Original Articles

The legal duty of IAPs to preserve traffic data: a dream or a nightmare?

Pages 221-230 | Published online: 22 Jan 2007
 

Abstract

This paper describes, from the perspective of a defence attorney, the role and the limitations of IAP involvement in digital evidence collection in Italy.

Notes

Correspondence: Andrea Monti, Studio Legale Monti, 96 Via Paolini, 65124 Pescara, Italy. E‐mail: [email protected]. He is at the University of Chieti, Italy.

See A Monti ‘The network society as seen from Italy’ The Information Society, Vol 18 No 3, 2002 and in Proceedings of the 10th Conference on Computers, Freedom and Privacy: Challenging the Assumptions, Toronto, Ontario, Canada, 2000, pp 189–193. Available in English (http://www.ictlaw.net/internal.php?sez=art&IdT=1&IdTA=31&IdA=274&lang=3, http://portal.acm.org/ft_gateway.cfm?id=332282&type=pdf&coll=GUIDE&dl=ACM&CFID=14801289&CFTOKEN=94375145 v. Dec. 8, 03) and Italian (http://www.ictlaw.net/internal.php?sez=li_art&IdT=1&IdTA=31&lang=1 v. Dec. 8, 03).

On 24 December 2003 the Italian Government passed the decree‐law No 354/03 (http://www.alcei.it/documenti/dataret.htm v. Jan 29, 2004) imposing up to a 5‐year traffic data retention duty for ISP and Telco. The decree‐law (an exceptional power granted to the Government to deal with urgent issues) must be converted into a true law by the Parliament within 60 days in which the provisions can be deeply modified. Civil rights NGOs such as ALCEI (Associazione per la Libertà nella Comunicazione Elettronica Interattiva) raised public concern about the consequences of the choices made by the government. In detail, ALCEI claims, ‘the concept of responsibility is shifting from proven fact to assumed intention. Sanction or punishment no longer relates to the actual effects of a behaviour, but to the “status” of a “category” of people. While prevention, per se, is legitimate and correct, this way of applying the concept leads to suspicion against (real or imaginary) characterization of people. “Criminal models” are created in order to be persecuted not for what they “do”, but for what they “are”—or are assumed to be. These arbitrary definitions empower anyone who has control to persecute, with a variety of pretexts, anyone who is considered to be uncomfortable, unfriendly or untamed. As many “behaviour patterns” can be made up to suit the whims of whoever has access to retained data, various forms of persecution are developed against ‘virtual identities’ that can be created ad hoc on the basis of prejudice or questionable intentions. There is no limit to the number or kind of “tendencies” or “types” that can be made to include any person or category of people. The result is a sort of institutionalized pogrom, without even the visibility of a publicly declared ethnic or cultural prejudice. A consistent watch is to be kept in the defence of civil rights and personal freedom—and this is not only a matter of privacy. 
The issue goes far beyond the single case of a hastily and clumsily conceived Italian law—that is only an episode in a series that has been going on for several years and is getting worse all the time.’ See ALCEI Civil rights and ambiguity of crime ‘prevention’ http://www.alcei.it/english/actions/crimprev.htm, visited 29 January 2004.

RAND Europe Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries—Study for the European Commission Directorate—General Information Society (2002), p 119.

See, for instance, J F Blanchette and D Johnson ‘Data retention and the Panoptic Society: the social benefits of forgetfulness’ The Information Society Vol 18, No 1, 2002, pp. 33–45. Available at http://portal.acm.org/ft_gateway.cfm?id=276761&type=pdf&coll=GUIDE&dl=ACM&CFID=14801289&CFTOKEN=94375145, visited 8 December 2003.

The current approach is trapped within the context of examining ‘categories’; an approach based upon the examination of ‘facts’ may well be more productive.

The first alleged copyright infringement ‘mass investigation’, known even outside the Italian boundaries as the infamous ‘Italian Crackdown’, shut down hundreds of innocent BBSs that were part of the pioneering worldwide distributed FidoNet network. Hundreds of computers (in many cases also monitors, printers, other peripherals, even mouse mats) were seized in the homes and offices of people who turned out to be innocent and who became involved by mistake in the ‘witch hunt’ against alleged software traders. Thousands of users throughout Italy were deprived of their right to use e‐mail because the services they were using were abruptly put out of action. Their privacy was violated because the content of the seized computers (as well as all sorts of backup and storage) was open to detailed inspection by the authorities and by often carelessly chosen ‘experts’. The ‘Italian Crackdown Saga’ has been documented in two books: A Monti and S Chiccarelli Spaghetti Hacker Apogeo, Milan, 1997 and C Gubitosa Italian Crackdown Apogeo, Milan, 1999.

The word ‘documented’ refers here to currently pending or already judged cases.

Three different Public Prosecutor offices (Rome, Catania, Pescara) are still investigating cases ranging from illegal Internet‐based online casino advertising to Internet bookmaking.

See the case history section of this paper.

One of the most incredible cases is the defacement of several Italian Ministry websites, including Health, Transport, Agricultural Politics, reported on 15 May 2000 by ‘Il Messaggero’, one of the leading national daily newspapers (see http://ilmessaggero.caltanet.it/hermes/20000515/01_NAZIONALE/1/HACKERS.htm, visited 8 December 2003), which includes a report on the incident from ANSA, one of the leading Italian press agencies, from May 2000. The news of the incident received very poor coverage in the national media (both TV and newspaper). A search performed in two of the publicly available Italian court decision databases (InfoUTET—ver. 5/2003, JurisDATA 5/2003) shows that there is no evidence for a trial (even a first degree one) related to this matter.

In 1995, the Public Prosecutor of Rome successfully prosecuted two cases that are still considered leading examples in Italy: ‘Ice Trap’, in which an Italian cracker crew accused of breaching some low interest systems belonging to Banca d'Italia (Italy's central bank) was defeated, and ‘Gift Sex’, the ‘mother of all online child pornography investigations’. Other investigations currently pending (handled by the Public Prosecutor of Salerno and L'Aquila) are related to the breach of the computer systems of some Italian universities. Unofficial sources and rumour indicate that the reality is far worse than the picture obtained from prosecution figures. It is clear that the incidence of illegal activity is greater than the cases actually prosecuted, but it would be dangerous to attempt to determine numerical evidence from unverified data and press claims.

The case No 11577/01 started on 29 March 2001 with the identification of the alleged author of a program named ‘Vjierika’ that the law enforcement bodies that performed the investigation claimed to be a worm. The case is currently being heard by the Tribunale penale of Bologna.

A widely used program is the well known ‘Mirc’ IRC client.

In greater detail, the IAP‐generated elements of evidence are: connection and resource access date, time and duration, phone line ID and location, hardware and software tracking (operating system, Internet and mail client, etc.), mail content and delivery/reception information, IAP third party‐related information, mail relay information, third party IP number connection type (ftp, http, etc.), date, time and duration, content accessed, IAP log server (mail, web, chat, etc.), account activity and identity, copies of web pages.

See The HoneyNet Project Know Your Enemy Addison‐Wesley, London, 2002

Steganography (literally ‘hidden writing’) is a discipline dealing with techniques for hiding content within content. This is a powerful tool for investigative purposes because it can be used to hide a ‘watermark’ within an electronic image. Any image with such a watermark can be shown unequivocally to have originated within the law enforcement agency that watermarked the file, obviating the defence that the image merely appears similar to one that the prosecution alleges was obtained during the investigation. For a detailed description of how steganography works see: P Wayner Disappearing Cryptography 2nd edn. AP Professional, London (2002); E Cole Hiding in Plain Sight: Steganography and the Art of Covert Communication Wiley, Chichester, 2003 (Book and CD‐ROM edition).

Reseaux Internet Europeenne (RIPE—http://www.ripe.net) allocates IP numbers within Europe. The American Registry for Internet Numbers (ARIN—http://www.arin.net) is responsible for North America, a portion of the Caribbean and sub‐equatorial Africa. Asia Pacific Network Information Centre (APNIC—http://www.apnic.net) deals with the Asia Pacific community. The Latin American and Caribbean IP address Regional Registry (LACNIC—http://www.lacnic.net) deals with Latin America and the Caribbean.

Since log files are just digital text strings, the above‐mentioned operations should be executed, if not in the presence of the defence lawyer, at least by a skilled law enforcement officer documenting all the operations performed.

The Italian criminal procedural code says that every investigation must be listed in a general directory called ‘Registro generale delle notizie di reato’ (RGNR), where the case is assigned a progressive number (that starts from 1 every year) and a Public Prosecutor. The investigations related to an unknown defendant (as is usual in network computer crimes) are filed under the ‘Modello 45’ RGNR, while the ones related to an identified person are filed under ‘Modello Unico’. In network‐related crimes, the shift from ‘Modello 45’ to ‘Modello Unico’ should happen only after receiving the results of the forensic analysis of the seized data. What actually happens, instead, is that the shift is performed before the issue of the search warrant, thus transforming the IAP's customer into a person under investigation before any solid evidence has been found.

Only two Courts (namely, Turin and Venice) have asked to reverse the enforcement of a Public Prosecutor's order, stating that when dealing with computer‐related evidence what really matters is the hard‐disk content; thus limiting the seizing to data alone (Ordinanza Tribunale di Torino, 7 February 2000 http://www.ictlaw.net/internal.php?sez=giuris&IdT=7&IdTG=6&IdG=52 v. Dec. 8, 03) or to the whole mass‐memory (Ordinanza Tribunale di Venezia Oct. 15, 2001 – unavailable online). See also the Electronic Frontier Italy commentary, Sequestri di computer. Lo scandalo continua, available at http://www.alcei.it/sequestri/cs990615.html, visited 8 December 2003.

It happened during the investigation of the earlier mentioned alleged virus writing case. The information came from the public statement made by the law enforcement officer who performed the actions, during the cross‐examination held in the public hearing of 27 November 2003 at the Tribunal of Bologna.

The only existing regulations relating to data retention have been set for telephone services providers and—following the rules of interpretation of criminal law—cannot be extended to network data traffic without a specific law being passed to enable this. A controversial case is Sect.123 and 130 of the new Data Protection Act (Decreto legislativo No 196/03 ‘Codice in materia di trattamento dei dati personali’ – http://www.ictlaw.net/internal.php?sez=normL&IdT=2&IdTN=1&IdN=86, visited 8 December 2003) which regulates the retention of data. But it is clear that the terms have been conceived for telephone services only because the provisions talk about data needed to produce bills. A duty of network traffic data preservation might be deduced from the fiscal (Sect. 21–23, Decree of the President of the Republic No 633/72, Sect. 13–22, Decree of the President of the Republic No 600/73) and commercial (Sect 2214, 2219, 2220, 2711, 2934, 2946 Civil code) regulations that force companies to collect and store all the information about service billing to permit the tax authorities to check the regularity of financial administration.

Sometimes after a Public Prosecutor search warrant sent by fax alone.

The expression ‘non liturgical examination’ refers to a network/computer forensic investigation performed by an entity for internal use only and that is not (or should not be) targeted to become the basis for a claim. In the case State v Russo, documented in the case histories paragraph, the Internet access log files were sent by the IAP by fax alone.

Unless, during the investigation, the Public Prosecutor is able to find some third‐party verification of the veracity of the IAP provided log files. This may happen for instance by matching the IAP provided information with that from another ‘in transit’ IAP, but usually this double check is not performed. This leaves unsolved the problem of improperly handled evidence that is likely to occur where the IAP staff are unaware of forensic data collection issues.

Accountability means non‐ambiguous identification of the person to whom the data belong or are related. Integrity means evidence, granted by a safe handling process, that data are not altered. Non‐refutability means not being able to reasonably deny being the ‘generator’ of the targeted data.

If the data source is unreliable, the ‘value’ of the preservation in the perspective of the trial is dramatically low.

The ‘big freeze’ idea is to adopt all reasonable measures to ensure that the data that is collected is not modified by the acquisition or analysis process. The ‘chain of cold’ concept is to ensure that, as happens for frozen food, nothing occurs that may alter the data integrity during the collection, storing, replication and analysis steps. The ‘chain of cold’ principle is slightly different from the ‘chain of custody’ (often quoted as part of the digital evidence minimum requirements) since the latter only ensures that the stored data are always under control whereas the ‘chain of cold’ requires data to be both under control and subject to checks of data integrity at each stage of transfer. For a detailed description, see W G Kruse and J G Heiser Computer Forensics Addison‐Wesley, London, 2002, p 6. In addition to the application of both BF and CoC to the evidence there arises, from the perspective of the defence attorney, the problem of the admissibility in Court of a proprietary forensic software‐generated analysis, performed using ‘closed source’ software that is difficult to both challenge and to corroborate. This problem is compounded if such software is used—as seen before—to examine improperly acquired network traffic data. The first challenge of the use of proprietary computer forensic tool generated evidence by the law enforcement agencies documented in Italy is the criminal case n. 2029/01 currently pending in the Court of Civitavecchia. For a general position about the relevance of open source computer forensics see: ‘Open source digital forensic tools: the legal argument’ http://www.atstake.com/research/reports/acrobat/atstake_opensource_forensics.pdf, visited 8 December 2003.
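The distinction drawn above between custody and ‘chain of cold’ can be shown in a few lines. This is an added example, not part of the article: each custody entry for the four stages named above also records a digest of the data, so a change made during a transfer is located. The log line, custodian labels and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder link value for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def record_stage(chain: list, stage: str, custodian: str, evidence: bytes) -> dict:
    """Custody entry (who, which stage) plus the 'cold' part: the evidence digest."""
    entry = {"stage": stage, "custodian": custodian,
             "evidence_sha256": sha256_hex(evidence),
             "prev_entry_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    entry["entry_hash"] = _entry_digest(entry)
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> list:
    """Return a list of findings; an empty list means every stage checks out."""
    findings, prev_hash, prev = [], GENESIS, None
    for e in chain:
        if _entry_digest(e) != e["entry_hash"] or e["prev_entry_hash"] != prev_hash:
            findings.append(f"{e['stage']}: custody record edited or reordered")
        if prev and e["evidence_sha256"] != prev["evidence_sha256"]:
            findings.append(f"{e['stage']}: data changed since {prev['stage']}")
        prev_hash, prev = e["entry_hash"], e
    return findings

def demo():
    # Constructed access-log line; two timestamp digits are swapped in the copy.
    log = b"2003-11-02 21:14:07 account=acct1042 ip=192.0.2.17 duration=00:42:10\n"
    copy = log.replace(b"21:14:07", b"21:41:07")
    chain = []
    record_stage(chain, "collection", "IAP staff", log)
    record_stage(chain, "storing", "law enforcement officer", log)
    record_stage(chain, "replication", "forensic lab", copy)
    record_stage(chain, "analysis", "forensic lab", copy)
    return chain, verify_chain(chain)

if __name__ == "__main__":
    chain, findings = demo()
    print([e["custodian"] for e in chain])  # custody alone looks complete
    print(findings)
```

The record is only tamper-evident if the last `entry_hash` is also written somewhere the custodians cannot rewrite, for example in the signed seizure report (an assumption of this sketch).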

Full text in Italian available at http://www.ictlaw.net/internal.php?sez=giuris&IdT=2&IdTG=18&IdG=3, visited 8 December 2003.
