Cybercrime Treaty: Advanatages for Developing Countries

23 October 2013 - A Workshop on Security in Bali, Indonesia

Also available in:
Full Session Transcript

The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


 

  

   >> ZAHID JAMIL: I'll take about ten minutes, not longer, to set the scene and give you an idea of what we're trying to do at today's workshop, and move on from there to the panels, panelists, and, you know, we would like to get a lot more attraction from the ordinance and answer questions and hopefully answer questions or queries you might have.  Let me see if we can get this up on the screen.  Here we go.  Okay.  So the idea basically of today is to discuss whether a treaty on cybercrime is helpful in general and secondly if it has advantages for developing countries, what it brings to them, what it can resolve, what kind of issues can it address.  And so those problems, I speak to law enforcement all the times, even users who have been affected by crimes, somebody has been a victim of a financial crime, somebody may have other sort of problems, social network issues that they've faced and eventually when they end up going in the developing countries to the law enforcement, the response is usually either slow or we're not sure how we're going to handle this or there is no legislation, and so the most important thing we generally see is that sometimes the response is I'm sorry, the law does not absolutely cover this aspect here.  So the process which becomes effectively slow, inefficient and is unable to satisfy the demand of users in developing countries as to being protected under cybercrime legislation.  Also, the law enforcement is unable to do many things that many developed countries might be able to do is to have the relevant procedures and powers the law provides them.  Examples is -- this is not a holistic list but there are examples like having a preservation request.  It's a new concept, freezing basically data.  It doesn't necessarily exist in most developing countries, and so that's the first thing a law enforcement official will want to do if he receives a complaint from a user, a victim, saying, could you, the ISP or a service provider immediately freeze data.  Production orders, could you release some of this data so we can then use it in our investigation.  Being able to do search and seizure, electronically, not just walking in and picking up laptops and servers and things like that but doing technical search and seizures, and disclosure of traffic data, realtime collection.  These are things they don't have necessarily in the legislations.

   Practically, the other day, which is related to law, is the issue of how do I trace down who did this.  How do I find out whose IP this is?  Those kind of skills, how do we get behind proxies, for instance, to figure out if this is, you know, a child pornography case or a fishing fraud, who's actually doing this.  Is this being hosted on a server that is being run by a legitimate company but it's actually been taken over by some criminals, and the company or the bank doesn't even know about it, so how do we trace these folks.?  How do we collect intelligence about this sort of crime for criminal purposes, how do we collect this information?  And I think that's really, really important.  The only way you can do that is if you have a live realtime network, what is known as a 24/7 network.  Usually the 24/7 network, which means 24 hours, 7 days a week, 365 days a year, it is up, and it's a network of individuals who will pick up the phone and respond, and usually it's in a global situation, but, you know, it might also be relatable to a national situation, for instance, if you need assistance from cybercrime cells or investigators on the ground in the countries.  As I said, the skills -- not just the law but the skills to do search seizure, evidence and forensic capability to be able to get behind and collect the evidence and look at the evidence and prove by actually getting the evidence that, in fact, there is a crime that has been committed tends to be a challenge at times.

   The other thing which we find, and I found whenever I've gone and spoken to any sort of regional law enforcement is saying, well, you know, cybercrime's biggest problem is it's offshore.  It's cross-border, transborder, it's outside my country.  The moment I hit a Yahoo or a Gmail or a Hotmail account, that's where my, you know, investigation pretty much ends.  What do I do next?  Because I can't -- I can send a request out to service providers abroad, but I guess I should go through the Mutual Legal Assistance treaty, if I have one.  Most -- a lot of developing countries don't necessarily have Mutual Legal Assistance treaties with the countries they need to necessarily get the data from, which could be the U.S., it could be European UN, could be Japan, could be places where -- places where most of the data is actually stored.  And the responses they sometimes get is my law is different from the law that exists in, say, the U.S. or in the European UN.  My procedures -- union.  My procedures are different.  This is not how I do the processing or procedures.  Even if they get a request coming from a country outside of their own and asking for assistance, they will say, well, that's not how we do things in my country.  So there's a lack of harmonization of procedures as well.  And obviously the biggest issue is that the data obviously is held in the west, so, you know, how do I get to that data and that evidence?

   The other issue is when you do start asking, some developing countries, and I know in my country we have this issue, for instance, and in others within our region, sometimes, when we request data or request information or assistance from service providers, the first response would be, I don't know if you're from a country which has enough safeguards or Human Rights protections and civil liberties, so I'm not sure if I should cooperate.  I need to see my assessment.  And that's a fair point because that service provider is risking they could be sued for Human Rights violations where they are.  So sometimes you don't necessarily get that cooperation and you may or may not be part of their trusted network that will cooperate and give you that assistance.

   Imagine the kind of things, and I'll sort of give you an idea -- if you're an investigator and you want to be able to capture an image of a Web site, so it's accessed and open network outside your country, so if you were to go to a Web site, a CNN.com, and there was some information there, and as a law enforcement or investigator you're trying to capture that information, the first question is, well, that information is not on a server in your country, say, in India or Sri Lanka or anywhere else.  That information lies in the U.S.  That information, on your screen, is that the right way to capture that information?  That's somebody cybercrime investigator will bring up.  If you come across an individual who is cranial and who is using a Yahoo mail account, that mail account happens to be hosted in a country outside yours, maybe it's a Yahoo.co.K and that's a Yahoo server because of the domain name.  The CCT would be the jurisdiction of the U.K.  Now, if that person is actually in your own country, in your developing country and you were able to ask him to open up that email and show you that data and share that data while he's in your developing country, but he's accessing this data off from a U.K. server, the question is whether that data that is coming across is something that you can take to court and does your law authorize that or was that actually transporter access which was not authorized.  So this is something that would need to be addressed and would need to be taken care of in national legislation and otherwise as well.  Then there's the other aspect.  If you were to try and contact an ISP, for instance, or a provider in your developing country abroad to say, again, U.K., U.S. or Japan or elsewhere, if they shared the data with you voluntarily, if they decided to do so, is that legal?  What law would cover it?  Would it be covered under a treaty?  The reason I bring this up is maybe you can get the information but at the end of the day you want to prosecute the criminal and the defense attorney or the criminal will bring up these issues in court saying, I'm sorry, this evidence has to be excluded from the trial because the evidence wasn't properly obtained through a legal channel.  So that could be an issue as well.

   So what do we need in international cooperation?  We need a binding -- that's the biggest problem law enforcement has.  When I can for a request, sometimes I don't get the response.  So I need a binding mechanism by which I can actually get an effective, efficient, maybe not realtime but, you know, some assistance through a 24/7 network.

   Now, who -- what's the group that you would get this response and what kind of an international treaty, what are the members of this treaty?  Well, you could have a bilateral international treaty.  I come from Pakistan, so people there said maybe there should be a treaty between India and Pakistan on criminal matters and other things, which I think is a great idea.  The trouble is, when the server is in a third country, that bilateral treaty between just the two countries is totally and utterly useless.  So does it mean that we should have a regional arrangement?  Is it sufficient for 10 or 12 countries to be part of a treaty?  Again, the location could be in a third country and you couldn't get to it.  The greater the outreach, if it's multilateral and the more countries that are covered the more useful it would be so it would be an international treaty that would cover it and that would be the answer we're looking for.  And that was the purpose of basically starting this debate and we'll go to the panel in a few seconds.  But what should a treaty like that have?  I guess it should try addressing all the problems that we just looked at in slide 2 and 3.  Number one, it should try and harmonize the legislation across those members.  It should not be technologically specific, because remember, I mean, if you talk about social networks, and you talk about Facebook, you go back about five years and people would never have thought that you needed to have an offense related to social networks.  So defining crimes on the basis of technology does not work in the long run, and you cannot negotiate treaties every three or four years.  It has to be something that has to be defined at a technologically neutral manner.  Otherwise it becomes archaic.  Also you'll have difficulty getting consensus on everything.  I come from, say, Pakistan.  I have a -- you know, we have religious views.  Can I get other countries that have the same views to agree to a treaty?  Probably not.  It will be very difficult.  So you need a treaty that actually has consensus, that people agree on it, which means that not everything necessarily will be part of it but some of it might be.  Baseline an inclusive treaty that basically can give you a baseline -- may not cover everything but covers sufficiently the really difficult things we're trying to deal with in cybercrime.

   The other thing it would have to do also is help in harmonizing procedure, so that when one law enforcement calls another law enforcement, what ends up happening is that they understand what powers and procedures they have to use, so that the cooperation is more effective and is quicker.  And when it's not just your procedures on the ground that are the same, but guess what, we need to harmonize how you communicate with each other, which is also important.  So that you do it in a cooperative and efficient fashion.

   Again, it's also important that this treaty should not be something that says, well, if you're a member of this treaty, you cannot be a member of any other treaty.  That's not going to work either.  So it needs to be an open platform treaty, something that's complementary, that is not exclusive to anything else, and is therefore inclusive.  So, you know, who would you want to have as members of this treaty?  Would it be for Pakistan sufficient that India, Sri Lanka and Bangladesh were members?  No, because most of my data -- it could be that some of the data could be in India, some in Sri Lanka but most of my requests will be to the U.S., will be to the European UN, to the U.K., will be to those kind of countries where the data is held.  It should enable cross-border access to open and close so it should be a treaty that says it's okay for my law enforcement to access which is openly accessible over the Internet or if somebody can disclose that across the border or a CCL is able to give me that information, which is happening every day.  So when the law enforcement calls up a provider and says there's a phishing or fraud case happening would you give me information?  I need data.  They are without this trying to cooperate.  But you can't take that to court because it's not legal, it's not evidence.  You need a legal mechanism that recognizes the right that you would as a law enforcement to get that data, which you're doing it on a daily basis anyway but you need a legal cover for it.

   So is there a treaty for developing countries that they can join?  Well, this is an interesting debate.  We don't have a treaty -- for -- related to cybercrime and all the things we discussed, the list in a sense of criteria, and the only treaty one can point to that exists currently is the convention on cybercrime.  It was drafted in 2001.  It's called a Budapest because it was signed in Budapest.  It's in force.  It exists.  It's being used.  It has 51 signatures ratifications currently 51 states, those states basically include the United States of America, European union, Canada is a signatory, South Africa is a signatory, U.K. ratified a couple years ago, ratification in Australia last year or this year.  And so it is not regional.  So it's not just restricted to Europe.  It's not just restricted to Asia.  It's not just restricted to Latin America or North America.  It is including various regions, and I think most important is who are the members?  The members are those who actually have most of the data.  That's where the platforms are.  That's where the servers are.  That's where the evidence is.  That's where you want the cooperation from.  And therefore that has a use.

   And the last slide I'll use and we'll quickly move to the panel.  What does it include?  It includes, let me first say all the issues we mentioned earlier.  It's inclusive, an open platform.  It means if you join, it doesn't mean you will not join or you cannot join another treaty.  It doesn't -- it also is technologically neutral so it doesn't have offense like, you know -- use the word virus, talks about misuse of devices, doesn't talk about illegal access.  It talks about access to -- illegal access to content data and as you can see quickly from a snapshot, we'll make this available on-line subsequently.  Is criminalizing conduct such as illegal access, illegal interception, data interference, system interference and these are basically the offense you find in cybercrime legislation because the convention has been a model.  It also provides the procedural powers and tools as you can see in the second box in the middle, the expedited preservation, search and seizure, deception, et cetera.  This is provided in the treaty as well, and then there's the most important element, the third element, which is the international cooperation, which makes it the most useful aspect of the treaty, which is, well, how do we cooperate with each other?  And as you can see, it allows for other mutually legal assistance treaties to work in conjunction.  It doesn't say I'll override any treaty you of.  If you have a treaty already that will work but if you don't have a treaty you can come to me.  It's a an inclusive open platform.  The last you'll see in 27 points of contact where you can actually pick up the phone, know who the person in X country is, make a phone call and immediately get a response so you can ask for assistance, preservation, other things.

   And if there are requests for ac -- accession and people who haven't asked for accession, and the council has assisted them in capacity building in those countries, myself -- he'll speak more about this, he organized a regional workshop in Sri Lanka where I said yeah, Pakistan, we had people from all these, et cetera, who also had participated.  This is not the first one.  It's actually a series that has actually taken place.  So that's just for me.  Just to set the scene, to sort of start maybe spark a discussion or debate and discussion with the panel.  And I'll stop there.  And we'll go to our first panelist, so you've heard stuff from researchers and law enforcement but maybe it's interesting to go and listen to what the private sector may have to say about treaties of this nature, does it help them, give consistency, et cetera.  So our first panelist of the day would be Audrey Polk.  She is with the Intel corporation and has background in these sort of issues.  Audrey, thank you, take it away.

   >> AUDREY POLK: Thanks.  Hi, everyone, it's great to be here with you.  Good morning.  Some background in these issues.  Yeah.  So I just wanted to say a few things about the private sector's overall interest in harmonization of specifically criminal statutes and laws across borders and then talk about why I think it's helpful, specifically for developing countries to consider as they're developing legal frameworks to consider participation in the Budapest convention.

   So first, just as in the regular world or in the kinetic environment, criminal behavior is a destabilizing force in society.  It's generally a negative thing.  It creates concern, and so the same is true in cyberspace, and so when you look at criminal activity on-line, it's -- it's a disincentive for investment and development from a private sector perspective.  So to the extent that -- that legal frameworks aren't in place and criminality on line just as in the physical world isn't addressed, it makes an environment unsafe and unpredictable, and those are all factors the private sector considers when they're looking where to put staff and where to build offices and where to have technological development take place.  And so at a very high level I think it's important to address criminality on-line in every country, up front as robustly in legal frameworks as possible, because it has, I think, a direct tie to economic development and to growth and prosperity.  And to the extent that we all understand and believe that the Internet and ICTs are advancing growth at a rate that's much, much greater than maybe we would have anticipated 20 years ago, it's really important that the environment that is enabling that growth, advancement of GDP, prosperity, societal values, is a relatively stable and predictable environment.  Business likes predictable environments as a general matter.

   So I think -- thinking about how to address criminal statutes in the context of the culture, in the existing legal frameworks, of course.  Not everybody can have a law that looks like everybody else's law but I think that's why he talks about harmonization and cohesion as the way to address that because what you want to have is compatibility so that from a private sector perspective you can anticipate that a criminal act in one country will be generally treated as a criminal act in another country and you can expect a certain amount of enforcement and action to be taken on the part of the government to both enact and then enforce the laws.  And that creates an environment whereby business is incentivized to invest in the economy, to invest more, and the local environment is incentivized to take their business on-line, to use ICTs, to use the Internet to advance their own business goals.  And so many -- many developing countries have the goal of trying to -- trying to connect more users and to get more businesses using the Internet, and so trust and safety is going to be critical for that advancement to connecting the next billion users and the businesses that will rely on ICTs.  And so, you know, criminal statutes are directly tied to trust, so to the extent that the environment is predictable and people can generally trust the infrastructure to execute their business, they're going to be more likely to take their business on-line and you're more likely to see growth in a positive direction.

   And so I think from a very high level that's the overall private sector interest in ensuring that -- participating in conversations about how to advance cybercrime laws specifically across the globe and to have them as harmonized as possible.

   The advantages, I think -- you know, I think there's advantages to everybody, developed, developing, whoever you are, and participating in the Budapest convention specifically, or at least using it as a foundation in developing criminal -- criminal statutes with regard to crime on-line.  But -- so I think -- and sometimes it's hard to kind of envision what does this really look like when you start to break it down to an actual crime.  And so if you think about a normal crime or a crime that you might be more familiar with in the physical world and you look at, say, somebody trying to rob a bank, most crimes are combinations of smaller crimes that are all prosecutable, depending on obviously what jurisdiction you're in and all of that, separately.  And so they all sort of congregate into creating, you know, maybe the ultimate crime that you're -- that gets reported in the news, but there's lots of little crimes that lead you to that place.  So, you know, if you're robbing a bank, then the person might steal a car, they might illegally carry a firearm, they might brandish it illegally, they might park illegally, they might do a bunch of things that eventually get them into the bank where they steal the money, and that's the part that everybody cares about in the end.  They did a whole lot of other things that were also illegal, and the problem that Zahid represented in his presentation is that in a global scale in the Internet, you have a situation where it's easy to break up all of those little crimes into different jurisdictions where those crimes may not be either -- they may not -- there may not be laws against those crimes or they may not be enforced if there are laws against those crimes.  So when you're robbing a bank you can't do that.  You're sitting in front of a bank and you're in one jurisdiction and you're usually within not only one country but one state and one county and one municipality, whereas on the Internet you can break those crimes up, carry them across jurisdictions and target them to places where -- where either the laws are weak or nonexistent.  And so -- so the reason it races all boats to have the harmonization of laws is to try to -- to disincentivize that behavior, and, you know, I don't think -- eradication of crime is not the goal here.  The goal is manageable and stable.  And if criminals were anticipate that all of the things that they have to do that are illegal to get to the place where they're committing the crime stealing the money, accessing the data, whatever the crime is, is going to be, you know, illegal in every jurisdiction that they go look at, then they're going to be much less incentivized, I think, overall, to take that approach to things.  And so that's why, to Zahid's point, regional cooperation is important but at the end of the day global cooperation is even more important because you can continue to break up the crime into small, small, small parts and spread it around the world until -- until everybody has a sort of general accepted level of what is -- what is -- what is anticipated and what is acceptable.  So -- thank you.

   >> ZAHID JAMIL: Thank you, Audrey.  That's fantastic.  Thanks a lot.  I remember just last week we were in Seoul talking about cybersecurity and I believe Microsoft mentioned one of the top four issues when they look at cooperation or how they view a country is whether they've actually signed on to the Budapest convention as an example.  It gives you an idea how private sector sees it as a trust issue if you're part of it.  So that's very helpful.  I'm going to move on to someone who's even more of an expert in any of these developing countries.  This is Jayantha Fernando.  Wrote the legislation related to cybercrime in that country and has a lot of experience related to capacity building and has experience about accession to the Budapest convention treaty as well.  Thank you.

   >> JAYANTHA FERNANDO: Thank you, Zahid.  Thank you for the very kind production, and -- the introduction I think some people might be wondering if we're part of the mutual admiration society here, admiring each other.  (laughter).

   So let me within this little period of time talk a little bit about the legal or legislative option Sri Lanka looked at at the time we started this entire process and how we brought together various options into a common framework, resulting in a legislative instrument that in this ages, harmonization -- has harmonization as an ultimate objective.  So Sri Lanka embarked on an ICT development agenda, which is quite an ambitious ICT development program called the e-Sri Lanka development initiative, and that ambitious initiative resulted in a series of reforms in the policy and legal arena.  So on the one hand we had PM 1 systems, reforms, enabling SMEs and small businesses to be involved in Internet-based trade and commerce activity, providing a common platform for systems, and of course that resulted last year in the very first mobile license that was issued to international -- international-based company in Sri Lanka and that -- Sri Lanka and that put us on the scale of the semi-facilitation.  But with all these evolutions and the developments taking place if ICT sector, safety is -- they pointed out, was a key factor that we wanted to emphasize.  And as part of the cross safety we embarked on a legislative journey that started in 1999.  And at that time we looked at multiple options available.  We looked at -- since we were part of the British commonwealth of nations, we were under the British domain for 400 years until 1948, and many countries were in similar situations.  We looked at the U.K. act of 1990 as an example of a legislative instrument to help us formulate our own law, and I remember asking the drafting committee way back in 1999, we embarked on that model, and then we had collaboration with the U.K. government who introduced us to the commonwealth model of law that was available.  And all these options were put on the table and we fashioned our law based on those parameters.  And then when we went into the provision governing investigation and prosecution, we also had access to what is called the Harari convention at that time, still available, mutual assistance and cooperation between commonwealth countries.  However, having looked at all these options we also felt it was necessary to put in harmonized regime that enables us to go one step beyond that framework that all the benchmarks we looked at and looked at -- and because we found that a large number of complaints relating to Facebook, Twitter, Yahoo, Google, all of them related to cooperation -- we had to necessarily engage law enforcement, the U.S. and other parts of Europe and including Japan and Australia.  So in that context we felt it was more prudent to look at harmonized framework that ensures access to open systems and ensures collaboration with countries, even outside of the commonwealth.

   So taking all this into consideration, we modeled a law on the Budapest cybercrime convention for the simple reason that it provides a platform for broader harmonization in a global context and it also provided for criminalizing conduct as pointed out in this slide, covering broad areas, issues that were compatible with the criminal -- criminalization provisions that were found even in the U.S., Australia and Japan.

   And that is a journey we followed, and in 2007 the computer crimes act No. 24, 2007, was enacted by Parliament in Sri Lanka.  It is based largely on the provisions of the U.K. computer misuse act.  It embodies some of the feature of the Harari convention for Mutual Legal Assistance, so much so that in section 35 of the computer crimes act it specifically says that the provisions of the mutual assistance in criminal matters act, that is the statute that ratified the Harari convention, will be applicable in respect of providing assistance as the government of Sri Lanka and other states while the commonwealth countries specified by the minister or non-commonwealth countries specified by the minister, in 2 of that particular statute.  So we looked at all these options and what I want to say in conclusion is that, yes, there is already available models for consideration, but we have to go one step beyond that and ensure that we have harmonized provisions that makes our statutes compatible with Japan, U.S., other European countries which are not part of the British commonwealth and provides for a framework for Mutual Legal Assistance and cooperation.  And that is the reason why we felt it was important to formulate a law based on the contents or features of the Budapest convention and here we are in a country, a lovely, beautiful country, Bali, which is part of Indonesia.  And for the Indonesian guests I would like to say that the Budapest convention is open even in Indonesia.  And we had that at the last conference we had contributors from Indonesia.  They've been proactive, but in this region, in my opinion, Japan and Australia have shown leadership in ratifying the Budapest convention and we are part of this amazing mutual assistance cooperation group.  Where information is exchanged, legal assistance is -- Mutual Legal Assistance is greatly enhanced, and our law enforcement is able to collaborate on equal terms with those in the developed world.

   So in conclusion, Zahid, what I want to say is that Sri Lanka is looking at options of an accession request to the Budapest convention, the capacity building work, very, very useful workshop we had in Columbo in consultation in Europe, week before last, right, in Columbo, provided a platform for knowledge sharing and, more than that, we also found as an advantageous tool, the council of Europe has formulated something called the Electronic Evidence Guide, and that Electronic Evidence Guide was the only instrument so far, by any international organization to have been produced, which has a well -- whether you are in a common law jurisdiction or not, so it's platform neutral, legislative neutral, technology neutral, and it provides a useful tool for law enforcement and judges and provides a guide for them to use in their -- and they are engaged in the enforcement of cybercrime.  So that was another advantage I thought we should flag, that it provides a platform for amazing amount of knowledge sharing and information gathering and not just the dissemination of information.  Thank you much.

   >> ZAHID JAMIL: Thank you, yes, you're absolutely right.  Whereas the commonwealth models are model and they are schemes, the legally binding provision comes from the treaty, et cetera, and that's why both of these are useful, and also the commonwealth is consistent with the Budapest convention.  So following that, as I said, doesn't make -- doesn't mean that you are excluding something.  In fact, all of it is very consistent, compatible and collaborative.

   It's great to have seen your chief justice in Sri Lanka taking such an active role and one of the things he mentioned is that the convention has specific provisions related to safeguards and Human Rights.  So it does do more than many other, say -- there is no other instrument per se, but at least it provides protections and asks Member States to have civil liberties and Human Rights protection.

   I will now move to asking Bevil, who is from the Caribbean but works back at clearinghouse and they've done a lot of work at Internet exchange points and related to cybersecurity, to share his views and thoughts on treaties related to cybercrime.  Thank you.

   >> BEVIL WOODING: Good morning, everyone.  I want to just share a bit of perspective coming out of the Caribbean.  It's a very diverse region.  People think Caribbean, developing states, islands, but it's not just islands, it's countries such as Beliz, guy and a in South America and it's a very economically diverse region and I'm saying that because the issues being faced as far as cybercrime, obviously was in other regions, and this is -- this is a challenge because of the economic constraints.  You have countries that are both economically but also from a human resource challenged by the onslaught of criminal activity over cyberspace, and the challenge really centres around the fact that the legislative environment in a region is still very much a work in progress.  And so if you consider the landscape as a -- and I think Audrey -- Audrey said it well when she referred to the fact that environmental laws are attraction points for cyber criminal activity and the region represents a very attractive location.  And it has already had a history of being a trans-shipment point for illegal drugs, for example, and the history of financial services in a number of territories, such as the British Virgin Islands, Cayman Islands, one makes computerized criminal activity particularly attractive.  For us what we have seen is that this creates an interesting set of circumstances for governments in the region to look at cybercrime, and it also creates an incentive for governments or nations outside of the region to look to the Caribbean as a place where if it is not shored up, then it becomes a point of attack for their own economies and their own -- their own environments.  And against that backdrop I want to talk about some of the work that has been taking place within the Caribbean as it relates to cybercrime and the response to it.

   There have been a number of initiatives targeted throughout the region to help strengthen the environment and to help bolster the laws as it pertains to cybercrime.  One of them is an ITU initiative, which is also coordinated by the Caribbean telecommunications union called hip core, the harmonization of ICT policies for the Caribbean.  The interesting thing about this process is it's now going on, and it's now into its second or third year, it's going on while other initiatives surrounding cybercrime are also in process, and I've seen working on the ground in some of these countries cases where one -- where one activity is completely independent of another.  So you have the commonwealth cybercrime initiative, which has been promoted again through the CTU in the region to support our countries and has been taken on by departments of government where they don't know that they're already part of the process.  This is presenting a serious challenge, and it is -- it's creating a context where there is an acknowledgment that treaties are important.  There are a number of incidents recently that have led to greater profiling of the requirement to enter into a multilateral agreement.  One of them, for example, a case in Tobago where government officials were implicated in an email -- email threats that represented criminal activity.  And to investigate it they had to Google, because the emails were all on Yahoo and Gmail servers.  Uses-based email service companies, and there was some debate over where did the crime take place?  And the issue -- when I look at the -- in terms of the Budapest convention, for example, you can see where a provision is made for these kinds of situations for governments to seek assistance from both private perspective and the government, but where there is limited knowledge of the availability of channels of cooperation, then these things can spin off into months and months of unnecessarily legal action.

   And so from a -- from a cybercrime coordination standpoint, one of the main issues that we have seen is the issue of education and awareness, what is happening out there?  We have pulled together programs, this is back at clearinghouse, also in conjunction with the Caribbean telecommunications union, brought together programs to raise the awareness for the need for harmonization but also to participate in wider international fora where ministers of government, law enforcement agencies can all understand the fundamental issues, and at the same time bring to bear upon local legislative environments necessary actions that are required.

   So you do have, one, the issue of criminalization of activities, if it is not a crime in a jurisdiction then it's not a cybercrime.  That is one of the key things, is to bring legislative action to bear within the region, harmonization is also another, but I think the issue of coordination of activities and the issue of education remain two of the priority areas that the region is looking at, both at the national level but also at the regional level.  How does the Caribbean respond to threats that pay no respect or regard for slowness of legislative updates, pay no regard to limited resources at the level of the policing or national security infrastructure and apparatus.  These issues basically don't respect borders, they don't respect economic circumstance, and so there is an acknowledgment that action is required but action cannot be based simply on national timetables.  All right?  Thank you.

   >> ZAHID JAMIL: Thank you, Bevil, and I'm glad you mentioned the ITU issues.  You can go to the Web site, and you'll see in our resources we have the ITU guide to understanding cybercrime and in that you'll see that right in the first two pages the entire document is based on the Budapest convention's definitions, and, you know, things like hip car, et cetera, are extremely helpful because they are again fashioned on the basis of the Budapest convention, but they do give you only national legislation.  What they don't give you is necessarily the international cooperation procedures in order to, as you rightly said, to do collaboration and cooperation.  You need to have the Harari scheme of the commonwealth be part of the whole process and also have the Budapest convention, which is the actual basis on which if you join you will become -- so it's great to see that that sort of progress is taking place on the ground in the Caribbean as also and also in the Pacific countries as well, using those models.

   I will now turn to our last speaker from the panel and then we'll open it up to questions and we'll hope for interesting debate and questions, comments from the floor.  Ana Neves is with the Portuguese government and is heavily involved with governance, security, was at the cyber meeting, and we're happy to have her here.  Thank you so much, Ana.

   >> ANA NEVES: Thank you very much and good morning.  Well, I have only four points to raise here today after all these very good explanations that I don't think that -- I don't have anything interesting to add except an overview of someone that is from a government in Europe.

   My first point is that it will be very interesting to hear the reaction of the audience on what has been said here, and what are your views on this issue, because the importance of international cooperation here is self-explanatory.  If you don't have harmonized procedures with the world, how can you solve national cybercrime?  It is not going to stop.

   My third point is that it makes no sense for a new specific treaty for developing countries, this is an area where all countries worldwide have to share information rules, share mechanisms, et cetera.  And finally, my -- my first point is -- fourth point is that the Budapest convention on cybercrime is a very important tool to be used, but there is no single solution for the accession of developing countries.  Thank you.

   >> ZAHID JAMIL: Thank you, Ana.  It's great to have the perspective of European country also who's a member of the council of Europe and convention, et cetera, and thank you for your support in that.  What I'd like to now do is open up the -- to the floor.  Please, if you have questions or comments or things you'd like clarifications on or any question you want to address to any of the panelists feel free to do so.  There is a mic, hopefully, that is going around.  I think Zara will be getting that mic to you.  Raise your hands and we'll pull you in.  Please.  You have a microphone.  Go ahead.  Thank you.  And for the transcribers, it would be great to get your name and your affiliation.

   >> Okay, thank you.  My name is Intadare.  I'm from the University of Padaran.  I'd like to know more about how Pakistan and Sri Lanka practices in cybercrime legislation relating to the on-line defamation, because we have several cases on on-line defamation, and how are you balancing when the cybercrime convention and Human Rights.  Thank you.

   >> ZAHID JAMIL: I'll take the first since you mentioned Pakistan.  I'm happy to address that and then I think, Jayantha.  You can chime in.  We have an extensive process in Pakistan -- and this is happening in many places, where although the Budapest convention was slightly being followed, there was a lot of interesting things that were included where they just simply had a provision for cyber stocking that related to -- stalking, anything that's immoral.  There was no definition of what immoral is so it depends who thinks what is immoral is a cybercrime and it could have a seven year sentence.  There was a huge advocacy from Civil Society and from parliamentarians rejecting that draft bill, and it was rejected by Parliament Phil it even came to the vote and there was a big fight and it was rejected.  The prime minister sent it back to committee and now we have a different legislation that actually doesn't have such open-ended definitions, and what we realized is that cybercrime doesn't mean that -- because these days anything in life is related to IT or cyber.  Now, are you going to take your entire penal code and say that we need to revamp the entire penal code and include it into a cybercrime legislation?  That becomes very challenging and does not become the solution.  A cybercrime deals with those provisions that would not be triable, for instance, or wouldn't be offenses if you didn't -- and they're specifically to the technology of cyber.  That's what we concentrate on.  That's why the Budapest convention and the model laws help because they identify those particular ones and so you don't have to fight about the rest of the aspects.

   On specific -- specifically on defamation, one of the things we've done is we have a 2002 ordinance, defamation ordinance, that actually simply takes a defamation law and says whether this is done through broadcast, electronic means, communication, the same defamation legislation law would apply even if it was electronic.  But we did not do it as part of the cybercrime legislation because we did it separately.  And I think that's helpful, because sometimes what happens is anybody comes to the party on trying to draft a cybercrime legislation, they want to just throw anything and everything in there.  And I think it's very important to be aware that, one, that's just not going to be possible.  Two, it doesn't make sense in the cyber -- how you define many of the things, and third, imagine the sort of administrative issues you would have.  So it's helpful to put it in and mainstream these sort of things into your -- in your penal code.  And so that's how we dealt with defamation on-line.  We have separate legislation that deals with that.

   And I'll let Jayantha chime in.

   >> JAYANTHA FERNANDO: Thank you.  Thank you very much for that question, and this is indeed a very, very interesting issue.  Let me give the Sri Lankan perspective to this whole thing.  Defamation, the question I would put back to you is if there's a defamatory material on-line, is it punishable as a criminal law offense or will you be liable for penalties or damages in what is called a civil lawsuit?  And the legislative route that you can take to address this question depends on that -- on those two options.

   So talking of the Sri Lankan perspective, sometime ago until 2003 we had provision in the criminal code criminalizing defamation, but due to the advocacy of the Article 19 working group in Sri Lanka and the free media movement and the press contents commission and many other people, and due to the misuse of this provision sometimes by various authorities, criminal punishment was abolished.  So now what we have is remedies available under civil law, namely action for things that can be filed for publication.  So how our courts have looked at this is the following.  We have common law principles governing defamation, and the courts have been fairly flexible in making use of the definition called publication.  So the definition of publication has been extended to mean on-line electronic publications as well.

   But in terms of serving notices, in terms of filing a case, if the defamatory publication is in Sri Lanka, no problem.  If it is in some part of the commonwealth, again, then we can refer to some other Mutual Legal Assistance provisions, but there again, the issue is we cannot extend the notice provisions, quote, notices, to U.S. or the part of the world where the server is located, where the defamatory material is found.

   So this is where I come to a slightly different subject, the role and the very important task that any countries, national or independent, certs, computer emergency response teams have in addressing this whole issue.  In Sri Lanka we have a situation where roughly every month there are over 200 defacements and abuse cases and abuse cases or defamatory activity arising from Twitter and so on and so forth.  So how we have dealt with that issue is that without pursuing a legal course that would take a long period of time, especially in the case of our a defamatory publication, our national CERT, which became part of the first global community way back in 2007, has been able to work collaboratively with other CERTs and with Facebook and Twitter and many other organizations to take down abusive sites and sites which contains harmful material.  But there again, I want to emphasize that Facebook, Twitter, Google, Yahoo, all of them, they look into a country to see what treaties, what rules and norms that particular country has adopted, and there again, I come back to the advantage of the Budapest convention, because if you have acceded or made an accession request to the Budapest convention or ratified it as a treaty obligation, then resolving those issues become extremely difficult, extremely simple.  Why?  Because if you look at Facebook policies, Google policies, Yahoo policies and even those servers which are hosted in Australia, Japan, South Korea, those policies have a mechanism where they say somewhere that if that country or a requesting country has signed up to an international best practice treaty, then their assistance is faster, quicker and more responsive.

   >> ZAHID JAMIL: Thank you, Jayantha.  I also want to say deface.  Is an illegal access, so somebody defaces your Facebook, it's illegal access.  Both a picture is being corrupted, that's an Intellectual Property offense because they've taken a picture, and defaced it.  So there are other ways you can get around it.  And for that purpose you can get cooperation.  Sometimes when you make a request of defamation people may not cooperate but if you frame the question or charge correct lip you may get more cooperation.  I'll come to other people in a second.  We have one, I'll recognize the gentleman in the red shirt and I think we'll go, the next one, you, sir, are the third and fourth there on the left and I think the lady also raised her hand.  I'll try to remember the cue if you don't help me.  Go ahead.

   >> You talked a lot of the European treaty and also some developing countries like Iran and South Africa are complaining that if countries don't have enough voice for the treaty, and also countries like China, Russia and -- their complaint is that these treaties are build in the first -- the advantage, the advantage of countries and they basically are arguing that we should build more information security rather than cybersecurity.  And I was interested in what is your view on this one?  And relation to that is this harmonizing is something that might be very difficult to achieve.  I don't know if you can harmonize an entire ten years, and a lot of other areas, they are developing this informal network, international network, and those type of informal type of cooperation, and so if you know any engagement in that type of cooperation from your country rather than working on the treaty, which is not easy to achieve probably.

   >> ZAHID JAMIL: Thank you, just for the transcribers, would you give your name --

   >> My name is had inn Nitprit from the University of North Carolina.

   >> ZAHID JAMIL: Nice to meet you.  The important point you raised is useful for this audience.  Let's take them step by step.  And anyone on the panel wants to raise their hand please do that.  First of all, the challenge with -- and I think informal mechanisms of cooperation are extremely important.  It's useful.  But they only can go to the step where they give you the intelligence or the information.  Those informal channels cannot provide you evidence that you can take to court because when you get that information, you cannot use that in a court, therefore you cannot prosecute.  So that's one of the first problems, or limitations, if you will, with respect to an informal network.  It's very useful as an intelligence gathering tool to tell you what to do, but it cannot give you the tools you need to do an actual cybercrime prosecution and take the criminals to court.  That's one.

   Second, I think you mentioned the harmonization.  I agree with you, but I think what I've seen generally is everybody -- whatever model law we look at it's interesting, even the ITU guide shows you this on the Web site if you have a look at it.  You'll see that all the basic provisions of illegal access, you know, information systems, et cetera, these definitions are all generally the same.  So harmonizing to a large extent is taking place already by following these models, but it's very difficult to come up with your own definition which doesn't make sense.  So most drafters are following this.  So that harmonization is taking one, number one, on its own.  Second, I think that harmonization has to take place if you're really going to cooperate, otherwise how would you be able to address the crimes, and it's not that you try to actually address, as I said, everything.  The convention has for about five or six or 7 different provisions you need to criminalize.  If you can get those you have a basis to start cooperating.  If other countries want to build on that, Indonesia wants to make a criminal defense out of defamation they can do that, no stopping them.  But the baseline set of the minimal standard is an open platform.  That's what the convention provides.  I want to address the more important question of there is this myth that the convention actually is to the advantage of the developed countries and I want to address that.  This is a longer discussion.  I'm happy to take this off-line as well, but let me just suggest the following to you.

   The convention enables cooperation between countries.  As a developing country, the fact that basically I would become a member, my country would become a member and Sri Lanka is thinking of acceding to the Budapest convention, who is going to be making most of the requests?  I don't think it will be the United States of America making most of the requests to Pakistan or maybe Sri Lanka.  I think most of the requests will be going the other way, where the developing countries are asking for assistance from the developed countries because the servers and the data is actually there.

   So one of the things which I find very interesting is it's never really been played up because the focus has never really been on this issue, is actually at the end of the day the convention really helps the smaller developing countries, the one who are the requesters of assistance, to actually be the ones who are advantaged at a result.  I don't otherwise see any other -- unless you can specify specific advantage that a developed country has over a developing country, but I would say that's the other way around and that would be my response.  Jayantha, do you want to add or anybody else?  I think Audrey wants to go next.

   >> AUDREY POLK: I think just one thing in reaction to the question of, you know, what is the -- you know, who is the convention intended for.  You know, I agree with Zahid that the basic goal here is to get those seven or eight or ten or however many things they are, criminal acts, yeah, internationally criminalized, yes, thank you.  The goal -- so I think it's -- you know, there's been a lot of rhetoric around, you know, whether this was intended only for Europe or whether it was intended only for the west.  And I think we should try to set aside the rhetoric and talk about how to get the substance dealt with, because the rhetoric distracts us away from making progress on the real issues.

   So I think the intent not to disadvantage anyone or to be more favorable to one type of law versus another type of law, but the intent is to try to articulate criminal acts that should be unambiguously criminal for pretty much everybody.  And so, you know -- so I'm encouraged to Zahid's point, a model law, if we have a baseline to start with cooperation can flow.  One thing I meant to say earlier that I didn't say, I think in the larger context of trust and security and stability in cyberspace, that one of the most important ways to build the trust among countries over time is to build cooperation and that's sort of self-evident.  It's easy to say that and hard to do, but the most actionable way to do that is cooperation on prosecution of cybercrime.  It's an area that's a little bit less politically charged than other areas.  It's an area where people can often cooperate easier, and so it's a really important place to start the conversation among the global community if we're going to continue to make progress on, I think, broader sort of cyberspace and security and privacy issues generally.  But there has to be a mechanism to have that cooperation, and so, you know, whether it's Budapest and Budapest just happened to be there first and it happened to be -- you know, it happens to be sort of globally recognized, or whether it's a different model, I'm not sure at the end of the day we should care too much.  We should care that the outcome is that we're reducing criminal activity on-line and that we're making the environment more stable for business and consumers to use.

   >> ZAHID JAMIL: Thank you, Audrey.  I just wanted to say -- share with you, and this just occurred to me now, do you know who the most excited person in a sense, stakeholder in my country is about the Budapest convention?  They actually brought it to a meeting when we were drafting the legislation, was both law enforcement and intelligence.  This is what we need.  And it was them.  And the politics is where the foreign office -- that's the policy of, we're all getting involved.  And I think the developing countries are becoming victims of this politics of global, you know, dimension or whatever you want to call it, the paradigms.  But actually on the ground, you know, we need cooperation, we need to be able to sign up to this so that we can actually get assistance.  Jayantha has a point.  What I want to do now after Jayantha speaks is take short questions and come back and the panelists and all of us will try to be limited in our time because we also have remote moderation.

   >> JAYANTHA FERNANDO: Just a quick reaction to your question.  In fact, the concerns and problems you raised are very well known, and really well appreciated.  And that is the reason why we need to have a wider dialogue and discussion about those issues.  But having said that, we can have technical collaboration or we can have legal collaboration, or both.  So in the area of technical collaboration between countries, the CERT model is a good example, and that is where we have very unique collaborative activity in the Asia-Pacific region, Japan, Philippines, and now with China and India.  So it's working really well and that technical collaboration will address part of the problem.

   But if you are to address the legal issues, Mutual Legal Assistance and trying big deems or windows in each of our country, by Mutual Legal Assistance, then we have to have a legal instrument.  So either we can make use of an existing framework or make and just wait and idle around for 10, 15 years before an international legal instrument comes.  The choice is yours.

   >> ZAHID JAMIL: That's a good way to put it.  There's a glass that has water in it and a glass that's empty and it's up to you to choose.  What I would like to do is without having the panel respond, take three or four questions quickly.  Sir, I think you were next.  Please?

   >> Thank you, my name is Walter Natris.  It's easiest to say that I'm representing the spam community today and tomorrow something else.  I think I wanted to give an example but I think we're running out of time, so what I would like to do is to say that at 1630 tomorrow afternoon we're going to have some excellent examples of best practices on cooperation, internationally and nationally in a form which is strangely enough called the Dutch economic Ministry's open forum, and it doesn't say anything.  But it's on international and national cooperation examples and I think that will really help people here in the room learn from that and see some examples.

   I'm going to skip the example I had, but what I think it's important basically how do we teach civil service and governments and their ministers and bosses, that it's really necessary to take down these national border barriers in international cooperation, because the example I had is basically to skip everything, you do something for one country in another country, then the judge says, well, it's -- there's no offense.  And somebody else does it in another country to your country and you're not allowed to do anything because it's done in abroad.  If that is the case in cybercrime and the judge does it in the highest ruling possible it means you're completely tied unless somebody is doing it.  That's happened in the Netherlands in a case.  In other words how can you best be helping judges so that they understand they did this wrong, saw this wrong, and on the other hand how do you get government officials that it's really necessary to tear down a little bit of these barriers.

   >> ZAHID JAMIL: Thank you, that's right.  And the convention helps with judicial as well.  It has a judicial guide as Welch who was -- I think -- as well.  I think there was a gentleman here who was first.  Is that right?  I think you were first.  Can we come back to you, sir, afterwards?  Please go ahead.

   >> Thank you.  Well, from the speaker --

   >> ZAHID JAMIL: And if you -- (audio difficulties) to the origin, to the Caribbean and so on and so forth.  So I think maybe these are the problems that we will face in the future and maybe it's time for different countries to see a view on having international standards.  So how do you think about that?

   >> ZAHID JAMIL: I think it's a good point and I do want to address it.  I know I promised but I quickly want to say, that's exactly the reason why the Budapest convention offers the open platform, because just because you join that doesn't mean that it is inconsistent or contradicts the other ones you mentioned.  On the merits of the other regionals, I think it's a great thing that those regions are working on trying to have collaboration amongst themselves.  Anything that can happen internationally is a good thing.  But they don't necessarily have the international provisions in any of the treaties you mentioned.  They're not mutual assistance treaties.  They just have principles and that's pretty much it.  But it's a good thing they're doing it.  The only convention that provides that is the Budapest convention which is across regions, and again, if you join that doesn't mean you can't -- so the question of is it going to be inconsistent and split the work?  Not at all.  It's an open platform, open source, come and join.  Doesn't stop you from doing what you want to do in your country or other countries.  There's a gentleman who wanted to add as well?  Please.

   >> My name is -- I'm from Sudan.  I'd like to talk about the crime -- what's the crime ? -- my question to all panelists, is how do you think about -- in consultation -- the children -- from the because it's a crime against children, because children is our future, if you have a good -- you have a good leader tomorrow.  How do you think about this?

   >> ZAHID JAMIL: Thank you, actually.  What I'm quickly responding, the convention has a (no audio).

   >> Reasons why they decided not to sign it.  Thank you.

   >> ZAHID JAMIL: We'll definitely take that.  That's an extremely important question, Human Rights Article 15 of the convention, and we want to deal with it.  We have -- who was next, I think?  There was -- I think you had raised your hand, sir, if you want to do that and then we'll go to the two remote participants and come back to the panel with a collection of these points and see what responses we have.  Sir?

   >> Just adding on to that point --

   >> ZAHID JAMIL: Your name and affiliation for the transcribers.

   >> Prakash, I'm at the Centre for Internet & Society and I'm with the Yale ISP.  Following on from that point therefore provisions in the Budapest convention that allow authorities to force ISPs and DNS providers, et cetera, to implement measures for data retention.  Now, I'm wondering how all of this would play, for instance, with what ITF is now thinking about with ACT 2, where SSL becomes -- where encryption becomes required, how do these kinds of provisions about forcing actually and I'm working with those, and secondly, how does -- so copyright is -- is there in Article 10 of the convention.  Copyright is put on the same pedestal as child pornography, okay?  That both will have to be equally implemented.  Now, that will have many more requests coming in from the U.S. and U.K. and European countries towards developing countries than the other way around.  So I'm not sure I agree with you on the point that it will only -- that the traffic -- most of the requests will be one-way traffic, and what happens to the concept of data havens under this?  So what happens to, for instance, a country like Iceland that is trying to have a very high set of standards for free speech, for privacy, et cetera, and seeing store data here.

   >> ZAHID JAMIL: Thank you, what I'll just say because I know sometimes you lose threads.  First of all, this is the greatest myth that the Budapest convention actually requires data retention.  There is absolutely no provision related to data retention in that convention.  I'm glad you asked that question, because this is a very publicized myth.  There is no provision related to that.  There is a provision of preservation, and if you can show me a retention one I'll be happy to look at it.  We know it quite well.  We've been dealing with this constantly.  But what is in there is problem.  We'll deal with that in --

   >> I was talking about preservation Article 16.

   >> ZAHID JAMIL: Preservation means it's the same as any other situation, if the law enforcement gets for know there's a crime they freeze whatever data exists as of that moment, not retention that you have to actively -- people might say the NSA collecting data.  That is not something that's part of the Budapest convention.  It's important to make that distinction.  It does not make any law enforcement of a country start retaining citizens' data.  Does not happen.  It's not part of the convention.  On Article 10, I'll come back to that because most countries are already members of the W -- and the Paris convention so I don't think that's a problem.  We'll come back to that.  Two questions from other participants if you could run them through, please.

   >> Thank you.  We actually have a question from one of the remote participants.  Her name is Karen.  She's from Malaysia, are directed to Zahid and one is a general comment for all the panelists.  First question is you mentioned earlier in your slides whether instead of preservation -- is data -- referring to data retention, and the second question is it is the proposal to develop a new treaty in cybercrime.  Would it be managed by the UN?  Would it not be better to ratify the treaties where 51 countries are already ratified.  We have lost -- there was a general comment, which is, in your experience when a cybercrime is committed across jurisdictions, it's normal there is a treat -- as long as there is a treaty for cooperation how would the investigation be managed?  Managed by the country that first had the issue, i.e. -- thank you.

   >> One clarification, in addition to Article 16 I was also referring to articles 20 and 21, talking about data retention.

   >> ZAHID JAMIL: They don't say retention.  Look at it again.  They talk about --

   >> Why they don't, because they talk about realtime collection of computer data, which can be future --

   >> ZAHID JAMIL: Right.

   >> Saying that collect data relating to -- and let me just read, traffic data in realtime associated (off mic) communications in -- transferred by means of a computer system and they have to -- they're allowed to compel a service provider to collect a record through application of technical means on the territory of that party, et cetera, et cetera.

   >> ZAHID JAMIL: Correct.  So the way that works, just to clarify -- and this is why I think what -- trying to do in developing countries, give clarification to what this means, and so let me address that.  And I think that's a great thing.  People here want to discuss these provisions off-line.  We'll be glad to help you with it as well.  Let me address that.

   What it's talking about first of all is traffic data, which is logs and information of logs.  That's number one.  So that's not your content recording of conversations.  So --

   >> (off mic).

   >> ZAHID JAMIL: I know it.  That's one.  Second, when it's realtime collection of general data, the way that works is there has to be usually in most countries a warrant by a judge authorizing that there's an investigation going on from that point, in fact, targeted at a single individual, not basically the sort of thing that we all think is happening, which is, you know, you collect data generally, which -- if you come from India, I don't know, I came from Pakistan, our intelligence agencies do it all day.  But they're intelligence agencies, not law enforcement.  So that's not what is required.  It's not collection on an ongoing basis of everybody.  It is in a particular -- it's like a wiretap that you have on a phone conversation of an individual targeted for a particular period and safeguarded by judicial oversight, because Article 15, which I wasn't able to mention earlier, Article 15 of the convention, if you read, requires -- and you read that, judicial and independent supervision of the procedural powers that have been used.  So you can't have a law enforcement official go, okay, I think I'm going to target about 25 people today and let's go ahead and start recording the data or ask an ISP to do that.  That Article doesn't do that.  But it can give you further information about how that would be implemented and it's a requirement that the civil liberty safeguards in that convention have to be safeguarded.  As an example, the commonwealth model law that is being implemented or the hip car that you mentioned, required that these powers -- this addresses the question you asked, have to be enabled by a judge's before a court, an independent court of law, and it's again targeted at an individual, not at a system.  Let me go to the panel to respond to the various questions, et cetera, that we've heard.  Audrey, would you like to go first?

   >> AUDREY POLK: Sure.  I can pick up on that thread.  I think the other thing that's important to remember about the convention is that it -- it's broad in the way that it talks about, you know, interception, realtime interception and data at rest or, you know, stored data in that it requires that there be some capability, some legal instrument in a jurisdiction that when there's an ongoing investigation, that you can -- for the purposes of this investigation, give access to that.  It doesn't necessarily tell the jurisdiction what the legal instrument has to be, how they have to implement it, what it has to look like in the law, but as a practical matter there has to be a way to conduct the criminal investigation just like any other criminal matter.  It provides the way for countries to develop the legal instruments in the way that best fits within their existing legal frameworks while trying to set a level of harmonization so that, you know, if there is a criminal action going and you need to be able to get access to data, that there's some understanding that there can be cooperation in that.

   Now, and I think that the questions that you raise about -- or that you imply, perhaps, about privacy and surveillance are, you know -- I think they're difficult and they're -- they are less harmonized, perhaps, across jurisdictions, which makes it a challenging conversation, but I think one way to have a conversation in the future is about to Zahid's point, not just to have the provisions that are there about judicial oversight -- judicial warrants, but also to have a conversation about judicial oversight and accountability in the process of implementing this over time.  And so that there's inherently some need to be able to get access to data.  I think that generally people accept that.  What I think they don't accept is the idea that that goes unchecked and unmonitored, and if that's done in an untransparent way by government then you lose trust.  And so the question is, within every jurisdiction how do you build that transparency and accountability within the government so that -- so that, you know, the lines between criminal and noncriminal actions are much more clear and helpful.

   With regard to your question about Human Rights, I think that, again, I sort of have the same response in some ways in the sense that this doesn't -- first of all, it has the protections for Human Rights and recognizes the existing mechanisms and convention on Human Rights and everything here in Article 15.  I also think it's important to reemphasize that this is trying to be culturally neutral, and it's important that we have as many culturally sort of neutral mechanisms as possible because so many of these sensitive issues are very contextual to a legal environment or a culture.  What's private to you isn't private to me.  It isn't private to our colleagues here in Indonesia, and so, you know, it's trying to set a high-level goal, and I think if we get to a place where we say, oh, we can't set goals because we're all too different, then we really run ourselves into trouble in terms of being able to maintain interconnectedness.  So we need to be able to say, you know, we have the goal of this and you can go implement it in a way that makes sense for your Human Rights obligations and your culture under your privacy laws, and we can go implement it in a way that makes sense under our culture and our privacy laws and our security laws, whatever they may be, but still achieving that same goal.  And so I think that's -- at least I think that's the intent, and we've seen it work in some places.

   The other thing about -- somebody asked a question about number of signatories and things, and I don't work for the council of Europe.  I never have, I can't represent them at all, but they were in Seoul -- not in Budapest last week, we were in Seoul last week (laughter).  In solely, Alexander Seager, I think, unless he's here, I assume he would be on this panel if he was here.  He made reference to the number of countries who while they may not have signed and ratified the treaty are using it as a basis for developing a legal framework.  And I can't remember what the number was so I apologize, but it was large.  I think it was over a hundred.  And I think that's encouraging in the sense that even if they aren't sign -- it took the U.K. a really long time to -- ratifying treaties is a non -- the U.S., a long time, five or six years to -- didn't take them long to sign it.  Took them long to ratify it just as a result of procedural political issues.  But I think that the -- it's encouraging to see that even if countries aren't able to sign or ratify they're still using it as a foundation which will help us drive towards harmonization.

   >> ZAHID JAMIL: Thank you, Audrey, this is why this workshop is basically a starter.  Hopefully in the next IGF what we'll plan to do is a clarifying exercise, myth busting exercise, take many of the things you've said.  Please come to the next workshop so we can take each and every one of these points and drill down.  That's the whole point, try to help you understand what the limits of this are.  It's up to you to decide whether it makes sense for a particular country or not.  On the issue of the IPR, the commission on Article 10 basically says that members of the convention have to comply with the existing responsibilities under the trips and Paris conventions.  It only says that if you are a signatory you comply with it.  And I think they'll talk about how that is implemented in a country with safeguards.  Go ahead.

   >> JAYANTHA FERNANDO: So I think the lady from Turkey -- or the lady over there, from -- my friend from India, I think you raised two very valid points, and those were the concerns and issues that we had addressed in Sri Lanka during 2006 and 2007 when our computer crimes act was finalized and presented before the parliamentary review committee.  And how we addressed it was the following, basically, in the interest of time.  Number one, we understood that the Intellectual Property obligations imposed was simply a commitment to extend the existing treaty obligations, both under the Paris and the trips convention.  And as far as Intellectual Property law is concerned, even if a request comes from another country, making use of the legal assistance provisions here, they have to subscribe to the legal requirements in their own country, right, because Intellectual Property is territorial.  It's a private law.  So that is how we address the issue, and we have put in our own safeguards while being consistent with the Budapest convention.  We have put in our safeguards to ensure that our courts will have the jurisdiction and authority to address that.

   Then the issue of Human Rights, and I think this was an issue that was slightly blown out of proportion in our view, the issue was whether this drafting a law consistent with this Budapest convention will impose the same standards, Human Rights standards of Europe.  But when we studied we found in respect of all of the provisions concerning preservation of data, subscriber information or subscriber -- traffic data and subscribe information, all that was required was to ensure checks and balances, that there was no open-ended mechanism for law enforcement to continue to track information or access subscriber data or traffic data.  What we have done in our law was to include the same safeguards, and those are the Human Rights safeguards that they're talking about, nothing else.  Safeguards to courts of law.  So in our law in section 18 of the computer crimes act, 24, 2007, available by doing on the Web site, doing a Google search or anything while you are on this Web site here you will see that the magistrate's intervention, court intervention is mandatorily required, if preservation is -- of data is needed beyond a prescribed period.  That is how we have addressed it.  Thank you.

   >> ZAHID JAMIL: And I just want to take a moment and say that I think this is why the myth busting exercise is very helpful, and one of the things we'd like to do is basically take time and sort of address one of these things step by step.  So if you have any questions, feel free to come and contact us on the Web site.  We will provide you with clarifications, and in addition to that please do watch out for the sort of capacity-building exercise we'll have next time around, which is going to take some of these criticisms and try to say, well, how does a developing country handle this one, whether -- how it should implement it.  One of the interesting points made by the -- one of the remote participants was that should we keep waiting for something else when there is nothing?  Or should we -- and if there is an attempt to try and have something, this will probably take 10, 15, 20 years, maybe longer, this discussion of whether there should be maybe a new treaty has been going on for now at least ten years.  We've lost a lot of time.  So, you know, we can keep waiting for this thing that will never ever arrive, or basically we will not probably get consensus on it, and there's no proposal currently that is accepted in the UN for a treaty.  There isn't.  It was actually voted down.  So there is no process at the moment on that.  There is only one agreement, capacity building, that's the only agreement you have.  So in the meantime there is a treaty, 51 people or Member States have actually signed on it, which are the large ones, so the question then arises, is does it suit your own national interest to be able to get cooperation or it doesn't.  Because the way we looked at it in our country was in our country says, I don't care about the international global politics of being pulled in one direction by one force or being pulled in another direction by another force.  I'm interested in my sovereign, vested interest of my own national -- my nation and my country.  Does this help me get cooperation?  Does it help me get cybercrime cooperation and data which I'm otherwise not able to get?  And that I think is the main issue.  Get away from the politics and look at the merits and see whether that makes any sense.  We are way out of time.  What I'm surprised is nobody has come and said you need to leave.  (chuckle) so we're about ten minutes into the -- there's one other point, we'll take that and then we'll I think close.  Go ahead.  And there's -- I'm so sorry, the two -- let's go to you first.  You raised your hand and then we'll close the panel.  Go ahead, next.

   >> Thank you.

   >> ZAHID JAMIL: Go ahead.

   >> Thank you, I'm Eduardo Tony.  I'm a law proffer at (off mic) university in Buenos Aires.  Let me tell you, I'm teaching two courses, one is Human Rights on the Internet and the other is cybercrime.  And usually students makes tough questions, so I want to pass you one of the tougher questions that I have in my cybercrime course.  When one of my last classes is about international standards, and of course I give the students the Budapest convention, and after studying and reading and analyzing the Budapest convention, they ask me, Eduardo, why us as a country should support this convention that was drafted more than ten years ago --

   >> Good question.

   >> Than the wording -- the technology more than ten years ago was dramatically different, that the wording is creating what you are calling the myth, because I think that what you call the myth is the interpretation of the wording that probably is outdated, and why we should follow and support this convention that was drafted ten years --

   >> Right.

   >> -- and we were not participating in that --

   >> ZAHID JAMIL: One is the age and second is participation.  Let me address that quickly.  I apologize.  You -- made the replying and hopefully at 4:00 we'll get -- go ahead and then I'll respond.  I think they're waiting outside.  We just realized.

   >> My name is Walt Nakis.  What I think happens in your country is somebody made himself responsible for this topic and then started driving and trying to find people who -- that would actually listen to you.  Is this what that is about, finding the right person in a country that makes himself responsible for this --

   >> DAVID SATOLA: Thank you, I think that's an excellent point.  Finding champions.  Let me respond quickly to the point you had made.  Number one, you know, that Australia ratified it last year or this year, I think, and Britain ratified this convention last year, and they are probably the most advanced and basically trying to be ahead of the time.  The reason why -- the reason why the definitions do not become archaic, and I'll explain.  If you had seen the presentation -- let me explain.  If you had seen the presentation that I've given, I think you came in a little later, you will find that basically the way that the definitions have been done, are technologically neutral.  So they don't define any specific technology.  So it's -- it's not hacking but illegal access.  It's not Botnets but interference with the system.  It's not VoIP, but the gentleman said, collection of data.  So that's why these countries are still signed on to it, number one.  Number two, what about participation?  One of the things you'll recall, that most of the country, even in Latin America and India, Pakistan, south Asia, we signed on to conventions that we didn't negotiate when it came to aviation, when it came to logistics, maritime, a whole bunch of different ones.  It's only recent conventions I guess we were party to.  Russia and China signed O they weren't part of the W-2.  They didn't negotiate it but they came in afterwards.  So that's I think a question for every country to decide, whether it wants to say I was not there at that time so I just won't join it or to say no, this is useful for me.  It doesn't matter whether I was there at that time.  If it's helping me, that's the merit.  Is it helping me?  Does it make sense for me, useful for me.  Not the politics of saying why wasn't I called to the party but saying do I have something to gain from a national interest.  And I've realized people are waiting outside.  Thanks very much.  We'll have to close this up and keep watching this space.  Thank you.