<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>RE: [governance] Re: IG questions that are not ICANN [was:</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Latha;
panose-1:2 0 4 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Well, there is a multitude of organizations.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>ITU is the UN agency that handles WSIS action line C5 –
which covers cybersecurity<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Interpol certainly does quite a lot on coordinating between law
enforcement agencies on cybercrime issues. In fact, see this interview
with their secretary general Ronald Noble – on ABC 60 minutes.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><a
href="http://cosmos.bcst.yahoo.com/up/player/popup/?rn=3906861&cl=5007247&ch=4227541&src=news">http://cosmos.bcst.yahoo.com/up/player/popup/?rn=3906861&cl=5007247&ch=4227541&src=news</a><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>A lot of additional cooperation also goes on through MLATs –
bilateral “mutual legal assistance treaties” between national
police agencies (such as the US DoJ).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Other organizations that do work to some extent in this area are
ENISA (http://enisa.europa.eu) and the CoE (through their convention on
cybercrime, and a network of 24x7 hotline PoCs that works with / extends the G8’s
similar hotline). The international organizations that deal specifically
with this are more than capable. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Then, there’s international cooperation on child porn –
public private, this one – <a href="http://www.virtualglobaltaskforce.com">http://www.virtualglobaltaskforce.com</a>
<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As I said though, several individual countries’ law
enforcement agencies may range all the way down the spectrum from “don’t
know” to “don’t care”. And individual
countries may not have extradiation treaties as well .. so that issues of
rather more significance than cybercrime (such as seeking the arrest of someone
who put plutonium in a guy’s sushi not too long back) may run into these
very same issues.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> srs<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> George Sadowsky
[mailto:george.sadowsky@attglobal.net] <br>
<b>Sent:</b> Sunday, December 02, 2007 8:24 PM<br>
<b>To:</b> governance@lists.cpsr.org; Alejandro Pisanty; Jacqueline A. Morris<br>
<b>Cc:</b> 'Ian Peter'; 'Suresh Ramasubramanian'<br>
<b>Subject:</b> RE: [governance] Re: IG questions that are not ICANN [was:
Irony]<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>So where is the international organization that claims
(cyber)crime as its target? IMHO the obvious target is Interpol.
Yet I don't see strong evidence of Interpol's involvement in cybercrime.
why not? Some possible reasons:<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(1) It's happening, but I don't see it because I'm not looking
in the right places<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(2) It's happening, but purposely being kept secret for the
purposes of effective operations<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(3) It's not happening because Interpol doesn't see it as a
high priority or doesn't see it as a part of its mandate<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(4) It's not happening because Interpol doesn't have the
resources to address the issue effectively -- technical, legal, or
financial.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>(5) None of the above.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><o:p> </o:p></p>
</blockquote>
<div>
<p class=MsoNormal>Seriously, I would like to understand if our existing
international organizations are capable or could be made capable of really
assisting in this area, or not. This would give us some evidence
regarding in which directions it would be most effective to proceed.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>What do we collectively know about Interpol, and possibly
other similar organizations that could provide a basis for a concerted attack
on cybercrime?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Regards,<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>George<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>At 2:02 AM +0000 12/2/07, Alejandro Pisanty wrote:<o:p></o:p></p>
</div>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Hi,<br>
<br>
on the strand on cybercrime:<br>
<br>
a useful way to approach this would be to make a quick list of stakeholders
(the four WSIS stakeholder groups, then a more fine-grained segmentation of
these), and their present and possible future roles.<br>
<br>
Thus, you can recognize governments as you are already doing. Governments in
many countries (certainly the once you are mentioning here) have three main
branches, executive, legislative, and judiciary. Each plays or can play a
vital, differentiated role. Then e.g. within the executive you have
differentiated functions - crime prosecution is in the executive in many
countries, crime prevention, education, telecoms regulator (or other setting
and policing rules for ISP operation), and so on.<br>
<br>
The cooperation described in previous emails in this strand is mainly among
law-enforcement agencies, which aid each other cross-border in investigating
crimes and prosecuting criminals.<br>
<br>
Not much of this can be done with cooperation form other parts of the
governments. It is well known that a person that has committed a crime under
the laws of country A but is in country B cannot be captured in country B and
lawfully extradited to country A unless his actions are also a crime in country
B. And then of course you have to have compatible rules for evidence, country A
has to recognize the evidence obtained in country B, the rules for the control
of the custody of the chain of evidence in country B have to satisfy country A,
and so on.<br>
<br>
Lawyers and other experts will be happy to dwell in the details.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>The business (what we call the private sector outside the US
and UK) to business cooperation is often easier to meet. Phishing is recognized
by banks in most countries, and though competition issues (banks compete with
each other by being safer, among other factors) may make them want to not
cooperate, once the environment is toxic enough they will not only cooperate
with each other in-country but also cross-border. This gets complicated by the
huge level of consolidation among banks that exists transnationally.<br>
<br>
Other private-sector victims or co-victims to cybercrime (strictly speaking the
bank is not the victim of phishing; the client is the victim; so I use
"co-victim" because banks are shouldering some of the burden for many
reasons) such as small and medium enterprises which are swindled by criminals
(e.g. in fake purchases) may find it more difficult to cooperate with their
peers cross-border directly, preferring their governments to act on their
behalf instead, unless they are very cyber-savvy.<br>
<br>
(And, ah, many of us are of the opinion that there is actually no cybercrime,
only crime committed by cyber means.)<br>
<br>
I'll stop here for a moment and ask, what is the role of civil society in this
picture? (exercise left to the readers.)<br>
<br>
Yours,<br>
<br>
Alejandro Pisanty<br>
<br>
<br>
. . . . . . . . . .
. . . . . . . . . .
. . . . . .<br>
Dr. Alejandro Pisanty<br>
Director General de Servicios de Computo Academico<br>
UNAM, Universidad Nacional Autonoma de Mexico<br>
Av. Universidad 3000, 04510 Mexico DF Mexico<br>
Tel. (+52-55) 5622-8541, 5622-8542 Fax 5622-8540<br>
http://www.dgsca.unam.mx<br>
*<br>
---->> Unete a ISOC Mexico, www.isoc.org<br>
Participa en ICANN, www.icann.org<br>
. . . . . . . . . .
. . . . . . . . . .
. . . . . .<br>
<br>
<br>
On Sat, 1 Dec 2007, Jacqueline A. Morris wrote:<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>Date: Sat, 1 Dec 2007 21:34:54 -0400<br>
From: Jacqueline A. Morris <jam@jacquelinemorris.com><br>
Reply-To: governance@lists.cpsr.org,<br>
Jacqueline A. Morris <jam@jacquelinemorris.com><br>
To: governance@lists.cpsr.org, 'Ian Peter' <ian.peter@ianpeter.com>,<br>
'Suresh Ramasubramanian' <suresh@hserus.net><br>
Subject: RE: [governance] Re: IG questions that are not ICANN [was: Irony]<br>
<br>
There is some cross-boundary cooperation, but it isn't easy. There are some<br>
bilateral agreements (for example between Trinidad and Tobago and the UK and<br>
also with the US ) that allow for co-ordination and cooperation in certain<br>
instances, but some in the local Police complain that the processes are<br>
unwieldy.<br>
I do agree that there needs to be more than simple government to government<br>
cooperation. But governments are vital, in that they are the ones who can<br>
sign agreements that are binding, they can amend laws that allow for<br>
cooperation (and that is important with regard to evidence, with regard to<br>
what is allowed in different jurisdictions, such as methods of data<br>
gathering).<br>
Jacqueline<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>-----Original Message-----<br>
From: Ian Peter [mailto:ian.peter@ianpeter.com]<br>
Sent: Friday, November 30, 2007 23:03<br>
To: governance@lists.cpsr.org; 'Suresh Ramasubramanian'<br>
Subject: RE: [governance] Re: IG questions that are not ICANN [was:<br>
Irony]<br>
<br>
Nice concept Suresh, but at Rio a number of govt reps complained at the<br>
almost total lack of international co-operation in this area and the<br>
ineffectiveness of current efforts because there is no way to get<br>
cross-boundary co-operation currently.<br>
<br>
That's a structural problem IMHO. And one not likely to be solved<br>
solely by<br>
governments co-operating among themselves. In addition technical<br>
co-operation is necessary as they readily admit - that takes two forms<br>
at<br>
least which I outlined. Finally the public policy issues are<br>
substantial of<br>
course.<br>
.<br>
<br>
Ian Peter<br>
Ian Peter and Associates Pty Ltd<br>
PO Box 10670 Adelaide St Brisbane 4000<br>
Australia<br>
Tel (+614) 1966 7772 or (+612) 6687 0773<br>
www.ianpeter.com<br>
www.internetmark2.org<br>
www.nethistory.info<br>
<br>
<br>
-----Original Message-----<br>
From: Suresh Ramasubramanian [mailto:suresh@hserus.net]<br>
Sent: 01 December 2007 14:00<br>
To: governance@lists.cpsr.org; Ian Peter<br>
Cc: 'Alejandro Pisanty'; 'Milton L Mueller'<br>
Subject: Re: [governance] Re: IG questions that are not ICANN [was:<o:p></o:p></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>Irony]<br>
<br>
Ian Peter [01/12/07 13:45 +1100]:<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>A structure for dealing with cybercrime would have the
following<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>inputs <o:p></o:p></p>
<p class=MsoNormal>1. Governmental<br>
2. Industry players (carriers, ISPs, etc)<br>
3. Technical innovators and standards groups<br>
4. Public interest groups<br>
Each would need representation on a structure dealing with this issue.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal><br>
Actually, the focus would not be on "governance" - it would be on<br>
interoperability and cooperation across "stakeholder communities" (or<br>
stakeholder silos, as I've heard them called .. civ soc talking to<br>
other<br>
civ soc, agency talking to agency etc)<br>
<br>
Take a look at these three - they actually do a lot of what you ask<br>
for.<br>
<br>
CoE convention on cybercrime -<br>
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm<br>
<br>
ITU botnet project - again, taking these concepts you cite and applying<br>
them practically, instead of as a thought experiment -<br>
http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html<br>
http://www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-botnet-mitigation-<br>
toolki<br>
t-background.pdf<br>
<br>
And then this - a "self assessment" document to help a country assess<br>
how<br>
ready it is to deal with cybersecurity.<br>
http://www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>Effective action would require the consent and involvement
of each<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal>group<br>
<br>
At an international level? What you would get at that level is again<br>
coordination and cooperation at a broad level, and awareness of each<br>
others<br>
initiatives. It is not like (say) governing a swiss canton where all<br>
the<br>
citizens can get together to decide where to build the next public<br>
toilet<br>
or how much to spend to improve a local park.<o:p></o:p></p>
</blockquote>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>
<p class=MsoNormal> srs<o:p></o:p></p>
</blockquote>
</blockquote>
</div>
</div>
</body>
</html>