3rd ANTI-CYBERCRIME FORUM Engaging in international cooperation on cybercrime and electronic evidence: CyberSouth to reinforce the capacities Phoenicia Hotel, Beirut, Lebanon, 29 November 2017 Marie Agha-Wevelsiep, Project manager, Council of Europe marie.agha-wevelsiep@coe.int www.coe.int/cybersouth

Project CyberSouth Title CyberSouth – Cooperation on cybercrime in the Southern Neighbourhood Region Priority countries Algeria, Jordan, Lebanon, Morocco and Tunisia Duration 36 months (mid-2017 / mid-2020) Budget EUR 3.3 million Funding European Union and Council of Europe Implementation C-PROC ( Council of Europe Programme Office on cybercrime) www.coe.int/cybersouth

Project CyberSouth Challenges The scale and quantity of cybercrime, devices, users and victim The issue of electronic evidence Availability of data Technical challenges Cloud computing, territoriality and jurisdiction Mutual legal assistance www.coe.int/cybersouth

Project CyberSouth 1 - Standards: Budapest Convention on Cybercrime and other instruments “Protecting you and your rights in cyberspace” 2 Follow up and assessments Cybercrime Convention Committee (T-CY) 3 Capacity building : C-PROC www.coe.int/cybersouth

+ + Budapest Convention Criminalising conduct Procedural tools Illegal access Illegal interception Data interference System interference Misuse of devices Fraud and forgery Child pornography IPR-offences Procedural tools Expedited preservation Search and seizure Interception of computer data International cooperation Extradition MLA Spontaneous information Expedited preservation MLA for accessing computer data MLA for interception 24/7 points of contact Harmonisation www.coe.int/cybercrime 5

130+ Reach of the Budapest Convention as a guideline Indicative map only Budapest Convention Ratified/acceded: 56 Other States with laws/draft laws largely in line with Budapest Convention = 20 Signed: 4 Further States drawing on Budapest Convention for legislation = 45+ Invited to accede: 10 = 70

C-PROC In practice, how does the Budapest Convention work? 10 Case 1: Earthquake case (Romania) App X on their Android or iOS smartphones received false alerts indicating an earthquake of 10 Richter Magnitude. Offences committed: illegal access to a computer system – art. 360 of the Criminal Code alteration of computer data integrity – art.362 of the Criminal Code perturbation of the functioning a computer system (system interference) – art.363 of the Criminal Code dissemination of false information – art.404 of the Criminal Code Object of the request: Preservation of data through the 24/7 point of contact to the responsible authorities of USA, using 24/7 Contact Point Dta preservation + use of MLAT all the data preserved and identification and prosecution of the suspect who committed the offences

C-PROC In practice, how does the Budapest Convention work? 10 Case 2: ”Phishing” Case (Romania) Unidentified perpetrators succeeded onto gaining access and transferring different sums from customers accounts of two banks in Norway and Finland to bank accounts from Romania, using the phishing method. Romanian citizens that redraw the fraudulently transferred sums were using, at the time, the following email addresses, that were created, probably by the same person, from the same computer system: CHH@yahoo.com; dfds@yahoo.com; andreaaa774@yahoo.com Offences committed: illegal access to a computer system - art. 360 of the Criminal Code fraudulent financial operations- art.250 of the Criminal Code computer related forgery – art. 325 of the Criminal Code

C-PROC In practice, how does the Budapest Convention work? 10 Case 2: ”Phishing” Case (Romania) Object of the request, data preservation for : Email addresses’ logs and associated accounts Content of any communication stored by these email addresses IP address/addresses of the computer system/systems that created the email addresses mentioned above Preservation of data through the 24/7 point of contact to the responsible authorities of USA, using 24/7 Contact Point Data preservation + use of MLAT all the data preserved regarding e-mail accounts used by the suspects and to identify and prosecute a large money mule group who caused significant financial losses (more that 3 million Euro)

C-PROC In practice, how does the Budapest Convention work? 10 Case 3: “ONLINE SCAM” CASE (Romania) Advertisement for a car on www.craigslist.com Victim in Miami, expressed interest in the vehicle, the unknown user of the email address asked for payment with a stolen gift card. Email account is linked by back up contact information to several other email accounts. One of these email accounts was accessed with an Android device. The IP address associated with the Android device was 86.124.239.xxx. The internet service provider for this IP address is RCS-RDS. Data associated with this IP address will assist in identifying the unknown user of the email address.

C-PROC In practice, how does the Budapest Convention work? 10 Case 3: “ONLINE SCAM” CASE (Romania) Offences committed: Wire fraud - Title 18, United States Code, Section 1343 Identity theft - Title 18, United States Code, Sections 1028 Object of the request: The contents of any communication or file stored by or for the account and any associated accounts, and any information associated with those communications or files (source and destination email addresses or IP addresses) All records and other information relating to the Account and any associated accounts including: names, addresses, records of session times and durations, length of service

C-PROC In practice, how does the Budapest Convention work? 10 Case 3: “ONLINE SCAM” CASE (Romania) Request sent by US Department of Justice on September 21, 2015 to the responsible authorities of Romania, using 24/7 Contact Point. Response received on September 30, 2015, confirming that all the data has been preserved by RCS-RDS (ISP). Based on the data preservation, US authorities were able to receive through MLAT all the data preserved and to identify and extradite 7 Romanian suspects, involved in online scams.

C-PROC Functions: Cybercrime Convention Committee (T-CY) 10 Established under Article 46 Budapest Convention Members (statut November 2017): 56 Members (State Parties) 14 Observer States 10 International organisations (African Union Commission, ENISA, European Union, Europol, INTERPOL, ITU, OAS, OECD, OSCE, UNODC) Functions: Assessments of the implementation of the Convention by the Parties Guidance Notes Draft legal instruments Etc.

Joining the Budapest Convention Treaty open for accession (article 37) Phase 1: A country with legislation in place or advanced stage Letter from Government to CoE expressing interest in accession Consultations (CoE/Parties) in view of decision to invite Invitation to accede Phase 2: Domestic procedure (e.g. decision by national Parliament) Deposit of the instrument of accession www.coe.int/cybercrime 14

Capacity building Cybercrime strategies and policies Reporting system mechanism Legislation Specialised services LEA training Training for the judiciary Public-private cooperation International cooperation www.coe.int/cybersouth

CyberSouth offers capacity building to Lebanon C-PROC Project CyberSouth 10 CyberSouth offers capacity building to Lebanon

Project CyberSouth: Benefits for Lebanon? Legal framework on cybercrime strengthened international cooperation facilitated Specialised units on cybercrime strengthened: set up of standard operating procedure for electronic evidence, good practice for information exchange with service providers, access to training materials Number of investigation on cybercrime and involving electronic evidence increased Judicial training on cybercrime and electronic evidence mainstreamed reinforcement of judges and prosecutors Reinforcement of the role of 24/7 contact point and international cooperation Strategies on cybercrime and electronic evidence strengthened or enhanced

Project CyberSouth: For Lebanon For international community Benefits on international cooperation For Lebanon Become a member of the international community Use of the international instrument Benefit from the network of the other criminal justice players specialised on cybercrime Cooperate with countries sharing common standards Increase in the number of investigations on cybercrime and electronic evidence For international community Increase the Parties of the Budapest Convention Influence of Lebanon in the region Contribution to increase the capacities in the fight against cybercrime worldwide

Project CyberSouth: which actions for which results? Expected results Actions to be taken Deliverables for Lebanon Result 1 Strengthened legislation Assessment visit 1 regional workshop on cybercrime and data protection legislation as well as on criminal justice statistics to determine the effectiveness of legislation. A guide on the application of data protection and rule of law safeguards in investigations on e-evidence and cybercrime. 2 in-country workshops for judges, prosecutors and law enforcement on the application of cybercrime legislation, including rule of law safeguards and data protection requirements + best practice booklets

Project CyberSouth: which actions for which results? Expected result Actions to be taken Deliverables for Lebanon Result 2 Specialised police services and interagency as well public/private cooperation strengthened Assessment visit 1 regional workshop on specialised cybercrime and computer forensic units and specialised prosecutors to share experience 1 regional workshop on law enforcement/service provider cooperation with the participation of multi-national service provider 1 in-country workshop on law enforcement/service provider cooperation with the participation of multi-national service provider E-evidence Guide and the Standard Operating Procedures Guide available in Arabic. Recommendations on the development of domestic SOPs for e-evidence and on the strengthening of cybercrime units. 1 in-country training on Darknet and virtual currency investigations. Sharing of experience Good practice compilation on the cooperation with multi-national service providers Facilitate access to ECTEG training material and in the delivery of first training

European Cybercrime Training and Education Group - ECTEG

Project CyberSouth: which actions for which results? Expected result Actions to be taken Deliverables for Lebanon Result 3 Judicial training on cybercrime and electronic evidence mainstreamed Assessment visit Regional workshop for representatives of judicial training institutions to reach agreement on the approach to follow. In-country training of trainers workshops Regional conference on the progress made Recommendations on mainstreaming judicial training on cybercrime and electronic evidence and assistance in the elaboration of a long term strategy. Availability and adaptation of training material 2 train to train training for basic and advanced training

Project CyberSouth: which actions for which results? Expected result Actions to be taken Deliverables for Lebanon Result 4 24/7 points of contact strengthened and enhanced international cooperation on cybercrime and electronic evidence Assessment on competent authorities and on the functioning of international cooperation 1 regional/international conference on roles and responsibilities in international police-to-police and judicial cooperation on cybercrime and e-evidence. Recommendations on strengthening of 24/7 contact followed up by a mission of expert Funding of Lebanese representatives to participate in conferences and training sessions on international cooperation (Interpol, Europol, Octopus Conference,…) Regional training on international cooperation and the role of 24/7 contact point

Project CyberSouth: which actions for which results? Expected result Actions to be taken Deliverables for Lebanon Result 5 Strategic priorities on cybercrime and electronic evidence identified. Assessment visit 1 in-country workshop 1 international conference 1 annual report on cybercrime and e-evidence situation in Lebanon Study on progress made with respect to legislation and institutional capacities since the start of the project in the Southern Neighbourhood region. Recommendations on cybercrime strategy

GLACY EU/COE Joint Project on Global Action on Cybercrime Project CyberSouth: Implemented by the Council of Europe, recognised know-how GLACY EU/COE Joint Project on Global Action on Cybercrime GLACY+ EU/COE Joint Project on Global Action on Cybercrime Cybercrime@EAP II EU/COE Eastern Partnership Cybercrime@EAP III EU/COE Eastern Partnership iPROCEEDS Cooperation on Cybercrime: targeting crime proceeds on the Internet Cybercrime@Octopus (voluntary contribution funded) CyberSouth EU/CoE Joint Project www.coe.int/cybercrime 25

Project CyberSouth: Assessment report next steps Assessment report Fact checking with Lebanese institutions National project team nominated (Ministry of Justice, Prosecution, Law enforcement authorities, Training institution for magistrates, Training institution for law enforcement) Agreement on a first draft work plan of activities Launching conference in February 2018 in Tunisia

Project CyberSouth: Thank you! www.coe.int/cybersouth Cooperation on cybercrime in the Southern Neighbourhood Region Thank you! marie.agha-wevelsiep@coe.int www.coe.int/cybersouth