Cybercrime is by its very nature a transnational crime and it is critical that resilient, cooperative measures are available to combat this crime type.
Attacks launched by a person in one country can affect persons in multiple other countries. Even a relatively straightforward email communication sent to a person in the same country may generate electronic evidence in another country and data may be transmitted through servers located in several other countries. It is difficult to estimate the overall cost of cybercrime, which often involves the investigation response, repair and loss of resources and productivity. In 2018, cybercrime was estimated to cost the global economy approximately USD 600 Billion.
Government, service providers (including internet service providers (ISPs) and communication service providers (CSPs) play a crucial role in building trust in information and communication technologies (ICT) and helping societies around the world make best use of these technologies. Cooperation between the government and private organisations is critical to ensure an effective criminal justice response.
Internet data has become increasingly important in the investigation and prosecution of criminal offences. MLA is a complex and often-lengthy process that contrasts with the often very fast-paced nature of cybercrime. Electronic evidence moves quickly, and MLA can be a slow process, often taking months or even years to complete. As transnational crime increases and electronic evidence is routinely located across borders, it is essential that criminal justice systems are able to capture this evidence.
2.1 What is Cybercrime?
Cybercrime is criminal activity that captures a wide range of behaviour in which computer technology is used as a tool, target or accessory of criminal activity. Cybercrime can be broadly broken down into two categories:
Use technology to enable traditional offences
Pure ‘cybercrime’ offences, made possible only by the technology itself
Technology-enabled offences use the internet and ICT as a force multiplier. These crimes use the internet to increase the scale and reach of victims using computers, computer networks or other forms of information communications technology. Examples of technology-enabled offences include fraud, theft, sexual exploitation and harassment offences.
Pure cybercrime offences differ from technology enabled crimes, as they require the use of ICT. That is, crimes against computers and information systems where the aim is to gain unauthorised access to a device or deny access to a legitimate user (typically with malicious software such as WannaCry and Industroyer). Other examples include hacking, the production and dissemination of malware for the purpose of criminal activity, botnets and phishing.
There is no single ‘type’ of cybercriminal. Historically, criminal prosecutions and investigations reveal that cybercriminals can vary significantly in terms of age, sophistication, resources, objectives, opportunities, and technical abilities. Other elements constituting the criminality may also significantly differ, such as:
Whether it is done solely by an individual, or may involve sophisticated, organised and serious crime elements
What motivations may be, including financial, political or ideological, reputational or information gathering
This can make investigating and prosecuting cybercrime incredibly difficult. While sophistication, technical ability and resourcing can go a long way in disrupting law enforcement efforts to detect, prevent, investigate and prosecute these kinds of crimes, the availability and increasing simplicity of disruption technologies, platforms and services, enhances the ability for even non-technical criminals to find success in criminal activity online. For example, the use of anonymising browsers and platforms (such as The Onion Router) may significantly increase the difficulty for law enforcement to determine who may be accessing child sexual exploitation or abuse material online.
2.3 Under Reporting of Cybercrime
Cybercrime is widely believed to be underreported. Victims may report criminal activity if they personally sustain loss or some kind of damage.
However, there are numerous reasons why victims of cybercrime may choose not to report, including:
The underreporting of cybercriminal activity may mean that law enforcement and policy makers do not fully appreciate the impact of certain types of cybercrime. Underreporting or lack of reporting may also make it difficult for law enforcement agencies to identify evidence to support investigations and prosecutions, including having a sufficient evidence base for supporting international crime cooperation mechanisms, such as MLA.
2.4 Electronic Evidence
Electronic evidence, also known as e-evidence or digital evidence, is ‘any information generated, stored or transmitted in digital form that may later be needed to prove or disprove a fact disputed in legal proceedings’. This can include information that is obtained from a device (such as a computer hard drive or mobile phone), directly from the internet (such as an email account or information retrieved remotely from a cloud storage account), or from a service provider that is storing the information.
The intangible nature of information stored electronically makes it more volatile and fragile than traditional forms of evidence. Electronic evidence, when on devices with computer memory is volatile because it can easily be altered, overwritten, corrupted or even destroyed – on purpose, or through normal use. This creates new challenges for our criminal justice systems and, as with other types of forensic evidence, proper processes for obtaining and handling electronic evidence is critical. Digital forensics is a branch of forensic science that has developed in response to this need in our criminal justice response and encompasses the recovery and investigation of material found in digital devices. Specialised procedures, tools and techniques are essential to investigate various cybercrimes and to ensure electronic evidence is handled appropriately in order to ensure the evidence is obtained in compliance with existing legislation and can be used in court.
In many ways, electronic evidence is no different from traditional evidence (such as documents, photographs, witness testimony, and DNA). If electronic evidence is to be introduced as ‘evidence’ in legal proceedings the court must be satisfied the evidence has not been altered or changed in any way from the time it was obtained.
Technology and electronic evidence have become regular features in criminal investigations. This is due to the way technology has become an integral part of every aspect of our lives. For example, most of the ways we interact or conduct business involve a computer or some type of electronic device. Cybercriminals use technology in much the same way and use the technology itself to commit the crime.
Due to the shift of criminal activity from the real world to the online sphere, evidence of the criminal activity is regularly discovered on personal computers, websites, social networks, emails or cloud storage. Courts have accepted emails, ATM transaction logs, social media posts, audio files as evidence in cases and are generally becoming more familiar with the unique value electronic evidence can have to proving the occurrence of crime.
Electronic evidence is generally dealt with in court in the same way as any other type of evidence and is subject to the same rules and laws that apply to traditional forms of documentary evidence. That is, the onus is on the prosecution to demonstrate the evidence has not been altered or changed since it was first obtained by law enforcement. In words, the defence can challenge its admissibility and the prosecution will need to provide sufficient evidence to the court showing that the electronic evidence is trustworthy and reliable. Common challenges made by the defence in relation to electronic evidence include: challenging the search of persons property or the electronic device where the evidence was seized (e.g. search warrant not properly obtained or executed), and challenging the integrity of the evidence itself (e.g. has been altered, the defendant using the profile at that time). Prosecutors need to be aware of and ready for these kinds of challenges.
Types of Data
Electronic data is typically classified as either content or non-content. Data can also be categorised by whether it already exists (i.e. stored data) or is being captured as it is generated (real-time collection or interception). The types of data captured from both content and non-content data is instrumental to the investigation of modern crime types as it can be used to identify the perpetrator through the cross analysis of the contents of the message as well as the geo-spatial details from which the message was sent and received.
Non-content data includes transactional data such as whom a communication was to or from, the time it was transmitted, and the duration or size of the communication. It also includes subscriber information such as a customer’s name, address, billing information, and any subscriber identifier such as a username, email address or IP address.
Dependant on the country and the laws governing the disclosure of data to foreign countries, service providers may provide non-content data to law enforcement for investigative use where possible, it is highly recommended that law enforcement obtain non-content data prior to making a MAR. Law enforcement may be able to seek this data through informal police-to-police channels or directly from the service provider.
However, non-content data can be very useful to assist, confirm or dismiss targets in an investigation, to confirm the evidence is available and/or as supporting grounds for making a MAR for content data. Non-content data can also be useful to meet the relevant legal threshold for seeking content data in a MAR (e.g. probable cause if seeking content data from the US).
Subscriber data includes personal details provided by the user at registration of service. This could include the name and address of a subscriber, internet connection records, length and type of internet service, a subscriber’s assigned IP address, network address assigned to a specific internet session, and/or payment information (bank account, credit card details).
Subscriber data could assist an investigation if the person who up the account used their real details. Remember the subscriber data may not be verified by the company when it is collected from the subscriber.
Referred to by a few different names, transactional data, traffic data or IP logs show when an internet account has been accessed by a particular IP address. An IP address is the unique number assigned to a computer or device which is used to route traffic to or from the device. IP log data shows when an internet account has been accessed by a particular IP address. This transactional data about when, and from what computer, a message was sent might help identify who has used a particular internet account or profile. You can then trace the IP address back to a physical location or match it up with times when the suspect was known or believed to be online. This information may help identify who has used a particular internet account at a specific time.
IP addresses and IP logs are helpful in the identification of user details and can be used to ascertain when an account was accessed. Seeking this type of non-content data directly from the service provider may be useful to include in the MAR. However, mobile phones (and other internet enabled devices) are allocated a new IP address every time the internet is accessed (referred to as dynamic allocation) and records of which IP address were allocated to which phone may not be kept for very long dependent on domestic data retention laws and business practices. While this may confuse the MAR process, it is still useful data to include in a MAR to help the service provider in finding the information requested.
Content data means information that reveals the content of the communication, or the message or information being conveyed by the communication, whether or not any interpretation, process, mechanism or device needs to be applied or used to make the meaning of the communication intelligible. It refers to the stored content of emails, posts, comments, address books, photos.
There is no universal definition or common understanding of what is considered content data or non-content data. For example, in some jurisdictions IP logs would be considered to be a type of non-content data, whereas as in others it would be content data. What is important is to consider whether a coercive power (e.g. a search warrant) will be required in order to obtain the data, which is almost always the case with content data.
 UNODC Op Ed on Cybercrime, 2018 (https://www.unodc.org/westandcentralafrica/en/2018_04_24_oped-on-cybercrime.html)
 UNODC guide (vii) UNODC Practical Guide for Requesting Electronic Evidence Across Borders, 2019 (vii)
 Please note that hacking is not necessarily an illegal activity. Hacking is simply the act of accessing a computer system through unconventional means. It is effectively the act of picking a digital lock. However, like the real-world lock smith, picking a lock is not necessarily an illegal activity depending on why it is done.
 Like hacking, botnets are often considered to be malicious. A botnet is simply a number of internet-connected devices. Such a network can be used for malicious purposes.
 CoE Electronic Evidence Guide, 2020, p129
 CoE Electronic Evidence Guide, 2020, p12