IGF 2010
VILNIUS, LITHUANIA
15 SEPTEMBER 10
SESSION 23
1415
CYBERCRIME COMMON STANDARDS AND JOINT ACTION
***
Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
***
>> ALEXANDER SEGER: Good afternoon. Thank you all for cutting your naps short and joining this workshop. Let me start by introducing very briefly the panelists and explain how we want to go ahead. On the left side Markko Künnapu, Ministry of Justice of Estonia and the Chair of the Cybercrime Convention Committee. We have Rusudan Mikhelidze, Minister of Georgia. We have Jayantha Fernando, Director and Legal Advisor, with ICT Agency of Sri Lanka. We have Zahid Jamil from Pakistan, and we have Laurent Masson, Director for Anti Piracy and Digital Crimes for Microsoft in Europe, Middle East and Africa, and we have Cristina Schulman from the Council of Europe.
All of these people are friends and we will try to be relatively short. Each presenter has one slide for the key points, key statements that you may want to take home and that you would hopefully also take up for the further discussion so we should have I think everybody says in every workshop we should have enough time for discussion but we will really live up to that and will limit the time for the presentations here. There is a big risk in IGF meetings that we encounter that every year we discuss the same thing and then we meet again in regional IGF's and discuss again the same thing and we go in circles.
What we would like to do in this workshop is build on what we discussed in previous years, build on the results from, for example, the global conference on Cybercrime that we had in Strasburg last March and go a step further. Our main arguments are that the key tools and instruments to cope with Cybercrime are already available, doesn't mean that some more won't be developed but the body is available and the core problem is that these instruments are not necessarily implemented all over the world and therefore we need to see how can we overcome this core problem.
One element is that we need to reinforce global capacity building through technical assistance. To help countries apply, help them set up crime units, help make international corporations more efficient, provide for training of law enforcement, prosecutors, training, et cetera. The second issue that is so far we have not advanced very much and that is to see whether we should establish some sort of a review mechanism so that in the future we can review or assessor monitor to what extent countries apply tools and instruments that are on the market. With that, if I understand how this works I would like to give the floor immediately to the first panelist, that is Markko Künnapu from Astonia. Estonia.
>> MARKKO KÜNNAPU: Thank you, I would like to start by saying I'm glad to be here and I will try to be brief. We encourage states to join the Budahpist convention because it is the only legally binding instrument. We have seen initiatives from other international organizations and I'm not going to name them right now but all of these are in the form of recommendations, guidelines, policy documents, but they have no binding affect on states. So even if an international organisation does adopt an instrument, if it's not legally binding, then actually states don't have to take any measures at all. The only exception is Europe and Europe in June legislation is binding and the problem is Cybercrime is global and it's not limited only with all those 27 member states. That's why I would like to stress that right now there is one existing instrument and the number of parties to the convention is quite low, implementation level is quite poor but the states can improve that situation and they can join the convention.
Many more standards, when I speak about minimum standards, first, I mean, certain legislative base, that means states must have a certain level of substantial and procedural law and they require that they be able to enforce that legislation as well, member states must have specific IT crime units in place, with someone who is competent and able to work, able to work at national level and if required able to work at international level, if there is a need to cooperate with other countries.
So according to the Convention a consultation of parties is provided and especially it's provided under Article 46, it is a committee a Cybercrime convention platform and it provides for the states to join the Convention, and let them discuss, exchange information, and analyze new threats, emerging issues and so on, and the committee can provide guidance and assistance if needed. Another tool under the Council of Europe is the approach of Cybercrime.
>> ALEXANDER SEGER: We have to shout!
>> MARKKO KÜNNAPU: And the programme offers assistance to the states and the states will have joined the convention, and the project can provide guidance, assistance, assistance in creating country profiles, assistance in analyzing their national legislation and training. In order to fight Cybercrimes and cyber affects we have to act globally because Cybercrimes and attacks are across border, cyber criminals act globally and the law enforcement authorities must respond, and that's why cooperation between countries is needed but in order to cooperate with each other the countries need the same minimum standards. In order to cooperate the countries must have some certain level of harmonization, they need minimum standards concerning substantial law otherwise the principle will not be fulfilled.
Countries need procedural law otherwise police officers won't be able to cooperate with each other and most important there must be a legal basis for the corporation and the convention provides perfect legal basis. I think I have used my time and I will finish here.
>> ALEXANDER SEGER: Thank you, Markko, I propose each of the panelists make their statements first and then we can, based on your discussion revert to some of these slides. The next presenter is Rusudan Mikhelidze from Georgia. It's interesting, you know, everybody talks about cyber attacks, Georgia, Estonia, here they are.
>> RUSUDAN MIKHELIDZE: Thank you Mr. Speaker. It is a privilege for me to speak at this forum and more of a privilege to speak after Markko Künnapu who is the Chair of the Cybercrime Convention committee in view of the Cybercrime issues that are going on in Georgia at the moment, we are ratifying the Convention of the Council of Europe.
Today I will brief you about the Council of Europe's work going on in Georgia, and I will brief you on the benefits that were achieved and that were present for the government after the project was completed and throughout the project. In this information age when the governments and ordinary people are more and more relying on ICTs, when the government electronic services it is important to properly investigating incidents of Cybercrime. It is vital for the government to be equipped with necessary capacity to cope with the existing threats of this phenomenon. European union Council of Europe joint Cybercrime which lasted for one year was a project that indeed achieved these results and the issue I would like to put here for the discussion, the question to raise, is why and how this kind of capacity building projects can be beneficial for governments such as Georgia, and the other countries as well. Answer to the question whether this type of projects are beneficial from the perspective of the government is yes, definitely, absolutely, they are very beneficial and how and why?
The first point in my presentation is that they help deliberation on the policy level support political will to address the problem of Cybercrime and support in planning concrete plans. Although the government of Georgia is relying on ICTs and the e governance has made it a top priority and although we experienced massive attacks on government as well as private sector during the war, there was no political will ripe at the moment the project started to harmonize or to ratify the convention. After the workshops, conferences and discussions, now at this moment the political will is there and the fight against Cybercrime is made as one of the top priorities for the government of Georgia.
I'm not saying that without the project the government would not take necessary measures to fight Cybercrime, but this is just to point out that the project speeded up the process very much. The second point is that these type of capacity building projects provides, requires technical expertise in addressing legislative gaps and indeed this project brought necessary know how in view of harmonizing Georgia and legislation with the Council of Europe Convention on Cybercrime. After intensive works the legislation project was elaborated, which is now in the parliament and I'm happy to announce that the legislative package was adopted with the first hearing and we expect all the three hearings that are required for legislation in Georgia to be adopted will be finalized before the first of October and the legislative package will enter into force.
The process is ratification of the Cybercrime Convention. The third point is that the projects like this support development of necessary human capacity. In case of Georgia a number of trainings were conducted, especially they were TOTs for law enforcement agencies and Georgia prosecutors, and it is not to say that the project has covered all the training needs in this area, however, again, these provided a very good basis for further increase of qualification of necessary stuff, and with the assistance of several organizations now dedicated to investigating Cybercrime cases are more intent to increase their qualification.
The fourth and last point that I wanted to make is that the project in Georgia paved the way toward public/private dialogue resulting in solid partnership. In this I mean the law enforcement ISP cooperation, which at the beginning of the project was not imagined, there was no dialogue between the two, they met on very special occasions and infrequently. The project initiated the dialogue which resulted in memorandum of understanding, MOU signed by law enforcement and ISPs on basic principles in fighting against Cybercrime. The project launched policy reform which has found its own development as a sustainable process and even now when the project is over it still affects of area fight against Cybercrime in Georgia. The amendments are in parliament and will be adopted and the process of are the fiction will be finalized. It is planned to establish the crime unit after the legislation is adopted by the minister Of Affairs Minister Of Internal Affairs in Georgia. The project continues itself which will give good outcome, thank you very much.
>> ALEXANDER SEGER: Thank you Rusudan. Looking at the title of this workshop, namely "common standards and joint action" this is an excellent example. In the beginning there were the conflicts in summer of 2008, where Georgia then we realised had very little to protect itself, and in October of 2008 I traveled to Georgia and together with the European Union Delegation we designed a small project, one year, about 200,000 Euros and a few months later that project was started, 12 months of implementation and that resulted in concrete, specific results that will now help you carry the process further from legislation, a Memorandum Of Understanding between law enforcement and ISP, training concepts and the adoption of a concept on establishing a high tech crime unit that will start operating. I think this is an excellent example and I would like in this context to thank the European Commission for cooperating with us on that but I think, Rusudan one of the key factors was involvement of you and other colleagues from Georgia. You need the commitment of the personal authorities and personal engagement of key stake holders and this has made it also possible as a joint exercise in Georgia to lead it to a successful conclusion, but it will continue, of course, the process will continue as you said. So we have been doing this in Europe with Georgia, we will do more in Europe, we are soon launching a programme with southeastern Europe, Albania, Croatia and Turkey, other countries, where we will do the same thing on a larger basis but I think the Georgia example is also something that we could replicate in other countries around the world to show that we're not just interacting with European countries, I would like to invite Zahid Jamil from Pakistan to present a view from Pakistan, thank you.
>> ZAHID JAMIL thank you for the opportunity, ladies and gentlemen. Before I get to the slide I wanted to take a few seconds and tell you I'm sorry, I've got to be closer. The position that exists in Pakistan with regard to our legislation on cyber security, what is good for us, in fact, the way we look at it is the legislation that was earlier passed was legislation that was modeled largely and it can be tweaked and there are things that can be fixed in that but it was based on the Budapest Convention, and they adopted most of the structure and a lot of the contents of the Convention itself. Unfortunately, it has lapsed with the new political government, that's why it was nice to see Alexander and friends from Microsoft come to Pakistan earlier this year and do a training for law enforcement and investigators and had an interesting interaction with the judicial academy and there has been great interest from all these other areas to start engaging on technical capacity building and those sort of areas. Now one of the things while that training was going on highlighted for a country like mine was that there was no other mechanism of which Pakistan law enforcement, remember, they were involved in many things but it was the only mechanism often they could get Cybercrime issues cross border was really this Convention, nothing else would help. We saw interest from within the law enforcement itself saying "really, this can work for us?" We've been asking Y country and we don't get it, how do we get it? And the answer was "well, you've got to sign up for this Convention" so they were willing. It gives you an idea of how important it would be for countries outside the Council of Europe, but, unfortunately, there seems to be very little international motivation or incentive for developing countries to adopt these conventions or measures. I'm taking Pakistan as an example where there is terrorism and security issues but, still, the adoption of a cyber security legislation or signing on to the Convention Cybercrime is not a bilateral or multi lateral within any country when it comes to Pakistan and I think that is the case in many other countries, as well, so keeping that in context I've come up with suggestions. I think it's time after 2001 now to revitalize the convention on Cybercrime and the people who are best suited to take this message out to other developing countries beyond Europe and other signatories of this convention, are the friends and the symmetries of the conventions. It's want just European countries who are the members of the Council of Europe, but also the United States of America, Japan, South Africa, Canada, and all the other countries who want to sign up to this convention who should join in effort in trying to save with many agencies involved to say look it must become a bilateral priority. When they're discussing free trade agreements and bilateral investment treaties or World Bank donors making donations, they should engage in cyber securities, because this is the future. Some have modeled laws to affect change. Help with funding would be important, and that would be developed coming from governments in Europe or in the United States or Canada or Japan, which by the way don't fund a lot of projects within developing countries. The bilateral investment treaties could make it imperative and it could be number 5 or number 6 or somewhere in there because we need to understand that the local communities and countries are based on the principle of law and order, and when you talk about closing the digital divide that is in the as secretary of securities, as well, and it can be done if it's a two way street. If we are to engage with other countries to provide what we need and we need to work together to say, yes, we want to be responsible states and citizens within the sphere and we want to be part of a security framework at least have legislation in a country which is in line with the international best practice. The second major suggestion would be that there should be resource and coordinated awareness campaign, a myth busting process because I can give you an example, other countries, canvassed from other organisations where they are told that you should not sign up to this or it's not really the best or maybe somewhere else would be a better place and so what's happening is confusion, misinformation is creating disturbance in the process of those countries that are adopting this as a model legislation or joining up with the Convention so there needs to be engagement between the friends and the signatories of the Convention and developed in other countries, business, civil society, legal and judicial community, programmes, outreach and all of that but at the moment I don't see the resource or the international motivation to do this and I think that is a void that needs to be filled because we're about nine years from the Convention and I think a lot of work needs to be done. Thank you.
>> ALEXANDER SEGER: Thank you indeed. In Pakistan with regard to developing legislation there is a favorable situation right now because the prevention of electronic crime ordinance that was put in place by the government under Musharraf has lapsed and this needs to be converted into proper law and this is a good situation where the previous ordinance had the provisions ready to be implemented of the Budapest Convention and of course when we met in this interesting meeting in January, we also reached a tentative agreement with the Judicial Academy to help them develop sustainable training for Cybercrime issues. This is important in any country. With regard to the countries quing up, in another workshop this morning as of today, Australia and Argentina have been invited to join us. I would like to give the microphone now to Jayantha Fernando from Sri Lanka.
>> JAYANTHA FERNANDO: Thank you, Alexander. Good afternoon to you. The Sri Lankan story is an interesting model that can be used as an example where we have gone ahead, gone the full hog and implemented the necessary legislative framework based on the formulations and the principles contained in the Budapest Convention. It goes without saying this arose because in a conflict arena we were embarking on a lot of development missions relating to ICT to the extent that Sri Lanka and ICT industry has become the fifth highest business and it is taking off and we have close to 26% and here in 2010 it's around 27, 28%, and we had a situation where most of our infrastructure, the ICT infrastructure was subject to various kinds of attacks and many of you know that Sri Lanka went through a terrorist period, and we had attacks on our defense system, our banking, and our ICT government infrastructure. So in view of that we embark on a journey to form the legislation that has been outlined here and in doing that we looked at the various options and models available. In that connection we got the assistance from the Council of Europe in a significant manner in understanding the fundamental principles and issues that would help us not just to solve our problems by ourselves. Instead, they prevail on us that this is an opportunity where we can have a framework for mutual assistance and cooperation, judicial cooperation and law enforcement cooperation so we adopted the journey and adopted it full hog. Adopted another thing that I would like to highlight that happened in Sri Lanka that could be used in other countries is the establishment of a single point of contact to deal with cyber threats and incidents. So on the one hand we have the soft infrastructure and on the other hand we establish the institution of framework to deal with all these issues. In setting that up, we originally depended entirely on the government framework but then government folks turned back and said that they were not able to find that whole thing so we had to gather around a public/private partnership in a private sector driven model where the membership in the Sri Lanka services, the majorities are the banks and partners who are part of this framework that could then hired the best people from the private sector who could work with us and they provide us sometimes CSR and people to work with us for one year, two years at a minimum with a High Level of competency resulting in the first to be admitted to the first Forum.
The value of the Budapest Convention, how was it helpful? I said at the beginning it helped us with legislation, and helped us to form the best practices and that has started a lot of collaborative activity, we have been invited to the global conferences and graduated not just one person, we have two or three people participating and in addition to that the best recognition of our collaborative efforts was when we had an effective hands on workshop for judges, law enforcement officials, way back in October of 2008 and perhaps it's time to repeat it again in our region, and that created an atmosphere for technical collaboration not only within law enforcement people but with the judicial and the prosecution service and that is lead to go a healthy core system where we are able to collaborate on an equal fitting. So the Convention provides a platform for all these activities to take place and that is another feature I wanted to highlight.
Finally in terms of technical assistance, in addition to training, one point I want to emphasize is that in Sri Lanka in the development of the law and the policy setting, the establishment of the national we included that in the ICT road map and in the agenda way back in 2006. There were occasions that we had to take certain things off but ultimately it kept on getting included and in that connection we were able to rely on the support given by the World Bank in implementing the road map and all of this was factored in so the point I'm trying to drive home is in providing development assistance, maybe it is opportunity for countries to consider include these elements, the formulations of law and setting up the institutional framework as part of the development agenda so they have the package, the whole thing together and they are providing the complete assistance. Finally we should not forget the private sector, setting up the institutional framework required us to work in collaboration with the private sector and we encouraged Sri Lanka to sign up with the security programme with Microsoft and that has benefited us significantly where we have been able to collaborate with the global private sector community, thank you.
>> ALEXANDER SEGER: Thank you, so I stand correctly you are inviting all of us to come to Sri Lanka again? It's a beautiful country and I'm sure many will follow this proposal. What impressed me in the Sri Lankan experience is you're able to bring because you are coming from the IT in Sri Lanka but you were able to bring together law enforcement, prosecutors, et cetera, because the ICT on one hand and the criminal justice on the other hand is a problem, they both have their own mandates, they're dealing with different issues but when it comes to cyber crime we need to have a stronger connection, and I've experienced in countries where one is without the other it failed or you had turf wars going on which blocked legislative processes for years so I found that an enriching experience in the case of Sri Lanka so we have the ICT community, the criminal justice community, are the official development eight community that we have to bring in and hopefully in this workshop we can do more on that and also through the workshop this morning with the World Bank we need more developmental agencies involved and providing funding or making conditions, of course there is controversy but there is more, we have to bring in the private sector and therefore it is a great pleasure to invite Laurent Masson from Microsoft to talk about how the private vector can cooperate in this.
>> LAURENT MASSON: Thank you, Alexander, what I would like to do during this few minutes is talk about some of the joint actions that we are running with different partners. Before I go into the slide, just two words. One is, since we started to engage on Cybercrime and on the fight against Cybercrime as a company, cooperation for us has been a key driver for all our actions. Why? Simply because no matter how big the company a company can be we quickly realised we can't do anything without working with NGOs, governments, all the stakeholders engaged in this fight so this is very important and quickly Europe became a partner for us as part of our strategy. What I would like to present to you is to show examples of some of the work we're doing. The way we approach this as a company has been around two different activities, one is establishing framework and mainly a legal framework and I don't want to repeat what has been said on this panel, just before me but we've been engaging with the Council of Europe and also with other international organisations on supporting some countries, and I put on this slide here a few examples and a few names of countries, Argentina, Philippines, Georgia, Canada, to put into place legislation to address Cybercrime so we're engaged. When we talk about legislation we normally do it with a partner and with the Council of Europe. The second aspect, what we call the "best practice."
This afternoon during the presentation people talked about best practices, and one of the best examples for us is the ISP Guidelines which were mentioned because it's a concrete tool that we can use to improve the communication between law enforcement and DISPs so this is why we are promoting this tool wherever we go. I put names of countries where we've been pushing for that.
When we talk about establishing a framework in different countries we're working at the national level with some countries and I put just one name which is Nigeria for this year because it's where we are currently putting a lot of efforts and just for your information in the coming months we're going to organise the first West African summit on Cybercrime with the Council of Europe in Aberjon and also with the agency, local agencies there and it is important for us to work with the local authorities there. The second aspect is around capacity building. It has been shared that it's key to the strategy we have, and I fully agree. Some of the things we are doing basically around training and education are two different types of activities, one, which is something I would call abduct trainings, whenever a country is requesting us to engage and come into the countries to provide some technical training we are talking about forensic techniques and technical training with law enforcement, we try to address the need and send over experts. Normally we do that in cooperation once again with the law enforcement authorities in the country, very often also with some international organisations such as Interpol or UNDC when it's possible. I put on this slide the recent training we organised during the last few months and there is a second type of approach that we're taking which is more around a programme with academia and Microsoft is part of this with other representatives from the industry, and also some universities, European universities, and it's an initiative which is going to become important for us, where we try to train law enforcement officers but also people working for the industry through very clear and defined curriculums. As part of this idea of building the infrastructure, the correct and the sharing of data is key for activities around Cybercrime and therefore we try to engage in that space as well. A recent initiative that we are pushing is happening which is called "signal spam" and we're doing that with international authorities and key stakeholders and private authorities in France. It's an initiative where we are inviting people, victims to share with us all the different spams they've been receiving and we are collecting it and giving it to the authorities, preparing, helping the authorities to prepare cases against some of the spamers. It's critical for the enforcement action that we are running, so I wanted to mention this. The last point is about putting people in contact together, which we think is also critical, and I mentioned some of the actions that we're taking at the European level but also I wanted to talk about the law enforcement portal that Microsoft is running whereby we're given access to all the law enforcement agencies around the world, and that tool allows the law enforcement to share information about criminals, about different cases, it's a platform to affect change and share information. That's very important and we're going to announce shortly a new platform whereby it will not only be something for law enforcement but it will be for all different stakeholders working in the space of cybercrime so in the coming weeks there will be a come ago announcement and anyone interested would be advise to do register, for free of course to this service. Just to finish, I would like to come back to a comment that Alexander made which is key for us and I'm talking not only for Microsoft but I would say for the industry in general, just based on the experience that we had in terms of cooperating with public authorities mainly, there are two things which are extremely important. One is to find the right people. Sometimes we tend to minimize the suspect. When I look at the different projects that we're running around the world, wherever it works it's very often because we have the right people within the public authorities or public institution were willing to work with us. That's really important. Sometimes we tend to minimize this aspect, the personal aspect and personal contact is really important. The second thing which is important? If we want to attract the private sector we need concrete projects where we are working with the Council of Europe, typically, because they are offering us the possibility to work on concrete projects, I'm talking about training and visiting some countries and working on the legislation, talking about changing information with law enforcement, working on some concrete cases with law enforcement. That's just because of the nature of a private organisation, I believe. This these two aspects in my mind are very important. Thank you for your attention.
>> ALEXANDER SEGER: Thank you, Laurent. Indeed it's been an interesting experience for us to work with Microsoft. Three years ago Microsoft received requests from many countries for working with legislation and law enforcement and other issues and Microsoft at that time played with the idea of developing its own model law on Cybercrime. At that moment we got into discussion and Microsoft decided as a company that whenever they would get the request they would refer countries to the Council of Europe and that's how we started to cooperate with each other. Again, the title of the workshop is "common standards and joint action."
Again we heard about concrete examples for action, we are not just talking in workshops like this one but determined to take action and produce results. Now I have the and you said a lot depends on the people you work with, one of the people I have the pleasure to work with is Cristina who has the difficult task after everybody else has already said everything to make additional important points.
>> CRISTINA SCHULMAN: Thank you, Alexander. The way the council is working it's an example of cooperation and the presentation made already in the workshop really underlined this point that we work by cooperating with other partners.
The Convention, of course, provided the basis for global action. As an organisation, or any initiative while working on these issues you need standards, standards to develop legislation, ominous legislation and to ensure that there is an international legal framework. However, the Council of Europe work on Cybercrime doesn't mean only the convention. In connection with this Budapest Convention additional tools have been developed. When we start working in a country we go to if we discuss about training we develop a paper on Cybercrime training for judges and prosecutors. When we discuss about private/public cooperation we develop a guideline and Laurent mentioned that. When a country needs to establish a high tech crime unit for cybercrime investigation we provide the guideline based on best practices of what other countries did in more advanced countries. So it's not only the Budapest Convention, when a council is working in a region, it's coming with this package. It comes with experts, we have a wide network of experts we are working with, we come with our experience and in this way I must say that working Georgia was a learning experience for us as well, what we learned there we apply in our countries as well. We come with all these tools so it's not about only Budapest Convention, it's everything that was created in the past five years around this instrument. Of course implementing such standards and tools in any countries is a challenge. It's a challenge to implement in a way to respond to each country's needs but also it's a matter of resources and I'm very much in line with what and I hate to mention here but we need more resources to provide technical assistance worldwide. I would like of course we have excellent partners in our work and it wouldn't have been possible to achieve quite extraordinary results on this global project on cybercrime which is running, having extraordinary partners, European Union, Microsoft, US, with OIS and many organisations and I would like to conclude because most of the speakers on the line of the segments were working with the question, how can we have more partners to join this effort in fighting cybercrime? Thank pickup
>> ALEXANDER SEGER: Thank you, Cristina. I think it's important to note that it is not just the booklet that you found there, the green lilac booklet which helps you develop legislation, a whole array of tools have been built around that, good practices documented, guidelines developed, et cetera, so there is an arsenol of tool and instruments available. Now we come to the discussion I put some questions on the screen in case we get stuck, but after the six interventions I would like to open the floor for exchange of discussions, supporting statements, whatever. I think somebody ladies first?
>> Thank you very much. Thank you for this workshop; it has been interesting for me that I am not an expert in that field but what in thinking about that I am wondering why the war prevention is not coming so often in that discussions? Because in other kind of crimes it's one of the best words that we use. I have a sensation in cyber crimes we are going behind pretty walls which something is known in the world that it is changing fast so maybe we have to go faster to use some kind of prevention in this kind of crime and I am referring to both ways, the legislative way and also in the projects, you see? I don't know if you have any experience on that or maybe I am wrong! Second thing is, just another comment, in case of interest of fields of cloud computing and those kinds of things, in my opinion there are two different world's, urgency and seriously because if we want to take advantage of the benefits of this, advancing in the computer sciences, so I really just like a comment on that, how we have to face these new challenges, and especially this urgency that we have now. Thank you.
>> ALEXANDER SEGER: Anybody on the panel who wants to respond to any of the two? Markko?
>> MARKKO KÜNNAPU: I full Al agree with you and prevention is very necessary. It's really important. While talking about prevention I would like to point out two different aspects. First, raising awareness. You have to raise awareness, explain things to individuals, ordinary home users, how they can protect their own home computer. You have to turn to, let's say, small and medium enterprises to explain to them and give them guidance as to how to protect their systems and computers. Another aspect is protection of critical infrastructure. This is something which is interesting because attacking critical infrastructure, it is something which is a threat to national security as well. Both of those aspects are really important and states have to pay attention to both of them. Depends on the state which kind of measures they choose. This is something which has to be done.
>> ALEXANDER SEGER: I think that's a good question that we just got from the audience, thank you for asking that. I completely agree with you, prevention is one of the first obviously it's the first line of defense against cybercrimes, and awareness is a big part of that because unless you have businesses who implement systems and things where they can prevent all of this and educate their employees and even ordinary people about this is a crime. I'll give you an example how legislation can help with prevention, I know it sounds odd, because that's supposed to come after you've committed a crime but it can help in the following way. In my country until that cybercrime legislation has been created, all the younger kids thought hacking was not a crime, it's not a problem, why shouldn't I do it? So there was nothing to deter them or stop them or prevent them from not doing this so I think legislation praise an important role to it's deterrents, so that will be my first response to the legislation issue. Secondly, you're right things move on quickly. So the language today, will it be relevant tomorrow, et cetera? I think at least in the Budapest Convention which has now been followed by the Commonwealth model Law and others who pick it up as their model law, the language has remained technically nonspecific so it's not related to a certain technology, it's drafted in a way neutral of technology and that helps because then you can capture many of the things that you're trying to get without saying this is phishing or spamming and those things, and therefore we've seen the convention survive and all legislation that followed it actually be able to survive and reflect and adapt to the challenges that are upcoming and for the moment I think that non specificity has helped in the language of the law.
>> MARKKO KÜNNAPU: We are now dealing with the level of access with the Council of Europe, and you are from the European Union Parliment Association, but you are a politician. I think we can do a lot at the Council of Europe, with the level of technical expertise we can go a long way and countries shouldn't rush into criminal law measures because you have to be very cautious when you take criminal law measures, you cannot rush into it but the fact that some countries after 10, 12 years of discussion are still not moving ahead with legislation, that is really a question of whether there is efficient political commitment, leadership on that question. So I think this is also a message we should bring across that political leaders have to take their responsibilities, parliament has to take their responsibilities seriously and adopt legislation.
>> ALEXANDER SEGER: Question reserved for the gentleman over there.
>> WILLIE DEHONEY: Thank you very much for this interesting conversation. My name is Willie Dehoney from Tunisia. The first question is with regard to cybercrimes, committed by using new tools or are they really new crimes? If we consider that cybercrimes are new crimes we face absolutely the danger of the imaging of new crimes, unknown crimes and as well as we know the criminal law is governed by law which means that no crime without law, no punishment without law. Do you think that this principle will resist or not? Third question is concerning the problem of cooperation between states. To judge criminals, we know there is a difference between states, the same compartment can be criminal in place and not criminal in another, so how to apply law in this case? Thank you very much. Of
>> ALEXANDER SEGER: Anybody from the panel who wants to react? It is true that every day there are new techniques for committing cybercrime that are emerging but two weeks ago we had an interesting workshop with countries of Latin America and Mexico and we looked at actual cases that had very new techniques for committing crime and we looked at it and we looked at the Budapest Convention we found corresponding provisions and I don't know who said it before, but the Budapest Convention is criminalizing conduct not techniques and almost 10 years after the adoption of the Budapest Convention it still holds. Just to give you a small example, old crimes, new techniques and in the bank workshop, somebody mentioned fraud, fraud was a crime in the past and it's now a fraud. In Mexico when you look at the fraud provision in criminal law it talks about fraud involves deceiving the mind of somebody. You're deceiving somebody. So in many countries criminals go through because a machine is deceived and not the human mind. So if you look at the Budapest Convention you find the information on fraud and that's why you have to put a specific provision on fraud in place any type of fraud committed on the internet you can then cover if you articulate. This is just an example. Chapter 3 of the Budapest Convention on international corporation says that de facto parties to the convention assume what is a crime under the Budapest Convention what is a crime in one country is a crime in another country. Of course there are areas where everybody agrees, child pornography, where it should be criminalized everywhere in Article 9 of the Budapest Convention and you will have trouble getting issue of pornography exercised across the gamut, not just child pornography.
>> I am unique George from the island of Saint Lucia, my question to you is we say that catalyst is an issue of driving cybercrime. Now within the Caribbean, although they are aware of it, the interest is not there, there is no political responsibility. My question to you is what are the best practices seen globally that have been used to drive and push your government agencies to take this political charge in terms of driving legislation and taking control in terms of cybercrimes?
>> ALEXANDER SEGER: Very good question. I think the best way is to have an attack against government computers. The second best is to have a web site defacement of the political leaders of the government, that will trigger legislation as Georgia and Estonia experienced and as Cambodia recently experienced. Regard to the Caribbean, some countries, Barbados has gone that way and some others, but what happened in those countries, and I think it's also in your case is that laws were developed then the discussion came up about developing a Caribbean wide cybercrime adoption, and countries said okay, we'll wait and it never came. You find at the United Nations level, that the risk and the reform treaties will stop the movement and we have to found a way to relaunch the effort that had been started three o four years ago in your country then interrupted, in yours and other countries.
>> If
>> RUSUDAN MIKHELIDZE: If I may follow up with regard to the experience of Georgia I can't imagine that a Caribbean is not a Council of Europe member. In Georgia we signed the Budapest Convention, and we experienced attacks on government private and private sector issues, and even then it was not easy to push the political will in the government. A lot of questions were raised, why this conduct should be formulated or these offenses should be defined this way, et cetera, et cetera. Even now when the amendments are already in parliament they announced a couple of days ago that, okay, they were adopted with the first reading but nobody knows why these provisions are important. This leads us, again, to the public awareness raise and go other issues that are related to proper implementation of the convention but at this point it's just to point out that it is not easy to achieve fostering political will even for the European state which is a part of the Council of Europe. Thank you.
>> LAURENT MASSON: I think you said it's useful that you said this is a Caribbean issue, there is an open forum of the Commonwealth IGF, where at least in the last IGF a strong discussion took place and a road map was made with regarding cybercrime and cyber security and one of the things that the IGF would could to promote this and one of the things they discovered is that the commonwealth has a model legislation on cybercrime and this is modeled around the Budapest Convention, so I think perhaps getting others involved and speaking to the people at IGF which is a benefit may be useful. I agree with Alexander, doing some of the things like that make a government respond, for instance in our country when you had politician's pictures or videos put up on web sites, they definitely responded. Not that I encourage anybody to do that, you might get into trouble, but there is sort of a reverse of that when initially the cybercrime initiative was adopted, are we in Pakistan got very concerned because it was draconian and we lobbied or forever three years to have it amended. We did that by using "You Tube" had things done that people could do and putting it on to "You Tube" it became locally available and internationally available and writers wrote about it and that gives you a whipping up of support. (That was Zahid Jamil).
>> Right now we have national status concerning cyber security and we have critical information, infrastructure protection and if you ask, if we had no things before the cyber attacks in spring of 2007 then the right answer would be no.
>> ALEXANDER SEGER: Don't report tomorrow everywhere or this afternoon that this workshop is incitement to cyber attacks. One point I want to underline, the commonwealth model of cybercrime is in a way a copy of the Budapest Convention, so if you don't want to adopt that, adopt the Commonwealth and you have 100% compliance with the Budapest Convention.
>> KRISTO VELASKO: Kristo Velasko, ambassador and I'm a remote operator participant. First of all there is a question from a lady whose name is Anila from the University of Argentina and she wants to know about the communication issues and how the states are to rely this. Perhaps this is for the Microsoft representative. Personal comment: I would like to know what the T CY of the committee on Cybercrime, what's the status on Article 32 because they've been studying this issue since the last two octopus conferences, so it would be important to know what's happening in that regard. The convention on Cybercrime knows that, Alexander, we were in Mexico when this was going on and there was a strong discussion as to how to criminalize most cybercrimes, a lot of attorneys in Mexico say they have something in place but it's not specifically oriented or focused to cybercrime but there are a number of issues that the Cybercrime Convention is not advocating like the jurisdiction issues, so what happens when two countries want to investigating a cybercrime issue, well, we have guidelines in Article 32 and I think it needs further revision and guidelines in that regard. Another issue that I'm concerned about is that the Convention, the Cybercrime Convention is that it implements convention speak am but with regard to law enforcement and criminal prosecutors, protecting the confidentiality of information that they share among them, how do they protect the privacy of the possible suspect or the individual? This is something that hasn't really been addressed either. This is just I just wanted to make some points across because it's really important that the panelists take this into account and perhaps we could hear views from each of you, thank you.
>> ALEXANDER SEGER: Laurent, did you want to respond?
>> LAURENT MASSON: Yes, with regard to the first question on behalf of Microsoft and all the industry, it's a very good question, because what was happening I would say in the past was that and it's still true today but not to the same extent, was that the different ISP around the world had set some morals and their own guidelines and rules on how to cooperate with law enforcement in different countries. So typically you will find some very specific roles, you will find specific roles for Google, MSN, everybody had their own rules on how they were cooperating with the law enforcement. That was creating a lot of problems in different countries and not only legal issues but also practical issues because that was creating some friction with law enforcement because of course the law enforcement in different countries wanted, you know, all the different industries to work the same way with them, so that was creating a lot of problems. This is when the Council of Europe started working on these guidelines, and we decided to join the effort to try to find with the other ISPs a way to agree and some guidelines and rules to agree on in the way we were cooperating with the authorities. I'm not suggesting everything is perfect right now but if you look at the overall picture, the guidelines have the benefit to bring consistency in the world we are working with in law enforcement today and there is still work to be done, to work properly, but this is probably one of the answers to the problem.
Now the way we work with law enforcement in every country and I think it needs to be clearly stated is that we are working within the legal framework of the countries. And, therefore, we comply every time with the regulations and with the laws in the countries where the action is taking place.
>> ALEXANDER SEGER: To be clear as Laurent said, the guidelines are the guidelines to work top of existing legislation, if you have bad legislation or no legislation you have a problem applying the guidelines. Regarding the question on 32B and jurisdiction, I think the situation you have is around the world is that too few countries want to investigate, and we don't have too many countries investigating the same case at the same time so the problem is from a practical point of view isn't a pressing one, doesn't mean weapon shouldn't provide additional guidance on the jurisdiction issue, and with regard to transport or access to data, you have a copy of the Budapest Convention of course but 32B defines that law enforcement can access data stored in another country under very limited circumstances. Now, in the context of cloud computing, to come back to that term, this makes things difficult so therefore the Cybercrime Convention Committee decided to look at this issue and perhaps Markko can say one or two things on that.
>> MARKKO KÜNNAPU: Yes, and I would like to reply, and I can assure you that T CY is dealing with this question among others and recently T CY sent out a questionnaire on member states to explore the best practices and how member states have implemented that article on the basis of those replies we did a short study and right now we are working with that.
Right now there is no definite deadline when we have a final solution of that. We are dealing with this issue.
>> ALEXANDER SEGER: I think roughly there is indication that within one year there would be roughly some solution.
>> JAYANTHA FERNANDO: I think the rights of the states to investigate and the intermediaries, and I would draw reference to the Sri Lanka legislation, who has seen that the investigator's rights have been ensured and we have measures in place so that the normal operations of system that is in an organisation that has been subject to attack will not be a affected and the integrity of the systems and the confidentiality of the systems are maintained and there is also a specific provision to safeguard the confidentiality and all that goes with it. So some country's legislation have dealt with it comprehensively, some haven't but I believe the European council has guidelines marking how that can be done.
>> MARKKO KÜNNAPU: But I think the point for a need for some guidance on how to collect electronic evidence and how to deal with privacy issues is something we need to take up in our future work.
>> Three questions which I would like to ask. The first one, the capacity of trainings and so forth, like Microsoft has mentioned and our friend from Sri Lanka has mentioned, just wondering, the training that is provided to the officers and people from industry also have human rights and elements and safeguards according to Article 15? That's the first question. Second question is the very best convention am on this cybercrime, we are talking about minimum standards so the question is will there be further exploration of a definition of cybercrime to go beyond what has been stated in the convention? Because in many countries that is not so democratic, the definitions of cybercrime it's vague and it's talking about the computer and it's content. Will we have limitation on definition of cybercrime or not? For example in some countries information can be considered as a cybercrime. Last one is it is taken for granted that every member will have to stand (Away from mic.) For the moment, anything that members are to be ratified or if this Convention is going to be implemented, any process that help the legal system reform or whatsoever about the due process for member states or not.
>> ALEXANDER SEGER: Anybody from the panel?
>> ZAHID JAMIL: Every time in my country we talk about the legislation and we have reformed it and gone for a better process and in general when the council came in they explained what the impact would be and we explained to law enforcement if you do something that's against civil liberties or against the Constitution or fundamental rights, what happens is the person gets the benefit of the doubt so initially you're thinking you've got the information and if they've got it in the wrong mechanism it spoils not just any investigation going on there but in any other country they're investigating it in. You need judicial safeguards in place and it was important to have that in place and the only thing we could point to when the government said why do we need it? And we said the Budapest Convention has it in this Article.
>> ALEXANDER SEGER: The Budapest Convention has a strong constitutional court and it safeguards conditions and in the future if we develop guidelines for gathering electronic evident and so on we can reinforce that in practice and yes it is part of our interaction to help countries develop legislation and it's interesting in countries where legislation is being adopted by ICT ministries, or similar, they know about technology, they go straight to the point, they're not that concerned about the due process and that sort of thing so in many countries we have been able to remove major issues from draft laws or in countries you have people like our friend here who has been very strong and also in action with us in some instances with regard to the point of safeguard and conditions. You cannot in an international treaty prevent a country from going beyond a treaty so what you have in the Budapest Convention is an agreement on what should be criminalized, but if countries go beyond, we cannot stop that country from doing so. In Council of Europe we don't like that but there is very little that can be done. We have to stop where we cannot go beyond. But, of course, the process of technical assistance of providing legislative support is also a dialogue and through this dialogue we can bring in many aspects that normally a country would not accept or that normally would not that is not in the Budapest Convention. It's a complex issue and the more countries we discuss with the more complicated it gets, I admit.
>> CRISTINA SCHULMAN: I wanted to add something, the reference to the Cybercrime definition, actually the Convention do not provide a definition on cybercrime but you have offenses, against the computer data, offenses which traditional, so called traditional offense which are committed through the mean of computer data, you have content offenses and those related to infringement of copyright so you have these categories. But with regard to going beyond convention you can have maybe not so happy case when it goes beyond and you can have the positive example like Germany or Portugal or many other countries that went beyond the convention going into more details in some of the provisions, we talk about procedural law or substantive law, we very much encourage that, depending on the needs or what you encounter in your country you may need to go and have qualified versions, for example, on fraud or child pornography or any of these offenses, so, of course, it is possible to go beyond the Convention and go into more details, more standards, are the Convention provides minimum standards.
>> LAURENT MASSON: Around the trainings issue, based on the work we are doing in countries, if I want to specify technical training, for law enforcement and it's techniques, purely technical and this is where Microsoft and other countries can bring something by sending technical persons, and there is a second type of training that normally we are doing, depending on the needs, of course, which is much more about the legal framework and the legal procedure. Which is normally for prosecutors, for judges, lawyers in general. What I am trying to tell you is based on your question, the kind of issues that we are addressing in the first training are totally different, technical, not really legal, everything is done within the legal framework of the country where we go, but there is not real legal discussion. Whereas in the second type of training we are reviewing all different aspects of the law and we try to see how the Cybercrime Convention or any legislation work in the country.
>> VANESSA CALB: My name is Vanessa Calb. I'm from Brazil. I'm an ambassador, and I speak on my behalf. First of all, congratulate the speakers for lectures and the Council of Europe who has done an amazing job specially regarding capacity in this area. There are many countries that have not signed the Convention and are not going to sign it and in the last IGF and also in this one I haven't heard their voices, in my opinion the workshop disseminates and the Convention is the only way to combat cybercrime, and many countries are invited to sign it but they were not invited to negotiate terms, isn't it time to discuss a new instrument that could be discussed by all following the IGF in spirit?
>> CRISTINA SCHULMAN: Who starts?
>> MARKKO KÜNNAPU: This issue has been discussed in Brazil, intense civil, many night sessions, and of course at the end you need to reach an agreement and the agreement in Brazil was that we all need capacity building, all countries need capacity building, there was no disagreement on that. There was no agreement on a new treaty, so we have now this very practical problem in front of us. We have a treaty where everybody says this meets all the requirements, most of the requirements and if you look around the world every single model law that we have seen, every guidance document, any training document, including ITU tool kits and guides for developing countries, all these documents and all these tools, 90% based on the Budapest Convention, that's a reality. So the question we have to ask ourselves is how to go ahead, help countries best now and in the next 10 years to deal with cybercrime, our response is let's take the Budapest Convention and also many other tools, and not all of the tools have been developed there are a huge A. Tools developed by the private sectors, let's take these instruments and help countries apply it, that's one option. The other option is let's see what we can do at the United Nations level, maybe it will take five years, ten years, 15 years, maybe we will have the situation where you have half the countries of the world having put in place high standards based odd Budapest Convention and the other half of the world saying we have a new treaty which very likely will have lower standards than the Budapest Convention because I doubt at this point in time you could reach at the global level an agreement at the similar level as the Budapest Definition. Convention Budapest Convention. Brazil was looking at legislation, and decided to start all over again. I don't think that is a problem of an international treaty, I think you need to put domestic legislation in place in your countries, Argentina, Columbia, Peru, Paraguay, they seem to be satisfied with the Convention, so the question is are we continuing to talk for 10 years or using the 10 years to put practical measures in place, of course it's the choice of the country to go ahead with that. ) That was Alexander).
>> JAYANTHA FERNANDO: Just to go along with what Alexander said, when we were looking at the best practices model and we were drafting our legislation, in fact, this question arose, how much was Sri Lanka a part of this discussion, why we should adopt something which we were not really involved in? But ultimately the point came out through several other panelists before me, when we looked around the only useful tool we had was this Convention. That was the reason why we had to look at it. On this issue of having member countries getting involved in a participated process and before legislation is drafted and adopted, it applies not only for Sri Lanka but for many developing countries, is that whenever our many of our countries don't have the resources to go out there and participate at all of these forum that get involved in drafting and negotiating through several rounds of meetings a Convention on a treaty that will be applied across countries. So many of us can't wait until such formulations are done and we are very often resource constrained and in that context we have the option to look at the global best practice model and it is in that context that we use this in the formulation of our national law.
>> RUSUDAN MIKHELIDZE: We have to be clear, here, we have a convention that is largely accepted, I mean, most of the countries or the partners who are working agree with the content of this convention and then there is an option, we don't know what is in this option, there is no draft of another convention, there is not even a title of a different option. You should be very much aware that such an announcement, a new treaty would be negotiated, we have already feedback from other countries that they stopped taking legal reforms based on this idea that maybe in some years a UN treaty will be developed. We have many examples in which it took years to take reforms on cybercrime, countries like Germany or Portugal or many other countries in Europe they needed years to adopt legislation on cybercrime, many others are in the process to take these measures, what will happen with these countries? They will need to change back this legislation in order to adjust to the new treaty.
So I think we need to talk a little more responsible when you talk about this idea of why shouldn't discuss a new UN treaty, more responsibility at the organisational level with regard to the participation the parties of the Convention, signatory or invited to sit at the convention, they will participate in a T CY committee so such discussion of the amendments of the convention they will be taking part in those negotiations. Thank you. (Cristina)
>> ALEXANDER SEGER: Ideally 10 years ago the United Nations would have developed something like the Budapest Convention and all the countries should have participated in the preparation of the Budapest Convention, it was not there. 10 years ago it was not there to be developed and unfortunately 10 years ago only for countries participated in the preparation and not 150 countries, it's a fact. But as Cristina underlined a party that becomes a party to the Budapest Convention now will be a further participant in the further development.
>> LAURENT MASSON: I think this is a good question and it underscores a point I made earlier in my presentation that the delay that has taken place opt of the signatories of the Council of Europe, by not getting this out there sooner is actually now showing itself and there are people saying we should have a totally different negotiated convention and that delay has caused confusion.
>> ZAHID JAMIL: If you want to create a treaty, it won't happen in a year and my country who has cybercrime don't have the luxury of time to wait for years before the treaty is negotiated, we have very little time and we cannot create safe hay venues through the process so that there will be safe havens in the world because criminals know it's not there.
>> My name is Illi, and I'm from a working group of information society in Latin America. Latin America have platform political call is ILAC to create policies about different issues and next week we will have our review of this problem and one of the principle issues in the two first reviews we've found through the European Commission, was the Budapest treaty. Some of the countries in the region and specifically Brazil said they will not sign the treaty and they will not sign it for different reasons and the principle reasons is the chapter of intellectual property, they have their own point of view about the treaty and about the intellectual property, but they think and other countries in the region think why is it not possible to sign part of the treaty and not all of the treaty, you can affect me these chapters, be the these chapters, reserve or some part of the treaties, this could be a good option for the country to say, okay, this issue, the more interesting issue is in the treaty of civil crime, the issue is the fact is that so some things they agree, but working with the police and using the basis of the agreements of cooperation that appear in the Budapest treaty. Another thing is maybe next week when we prepare our Constitution for the next five years we will not put a goal for signing the Budapest treaty. This is not bad, it's good, why? Because in the past three years, some of our countries decide to sign it so we I am satisfied with that, because we research for the people and they sign it right now, Panama, Dominican Republic, Argentine, Mexico, Chile, so the majority of the countries sign it because they don't have any problems with any part of the agreement and they don't advance in relations in their countries because of one reason because they want to sign the treaty, and it's internal law in their eyes, to resolve two problems at the same time, this is the situation in Latin America, maybe like a recommendation on that, I don't know. Maybe some flexibility with countries that are interested, big places that are necessary to have global and participatory and democratic and other words you can put in for me, from Information Society, thanks. Marc
>> ALEXANDER SEGER: I think you have an international you have the possibility of international relations where you will not implement this part of a provision because of this and that so also the Budapest Convention has the possibility for a number of reservations. But if you open it even more and say it's a pick and choose then it has no value anymore in an international treaty. If you say we like Article 35 to 40 and other countries say we only like Article 5, there is a problem, you have to admit that. With regard to the international property right I had a detailed discussion with the ministry of Brazil and in the end there was no issue. I would recommend that countries read the report which makes it clear that if you are a party to the convention it doesn't force you to implement all the other treaties mentioned in Article 10, that's the first thing. The second thing it only talks about intellectual international property in the commercial sense. I think sometimes things get out of hand and the issue you raised this morning in the other workshop we have been working with the representatives from the Ministry of Justice from Peru, are the people responsible for criminal law reform so I'm sure Peru will move ahead in the right direction.
>> ZAHID JAMIL: First off, countries cannot pick and choose, in the different conventions countries cannot come up and say I want to join the Convention, but I want you to change the Convention for me, history shows us that a, secondly if you look at the intellectual property article it reproduces the past convention, and the W 2 trips agreement, so it's not something new. And so just on the substance of that point. As I said, if they don't want to apply then the international standard, it's difficult to change it but if Brazil is serious if what you are saying is correct and they will sign it except for the intellectual property provision, since 2001 they could say the Budapest Convention, delete the paragraph with regard to intellectual property and ledge late a model role.
>> I didn't want to make a discussion I only show the position of Latin America. I put in the Article they take off, but in lat Latin America in Latin America you have in the countries around 2,000 legal consequences is Brazil, so we need to be clear that not just making a law or signing a treaty will resolve the problems.
>> My name is I'm from Poland and this is my first visit here, I am impressed of the intellectual value of the Congress and the topics you have discussed here. I am impressed of the job you did with the European council, implementation and I would like to comment for me the value of this forum, it's because you do not make it a negotiation and agreement, we try to think about the future and build let's say intellectual framework for the future so if we try to make it a negotiation between the European council and Brazil, for example, at this forum, we will lose the future. Our (no microphone.) I think it would be a good thing if every country were to sign the Convention, but some countries can stay out of the convention, and we can discuss with them separately so please take care about this forum to be open forum for discussion for building intellectual value for the future and cooperation.
>> ALEXANDER SEGER: We will of course continue discussing with Brazil and other governments to resolve any questions. We have an interest that all countries use the Convention as a model of whether or not they exceed the Budapest Convention is another story.
>> The process of adopting in Latin America is much more complicated than you slapped and the council has than you explained and the works in Latin America turned out to be a regional event, Costa Rica Mexico, Peru, there will be cooperation at the government level and what's important is that the Council of Europe, throughout this process has been inclusive with regards to academia and private society, not only public, so it's important to make this forum aware of that. I have a couple of questions from remote participants so I would like to address them real quick.
First question is from Shafkat from the Pakistan Communication Authority and he's based in the remote office in Islamabad and he wants to discuss an ordinance that lapsed in 2009 and what future expectations (no microphone) and what signatories have become specific to the Convention?
>> ZAHID JAMIL: Thank you, we talked about the fact that there was a lapse and in fact it is pending in parliament and it's actually I would say now six days ago that I had a meeting with one of the parliamentarians who has requested assistance and if I'm not mistaken, Alexander, the same thing is being asked of Microsoft to give briefings to the national committee members so they can go through quickly so that's the answer to number 1. It's fairly advanced. Second, the signing at the Convention I can't decide, that will be the foreign office to decide with the cabinet position, I can't decide that one but I hope with the encouragement of the Council of Europe and the friends of the Council of Europe on Cybercrime which holds some of the important alleys to Pakistan, that this would come about especially since we require work on terrorism, this would be an important Convention to sign on to.
>> Another question from Islamabad, there is a question from a representative of Cameroon, and he wants to know in his name is Victor and he's an internet activist and founding member of an chapter in Cameroon and he has a question for Laurent. There are victims of cybercrimes and criminals so I wonder if Microsoft is working with Cameroon on the issue of cybercrime?
>> LAURENT MASSON: I'm happy to get this question actually because I've been working in that region which is Middle East and Africa for five years where I was in charge of the legal department and Cameroon is a place where we started to engage around 2005. We were having of course some business activities in Cameroon but not a large presence. While I'm talking about the presence, people on the ground in this country, because if you look at the way we engage with the countries it's through a representative of the country so my answer to that question is if there is a special request or special need, which could be expressed by the government of Cameroon, I'm sure we would be more than happy to try to address that. We're talking about support for legislation and we will do that in cooperation with some partners, but I'm also think about training in the country and we would be about training in the country and we would be more than happy to do that and to my knowledge we have not received anything about cybercrime from Cameroon. At the beginning of December we are organizing in Abidjan, and we would be more than happy to have Cameroon come join us in that project.
>> The next question is from a lady asking what would be an example using the international coalition or Interpol to perfect a cybercrime criminal?
>> ALEXANDER SEGER: The international court of justice and Interpol have different objectives and mandates and I think they're far away from anybody thinking about setting an international cybercrime court. I think what we need to think about and it's the last bullet on that slide, I think in the future we need to be clear on working with countries to assess progress made on whether they are international principles with regard to principles, whether they would review needs and resources for countries and then that mechanism can also bring in countries that are not sure whether they want to sign the Budapest Convention or not, they may nevertheless agree to be reviewed, participate in peer assessments and so on. I think that would be more practical than thinking about an international cybercrime court or something like ICUT, something that a person proposed at the octopus conference in Strasburg a few years ago. We have time for one more question and I think we have a candidate for that.
>> Thank you for the panel, I think we all benefited from it. Two questions and it they take too long to answer you can answer afterwards but the first question: Is there a place online where we have collected laws that are similar to an adoption of the convention or national laws that substitute for that? For example, I've been sitting here thinking and I missed part of the panel, what's the position of the United States? My sense of the United States is we haven't adopted the Convention but we have individual statutes that address those pieces. If you could just consider whether it would be helpful for somewhere there online a compendium of statutes and if you could address the position of the United States so I will know this aspect of the law.
>> ALEXANDER SEGER: Thank you, this is a great question, two great questions toward the end. Our web site is www.coe.int/cybercrime, and there you have country profiles there where we come pair for each article in the Budapest Convention the corresponding domestic legislation and most of these profiles have either in the profile itself or in the appendix the relevant extracts from domestic legislation and the United States is a party to the Budapest Convention ratified in 2006, full compliance and I think we also have an unauthorized country profile there for United States where you can find the statutes. It's a complex legislation because it's scattered over different statutes but when you look through it in detail you realise they are in compliance with the Budapest Convention. With that I would like to thank all panelists and in particular all of you for indeed raising some issues, some supportive, some controversial, this is good because we need to not just slap our shoulders and praise ourselves for the great work we have done we need to see where the issues are and that we have to do further work. I think comparing where we are now with regard to cybercrime legislation, measures globally, I think everybody participating in the process can be happy if you compare to where we are five years ago when the IGF process started. I think we have seen a global process of reform in the right direction. Doesn't mean that there are no political disputes, political issues there but I think we do have common standards and we have taken action to do more on that in the future, thank you.
(Applause.)
(End of session)
***