13 June 1999. Thanks to q/depesche and Telepolis.
Source: http://www.heise.de/tp/deutsch/inhalt/te/2937/1.html

Translation by JYA using the Systran program and tweaking. Apology to German speakers.


Telepolis, June 11, 1999

"We also want to make a guide for other countries"


Christiane Schulzki-Haddouti   11.06.99

Interview with Scott Charney, chairman of the G-8-Work Group "High-Tech Crime"


The main western industrial nations and Russia want to fight high-tech organized crime. We arranged an interview with Scott Charney, chairman of the G-8-Work Group, "High Tech Crime," with its own working group. Under the presidency of Scott Charney, the chief overseer of computer crime matters in the US Department of Justice, the G8-Work Group, "High Tech Crime," a 24-Hour-Contact-Group was created.

Nations require mutual help across national borders : For example if the traces of a case lead from Germany to the USA, Charney assisted by the US Internet Service Provider (ISP) concerned follows up the contact, in order to assure data evidence. Charney is personally available virtually around the clock. Still, only two times in a month have international cases landed on his desk. The chief computer law enforcer is convinced that such cases will occur more frequently in the future. Therefore, together with his colleagues from the G8-States he aims for better coordination and to achieve more efficient prosecution. The working group tinkers at present with a training program for the preservation of evidence. Thus all policemen practice searches and seizing using the same procedure. So that evidence required for each can be also mutually recognized. Training software is already in beta version: Policemen can scan an area of the computer in a three-dimensional environment, retrieve articles as needed and secure the evidence.

However, a common practice has not yet been sufficient, and legal harmonization is not aimed at now within the G8-States. In the context of the legal possibilities, evidence is to be exchanged regularly, in order to be able to solve international cases. Christiane Schulzki-Haddouti spoke with Scott Charney in Washington.

________________________

How did the G8-Work Group "High Tech Crime" develop?

Scott Charney: We began with the G8-Process in January 1997. Within the G7/G8-States the presidency changes each year. The US served as president in 1997. While the USA furnished so-called working groups, in which experts focussed on certain topics set under each presidency. Each working group was led from another country. The working group for "High Tech Crime" was created as part of the working groups at that time.

The reason why we concerned ourselves with this topic lies in the fact that we concerned ourselves for the first time in 1986 with a case of hacker. Ever more cases came in following years. During the 90's they became more than hacking and/or conventional computer criminality: Computers were used increasingly in order to facilitate conventional criminal offences. The more computerization increases, the more technical and complicated becomes the crime problem. We regarded it therefore a good idea, to those of us in a small group like the G8-States, which belongs to to most industrialized and computerized countries, to work with the problem. Since January 1997 we have met nearly each month.

What would you like to accomplish?

Scott Charney: We want to guarantee that computer crime is criminalized within as well as outside the G8-States. We want to accomplish something not only in our states but to also make a guide for other countries. We want procedures for transnational tasks to be accelerated. Crime is not only quicker, it also spreads in a larger measure than before. It requires therefore an increasingly more coordinated response. We want to guarantee that our juridical systems are substantially and procedurally so arranged that they achieve maximum efficiency. Besides that we wish to see in what ways the needs of prosecution are converging with those of the market and how they are developing separately.

How does what is happening in the market affect the interests of law enforcement?

Scott Charney: There are two trends on the market: One supports public security, the other less so. For e-commerce people want authentication for a certain kind of communication. With home-banking, for example, they want to know for sure that a certain money transfer was made by them personally and not by another person. Here, there is a need for a high degree at authentication in which our purposes also benefit.

Another instance is when announcements in the Internet are generated. The value of the announcement depends on how many people see the announcement. The question is now what to do when there are a high number of accesses. One method consists of furnishing anonymous free accounts. This service is used by many people which do not have to authenticate themselves for use. But what happens if one of these people threatens someone else with the help of an anonymous account? In this case the market does not help us. In discussions with the industry we engage experienced technicians to tell us in which direction the market will develop.

What do you want to accomplish within the bounds of free, anonymous Internet access?

Scott Charney: It depends not least on the individual country, what one can do. Some options contain for example, certain means of authentication which firms know their customers want. However, in the USA this cannot be accomplished. Some people want to use the Internet happily anonymous - not because they are criminal, but because they want to retain their privacy. Together with the industry we see the need for applications for authentication. The question is, how importantly is actual anonymous use, because people can also send anonymous contents by way of regular mail. I have the impression nobody has found a solution.

"freezing and storing" as alternative

A European Union resolution for the fighting child pornography in the Internet plans prohibition of anonymous email. Also there is a suggestion to store customer data for at least 90 days. Is this also a model for the USA?

Scott Charney: In the USA there is a certain data storage requirement for short periods - for accounting purposes or for technical reasons. Legally we can obligate the Provider to store the data of a certain account 90 days long before they are deleted. That gives us time to obtain the judicial subpoena for release of the data. If we do not succeed in this period we can get the data stored for a further 90 days.

Is a similar regulation to come now to the other G8-States?

Scott Charney: That is one of the topics which we are discussing at present. The problem lies in the fact that the Provider cannot store arbitrary data sets on indefinite time, which international legal assistance needs to process requests. There is at present the option of "fast freeze quick thaw": the Providers are to freeze the data quickly, in order to retain it. Then we try to reach the release of the data quickly in a legal way with a court order or the right legal assistance. The advantage of this procedure is that no important data are lost. Also data security interests are considered, since data under national jurisdiction are released.

However, if one asks all Providers to store all data for 90 days with it both a use, and a damage are connected: Is sometimes useful that one does not know exactly, which data are important. If one needs data from the past week, they would be already lost with the "freezing & thawing" method. But the drawback is the following: If one asks a Provider for those data sets generally [zuspeichern] perhaps, since one could be interested sometime in the future in a small cutout of these data it would be as if one asks to keep a whole pile of hay only because one straw is needed. That is expensive, brings data security problems and other problems. The question is, how does one achieve an appropriate balance. And that is not simple.

How do you judge the chance to realize the suggestion of " freezing and storing " within the G8-States?

Scott Charney: The chances of a multi-layered  ["weitflächigen"] implementation are rather high. It has a number of advantages, but only few disadvantages. Law enforcers which new them get the data. The Provider must store only a comparatively small data set - that is not expensive. And from data security perspective not all the data are stored but only the suspected.

How now does the schedule look for conversion?

Scott Charney: It happened already at our last meeting in the middle of May in Paris in our working group. Now Ministers of the individual countries must decide on it.

Harmonization efforts

What other topics were discussed in Paris?

Scott Charney: It concerned sequential topics. For example we looked at some technical questions regarding trap and trace and the differences between flow of traffic data and contents. Each delegation examined its own laws in order to determine where similarities and differences exist. We asked questions, and as we dealt with those answers, we asked still more questions. It is rather complicated. It is a work in progress and will continue that way.

Did the G8-States provide for a right of overview in order to be able to say at which points a legal assistance agreement needed?

Scott Charney: If you determine differences in the national rights, some are important and some less so. We try to find out where they become problematic for us. For example: In some countries one can force the service provider to provide assistance, in other countries can one only ask him for assistance. This becomes important if a Provider refuses assistance. If you are then stuck again and again in the same place, these countries will examine whether they need to modify their laws. An example of it is breaking into a someone else's computer. That is not punished by some countries, like Japan. Japan is considering now whether to change its law in order to harmonize its law with the other G7-States. We ourselves look at differences in the laws and consider whether they hurt or support the prosecution. Then we talk about whether we can change to them.

Do you actually need legal assistance agreements, or do you also get co-operation without them?

Scott Charney: The G8 does not preclude formal agreements. We are a substantially smaller group and can therefore have more intensive dialogue. We often go off into detail and to balance all pro and cons of a certain procedure. We put that down in writing and send it to the European Union Parliament in order to make it well-known with our considerations. The European Union Parliament prepares at present a convention for cyber-criminality, which will be an obligatory agreement under the European Union member states and so-called observing countries, the USA, Canada and Japan. The Parliament tries thereby some ideas, which we discussed within the G8 in the detail to merge into the convention.

The 24-Hour-Contact-Group of the G8

Which happens, if a US citizen does something illegal under US law by using a Russian Provider and US authorities ask Russian colleagues to examine the data traffic and furnish evidence. Is it a legal problem if the Russian police without court order - which would be necessary in the USA - examine the servers?

Scott Charney: It can be a legal problem. Several questions are raised by the case. The first question is: How do we ask the Russians in such a case for assistance? In international law there has been for a long time traditional proceedings. So a US court can ask a court in another country for assistance. It is a very slow process. Therefore the countries concluded all possible agreements with one another, in order to practice a quick legal aid. We have no legal assistance agreement with Russia, but we can ask them for assistance.

In practice there is often a mixture between international and national law. If we ask the Russians to make certain data available, they must ask themselves whether Russian law permits getting the data and passing them on to the USA. So far this process was much too slow for cases of hackers, which move very quickly: Under many legal aid agreements countries have a central authority, which functions as group of contacts for all international inquiries. If we worked in former times thus together on a case of hacker, we asked our group of contacts, which asked in turn the group of contacts in the other country, which asked their police officer, who perhaps had a question pertaining to the case and asked in turn his group of contacts, which asked our group of contacts, in order to ask us. The people, which were really concerned with the case and which knew technology, were thereby at the opposite ends of a formalized process. There were cases in which the delay in the center of the process killed us.

For this reason we created the 24-Hour-Contact-Group. It functions in such a way that we can contact directly the expert of the other country. It starts then all necessary arrangements. In this way the ball remains in motion. We worry about the fact that there is an appropriate national law, so that the countries can help each other quickly. And we worry about the fact that there are international rules, so that the data can be passed on.

How successfully does the 24-Hour-Contact-Group work?

Scott Charney: It now functions substantially faster. Within 24 to 48 hours a country receives the data for which it asked.

Do you obey rules set by the 24-Hour-Contact-Group? Do you work on a legally solid basis?

Scott Charney: Yes. We have two different sets of rules: On the one hand we have the 24-Hour-Contact-Group. In the USA that functions as follows: If someone needs assistance in the USA, he contacts his contact man directly in the 24-Hour-Contact-Group. For the USA I am the contact man. I then go to the respective contact man in the other country. The individual contact persons stay constantly in contact with one another. If I myself receive an inquiry from another country, I must be sure that my national law permits me to receive the necessary data.

The 24-Hour-Contact-Group is however only a temporary model, since you expect that such cases will in the future take place more frequently. Surely in five years you will not be able to master that any longer alone.

Scott Charney: That is correct. I am supported by people in my department.

Is there a model for how that will be organized in the future?

Scott Charney: The most important for us is to expand the network. We would like for as many countries as possible to join the group of contacts since sometimes there are cases which do not come from G8-States. We co-operate already now with a number of international organizations like Interpol, the European Union Parliament, the Organization of American States. We understand that the 24-Hour-Contact-Group should not be overloaded and to expand it if necessary.

Can you introduce yourselves for example in co-operation between Germany and the USA also without a German contact man to work? Finally do you already have purely technically means to get around the legal barrier to data access.

Scott Charney: Some countries already conversed about the direct entrance - under the term "transnational search" ("transborder search"). There are thereby some problems: Even if we receive an international inquiry, we may act only according to our national laws. Can you assume that that a German law enforcement officer understands US laws completely, or in reverse? There is thus a problem with the direct trespass beyond the border, since it concerns an affair of national sovereignty here.

Beyond that there are also quite practical doubts: Humans in the different countries have different expectations: How is privacy protected, under what conditions do authorities have access to the data? If each country acts under its own law, the citizens have no more notion under whose law their data are used. That is very complicated and difficult. We hope that we can help us with the quick freezing of data within the 24-Hour-Contact-Group quickly enough, so that it gives less need to act directly. If the international mechanisms are too slow and ponderous, people will develop the impression that there is no justice. Therefore we must do everything to assure that international mechanisms function, so that we protect our sovereignty, protect our citizens and get the job done.

One must see how networks in an international field will develop. Remember that we spoke particularly about bilateral relations. However, what about, for example, a Web page over which drugs are illegally sold? That is illegal both in the USA and Germany. For now the Web page consists of a set of pictures. Each picture is stored in another country. One part is in Germany, the other one in France, again a part in North Africa, in South America, in China and North Korea. If one liked to seize this Web page one needs the agreement of six governments. Can that be accomplished? Probably not. The countries have begun to talk it, but there is no simple solution. We must talk and see about how much this becomes a real problem.

Cryptography - still a topic

Do you think encryption regulation is still a topic or is the question meanwhile settled?

Scott Charney: Within the G8 we do not work with encryption policy. We look at cryptography however from a practical point of view: When and how often do law enforcement officers discover encryption? What do they undertake if they discover encryption? From the political perspective the OECD has already developed guidelines for an encryption policy. The basic principles of the G8 is not to duplicate the work of other international committees. That is a waste of time if different groups concern themselves with the same topic.

They accepted the OECD guidelines?

Scott Charney: We accepted them. We will not duplicate work. We concern ourselves however with the everyday effect of encryption on prosecution.

Do you plan a study in addition within the G8?

Scott Charney: We thinking about how we can raise additional data. The difficulty lies in the fact that it much of it at present is anecdotal. Many different organizations are concerned - the FBI, the Secret service. In the USA we have 17,000 police jurisdictions at the national and local levels. If a local Sheriff in Alabama stops a car and finds drugs and a computer with encrypted data, he would report this discovery to nobody. There is no mandatory reporting obligation for coincidentally-found encryption. Therefore we are only able to collect anecdotal stories. If a policeman says that he has discovered encryption twice in 10 searches and another says that he has discovered encryption three times in 10 searches, then one can estimate that in twenty to thirty per cent of the cases encryption is involved. In this way one tries to find reference points. There is no scientific method which would be comparable with the counting of cancer cells.

Then how do you want to accomplish the study?

Scott Charney: We want to know how often a policeman has discovered encryption. However, one must define the terms carefully. If someone discovers, for example, a translated Arabic text - with hope that nobody understands Arabic in its location - is not cryptography. We will thus ask simple questions and will let the inquiry cover as much as possible in the prosecution municipality into the G8-States circulate.

Will you ask also in how many instances a case could not be solved due to cryptography?

Scott Charney: Exactly. There is however the difficulty that encryption can play a role also in the cases which were solved. In a case of a pedophile you find some encrypted files, for example, four are related to child pornography. They can condemn it for the four pictures and celebrate the case as success. But, perhaps, since you could not decrypt the encrypted files, do not learn something crucial. Perhaps you would have found a picture with the child and its brother, on whom they abuse the child of the brother. If you would have found this picture, you would have arrested the brother and would have taken the child from the house and conducted a better search of the home and much more besides. If you count thus only condemnations, the case is still a success. However, if you would have decrypted the files, you could have reached perhaps still more. They can only guess, everything is speculative.

So one must be careful during evaluation of the study and pay attention to it, what it really states. There are cases in which someone was under suspicion of child pornography actions. But because the data were encrypted, we had to let it go. We did not have simply enough to be able to condemn it. And here one does not know simply how many cases there are. Because in some cases we have an informant, that gave us the pictures and we can arrest the evil author on the basis ow what we have. We seize also his computer but cannot decrypt what's on it. One does not know what one does not know. In the United States the accused has the right to refuse to incriminate himself. He can also refuse to decrypt data. The encrypted data could contain all possibilities: A letter home, newspaper articles, child pornography or a plan to murder the president. We do not know what is in it. We cannot estimate it, we can only speculate.

When do you want to terminate the study?

Scott Charney: We must still finish individual parts of the study, then we must distribute and pass it on to the national delegations. Finally we must receive their responses and again assess all of it. That could take a year perhaps, more or less. We began just recently.

The question of encryption regulation comes to the table again only if the study is terminated?

Scott Charney: Correctly, we will again decide due to the results of the study.

Standardization of new technologies for prosecution purposes

You are also developing new technologies to support you in your efforts. Can you give examples?

Scott Charney: Information technologies are usually based on standards, those from international mechanisms like the IETF, the W3C, the ITU, to which ISO are specified. The governments cooperate there. But mostly only technical-oriented people go to the sessions, not people from the prosecution. We noticed that into economy, which is steered by the market, which have to do technical standards a quantity with public security. As an example of this, IP spoofing has been documented for a long time. With this spoofing someone can send a message in the name of another person. The reason for it is that the return address is not bound in a IP packet to the packet itself. Because there is no check on integrity, the header information can be easily changed. Nobody would notice it. Version 6 of Internet minutes binds the source address better to the IP package, but it is not used for cost reasons. The market does not support it.

Possible technical standards are to be set which will support public security. Countries must pay attention to send to the standardization committees not only their commerce experts and technicians but also the technicians from the prosecution. If the prosecution in 21st Century in the environment of a global market is to be effective, we need to plug in to market models, which affect our success. Look at both sides of a situation: If you see the way a fraud is committed in minutes, you can improve your quickness to prevent such fraud. Then more people will use the net, since it is safer, and business is thereby better.

Did you also affect standards to facilitate surveillance of telecommunications?

Scott Charney: We have a statute, which is partly from the CALEA in the USA, which is the "Communications Assistance for Law Enforcement Act". In it requirements for telecommunications operators are described, and how to fulfill them, so that we can exercise further electronic monitoring. The law does not specify how the standards are to look, but it says what results we have to get. The firms will then develop the technical standards according to our requirements. In this regard I can answer your question with "yes."

Didn't it cite a 1997 ITU discussion which concerned specifications for technical surveillance standards?

Scott Charney: I saw only one International Telecommunication Union document, which said in principle that we must carry over these requirements also into the digital age. I am not involved into this process, that is an FBI thing.

Surveillance capabilities of Internet Service Providers

Is there a discussion in the USA also about whether Internet Service Providers must correspond to surveillance requirements?

Scott Charney: No, we left out Internet Service Providers deliberately from the legislation. This is a young industry in which there are many small players. They could not absorb the costs. If one puts an excessive burden on them that would drive them from the business and leave only the large players. But we spoke with the Providers about market models and the direction in which the whole is moving in order to find out how technical infrastructures can support prosecution. In some cases this does not apply, in others it does.

What do you see for the moment are the largest problems in co-operation with the Internet Service Providers?

Scott Charney: It is less a question whether they want to cooperate with us, but whether it is technically possible: Are the data available and as can they be evaluated? For example the Provider offers an access number, 555-2000, for Internet service. Over this number some thousand users use to assign address automatically to an IP packet. We had a case where someone himself assigned this number and did something bad. We wanted to know now over which voice grade channel this person had selected for itself, but there was no possibility for finding out. some months later there was the same problem. This time, though, IP had a tool in place to find it out. The Provider had had to do this because of several fraud cases and had not been able to identify the cheats. Another problem: We want to know, who assigned its own address three hours ago ago and a used certain IP address. However, the Provider does not store such data. If the user was still on-line, the Provider could have identified him. Thus, in one case there was not the technology, in other case the data was no longer existed.

Do you try to improve co-operation with the Providers, in which you make, for example, tools available to them?

Scott Charney: We developed tools, which we provide to the Providers in some cases at their disposal. In other cases we mediate between the Providers, so that they help each other out mutually. But the hangup is that not all of them know how to use the tools. There are also large development costs for proprietary tools the singular characteristics they possess. The developers of these tools not want to them passed to other firms for competition reasons.

Do you try to develop a kind of super tool?

Scott Charney: The technology does not permit such a thing. Each system looks differently - different platforms, different machines, different configurations. We try it nevertheless for each individual case. If I want to make a monitoring measure, for example, and someone will use different procedures, we can build a computer with different slots. Then, after those procedures are used, we change the layout.

Copyright © 1996-99 World Rights Reserved.
All rights reserved by the publisher Heinz Heise, Hanover
Last modified: 11.06.99