Authors: Jan Kerkhofs and Philippe Van Linthout
Cybersecurity is becoming increasingly important for risk management as well as for BCM (Business Continuity Management). BCM organizations are placing more and more emphasis on incorporating cybersecurity into their range of services. Often this concerns the technical side of cybersecurity and how to technically repel a cyber attack. However, many overlook the legal aspects of cybersecurity: what is legally permissible and what is not? The authors investigated this question and published a book that is up to date as of December 1, 2013. It deals with the legal aspects, and part of the book is illustrated with a case in which YAHOO! was involved, which demonstrates how the legislation can be interpreted.
The following points stood out:
Today’s criminals have changed their methods: not all of them carry a revolver, but they all carry a smartphone.
Cyberspace provides an incredibly fertile ground for crime with still unknown and untapped possibilities that can be perfected.
Cyberspace may eventually emerge as a separate legal territory, as there are no visible national borders.
Crimes include (non-exhaustive list):
Illegal data or fund transfers, etc.
Forgery
Obstruction of computer systems and telecommunications systems
Misuse of protected software
Interception of messages
Fraud
Damage to hardware, software, or data
Sabotage
Unauthorized access
Plagiarism
The evolution of ICT is outpacing the legislator.
Part 1 of the book deals with substantive cybercriminal law. The most important aspects include:
It is economic legislation.
There is a separate offense for intentionally disguising the truth by manipulating legally relevant data.
Something must be introduced, changed, deleted, or altered to constitute a crime of computer falsehood. Omission offenses are also possible.
One speaks of computer falsehood when there was intent to harm or fraudulent intent.
If someone knowingly and willingly uses data that they know to be false, they are liable as if they were the perpetrator of the falsehood. An attempted crime is not punishable.
An attempt is punishable if economic advantage is sought by committing computer fraud. (This is not the same as computer falsehood, which mainly involves disguising the truth.)
In addition to computer falsehood and computer fraud, there is also the concept of unauthorized manipulations of a machine. For example, computer fraud.
The Penal Code attaches great importance to crimes against confidentiality, integrity, and availability, concepts that also appear in ISO 2700x. One consequence is that a distinction is made between external and internal hacking.
Not only actual hacking is punishable, but also related acts such as possessing hacking tools, incitement to hacking, etc.
There is also computer sabotage: entering, changing, or deleting data or changing their normal use by any technological means. For example: a virus.
It is noteworthy that the penalties for a government representative who illegally intercepts communications in the exercise of their duties are heavier than those for interception outside their duties or by a civilian.
Not only the perpetrator of an illegal tap is liable, but also the possessor of illegally intercepted data.
Cybercriminal law also contains rules concerning electronic communication. These cover the use of 1) an electronic network, 2) an electronic communication service, or 3) other electronic communication means through which the offense can be committed. This last point covers a very broad range of instruments. This aspect of cybercriminal law is often invoked in cases of disturbance. Damage, including psychological damage, is also covered.
Digital distribution is equated with multiplication via a printing press.
Using electronic communication data without the consent of all communicating parties is punishable.
The law recognizes an information society in which ISPs (Internet Service Providers) and IAPs (Internet Access Providers) play an important role. These service providers have no general supervision obligation, but they can be required to supervise temporarily in a specific case. If they suspect abuse, however, they must immediately inform the administrative authorities. They must also provide all information requested by the authorities for the detection and establishment of offenses committed through their services.
Part 2 of the book deals with procedural cybercriminal law. The most important aspects include:
It concerns the procedural instruments with which cybercrime can be combated.
Tools available for internet investigation in the preliminary investigation:
Data seizure as evidence.
Seizure and reading of a mobile phone or smartphone.
Copying data onto media belonging to the authorities without loss of evidential value.
Notification of seizure or data copying.
Making the internet or parts thereof inaccessible. For example, in the context of negationism or incitement to racism or xenophobia, etc.
Reverse IP domain check.
Identification of internet users with the assistance of ISPs and IAPs and operators and service providers.
In case of urgency, a judicial police officer can independently requisition data under certain rules.
There is a legal obligation to cooperate and maintain confidentiality by operators of electronic communication networks and providers of electronic communication services.
There is a registration requirement for internet communication and internet use. Content may never be stored, only certain metadata.
Data interception and network searches are possible in this phase via a mini-instruction.
Social media and their content can be used as an investigative tool, as a source of information for the police and judiciary.
Geotagging and face recognition.
Publicly accessible parts of the internet can be viewed by the police. They can also participate in it.
Look-in operations (covert searches) in private parts of the internet, provided certain conditions are met.
Police and judiciary can tap, observe, and infiltrate on the internet and in social media.
However, there is also privacy legislation in place, as well as the right to anonymity. There are also cyber-private clubs.
Additionally, there is internet investigation in the judicial investigation. It shares a number of (legal-technical) weapons with the preliminary investigation.
It can contain a covert phase as well as an overt one. For example, when intercepting webmail.
One of the strongest weapons available to the judiciary in internet investigation is the duty to cooperate.
This applies to operators and service providers, but also to holders of knowledge (knowledge of computer systems, of the operation of machines, and of services used to encrypt or secure data).
The Yahoo! case example starts here, with a police report dated October 3, 2007.
Secondary internet providers have fewer obligations.
Suspects cannot be compelled to provide information.
Part 3 deals with data retention by ISPs and IAPs. Part 4 deals with territorial jurisdiction in Cyberspace. In this regard, Belgian justice can directly request information from ISPs and IAPs offering services on Belgian territory or initiate a rogatory investigation. Data retention is a minimum of 6 months and a maximum of 2 years, within which each country must establish its own rules. For Belgium, a royal decree establishes a data retention period of 1 year. ISPs or IAPs unwilling to cooperate with the legal investigation always have the freedom to no longer offer their services on Belgian territory.