tag:theconversation.com,2011:/uk/topics/fighting-crime-across-digital-borders-42662/articlesFighting crime across digital borders – The Conversation2017-09-07T20:11:26Ztag:theconversation.com,2011:article/828912017-09-07T20:11:26Z2017-09-07T20:11:26ZPolice want to read encrypted messages, but they already have significant power to access our data<p><em>This article is part of a series on how law enforcement is fighting crime across digital borders. You can read the rest <a href="https://theconversation.com/au/topics/fighting-crime-across-digital-borders-42662">here</a>.</em></p>
<hr>
<p>The Australian government wants new powers to access encrypted communications, but do they need them?</p>
<p>Police and intelligence agencies already have significant abilities to access data about our emails, phone calls and text messages if we’re suspected of committing a crime, although it can be difficult to tell exactly what they’re doing with them.</p>
<p>The government argues existing interception capabilities are inadequate to <a href="https://www.pm.gov.au/media/2017-06-13/national-security-statement">protect national security</a>. According to Attorney-General George Brandis, backdoor access to encrypted communications would redress the “<a href="https://www.gizmodo.com.au/2017/07/everything-george-brandis-has-to-say-about-australias-new-encryption-laws/">degradation of our intelligence capability</a>” to prevent terrorism.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">Choose better passwords with the help of science</a>
</strong>
</em>
</p>
<hr>
<p>Many Australians are unaware of current police and intelligence powers when it comes to accessing our data. As the government lobbies for new levels of access, that needs to change. </p>
<h2>‘Backdoor’ access</h2>
<p>The government’s proposal to compel technology companies to <a href="https://www.theregister.co.uk/2017/07/07/oz_governments_definition_of_backdoor/">provide access</a> to encrypted messaging services is modelled on laws passed by other members of the <a href="https://www.privacyinternational.org/node/51">Five Eyes</a> surveillance alliance, of which Australia is a member. </p>
<p>Deputy US Attorney-General Rod Rosenstein <a href="https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-10th-annual-utah-national-security-0">recently announced</a> the Department of Justice intends to demand interception of encrypted communications. New Zealand already requires technology companies to <a href="http://www.legislation.govt.nz/act/public/2013/0091/latest/DLM5177923.html">grant access</a>. In the UK, authorities may force decryption where it is <a href="http://www.legislation.gov.uk/ukpga/2016/25/contents/enacted">technologically feasible</a>.</p>
<p>As with our allies, it is unclear if Australia’s laws will require so-called “backdoor” vulnerabilities to be built into messaging applications like <a href="https://techcrunch.com/2016/07/08/messenger-adds-end-to-end-encryption/">Facebook Messenger</a> or <a href="https://theconversation.com/how-whatsapp-encryption-works-and-why-there-shouldnt-be-a-backdoor-75266">WhatsApp</a>. </p>
<p>They could compel access via decryption keys or they might enable <a href="https://www.asio.gov.au/special-powers.html">remote access</a> to devices for interception of communications “at the ends”.</p>
<p>In response, <a href="https://theconversation.com/when-is-not-a-backdoor-just-a-backdoor-australias-struggle-with-encryption-79421">cryptographers argue</a> it is not mathematically possible to access end-to-end encrypted messages via interception <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3021580">without undermining</a> online privacy for everyone.</p>
<h2>The current state of telecommunications surveillance</h2>
<p>The government already has various powers to access metadata, the contents of digital conversations and computer networks.</p>
<p>The Attorney-General’s Department recently released its <a href="https://www.ag.gov.au/NationalSecurity/TelecommunicationsSurveillance/Documents/Telecommunications-Interception-and-Access-Act-1979-Annual-Report-15-16.pdf">annual report</a> on telecommunications surveillance. </p>
<p>Thanks to the Telecommunications (Interception and Access) Act (<a href="https://www.legislation.gov.au/Details/C2017C00192">TIA Act</a>), law enforcement and other agencies can access stored communications with a warrant. This can include “email, SMS or voice messages stored on a carrier’s network”. In other words, the contents of any communication not encoded via encryption. </p>
<p>Agencies may also apply for “preservation notices” to compel telecommunications companies to preserve data. </p>
<p>During the 2015-16 financial year, there were 712 warrants issued for access to stored communications. Data is not available about the types of offences these warrants were used for. It is also not clear how the telecommunications information was used in investigations. </p>
<iframe src="https://datawrapper.dwcdn.net/QUrnR/4/" scrolling="no" frameborder="0" allowtransparency="true" allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" oallowfullscreen="oallowfullscreen" msallowfullscreen="msallowfullscreen" width="100%" height="750"></iframe>
<h2>The issue of metadata retention</h2>
<p>A controversial 2015 amendment to the TIA Act requires telecommunication service providers to <a href="https://www.legislation.gov.au/Details/C2015A00039">retain metadata</a> for two years. </p>
<p>This allows authorised law enforcement agencies warrantless access to information about digital communications such as the recipient or time sent, but not their content.</p>
<p>However, some agencies that aren’t meant to be able to access metadata are still making requests under different legal regimes, <a href="https://www.ag.gov.au/Consultations/Documents/Access-to-telecommunications-data/Communications-Alliance.PDF">according to</a> the Communications Alliance, and there have already been <a href="http://www.abc.net.au/news/2017-04-28/afp-officer-accessed-journalists-call-records-in-metadata-breach/8480804">reported breaches</a> where an Australian Federal Police officer accessed a journalist’s metadata without an appropriate warrant.</p>
<p>The 2015-16 financial year was a <a href="http://www.abc.net.au/news/2017-04-13/data-retention-laws-start-but-information-not-for-civil-cases/8442068">grace period</a> for service providers to comply with retention requirements. During this time, there were 332,639 <a href="https://www.ag.gov.au/NationalSecurity/TelecommunicationsSurveillance/Documents/Telecommunications-Interception-and-Access-Act-1979-Annual-Report-15-16.pdf">authorisations</a> by criminal law-enforcement agencies.</p>
<p>Authorisations occurred most for drugs or homicide investigations. It’s possible this may indicate police are relying on ready access to metadata rather than pursuing traditional investigatory methods.</p>
<iframe src="https://datawrapper.dwcdn.net/QoCbK/1/" scrolling="no" frameborder="0" allowtransparency="true" allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" oallowfullscreen="oallowfullscreen" msallowfullscreen="msallowfullscreen" width="100%" height="900"></iframe>
<h2>Computer network operations</h2>
<p>Recent amendments to the TIA Act also allow the Australian Security Intelligence Organisation (ASIO) and authorised law enforcement agencies remote access to <a href="https://policyreview.info/articles/analysis/computer-network-operations-and-rule-law-australia">entire computer networks</a>. </p>
<p>These agencies may <a href="http://www.abc.net.au/news/2015-08-26/secret-anti-paedophile-operation-saves-children-from-abuse/6720304">covertly invade</a> a network to intercept communications at the point they are received. This works whether communications are encrypted or not.</p>
<p>These laws have been <a href="https://theconversation.com/sweeping-security-law-would-have-computer-users-surrender-privacy-30041">criticised</a> as too broad, potentially undermining the privacy of Australians, and have dramatically expanded ASIO’s powers.</p>
<p>It is unclear how often these surveillance powers are exercised due to the <a href="http://journals.sagepub.com/doi/pdf/10.1375/acri.38.3.400">secrecy provisions</a> surrounding ASIO operations.</p>
<h2>The need for additional surveillance capabilities?</h2>
<p>It is clear that Australian law enforcement agencies already have extensive surveillance capabilities. And while many of the details remain secret, we do know these powers are frequently used. </p>
<p>It may be that Australia is becoming a test case for the introduction of broad new powers that mandate backdoors in an attempt to undermine encrypted technology more widely. Unlike other Western democracies such as the US or Canada, Australia has no constitutional protection for human or privacy rights. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/end-to-end-encryption-isnt-enough-security-for-real-people-82054">End-to-end encryption isn't enough security for 'real people'</a>
</strong>
</em>
</p>
<hr>
<p>In the meantime, Facebook <a href="http://www.smh.com.au/federal-politics/political-news/facebook-rebuffs-malcolm-turnbull-on-laws-to-access-encrypted-messages-for-criminal-investigations-20170714-gxb773.html">argues</a> that “weakening encrypted systems would mean weakening it for everyone.” We also know Apple has been <a href="http://www.smh.com.au/federal-politics/political-news/apple-flies-in-top-executives-to-lobby-turnbull-government-on-encryption-laws-20170719-gxebvn.html">lobbying</a> the government to drop the proposal. </p>
<p>Technology companies need to fight back against a government that has considerable appetite to intercept private communications, but has not made a convincing case for why they need these new powers.</p>
<p><em><strong>Read other stories in this series:</strong></em></p>
<ul>
<li><em><a href="https://theconversation.com/poisoned-water-holes-the-legal-dangers-of-dark-web-policing-82833">Poisoned water holes: the legal dangers of dark web policing</a></em></li>
<li><em><a href="https://theconversation.com/its-too-hard-to-get-the-data-of-australian-criminals-when-its-stored-overseas-82828">It’s too hard to get the data of Australian criminals when it’s stored overseas</a></em></li>
<li><em><a href="https://theconversation.com/virtual-child-pornography-could-both-help-and-hinder-law-enforcement-82746">Virtual child pornography could both help and hinder law enforcement</a></em></li>
</ul><img src="https://counter.theconversation.com/content/82891/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Michael Wilson receives funding from the Commonwealth Government as part of the Research Training Program scheme.</span></em></p><p class="fine-print"><em><span>Monique Mann is a Board Member of the Australian Privacy Foundation and is on the Advisory Council of Digital Rights Watch Australia. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>Many Australians are unaware of current police and intelligence powers when it comes to accessing our data.Michael Wilson, PhD Candidate, School of Justice, Faculty of Law, Queensland University of TechnologyMonique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/828332017-09-06T20:10:28Z2017-09-06T20:10:28ZPoisoned water holes: the legal dangers of dark web policing<p><em>This article is part of a series on how law enforcement is fighting crime across digital borders. You can read the rest <a href="https://theconversation.com/au/topics/fighting-crime-across-digital-borders-42662">here</a>.</em></p>
<hr>
<p>Australian police are using <a href="http://www.csoonline.com/article/2614643/security/watch-out-for-waterhole-attacks----hackers--latest-stealth-weapon.html">“poisoned watering holes”</a> to investigate crime on the dark web. By taking over illegal marketplaces that traffic in child pornography or drugs, law enforcement are collecting information about criminals all over the world.</p>
<p>Of course, crimes that occur on the internet often cross international borders, but this situation is creating troubling new standards in transnational policing. </p>
<p>Research, <a href="https://eprints.qut.edu.au/102299/">including our own</a>, indicates that as police operations move into online environments, new rules for digital evidence collection and exchange must be developed to assist prosecutions while preserving due process and <a href="https://necessaryandproportionate.org/">human rights</a>. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891">Spyware merchants: the risks of outsourcing government hacking</a>
</strong>
</em>
</p>
<hr>
<p>Investigations on the <a href="https://theconversation.com/explainer-what-is-the-dark-web-46070">dark web</a> readily transcend geographic demarcations fundamental to the use of search warrants and the admissibility of evidence.</p>
<p>Some enforcement agencies have <a href="https://www.eff.org/deeplinks/2016/08/illegal-playpen-story-rule-41-and-global-hacking-warrants">conducted online investigations</a> and attempted to <a href="http://epublications.bond.edu.au/law_pubs/761/">access or transfer information</a> outside existing domestic and transnational legal frameworks. This is common <a href="https://motherboard.vice.com/en_us/article/mg79nb/australian-authorities-hacked-computers-in-the-us">in cases</a> involving dark web sites that distribute child exploitation material (CEM). </p>
<p>Without proper checks, police could have significantly expanded scope to search homes and computers around the world, even in cases not involving CEM.</p>
<h2>Watering holes and network investigative techniques</h2>
<p>The techniques used in online investigations can have potentially problematic legal standing.</p>
<p><a href="https://arstechnica.com/tech-policy/2017/05/creator-of-infamous-playpen-website-sentenced-to-30-years-in-prison/">Playpen</a> was a dark web site used to distribute CEM. The FBI seized the site in 2015, and obtained a warrant to continue its operation on a government server. </p>
<p>The FBI used a Network Investigative Technique (NIT), also known as <a href="https://policyreview.info/articles/analysis/computer-network-operations-and-rule-law-australia">Computer Network Exploitation</a>, to identify Playpen users. This distributed <a href="https://theconversation.com/after-wannacrypt-should-governments-stockpile-software-vulnerabilities-experts-respond-77717">malware</a> onto any computer used to log into the site. </p>
<p>The NIT enabled the FBI to identify the IP addresses, log-in times, and operating systems of around 150 computers located in the United States and more than 8,000 computers <a href="https://motherboard.vice.com/en_us/article/53d4n8/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant">located in 120 countries</a>. Up to <a href="https://www.casemine.com/judgement/us/5914abd5add7b049347399fb">215,000 registered Playpen users globally</a> could be affected.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/oqqIdRFeu24?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A Fast Explainer Of The Dark Web.</span></figcaption>
</figure>
<p>According to the Electronic Frontier Foundation, Playpen is the largest known <a href="https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation">US government hacking operation</a>. But it was authorised by a single warrant issued in Eastern Virginia. </p>
<p>Specialist online units in Australia, such as <a href="https://www.theguardian.com/society/2016/jul/13/shining-a-light-on-the-dark-web-how-the-police-ended-up-running-a-paedophile-site">Task Force Argos</a> in the Queensland Police Service, have also used “poisoned watering hole” tactics. </p>
<p>Australian convicted child sex offender <a href="http://www.abc.net.au/news/2016-02-26/paedophile-shannon-mccoole-gives-evidence-at-royal-commission/7203970">Shannon Grant McCoole</a>, who administered “The Love Zone” site, was apprehended after a tip from Danish police. Task Force Argos investigators then <a href="https://www.cdpp.gov.au/news/record-sentence-head-administrator-paedophile-site">effectively ran the site</a> “while feeding information to international law enforcement colleagues”.</p>
<p>The investigation identified many users located in other countries, including several who were <a href="https://motherboard.vice.com/en_us/article/mg79nb/australian-authorities-hacked-computers-in-the-us">prosecuted in the United States</a>.</p>
<p>Details of the warrant used in this investigation are unclear, which is common in cases involving CEM that result in guilty pleas.</p>
<h2>Darkweb investigations and the law</h2>
<p>There are some established methods for law enforcement sharing information across borders.</p>
<p><a href="https://mlat.info/">Mutual Legal Assistance Treaties (MLATs)</a> are similar to extradition treaties. States seeking access to digital evidence located offshore must first issue a formal request.</p>
<p>MLATs aim to protect the legal rights of people suspected of transnational or offshore offending. However, available US cases <a href="https://motherboard.vice.com/en_us/article/mg79nb/australian-authorities-hacked-computers-in-the-us">involving The Love Zone</a> do not appear to mention MLAT procedures. </p>
<p>This has troubling implications for the right to a fair trial.</p>
<p>It’s possible Task Force Argos informally communicated the IP addresses of US-based site users directly to US authorities. Queensland Police declined to comment on the warrant.</p>
<p>The geographic scope of the Playpen NIT warrant, on the other hand, is extremely unclear. <a href="https://www.aclu.org/report/challenging-government-hacking-criminal-cases?redirect=malware-report">Some US courts</a> have declared the NIT warrant to be valid only within Eastern Virginia. </p>
<p>At least one US court has ruled that warrants to search homes and seize computers outside of this district produced evidence viewed as the <a href="https://assets.documentcloud.org/documents/3533838/2017-03-23-44-US-v-Carlson-DMN.pdf">“fruit of the poisonous tree”</a>.</p>
<p>In other words, because the dark web’s infrastructure could only enable law enforcement to uncover the locations and identities of suspects through the defective NIT warrant, any physical evidence seized from a subsequent warrant to search a home was inadmissible.</p>
<p>However, some US courts seem willing to admit evidence from the Playpen NIT because the FBI is regarded by the courts as acting in <a href="https://www.ca10.uscourts.gov/opinions/16/16-1401.pdf">good faith</a> in both seeking and executing it. </p>
<h2>Legal geographies of online investigations</h2>
<p>Law enforcement agencies are keen to maintain secrecy of dark web CEM investigations. But there is concern from legal experts that informal police networks routinely operate outside of established MLAT procedures.</p>
<p>The MLAT process is slow, technical <a href="https://www.accessnow.org/whats-wrong-system-cross-border-access-data/">and cumbersome</a>. This may fuel the acceptance of questionable NITs and exchange of data between police to streamline transnational dark web investigations. But it could also undermine complex cyber-prosecutions and the fairness of criminal trials that rely on electronic evidence.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/inside-the-fight-against-malware-attacks-81433">Inside the fight against malware attacks</a>
</strong>
</em>
</p>
<hr>
<p>The informal exchange of criminal intelligence and use of malware is understandable where child welfare is at stake. But these investigative methods <a href="https://publicpolicy.googleblog.com/2015/02/a-small-rule-change-that-could-give-us.html">undercut current attempts</a> to preserve due process and digital security standards.</p>
<p>Success in these types of investigations cannot solely be measured by prosecution and conviction rates. It should also be measured by the legality, ethics and transparency of transnational investigative procedures and the rules that underpin them.</p>
<p><em><strong>Read other stories in this series:</strong></em></p>
<ul>
<li><em><a href="https://theconversation.com/police-want-to-read-encrypted-messages-but-they-already-have-significant-power-to-access-our-data-82891">Police want to read encrypted messages, but they already have significant power to access our data</a></em></li>
<li><em><a href="https://theconversation.com/its-too-hard-to-get-the-data-of-australian-criminals-when-its-stored-overseas-82828">It’s too hard to get the data of Australian criminals when it’s stored overseas</a></em></li>
<li><em><a href="https://theconversation.com/virtual-child-pornography-could-both-help-and-hinder-law-enforcement-82746">Virtual child pornography could both help and hinder law enforcement</a></em></li>
</ul><img src="https://counter.theconversation.com/content/82833/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Ian Warren is affiliated with the Australian Privacy Foundation.</span></em></p><p class="fine-print"><em><span>Adam Molnar is a Board Member of the Australian Privacy Foundation and is on the Advisory Council of Digital Rights Watch Australia.</span></em></p><p class="fine-print"><em><span>Monique Mann is a Board Member of the Australian Privacy Foundation and is on the Advisory Council of Digital Rights Watch Australia. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>Without proper checks, police could have significantly expanded scope to search homes and computers around the world.Ian Warren, Senior Lecturer, Criminology, Deakin UniversityAdam Molnar, Lecturer, Criminology, Deakin UniversityMonique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/828282017-09-05T20:12:22Z2017-09-05T20:12:22ZIt’s too hard to get the data of Australian criminals when it’s stored overseas<p><em>This article is part of a series on how law enforcement is fighting crime across digital borders. You can read the rest <a href="https://theconversation.com/au/topics/fighting-crime-across-digital-borders-42662">here</a>.</em></p>
<hr>
<p>Solving crimes and prosecuting criminals depends on efficient access to evidence. Technology has not changed that. </p>
<p>What has changed, however, is that much of that evidence has migrated online. Most importantly, it’s often stored overseas. </p>
<p>This is true for so-called cybercrime, and for traditional “offline” acts. For example, prosecuting a murder, rape or child abduction may depend on access to e-mails, search history and mobile phone locations – all data that may be stored on overseas servers.</p>
<p>This presents problems for Australia, and needs to be addressed.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891">Spyware merchants: the risks of outsourcing government hacking</a>
</strong>
</em>
</p>
<hr>
<p>The movement of evidence to the online cloud in particular means that the efficiency of the Australian police depends directly on the level of cooperation provided by overseas actors. </p>
<p>They need help from law enforcement agencies in other countries, or the assistance of tech giants such as Google, Amazon, Microsoft, Facebook and Apple, which actually hold the data.</p>
<p>The concern is that support from overseas law enforcement typically involves a slow and cumbersome process, while the assistance of the tech giants rests on uncertain legal ground. </p>
<h2>Mutual Legal Assistance treaties</h2>
<p>The traditional method for accessing evidence in another country is via Mutual Legal Assistance Treaties (<a href="https://mlat.info/faq">MLATs</a>). Australia has entered into <a href="https://mlat.info/country-profile/australia">many such agreements</a>. </p>
<p>For example, Australian police may request that US law enforcement agencies acquire crime-related information from the relevant US-based technology company. </p>
<p>This process often takes months, and it’s <a href="https://www.lawfareblog.com/mlat-reform-some-thoughts-civil-society">widely accepted</a> that the MLAT structure is opaque and under too much stress due to the volume of requests. </p>
<p>The alternative is for law enforcement to make requests directly to the tech companies, but this can be legally fraught and involves a complex matrix of interests. </p>
<p>Microsoft, for example, is in a difficult position. The US government served <a href="https://www.linkedin.com/pulse/after-microsoft-v-us-law-enforcement-cloud-1-2-svantesson?_mSplash=1&trk=mp-reader-card">a search warrant</a> in 2013 authorising the search and seizure of information associated with a specified e-mail account. Microsoft opposed it, given that the emails are stored on servers in Dublin, Ireland.</p>
<p>If it complies with the US request for data, <a href="http://digitalconstitution.com/wp-content/uploads/2014/12/albrecht-microsoft-ireland-amicus-brief1.pdf">it risks</a> violating European data protection law that imposes restrictions on the cross-border transfer of data. The US Justice Department <a href="https://arstechnica.com/tech-policy/2017/06/supreme-court-asked-to-decide-if-us-has-right-to-data-on-foreign-servers/">has petitioned</a> for the Supreme Court to resolve the matter.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=489&fit=crop&dpr=1 600w, https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=489&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=489&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=615&fit=crop&dpr=1 754w, https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=615&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/184101/original/file-20170831-22218-1tmicun.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=615&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Microsoft is caught between the US and EU governments.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/new-york-city-usa-july-08-600763007?src=Rb1svuHA6BU0Y1sjrw7xxw-1-26">Antonio Gravante/Shutterstock</a></span>
</figcaption>
</figure>
<h2>Dated legal thinking</h2>
<p>One of the key obstacles for progress is found in the law’s focus on “territoriality”. </p>
<p>Drawing on outdated thinking cemented in <a href="http://www.worldcourts.com/pcij/eng/decisions/1927.09.07_lotus.htm">a 1920s case involving colliding steam ships</a>, international law attaches great significance to where data are located. </p>
<p>But online, it’s easy for criminals to move data around as they wish, and it’s not always possible to ascertain its geographic location.</p>
<p>We need to move away from territoriality as a core principle of jurisdiction. </p>
<p>A new framework, which better reflects the world <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2874238">we live in today</a>, could involve a multi-factor test for jurisdiction. It could allow cross-border access where the overseas country has a legitimate interest in data stored in another country, among other requirements.</p>
<h2>An urgent dilemma with solutions in sight</h2>
<p>A variety of groups are trying to fix these problems.</p>
<p>The <a href="https://www.coe.int/en/web/cybercrime/home">Council of Europe</a> is working on providing further <a href="https://rm.coe.int/16806f943e">guidance</a> on how its <a href="https://www.coe.int/en/web/cybercrime/the-budapest-convention">Cybercrime Convention</a>, of which Australia is a party, can address these concerns. </p>
<p>The <a href="https://www.internetjurisdiction.net/">Internet and Jurisdiction Policy Network</a> – a Paris-based global multi-stakeholder policy network addressing the tension between the cross-border internet and national jurisdictions – has brought together a <a href="https://www.internetjurisdiction.net/news/data-jurisdiction-contact-group-members">Contact Group</a> consisting of experts from academia, industry, government, policy groups and law enforcement. </p>
<p>The European Union Commission is also working on this topic and is currently undertaking a <a href="https://ec.europa.eu/info/consultations/public-consultation-improving-cross-border-access-electronic-evidence-criminal-matters_en?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_shares%3BQdDP15bwT2KdTV1Ud6sN3A%3D%3D">consultation</a> until October 2017. </p>
<p>In addition to these international and regional initiatives, the US and UK governments <a href="http://thehill.com/policy/cybersecurity/337997-us-british-officials-push-deal-to-improve-law-enforcement-access-to-data">are working on</a> a bilateral arrangement for reciprocal cross-border access to data. </p>
<p>The US is also <a href="http://cyberlaw.stanford.edu/blog/2017/06/cross-border-data-fix-it%E2%80%99s-not-so-simple">considering changes</a> to its Electronic Communications Privacy Act (<a href="https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285">ECPA</a>) that could cater for US tech companies voluntarily disclosing user content data to foreign law enforcement under specific guarantees and safeguards.</p>
<h2>Legal uncertainty benefits no one, apart from the criminals</h2>
<p>Certainty around these issues is vital, but while law enforcement, victims and society all have an interest in the efficient transfer of evidence, the solution is not simple. </p>
<p>The suspect also has an interest in the integrity of evidence, due process and a fair trial. </p>
<p>Both the suspect and the public more broadly have important privacy needs that must be protected. Suspicion of some petty crime should not automatically give police access to a suspect’s full online life, such as their entire Facebook history.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australias-car-industry-needs-cybersecurity-rules-to-deal-with-the-hacking-threat-82268">Australia's car industry needs cybersecurity rules to deal with the hacking threat</a>
</strong>
</em>
</p>
<hr>
<p>We must also consider the interests of the countries in which the data are located. Imagine if North Korea demanded that an Australian tech company hand over data about local dissidents. Would we want the company to comply?</p>
<p>Finally, the tech companies themselves have legitimate interests. Particularly in avoiding being squeezed between contradictory rules in different legal systems. </p>
<p>The success of any new policy depends on striking an appropriate balance.</p>
<p>Unfortunately, the chaotic situation we are faced with currently hinders the work of law enforcement, and also fails to protect privacy rights – it only benefits the criminals.</p>
<p><em><strong>Read other stories in this series:</strong></em></p>
<ul>
<li><em><a href="https://theconversation.com/police-want-to-read-encrypted-messages-but-they-already-have-significant-power-to-access-our-data-82891">Police want to read encrypted messages, but they already have significant power to access our data</a></em></li>
<li><em><a href="https://theconversation.com/poisoned-water-holes-the-legal-dangers-of-dark-web-policing-82833">Poisoned water holes: the legal dangers of dark web policing</a></em></li>
<li><em><a href="https://theconversation.com/virtual-child-pornography-could-both-help-and-hinder-law-enforcement-82746">Virtual child pornography could both help and hinder law enforcement</a></em></li>
</ul><img src="https://counter.theconversation.com/content/82828/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Dan Jerker B. Svantesson held an Australian Research Council Future Fellowship (2012-2016) for a project on Internet Jurisdiction. He is a member of the 'Data & Jurisdiction Contact Group' of the Internet & Jurisdiction Project (<a href="https://www.internetjurisdiction.net/news/data-jurisdiction-contact-group-members">https://www.internetjurisdiction.net/news/data-jurisdiction-contact-group-members</a>). </span></em></p>Support from overseas law enforcement and tech companies is typically a slow and cumbersome process.Dan Jerker B. Svantesson, Co-Director Centre for Commercial Law, Bond UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/827462017-09-04T20:16:59Z2017-09-04T20:16:59ZVirtual child pornography could both help and hinder law enforcement<p><em>This article is part of a series on how law enforcement is fighting crime across digital borders. You can read the rest <a href="https://theconversation.com/au/topics/fighting-crime-across-digital-borders-42662">here</a>.</em></p>
<hr>
<p>More than one decade ago, the United States <a href="https://www.govtrack.us/congress/bills/108/s151/text/is">government predicted</a> that “technology will soon exist, if it does not already, to make depictions of virtual children look real”. </p>
<p>There is now evidence to suggest we have reached that point. </p>
<p>We need to consider the implications this may have for law enforcement agencies in combating child abuse material. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/child-sex-dolls-and-robots-exploring-the-legal-challenges-81912">Child sex dolls and robots: exploring the legal challenges</a>
</strong>
</em>
</p>
<hr>
<p>When fears over child abuse material <a href="http://digitalcommons.pepperdine.edu/cgi/viewcontent.cgi?article=2170&context=plr&sei-redir=1&referer=http%3A%2F%2Fscholar.google.com.au%2Fscholar%3Fhl%3Den%26as_sdt%3D0%2C5%26q%3DPreying%2Bon%2Bplaygrounds%253A%2BThe%2Bexploitation%2Bof%2Bchildren%2Bin%2Bprostitution%2Band%2Bpornography#search=%22Preying%20playgrounds%3A%20exploitation%20children%20prostitution%20pornography%22">reached fever pitch</a> in the 1970s, the internet was still in its infancy. </p>
<p>Since then, digital technology has advanced significantly. Lawmakers throughout the world, including Australia, have sought to extend laws prohibiting child abuse material to include pictures and videos created even without a child. </p>
<p>Sexually explicit images that are wholly computer generated, but that appear realistic, are known as “virtual child pornography” (VCP). </p>
<p>Although it is safe to assume cartoon depictions of children (say, Bart Simpson) would not be mistaken, distinguishing a photograph depicting a real child from VCP can be complex.</p>
<h2>Virtual child pornography becomes too real</h2>
<p><a href="http://www.dartmouth.edu/press-releases/real-or-virtual021816.html">According to</a> <a href="http://www.dartmouth.edu/press-releases/real-or-virtual021816.html">Hany Farid</a>, a professor of computer science at Dartmouth: </p>
<blockquote>
<p>[a]s computer-generated images quickly become more realistic, it becomes increasingly difficult for untrained human observers to make this distinction between the virtual and the real. </p>
</blockquote>
<p>This is supported by <a href="http://dl.acm.org/citation.cfm?id=2871714">a 2016 study</a> conducted by Farid and his colleagues that showed approximately 250 participants 60 images of human faces. Half of these images were computer-generated, the other half were real. </p>
<p>The participants were able to correctly identify which images were photographic 92% of the time, but were only able to accurately classify a computer-generated image 60% of the time. </p>
<p>The second part of the study found that training increased the ability of participants to identify when an image was virtual. </p>
<p>These findings, along with advances in photo-imaging software, indicate the need for the courts to reconsider <a href="https://www.leagle.com/decision/20031467335f3d113211338">its belief that</a> “juries are still capable of distinguishing between real and virtual images”.</p>
<p>Unlike laypersons, law enforcement officers are likely to have the training and skill to distinguish real images from virtual images of children. But there <a href="https://www.leagle.com/decision/2006597445fsupp2d1521578">are reports</a> suggesting that sometimes even “experts cannot know whether a digital image is real or virtual”.</p>
<h2>Law enforcement using VCP to detect offenders</h2>
<p>Nevertheless, VCP that is virtually indistinguishable from images of children creates new possibilities for law enforcement officers in catching criminals. </p>
<p>A sting operation conducted in 2013 used a fictitious virtual child character, “<a href="https://www.japantimes.co.jp/news/2013/11/05/world/virtual-girl10-snares-1000-net-sex-tourists/#.WazsRtMjGi5">Sweetie</a>”. </p>
<p>Created by activist group <a href="https://www.terredeshommes.nl/">Terre de Hommes</a> in the Netherlands as part of a sting operation aimed at tackling the growing threat of webcam child sex tourism, the apparently 10 year old Filipina girl reportedly misled thousands of men around the world (including in Australia, the United States and the United Kingdom). These men were exposed after paying to see Sweetie perform sexual acts in front of a webcam. </p>
<p>While there is no data highlighting how frequently law enforcement in Australia use VCP, there are multiple reports of police using technology to catch online sexual predators. </p>
<p>In May 2016, for example, it was <a href="http://www.news.com.au/national/breaking-news/regional-nsw-raids-nab-3-groomers/news-story/4e6177193ca5253ece8cf9931464c845">reported</a> that three men in New South Wales were arrested after making “sexually explicit comments” to police officers pretending to be underage girls online. </p>
<p>Now that it is possible to create photorealistic images of children, perhaps Australian police forces will conduct their own Sweetie-like operations to target offenders.</p>
<h2>The legal and ethical risks of VCP</h2>
<p>While VCP may equip law enforcement agencies with a powerful weapon to detect and apprehend offenders, such police operations are fraught with legal and ethical concerns. </p>
<p>These operations may contravene domestic laws prohibiting VCP. They may also contravene laws in some jurisdictions, such as the United States, <a href="https://www.law.cornell.edu/uscode/text/18/2252A">making it a crime</a> to advertise VCP as material depicting real children. </p>
<p>There are no reported Australian cases dealing with the legality of police using VCP to catch predators. But the case law that involves police adopting fictional identities highlights the tendency of the courts to reject arguments challenging the lawfulness of such <a href="http://www.austlii.edu.au/au/journals/PrecedentAULA/2011/22.pdf">police stings</a>.</p>
<p>For instance, the New South Wales case of <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/nsw/NSWCCA/2010/192.html?context=1;query=%22POLICE%20STING%22%20AND%20%22CHILD%22">R v Fuller</a> involved a priest who used the internet to engage in sexually explicit communications with a 13-year-old girl. The “child” was really a fictitious person created by police. </p>
<p>The Court stated that although “the presence of an actual victim may aggravate the offence, the absence of a victim will not mitigate it”. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/from-live-streaming-to-tor-new-technologies-are-worsening-online-child-exploitation-78198">From live streaming to TOR: new technologies are worsening online child exploitation</a>
</strong>
</em>
</p>
<hr>
<p>In Australia, it is <a href="https://www.legislation.gov.au/Details/C2017C00235/Html/Volume_2">a defence</a> for law enforcement officers to deal with child abuse material if it is for a “public benefit”. Given the societal interest in protecting children, the use of VCP to detect potential predators may be seen as acceptable. </p>
<p>Certainly, it is a public priority to catch offenders before they harm actual children. But just how far should the police be allowed to go to catch child predators? Do the ends justify the means? </p>
<p>An informed public debate on the potential use and misuse of VCP is needed. </p>
<p><em><strong>Read other stories in this series:</strong></em></p>
<ul>
<li><em><a href="https://theconversation.com/police-want-to-read-encrypted-messages-but-they-already-have-significant-power-to-access-our-data-82891">Police want to read encrypted messages, but they already have significant power to access our data</a></em></li>
<li><em><a href="https://theconversation.com/poisoned-water-holes-the-legal-dangers-of-dark-web-policing-82833">Poisoned water holes: the legal dangers of dark web policing</a></em></li>
<li><em><a href="https://theconversation.com/its-too-hard-to-get-the-data-of-australian-criminals-when-its-stored-overseas-82828">It’s too hard to get the data of Australian criminals when it’s stored overseas</a></em></li>
</ul><img src="https://counter.theconversation.com/content/82746/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Dr Al-Alosi does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>It’s increasingly difficult to tell virtually-created images from those of real children.Dr Al-Alosi, Lecturer, School of Law, Western Sydney UniversityLicensed as Creative Commons – attribution, no derivatives.