Notes from the 6th Internet, Law and Politics Conference: Cloud Computing: Law and Politics in the Cloud, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 7th and 8th, 2010. More notes on this event: idp2010.
Chairs: Blanca Torrubia
Police investigation in the field of cloud computing
Rubèn Mora, head of Technologies of Information Security Department, Mossos d’Esquadra [Catalan national police].
One of the problems of cybercrime in cloud computing might be that current regulation does not take into account specific illegal uses of the Internet. Thus, the police always have to catch up with both technology and the law.
On the other hand, in real life we are used to suing (or complaining about) someone whose actions hurt us, but when it happens online we just go and call the police. This is overwhelming for cybercrime prosecutors, as many times it is not their duty, or it is not that clear that it is.
Nevertheless, it is understandable that citizens go to the police, as many times it is not that clear who is liable for the harm they have suffered. This ends up with citizens, in general terms, being less certain about who is liable. In the same way, the police are tied to geographical jurisdictions that are not always the same ones as those covering the person who caused the harm.
If that was already a problem in the first years of the Internet, with cloud computing it has been multiplied by orders of magnitude, as cloud computing works in three different layers (SaaS, PaaS, IaaS) that make reality much more complex. The creation of CERTs has lightened bureaucracies, but their interaction is still slower than crime.
Some cloud computing cyber-crimes: password cracking (PaaS), anonymous transactions (SaaS), phishing hosting (PaaS), botnet renting (IaaS), CAPTCHA solving (PaaS), credit card credential theft (SaaS), etc.
Law has to be practical, efficient. We have very nice laws and guarantees of rights that we never apply. There usually is a trade-off between efficiency and guaranteeing the citizens’ rights: the problem is finding the desired balance.
Against cloud computing, nowadays, there is no way to be efficient: prosecutors (police, courts) have no means of being efficient. Thus, should we give up some guarantees? Cloud computing is about dematerializing everything, and with dematerialization comes the difficulty of tracing and monitoring. Cloud computing shifts the claim from ownership to availability (e.g. instead of downloading music, having it available through streaming). Cloud computing is also about delocalization: hardware and software are usually not where the user is.
Two concepts must be distinguished: being connected and communicating. Your mobile phone might be on, connected and exchanging information with other devices, but you might not be communicating — strictly speaking — with anyone. And since it is so easy to become a criminal — consciously or unconsciously — the solution is to monitor and put surveillance on anyone.
Main characteristics of cloud computing:
- Economic: money driven;
- Highly professional;
- Botnet: the infrastructure as a system;
- Absolutely unbalanced: the bad guys are much more than the good ones, as the good ones’ computers are corrupted by the bad ones, thus becoming part of the crime network.
We definitely have to re-define the law.
- We need a set of measures to enable surveillance of citizens while distinguishing connection from communication; e.g. RFID-based crime should fall under the category of data protection, not under the right to communications.
- Measures (legal and technical) have to be progressive: we have to distinguish an individual uploading photos of their ex-partner to a social networking site from a terrorist network copying credit cards.
- We need a catalogue of cyber-crimes, especially those characterized as serious.
- And we need independence from the medium or the holder of the data: we need access to all data about a person, wherever they are stored.
The model should, thus, split technicalities from guarantees: the police should lead the investigations, as they have the knowledge and the means, while prosecutors and courts should follow the processes to guarantee their lawfulness.
Jordi Vilanova: what is the liability of the owner of an infected device? Hernández Guerrero: Yes, in the same way that you are liable to a certain extent for maintaining your car so that you don’t run over anyone, some knowledge of the power of a specific device and of its maintenance (e.g. a PC and an anti-virus) should be a requisite, and the owner liable for not acting according to that requisite.
Marcel Mateu: Right, we have to change the law. But how many policemen and prosecutors are able to work in the digital age? Mora: the resources of the police often depend on how the citizenry pushes their governments to fight this or that type of crime. If the priority is e.g. gender violence, then cyber-crime is less funded. Hernández: in general terms, agreed that cyber-crimes are not on the political agenda. Surely much of the “cyber-” is just crime done by electronic means, but maybe the politician needs an “e-Pearl Harbor” to realize that the world has changed.
Blanca Torrubia: what is the profile of the cyber-criminal? And what should be required to fight cyber-crime? Mora: the cyber-criminal gets younger as the years go by, astonishingly young. And the best way to fight cyber-crime is information and training. There is evidence that cyber-crime involving minors drastically decreases if they are informed and trained on the hazards of specific behaviours on the net.
- Detectar a los ‘malos’ es más difícil en la nube, by Karma Peiró.