Cybercrime Court Decisions from Latin America - Legal and Policy Developments by Cedric Laurant

Recent Cyber-crime Court Decisions from Latin America Legal & Policy Developments

Renato Opice Blum CĂŠdric Laurant Presentation available at http://blog.cedriclaurant.org

High Technology Crime Investigation Association International Conference (Atlanta, GA â&#x20AC;&#x201C; USA - Sept. 20-22, 2010) http://www.htciaconference.org/

OUTLINE ! A. The importance of cyber-crime in Latin America for US cybersecurity professionals ! B. How this emerging cyber-crime activity impacts American companies and computer users ! C. Major legal & policy developments related to cyber-crime in Latin America ! D. Recent cyber-crime court decisions from Brazil and Argentina ! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

OUTLINE ! A. The importance of cyber-crime in Latin America for US cyber-security and law enforcement professionals ! B. How this emerging cyber-crime activity impacts American companies and computer users ! C. Major legal & policy developments related to cyber-crime in Latin America ! D. Recent cyber-crime court decisions from Brazil and Argentina ! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

A. The importance of cyber-crime in Latin America for US cybersecurity and law enforcement professionals

•  Cyber-crime is growing in Latin America, especially in Brazil. –  In Brazil, more than 6 out of 10 computers get infected by viruses and malware attacks, compared to an average of 1 out of 2.

From: Norton Cybercrime Report: The Human Impact (August 2010) High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

A. The importance of cyber-crime in Latin America for US cybersecurity and law enforcement professionals

•  Cyber-crime is international by nature. •  It requires international cooperation among all countries. •  But it also requires speedy international cooperation.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

OUTLINE ! A. The importance of cyber-crime in Latin America for US cybersecurity and law enforcement professionals

! B. How this emerging cyber-crime activity impacts American companies and computer users ! C. Major legal & policy developments related to cyber-crime in Latin America ! D. Recent cyber-crime court decisions from Brazil and Argentina ! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

•  1. Impact on US companies. •  2. Impact on American people whose personal information is misused, leaked, stolen. •  3. Impact on American consumers and ecommerce in the US.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users •  1. Impact of cyber-crime on US companies: –  Key conclusions from a recent study (*) that quantifies the economic impact of cyber-crime attacks: •  “Cyber-crime attacks” include criminal activity conducted via the Internet: theft of a company’s intellectual property, confiscation of online bank accounts, creation and distribution of viruses on other computers, posting confidential business information on the Internet, and disruption of a country’s critical national infrastructure. •  “Cost” includes: “direct, indirect and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss and destruction of property, plant and equipment, and the external consequences of the cyber crime. The survey also captures the total cost spent on detection, investigation, containment, recovery and after-the-fact or “ex-post” response. •  Cyber crimes can do serious harm to an organization’s bottom line. The median annualized cost of cyber crime of the 45 organizations surveyed is $3.8 million per year. It can range from $1 million to $52 million per year per company. (*) Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010

B. How this emerging cyber-crime activity impacts US companies and computer users •  Impact of cyber-crime on US companies: –  Key conclusions from a recent study that quantifies the economic impact of cyber-crime attacks:

•  Cyber-crime attacks are now common occurrences. The companies surveyed experienced 50 successful attacks per week and more than one successful attack per company per week. •  Cyber-crime attacks can get costly if not resolved quickly: average number of days to resolve a cyber attack was 14 days; average cost per company of $17,696 per day. Malicious insider attacks can take up to 42 days or more to resolve. Quick resolution is needed for today’s cyber-crime attacks. •  Information theft represents the highest external cost, followed by the costs associated with the disruption to business operations. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010

B. How this emerging cyber-crime activity impacts US companies and computer users •  Impact of cybercrime on US companies: –  Key conclusions from a very recent study that quantifies the economic impact of cyber-crime attacks:

•  Detection and recovery are the most costly internal activities.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010

•  All industry sectors are impacted.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010

B. How this emerging cyber-crime activity impacts US companies and computer users

•  2. Impact on American people whose personal information is misused, leaked, stolen. •  3. Impact on American consumers and e-commerce in the US. The Norton Cybercrime Report: The Human Impact released last August finds that: –  “For nearly 3 in 10 victims, the biggest hassle is the time it takes to sort things out: […] 4 weeks to resolve an average cyber-crime incident.” –  “There’s the emotional baggage, with around 1/5 of victims finding it made them stressed, angry and embarrassed (19%), and 14% mourning the loss of irreplaceable data or items of sentimental value, such as photo collections.” High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

B. How this emerging cyber-crime activity impacts US companies and computer users

From: Norton Cybercrime Report: The Human Impact (August 2010) High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

! C. Major legal & policy developments related to cyber-crime in Latin America ! D. Recent cyber-crime court decisions from Brazil and Argentina ! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  Organization of American States: –  1999: first concern about cyber-crime. –  1999: established an intergovernmental cyber-crime expert group. –  2000: the Council of Ministers of OAS Member States issued a set of recommendations: •  •  •  •

Facilitate cooperation among OAS Member States Increase technical and legal capacity-building Consider implementation and signature of CoE Cybercrime Convention Study feasibility of an Inter-American model of cybercrime legislation.

–  Several expert group meetings have taken place every year and have started: •  To put in place information exchange and cooperation mechanisms among all OAS countries and with relevant international organizations (Council of Europe, UN, EU, G8, OECD, APEC, Commonwealth, Interpol) •  To establish public-private collaboration mechanisms. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  The Council of Europe’s Cybercrime Convention: –  Adopted and opened for signature in 2001, entered into force on July 1, 2004. –  As of April 2009, 46 States have signed it, 25 have ratified it. –  Costa Rica, the Dominican Republic, Mexico and Chile have been invited to accede. Argentina requested accession. •  Any State may accede following majority vote in Committee of Ministers and unanimous vote by the parties entitled to sit on the Committee of Ministers.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  Argentina and Colombia enacted new cyber-crime laws: –  Argentina’s Act on Cybercrimes (“Ley de Delitos Informáticos”) (Law No. 26.388 of 2008): includes all cyber-crimes defined as such by the United Nations and the CoE Cybercrime Convention. –  Colombia adopted a cyber-crime law (No. 1273 of 2009) that criminalizes the illegal acquisition and sale of personal data, phishing, hacking, use of malware and viruses, computer theft.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  C o u n c i l o f E u r o p e ’ s “ G l o b a l P r o j e c t o n Cybercrime” (between March 1, 2009 – June 30, 2011) –  Objective: promote broad implementation of the Convention on Cybercrime. –  To be achieved through results in the following areas: •  Legislation and policies •  International cooperation •  Law enforcement – service provider cooperation in the investigation of cybercrime •  Financial investigations •  Training of judges and prosecutors •  Data protection and privacy •  Exploitation of children and trafficking in human beings. •  Cooperation with 120+ countries •  Legislation strengthened in more than 100 countries, including in Argentina, Colombia, Dominican Republic •  Contributes to the organization of regional legislative workshops in Latin America High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  The challenges of cyber-crime in Latin America –  1. Challenges to international cooperation on cyber-crime: •  •  •  •

Transnational character of computer crimes Lack of appropriate legislation on cyber-crime Lack of harmonization between different national laws Legal powers for investigation are insufficient (e.g., inapplicability of seizure powers to intangibles such as computer data) •  Lack of specialized personnel and equipment (From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.)

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  The challenges of cyber-crime in Latin America –  2. Challenges to fighting cyber-crime: •  •  •  •  •  •

Policies and awareness of decision-makers Harmonized and effective legislation Regional and international cooperation Law enforcement capacities and training Judicial training Law enforcement and cooperation among ISPs

(From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.)

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  The challenges of cyber-crime in Latin America –  3. Difficulties of regional and international cooperation: •  Limitations regarding skills, knowledge and training of judges, and to some extent prosecutors. Direct impact on mutual legal assistance process (e.g., difficulty to understand cyber-crime matters; reluctance to open a case or issue search warrants).

•  Insufficient use of possibility provided by international agreements for direct contacts between judicial authorities in urgent cases and efficient communication channels. •  Involvement of Contact Points (“CP”) network established under Cybercrime Convention in the MLA process is too limited. •  Not all CP sufficiently trained, resourced or available to assist competent authorities and facilitate the process. •  Authorities for MLA of many countries receive a large volume of requests. (From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

C. Major legal & policy developments related to cyber-crime in Latin America

•  Advantages of using the CoE Cyber-crime Convention as a model of legislation in Latin America –  Provides important tools for law enforcement to investigate cybercrime. –  Provides for Latin American countries: •  Harmonization of criminal law provisions on cyber-crime with those of other countries. •  Legal and institutional basis for international law enforcement and judicial cooperation. •  Participation in the Consultations of the Parties. (T-CY: “Convention Committee on Cybercrime”). •  The treaty as a platform facilitating public-private cooperation. è Convention provides global standards and a framework for an effective fast international cooperation. (From Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

OUTLINE ! A. The importance of cyber-crime in Latin America for US cybersecurity and law enforcement professionals ! B. How this emerging cyber-crime activity impacts American companies and computer users ! C. Major legal & policy developments related to cyber-crime in Latin America

! D. Recent cyber-crime court decisions from Brazil and Argentina ! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

D. Recent cyber-crime court decisions from Brazil and Argentina

BRAZIL – SOME CASES MEDICAL CLINIC database copy / unfair competition AUTOMOTOR COMPANY illegal video BROKER COMPANY database breach / unfair competition AIRLINE COMPANY database breach CHEMICAL INDUSTRY COMPANY database breach FORMULA ONE PILOT image damage BEVERAGE COMPANY 483 confidential files High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

CASES

ILLICIT •  SCAMS •  HIJACKING THROUGH GAME PASSWORD •  LIBRARY EMPLOYEE – CONTENT COPIED – ORKUT •  SÃO PAULO STATE COURT – 3000 TIMES •  DATA BASE CAPTURING – CURRICULUM FIRM ON THE INTERNET •  RIO GRANDE DO SUL STATE COURT – UNAUTHORIZED ACCESS TO DATABASE •  COUPLE ON THE BEACH – PRIVACY

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL CONSTITUTION Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE. Section 5.12 – Secrecy of correspondence and telecom – INVIOLABLE. CIVIL CODE Section 20 – Disclosure of writings, the transmission of the word, or publication, display or use the image of a person. Section 21 – Private life of a person – INVIOLABLE. EXPECTATION OF PRIVACY SÃO PAULO STATE COURT DECISION Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in love) on locations – Spanish beach – Injunction to terminate the exposure of movies and photos on web-sites because it is probable to presume lack of consent to publication. Filing with a daily penalty payment of $ 250,000.00, in order to inhibit infringement of the command to abstain. The paparazzi are known for aggressively working with the capture of images, which characterizes the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these professionals that do not require authorization for their photos and, especially, to legalize the sensationalism and scandal propagated by the media, without permission of those involved. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

ARGENTINA – COURT DECISION SEARCH ENGINE FILTER

MARADONA FORBIDS GOOGLE TO ASSOCIATE HIM TO SEX SITES High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

SEARCH ENGINE FILTER RIO DE JANEIRO STATE COURT INTERLOCUTORY APPEAL “I note that the injunction has already been accomplished by placing a FILTER ON THE SEARCH ENGINES. In this manner, it seems more reasonable to maintain the status quo, pending examination of the matter, without any harm to the plaintiff and without prejudice for the defendant, who has fully complied with the measure.” (Interlocutory appeal 20006.002.05508)

Argentina In two search engines – Google and Yahoo – is possible to make a search to avoid that certain words appear among search results. In fact, this procedure could be configured to avoid that a certain word be linked with others in certain types of search or in any search. It is therefore technically possible to adapt the search for information by avoiding certain words. IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC LINKING SITES TO INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR SEXUAL CONTENT, AND ESTABLISH OTHER INDEX IMAGES THAT DO NOT ALLOW CERTAIN PEOPLE (…) The content selection control cannot affect the operation of the search engine site or access to Internet content by users. (99.620/06) High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL PARANA STATE COURT NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR. HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT, ONLY ABOUT THE PENDING PROCESS

JUDGE ORDERS GOOGLE TO SET UP A FILTER TO R A N D O M I Z E R E S U LT S W I T H PLAINTIFF’S NAME, MAKING POSSIBLE T H E R O TAT I O N BETWEEN NEWS PARANA STATE COURT 1819/2008 High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL CONSUMER DEFENSE CODE Section 43 – Database access. Section 72 – Block access. Detention from six months to one year or a fine PRIVACY SANTA CATARINA STATE COURT DECISION

Consumer Defense Association causes damages to consumers by disclosing its database to third parties. Association must include a warning about the disclosure and ask for permission.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL WIRETAPPING – ACT 9296/1996 Section 1 – Interception of telephone communications – flow of communication. Section 10 – Intercept communication or violate secret of Justice, without judicial authorization – confinement from two to four years and fine.

PRIVACY SÃO PAULO STATE COURT DECISION Breach of confidentiality of correspondence and of telegraphic, data and telephone communications – Non-occurrence – Seizure of emails in possession and known of the recipient by court order – Strong suspicions that the material might enlighten the criminal infraction – Interpretation of Section 5, XII of the Constitution. THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BLOGGER CONVICTED TO INDEMNIFY State Court of Ceará

BLOGGER POSTED CONTENT WICH GENERATED OFFENSIVE COMMENT. HE WAS UNABLE TO IDENTIFY THE AUTHOR AND WAS CONVICTED TO INDEMNIFY THE VICTIM IN R$16.000

http://www.correiobraziliense.com.br/app/noticia182/2010/02/24/tecnologia,i=175488/ SAIBA+COMO+TENTAR+EVITAR+PROBLEMAS+COM+O+USO+DA+REDE.shtml High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

RS STATE COURT – CYBERBULLING STUDENT CREATES WEBPAGE TO OFFEND ITS CLASSMATE. THE COURT RULED FOR THE INDEMNIZATION TO THE VICTIM TO BE PAYED BY THE DEFENDANT´S MOTHER. APPEAL. LIABILITY. INTERNET. USE OF IMAGE FOR A DEROGATORY END. FLOG CREATION - PERSONAL WEBSITE FOR POSTING PICTURES IN THE NETWORK. PARENT´S LIABILITY. PATERNAL POWER. BULLYING. MORAL DAMAGE IN RE IPSA. OFFENDED THE SO CALLED RIGHTS OF PERSONALITY. The responsibility of ISP. ISPs provide space for creating personal pages on the World Wide Web, which are used freely by users. However, with complaint of inappropriate or offensive content to human dignity, the service provider needs to detect and expeditiously remove the elements of this page. Imagem: http://farm3.static.flickr.com/2181/2512997167_d6ba9a5031.jpg Source: http://g1.globo.com/vestibular-e-educacao/noticia/2010/07/justica-determina-que-mae-pague-indenizacao-vitima-de-cyberbullying.html High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

SP State Court – Civil Code, Section 927

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

ARGENTINE COURT DECISION

“The inviolability of correspondence and telecommunications – in this case, the interception of text messages – is only possible upon court request.”

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

http://adirferreira.files.wordpress.com/2009/02/sms.jpg

COURT DENIES TEXT MESSAGE AS EVIDENCE OF WIFE’S INFIDELITY

LABOR COURT – 13th REGION ORKUT’S PHOTO ALBUM IS USED AS AN EVIDENCE AT HEARING. THE TOOL PROVED THAT AT A CERTAIN DATE THE EMPLOYEE STILL WORKED AT THE COMPANY.

Source: http://www.trt13.jus.br/engine/interna.php?pag=exibeNoticia&codNot=1769# High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

REGIONAL LABOR COURT – E-MAIL AS AN EVIDENCE Lawsuit nº 2004.028935-4

OVERTIME. EVIDENCE. E-MAIL. EVIDENCE VALIDITY. THE ELECTRONIC MAIL IS A MODERN EVIDENCE THAT IS VALID TO CERTIFY OVERTIME LABOR, AS LONG AS THERE IS NO DOUBT RELATED TO TAMPERING, ESPECIALLY WHEN ITS CONTENT REMAINS CORROBORATED BY OTHER EVIDENCE IN THE CASE FILE. IF THE COMPUTER CLOCK WAS CHANGED FOR A LATER TIME, AS ALLEGED IN THE APPEAL, THE DEFENDANTS WOULD HAVE TO PROVE IT, AND THEY DIDN´T.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

CRIMINAL STATE COURT OF SÃO PAULO PRIVACY – BREACH OF CONFIDENTIALITY TELECOMMUNICATIONS - BREACH OF CONFIDENTIALITY - "E-MAIL" SENT FROM BRAZIL TO THE ELECTRONIC ADDRESS OF THE WHITE HOUSE, IN THE CITY OF WASHINGTON, DC, WRITTEN IN ENGLISH, CONTAINING THREATS TO PHYSICAL INTEGRITY OF THE PERSON OF THE AMERICAN PRESIDENT AND ITS FAMILY – SUBPOENAED THE ISP TO PROVIDE PERSONAL IDENTITY AND ADDRESS OF USER CONNECTED AT THAT MOMENT TO SUCH “IP” NUMBER - NOTIFICATION REJECTED ON THE GROUND THAT THE DATA REQUEST IS PROTECTED BY THE FEDERAL CONSTITUTION FOR TELECOMMUNICATION SERVICES, SO THAT DATA REQUEST PROCEDURES WOULD BE REGULATED BY ACT Nº. 9296/96, ESPECIALLY WITH REGARD TO THE NEED FOR A JUDICIAL ORDER - Habeas Corpus to not be prosecuted for disobedience. Habeas corpus denied. Need of legal authorization for the breach of confidentiality of telecommunications - postal, telephone or transmission of messages or data. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

ARGENTINA – COURT DECISION E-MAIL MONITORING E-mail at work. Private use. Importance as a working tool. Privacy. Need for clear policies on its use. Dismissal for cause. Rejection. (CAUSE 15198/2001 S. 36580)

“E-mail has more privacy protection than the classic snail mail, because to operate it, it is required to use a service provider, a user name and a password, that prevents others from intruding into the data and content sent and received. (…) According to constitutional guarantees, along with the evidences concerning the alleged emails the defendant’s privacy is violated with the consequent harm to his dignity and self-determination.” (C. 35.369 Ins. 18/156)

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL – SUPERIOR LABOR COURT PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER Password does not imply any expectation of privacy in relation to corporate email once the PASSWORD BECOMES AN EMPLOYER’S PROTECTION TOOL TO PREVENT THIRD PARTIES TO ACCESS THE CONTENT OF MESSAGES. (…) Also, there is no offense to the principle of inviolability of intimacy and privacy (Section 5, X, CF/88), once an employee can’t be granted the right to privacy with respect to the use of a corporate email system made available by his company. Otherwise, the employee had no reasonable expectation of privacy, which is conveyed by the statement that the corporate e-mail was intended "only for issues and matters affecting the service” (fl. 636). At last, there is no harm to the principle that ensures admissibility in the process of evidence obtained by illegal means (Section 5, LVI): the corporate e-mail is company’s property, merely transferred to the employee for working purposes, and the employer may exercise control both formal and material (content) over the messages that travel through his corporate email system. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

RS STATE COURT – EVIDENCE (EMAIL) E-MAILS CONTAINING PLAINTIFF’S PERSONAL DATA, ALONG WITH THE INFORMATION THAT SHE IS A CALL-GIRL. SENT BY EX-BOYFRIEND. INCOMING CALLS FROM PEOPLE INTERESTED IN HER SEXUAL SERVICES. SUBJECTIVE LIABILITY. NEGLIGENCE. MORAL DAMAGES. Declarations by the ISP are in his legal file that proves the e-mail was sent from a domain name that belongs to the defendant, and considering the failure to prove a fact wich could remove his liability, the case is upheld.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

RIO GRANDE DO SUL STATE COURT Rio Grande do Sul Court of Appeals determines INDEMNIZATION TO FURNITURE STORE´S CLIENT FOR BEING COLLECTED IN A VEXATIOUS WAY THROUGH ORKUT. Appeal Nº 71002350874/2009 DAMAGE REPAIR. INCURRING DEBT FOR THE PURCHASE OF FURNITURE. VEXATIOUS COLLECTION. POST ON PLAINTIFF´S ORKUT PROFILE STATING HE WAS INDEBTED. LIABILITY OF THE COMPANY ON BEHALF OF WHOM HE WAS CHARGED FOR THE FURNITURES. MORAL DAMAGES. EXISTING DEBT. REDUCED VALUE. APPEAL PARTIALLY UPHELD. (...) because the defendant, from whom the furnitures had been purchased through installments, had called several times to collect the bill and had posted on the plaintiff´s orkut profile that he was indebted, causing embarassment among his co-workers (...)

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

BRAZIL – LABOUR COURT (2nd REGION) I N D U S T R I A L P R O P E R T Y. E M P L O Y E E ORDERED TO COMPENSATE COMPANY FOR PUBLISHING MATERIAL NOT YET PUBLISHED “(...) THE DEFENDANT HAD PUBLISHED IN ORKUT MANY PHOTOGRAPHS RELATED TO A PRODUCT THAT HAD NOT EVEN BEEN LAUNCHED, WHICH PREMATURE DISCLOSURE DID NOT AND DO NOT INTEREST THE AUTHOR, HOLDER OF INDUSTRIAL PROPERTY RIGHTS”. “(...) IT IS ABSOLUTELY IRRELEVANT TO KNOW IF THE DEFENDANT HAS ACTED WITH BAD FAITH, BECAUSE WHAT IS IMPORTANT TO INVESTIGATE IS THAT THERE IS A HIGH LIKELIHOOD THAT REFERRED DISCLOSURE CAN CAUSE PATRIMONIAL HARM TO THE AUTHOR”. High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

FEDERAL COURT – 2nd REGION (RJ) “CRIMINAL LAW AND CRIMINAL PROCEDURE. CRIME AGAINST TELECOMMUNICATIONS COMPANIES. ILLEGAL DISTRIBUTION OF CABLE TV SIGNAL. UNION’S INTEREST. FEDERAL COURT JURISDICTION. RECLASSIFICATION OF FACTS. CRIMES OF SECTION 171 OF CRIMINAL CODE AND SECTION 183 OF ACT Nº 9.472/97.” I - The conduct attributed to defendants in the complaint is the illegal distribution of cable TV signals, which violates the uniqueness of the Union to organize the exploitation of telecommunications services. III - The retransmission of illegal cable TV signal is not atypical. Though TV signal is not considered a source of energy, ruling out the possibility to characterize the crime as a theft, the crime to be considered is qualified as “larceny by fraud”. (...) I correct the material error for the accused to be CONVICTED under the terms of the sentence, but TO BE ARRESTED."

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

Lawsuit nº 591/07 – Unfair competition (Sponsored links) District of justice of São Carlos – 1st criminal court

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

FEDERAL COURT – 1st REGION CRIMINAL PROCEDURE. HABEAS CORPUS. SCAM. INTERNET CRIME. TEMPORARY PRISON. ABSENCE OF REQUIREMENTS. 1. Larceny by fraud practiced over the internet, with the participation of several people with specific activities - a) the programmer (the one who designs the phishing website and the malicious codes, e.g. the trojan) – the person responsible for capturing passwords; is the cracker, not the hacker, b) the user (who directly uses the software); c) the carder (responsible for obtaining credit cards and bank notes that will be paid through the Internet); d) the sub-carder (the person who, despite not knowing the software users, buy the magnetic cards from mules and sell them to carders that make contact with users; e) the mule (the one who lends your bank account to receive the money from the illicit activity) – aiming to phish the account holder´s password and withdraw the money from his bank account.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

PARANÁ STATE COURT – CRIMINAL APPEAL LAWSUIT Nº 2004.028935-4 CRIMINAL APPEAL - INSERTION OF FALSE DATA INTO INFORMATION SYSTEM (SECTION 313-A OF CRIMINAL CODE) - AUTHORSHIP AND MATERIALITY PROVED - CIVIL SERVANT WHO INSERTED FALSE DATA ON CIRETRAN´S SYSTEM REQUESTED BY HER BOYFRIEND RELEASING VEHICLE´S DOCUMENTS WITHOUT PAYING THE PROPER FEES - VEHICLE LICENSE FEES NOT COLLECTED DISQUALIFICATION THE FOR PREVARICATION - CONDUCT WICH OVERSTEPPED THE LIMITS EXPOSED IN SECTION 319 oF THE CRIMINAL CODE - PENALTY DECREASE - LATER REGRET - CRIME PRACTICED 17 TIMES REPETITIVELY, SHOWED LACK OF REGRET INCREASING THE PENALTY IS SUITABLE, CONSIDERING THE NUMBER OF RECIDIVISM - CRIME COMMITTED AGAINST THE PUBLIC ADMINISTRATION - PENALTY OVER A YEAR - LOSS OF JOB COMDEMNATION EFFECT - APPEAL DENIED

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

The arrows point...

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

GREETINGS

“That God gives you serenity to accept things that cannot be changed, courage to change things that can be changed and wisdom to know the difference”.

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

! E. Recent data protection developments in Latin America - How they relate to cyber-crime

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

C. Recent data protection developments in Latin America – How they relate to cyber-crime

•  Relationship between data protection, cyber-security and cyber-crime: –  A strong data protection framework is necessary to provide support to cyber-crime laws. –  Implementing data protection processing rules during cyber-crime investigations improves its accuracy and efficiency. –  Security breach notification requirements in the U.S. since 2005: triggered by leaks, disclosures or theft of personal information.

•  Lack of data protection frameworks in LAC (with a few exceptions: Argentina and Mexico).

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

E. Recent data protection developments in Latin America How they relate to cyber-crime

MEXICO CONSTITUTION -  Since 2007, the Constitution expressly acknowledges the right of personal data protection as a fundamental right. -  “The information pertaining to private life and personal data shall be protected pursuant to the terms and exemptions set forth in the laws.” “Every person, without the need to prove his own legal interest or justify his use, shall have free access to public information, to his own personal data and the correction of such data.” -  In 2009, the Constitution obliged the Congress to enact a data protection law for the private sector within 12 months from the publication of the reform. The deadline was April 30, 2010.

IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

MEXICO

BILLS ON PERSONAL DATA PROTECTION

-â&#x20AC;Ż Since 2001, there have been 6 data and privacy bills, which are modeled loosely on international data protection standards such as those found in the EU Data Protection Directive, the Spanish Data Protection Law, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the APEC Privacy Framework.

IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

MEXICO LEGAL FRAMEWORK AT THE FEDERAL LEVEL -

New data protection law since June 2010.

There are several laws about privacy and data protection in specific fields, such as finance and banking, consumers' rights, credit information, telecommunications and national security.

The Federal Law of Transparency and Access to the Government Public Information (LFTAIPG) standardizes principles under which the various organs of the State must process citizens' personal data.

IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

MEXICO OBSTACLES TO OVERCOME 1.2.3.-

Proliferation of federal regulation. Differences between state regulations. Lack of provisions about transborder data flows.

RELEVANT INTERNATIONAL INSTRUMENTS OECD Recommendations on Privacy. Mexico is an OECD member since 1994. APEC Privacy Framework, 2004. Economic Partnership, Political Coordination and Cooperation Agreement between the European Community and its Member States, and the United Mexican States, 2000. IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

COLOMBIA DATA PROTECTION LAW OF 2008

! Ley Estatutaria 1266 de 2008 ! Habeas data ! Limited to the financial sector (banks, credit reporting and commercial companies).

IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

COLOMBIA PRIVACY IN E-GOVERNMENT SERVICES

! General obligation of all government entities that use electronic resources to manage the information of citizens in a manner respectful to their privacy. ! Decree No. 1151 of 2008 establishes general principles to follow in how online services are provided by the government. ! Protection of privacy is further regulated by the Ministry of Communications’ “e-Government Policy Manual,” applicable throughout all governmental entities.

IAPP Global Privacy Summit Washington, DC 2010

E. Recent data protection developments in Latin America How they relate to cyber-crime

PERU “SAN SALVADOR COMMITMENT” (2008)

! 2nd Ministerial Conference on the Information Society in Latin America and the Caribbean. ! Decision made to: ! “facilitate dialogue and coordination of various regulatory initiatives at the regional and local levels that may contribute to the region’s regulatory harmonization, especially on the topics of privacy and data protection”; ! “invites countries to consider the possibility of ratifying or acceding to the Council of Europe Cybercrime Convention as an instrument to facilitate [the] integration and regulatory adaptation in this area within the framework of principles of protection of the right to privacy.”

IAPP Global Privacy Summit Washington, DC 2010

Speakers

Renato Opice Blum, CEO and Partner, Opice Blum Advogados Associados (Brazil) http://www.opiceblum.com.br <renato [at] opiceblum [dot] com [dot] br>

CĂŠdric Laurant, Independent Privacy Consultant http://blog.cedriclaurant.org http://security-breaches.com <cedric [at] laurant [dot] org>

High Technology Crime Investigation Association International Conference (Atlanta, GA - USA â&#x20AC;&#x201C; Sept. 20-22, 2010)

WWW.OPICEBLUM.COM.BR Renato Opice Blum renato@opiceblum.com.br twitter.com/opiceblum u  Lawyer and Economist; u  Coordinator of Electronic Law's MBA, of São Paulo Law School; u  Invited Professor at Electronic Law’s Course, Florida Christian University, Fundação Getúlio Vargas (FGV), PUC, FIAP, Rede de Ensino Luiz Flávio Gomes (LFG), Universidade Federal do Rio de Janeiro, FMU and others; u  Speaker teacher at Mackenzie University; u  Collaborating Professor of ITA-Stefanini’s partnership; u  Speaker at the IAPP’s Global Privacy Summit 2010, Washington, DC u  Arbitration Referee at FGV and Mediation and Arbitration's Chamber of São Paulo (FIESP); u  President of the Superior Council of Information Technology of the Trade Federation of São Paulo, and Technology Law Committee of AMCHAM; Member of Information Society Law Committee – OAB/SP; Former Vice-President of Electronic Crime’s Committee – OAB/SP; u  Member of American Bar Association (ABA), Inter American Bar Association (IABA), International Law Association (ILA), International Bar Association (IBA) and International Technology Law Association (Itechlaw); u  Coordinator and co-author of “Internet and Electronic Law Manual”; u  CEO at Opice Blum Attorneys-at-Law http://www.opiceblum.com.br/lang-en/index.html u  Résumé at Lattes Platform: http://lattes.cnpq.br/0816796365650938 High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)

www.cedriclaurant.org Cédric Laurant cedric [at] laurant.org twitter.com/cedric_laurant u  Independent consultant based in Brussels, Belgium. u  Attorney, member of the District of Columbia Bar. u  Specialty areas: international privacy, data protection and information security. u  Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the research of the "European Privacy and Human Rights”, a European Commission-funded privacy research and advocacy project. Info at: http://phr.privacyinternational.org/ u  Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and Developments (EPIC & Privacy International 2003, 2004, 2005). u  Formerly Visiting Law Professor, University of los Andes (Bogota, Colombia) and International Privacy Project Director, Electronic Privacy Information Center (Washington, DC). u  Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London). u  Profile/Résumé: http://www.linkedin.com/in/cedriclaurant u  Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com High Technology Crime Investigation Association International Conference (Atlanta, GA - USA – Sept. 20-22, 2010)