Information Technology Security Handbook, sponsored by the infoDev project of the World Bank (Dec. 2003) – a major resource, covering security for individuals and for organizations, government policy and IT security for technical administrators.
Security is an important component of the policy framework for the Internet. Developing and transitional countries should examine their laws to ensure that they cover cybercrime and provide law enforcement agencies the investigative tools they need, consistent with privacy protection. But the criminal law is only a small part of the cybersecurity framework. Governments and private sector systems need to cooperate in improving the security of those systems by applying sound security practices, improving sharing of information, and raising awareness.
Several international initiatives on cyber-crime raise concerns for Internet freedom. Most notably, the Council of Europe (COE) fails to specify adequate procedures protecting the privacy of communications. Here is a collection of various materials on cybercrime, focusing on the COE treaty.
The Legal Framework for Creating Trust in Cyberspace: Security and Privacy [PowerPoint] – presentation by Jim Dempsey, Skopje, March 2006.
Protecting Privacy and Freedom of Communication in the Fight against Cybercrime [PowerPoint] – Jim Dempsey’s presentation on cybersecurity and privacy at the Sofia Conference, September 8, 2003.
Council of Europe Treaty
In 2001, the Council of Europe completed drafting a Convention on Cybercrime. As of September 15, 2005, the treaty had been ratified by only 11 countries, mostly in Eastern Europe. The number of ratifications was sufficient for the convention to enter into force on January 7, 2004. As of September 15, 2005, the convention had not been ratified by most Western European countries, nor had it been ratified by the United States, which played a major role in its drafting and had been invited to ratify it.
As a model, the convention has some positive and some negative elements. The convention is very broad, reaching far beyond computer crime as such. And having taken on the issue of government access to computer data (for all crimes), the treaty fails to address half of the issue (the privacy and human rights half). Accordingly, developing countries must be very cautious in approaching the COE convention as a model.
The COE convention is really three conventions in one, covering three different sets of issues, and developing nations looking to it as a model need not take on all three sets of issues at the same time.
Trust And Security In Cyberspace: The Legal And Policy Framework for Addressing Cybercrime [pdf] September 2005
Memo focusing on cybercrime and the legal standards for government surveillance, including GIPI’s commentary and recommendations regarding the COE convention.
- European Union: The European Commission has issued a series of cybersecurity recommendations, in the Communication “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime,” available online at the EU Cybercrime Forum. Also available at that site, which is not being updated, is the EU recommendation on network security, 2002. Other EU resources are at: http://www.eu.int/scadplus/leg/en/s21012.htm#SECURITY and http://www.eu.int/information_society/policy/cybercrime/index_en.htm. Resources on the EU debate on data retention are available at http://www.edri.org/issues/privacy/dataretention and http://www.epic.org/privacy/intl/data_retention.html.
- OECD: The OECD Guidelines for the Security of Information Systems and Networks (May 2004) – an important benchmark for industry and other stakeholders to protect critical information infrastructures. See also the accompanying implementation guide. See also OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (October 2004).
- World Bank: Information Technology Security Handbook (December 2003) – sponsored by the infoDev project of the World Bank – a major resource, covering security for individuals and for organizations, government policy and IT security for technical administrators. Includes a chapter on government policy.
- US Justice Department: The U.S. Department of Justice has published Federal Guidelines for Searching and Seizing Computers to provide guidance to police agencies in the U.S. but the document may also be useful to policymakers in developing and transitional societies. The DOJ website has many other materials, at http://www.cybercrime.gov
- American Bar Association: The ABA has compiled the International Guide to Combating Cyber Crime, the International Guide to Cyber Security, and the International Guide to Privacy, which are available online.