International Law and the Coordinated and Cooperative Investigation and Prosecution of Transnational Organised Cybercrime

To successfully investigate cybercrimes and to bring such cases to judgment, capacity building still is of the utmost importance, especially in the field of digital forensics. Beside the technical and analytical capabilities, the normative framework to enable the investigation and prosecution of all crimes in which ICT plays a role needs to be adapted to meet the challenges outlined above. Alongside the legally binding international instruments, which the following analysis will focus on, model rules might again provide another useful source for states when adapting their codes of criminal procedure.89

Requirements on investigatory powers in international law on cybercrime

Coercive measures in general

One of the classic coercive powers known in criminal procedure is the search for and seizure of tangible objects. With ICT systems and in particular data storage devices being tangible objects, evidence that may then be analysed by means of digital forensics is accessible to the authorities using classic means. Nonetheless, several international agreements call for national legislation to enable the search and seizure of computer data (Article 19 CCC, Articles 26 and 27 Arab ITO Convention, Article 30 ECOWAS-Cybercrime, Article 31 para. 3(a) and (b) AU-CS), at least for the crimes covered by these instruments. This enables the access to ICT systems on site to preselect and pre-analyse computer data (‘live forensics’), and to access remotely attached storage devices during an open search-and-seizure operation. In general, these new provisions allow investigators to focus on the information sought—which may be the data, which can be duplicated without loss, but not the tangible object.

When the data are located with a (natural or legal) person not implicated with the crime, it may be more efficient and less invasive to merely require production of the data sought by the authorities (Article 18 CCC, Article 25 Arab ITO Convention).[1] [2] [3] [4] This only relates to data that were located within the territory of the state issuing the production order and not data located outside it.91 Neither provision is clear on the issue whether a third party—or even suspects themselves, which would raise serious nemo tenetur implications (see, e.g. Article 15 CCC)—may also be required to decrypt the data if so required by the authorities.

As both mutual legal assistance (see section and normal search-and- seizure operations may take some time, but data may be highly volatile (see section 16.1.3), many international legal instruments on cybercrime call for a preliminary, expedited preservation of data (Article 16 CCC, Article 23 Arab ITO Convention, Article 31 ECOWAS-Cybercrime, Article 31 para. 3(d) AU-CS). The preserved data then must generally be acquired under standard investigatory proceedings.

As the interception of content data (telecommunication surveillance) constitutes a very severe infringement of privacy, international legal instruments defer largely to national law to define the scope of applicability of this investigation technique (Article 21 CCC, Article 29 Arab ITO Convention, Article 31 para. 3(e) AU-CS).

No international legal instrument to date contains requirements regarding new forms of covert investigation techniques such as the installation of keyloggers or the use of remote forensic software. Such software may be used to intercept encrypted telecommunication at a stage prior to encryption, to covertly search the data of a suspect, or to survey their actions for a longer period^2

  • [1] Cf. CCC, cited in note 51 above, Explanatory Report, §§170f.
  • [2] Cf. ibid, Explanatory Report, §§173.
  • [3] Sieber, ‘Mastering complexity’, cited in note 3 above, p. 161.
  • [4] Cf. CCC, cited in note 51 above, Explanatory Report, §§150, 153, and 181.
< Prev   CONTENTS   Source   Next >