Better enforcement, and not new laws, may be the best way to deal with cybercriminals
The fact that it is so easy to hide our phone communications from third parties has angered a lot of people, especially the authorities. Called “going dark,” anyone with a smartphone can download any number of applications that use end-to-end encryption, making it all but impossible for text messages, photos, documents, etc. to be monitored or intercepted by anyone, including Internet providers and the police. Many popular apps use this kind of encryption, including WhatsApp, Cyber Dust and a Canadian chat application called Kik. Facebook recently announced its “Secret Messages” encryption feature, available to 900 million messenger users.
Law enforcement officials and, increasingly, the public, believe that end-to-end encryption poses a real danger to us, our children and to national security — so much so, that the TV programme 48 Hours began its new season in September with a much-hyped show called “Killer App.” It was all about Kik.
It’s not only “going dark” that causes problems for authorities trying to locate and prosecute cybercriminals. There is a very long list of hurdles facing law enforcement when it comes to cybercrime — and all crimes committed with a cyber element to them. These include difficulties in determining who owns electronically stored information; a lack of expertise needed to analyze the data (if you can access it); ineffective penalties in cases where defendants refuse to comply with orders to disclose data; and an inability to compel local companies to produce data stored in other countries.
Canadian authorities have made it clear they want a change in our laws related to investigating digital-related crimes. They want more access to the public’s communications — and they want faster access. On Aug. 16, the Canadian Association of Police Chiefs passed a resolution calling for a new law to be enacted that would enable the police to unlock digital evidence, forcing people to reveal their passwords. One month later, the federal government introduced a Green Paper on national security called “Our Security, Our Rights: National Security Green Paper, 2016”. Included in the paper are a number of discussion points about allowing authorities to access digital information without a warrant. It seems like Canada is considering a move in this direction.
This is not the right approach, according to Internet, technology and privacy lawyer David Fraser, a partner at McInnes Cooper in Halifax. “If police officers could just snap their fingers and get authorization to open your front door, they would do it all the time.” By forcing the police to explain to a justice of the peace why they should be able to enter your house against your will, they will only seek that right when they absolutely have to. “So I am sorry not having easy access creates work for the police, but they’re looking for a shortcut. And law-abiding Canadians will have their security compromised and that is not good.”
The evidence needed to prosecute cybercriminals can be located anywhere on the planet. Servers are easy to set up. Data can be bounced from place to place in microseconds, making it extremely difficult to find the person and the evidence behind the crime. And while some countries have agreements with Canada that can help authorities, many other countries do not.
Fraser believes Canada’s existing laws are effective enough. Referring to the “going dark” phenomenon, he says the ability to avoid police is not new. “It used to be, if you wanted to go dark, you’d go for a walk in the woods. Or you’d use pen and paper. There have always been ways to circumvent police surveillance.” The problem, says Fraser, is not a lack of laws but a lack of imagination. “I don’t mean that in the sense of making things up. What I mean is, the police are having trouble translating traditional crimes into the online context. The rank and file, the routine police who take the calls, who wear the uniforms, don’t have the training and the savvy to figure out all this [cyber] stuff.”
Fraser uses the tragic suicides of Amanda Todd and Rehtaeh Parsons as examples of cases where the horrific acts committed against the two young women — many of which included cyber elements — were clearly criminal and against Canada’s existing laws. “The attention to these cases made the public and the police say, ‘Oh, we need new laws,’ when in fact, we already have laws that could have been put to good use,” says Fraser. Among the many crimes committed in these cases were child pornography and extortion. According to Fraser, the fact that the perpetrator in the Todd case was investigated in the Netherlands and extradited to Canada without having to enact any new laws is proof that, if you have the right resources and are able to co-operate with foreign police, the system works.
Canadian cybersecurity expert Ritesh Kotak advises and assists the judiciary, the police and other officials with respect to the investigations, analytics and challenges of social/cyber/digital technology. Before deciding if new laws are needed to help the authorities, Kotak says we first have to rethink what digital crime actually is. “Cybercrime can’t be a thing anymore. It needs to be seen as just crime. Our cars are connected, our houses are connected and even our medical devices are connected. A pacemaker can now be hacked into and turned off. Is that a homicide or a cybercrime?”
Even when Canada does enact new cyber-related laws, their existence can be slow to trickle down to the public, says Fraser. He uses “revenge porn” as an example. This act has become popular in recent years, whereby (mostly) men post intimate images of their former girlfriends or former wives online, without their consent. As a result of these kinds of cases, Canada amended the Criminal Code (s. 162.1) in late 2014 to address the nonconsensual distribution of intimate images of any person. And it added s. 162.1 to the peace bond section of the Criminal Code at s. 810(b).
Fraser thinks this is good news, except for one problem: Even though the law is roughly two years old, he wonders if the public even knows peace bond protection exists. If a potential victim checks the Canadian Resource Centre for Victims of Crime website, for example, there is no mention of using a peace bond for s. 162.1.
Kotak says the Internet has made the world really small but also really big. Both the investigation and forensics of cybercrime are extremely complex and require specific skill sets. “With physical investigations, tactics are changing, the craft is changing and you’re seeing exactly the same thing in the digital world.
The way we acquire evidence, the way we retain evidence, the way we present evidence — this is a complex field. You cannot conduct only a traditional investigation or only a digital forensics investigation — you have to do both, and they have to complement each other.”
Says Fraser, “Twenty or 30 years ago, if I wanted to rob a bank, I would just go rob it. The evidence would be on one surveillance camera inside the bank, maybe. And there’d be witnesses. Both would be enough to convict me. Now, they’ll go through my cellphone records. They’ll get a production order from the cellphone company that shows my phone was outside that bank three days earlier when I was casing the building. This is better evidence, but it is not the only evidence.”
In recent years, Canada’s governments have wanted to make it easier for the police. “The way they can make [these investigations] easier is to do so without a warrant, which has a huge impact on the justice system in general,” says Fraser. Kotak says that laws are already in place to help authorities, through production orders, subpoenas, the Mutual Legal Assistance Treaties process and the various amendments of the Protecting Canadians from Online Crime Act (S.C. 2014, c. 31), among many others. He says the laws are there to help authorities obtain the appropriate evidence. “But if you can’t get the data because the servers are located in a difficult country or you can’t break encryption, then we have to look at other solutions.”
One solution may be to reverse the trend of centralized knowledge. “They create a child pornography unit, a fraud unit and you have very specific skillsets in those units,” says Kotak. “What we have to do is look at decentralization, which would ensure the knowledge, skills and abilities, with respect to social/cyber-/digital crimes, are built into every element and training module in policing.”
Lorne Lipkus, founding partner at Kestenberg Siegal Lipkus in Toronto, spends most of his practice working on brand protection and counterfeit cases. In his experience, even though selling counterfeit goods online has skyrocketed, the criminals behind the cases he comes across are rarely convicted. “If you are able to find them — and that’s a big ‘if’ — then you have to go to where they are physically located. In Canada, we have found the criminals, and the local police have dealt with them, but it is a spit in the ocean.” Asked if amending our laws would help, Lipkus says: “There is no one step. There is no one law. There is no one agency and there is no one way. This is a global issue that requires a lot of different entities to get together.”