The Internet has provided fertile ground for the commission of old crimes in new ways, such as the use of P2P file sharing services to distribute child pornography, and the use of encrypted email to plan terrorist attacks. It has also enabled the commission of new crimes more peculiar to the Internet, that involve the subversion of its architecture. One example of the second class of crimes is the Distributed Denial of Service (DDoS) attack, by which the criminal typically causes a distributed network of home computers to be infected with a virus that covertly places them under the criminal’s control, and then uses that control to cause each computer to bombard a victim’s Internet server with data until the server’s capacity to respond to legitimate requests is overwhelmed.
Chapter 2. Internet governance as it was
This second class of new offences is normally termed “cybercrime,” and it has been the main focus of bodies involved in Internet public policy governance. There are no fully international instruments addressing this topic, apart from a non-binding UN General Assembly Resolution on a Global Culture of Security,[145] which was based on an earlier OECD (Organization for Economic Cooperation and Development) document.[146] However the most notable regional activity, which now has global reach, is the Convention on Cybercrime passed by the Council of Europe in 2001[147] dealing with computer fraud, information security, and the content regulatory issues of child pornography and copyright. This convention has also been acceded to by other non-European countries such as South Africa, Canada, the USA and Japan. Although Australia has not ratified the convention, its Cybercrime Act 2001 (Cth) was based on it in part.
Public policy governance by the executive arms of international, regional and domestic governmental bodies in the area of cybercrime has been at least as significant as that of their legislatures. The G8 Group (the United States, the United Kingdom, France, Germany, Italy, Germany, Japan and Russia) formed a High-tech Crime Subgroup in 1997 which has established a network of cybercrime points of contact in each country.[148] The European Union in 2004 formed an agency of its own, the European Network and Information Security Agency (ENISA), which aims to provide assistance to the European Commission and Member States in addressing security issues in hardware and software, and to promote standards and activities to minimise information security risks.[149]
In Australia’s region, the Telecommunications and Information Working Group (TEL) of APEC (Asia-Pacific Economic Cooperation) has drafted a cybersecurity strategy for its member states,[150] and there is an Australian High Tech Crime Centre to provide a nationally coordinated approach to high tech crime across all Australian jurisdictions.[151]
The war against cybercrime is also waged in non-governmental fora. National computer emergency response teams such as the eponymous CERT®[152] and Australia’s AusCERT,[153] some of which are government-linked and others of which are private sector or civil society organisations, join together in the Forum of Incident Response and Security Teams (FIRST).[154] They provide services and support, some voluntary and some for-fee, to those whose computer systems or networks are attacked by cyber-criminals and those investigating such attacks.
145. General Assembly of the United Nations, Creation of a Global Culture of Cybersecurity: Resolution (2003)
146. OECD, OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002)
147. Council of Europe Cybercrime Convention, 23 Nov 2001, 2003 S Treaty Doc No 108-11
148. See http://www.cybercrime.gov/g82004/g8_background.html.
149. See http://enisa.europa.eu/.
150. APEC, Recommendation by the APEC TELWG to SOM for an APEC Cybersecurity Strategy (2002)
151. See http://www.ahtcc.gov.au/.
152. See http://www.cert.org/, though CERT now disavows the origin of its name.
153. See http://www.auscert.org.au/.
The CA/Browser Forum[155] provides another example of a purely private approach to combatting cybercrime; specifically phishing, a “social engineering” attack in which victims are induced (usually through spam email) to provide confidential details to a bogus Web site masquerading as that of a legitimate online business such as a bank. The CA/Browser Forum contains no governmental members, but is simply a consortium of CAs and vendors of Web browser software. Their approach to the problem is based on architecture: the introduction of a new type of SSL certificate that requires more rigorous verification by the issuing CA, and is flagged as such by the user’s Web browser.
As for crimes that are not Internet-specific but which are committed by use of Internet services, there are of course a number of relevant but general international instruments such as conventions on drug trafficking and organised crime,[156] and a number of active executive bodies such as Interpol. These fall outside the scope of this thesis, though some will be alluded to later at Section 3.4.2.
However mention should at least be made of the Optional Protocol to the Convention on the Rights of the Child on the sale of children, child prostitution and child pornography,[157] which was passed in recognition of “the growing availability of child pornography on the Internet,” and of the Virtual Global Taskforce (VGT), which is a transnational network of police services combatting online child exploitation.[158]