Question

Computer Security:

Give three reasons why computer crime is so hard to prosecute and provide an explanation of each of them. Give at least one example of the difference in cyber law between the United States and Europe. Also give one example of how this has already created a problem for the United States (or how it could lead to problems in the future).

Answer 1

1)

Jurisdiction, jurisdiction, jurisdiction

This is the No. 1 barrier to prosecuting cyber crime. Most of the time, the person committing the crime is located outside of the country (or at least outside the legal jurisdiction of the court and prosecutors seeking the conviction). It’s hard enough to successfully prosecute a cyber criminal if they originate in the same jurisdiction as the victim, but close to impossible when both reside in different locations.

Many times we successfully collect good legal evidence and even verify the identity and location of the cyber criminal, but we have no legal ability to arrest the person. We have established cross-boundary, reciprocal legal rules with many cyber allies, but many more countries don’t and won’t participate. China and Russia will never honor our warrants of arrest any more than we would honor theirs.

We're still learning how to prosecute

Our legal system, refined over centuries, was forged in the physical world for physical crimes. Internet crime is not even three decades old.

Localities, cities, and states have had a hard time figuring out what is or isn’t illegal in the computer world for a particular location, especially if that crime involves computers or people outside of their jurisdiction. For example, if pron is illegal in a particular locality but is accessed on a computer that is located outside that locality, is it illegal? Is it prosecutable? Some local court systems say yes, but many more say no. For that reason, most smaller entities leave it up to the federal legal system to define and prosecute computer crime.

Most cyber crimes are not reported

The vast majority of internet crimes are never reported. I can understand why. Most people have no idea of where and how to report internet crime, and if they do, rarely does anything come of it.

To be honest, you could lose a ton of money -- say, $50,000 -- and most entities would have to spend many times that amount to try and recover it for you, if recovery was even possible. So when you call saying you lost $500 to a ransomware attack, perpetrated by a criminal that law enforcement probably can’t identify or touch, you’re probably not going to see resources assigned to the case beyond someone filing away your report.

Because most internet crimes are not reported, accurate statistics and evidence are hard to come by -- even though they're needed to help in a successful prosecution.

2)

The EU Data Protection Directive has seven guiding principles:

1. Notice: subjects whose data is being collected should be given notice of such collection;
2. Purpose: data collected should be used only for stated purpose(s) and for no other purposes;
3. Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s);
4. Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss;
5. Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data;
6. Access: subjects should granted access to their personal data and allowed to correct any inaccuracies;
7. Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

To contrast, while the EU Data Directive has seven guiding principles, the FTC, for example, has issued three recommendations:

1. Privacy by Design – companies should include reasonable security for data, limit the collection and retention of data and use reasonable procedures to promote data accuracy.
2. Simplified Choice for Businesses and Consumers – companies should give consumers the option to decide what information is shared and with whom it is shared. This should include a do not track mechanism.
3. Greater Transparency – companies should disclose details about their collection and use of the data and allow consumers to access the data collected about them.

The three FTC recommendations include many of the seven principles of the EU Data Directive. Typically, the United States policy relies heavily on the private sector to voluntarily set up various data safety protocols reasoning that it is in policyholders’ own self-interest to do so.

The EU takes a more government-centric approach to data security. The 2012 revisions to the EU Data Directive seek to create a national data protection authority in each EU nation. The 2012 revisions want to strengthen the power of the national data protection authority to better enforce the EU data rules. The 2012 revisions propose penalties for breaches of up to 1 million Euros or up to two-percent of the global annual turnover of the offending company.

As data breaches continue to increase in frequency, U.S. regulators and policy makers are under pressure to establish more stringent enforcement system closer to the system in place in the EU. For example, this blog will address the N.I.S.T. Framework for data security in a future post.

Additionally, the EU continues to object to U.S. companies that do business in the EU that fail to uphold the EU data protection requirements. Under the EU Data Directive, the data of its citizens is not to leave the EU. However, U.S. companies have been permitted to store data of EU citizens on U.S. servers so long as those companies follow EU data protection laws. In fact, on August 14, 2014, the Center for Digital Democracy filed a complaint with FTC alleging that thirty U.S. Companies are in violation of the Safe-Harbor agreement and not complying with EU data protection laws.

NOTE: As per Chegg policy, I am allowed to answer only 2 questions (including sub-parts) on a single post. Kindly post the remaining questions separately and I will try to answer them. Sorry for the inconvenience caused.