[kictanet] Day 6 of 10: IG Discussions, Legal Issues

Brian Munyao Longwe brian at caret.net
Mon Aug 18 10:54:15 EAT 2008 

my experience is that our learned friends tend to "reserve comment"  
so that they are not "quoted out of context" or held personally  
liable for their remarks. Short of giving a legal opinion which would  
withstand the scrutiny of the entire LSK it is often very difficult  
to extract "feelings" out of this species without external (and  
sometimes internal influences).

I also heard one learned friend saying that of late it has been so  
cold he has actually been putting his hands in his own pockets ;-)

Anyway 'nuff said - but I would really love to hear even a simplified  
view of some of the issues that have been raised in this look at  
legal frameworks as pertain to internet, internet related  
technologies and more especially offenses that have had something to  
do with the internet.

Note this example of a cross-border engagement:

1. Dutch Police and F.B.I. Rein in Large Botnet
By JEREMY KIRK, IDG News Service
New York Times
August 14, 2008

The botnet created by a teenager who was arrested by Dutch police in  
a sting operation is most notable for its total reliance on social  
engineering to spread, computer security experts said Thursday.

The 19-year-old Dutch man was caught July 29 with his 16-year-old  
brother trying to sell a botnet to a 35-year-old Brazilian man,  
according to Dutch prosecutors. All were arrested by the Dutch High- 
Tech Crime Unit, with assistance from the U.S. Federal Bureau of  
Investigation.

As is customary in the Netherlands, Dutch police have not released  
the names of those arrested. Few other details, such as how  
authorities became cued into the case, have been released. U.S.  
authorities are seeking the extradition of the Brazilian man.

But experts from Russian security vendor Kaspersky Lab were called on  
by Dutch police to write up instructions for how to remove the botnet  
code from infected PCs, as well as aid in the continuing  
investigation, said Eddy Willems, one of Kaspersky's security  
evangelists.

A botnet is a group of PCs that is infected with malicious code and  
controlled by a hacker. This particular botnet, which at one time had  
as many as 150,000 machines worldwide, is called "Shadow," the name  
bestowed on it by its creator.

The code that enabled Shadow to work was distributed on Microsoft's  
Windows Live Messenger instant messaging network. Victims would  
typically get a message from someone who appeared to be one of their  
contacts. The message would contain a link to another Web site, where  
the victim was asked to download a file.

If the file was executed on a PC, Shadow would collect other instant  
messaging contacts and send out more messages trying to enlarge the  
botnet. It appeared that Shadow was particularly successful in the  
Netherlands, since some messages were sent out in Dutch.

The distribution method relied entirely on victims willingly  
downloading the code rather than trying to exploit a software  
vulnerability, which could result in an infection regardless of what  
the user does.

It means that Internet surfers are just as susceptible to fall victim  
to scammy tricks. "Social engineering seems just as effective as it  
was 10 years ago," said Roel Schouwenberg, senior antivirus researcher.

Shadow could also download other malicious code and may have been  
used to download advertising software and spyware programs,  
Schouwenberg said. The teenager who created Shadow appears to use  
bits of malware code already circulating on the Internet, as well  
writing his own code.

The result was a fairly run-of-the-mill botnet, but one that could be  
considered large, Willems said. When the bust occurred, the 19-year- 
old was attempting to sell the botnet for €25,000 (US$37,290), a  
price Willems said is way too high in proportion to how botnets are  
currently priced.

People who control a group of computers, called botnet herders, have  
been known to rent time to other scammers, who use the computers to  
send spam or conduct other malicious activity. The use of remote  
computers helps disguise who is actually using those machines to  
carry out crime.

Dutch prosecutors could not immediately be reached for comment.


On Aug 18, 2008, at 9:00 AM, John Walubengo wrote:

> Hi all,
>
> Hpe u had a good weekend.  Today is day 6 of 10, but the theme is  
> still on legal issues.
>
> I still cant believe the learned friends have not spoken and left  
> everything to Alex and Mike.  If any of you runs into Evelyn R.,  
> Kihanya J., Omo J. or Clara R. just to mention a few, ask them if  
> they can give us a shout without us having to 'open a file'
>
> We have only today for this since tomorrow we move into the  
> Economic Issues to be facilitated by a renowned IG expert to be  
> unveiled in due course.
>
> walu.
>
> --- On Sat, 8/16/08, Alex Gakuru <alex.gakuru at yahoo.com> wrote:
>
>> From: Alex Gakuru <alex.gakuru at yahoo.com>
>> Subject: Re: [kictanet] Day 5 of 10: IG Discussions, Legal Issues
>> To: jwalu at yahoo.com
>> Cc: "KICTAnet ICT Policy Discussions" <kictanet at lists.kictanet.or.ke>
>> Date: Saturday, August 16, 2008, 11:17 AM
>> G8 links!
>>
>> The introduction to this topic was on the presumption that
>> consumers were the criminals proceeding to outline law
>> enforcement challenges. The most convenient and common form
>> of misrepresenting cyber crimes and law -- first take away
>> all their rights then they struggle to regain one after the
>> other... It is good that Mike presents both sides of the
>> story.
>> Telecommunication companies hold massive data on all
>> individuals and they ensure that their on their "Terms
>> of Use" and contracts users are "guilty until
>> proven innocent" and the companies are at liberty to do
>> whatever they please with our personal data.
>>
>> Consider below extract from a local telecommunication
>> company's Terms of Use: -
>> ------------
>> 5. Use of your information
>>
>> (The Company) may hold and use information provided by you
>> for a number of purposes, which may include:
>>
>> (a) Carrying out any activity in connection with a legal,
>> governmental or regulatory requirement on (The Company) in
>> connection with legal proceedings or in respect of crime or
>> fraud prevention, detection or prosecution.
>>
>> (b) Monitoring or recording of your communications for (The
>> Company)’s business purposes such as marketing, quality
>> control and training, prevention of unauthorised use of
>> (The Company)’s telecommunications system and ensuring
>> effective systems operation in order to prevent or detect
>> crime.
>>
>> ---------
>>
>> "May include" does not mean "limited
>> to" - implying that they are allowed, for example, to
>> share, sell, etc private data to their partners... Exactly
>> what Mike points out to on the Business Week link.
>>
>> Framed in ways suggestive of company "law
>> enforcer" (illegal roles) onto "guilty"
>> users. Notice how "Intellectual Property" is
>> conveniently repeated. Or is it be assumed that consumers do
>> not have any "intellectual property" they would
>> wish protected? the companies should abide to also protect.
>> BTW, There is an IGF Dynamic Coalition movement calling for
>> a balance between Intellectual Property and development
>> which includes Access to Knwoledge
>> (A2K).<http://www.ipjustice.org>. Very resourceful!
>>
>>
>> Supposing earlier proposed M-Medicine went ahead in East
>> Africa? Sold ailments data to pharmaceutical companies, that
>> would hike medicines prices in outbreak zones at selected
>> locations... You go to a bank with a water-tight business
>> proposals and all bank turn you down. Reason? They have
>> shared your medical history and they think you will soon
>> "sleep in the shamba" your excellent business
>> proposals notwithstanding.
>>
>> In summary, unless Data Protection and Privacy Laws are
>> enacted, the default should be to deny all telecommunication
>> companies legal loophole to trade with personal information.
>> And it should be seen to be enforced.
>>
>> On a lighter note, should I sue a WiFi company for
>> trespassing when their signals enter my laptop, or should
>> they sue me for illegally access of their signal? Over to
>> Ben Shihanya.
>>
>> Thanks again Mike!
>>
>>
>> --- On Fri, 8/15/08, Mike Theuri
>> <mike.theuri at gmail.com> wrote:
>>
>>> From: Mike Theuri <mike.theuri at gmail.com>
>>> Subject: Re: [kictanet] Day 5 of 10: IG Discussions,
>> Legal Issues
>>> To: alex.gakuru at yahoo.com
>>> Cc: "KICTAnet ICT Policy Discussions"
>> <kictanet at lists.kictanet.or.ke>
>>> Date: Friday, August 15, 2008, 2:11 PM
>>> Not a legal opinion: It would be very difficult to
>> apply
>>> existing common law
>>> (analogous to jurisprudence) to electronic crimes
>> committed
>>> in a new era,
>>> atleast within the local context.
>>>
>>> For these reasons it is necessary to define the crimes
>>> under distinct and
>>> separate legislation. Due to the borderless nature of
>> the
>>> Internet (see
>>> shared link), it is necessary for such legislation to
>> take
>>> a broad
>>> approach into account.
>>>
>>> For instance there ought to be provisions that allow
>> local
>>> authorities to
>>> seek the arrest and extradition of foreign based
>> suspects
>>> from other
>>> jurisdictions for electronic crimes committed against
>>> citizens or local
>>> infrastructure owned by individuals or entities even
>> though
>>> the suspects at
>>> the time of commission of the crime were present in
>> other
>>> jurisdictions.
>>>
>>> The same provision can allow private parties to pursue
>>> civil remedies in a
>>> similar matter and give them the basis where possible
>> to
>>> enforce the
>>> judgement in the defendant's jurisdiction.
>>>
>>> This for example would close the possible
>> jurisdictional
>>> loophole
>>> of individuals crossing borders so as to commit
>> electronic
>>> crimes from a
>>> country that lacks electronic crime laws. Current law
>> is
>>> ill equipped in
>>> ensuring civil remedies, prosecution or arrest of
>> local or
>>> international
>>> cyber criminals, 419ers, lurers of minors, harassers,
>>> electronically
>>> transmitted or created threats (threats to a person,
>>> threats to
>>> infrastructure by way of viruses, malaware, DoS etc)
>> etc
>>> neither is it
>>> likely to be in a position to ensure serious
>> consequences
>>> or deterents for
>>> the same or allow for the definition of crimes as
>>> distinguished here for an
>>> international gang of culprits:
>>>
>> http://www.secretservice.gov/press/ 
>> GPA15-08_CyberIndictments_Final.pdf
>>>
>>> It was recently reported that a bill or regulations to
>>> protect the data of
>>> consumers would be brought about as a means of
>> regulating
>>> the CRBs. This
>>> could be model legislation/regulations to adopt to
>> ensure
>>> that the public
>>> has a say in the manner in which their private
>> information
>>> is used.
>>>
>>> At the same time consumers ought to be able to
>> instruct
>>> companies with whom
>>> they have business relationships with not to share
>> that
>>> same information
>>> with 3rd parties without their prior consent (ie
>>> opt-in/out). This is only
>>> effective if there are laws or regulations to provide
>> for
>>> consequences when
>>> businesses violate the same.
>>>
>>> As CRBs take root, there will be a likelihood that
>> similar
>>> bureaus or
>>> entities will eventually start sharing information in
>> real
>>> time, for example
>>> an underwriter of an insurance policy might want to
>> check
>>> an individual's
>>> claim history across the industry to determine the
>> level of
>>> risk the insured
>>> poses in determining policy premiums. Similarly an
>>> organization may want to
>>> conduct background checks for prospective employees in
>>> privately maintained
>>> electronic databases.
>>>
>>> It is important that instead of regulations or laws
>> being
>>> formed for sectors
>>> of the economy, that national data privacy laws and
>>> regulations be defined
>>> (or ammended) and on that basis refinement of specific
>>> regulations/laws
>>> could be made for sectors that require specific data
>>> requirements. Such
>>> regulatory foresight can reduce or avert the occurence
>> of
>>> issues such as
>>> those seen here:
>>>
>> http://www.businessweek.com/magazine/content/08_31/ 
>> b4094000643943.htm?campaign_id=rss_null
>>>
>>>
>>> On Fri, Aug 15, 2008 at 12:21 AM, John Walubengo
>>> <jwalu at yahoo.com> wrote:
>>>
>>>> Mornings,
>>>>
>>>> Today and next Monday, we intend to thrash out
>> the
>>> legal dimensions of
>>>> Internet Governance. The typical issues revolve
>>> around:
>>>> -Jurisdiction & Arbitration (who resolves
>>> e-disputes)
>>>> -Copyright & IPR (are they pro or
>>> anti-development?)
>>>> -Privacy and Data Protection (how is the
>> e-Citizens
>>> data abused/protected?)
>>>>
>>>> I do hope the 'learned' friends will chip
>> in
>>> since I cannot pretend to be
>>>> an expert here as I introduce the general legal
>>> principals.  Basically,
>>>> dispute resolutions can be done through,
>>>> ·       Legislation;
>>>> ·       Social norms (customs);
>>>> ·       Self-regulation;
>>>> ·       Regulation through code (software
>> solution);
>>>> ·       Jurisprudence (court decisions);
>>>> ·       International law.
>>>>
>>>> There is however two broad conflicting schools of
>>> thought when it comes to
>>>> resolving disputes occasioned by the Internet.
>> One
>>> group claims that
>>>> whatever happens online does have an equivalent
>>> 'off-line' characteristics
>>>> and as such existing laws can easily be applied.
>> E.g
>>> stealing money
>>>> electronically is no different from stealing
>> money
>>> physically and so Robbery
>>>> charges and subsequent jurisdictional procedures
>> could
>>> apply.  However, the
>>>> second group feels that electronic crimes have a
>>> totally different context
>>>> and must have a separate and totally new set of
>>> legislation or methodologies
>>>> for resolutions.
>>>>
>>>> The borderless nature of the Internet brings to
>> fore
>>> the Challenges of
>>>> Jurisdiction and Arbitration as in
>> yesterday's
>>> example, where content in one
>>>> country may be illegal but is legal in another.
>>> Copyright and Intellectual
>>>> Property Rights issues are also explosive as
>>> demonstrated by the Napster
>>>> Case, where some young software engineers created
>>> software that facilitated
>>>> sharing of (SONY) Music files across the
>> Internet.
>>> Also related was the case
>>>> of Amazon.com trying to Patent the
>>> 'single-click' method of buying goods
>>>> online.
>>>>
>>>> Other cases touch on Data Privacy where Business
>>> Companies have been known
>>>> to sell customer records to Marketing firms
>> without
>>> express authority from
>>>> the Customers. Other times customer data is
>> simply
>>> hacked into and
>>>> Businesses are unable to own up (going public) to
>> the
>>> detriment of the
>>>> Customer.
>>>>
>>>> Most of these issues are under discussion
>>> internationally at the Internet
>>>> Governance Forum (IGF), World Intellectual
>> Property
>>> Organization (WIPO)
>>>> amongst other fora. They present emerging legal
>>> challenges and it would be
>>>> interesting to know if stakeholders in the East
>>> African region are/should be
>>>> involved in shaping the outcomes of any of these
>>> issues.
>>>>
>>>> 2days on this one, today and next Monday and feel
>> free
>>> to belatedly respond
>>>> to Day 1 through Day 5 issues.
>>>>
>>>> References:
>>>> http://www.diplomacy.edu/ISL/IG/
>>>> http://en.wikipedia.org/wiki/Napster
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> kictanet mailing list
>>>> kictanet at lists.kictanet.or.ke
>>>>
>> http://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>>
>>>> This message was sent to: mike.theuri at gmail.com
>>>> Unsubscribe or change your options at
>>>>
>>>
>> http://lists.kictanet.or.ke/mailman/options/kictanet/mike.theuri% 
>> 40gmail.com
>>>>
>>> _______________________________________________
>>> kictanet mailing list
>>> kictanet at lists.kictanet.or.ke
>>> http://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>>
>>> This message was sent to: alex.gakuru at yahoo.com
>>> Unsubscribe or change your options at
>>>
>> http://lists.kictanet.or.ke/mailman/options/kictanet/alex.gakuru% 
>> 40yahoo.com
>>
>>
>>
>>
>> _______________________________________________
>> kictanet mailing list
>> kictanet at lists.kictanet.or.ke
>> http://lists.kictanet.or.ke/mailman/listinfo/kictanet
>>
>> This message was sent to: jwalu at yahoo.com
>> Unsubscribe or change your options at
>> http://lists.kictanet.or.ke/mailman/options/kictanet/jwalu% 
>> 40yahoo.com
>
>
>
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> http://lists.kictanet.or.ke/mailman/listinfo/kictanet
>
> This message was sent to: brian at caret.net
> Unsubscribe or change your options at http://lists.kictanet.or.ke/ 
> mailman/options/kictanet/brian%40caret.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20080818/26502ede/attachment.htm>

More information about the KICTANet mailing list