Fighting Cybercrime Like It's 1999


It's been a big month for the internets in Australia.

Last week the News Limited newspapers reported a suspected hacking attempt on a number of parliamentary computers, including those of the Prime Minister, Foreign Minister and Attorney-General. Although the Government declined to comment, somebody down at the Attorney-General's office was happy to leak that the attack had compromised the parliamentary email network used predominantly for constituent matters. Allegedly it was all the handiwork of a Chinese hacking outfit, after information on our mining industry.

Without evidence or even a source to bolster the claim, it's yet another contribution to the case for insidious Chinese hacker cells as the opium den's modern analog.

Also, as reported in New Matilda and elsewhere this week, the AFACT/iiNet suit is to be appealed again, this time in a special sitting of the High Court in Sydney. The brave underdogs of Hollywood are hoping to be third-time-lucky in their quest to offload the onus for hunting copyright pirates onto ISPs. No wonder! Losing twice against Australia's pluckiest alternative ISP must be galling, especially if one conceives of the internet as a seedy "safe harbour" for online corsairs.

Although the two events may seem unrelated, they converge under the banner of cybercrime. The Australian Government also recently closed submissions on its proposed accession to the Council of Europe's Convention on Cybercrime. Initially ratified by the Council's European members in 2001 and acceded to by the United States in 2006, the convention establishes an extensive intergovernmental intelligence-sharing regime and a raft of criminal offences for deviancy online.

It's a broad-reaching scheme, curious for the fact that in a world where Moore's law reigns, it's now 10 years old.

There is a strong case for intergovernmental cooperation on cybercrime. When a Russian phisher can operate out of Turkey, use servers in Sweden, and skim your internet banking details from a netcafe in New York, problems of legal jurisdiction are obvious, if not intractable. On its face cooperation between security and intelligence agencies seems necessary.

Problem is, when one considers what that cooperation entails it's not so clear cut. For instance, how can constitutional differences between jurisdictions be overcome? What happens when different member states conceive of crime differently and express that in their criminal statutes? No worries! Article 25 of the Convention demands that member states provide extensive mutual assistance, even in cases where offences don't necessarily match up in each jurisdiction. This is a distinct watering down of the doctrine of dual criminality, which at its core is an expression of national sovereignty.

Why is this cause for concern? Article 16 mandates state preservation of online data and expedited measures for its sharing with member states. This would have to happen at the level of ISPs, who would be required to keep copies of your emails, web history and the like — for up to 90 days. Consider that the Convention also establishes a 24/7 contact point for intergovernmental agencies and measures to enable real-time observation at the ISP level (so Stephen Conroy can watch what you're doing online as it happens) — and lament that Michel Foucault is no longer around to write eDiscipline and iPunish.

Although the state's fixation on internet paedophiles is explicitly invoked in the Convention to justify measures like this, retention of vast amounts of data on ordinary citizens' browsing habits means even those who obey the law should be worried — even if they're not a self-proclaimed wet civil libertarian.

Central data retention is an incredible risk, when we remember our much-maligned friends, the Chinese hackers. If they're prepared to hack parliamentary computers mainly used for correspondence (Dear Twiggy, sorry about the Carbon Tax…), then what expense would be spared to batch download trillions of emails that could include logins, passwords, scans of personal documents and so on? It's an identity thief's dream.

Furthermore, the WikiLeaks saga should make clear by now that governments are capable of producing distortions all by themselves. The NSW Council for Civil Liberties is concerned that some signatories could employ torture or the death penalty on intel provided by Australia under the agreement.

It's unsurprising that Australia wants to buy into the scheme. Our government's policy mindset on the internet, typified by Stephen Conroy's "clean feed" web filter, is aligned with surveillance and heavy-handed regulation.

Moreover, the Commonwealth Criminal Code is already largely compliant with the Convention. Offences include: unauthorised access or modification of data on computers and networks, the creation and dissemination of malware (software with a malicious purpose like viruses and self-replicating worms), and the use of botnets, large covert networks of compromised "zombie" computers that can be controlled from a single machine for nefarious purposes.

The convention also obligates member states to enact further criminal offences for copyright infringement. Australia already did so in the Commonwealth Copyright Amendment Act 2006.

In view of all this, what new benefits would we derive from acceding to the Convention? In its discussion paper the Attorney-General's Department argues that accession and expediting international data sharing will:

"also demonstrate Australia's commitment to actively engage in international efforts to combat cyber crime and complements the Australian Government's broader policy agenda on cyber crime and cyber security."

There has been plenty of criticism of this motivation from a governmental and civil liberties position. Stilgherrian's excellent essay on The Drum makes for good reading on the topic. But I think one of the novel benefits lies elsewhere, namely on the issue of copyright.

The resurgence of the AFACT/iiNet suit discussed earlier is another casus belli for Conroy and his goons, who hate internet piracy as much as the next Hollywood mogul. iiNet's tenuous victory was thanks to AFACT's inability to provide enough data to render their infringement notices sufficiently credible. It doesn't require a particularly vivid imagination to picture Hollywood and the music industry slobbering over new requirements for ISPs to store terabytes of information on their customers' browsing and downloading histories.

At any rate, if copyright infringement is so endemic as to demand extensive criminalisation to correct it, either our societal mores dictate it's not a morally reprehensible act, or we're a morally bankrupt polity. It's hard to compare copyright infringement with theft, a real crime, because intellectual property is a legal fiction; copyright infringement is non-rivalrous (if you download a movie it doesn't prevent somebody else from doing so) and non-excludable (it's impossible to build barriers around ideas).

So apart from justifiable suits like large-scale corporate theft of IP, should the state exert a heavy hand in helping business enforce their civil rights?

The clean feed, criminal penalties for downloading music and films, the fixation on cybercrime as typified by seedy hackers both overseas and lurking in every teenage bedroom, insidious paedophile rings and other forms of sexual deviancy: policymakers and business see the internet as unruly, wild and in need of sanitising. All solutions converge on the point of regulation and punishment — it's all quite distinct from the internet's original character as a free home for subaltern communities.

For example, harmless and ethical "hacker" activity where curious users wander through unguarded systems, often alerting administrators to potential exploits, is now criminalised under the Commonwealth Criminal Code. A shame, considering that many pioneers honed their skills in that scene, many going on to contribute to free, democratic open source software projects. Hackers of this ilk are also in high demand by security software companies who sometimes run competitions to find holes in their products and then employ the winners.

Likewise, Distributed Denial of Service (DDOS) attacks are not always launched by illicit zombie botnets. Hacker collective Anonymous uses a well-known application called "Low Orbit Ion Cannon" to allow users to voluntarily join a botnet, launching DDOS attacks on organisations as a form of social protest and dissent. Blogger and academic Evgeny Morozov likens these actions to "sit-ins" in corporate headquarters or government buildings, an historically legitimate form of dissenting behaviour.

The more governments impose regulatory duties on ISPs, the stronger the impetus becomes for people to spy upon and regulate each other's conduct — rather than having real, substantive criminal offences given due process by the courts.

Signing up to the Convention is to continue the new, sanitary approach to the internet — to preference foreign security over individual freedoms, majority norms over legitimate dissent, commercial interests over already marginal subaltern voices. Beyond civil liberties, a fixation on regulation rather than individual responsibility online does us all a disservice by diluting the richness of our still nascent online world.



New Matilda is independent journalism at its finest. The site has been publishing intelligent coverage of Australian and international politics, media and culture since 2004.