DevEX - reference for building teams, processes, and platforms
Cybercrime Court Decisions from Latin America - Legal and Policy Developments (HTCIA Conference, Atlanta, GA (USA), 20 Sept. 2010)
1. Recent Cyber-crime Court Decisions
from Latin America
Legal & Policy Developments
Renato Opice Blum
Cédric Laurant
Presentation available at http://blog.cedriclaurant.org
High Technology Crime Investigation Association
International Conference
(Atlanta, GA – USA - Sept. 20-22, 2010)
http://www.htciaconference.org/
2. 2
OUTLINE
A. The importance of cyber-crime in Latin America for US
cybersecurity professionals
B. How this emerging cyber-crime activity impacts American
companies and computer users
C. Major legal & policy developments related to cyber-crime in
Latin America
D. Recent cyber-crime court decisions from Brazil and Argentina
E. Recent data protection developments in Latin America - How
they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
5. 5
OUTLINE
A. The importance of cyber-crime in Latin
America for US cyber-security and law
enforcement professionals
B. How this emerging cyber-crime activity impacts American
companies and computer users
C. Major legal & policy developments related to cyber-crime in
Latin America
D. Recent cyber-crime court decisions from Brazil and Argentina
E. Recent data protection developments in Latin America - How
they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
6. A. The importance of cyber-crime in Latin America for US cyber- 6
security and law enforcement professionals
• Cyber-crime is growing in Latin America, especially in Brazil.
– In Brazil, more than 6 out of 10 computers get infected by viruses and malware
attacks, compared to an average of 1 out of 2.
From: Norton Cybercrime Report: The Human Impact (August 2010)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
7. A. The importance of cyber-crime in Latin America for US cyber- 7
security and law enforcement professionals
• Cyber-crime is international by nature.
• It requires international cooperation among
all countries.
• But it also requires speedy international
cooperation.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
8. 8
OUTLINE
A. The importance of cyber-crime in Latin America for US
cybersecurity and law enforcement professionals
B. How this emerging cyber-crime activity
impacts American companies and computer
users
C. Major legal & policy developments related to cyber-crime in
Latin America
D. Recent cyber-crime court decisions from Brazil and Argentina
E. Recent data protection developments in Latin America - How
they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
9. B. How this emerging cyber-crime activity impacts US 9
companies and computer users
• 1. Impact on US companies.
• 2. Impact on American people whose
personal information is misused, leaked,
stolen.
• 3. Impact on American consumers and e-
commerce in the US.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
10. B. How this emerging cyber-crime activity impacts US 10
companies and computer users
• 1. Impact of cyber-crime on US companies:
– Key conclusions from a recent study (*) that quantifies the economic impact
of cyber-crime attacks:
• “Cyber-crime attacks” include criminal activity conducted via the Internet: theft of
a company’s intellectual property, confiscation of online bank accounts, creation
and distribution of viruses on other computers, posting confidential business
information on the Internet, and disruption of a country’s critical national
infrastructure.
• “Cost” includes: “direct, indirect and opportunity costs that resulted from the loss
or theft of information, disruption to business operations, revenue loss and
destruction of property, plant and equipment, and the external consequences of
the cyber crime. The survey also captures the total cost spent on detection,
investigation, containment, recovery and after-the-fact or “ex-post” response.
• Cyber crimes can do serious harm to an organization’s bottom line. The median
annualized cost of cyber crime of the 45 organizations surveyed is $3.8
million per year. It can range from $1 million to $52 million per year per
company.
(*) Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
11. B. How this emerging cyber-crime activity impacts US 11
companies and computer users
From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010
12. B. How this emerging cyber-crime activity impacts US 12
companies and computer users
• Impact of cyber-crime on US companies:
– Key conclusions from a recent study that quantifies the economic impact of
cyber-crime attacks:
• Cyber-crime attacks are now common occurrences. The
companies surveyed experienced 50 successful attacks per
week and more than one successful attack per company per
week.
• Cyber-crime attacks can get costly if not resolved quickly:
average number of days to resolve a cyber attack was 14
days; average cost per company of $17,696 per day. Malicious
insider attacks can take up to 42 days or more to resolve.
Quick resolution is needed for today’s cyber-crime attacks.
• Information theft represents the highest external cost,
followed by the costs associated with the disruption to
business operations.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
13. B. How this emerging cyber-crime activity impacts US 13
companies and computer users
From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010
14. B. How this emerging cyber-crime activity impacts US 14
companies and computer users
• Impact of cybercrime on US companies:
– Key conclusions from a very recent study that quantifies the economic
impact of cyber-crime attacks:
• Detection and recovery are the most costly internal
activities.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
15. B. How this emerging cyber-crime activity impacts US 15
companies and computer users
From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010
16. B. How this emerging cyber-crime activity impacts US 16
companies and computer users
• Impact of cybercrime on US companies:
– Key conclusions from a very recent study that quantifies the economic
impact of cyber-crime attacks:
• All industry sectors are impacted.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
17. B. How this emerging cyber-crime activity impacts US 17
companies and computer users
From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010
18. B. How this emerging cyber-crime activity impacts US 18
companies and computer users
• 2. Impact on American people whose personal information
is misused, leaked, stolen.
• 3. Impact on American consumers and e-commerce in the
US.
The Norton Cybercrime Report: The Human Impact released
last August finds that:
– “For nearly 3 in 10 victims, the biggest hassle is the time it takes
to sort things out: […] 4 weeks to resolve an average cyber-crime
incident.”
– “There’s the emotional baggage, with around 1/5 of victims finding
it made them stressed, angry and embarrassed (19%), and 14%
mourning the loss of irreplaceable data or items of sentimental
value, such as photo collections.”
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
19. B. How this emerging cyber-crime activity impacts US 19
companies and computer users
From: Norton Cybercrime Report: The Human Impact (August 2010)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
20. 20
OUTLINE
A. The importance of cyber-crime in Latin America for US
cybersecurity and law enforcement professionals
B. How this emerging cyber-crime activity impacts American
companies and computer users
C. Major legal & policy developments related to
cyber-crime in Latin America
D. Recent cyber-crime court decisions from Brazil and Argentina
E. Recent data protection developments in Latin America - How
they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
21. C. Major legal & policy developments related to cyber-crime in 21
Latin America
• Organization of American States:
– 1999: first concern about cyber-crime.
– 1999: established an intergovernmental cyber-crime expert group.
– 2000: the Council of Ministers of OAS Member States issued a set of
recommendations:
• Facilitate cooperation among OAS Member States
• Increase technical and legal capacity-building
• Consider implementation and signature of CoE Cybercrime Convention
• Study feasibility of an Inter-American model of cybercrime legislation.
– Several expert group meetings have taken place every year and
have started:
• To put in place information exchange and cooperation mechanisms
among all OAS countries and with relevant international organizations
(Council of Europe, UN, EU, G8, OECD, APEC, Commonwealth,
Interpol)
• To establish public-private collaboration mechanisms.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
22. C. Major legal & policy developments related to cyber-crime in 22
Latin America
• The Council of Europe’s Cybercrime Convention:
– Adopted and opened for signature in 2001, entered into
force on July 1, 2004.
– As of April 2009, 46 States have signed it, 25 have
ratified it.
– Costa Rica, the Dominican Republic, Mexico and Chile
have been invited to accede. Argentina requested
accession.
• Any State may accede following majority vote in Committee of Ministers and
unanimous vote by the parties entitled to sit on the Committee of Ministers.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
23. C. Major legal & policy developments related to cyber-crime in 23
Latin America
• Argentina and Colombia enacted new cyber-crime
laws:
– Argentina’s Act on Cybercrimes (“Ley de Delitos
Informáticos”) (Law No. 26.388 of 2008): includes all
cyber-crimes defined as such by the United Nations and
the CoE Cybercrime Convention.
– Colombia adopted a cyber-crime law (No. 1273 of 2009)
that criminalizes the illegal acquisition and sale of
personal data, phishing, hacking, use of malware and
viruses, computer theft.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
24. C. Major legal & policy developments related to cyber-crime in 24
Latin America
• C o u n c i l o f E u r o p e ’ s “ G l o b a l P r o j e c t o n
Cybercrime” (between March 1, 2009 – June 30, 2011)
– Objective: promote broad implementation of the Convention on Cybercrime.
– To be achieved through results in the following areas:
• Legislation and policies
• International cooperation
• Law enforcement – service provider cooperation in the investigation of
cybercrime
• Financial investigations
• Training of judges and prosecutors
• Data protection and privacy
• Exploitation of children and trafficking in human beings.
• Cooperation with 120+ countries
• Legislation strengthened in more than 100 countries, including in Argentina,
Colombia, Dominican Republic
• Contributes to the organization of regional legislative workshops in Latin
America
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
25. C. Major legal & policy developments related to cyber-crime in 25
Latin America
• The challenges of cyber-crime in Latin America
– 1. Challenges to international cooperation on cyber-crime:
• Transnational character of computer crimes
• Lack of appropriate legislation on cyber-crime
• Lack of harmonization between different national laws
• Legal powers for investigation are insufficient (e.g.,
inapplicability of seizure powers to intangibles such as
computer data)
• Lack of specialized personnel and equipment
(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,”
Regional Workshop, Mexico City, August 26-27, 2010.)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
26. C. Major legal & policy developments related to cyber-crime in 26
Latin America
• The challenges of cyber-crime in Latin America
– 2. Challenges to fighting cyber-crime:
• Policies and awareness of decision-makers
• Harmonized and effective legislation
• Regional and international cooperation
• Law enforcement capacities and training
• Judicial training
• Law enforcement and cooperation among ISPs
(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,”
Regional Workshop, Mexico City, August 26-27, 2010.)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
27. C. Major legal & policy developments related to cyber-crime in 27
Latin America
• The challenges of cyber-crime in Latin America
– 3. Difficulties of regional and international cooperation:
• Limitations regarding skills, knowledge and training of judges, and to
some extent prosecutors. Direct impact on mutual legal assistance
process (e.g., difficulty to understand cyber-crime matters; reluctance to open a
case or issue search warrants).
• Insufficient use of possibility provided by international agreements for
direct contacts between judicial authorities in urgent cases and efficient
communication channels.
• Involvement of Contact Points (“CP”) network established under Cyber-
crime Convention in the MLA process is too limited.
• Not all CP sufficiently trained, resourced or available to assist competent
authorities and facilitate the process.
• Authorities for MLA of many countries receive a large volume of
requests.
(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,”
Regional Workshop, Mexico City, August 26-27, 2010.)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
28. C. Major legal & policy developments related to cyber-crime in 28
Latin America
• Advantages of using the CoE Cyber-crime
Convention as a model of legislation in Latin America
– Provides important tools for law enforcement to investigate cyber-
crime.
– Provides for Latin American countries:
• Harmonization of criminal law provisions on cyber-crime with those of
other countries.
• Legal and institutional basis for international law enforcement and
judicial cooperation.
• Participation in the Consultations of the Parties. (T-CY: “Convention
Committee on Cybercrime”).
• The treaty as a platform facilitating public-private cooperation.
Convention provides global standards and a framework for an effective
fast international cooperation.
(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop,
Mexico City, August 26-27, 2010.)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
29. 29
OUTLINE
A. The importance of cyber-crime in Latin America for US
cybersecurity and law enforcement professionals
B. How this emerging cyber-crime activity impacts American
companies and computer users
C. Major legal & policy developments related to cyber-crime in
Latin America
D. Recent cyber-crime court decisions from
Brazil and Argentina
E. Recent data protection developments in Latin America - How
they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
30. 30
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
33. 33
BRAZIL – SOME CASES
MEDICAL CLINIC
database copy / unfair competition
AUTOMOTOR COMPANY
illegal video
BROKER COMPANY
database breach / unfair competition
AIRLINE COMPANY
database breach
CHEMICAL INDUSTRY COMPANY
database breach
FORMULA ONE PILOT
image damage
BEVERAGE COMPANY
483 confidential files
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
34. 34
CASES
ILLICIT
• SCAMS
• HIJACKING THROUGH GAME PASSWORD
• LIBRARY EMPLOYEE – CONTENT COPIED – ORKUT
• SÃO PAULO STATE COURT – 3000 TIMES
• DATA BASE CAPTURING – CURRICULUM FIRM ON THE INTERNET
• RIO GRANDE DO SUL STATE COURT – UNAUTHORIZED ACCESS TO
DATABASE
• COUPLE ON THE BEACH – PRIVACY
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
35. 35
BRAZIL
CONSTITUTION
Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE.
Section 5.12 – Secrecy of correspondence and telecom – INVIOLABLE.
CIVIL CODE
Section 20 – Disclosure of writings, the transmission of the word, or publication,
display or use the image of a person.
Section 21 – Private life of a person – INVIOLABLE.
EXPECTATION OF PRIVACY
SÃO PAULO STATE COURT DECISION
Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in love) on
locations – Spanish beach – Injunction to terminate the exposure of movies and photos on web-sites
because it is probable to presume lack of consent to publication. Filing with a daily penalty payment
of $ 250,000.00, in order to inhibit infringement of the command to abstain.
The paparazzi are known for aggressively working with the capture of images, which characterizes
the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these
professionals that do not require authorization for their photos and, especially, to legalize the
sensationalism and scandal propagated by the media, without permission of those involved.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
36. 36
ARGENTINA – COURT DECISION
SEARCH ENGINE FILTER
MARADONA FORBIDS GOOGLE TO
ASSOCIATE HIM TO SEX SITES
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
37. 37
SEARCH ENGINE FILTER
RIO DE JANEIRO STATE COURT
INTERLOCUTORY APPEAL
“I note that the injunction has already been accomplished by placing a FILTER ON THE
SEARCH ENGINES. In this manner, it seems more reasonable to maintain the status
quo, pending examination of the matter, without any harm to the plaintiff and without
prejudice for the defendant, who has fully complied with the measure.”
(Interlocutory appeal 20006.002.05508)
Argentina
In two search engines – Google and Yahoo – is possible to make a search to avoid that
certain words appear among search results. In fact, this procedure could be configured to
avoid that a certain word be linked with others in certain types of search or in any search. It is
therefore technically possible to adapt the search for information by avoiding certain words.
IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC LINKING SITES TO
INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR SEXUAL CONTENT, AND
ESTABLISH OTHER INDEX IMAGES THAT DO NOT ALLOW CERTAIN PEOPLE (…)
The content selection control cannot affect the operation of the search engine site or access
to Internet content by users. (99.620/06)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
38. 38
BRAZIL
PARANA STATE COURT
NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR.
HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT,
ONLY ABOUT THE PENDING PROCESS
JUDGE ORDERS
GOOGLE TO SET
UP A FILTER TO
R A N D O M I Z E
R E S U LT S W I T H
PLAINTIFF’S NAME,
MAKING POSSIBLE
T H E R O TAT I O N
BETWEEN NEWS
PARANA STATE COURT 1819/2008
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
39. 39
BRAZIL
CONSUMER DEFENSE CODE
Section 43 – Database access.
Section 72 – Block access. Detention from six months to one year or a
fine
PRIVACY
SANTA CATARINA STATE
COURT DECISION
Consumer Defense Association
causes damages to consumers by
disclosing its database to third
parties. Association must include a
warning about the disclosure and
ask for permission.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
40. 40
BRAZIL
WIRETAPPING – ACT 9296/1996
Section 1 – Interception of telephone communications – flow of
communication.
Section 10 – Intercept communication or violate secret of Justice, without
judicial authorization – confinement from two to four years and fine.
PRIVACY
SÃO PAULO STATE COURT DECISION
Breach of confidentiality of correspondence and of telegraphic, data and telephone
communications – Non-occurrence – Seizure of emails in possession and known of
the recipient by court order – Strong suspicions that the material might enlighten the
criminal infraction – Interpretation of Section 5, XII of the Constitution.
THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
41. 41
BLOGGER CONVICTED TO INDEMNIFY
State Court of Ceará
BLOGGER POSTED CONTENT WICH
GENERATED OFFENSIVE COMMENT.
HE WAS UNABLE TO IDENTIFY THE AUTHOR
AND WAS CONVICTED TO INDEMNIFY THE
VICTIM IN R$16.000
http://www.correiobraziliense.com.br/app/noticia182/2010/02/24/tecnologia,i=175488/
SAIBA+COMO+TENTAR+EVITAR+PROBLEMAS+COM+O+USO+DA+REDE.shtml
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
42. 42
RS STATE COURT – CYBERBULLING
STUDENT CREATES WEBPAGE TO OFFEND ITS CLASSMATE. THE
COURT RULED FOR THE INDEMNIZATION TO THE VICTIM TO BE
PAYED BY THE DEFENDANT´S MOTHER.
APPEAL. LIABILITY. INTERNET. USE OF IMAGE FOR A DEROGATORY END.
FLOG CREATION - PERSONAL WEBSITE FOR POSTING PICTURES IN THE
NETWORK. PARENT´S LIABILITY. PATERNAL POWER. BULLYING. MORAL
DAMAGE IN RE IPSA. OFFENDED THE SO CALLED RIGHTS OF PERSONALITY.
The responsibility of ISP.
ISPs provide space for creating personal pages on the
World Wide Web, which are used freely by users.
However, with complaint of inappropriate or offensive
content to human dignity, the service provider needs to
detect and expeditiously remove the elements of this
page.
Imagem: http://farm3.static.flickr.com/2181/2512997167_d6ba9a5031.jpg
Source: http://g1.globo.com/vestibular-e-educacao/noticia/2010/07/justica-determina-que-mae-pague-indenizacao-vitima-de-cyberbullying.html
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
43. 43
SP State Court – Civil Code, Section 927
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
44. 44
ARGENTINE COURT DECISION
COURT DENIES TEXT MESSAGE AS
EVIDENCE OF WIFE’S INFIDELITY
http://adirferreira.files.wordpress.com/2009/02/sms.jpg
“The inviolability of
correspondence and
telecommunications – in this
case, the interception of text
messages – is only possible upon
court request.”
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
45. 45
LABOR COURT – 13th REGION
ORKUT’S PHOTO ALBUM IS USED AS AN EVIDENCE
AT HEARING. THE TOOL PROVED THAT AT A
CERTAIN DATE THE EMPLOYEE STILL WORKED AT
THE COMPANY.
Source: http://www.trt13.jus.br/engine/interna.php?pag=exibeNoticia&codNot=1769#
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
46. 46
REGIONAL LABOR COURT – E-MAIL AS AN EVIDENCE
Lawsuit nº 2004.028935-4
OVERTIME. EVIDENCE. E-MAIL. EVIDENCE VALIDITY. THE
ELECTRONIC MAIL IS A MODERN EVIDENCE THAT IS VALID TO
CERTIFY OVERTIME LABOR, AS LONG AS THERE IS NO DOUBT
RELATED TO TAMPERING, ESPECIALLY WHEN ITS CONTENT
REMAINS CORROBORATED BY OTHER EVIDENCE IN THE
CASE FILE. IF THE COMPUTER CLOCK WAS CHANGED FOR A
LATER TIME, AS ALLEGED IN THE APPEAL, THE DEFENDANTS
WOULD HAVE TO PROVE IT, AND THEY DIDN´T.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
47. 47
CRIMINAL STATE COURT OF SÃO PAULO
PRIVACY – BREACH OF CONFIDENTIALITY
TELECOMMUNICATIONS - BREACH OF CONFIDENTIALITY - "E-MAIL"
SENT FROM BRAZIL TO THE ELECTRONIC ADDRESS OF THE WHITE
HOUSE, IN THE CITY OF WASHINGTON, DC, WRITTEN IN ENGLISH,
CONTAINING THREATS TO PHYSICAL INTEGRITY OF THE PERSON OF
THE AMERICAN PRESIDENT AND ITS FAMILY – SUBPOENAED THE ISP
TO PROVIDE PERSONAL IDENTITY AND ADDRESS OF USER
CONNECTED AT THAT MOMENT TO SUCH “IP” NUMBER - NOTIFICATION
REJECTED ON THE GROUND THAT THE DATA REQUEST IS PROTECTED
BY THE FEDERAL CONSTITUTION FOR TELECOMMUNICATION SERVICES,
SO THAT DATA REQUEST PROCEDURES WOULD BE REGULATED BY
ACT Nº. 9296/96, ESPECIALLY WITH REGARD TO THE NEED FOR A
JUDICIAL ORDER - Habeas Corpus to not be prosecuted for disobedience.
Habeas corpus denied.
Need of legal authorization for the breach of confidentiality of
telecommunications - postal, telephone or transmission of messages or data.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
48. 48
ARGENTINA – COURT DECISION
E-MAIL MONITORING
E-mail at work. Private use. Importance as a working tool. Privacy.
Need for clear policies on its use. Dismissal for cause. Rejection.
(CAUSE 15198/2001 S. 36580)
“E-mail has more privacy protection than the classic snail mail,
because to operate it, it is required to use a service provider, a user
name and a password, that prevents others from intruding into the
data and content sent and received. (…) According to constitutional
guarantees, along with the evidences concerning the alleged emails
the defendant’s privacy is violated with the consequent harm to his
dignity and self-determination.”
(C. 35.369 Ins. 18/156)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
49. 49
BRAZIL – SUPERIOR LABOR COURT
PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER
Password does not imply any expectation of privacy in relation to corporate
email once the PASSWORD BECOMES AN EMPLOYER’S PROTECTION
TOOL TO PREVENT THIRD PARTIES TO ACCESS THE CONTENT OF
MESSAGES. (…) Also, there is no offense to the principle of inviolability of
intimacy and privacy (Section 5, X, CF/88), once an employee can’t be
granted the right to privacy with respect to the use of a corporate email
system made available by his company. Otherwise, the employee had no
reasonable expectation of privacy, which is conveyed by the statement that the
corporate e-mail was intended "only for issues and matters affecting the
service” (fl. 636). At last, there is no harm to the principle that ensures
admissibility in the process of evidence obtained by illegal means (Section 5,
LVI): the corporate e-mail is company’s property, merely transferred to the
employee for working purposes, and the employer may exercise control both
formal and material (content) over the messages that travel through his
corporate email system.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
50. 50
RS STATE COURT – EVIDENCE (EMAIL)
E-MAILS CONTAINING PLAINTIFF’S PERSONAL DATA,
ALONG WITH THE INFORMATION THAT SHE IS A
CALL-GIRL. SENT BY EX-BOYFRIEND. INCOMING
CALLS FROM PEOPLE INTERESTED IN HER SEXUAL
SERVICES. SUBJECTIVE LIABILITY. NEGLIGENCE.
MORAL DAMAGES.
Declarations by the ISP are in his legal file that proves the
e-mail was sent from a domain name that belongs to the
defendant, and considering the failure to prove a fact wich
could remove his liability, the case is upheld.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
51. 51
RIO GRANDE DO SUL STATE COURT
Rio Grande do Sul Court of Appeals determines INDEMNIZATION TO
FURNITURE STORE´S CLIENT FOR BEING COLLECTED IN A
VEXATIOUS WAY THROUGH ORKUT.
Appeal Nº 71002350874/2009
D A M A G E R E PA I R . I N C U R R I N G D E B T F O R T H E P U R C H A S E O F
FURNITURE. VEXATIOUS COLLECTION. POST ON PLAINTIFF´S ORKUT
PROFILE STATING HE WAS INDEBTED. LIABILITY OF THE COMPANY ON
BEHALF OF WHOM HE WAS CHARGED FOR THE FURNITURES. MORAL
DAMAGES. EXISTING DEBT. REDUCED VALUE. APPEAL PARTIALLY UPHELD.
(...) because the defendant, from whom the furnitures had been purchased through
installments, had called several times to collect the bill and had posted on the
plaintiff´s orkut profile that he was indebted, causing embarassment among
his co-workers (...)
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
52. 52
BRAZIL – LABOUR COURT (2nd REGION)
I N D U S T R I A L P R O P E R T Y. E M P L O Y E E
ORDERED TO COMPENSATE COMPANY FOR
PUBLISHING MATERIAL NOT YET PUBLISHED
“(...) THE DEFENDANT HAD PUBLISHED IN ORKUT MANY
PHOTOGRAPHS RELATED TO A PRODUCT THAT HAD NOT EVEN
BEEN LAUNCHED, WHICH PREMATURE DISCLOSURE DID NOT AND
DO NOT INTEREST THE AUTHOR, HOLDER OF INDUSTRIAL
PROPERTY RIGHTS”.
“(...) IT IS ABSOLUTELY IRRELEVANT TO KNOW IF THE DEFENDANT
HAS ACTED WITH BAD FAITH, BECAUSE WHAT IS IMPORTANT TO
INVESTIGATE IS THAT THERE IS A HIGH LIKELIHOOD THAT
REFERRED DISCLOSURE CAN CAUSE PATRIMONIAL HARM TO THE
AUTHOR”.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
53. 53
FEDERAL COURT – 2nd REGION (RJ)
“CRIMINAL LAW AND CRIMINAL PROCEDURE. CRIME AGAINST
TELECOMMUNICATIONS COMPANIES. ILLEGAL DISTRIBUTION OF
CABLE TV SIGNAL. UNION’S INTEREST. FEDERAL COURT
JURISDICTION. RECLASSIFICATION OF FACTS. CRIMES OF SECTION
171 OF CRIMINAL CODE AND SECTION 183 OF ACT Nº 9.472/97.”
I - The conduct attributed to defendants in the complaint is the illegal distribution of
cable TV signals, which violates the uniqueness of the Union to organize the
exploitation of telecommunications services.
III - The retransmission of illegal cable TV signal is not atypical. Though TV signal is
not considered a source of energy, ruling out the possibility to characterize the crime
as a theft, the crime to be considered is qualified as “larceny by fraud”.
(...) I correct the material error for the accused to be CONVICTED under the terms
of the sentence, but TO BE ARRESTED."
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
54. 54
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
55. Lawsuit nº 591/07 – Unfair competition (Sponsored links)
District of justice of São Carlos – 1st criminal court
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
56. 56
FEDERAL COURT – 1st REGION
CRIMINAL PROCEDURE. HABEAS CORPUS. SCAM. INTERNET
CRIME. TEMPORARY PRISON. ABSENCE OF REQUIREMENTS.
1. Larceny by fraud practiced over the internet, with the participation of
several people with specific activities - a) the programmer (the one who
designs the phishing website and the malicious codes, e.g. the trojan) – the
person responsible for capturing passwords; is the cracker, not the hacker,
b) the user (who directly uses the software); c) the carder (responsible for
obtaining credit cards and bank notes that will be paid through the Internet);
d) the sub-carder (the person who, despite not knowing the software users,
buy the magnetic cards from mules and sell them to carders that make
contact with users; e) the mule (the one who lends your bank account to
receive the money from the illicit activity) – aiming to phish the account
holder´s password and withdraw the money from his bank account.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
57. 57
PARANÁ STATE COURT – CRIMINAL APPEAL
LAWSUIT Nº 2004.028935-4
CRIMINAL APPEAL - INSERTION OF FALSE DATA INTO INFORMATION
SYSTEM (SECTION 313-A OF CRIMINAL CODE) - AUTHORSHIP AND
MATERIALITY PROVED - CIVIL SERVANT WHO INSERTED FALSE DATA
ON CIRETRAN´S SYSTEM REQUESTED BY HER BOYFRIEND -
RELEASING VEHICLE´S DOCUMENTS WITHOUT PAYING THE
PROPER FEES - VEHICLE LICENSE FEES NOT COLLECTED -
DISQUALIFICATION THE FOR PREVARICATION - CONDUCT WICH
OVERSTEPPED THE LIMITS EXPOSED IN SECTION 319 oF THE
CRIMINAL CODE - PENALTY DECREASE - LATER REGRET - CRIME
PRACTICED 17 TIMES REPETITIVELY, SHOWED LACK OF REGRET -
INCREASING THE PENALTY IS SUITABLE, CONSIDERING THE
NUMBER OF RECIDIVISM - CRIME COMMITTED AGAINST THE PUBLIC
ADMINISTRATION - PENALTY OVER A YEAR - LOSS OF JOB -
COMDEMNATION EFFECT - APPEAL DENIED
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
58. 58
The arrows point...
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
59. 59
GREETINGS
“That God gives you serenity to accept things that
cannot be changed, courage to change things that
can be changed and wisdom to know the
difference”.
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
60. 60
OUTLINE
A. The importance of cyber-crime in Latin America for US
cybersecurity and law enforcement professionals
B. How this emerging cyber-crime activity impacts American
companies and computer users
C. Major legal & policy developments related to cyber-crime in
Latin America
D. Recent cyber-crime court decisions from Brazil and Argentina
E. Recent data protection developments in Latin
America - How they relate to cyber-crime
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
61. C. Recent data protection developments in Latin America – How 61
they relate to cyber-crime
• Relationship between data protection, cyber-security and
cyber-crime:
– A strong data protection framework is necessary to provide
support to cyber-crime laws.
– Implementing data protection processing rules during cyber-crime
investigations improves its accuracy and efficiency.
– Security breach notification requirements in the U.S. since 2005:
triggered by leaks, disclosures or theft of personal information.
• Lack of data protection frameworks in LAC (with a few
exceptions: Argentina and Mexico).
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
62. E. Recent data protection developments in Latin America 62
How they relate to cyber-crime
MEXICO
CONSTITUTION
- Since 2007, the Constitution expressly acknowledges the right of
personal data protection as a fundamental right.
- “The information pertaining to private life and personal data shall be
protected pursuant to the terms and exemptions set forth in the laws.”
“Every person, without the need to prove his own legal interest or
justify his use, shall have free access to public information, to his own
personal data and the correction of such data.”
- In 2009, the Constitution obliged the Congress to enact a data
protection law for the private sector within 12 months from the
publication of the reform. The deadline was April 30, 2010.
IAPP Global Privacy Summit
Washington, DC 2010
63. E. Recent data protection developments in Latin America 63
How they relate to cyber-crime
MEXICO
BILLS ON PERSONAL DATA PROTECTION
- Since 2001, there have been 6 data and privacy bills, which are
modeled loosely on international data protection standards such as
those found in the EU Data Protection Directive, the Spanish Data
Protection Law, the OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, and the APEC Privacy
Framework.
IAPP Global Privacy Summit
Washington, DC 2010
64. E. Recent data protection developments in Latin America 64
How they relate to cyber-crime
MEXICO
LEGAL FRAMEWORK AT THE FEDERAL LEVEL
- New data protection law since June 2010.
- There are several laws about privacy and data protection in
specific fields, such as finance and banking, consumers' rights,
credit information, telecommunications and national security.
- The Federal Law of Transparency and Access to the
Government Public Information (LFTAIPG) standardizes
principles under which the various organs of the State must
process citizens' personal data.
IAPP Global Privacy Summit
Washington, DC 2010
65. E. Recent data protection developments in Latin America 65
How they relate to cyber-crime
MEXICO
OBSTACLES TO OVERCOME
1.- Proliferation of federal regulation.
2.- Differences between state regulations.
3.- Lack of provisions about transborder data flows.
RELEVANT INTERNATIONAL INSTRUMENTS
OECD Recommendations on Privacy.
Mexico is an OECD member since 1994.
APEC Privacy Framework, 2004.
Economic Partnership, Political Coordination and Cooperation
Agreement between the European Community and its Member
States, and the United Mexican States, 2000.
IAPP Global Privacy Summit
Washington, DC 2010
66. E. Recent data protection developments in Latin America 66
How they relate to cyber-crime
COLOMBIA
DATA PROTECTION LAW OF 2008
Ley Estatutaria 1266 de 2008
Habeas data
Limited to the financial sector (banks, credit reporting
and commercial companies).
IAPP Global Privacy Summit
Washington, DC 2010
67. E. Recent data protection developments in Latin America 67
How they relate to cyber-crime
COLOMBIA
PRIVACY IN E-GOVERNMENT SERVICES
General obligation of all government entities that use
electronic resources to manage the information of
citizens in a manner respectful to their privacy.
Decree No. 1151 of 2008 establishes general
principles to follow in how online services are
provided by the government.
Protection of privacy is further regulated by the
Ministry of Communications’ “e-Government Policy
Manual,” applicable throughout all governmental
entities.
IAPP Global Privacy Summit
Washington, DC 2010
68. E. Recent data protection developments in Latin America 68
How they relate to cyber-crime
PERU
“SAN SALVADOR COMMITMENT” (2008)
2nd Ministerial Conference on the Information Society
in Latin America and the Caribbean.
Decision made to:
“facilitate dialogue and coordination of various
regulatory initiatives at the regional and local levels that
may contribute to the region’s regulatory
harmonization, especially on the topics of privacy and
data protection”;
“invites countries to consider the possibility of ratifying
or acceding to the Council of Europe Cybercrime
Convention as an instrument to facilitate [the]
integration and regulatory adaptation in this area within
the framework of principles of protection of the right to
privacy.”
IAPP Global Privacy Summit
Washington, DC 2010
69. 69
Speakers
Renato Opice Blum, CEO and
Partner, Opice Blum Advogados
Associados (Brazil)
http://www.opiceblum.com.br
<renato [at] opiceblum [dot] com [dot] br>
Cédric Laurant, Independent
Privacy Consultant
http://blog.cedriclaurant.org - http://security-
breaches.com
<cedric [at] laurant [dot] org>
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
70. 70
WWW.OPICEBLUM.COM.BR
Renato Opice Blum
renato@opiceblum.com.br
twitter.com/opiceblum
Lawyer and Economist;
Coordinator of Electronic Law's MBA, of São Paulo Law School;
Invited Professor at Electronic Law’s Course, Florida Christian University, Fundação Getúlio
Vargas (FGV), PUC, FIAP, Rede de Ensino Luiz Flávio Gomes (LFG), Universidade Federal do Rio
de Janeiro, FMU and others;
Speaker teacher at Mackenzie University;
Collaborating Professor of ITA-Stefanini’s partnership;
Speaker at the IAPP’s Global Privacy Summit 2010, Washington, DC
Arbitration Referee at FGV and Mediation and Arbitration's Chamber of São Paulo (FIESP);
President of the Superior Council of Information Technology of the Trade Federation of São
Paulo, and Technology Law Committee of AMCHAM; Member of Information Society Law
Committee – OAB/SP; Former Vice-President of Electronic Crime’s Committee – OAB/SP;
Member of American Bar Association (ABA), Inter American Bar Association (IABA),
International Law Association (ILA), International Bar Association (IBA) and International
Technology Law Association (Itechlaw);
Coordinator and co-author of “Internet and Electronic Law Manual”;
CEO at Opice Blum Attorneys-at-Law http://www.opiceblum.com.br/lang-en/index.html
Résumé at Lattes Platform: http://lattes.cnpq.br/0816796365650938
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)
71. 71
www.cedriclaurant.org
Cédric Laurant
cedric [at] laurant.org
twitter.com/cedric_laurant
Independent consultant based in Brussels, Belgium.
Attorney, member of the District of Columbia Bar.
Specialty areas: international privacy, data protection and information security.
Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the
research of the "European Privacy and Human Rights”, a European Commission-funded privacy research
and advocacy project. Info at: http://phr.privacyinternational.org/
Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and
Developments (EPIC & Privacy International 2003, 2004, 2005).
Formerly Visiting Law Professor, University of los Andes (Bogota, Colombia) and International Privacy
Project Director, Electronic Privacy Information Center (Washington, DC).
Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London).
Profile/Résumé: http://www.linkedin.com/in/cedriclaurant
Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com
High Technology Crime Investigation Association International Conference
(Atlanta, GA - USA – Sept. 20-22, 2010)