IGF 2016 - Day 2 - Room 5 - WS143: How to Acknowledge Cyber Evidence Reform/New Parallel


The following are the outputs of the real-time captioning taken during the Eleventh Annual Meeting of the Internet Governance Forum (IGF) in Jalisco, Mexico, from 5 to 9 December 2016. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 


>> We'd like to ask if yes the audio is working fine.  Just a test.  We have five more minutes of preparations then we're launching.  Sorry for the delay.

>> Welcome, everybody.  Just a little bit before we start.  Please wait your turn if you have your turn if you have a question until the microphone gets to you.  If you have a table microphone, please talk loud to it.

Thank you.  We go on screaming in 30 seconds.

>> MODERATOR:  Hello and welcome, everybody.  Thank you for making it to our workshop entitled "how to acknowledge cyber evidence:  Reform/new parallel law."

What I'd like to first start with is a brief introduction of the session.

But before we do that, let me send you greetings from the session organizers who are unfortunately unable to be here.  And Jahangir Hossain and Khan Muhammad Fuad Bin Enayet weren't able to make it; however, the session is being organised as you see it.  And we have a set of distinguished speakers as well as locally here as well as remotely.  Let us start with the workshop itself and what it an east supposed to do.

>> DR. WALID AL‑SAQAF:  I'm Walid al‑Saqaf and the moderator of the session.  I am purely as an individual.  I'm an ISOC board member but I'm here to help facilitate and moderate the session.

So the workshop itself has several topics and questions to raise.  The first question is how to address and acknowledge the cyber evidence where virtual and real life activities should be treated equally with logical consequences or sequences of happenings and identity confirmation.  And so that means that how to deal with virtual and real when it comes to evidence.

The second you is whether the modernization and/or amendment of classical criminal procedure, evidence law, et cetera, are good enough to manage the Human Rights and criminal activities in Internet domain.  That is to say the coexistence of real and virtual domain.

The third point is whether the law enforcement activities, for example, surveillance, intelligence, policing, defense, et cetera, are going to require separate legal and administrative frameworks.  That is to say, drafted from scratch to separate the real and virtual domain for the sustainable ecosystem.

And the fourth point is the short‑term and long‑term governance model for the Internet, legislature and Internet ecosystem.

We hope we come up with a number of outcomes and recommendations from the workshop based on the following.  The first is the points/remarks raised by each of the participants and then we'd like to have recommendations given by the rapporteurs.  We'd like to also note the importance of the having counter logic and answers being critical.  And then given by the rap tours.

And then finally, we'd like to have a conclusion that I will be drawing as the moderator.

We have a distinguished set of speakers, some of them were not able to make it.  But let me start by introducing our first speaker.  He is Sumon Ahmed Sabir, the chief technology officer of fiber at home.  He also has a couple of other hats.  He's also the Chair of BD Nog.  And he is also the vice or policy co‑Chair of APNIC.

So I'd like to bring the question to him in a straightforward way and ask:  What is your position of whether there should be cyber laws, parallel laws compared to what we already have like penal codes and traditional laws in the various sovereign countries?  And why do you think that is the case?  Thank you.

>> SUMON AHMED SABIR:  Thank you very much, Walid.  I'm from technical background.  You heard from Walid.  But we're talking about law.  I worked with technology and Internet and we feel/felt that we Ned to talk about it, actually the way things are moving forward.

Since Internet became popular in 1990s, we started we saw starting from ‑‑ and today we can see different kind of online criminal activities including ransomware, even handicapping your own data and asking money for that.  Very different kind of crime happening online.  And the kind ‑‑ and what I've seen I think from 2000 or something within different countries starting to make parallel laws for handling Cybercrime.

First law was made in 200 April it amended three times and last event is now going on because it does not fit in with the newer kind of challenges you are facing over Internet.  So from where the question comes that should we go for new and newer laws for new kinds of crimes?  Or we can really change something with how we handling the evidences.

To my point of view, that any cumulative activities ‑‑ criminal activities, whether it is in cyber world or real world.  So a criminal should be prosecuted based on the merit of the crime, not on it is done in the cyber world or in the real world.  Rather, we should focus on the evidence and the merit of the crime done by the criminals.  So, I'm not in favor of creating new laws all the time; rather, I'd like to focus on how we can really focus on that evidences, actually.

And creating laws, creating some new problems, as well.  Like I can give an example.  I'm talking about my country, that like for if you threat somebody online, then it is proven that in cyber law, it says it can go up to 70 years of prison with 10 million ‑‑ penalty.  But if you do same thing in another world, the law is not that actually.  So actually you have been treated differently doing crime in cyber law.  Facebook is of more challenging than posting something in a newspaper or talking something in a television.

So this kind of discrepancy also we are watching for creating different laws for handling cyber crimes.

And also we found that in some countries, that the cyber law is being used for kind of operation to the opposition or some kind of thing.  So it has new kind of laws.

Even in our country, the cyber, if somebody file a case against you using cyber law, it is not available.

So anyway, you have to be at least two to three months to get bail for high court even though you did nothing.  So these are the consequences, actually, that we are seeing for having different cyber laws.  Rather, what I like to focus, that every kind of criminal activity has some kind of evidences.  In civil crime there's civil evidence.  Rather we need to review this kind of evidence should be recognizable by the court.  So we need to change the legal system in such a way that it recognizes cyber evidences.

Earlier days in many other countries, we observed that a videotape or an audiotape is not recognized as evidence because it is not in paper or some other kind of not physical evidence.  So this changed.  So we now treat those as evidence in many countries.

So we need to focus on that area.  We need to focus on our legal system.  We need to focus on law enforcement.  They should be able to handle the cyber evidence.  They should be able to secure the cyber evidence and produce to the court.  And the court, judiciary should be aware of how this crime has happened and acknowledge the evidence and based on the merit of that crime, the criminal should be prosecuted.  So this is how we can ‑‑ creating new parallel laws, rather we if Ed to acknowledge several evidenced.  I can go in different evidences.  Not only criminal activities.  For example, signing a contract.  In many countries, contract means it has to be on hard paper or signed.  But now they're talking about digital signature.  We are doing contracts in digital world by clicking in capture or some type of digital signature.  And those can be treated as a legal contract.  So from that, we need to have a new cyber law for contracts; rather, we can add this type of digital contract as to be recognized.  Purely valid if it is a contract.

So this is the area that I initially try to focus.  Another new area actually we are focusing and that is that Cybercrime actually is cross‑border thing.  It's not limited to a particular nation.  So even if you do have parallel law, it is a different country.  And if a crime happened from different country, the law has nothing to do at all.  Rather, in that case, we need more collaboration.  A lot of people are working on that how we can handle this cross‑border Cybercrime.  And we can address this kind of issues.  So this is not about creating new cyber laws.  So again I think I like to support the notion that we made several evidence reform, not new parallel law.  Thank you very much.

>> DR. WALID AL‑SAQAF:  Thank you.  I'd like to summarize quickly the points that have been raised were.

The idea that there should be a law for every medium is invalid or let's say not practical.  That's what I hear because a crime is a crime, whether it's committed electronically or in the real world.  And maybe the reference to the need yum can actually bring us to the question of whether, for example, there could be a law for telephone crimes.  For example, you have harassment.  There is no such law because that is evidence.  You have video, let's say an audio record, then you use that in the court of law.  And then it leads to a conviction.  It doesn't mean that you need to have a law for this form of communication.  So it is the evidence itself and the way you collect that matters, it's not where and how let's say the crime takes place if that is what I understood correctly.  No need for new laws for every different form of communication.

So now that we have this particular viewpoint from the technical and business perspective, and you expected this.  Let me turn to the government.  Do governments do believe that the cyber laws or necessary or not?  And I'm really privileged to have here Mr. Andrew from the government of Congo.  He serves as director for information technology at the ministry of MEIDECC.  And I'd like to give him the floor now to explain or give his perspective on this matter.

>> Andrew:  Thank you very much.  As I have been introduced my name is Andrew Doymana.  I am basically responsible for the ICD and the domination of srt and I'm very grateful to be here and be part of this panel discussion.

In regards to the question, the government do recognize the cybersecurity law.  We have been engaged in many activities in addressing different ways to improve our computer law.  Just a little background from where I'm at.  Most of you don't know where Tonga is.  It is a small island nation in the south Pacific.  Very close to Fiji and New Zealand.  And in 2013, we had our fiberoptics landed in Tonga.  And that changed the whole playground for Internet activities in TO ma.  And the government have addressed the issue of safety in using the cyber activities by creating a taskforce, a cyber taskforce.  And this cyber taskforce had three working groups, which includes cybersecurity, cyber Cybercrime and cyber safety.

And because of this initiative, Tonga have participating on the cultural activities in regards to the (something) convention.  And as of last month I think November, we have put up our interest to be an a full member of this Convention which is the I believe the 51st state to be a member of the Budapest convention.

In regards to carrying a lower form for cybersecurity, we recognize the importance of this.  As we all know nowadays there are different days that are integrated or related to any cyber crimes.  One of the important things is when you get the evidence, there are certain ways of getting those evidence and preserving it and if you are not doing it right, then it can be argument in the court of law.  And there is not a valid evidence to be presented.  And because of that, there are clauses in the laws that need to be in Tonga, our latest act was created in 2003, way before the fiberoptics landed in Tonga.  So there is a new cyber law 2016, it's still appealed right now.  But we are looking at amending that 2003 law to be 2016 act, which raises a lot of issues that it didn't cover in the 2003.

And we are looking forward for making this law as a baseline for prosecutors.  One thing that we have learned from the Council of Europe and trying to get ready for the Budapest Convention is the ‑‑ of our charges to understand the different evidence in Cybercrime.  So there has been some trainings that's been done with the assistance of Budapest or Council of Europe, basically focusing on upgrading the prosecutors' knowledge and also the charges.  So when issues or evidence are presented in a court of law, they would understand better how these evidences have been apprehended and how it has been contacted these crimes.  And one thing that we have also noticed, that with Cybercrime, you don't have to be residence in the country to commit the crime.  So you could be anywhere.  You could be in America.  You could be in Brazil or Africa and commit a crime to Tonga.  So there are different aspects in regards to the law.  There needs to be addressed.  When you find some new evidence that there's been a crime committed in your country.  So those issues, that's why we are trying to assist, that's why we're interested in the Budapest Convention because of these international laws that we need to address because it's very important to us because ever since that we connected to the fiberoptics, we enable our citizens and also other citizens from the rest of the world to play in the activities in our countries in regards to the cyber.  And I think we have come so far to create this cyber law in Tonga, and I think in my opinion that it is a good thing that we need to evolve, we need to upgrade our laws to match what has been introduced to the country.

As you know, technology evolves really quickly.  And we need to move forward together with technology.  We need to understand how this technology can become a problem to our citizens.  One thing that we also is that the law also point out is how to preserve the data that has some evidence.  There are right now there's no law that you can preserve any data, but on a in you law there is a provision that you can preserve the data or you can seize the data from the ‑‑ for those who are committing the crime, and with the relationship to other laws, we also need to pine in to some kind of agreement of mutual assistance, agreement or bilateral so that we can also request for evidence from foreign countries.  It's very important that those evidence can also be recognized in our jurisdictions, as well.  And I believe that that's enough for me for now.  And maybe later on we can elaborate some more.

>> DR. WALID AL‑SAQAF:  Thank you, Mr. Andrew.  I'd like to summarize basically what I heard so far.  Basically that cyber criminal activities have a lot of commonalities.  And the way you provide for, let's say, collect evidence and gather it and make it, say, bulletproof in the court of law is that you have to follow certain procedures, certain regulations.  And this has to be enforced by cyber laws so that it can be considered by the court.  So that is perhaps the gist of what you are referring to.

The other point you noted was the fact that cyber laws can be committed cross‑border, the transnational.  And that reflects on the ‑‑ that's because of the way technology operates.

And then you referred to the cyber law in the context of more broader than sovereign cyber laws is that you have agreements and cooperations between srts, among srts around the world and governments coming together and seeing what best approaches to tackle cyber law in a more global aspect.  If that's what I understood.

So now you can see actually you have a split of opinions, which is healthy for a debate.  And the motion that was provided by sum on was against cyber law altogether and keeping it within the traditional laws that we already have in place.  The second opinion is that we have to establish cyber law and we have to work on and adapt them and improve them as we can as technology improves.

Now we have a bit of a test of the remote participation to see if we can get the other speakers who have opted to speak connected.  So if Mr. Babu Ram Aryal can perhaps let us know if he can begin to speak directly to the microphone, we can open up if he's muted.  And he is actually the President for digital equality and very outspoken person with the ICT community in Nepal in Katmandu.  And he's been very active in areas surrounding access to technology and access to the Internet.  He is also very active within the Internet Society through the Nepal chapter.

Do we have success in having him connected?  If you can hear us, if you can speak?

>> BABU RAM ARYAL:  Can you hear me?

>> DR. WALID AL‑SAQAF:  Yes.  Can we raise the volume a little bit?

>> BABU RAM ARYAL:  Can you hear me?

>> DR. WALID AL‑SAQAF:  Yes, we can.  Welcome, Babu, the floor is yours.

>> BABU RAM ARYAL:  Thank you very much, Walid, and all the colleagues.  At the beginning I missed a little bit but I'm following the discussion.

Directly on the subject matter, Cybercrime is not a different crime.  It is an extension of traditional crime measure.  So while drafting or while making new legislation, we need to consider our previous or traditional evidence laws.  So there are some [Inaudible] of new kind of [Inaudible] when some technological differences makes some sense of the justice.  For example, some telecommunication acts are also there and Cybercrime acts are also there.  And some mediums like SMS and telecom service like mobile are also there.  They are traditionally governed under the telecommunications act.  Now with the development of this Internet platform, the importance of evidence and chain of custody also has become a very different thing.  So we need a little bit a new thing or new evidence, law in place.

But since we have been discussing about the amendment in government ‑‑ Cybercrime laws, we have been observing many changes in the technology.  But what we have made a consensus is that if we make any law specific to any technology, then technology may change in frequent manner.  But changing law is very difficult.  So while drafting any legislation, we need to go into the principle rather than about the mediums.

So there are a little bit different mediums, but we need to focus on the principle rather than the technology alone.

>> DR. WALID AL‑SAQAF:  Thank you, Babu, for your reflections on this important matter.  What I understand is that you're not totally against cyber law, it's just that you are very much aware of the difficulty in keeping it up‑to‑date with the various forms of technologies.  And you have some sort of skepticism not to the extent of abandoning it but being very careful in ensuring that the laws do reflect the way that technology is deployed and used.

If that is what you have reflected, then we have a good balance of opinions.  One for cyber laws by Andrew, the other by Sumon against cyber law.  And the third is nor in between, that there should be but there have to be a lot of measures and guarantees that evidence is there.

So let me now allow the audience to chime in with their comments and opinions and feedback on this important topic.  If you'd like to introduce yourself and begin to speak within a minute or two, please.

>> Hi, I'm Andy Smith, I'm here with the British computer society.  I've been working with the Internet Society for about 30 years.  I think laws should be written in such a way that they don't need to keep being changed and updated.  And that is one of the really big problems with cyber law.  And you've been talking about cyber law rather than digital evidence.

Now in the UK, we've got a couple of British standards.  We've got BSI 008 which is about collection of digital evidence.  We now have British standard 10,08 which is a standard around collection and presentation of evidence ‑‑ 10,008.

I think you should be concentrating on generating international standards around collection and preservation of evidence and actually get people to understand how to do it properly, especially when it comes to having immutable evidence, evidence that is hard to challenge in court.  Because one of the biggest problems you see with criminal cases is the evidence can be challenged and people can basically show it's not pen collected properly or the time stamps are wrong or someone could have changed the audit logs.  So it's really important that organizations, Internet Service Providers put the time and effort in to make sure that the information that's collected is of evidential quality.  And you can also trace every action to an accountable individual if it is necessary to do so.  That will also stop a lot of people ending up in court when they actually had nothing to do with it.

So I think there is really a need to concentrate on standards, especially international standards, and move away from trying to put everything into law when technology and the whole Internet changes so quickly.

>> DR. WALID AL‑SAQAF:  Thank you for your important comment.  It may add to the notion that cyber law is not necessary perhaps if that is ‑‑ you're not absolutist in that but you do not favor it.

>> We've had cyber law.  I mean, we've had it since 1991.  And the laws keep getting updated and bits keep getting added.  But technology's changing way too fast for policymakers and legislators to keep up.  So you're always going to ‑‑ if you try and put too much in the law and too much detail, you are going to end up with ways around it and you're basically going to give the defendant loopholes to I don't.  It's of better ‑‑ to use.  It's much better to concentrate on having good strong laws.  And I do agree that the laws should be equal whether it's in the physical world, real world, or cyber world.  And then concentrate on getting actually the evidence to prosecute properly.

>> DR. WALID AL‑SAQAF:  Thank you very much.  We have another comment from the audience here.

>> Thank you, Alexander Siegel from Council of Europe and I particularly thank the representative from Toga for his presentation.

When you talk about law, we have to substantiate between the part, what did you fine as what conduct you define as crime and the procedural law.  And I have a question to the first speaker.  How would you address a denial of service attack through traditional law?  Keeping in mind 16 years after the "I love you" bug attack from the Philippines where the spreading of that bug, of the virus was not a crime in the Philippines.  And the student who caused hundreds of millions of dollars of damage around the world went free because it was not a crime.  So keep that in mind.  The procedural law is another story.  Keep in mind again that when government searches computers, collects evidence, this is a strong interference with the rights of individuals.  And this interference is only possible if it is clearly defined and prescribed by law.

Again, you have to go back to the law and define it very clearly.  It's a fundamental principle of the Rule of law.

We have here again the dilemma that traditional law is difficult to apply by analogy.  You may have traditional law for searching of a house.  You give it to the judge to search the house, all the safeguards that are there.  Searching a computer system is a completely different story.  And in particular as the representative of Tonga said then you come to the conclusion of evidence, yeah you may enter in this computer but the evidence may be another jurisdiction.  You have to regulate it in one way or the other.  And that's why happy that Tonga is soon a part of the Budapest Convention because we are now going to negotiate solutions of how can we get to this other, how can we regulate, get clear rules of access to evidence in the cloud computing context.

But again, the clarification to first speaker, Bangladesh, you had an interesting case, bank robbery via Internet.  How would you resolve this if it's not addressed in substantive criminal law?

Just one more comment to the intervention by the representatives of the UK there, yeah, you cannot change ‑‑ changing criminal law is very complicated.  Very difficult.  You may be able once every three, four years to go to parliament with that.  You cannot go every three months.  There has been a new technique, a new type of Cybercrime comes up.

When you look at the conduct in the Budapest Convention, the 9 offenses defined in the Budapest Convention, that covers in combinations almost everything you still need today.  The parties to the Convention every now and then issue guidance notes saying how can you apply the Budapest Convention to address denial of service attacks, bought necessities, crucial ‑‑ identity theft, terrorism, knowledge offenses that are not defined in the laws itself but you can use combination o of offenses.  So we have to be technology‑neutral so we don't have to change it; but when it comes to the procedural law, you have to keep it up‑to‑date all the time otherwise you don't meet the basic Rule of law principle.

>> DR. WALID AL‑SAQAF:  Thank you for your important comment.  I'd like to ask if we have one more comment and then come back to the panel for another round.

>> Hello.  My name is Victor Benavides from the Dominican Republic.  Here we are talking about Internet Governance.  And here is about the cyber evidence and penal law.  And I have a question.  Do you think that strict cyber law in many countries to regulate the crime, the crime, can affect the governance of Internet because the government regulate the crime alone.  They don't ask to civil society, to the multistakeholder who participate in Internet Governance.  Do you think that this strict every e lance can affect the governance of Internet?

>> DR. WALID AL‑SAQAF:  Thank you.  We'll have first the response and take another round of discussions.  And also if there are any remote participants raising your hands, you can also keep us informed.

So a few comments from the panel.

>> Yeah, thank you.  The questions how we could handle digital attack without law.  To me, digital attack means I'm doing a service.  And somebody interrupted somehow and I have been stopped from doing the service.  Delivering packets or whatever it is.  But again same thing that could happen in physical world.  I am providing service.  Put garbage in front of my shop and cannot open my shop.  This is criminal an offense.  I think normal law can handle this kind of situation provided we have to reform the evidence that I have attack in the civil world, sending this type of packet.  And court should see that it actually stopped my service.  So that kind of I'm talking about.  We don't have to have type of law in digital world that it happen in cyber world.  I don't think we need to have any parallel law for handling that.  Rather we need to accept new kind of evidence in the cyber world that can be produce today the court.  That is my one point.

And secondly getting that cross‑border effort like mentioned the bank robbery happened in Bangladesh from other countries, mostly money went to Philippines.  And before going on, how to resolve that.  Again, Bangladesh we have a cyber law.  And for this kind of crime.  But it cannot be applied in Philippines from what the crime is for.  We need kind of collaboration on that.  And globally I really like the point by the gentleman who interrupted first that we have international standards about criminal evidence so that all the court would recognize clearly in all the countries.  That is the most significant thing in terms of handling Cybercrime.

The law handling Internet Governance.  But in my point of view yes in some cases it is true actually because some harsh civil law may ‑‑ cyber law may create issue on free expression and many other laws like maybe if you look at Cybercrime law in different countries, you will find valid questions on that actually hampering that governance.  That's my personal point of view.  Thank you.

>> DR. WALID AL‑SAQAF:  Since your name was referenced, Andrew, before, we'd like to comment on the discussion?

>> Andrew:  Thank you.  I'd just like to point out like to the gentleman from UK, you have pointed out believe there shouldn't be any additional.  What we are trying to stop this in Tonga is to establish one.  You have mentioned that in the UK you already have a cyber law.  We do believe that we should have a cyber law and then like me like the comment before, we stop this and then we can amend it as it needed.  As we going through the exercise of developing our law, we have identified so many shortfalls in the procedural powers in apprehending that evidence.  And so we added some more class to develop a more stable law that can assist in the court of law.

I still think it's very important for us to look at even though the technology was really fast, we also need to identify a baseline where we can work on just like the mention from the Council of Europe.  They have developed a baseline that has been there for a while.  And it's been not applied.  It covers most of the cases that need to be addressed.  And we also don't believe that but he wanted to develop the baseline and he can always refer to.

In regards to that question from that gentleman relating to other organizations, it's also from the interest of our government and also and is probably true from other governments that the reference to other organizations just like Council of Europe.  We also when we develop our cyber law, we also learn from other countries like Sri Lanka.  Those similar environments that we establish a good relationship with them and also learn from them on how they prosecute their Cybercrime.  And we also added some values to our law based on their perspectives.

And I think at the end of the day, we really need to have something on the baseline.  So later on we can add on.  We can add on like it's been mentioned.  It's not easy to change the law every three months.

But if you have something solid on the baseline, you can always relate to add on new to the law to what make it more appealing or focused on how to prosecute the criminals.  As the criminals are getting smarter every day, they find new ways of intruding to your personal properties or personal life, we need to address those.  And I think some of the ‑‑ cannot really define how to prosecute those who are committing law via cyber.  And I think by looking at different ways of amending those laws, it will also help them in the court of law.

>> DR. WALID AL‑SAQAF:  Thank you, Andrew.  Before going to another round of comments, I want to check if Babu has additional intervention as panelist.  Babu, would like to respond to comments?

>> BABU RAM ARYAL:  Yes, Walid, I'd like to make a couple comments.  As I already mentioned, we need to focus on more principle rather than technology or any medium.  But this electronic mediums are electronic evidence that they are more vulnerable for compromise.  So we need to have certain level of legislative practice on this area, how to protect this kind of evidence rather than judging about the ‑‑ based on the content.  So if ‑‑ in courts they have interpreted traditional evidence based on the principle of evidence or impact of that thing to any crime.

So we need to that to level of legislative part.  One is evidence in the law practice.  There are certain substantive things and certain ‑‑ thing.  So first outstanding thing if the traditional Rule of best evidence law/principle and for procedural law, maintaining the evidence, we can have more developed, new ‑‑ evidence.  Thank you.

>> DR. WALID AL‑SAQAF:  Thank you, Babu.  We will now move to another round of comments.  I realise there are several who would like to comment.

The lady?  Also any remote participations.  Also remote participant, please.

>> Just a comment from June Tessi, IGF ISOC fellow.  So her comment says as a counsel they we are also reviewing our Cybercrime law.  And I agree that there is a need for review and constant update.  I think we need both reform and new laws.  The traditional law did not foresee certain current trends just as Mr. Alexander from the EU council said.  And there is a need to provide it in law in order to affect prosecution.

>> DR. WALID AL‑SAQAF:  Thank you for that comment, Jun.  Yes, please?

>> My name is Lawrence.  I'm IGF Fellow.  I have a question.  How does the government handle the Rule of encryption when collecting cyber or digital evidence?  And how can the technical community come to sort of aid in this?

>> DR. WALID AL‑SAQAF:  We'll take another couple comments before we go back.  Yes, please.

>> Good morning.  Thank you for your presentations.  My name is Patricia Vargas.  I'm a PhD candidate Veracruz University.  Kind of followup what the representative of the Council of Europe mentioned.  Initial between substantial and procedural law there is a distinction between local and international law.  Academics call the cyberspace a perplexity for the international law because there's no recognition of the traditional borders of the nation states.  So with the nation states come the issue of jurisdiction, the jurisdiction in what a crime is state B may not be a crime in nation of state C.  There are also differences in encryption policies.  For instance, so in the Budapest Convention itself helps because it gives some kind of framework for the members of how to address these issues.  But when you talk about collaboration ‑‑ because we may have multiple nation states involved in a crime.  What would be the main elements for this potential collaboration?  Because we are talking about different legal systems, different legal cultures, different ways of searching, et cetera, et cetera.  Thank you.

>> DR. WALID AL‑SAQAF:  Thank you.  Were there any other comments at the back?  And then we can come to you.  And then there's also one remote participant.

>> So I'll just give you a quick example of where I'm coming from with this.  I bring you or bring in something slander comments.  You want to take me to court to slander.  Do you use a different law if I running you using GSM or Skype from the same phone?

And more importantly, can you prove it was me?

That's what it really comes down to.

>> DR. WALID AL‑SAQAF:  Very strong point, yes, indeed.

>> Luis, BCS‑‑ for IT.  I think one of the important differences that hasn't been raised yet between some Cybercrime and some "conventional crime" if I can call it that.  Is the question of scale.  If we take the example of DDOS versus putting garbage outside a single person's shop, both of them prevent people going about their lawful business, which is probably illegal in the country and cross‑border, let's just stay in one country.

I think the difference that perhaps needs to be considered ‑‑ and I'd like the panel's opinion on ‑‑ is:  Should the ‑‑ is the thing that needs to be changed not the underlying law but the range of things that you can do to ‑‑ if you find the person who's done it ‑‑ to stop them because one affects many more people and is perhaps more serious.  And maybe your law before said you could only fine a person loss of one day's service for one person; whereas it should be a of bigger fine or maybe ‑‑ much bigger fine or perhaps a civil sentence, it should go from civil to criminal law because of the scale of what you can do in so the cyber world.  So I'd just like your view on that.

>> DR. WALID AL‑SAQAF:  Thank you.  There is a remote participant who wanted to add a comment.

>> Jun:  Yes there is followup comment from the earlier remote participant June.  She says the problem we have seen with blanket alteration of the traditional criminal legislation, at least in Kenya, is that there's created loopholes in wide interpretation and excessive abuse of power by our state agencies.  There's therefore a need for specialised Cybercrime law.

>> DR. WALID AL‑SAQAF:  Thank you, June.  Yes, please.

>> This is Mohid from Internet Society chapter.  First of all, many thanks for your presentation.  I think it's important that we have this sense of diversity in the Forum where people debate about:  Is cyber law really required to properly cope with the challenges we are facing in the current world?

My question to the panel is about two things.  One is about cyber disarm amount because there has been increased talks about cyber disarmament because all the nation states have been affected.  And there are some things which are in the challenge of jurisdiction.  So this has been talks in the Forum of Budapest Convention and otherwise also about cyber disarmament.

So is cyber disarmament somewhere related to cyber law?  That's one of my questions.

And I forgot the second one.  Thank you.

>> DR. WALID AL‑SAQAF:  That's more time.  If it's a pressing comment?  Yes?  Go ahead.

>> Everything is pressing, no?


Just to this last one because refers to Budapest Convention.  Budapest Convention is not a treaty about the states, state to state military criminal, it is a criminal law treaty only.  Of course it can help if you can deal with interstate relations if you can deal with it as a criminal justice matter rather than putting it to national security measure.

But something to keep in mind about the issue of electronic evidence.  Most of the offenses investigated these days by criminal justice authorities have an element of electronic evidence without it being Cybercrime.  Kidnapping, terrorists communicating with each other, extortion, whatever.  Element of electronic evidence.  You have to keep in mind probably 99 percent of cases that I investigated ‑‑ are not Cybercrime but are traditional crime.  We have to keep that in mind.

We also have to keep in mind that all charges, all prosecutors, all law enforcement would rather sooner or later come across electronic evidence.  Large that touches criminal charges altogether.

I agree with the first speaker in some ways; namely, that it is a mistake if you put every new technique that cyber criminals use into the criminal law.  It's impossible.  Don't put a substantive law in place that talks about phishing or pharming or bot attacks.  I've seen some of the laws I mention in countries because we get lots of draft laws to review from around the world that you have for one offense, in the Budapest Convention takes about 3 or 4 lines which some countries have implemented that it works, that in some countries you have 25 different paragraphs on the same offense of criminal access to this, criminal with the intent to do that, criminal against government computers so on and so on.  That's a mistake.  DDOS attacks can be covered by system interference as it is defined in the Buddha test Convention, it is five lines.  So you don't need to update the laws every three weeks if a new technique comes up have keep it neutral.  Keep it simple.  Use the Budapest Convention.

>> DR. WALID AL‑SAQAF:  Thank you.  I may want to abuse my role as the moderator and pose my open enrollment question before anyone else does.  Is that have you not felt that some governments, it's not a blanket assumption, some governments have abused cyber law to prosecute bloggers, prosecute journalists and prosecutes several civil society activists on the basis of the committing a crime?  And in fact they may use the scale aspect and say they've done of bigger damage to national security than other regular crimes?

So keeping that in mind, isn't that the case in some countries?  And how can one deal with it?

>> Absolutely.  I was on a panel in I think it was the Nairobi IGF.  And we discussed after the panel I discuss Wednesday the person next to me.  It was a blogger from a Middle East country, he said "I was blogging critical to the government.  Under the criminal law, the government couldn't do anything against me.  But then the same day they declared me a threat to national security and that's how I ended up in prison and being tortured."

So let's keep it in mind.  We need criminal law.  We need to have it clearly defined with all the safeguards in it.  We have to bring as of as possible within the realm of criminal law and not give governments the possibility to work in a different arena, the national security arena where all these protections don't apply.

>> DR. WALID AL‑SAQAF:  Do you have something quick?  Very quickly, please.

>> I wanted to add.  I just remember what I wanted to ask.  So I wanted to ask about is concealing any potential Cybercrime by one nation state is also a crime in another?

So, for example, if you want to take an example of heartbeat where NSA was knowing about these vulnerabilities which can be potentially used to attack some other nation state, so is concealment of those kind of activities also be considered as Cybercrime in the law?

>> DR. WALID AL‑SAQAF:  Good.  So many questions and different ways of looking at it.  But perhaps I can start the other way around, with Andrew, perhaps.  There were several provocative questions including ones about how to use Skype or GSM device and how we differentiate?  Do you have any responses to those questions?

>> Andrew:  Thank you.  I'll just try to remember all the questions.  But let's start with this question.  I think it's very important that we have some kind of mutual understanding or bilateral understanding with other countries.

In regards to Skype, you all know Skype is hosted somewhere else, possibly in the United States.  We have similar cases in Tonga where people do defamation through Facebook.  And the police, they report it to the police.  The way they have to do it is to ask Facebook to bring down the account.

Because of Facebook, they have also have policies in place for privacy.  So you can't ask them who it is unless you go through the legal process in the United States where you and launch to ‑‑ what happened is a threat to national security?  Or committing crime in your country?  There is a way of going through it, mutual legal assistance where you can launch a complaint through the Department of Justice in America and they launch a court order.  So in that way, you can bring down and identify if that evidence is sufficient enough.  And I think it applies to something of that degree of what you just said.

If you talk on Skype and it's proven that it's some terrorist nature, to our country, we can make that arrangement to identify the person.  That's the beauty of interconnecting with other jurisdictions in regards to this.  And that's reflected in our new cyber law also that we need to address those things.  With the encryption data.  As you may know, we're starting our cert(Srt?) when there's encryption data coming through and there needs to be decrypt, is that what the question is all about?  The question was?

>> When collecting cyber evidence, the aspect of inscription, there is already encryption, how does it play?  Or what's the effect of encrypted data in relation to evidence collection?

>> Andrew:  Okay.  There are different ways that addressed those issues.  And I think there are mechanisms that they can decrypt data and also store those.  Encryption data is also ‑‑ there's procedures that need to be followed.  In order for that data to be presented as evidence in court.  Because if you are to tempt, to try to decrypt any encryption data in some ways that it will alter the data, it won't be recognized in the court of law.  So there are certain ways and procedures that need to be accounted for.  And follow through in order for you to deal with that kind of data.

>> DR. WALID AL‑SAQAF:  Now to Sumon, you had the bulk of the questions.

>> SUMON AHMED SABIR:  After the discussion of all the audience here, I think the question already answered have and we have a very clear view about that.  Again, even so, first my apology, I'm not lawyer, actually.  I'm not expert in legal.  I'm more of technological person, technology.  Sometimes came to us and we need to handle this in that regard, discussions came to my mind that while we are ‑‑ law rather we need to empower, we need to enhance the ability of our law enforcement agencies or legal systems so that we can measure, we can address the Cybercrime evidences.  We need to measure on the degree of the crime, the impact on the people.  If it is single individual or it is impacting a large community.  So other crimes or in physical world, that needs to be measured based on the evidence.  It is important how correctly, how effectively we can guide the evidence and the Code and the court give justice more.  That is more important than creating new laws, that's my point of view, actually.  Apart from that I think.

>> DR. WALID AL‑SAQAF:  You had questions about the effect that perhaps 99 percent of cyber criminal laws are actual real laws, any.  Yeah.

>> SUMON AHMED SABIR:  Yeah, maybe, using the Internet or technology.  But it is essentially something, some criminal law real world, actually.  So the same law can actually apply.  That's what I believe.  And I believe that's very doable.  Another point you mention, Skype call or GSM call.  It may happen that I come to you and tell you that we need to do this crime together.  Or I can use eye use pigeon to send a letter to you.  Doesn't matter what kind of crime we have done through that.  If it is that, important thing that government should need to identify that it is me or we have done this crime.  So that is more important than creating laws for different technology for different method.  Maybe new technology come in the future.  So we need to focus on the laws, rather than focus on how things happen.  Actual fact.  Actual evidences and that should be created equally.  And discuss the international boundary actually that I don't have answer how to do that properly, but I think we altogether work to that, that if criminal actual happen cross‑border, maybe different countries involved in that, how we can work together, some ongoing problem and discuss you all are having.  I think we need to work on it together.  I don't have anything else to that.  Thank you.

>> DR. WALID AL‑SAQAF:  Maybe if I could reflect on the last point.  There are laws that actually deal, real laws that deal with cross‑border issues, for example, smuggling, you have money laundering, you have aspects regarding global economy.  So there are ways to deal with it.  But again to come back to the point of the baseline.  There cannot be a way to ensure that every single crime in the format on type needs a separate law.  I mean that's ludicrous.  No one here argues for this.  But perhaps you have to have some kind of disagreement, some kind of agreement that there are certain things that can be put into a cyber law and then there's still the view that even that is not necessary.  Let us take Babu, and then come back for last round of comments.

>> BABU RAM ARYAL:  Thank you.  I have a couple of examples of issues of this platform or this kind of law, cyber laws you just mentioned before.  In Nepal, there are recording of Supreme Court hearing and the municipal court charge that person ‑‑ Cybercrime case, which is absolutely different regarding ‑‑ posting is not Cybercrime.  And that was taken by the court though he won the case but it was absolutely ‑‑ posting in that kind of case.

Another case was Nepal police published one their good attempt of defending law and order.  But one comment by the citizen was that and they didn't do this without any bribe.  So police charged that person based on cyber terrorism.  So there are issues that apart from and this in aggregate is more severe than traditional platform.  If it is definition under our traditional law, punishment is just like ‑‑ but in this cyberspace, it goes up to five years.  So based on the technology, we should ‑‑ we should not treat differently.  You just mention that there are certain laws, certain crimes which are in traditional format.  For example, binding recovery we covered earlier this discussion, there are certain kind of tools, robbers or criminals are using to transfer money in the bank but actually that is transfer of money which is also a crime in traditional law.  So we need to balance these kind of things.  This is my perception.  We need to balance offline and traditional evidence.

>> DR. WALID AL‑SAQAF:  Thank you, Babu, from holding the stick from the middle, I guess.

Let's move on to the last round of comments because we are about to finalise.

>> I want you to keep in mind because reference was made to the international nature of the crimes or of the evidence.  Create difficulties getting international cooperation by another country if the dual criminals done that is not met.  Which means if you don't have something ‑‑ if there is a denial of service attack against Bangladesh and your offense comes from Tonga, but Tonga says that type of interference is not a crime, they would not cooperate with Bangladesh because criminality is not met.

And pornography issues, not talking about child pornography, pornography is a crime in some countries but not others.  It is difficult for Europe to get cooperation from United States with hate speech and xenophobia and that kind of thing.

So you need something in your domestic law to obtain cooperation from other country.  And again the type of conduct that is in the Budapest Convention, that's internationally agreed.  If you put it into law, you get cooperation.  If you don't put it in law you don't get cooperation from another country.

On the issue of the severity of penalties, sometimes it's more severe in cyber environment than not, indeed it has often to do with the impact it has.  I think the garbage in front of the shop is a very good example to that.  There are only a few crimes in the Budapest Convention which are crimes committed by means of computers.  Like the nature of child pornography has changed in the online environment.  The impacts, the negative impact has changed a lot in the online environment compared to real life when you had to send some around by posts and now you spread it by Internet.  Similarly the type of fraud have changed a lot.  There are a lot of fraud that you don't have in real life.  In real life you have to deceive the mind of a person to be fraudulent.  Now to deceive the computer, the man in the middle attack, in some countries that would not be a crime.  In Germany it was not a crime until they ratified the Budapest Convention.  Now two‑thirds of the crimes in Germany are crimes because of the Budapest Convention, it was not a crime before.  And so forth.  You have to keep that in mind, as well.

>> DR. WALID AL‑SAQAF:  Thank you.  Anymore comments?  Remote participants?

>> Again, comment from June.  I think it goes back quite far back.  So what the Chair said earlier, please refer back to comments several times ago, has actually been seen in Kenya, in other words, abuse of law on Cybercrime.  The effect of that, however, upon challenge before the court was that the law was declared unconstitutional.  So that was her comment.

>> DR. WALID AL‑SAQAF:  Good.  So now we approached the last 10 minutes of the workshop.  And perhaps I'd give the panelists a few minutes each to round up their comments and bring in the strongest points to persuade whoever is not yet persuaded.  And then finally I'll just give a very short summary and conclude.

>> Thank you, Walid.  I agree with the comment made last example.  I just forgot, actually.

>> DR. WALID AL‑SAQAF:  Of the laws having to be there?  National?

>> Right.  And the Budapest Convention is actually important that all the countries should agree.

It is not debating that creating laws are different kind of situation we're debating, but practically we need to solve the problem actually that Cybercrime is a real issue and crime coming to the Internet being used.  Even we got report of this kind of complaint to police and say that my ‑‑ is lost.  He bought it paying money physical loss and that has been snatched by somebody and told police to get that.  So that is also happening.  So we're living in both physical world and cyber world.  So things are getting more and more difficult to divide us.  So we need to act sensibly and effectively so that in future we can get a safer and better Internet.  For that we need to all work together.  And I really want to thanks all the different comments for supporting me.  But all very important.  Then again come to decision.

>> DR. WALID AL‑SAQAF:  That's sportsmanship we like.  Thank you.  Andrew?

>> Andrew:  First of all, I would like to thank you for all the comments made.  And thank you for your contributions, especially for the Council of Europe, for the kind of enlightenment in a lot of issues that we have discussed today.

From the government point of view, especially from my government, the bottom line is that it is the best interest of any government, including Tonga, that the issue of safety of our citizens is the most important thing.  And that's why we looking to different laws including the cybersecurity law because as I was mentioning before, we just knew ‑‑ the case with the fiberoptics to Tofga.  And there's a big form in the using of technology.  According to our system right now, there's not many cases reported.  But in our assessment, there's been cases happening in Tonga.  But the problem is they're not aware of what's going on.  And they never get it reported or recorded because they didn't really know that what's going on.  It's something can be classified as a crime.

Putting up the new law, it really defined what considered as defined and what is considered as crime and also have some more definition to it.  And it really helps our prosecutors, our judges to really understand activities going on throughout cyberspace.  And I would like to recognize the an assistant from Council of Europe in that regards because they have contributed a lot in developing the laws for Tonga in regards to Cybercrime.  And we have come across a lot of issues that we have now recognized that needs to be addressed, probably.  And also looking into the future, we'll hope that we will create something that will better serve our citizens as well not only for our country only but also provide any mutual assistance to any other countries that we can interact with through the Budapest Convention.  Thank you.

>> DR. WALID AL‑SAQAF:  Thank you, and drew.  And perhaps the last word by analyst Babu would like to say something.

>> BABU RAM ARYAL:  Thank you, Walid.  Major thing in this evidence lesson is that we need to recognize the format of the medium of ‑‑ in many ‑‑ traditionally they require, for example, document is the only document which is in paper.  So now we have the documents in electronic or digital form.  So we need to recognize the evidence or content rather than interpreting totally differently.  We need to emphasize the impact of any act or any tools rather than ‑‑

And second part I'd like to say that cooperation, national international is different thing when talking about the evidence.  Evidence is basically a fact.  Rather than interpretation.  Many laws whether it is crime or not is interpretation.  But evidence is a fact.  So evidence are basically it's universal.  Need to recognize universal these things.  And then only you can prosecute or we can have better Cybercriminals.  Thank you.

>> DR. WALID AL‑SAQAF:  Thank you, Babu.  So let me try to take the hard task of summarizing what we've been through.  It looks like there is more or less, I am sorry to say, Sumon, majority were calling for keeping cyber law and having it there.  However, there was also agreement with you on the need to not take things to the extremes, to the details, to the level that makes cyber law not possible to implement.

It is one thing to ensure that there is something, some baseline, some commonalities, common ground that everyone can agree with, which would foster international collaboration and fighting Cybercrime.  But on the other hand, some countries as earlier mentioned may take it to the extreme either too technically by elaborating on things, making laws very difficult to make laws to continue to evolve and sometimes to sue protocol east citizens to suppress dissent.  And in some cases cause more harm than good.  But if you think of in terms of the benefit of society at large, the benefit of citizens, keeping them safer, then having some sort of guidance there that's uniform, that's standard, that's based on digital evidence, good practices is very useful and it can be elaborated more and clarified in ways that help society at large.

The points that have been raised on various subjects from the different tools used to collect evidence, the technicalities, procedural things, these are lower in some ‑‑ they're not laws, per se.  So they need to be taken into account.  However, there's something that I felt was a bit missing in this discussion, which was the competence of the ones, law enforcements and evidence collectors and judiciary systems and juries and everyone, competence understanding what is going on in the Internet, cyber evidence, what are we dealing with?  This has been mentioned in different workshops, in different events.  And that's why there were capacity building programmes for individuals from lawyers, to judges, to civil servants, to police forces to understand how the Internet is shaping our world and making us a need for these competences and abilities.  And so it's very complex workshop and the topic is complex.  The ideas that have been floating around are very much ingrained bodes as citizens and governments and law enforcement units as well as technologists and lawyers.  But on the other hand, it's still promising that we have a way to debate this openly, fairly in a sense of sportsmanship and spirit of understanding that we can disagree but eventually it's the interests of the end user that matters.

So we are two minutes earlier than our time.  Thank you for coming here.  I'd like to give a special round of applause for the panelists.


And for you.  And for the remote moderator, thank you very much for helping us.  And we hope you enjoy the rest of the day.  Thank you.

(end of session)