that you need?  A formal obligation within countries so they can actually formally in an obligation manner cooperate.  It must catch up with the speed of the informal process.  That process is good, because it's faster.  The formal process is slower.  We need something faster.

     It must take care of human rights, because you want to make sure that this is not a cooperation that is basically violative of civil liberties and the UN declaration of rights and ICCPR.  And you have to ask for the correct information and not abuse it or misuse it.  And that when the other countries are requested, they will feel obliged.  Well, they are obliged to it under the law.

     One of the things you want them to do, in the case of Gondor, they didn't have a cybercrime legislation.  So you have to make sure that in every country, this kind of activity, that phishing, for example, needs to be criminalized.  It can be technology specific, because it's phishing today, spoofing, whatever, botnets.  Zombies.  I think it's a bad practice trying to define crimes by taking the title we give them.  And the legislation needs to be drafted in a technology nonspecific manner.  Not have everything or else no consensus, there should be a baseline that everybody adopts.  It should be inclusive, open to everybody, not restricted to certain regions or certain countries.

     Procedures in how you will cooperate should be harmonized.  There should be cybercrime procedures. And it should be complementary to other forms of Treaty.  If you sign up to one Treaty, that doesn't mean that you cannot sign up to another one.  It should be inclusive and not exclusive.

     It should include those members where the data resides.  Otherwise, there is no point in you being a member if the people who you want to get the data from are not part of that Treaty.  That's the most important key aspect of any Treaty or agreement that you would sign.

     The majority of the requests flow, and I don't like to call them, I'm from a developing country, but I don't like to call it that.  It's infrastructure States.  Sometimes you can find countries which are not necessarily completely developed but have the infrastructure.  And the information needs to flow to Developing Countries which require that information.

     So think about it in slightly less about developed and developing and more about who has the infrastructure?  Are they a party to this agreement?  That becomes key.

     So you mentioned the Budapest Convention.  I put that up on the slide as well.  That is the only Convention currently that exists which has all these things we just talked about.  The other ones don't.

     And I want to close, I think probably my last slide, one of the things when we work with Developing Countries, we sort of say forget any International politics or what we can get if we sign the Treaty.  But focus -- and when you talk to law enforcement, it happens most of the time.  What do I get if I join the Treaty?  So for developing country law enforcement, the biggest answer to their problem of not getting cooperation is you'll get cooperation.  So it's effectively, if you look at this from the sovereign national interest of law enforcement in those countries, their own interest, that when they sign up to this, they are serving that particular interest.  So target what is practical, achievable, what benefits Developing Countries and what benefits you now.  There could be a Treaty tomorrow or five or ten years hence which could be better.

I don't know.  But if you have something now, the answer for most countries in the developing world would be to sign up to what exists currently.  So no time to waste.

     So what I wanted -- this is our address and I've taken too much time now.  I think I'm at least five minutes over time, so I'll stop.  You can take the -- leave the slide up there.

     What I'd like to do now is ask Christopher Painter, who is here from the State Department, and who is head of Cyber Issues, that's the mutual legal assistance Treaty process, is criticized sometimes with the States saying it takes too long.  What is the U.S. doing and what are your views about what you have just seen?

     >> CHRISTOPHER PAINTER:  I'll start with the second part and go into the specifics of legal assistance.

     Before I came to the State Department, for many years I was a Federal prosecutor doing cybercrime cases and have been involved in a lot of investigations over the years.  So I've seen a lot of this firsthand.  And I'd say that you need a combination of different tools as you approach these kinds of investigations.  Because the data, as we said earlier, the data doesn't necessarily last very long and it can go through several jurisdictions.  You're a developing world country, you're Gondor or Rohan, and you find that you have -- you're trying to get this data.  And it could be traced back to one country, but really as you mentioned in the hypothetical, it could come from yet another country and maybe a third.  And smart cybercriminals will often route their attacks or communications, their phishing, fraud, through several different countries because they are trying to take advantage of the fact that there are uneven laws in different countries and uneven procedures in different countries.

     And so, you know, there are a couple things that are really important.  One, for every country we need to have base cybercrime laws.  As you mentioned, the Council of Europe -- or the Budapest Convention that was hosted by the Council of Europe, that many more countries are members of it than those countries.  And it's not really -- some people say it's a regional Convention.  It's not a regional Convention, really it's a global Convention.  More and more countries are joining all the time.

     And the benefit of that is it sets out what some of those -- what the floor is, what some substantive provisions you need in your law, procedural provisions, and also provides a mechanism for formal cooperation and informal cooperation.  24/7 cooperation, and using mutual legal assistance sort of authorities.

     As you investigate the crimes, you have to do a couple things.  You have to look at networks.  You mentioned that.  Using things like the 24/7 number, which is over 60 countries, to do a fast freeze of evidence.  Make sure that the evidence can be preserved, so when you come back later on, with the legal process, it is still there.  That's one of the real benefits of doing that fast cooperation.  You can follow it up with the more formal cooperation where you can get the evidence for that.

     And also informally doing the investigation helps you get back to the origin of some of the attacks.  So you can get the evidence from them as well.  And that's important.  I think you're right.  The problem with mutual legal assistance requests in treaties in the past had been that people preceded them.  And they were written at a time where people were writing in quill pens and doing -- not all of them, frankly, but it's -- they had a very old way of cooperating, and they made sense in a world that wasn't digital and they made sense in a world where you had the time to find records sometimes months later.  That is not true in the digital world.  That doesn't mean that we throw that out, because that kind of legal assistance is grounded in laws around the world and bilateral agreements

     >> And even though a lot of the mutual legal assistance treaties are not specifically cyber, they are about classes of different kinds of crimes.  So you can still get cooperation under them.  And the U.S. has about 100 bilateral mutual legal assistance treaties around the world, with lots of countries obviously.  So on one level, you want to do things that will make that mutual legal assistance process easier.

     Two, things you do.  Bilaterally, let's say you are a country that is not a member of the Budapest Convention, and there is a bilateral Treaty in place, or there is a memorandum or something that is less than a bilateral mutual legal assistance Treaty.  It's still pretty slow.  How do we do that?  One of the reasons for an infrastructure country, as you mentioned, they may get lots and lots of requests from all over the world and they don't have lots and lots and lots of law enforcement officers to handle that or people in their justice departments.  We recognize that in the U.S. when President Obama, back in January, said in a speech wanted core things he wanted the U.S. to do, he wanted them to streamline the mutual legal assistance process, recognizing these concerns, asking our Congress to mind more money, 24 million to go to the Justice Department to expand the number of people who do this, so we can speed this up.  Do outreach and training around the world that would help streamline these requests as well.  So that is a real commitment.  We really do think this is important.  Because it's important to the developed and developing world and we're all better off by strengthening that system.

     There is also a training aspect of this as well.  Sometimes requests come in and they say tell me everything that you have on this IP.

They don't give information or data to help fulfill that request.  Then people go back and ask for more data.  And there is a delay when they come back and it's back and forth.  So there are lots of resources out there that talk about what kinds of data are important.  So that is something in outreach and training that you do.  As we do capacity building around the world, we have done seminars with the East African community, the West Africa with SADC and Botswana, when we talk about these issues, so that helps streamline.  The Budapest Convention allows you, under that framework, to work today more speedily and get that information you need.  So that really is a foundational pillar to have that.  And our position is best practice, sign-on to that Convention as we have.  If you can't do that right away, start emulating its provisions in your law.  You won't get the full advantage of the mutual legal assistance provisions, but at least you'll be part of an International system where there are similarities so you can work together.  But the gold standard is still there.

     >> ZAHID JAMIL:  Margaret is with the National Crime Agency in Ghana.  What is your experience being where they have informal cooperation mechanisms?  Have they worked well?  What is your view about formal cooperation measures?  If you sign up to a Treaty, how would that help you in a Developing Country context, for instance?

     >> MARGARET ABBA-DONKOR:  I don't work with the National Cybercrime Organisation.  I work with the Regulator and we have a national antifraud task force that deals with these crimes.  And the cooperation, we have had so many cooperations with maybe the U.S. State Department.  We have also -- we also signed a memorandum of understanding with the Commonwealth secretary.  But when it comes to (inaudible) Ghana has yet to accede to the Budapest Convention.  The Council of Europe has helped in so many ways.

For example, this year, in March, the Council of Europe, you asked for training from investigators, and they graciously sponsored for the Judges, the prosecutors, the investigators, from the Criminal Investigation Department of our police.  So I was surprised because I haven't seen that in the Budapest Convention yet.  But they willingly came to organise and fully sponsored this training workshop in Ghana.  And it was a huge success.  And so we are asking for more needs from the Council of Europe.

     Thank you.

     >> ZAHID JAMIL:  Alexander Seger from the Council of Europe.  I'll let him explain this.  But let me challenge you a bit.  So you have this Convention, but in the example you saw of Gondor and Rohan, what is in the Treaty that would help those countries?  I mean, does it really work?

     >> ALEXANDER SEGER:  None of these two countries is probably party to any of the Treaties.  Otherwise, they would have legislation in place and a number of other things in place.

     Taking that example, let's be realistic.  You can get started and you can cooperate to a certain extent by using existing legislation by analogy, fraud provisions in this case, or other provisions.  You can work on the basis of bilateral MLA agreements, like you mentioned.  You can work by reciprocity.  You can use all sorts of informal channels, at least to get intelligence and so on and so forth.  So you can get to a certain point.  But if now you have a situation where another country doesn't want to cooperate or simply refuses to cooperate by taking a formal position, you have a problem.  And that is the situation, that is the situation here.  We have to recognize that.

     I would like to make a more general statement now in relation to what you said.  That these countries are relying on ICT, on the financial sector for the development.  Many countries look at ICT as a development strategy.  We had a series of eight workshops the other week, last month, actually, in Mauritius.  Now they are doing capacity building.  And now they developed and now it's the third most important pillar of their economy.  And many countries want to follow a similar example.  So we have to look at measures against cybercrime as a contribution to human development, to economic and social development, to human rights and the rule of law altogether.  We have to look at it like that.  It means that we should not support measures that should run counter to these objectives.

     You have to respect human rights and the rule of law.  I would go further and say you should not only avoid violating human rights and the rule of law or principles of the rule of law, you should consider measures against cybercrime as a positive contribution to human rights and the rule of law and cyberspace.  So have a positive approach there.  If both parties were part of the Budapest Convention, both countries, let's look ahead.  And if you give us the Government addresses of the two countries that we shared to see what could be done, they would certainly have legislation in place, because parties have to have legislation in place.  It's not just a Treaty and then no follow-up.  It would have to have legislation in place.  They would be part not just of a Treaty, they would be part of a whole system, meaning, yes, a Treaty, a formal framework for cooperation.

But also be party to the cybercrime Convention committee, which meets twice a year, which has Working Groups and meets all the time.

     There is also right now evaluation of the effectiveness of the International Cooperation Provisions.  So we have them in the Treaty, yes.  But we are also evaluating right now the effectiveness of these provisions in practice.

     That may lead to another Protocol to the Budapest Convention to make International cooperation more effective.  As a party, you participate in the negotiation of these additional options.  They would also benefit from capacity building programmes, because we realise countries may sign up to the Treaty, may have the formal legislation in place, but you have to do more.  You have to follow up with restraining, with providing guidance, developing guidelines with those countries.  Help countries set up high tech crime units.  Help high tech crime units develop operating procedures.  And so forth.  So it would show a whole system here.

     There was one point you made about national interests, a question.  It's actually an interesting one, because some countries come and say yes, you know, we don't mind about the Budapest Convention, but we didn't participate in the preparation and the negotiation.  And as a matter of policy, we are not joining a Treaty that we did not participate in the preparation.

     There are two points here -- or three points, actually.

     Is there an alternative right now?  Maybe there will be one in many years, but right now it's difficult to see any alternatives.  So I would say that right now, so many different interests regarding cyberspace that it's very difficult to come to any agreement on anything these days.  And it's certainly not possible these days to come to an agreement on a new or additional Treaty.  So the strength of the Budapest Convention, it's there and functioning.  It's been there and functioning for the past 12 years.

     The second thing, parties that join later, that join now, like Mauritius, like Japan recently, like the Dominican Republic, these countries are now participating in the negotiation of possibly additional protocols to the Convention.  So they participate in the further development of this Treaty.

     And the third one is a very interesting point, the national interest one.  The same countries that tell us:  Oh, we don't join as a matter of principle such a Treaty, the Budapest Convention, because we didn't participate in the negotiation.  They sign another Council of Europe Treaty, namely the one on administrative cooperation and tax matters.  Because the benefits -- it's important to get money back from tax evasion.  So that Treaty they joined, they don't say we didn't participate in the negotiation.  So many countries signed up for that Treaty.  But when it comes to the Budapest Convention, we don't join because we didn't participate 13 or 14 years ago.

     Anyway, countries get different and confusing messages from International organizations.  That's a problem.  International organisations have to make an effort to come to a more coherent position when they advise countries around the world.  I think that's -- it's all to the taxpayers who pay for organisations.

     I'll leave that for a moment.

     >> ZAHID JAMIL:  I want to ask, I interrupted you when you were saying something, could you tell me, Jayantha, you're a Developing Country, you want to accede to this Treaty, why?  It's in your International interests?  You just heard that there are conversations.  Why not wait for something more global, something that is a UN?  Is this or is this not global?  How do you feel about that?

     >> JAYANTHA FERNANDO:  So starting from that point where I think Alexander stopped, as a country we are just looking at empowering the citizens with digital options.  And a country that is moving from perhaps a (inaudible) based economy to an (inaudible) economy.  We see an environment where there is substantial investment both from the Government and the private sector towards the growth of the ICT sector.  And as a country, we just moved up the ladder in terms of the knowledge and economic status.  We feel that accessibility development measures would add substantial economic value to the country.

     Now, when you empower a country or make a country digitally enabled, and ensure that the country's economic growth is contingent on that digital empowerment, we need to have an effective tool and a measure where we can collaborate with other countries on an equal footing, and get the best in terms of judicial cooperation, law enforcement cooperation, and that is the reason why we are looking at the Budapest Convention as the option.

     >> ZAHID JAMIL:  Why not wait for something more global like the UN or ITU or someplace else.  Why not?

     >> JAYANTHA FERNANDO:  Well, the changing landscape of cybercrime is such that there is no time to waste.  There is no time to waste.

     So we need to get on with that fast.  And we have an available tool and an option that is on the table.

     >> ZAHID JAMIL:  Audrey, I'm sorry I don't understand.  I'm sorry, you can have a Treaty in two or three years, maybe, how long would it take?  Somebody want to answer this one?  Why not?  The UN is trying to fix this problem.

     >> CHRISTOPHER PAINTER:  I was involved in negotiating the Budapest Convention, and that took five years.  And, you know, what you -- I would expect it would take at least five years.  And the bench is not very deep in this area.  You know, the resources that people understand cybercrime, not diplomats, but people who actually understand -- and diplomats are great people.  I'm a diplomat.  But people who actually understand cybercrime and cybercrime laws would be needed to help negotiate some new Treaty, and it would take years.  And you lose -- you can lose five years of actually going after all of this crime.  And you know, as Alexander said, this is important to the Developing Countries, not just because it's good to have good laws in place, but it helps to get investment in your country. It helps your economy.  It enhances human rights.  It does all these benefits to your country if you have strong laws in place.  And if you wait all that time, you're losing out.

     The second thing is, this is the floor and not a ceiling.  The floor is there is commonality if you have the Budapest Convention and you can have things on top of that.  But if you take the time to negotiate a new Treaty, it may not be as strong as this.  There may be lots of compromises that take place and you won't be able to get to the heart of some of the problems that we're seeing.

     >> ZAHID JAMIL:  Alexander?  How long would it take?

     >> ALEXANDER SEGER:  It will take 30 seconds.  But I want to check one thing in the transcript -- now my name is correct.  Before my name was incorrect.

     The Budapest Convention, the actual negotiation took five years.  There were another eight years preceding that of negotiations.  Now we are 13 or 14 years later, we have 42 parties.  So you have to think in five-year timeframes.  Even when you talk about the broader part of the Convention, it takes two or three years to agree that you need a protocol.  The proprietary work, you need another two, three, four years for negotiation.  And you need at least ten years for a sufficient number of countries to ratify that.  Because it all has to go through domestic Parliaments.  So you're talking about 15, 20, 25 year timeframe. If you start with a new Treaty that is meaningful, then 25 years to have it in place and functioning is a realistic timeframe.  And what do you do in the meantime?

     >> ZAHID JAMIL:  So the cybercrime criminals will love that one.  Everybody just keeps waiting.  We show Gondor National Bank being affected.

     >> ZAHID JAMIL:  How does the private sector view the importance or whatever of cybercrime legislation, for one, and whether people should be talking to each other for cooperating?

     >> AUDREY PLONK:  I'm Audrey Plonk from Intel.  Just a couple points to reinforce things that were said, but from a slightly different perspective.

     So, very fundamentally, 25 years from now, the computing landscape will be completely different than what we're talking about today.  Even five years from now, the computing landscape, the Internet landscape, connected devices, it will be completely different.  So the idea that you can wait even what might seem like a small amount of time, I think, is a misnomer, just from looking at the pace of innovation and the rate at which the private sector is building new things.  Software, hardware, the Internet of Things, mobile computing.  Everything.

     So I think from a private sector perspective, it's completely irrational to wait five years and inconceivable to wait 25.  Just as a basic matter.

     With regard to investment and stability, I think what you generally see is that a stable legal instrument and a somewhat predictable environment with regard to criminal enforcement, it's -- it spurs a lot of different things.  It not only spurs foreign investment, foreign direct investment, but it also provides a platform for local innovation creation, and ultimately for economic growth because that's the promise of the Internet as we have seen in the past and what I think many countries that are developing and continue to develop their Internet ecosystem are looking for, continued economic benefits.  The private sector gravitates towards jurisdictions and economies where there is stable infrastructure, and they will invest there and enable the legal system there and they will gravitate away from places that don't have a predictable legal environment for innovation to grow. Just because we all know that crime is bad for the economy so I don't need to talk about that.

     >> ZAHID JAMIL:  Margaret?  Did you want to comment?

     >> MARGARET ABBA-DONKOR:  If it's five years, plus waiting for the -- during the five years, while you go to your Parliament to decide, plus you are thinking about your legislation and things like that, the Council of Europe doesn't sit down idly.  Just like the example I gave of Ghana, we are not trying to decide, but the Council of Europe will come to your aid when the need arises, just like giving you capacity building, helping you in connection with the cybercrime.

     Thank you.

     >> ZAHID JAMIL:  What it would do is provide proceeding powers which don't exist in legislation and also cybercrime cooperation.  And they don't exist in International Treaties, so MLATs, most of them don't have the ability to say I'll call somebody up on a 24/7 network.  Saying listen, there is data on your ISP.  Please freeze it.  This is not something that you can do on a current MLAT that exists between countries, and you cannot ask for the disclosure of digital evidence because the legislation or Treaty doesn't provide for that.  I understand that.  I also understand now the delay issue.

     What I want to do now is open it up to the audience.  If you have questions about the example -- not the movie.  I might be in copyright infringement.  But fair use.  Jayantha, you had the microphone.

     >> JAYANTHA FERNANDO:  What was said earlier, in consulting the private sector, and we consulted the private sector extensively at the time of formulating the legislation.  And in a country that is trying to promote its destination for knowledge, outsourcing, processes, kind of activity, we find that signing up to a Budapest Convention model helps a country effectively promote itself as a destination outsourcing by itself.

     The second point on that is that when we get into a framework like the Budapest Convention, you have a whole range of access to local jurisprudence, especially in the area of data privacy and data protection.  That is hugely essential to a country that is going in the technology direction, especially in the area of eGovernment.  And our Government is drawing on the best practices including from Europe in the privacy data protection area.  And that is a huge benefit arising from signing to an arrangement or accessing to the Budapest Convention.

     >> ZAHID JAMIL:  I thought I understood this.  This was about cybercrime, but we just talked about data protection and human rights.  Why do we care about that?  This is about catching criminals.  No matter what.  What does that have to do with privacy or anything?  Alexander, I'm confused.  I want the answer to this question before we go back out.

     >> ALEXANDER SEGER:  Well, I mentioned before that we have to be clear about the rationale of why we are doing certain things and why we have to vest resources in dealing with cybercrime.  One rationale is the economic development rationale, if you want, that also Audrey referred to.  The other rationale is when you look at it from the perspective of that we deal with cybercrime because it undermines human rights, the rule of law, and Democracy, actually, because if you talk about freedom of Assembly, Freedom of Expression, you have to talk about Democracy.

     Because if you undermine these objectives, which happen to be the core objectives, we might need to start work with the cybercrime (inaudible)

     It's very important, also, if you talk about trust and confidence.  Also, trust from the private sector, but also trust by individuals in ICT and in what the Government is doing.  That's all these measures are based on clear legislation, that there are conditions and safeguards, et cetera, which we called it the Article 15 issue in the Budapest convention.  Article 15 means that proposal powers for law enforcement have to be limited for the safeguards and practices.  Many countries that deal with cybercrime legislation that reform the legislation also start working on the data protection legislation.  Then we can come in with some additional instruments that we heard from the Council of Europe, including Convention 108 on data protection.  So we also provide advice to countries on data protection because they request it.

     >> AUDREY PLONK:  Just in addition to that, so I think that there is often a narrative that says either you have security or privacy and you can't have both together.  Because if you're providing security, you're inherently violating somebody's privacy.

     And so there is some truth to that, or it wouldn't be the story that we like to tell ourselves.  But it's much more nuanced than that.  If you think of this in terms of mutually reinforcing concepts instead of exclusive concepts, the reality is you can't have privacy if you don't have some security.  So that's -- and to Alexander's point that this is an enabling concept.  So it's not that you shouldn't have, you know, that one particular legal instrument will get you everything that you need.  But one thing I think is guaranteed, that if there aren't legal instruments around, criminal activity with regard to cyberspace, you can pretty much forego any idea of privacy.  They will steal credit card information and et cetera.

     So regardless of how you define privacy, and this is not a privacy panel, but you can think of those as ultimately getting access to somebody's personal data that is identifiable to somebody's data and we generally think of that as a privacy issue.

     So it's good to think about the more security that you think about in terms of legal instruments and providing information cross-border, within the narrowly defined concepts of what is cybercrime, which the Convention does a good job on, and then you marry that with other instruments around data protection or privacy itself, and those are different things in and of themselves, then you can have a comprehensive system.  But saying that we shouldn't advance the security agenda because it might indicate privacy, it's just counter intuitive to me.

     >> ZAHID JAMIL:  Let's throw it out -- there were complaints about not letting the audience speak.  So the rest of time is all yours.  Let's pick up and see if people have questions or comments or questions to the panel, what you just heard.  Anyone want to go first?  Yes, sir, please.  Could you identify your name just for the transcribers.

     >> AUDIENCE:  My name is Bua Bakakursan, executive director of the Union of Tanzania Press Club, coming all the way from Tanzania.

     >> ZAHID JAMIL:  Welcome.

     >> AUDIENCE:  Thank you.  The biggest problem that we have here is not the time to use in establishing the Conventions, the Treaties, but to me I see the most important issue is once the Treaties have been established, ratified, and sworn to, that's where the problem starts.

     We have the Lomé Convention, 1 and 2.  This is the agreement between Africa and Pacific country, we call it ACP.  The European Councils, Africa, Pacific, have this Convention.  It has been established quite a long time ago.  But it had not been implemented.  Because of this, a lot of conflicts inside.

     Now we have this cybercrime, which we cannot say that we sit down.  We have to do something.  But who?  Police who?  You have given us the Gondor and Rohan as a case to take into consideration.  Now, who will make sure that this Treaty which is connecting or regulating Gondor and Rohan is being implemented?  There will be a 30 country or 30 establishment in, and if there is, who will establish that?

     >> ZAHID JAMIL:  I think it's a valid point.  I'll just say something quickly and we will go to the panel, but I want to take questions.  Treaties do exist and there are self treaties that do work, but I think Alexander will be better to answer this.  You have something called the International Court of Justice.  People don't usually go to it because they try to make sure that whatever they are doing, they don't violate International law.  Mostly.  But I want that question to be answered by the panel.  Let's go to somebody else here.  Please, go ahead.

     >> AUDIENCE:  I have many hats on, but this is my own.  I'm not representing anybody.  

     I want to make two points.  First I think you're preaching to the choir.  We are probably in this room more or less converted that the Council of Europe and the Budapest Convention is a good idea.  When I refer to the Minister of Macedonia, I don't know how you officially call it, saying where are the ministers of justice, of foreign affairs, where are the secretaries of -- what do you call it, education, et cetera?  That may be an opportunity to bring this message across again.  Unfortunately, the gentleman representing the local space conference in April 2015, that may be an excellent place to have a panel like this again.  If you would like to have an introduction I can make sure that happens, but you'll know the road itself also.

     The second thought is there are so many different sort of organisations working on this topic, also.  I have two very good examples sitting right next to me from the U.S. and Australia.  They do it from a spam and malware point of view.  They are not police.  There are SIRTs walking around here trying to find Governments to talk to.

     What they actually do, there is the MMMEAWG and other organisations and we stand as best practices around here that actually help mitigate the problem from a technical side.  And I think this is such a multistakeholder topic we're talking about, that by only focusing on the cybercrime part, we have to understand that it's important to get everybody in the room and see where the abuse can be stopped.  And then you have the real criminals left.

     >> ZAHID JAMIL:  Just for everybody, some may or may not.  What is a SIRT and what is MMMEAGW?

     >> AUDIENCE:  They like to be called CSIRTs.  The Computer Security Incident Response Team.  You can have them in a private company or Government or University.  They deal with incidents happening to computer systems within their constituency.  Let's say their membership.  The Messaging Mobile Malware Entity Abuse Working Group, which are ISPs, direct marketing organizations, the hosting companies that come together three times a year -- and they only do that basically now in the U.S. and in Europe.  So it's very important to find -- and India, since last year, thank you, thank you, Betsy.  So it may be important to get this organisation into Africa, into Latin America, into Asia.  But they need funding for that.  So who can help them with bringing them to countries where they don't get you yet.  Because it's a private funded something.  So maybe the opportunities will arise and get the right people in to discuss this.

     Did that explain enough?

     >> ZAHID JAMIL:  Perfect.  Thank you.  One more, if somebody wants to -- please.  Ma'am, go ahead.

     >> AUDIENCE:  Hi.  My name is Fargu, I'm Tunisian.  I come from a region where cybercrime laws are less about child pornography or identity theft, et cetera, and more about crushing political dissent or sending to jail those who are -- who express themselves or spying on citizens.

     Anyway, so my question is, if one of these countries actually would like to join the Budapest Convention, are there mechanisms in the Convention that would ensure that these countries review their national laws or like anything that can ensure that they wouldn't use the Convention to do bad things?

     >> ZAHID JAMIL:  So let me do -- that's a good point.  Let's do this.  Let's go backwards.  I'll take yours as a comment I imagine maybe not as a question.  But I'll open it up to anybody, maybe the private sector, who may want to talk about it.  Hers first, and then we have a question on Treaties, generally, who polices who, maybe somebody else can take that.  Thanks.

     >> ALEXANDER SEGER:  I want to underline that only countries that have legislation in place that is compatible with the Budapest Convention should actually become a Party.  And we make it a requirement.  That means countries at the moment of accession or ratification have to have the laws in place.  When a country seeks accession, we do a sort of assessment of this request.  And at that point if a country has nothing in place yet, not even a draft law of any sort, we discourage that country of pursuing the request.  We work with the country until at least a draft law is there or Parliament or even better a law is in place.  We ensure that.

     Furthermore, after a country is a party, they are also members of the Cybercrime Convention Committee that assesses the implementation by the parties.  So there is -- it's sort of not a full monitoring, but some sort of light monitoring that is taking place, where there is a continuous assessment of the way parties implement the Convention.  So that is the case.

     However, if a country wants to misuse its law, we are getting into a bit more difficult situations.  There is a naming and shaming that can take place also in a committee like this.  We have to make sure that when a country that is part of the procedure, when any country seeks access, we check whether the basic conditions in relation to Article 15, conditions and safeguards, are in place.  So we also look into that.

     So there are a number of let's say safeguards under way to accession.  And also once a country is a Party, at the end of the day if a Government is so bad that they really misuse the laws, I don't think in any country it's in the laws.  This is a law to crash -- permitting to crush political opposition.  I guess other laws.  Or very often they move the problem from the criminal justice arena into the national security arena, to take it out of that, to use that avenue.  And then things get very difficult.

     >> ZAHID JAMIL:  So I just want you to respond.  I wanted to say this, just so that we are talking about Article 15.  Article 15, and it's not clear what Article 15 is, it says you must respect the UN Declaration of Human Rights and ICPR.  And legislation that we worked on trying to conform to this, we made sure that human rights provisions, ensuring that third-party rights --

 

     (Technical difficulty)

    

     >> AUDIENCE:  Not a response, really, but -- we just had the PPO passed in our country.  It's --

     >> ZAHID JAMIL:  Do you want to introduce yourself?

     >> AUDIENCE:  I'm Gilda Hari, in Pakistan, I work with a human rights organisation.  And whilst you know I totally agree with you when you said about security and privacy, I think there are two sides of the same coin.  So I don't have an issue with that.

     The issue is exactly what my friend here sort of articulated.  And we have examples of where even provisions within the Pakistan Constitution which safeguard human rights have been overwritten with recent ordinances.  And there is a concern that, you know, even at an International level, the Government could possibly sort of misuse this.  We would love for our Government to sign up to this, but we don't even have the basic law in place, cybercrimes law.  But once we do, and so on and so forth, we would want these safeguards spelled out really clearly, with something like the PPO, what is it called --

     >> ZAHID JAMIL:  Protection of Pakistan Ordinance.

     >> AUDIENCE:  It's a very, very Draconian thingie.

     >> ZAHID JAMIL:  You get arrested and you're gone for 90 days.  They changed it and made it 60 days.  And there is a trial that nobody knows about.  Once you're convicted, people find out.

     >> AUDIENCE:  And that's in place.

     >> ZAHID JAMIL:  So the legislation on cybercrime that was pending in that country was bringing in some of those safeguards.

     The first gentleman didn't get an answer to his question, who polices the policemen?

     >> CHRISTOPHER PAINTER:  Just to add to what Alexander said.  First, we're very sensitive to this.  And we have said, and as said several times even during the last few days, that security cannot be a stalking horse for infringement of human rights of trying to suppress dissent.

     And even when we talk about -- when some people talk about having a new global Convention, some of them want to add provisions that would go do exactly that.  They get at that kind of content, what they think are destabilizing sorts of things.  That is certainly not what is covered by the Budapest Convention.  Which is, really, saying to countries, you need to have a rule of law.  And it does have human rights language in it as well.

     When the Budapest Convention was being negotiated, when our country acceded, we had a lot of discussion with Civil Society and others about these issues.  It's important for countries to do that.

     I also say that with respect to mutual legal assistance that we talked about earlier, you know, we do -- we are careful when we get mutual legal assistance requests, and this is going back to being specific about what you're asking for.  If a Government is coming to us saying we would like your help in tracing this down so we can find the person criticizing the Government, we don't do that.  So there are protections that countries also can impose when dealing with other Governments in terms of the evidence that is shared, to make sure it's really criminal conduct that is outlined in the Convention.  But human rights is a very important part and having the rule of law and that kind of oversight is important.

     >> ZAHID JAMIL:  There is a requirement of dual criminality.  So if there was a blasphemy case where data was requested, that is not a crime in the U.S., there would be no response.  International law, mutual legal assistance treaties require both countries to criminalize the same conduct, otherwise they don't cooperate on those.  But they would cooperate on other cybercrime stuff.

     Sorry, you wanted to say something?

     >> AUDIENCE:  The Government request, when you know, when requests come in from Government, they have to provide a subpoena from their own courts or anything or is it -- because there has to have been some proven judicial process before you request.

     >> ZAHID JAMIL:  And so Article 15 requires that all powers when implemented in your country must be through judicial -- independent judicial oversight and supervision.  So absolutely.  You would have a warrant.

     Jayantha, you wanted to respond?  You wanted to talk about policing the policemen.

     >> JAYANTHA FERNANDO:  Yes, on that point I just want to say that effective enforcement, there is another dimension to the whole aspect of empowering law enforcement, judiciary, and other people who are combating cybercrime.  And that's the dimension that I want to add, in terms of a benefit of signing the Budapest Convention, because you get access to a whole lot of training and capacity building that Margaret spoke about.  They have a new project called the Global National Cybercrime.  A country that has shown a positive interest in joining the Convention gets access to judicial training, law enforcement training, and our country already has benefited from a number of such options.  So, effectively, policing the policemen.  The capacity building side is one positive aspect of the Convention that I want to highlight.

     Thank you.

     >> ZAHID JAMIL:

     >> ALEXANDER SEGER:  Just to respond to the question regarding Tanzania, we have been working with Tanzania on your current draft law on cybercrime.  We have reviewed it in two rounds.  We had a workshop in Dar es Salaam last year, not just for Tanzania but for the other four countries in the community.  We believe that a lot of capacity building is needed in particular with regard to the judiciary, prosecution and judiciary.  I think your law enforcement is getting started.  That's okay.  Very good.  But judicial training is very much needed.  And when we do judicial training, we have to discuss the rule of law matters, safeguards, human rights, and so on, due process matters.  That's another avenue then to reinforce that.

     And we hope that also Tanzania at some point will seek accession and other countries in the East African community will, too.  And then I'm sure we can address the sort of problems that you mentioned.

     >> ZAHID JAMIL:  Christopher, go ahead.

     >> CHRISTOPHER PAINTER:  Just one line.  In the capacity building, I talked about the four sessions that we had in various regions in Africa.  We talk about cybercrime and cybersecurity.  But we talk about human rights online as part of that.  So we combine all of these things together.  So when decision makers think about this, they think about how that affects human rights and their economic interests.  We do a multistakeholder training.  We have Civil Society there.  We have industry there, much like the IGF.

     >> ZAHID JAMIL:  More on the police and policemen.  The way the sovereign nations work, I don't think anybody would accept that there should be a Government that tries and decides between two different nations who is right or wrong.  That's why you have the International Court of Justice.  But not everything goes to it, so that's a difficult one.  There is no solution to policing the policemen.  And you have to somehow accept or live with the fact that countries will work in this mechanism where they do not want to contravene International contributions or law most of the time.  There are consequences that happen.  Even sometimes -- I wouldn't say the most bad actor, but people who may be in the middle of the spectrum or closer to the bad side, I found, want to avoid those kinds of circumstances.  So that is self governed a bit.

     Bertrand, you raised your hand.  And if there is another question, and I want to go to remote participation after this round.  Bertrand, go ahead.

     >> BERTRAND de La CHAPELLE:  I'm the Director of the Internet and Jurisdictional Project.  I wanted to speak on one word that Alexander used, which is a term "Due process."  The situations that we are either addressing here, especially in the cybercrime Convention and the Mutual Legal Assistance Treaty, rely fundamentally, as just indicated, on the dual incrimination.  And there are many situations where things are criminal in one country and not criminal in another one.  That is not necessarily just a matter of a bad country and a good country.

     I mean, to give you a very concrete example, it's not a cybercrime but there is something criminal in France regarding hate speech for historic reasons, and in Germany as well.  This is not compatible legally with the first amendment framework in the United States. And this raises a lot of concerns in the relationship between law enforcement in one country that wants to implement this, and the operators of the platforms that are located in another country.

     So without belaboring, what I want to highlight here is that we're covering as you said a situation where there is no overarching decision maker between the laws of two countries.  So either you have the dual incrimination and here you spread the frameworks, like the cybercrime Convention, and one of the components is due process.  But in the other cases, where there is a discrepancy between laws that are perfectly legitimate on one hand but not on the other, but deals with speech issues, for instance, the established due process as much as possible is the only avenue available today.

     >> ZAHID JAMIL:  Let me respond.  The thing the Convention does is at least lets everyone agree on the dual criminality on the pure cybercrimes.  So some people may want to view blasphemy as a cybercrime, but tough luck guys, not in this room.  But the idea is that at least on those crimes, there will be cooperation because dual criminality exists on that.

     Okay.  Go ahead.

     >> ALEXANDER SEGER:  Just a correction, there is a Protocol to the Budapest Convention on racism on the Internet.  And it was put in a protocol because it was clear from the outset that the Budapest Convention wouldn't be ratified by a number of countries because of first amendments or the equivalent, and therefore it was put in a protocol to that.  And it also doesn't come up blasphemy, but it covers religious insults and things like that are covered.  So those who want to cooperate on that are free to try the protocols to the Budapest Convention.

     >> AUDIENCE:  Rick Lane with 21st Century Fox.  I do cybercrime policy issues and other related policy issues, privacy, et cetera, online.

     I think this is the first panel I've been to at IGF where Government has a role.  The mantra of every other meeting I've been to is multistakeholderism, Government should stay out, the Internet should take care of itself.  But I do think there is a fundamental missing link in that conversation, which is what you folks have been talking about.  Because, unfortunately, what happens is the bad actors who misuse cybercrime laws overtake the arguments and the debate when you're trying to use the laws for the right reason.  And I think as a community, as an Internet community, we have to talk about a safe, secure and sustainable Internet.  And part of that is having Government and law enforcement help protect the citizens.  Government was created to protect citizens. Yes, Governments abuse that in terms of misusing the laws in place.  But I think we need to do a better job of showing that there is a balance, and Governments and law enforcement do have an important role to protect human rights, privacy, and cybersecurity.  As I said, this is the only panel that has had Government being the good guys.  In all the other panels, you're the enemy.

     (Laughter)

     >> That's nice to know.  We have another question and then a remote question as well.

     >> AUDIENCE:  Hi.  I'm Nico Lise and I come from the College of Europe.  We talked about treaties and International law.  What about the operational dimension of fighting cybercrime?  And here I'm thinking about the recent setup of the European setup.  They have had a lot of cooperations with the United States.  But I was wondering, even though the European Union has a way of having a cooperating police force, would that kind of framework be implementable in Developing Countries, or would this kind of framework possibly be extended from outside the boundaries of the European Union to a much more global framework?

     >> CHRISTOPHER PAINTER:  So one of the things, you know, when I think about this problem, it's like a stool with three legs.  One is the substantive and procedural law.  One is being able to cooperate Internationally.  And one is having trained law enforcement who do the operational investigations.  It doesn't matter what your laws are if you don't do the investigations, but that includes judges and prosecutors and others.  So as we think about this issue, and a lot of the capacity building work being done by the Department of Justice is a lot of this work.  Our FBI and others is going and training those law enforcement authorities around the world and helping them set up cybercrime units in countries.  This is such a new area that training law enforcement to understand it, to do the forensics, to follow through, training the prosecutors how to make these requests, that's critically important.

     There is a lot of work to be done, but more of that is being done.  That's an important piece of this puzzle.  We talked a lot about law, but we shouldn't lose sight of the fact that we have to actually have that personal capacity in countries around the world.  Otherwise, you are the weakest link issue.

     >> ZAHID JAMIL:  The remote question after this, but first Alexander.

     >> ALEXANDER SEGER:  We recently sent people to the Hague to get training.  And we are funding people from 25 countries going to Singapore in one month from now to the Interpol meeting on cybercrime.  What I'm saying, you're joining a system where we link up people all the time.  We don't do anything else.  We link up people to provide platforms.  EC3 is one of our partners.

     >> ZAHID JAMIL:  We have a remote question from Gidian from dot Africa.  Let me focus on the first one.  Do we think that the Developing Countries need help in creating these laws like cybercrime laws?  Let me ask, what does Ghana think?  Do you need help?

     >> MARGARET ABBA-DONKOR:  Yes, definitely.  We need help.  No one country can fight cybercrime alone.  So there is a need for International cooperation and collaboration in our fight against this menace.  Thank you.

     >> ZAHID JAMIL:  Thank you.  We will take one last question -- maybe two last questions.  Go ahead.

     >> AUDIENCE:  Thank you.  Betsy Broder with the U.S. Federal Trade Commission.  We do enforcement work but not at criminal level.  To that we defer to the Department of Justice.

     For those countries who don't have a criminal framework for approaching cybercrime issues, one suggestion I would raise is that there could be regulatory or administrative functions that could be used.  We talk about the Budapest Convention as being the gold standard, and I think that is very true.  But if countries are not yet at that level, what are the alternatives?

     So I will just give one example, which I think might be valuable.  The U.S. Federal Trade Commission entered into a memo of understanding with the Nigerian Protection Council and others in an effort to both secure our relationship on the U.S. to Nigeria side, but also encourage the cooperation between the criminal and civil agencies in that country.

     And to pose as a model the way that we will work our civil cases involving consumer fraud, deceptive spam, malware and botnets and working with the criminal partners to enhance it.  So that's an alternative way to approach things.

     >> ZAHID JAMIL:  And what others have done is fantastic, SIRTS, there are important ways to fight cybercriminals.  If you want to take them to court, there is one way.

     Any other questions?  Anyone?  Yes, ma'am.  

     >> AUDIENCE:  Good morning.  Within the last two years, the Council of Europe invited seven Latin American countries to join to the cybercrime Convention.  Another seven were discussing how to use their local (inaudible) freedom of speech and anonymity for countries where institutions are not necessarily working properly.

     So how the mechanisms of legal cooperation of infrastructure can actually help to move this way forward, the only reason why it doesn't move forward is always the same.  And it remains the same.  (?)

     >> ZAHID JAMIL:  Do we have a Latin American country join the Convention recently?

     >> ALEXANDER SEGER:  We had Panama, Dominican Republic and so on.  I'm not sure that that is the sticking point, where the other countries have not yet completed the accession.  The main point seems to be for Latin American countries, the difficulty to have criminal procedure law reformed.  That's why it was stuck in many countries.

     Again, you can only join the Budapest Convention, complete the accession, once the law's in place, and that includes proposal law.  Very difficult, in particular in Federal countries like Argentina and Mexico.  But I think we are getting there slowly and we have actually more requests from Latin America coming that are currently being processed.  So it's not the Freedom of Expression that is the sticking point.  It's the proposal law.

     >> ZAHID JAMIL:  I want to first of all thank everybody who is here at the panel, especially the private sector helped us out.  Audrey, thank you so much for being here, really helped us a lot.  And especially the last minute.

     What I want to do quickly is take ten seconds per person if you want to wrap up.  Because we have also to close.  Christopher.

     >> CHRISTOPHER PAINTER:  This is a great discussion.  And I think this really is one of the key issues for developing world countries.  And I'd say that, you know, streamlining mutual assistance on the operational side, training and capacity building is critical, and having a strong law in place.

     So if the discussion sparked interests in countries and participants, we have to follow up and build on it.  This is one of the practical innovations of the IGF this year.

     >> AUDREY PLONK:  I totally agree.  The discussion has been extremely informative.  It gives perspective on the challenges that we need to consider and the evolving nature of the whole technology space.  And so I thank you for your time and attention.

     >> JAYANTHA FERNANDO:  So the threat of cybercrime is real and fast becoming, you know, slightly going out of control.  But countries cannot just afford to wait.  And when countries are moving forward with legislation, they cannot afford to work in isolation.  And that is one message I want to convey.  They should become part of a global community, and that is where the Budapest Convention is the most effective tool for legal reform.

     Thank you.

     >> MARGARET ABBA-DONKOR:  Just like my colleague just said, nobody can do it alone.  There is a need for International cooperation and collaboration, and that's where the Council of Europe with that first Convention comes in.  They are ready to assist Developing Countries, whether in their legislation or developing a new one.  They are there to help.

     Thank you.

     >> ZAHID JAMIL:  Thank you.  Alexander, you have the last word.

     >> ALEXANDER SEGER:  Thank you for organising this workshop.  Three messages.  The first thing is let's look at cooperation against cybercrime as a contribution to human rights, Democracy, and the rule of law.  And the contribution to economic and human development all together.  So let's use that as the rationale.

     Secondly, let's focus on capacity building, because that is what most countries need.

     And, thirdly, keep in mind that when you join the Budapest Convention, you join a whole system of cooperation.  You are not just signing up to a piece of paper.  You join, as would be said, a community of trust.

     >> ZAHID JAMIL:  I wish I could run the Lord of the Rings back again, but we are out of time.

     Thank you for being here.  I hope you had an interesting workshop.  Thank you.

     (Applause)

     (End of session, 10:37 a.m.)

 
