2.5 Working with Service Providers

Cooperation with internet service providers is essential to law enforcement’s ability to effectively investigate cybercrime.

p18 requests

Consideration must be given to balance personal protections and online freedom with the need for law enforcement to access data needed to successfully investigate alleged cybercrimes. Both industry and government have roles in maintaining the safety of the internet and preventing online harm. Therefore, government cooperation with industry is a shared interest and the creation and maintenance of productive working relationships is of the utmost importance. The question is how both can best cooperate with each other to make the internet safer, while at the same time respect their different roles and the fundamental rights of users. Many service providers are often willing to provide some non-content data (e.g. subscriber, traffic data) on a police-to-police basis. However, most require a formal MAR to provide content data, and some will require a formal MAR before providing any data at all.

2.6 Where are the Records?

If seeking records from a service provider, the first question to ask yourself is ‘where are the records?’ Most service providers are located in the US and consequently, the requirements of US law need to be met when seeking to obtain internet records (non-content or content) from those service providers. However, as a number of these entities are moving servers and records from the US, it is important to check that the evidence you are trying to obtain through MLA is located in the country you are making the request to. Identifying an account by reference to the domain name (e.g. ‘.com.au’) is no guarantee that the records are located in the same country as the domain suggests.

Please refer to Service Provider Profiles and Search-ISP list for more information on specific service providers.

2.7 Preserving Internet Records

Service providers store electronic evidence in the form of internet records (non-content and content), however they generally do not store data indefinitely. Service providers will usually only keep data for as long as they need it for typical internal administrative purposes (such as billing), or as required by law under any data retention scheme[8]. It can also easily be deleted or changed by a user. In recognition of the fact that electronic evidence is fragile and volatile, a process to ‘preserve’ data has been established and is an essential part of the MLA process and domestic electronic evidence collection.

A preservation request takes a ‘snapshot’ of data relating to a particular account or profile at the time the preservation takes effect. Preservation requests can usually only be made by law enforcement and should be actioned straight away. After processing a preservation request, the service provider will usually send an automated response with a reference number within 1-2 business days. Most service providers have information on how law enforcement can make a preservation request in their law enforcement guidelines. It is a relatively simple process for law enforcement to preserve internet records, and most of the major US service providers have specific websites or ‘portals’ for this exact purpose. Though police-to-police cooperation, 24/7 Networks or MARs can be used to seek preservation of data, law enforcement should use the specific websites or portal.

Preservation requests can last for anywhere from 90 to 180 days and thereafter automatically lapse or expire unless an extension is sought. The law enforcement agency is responsible for maintaining and extending preservation requests, and it should be extended until the original material requested in the MAR has been received.

Most major service providers do not notify accountholders upon the receipt of a preservation request, however some do. If notification may be harmful to the investigation, prior to making the preservation request law enforcement should, if possible, confirm with the relevant service provider whether the account holder will be notified. If the service provider will notify the account holder, law enforcement may wish to request that the service provider refrain from doing so where the notification itself risks harming the investigation.

The date of preservation, any extensions and the preservation reference number should be included in the MAR. Indeed, some countries will not accept a MAR for internet records without proof that the data is preserved.

Further information on making emergency requests from particular service providers can be found in Chapter 7.


2.8 Emergency Situations

It is important to consider what options are available where electronic evidence could assist in an emergency situation where there is a risk of death or serious harm. Many service providers specifically provide for emergency situations in their law enforcement guidelines which allow for law enforcement to request data (content and non-content) directly from the service provider without delay. Clearly setting out the timeframe and ‘imminence’ of the risk or danger in an emergency request is critical to demonstrate that there is no opportunity to follow the standard MLA process.

Urgent MARs requesting assistance can also be made between countries. In some circumstances, an oral MAR could be made with a written MAR to follow. Strong relationships with counterparts in foreign law enforcement and central authorities are particularly important in emergency situations. The 24/7 Network of contact points, INTERPOL and the Pacific Transnational Crime Network (PTCN) are all useful contacts to seek advice on handling emergency requests. If making an emergency request to the US, it is recommended that the requesting country also contact the relevant FBI attaché who should be able to assist in following through the process with the service providers and Office of International Affairs in the US Department of Justice.

Further information on making emergency requests from particular service providers can be found in Chapter 7.

2.9 Child Sexual Abuse Material (CSAM)

The fast-paced technological innovation and widespread accessibility of ICT has allowed great gains in our society. However, it has also provided a new mechanism by which sexual abuse of children can occur, including providing an avenue for online offender communities to encourage one another and produce and share child sexual abuse material (CSAM)[9]. While not a new phenomenon, unprecedented access to technology through the internet has allowed the demand for and access to CSAM to flourish. CSAM is any representation, by whatever means, of a child engaged in real or simulated explicit sexual activities or any representation of the sexual parts of a child, the dominant characteristics of which is depiction for a sexual purpose.[10] Child sexual abuse can take many other forms in the online world and includes: grooming including of third parties such as parents or carers to gain access to a child; procuring, creating, controlling or accessing CSAM; engaging in live-streamed child sexual abuse; and conduct which facilitates these crimes (e.g. creating and administering online websites and forums to engage in child abuse offences online).

Unfortunately, a significant number of MARs relate to online child abuse investigations and prosecutions. Familiarise yourself with the criminal offences and procedural frameworks in your country that address CSAM, and related child abuse offences, so that you are able to assist should a MAR relating to CSAM arise. If records sought through a MAR are likely to contain CSAM it should be specifically noted in the MAR and specific handling protocols will apply.

p21 dark side
p21 characteristic

These protocols will be agreed between the requesting and recipient country. For example, before CSAM which has been requested in a MAR can be brought into Australia, it is mandatory for officials to first obtain an important certificate for those requested materials, otherwise they are prohibited.

Service providers located in the US are required by US law to report identified or suspected instances of child exploitation appearing on their sites or platforms from anywhere in the world to the National Centre for Missing and Exploited Children (NCMEC). NCMEC refers matters to law enforcement authorities from around the world in order to help victims.

This is a complex area that cannot be comprehensively covered in this handbook. For further information we recommend the following resources:

2.10 The Budapest Convention

The Budapest Convention seeks to harmonise national laws to address a range of criminal conduct such as computer related fraud, CSAM and violations of network security. The Convention serves as a guideline to member states for developing comprehensive national legislation against cybercrime. It also deals with the domestic collection of electronic evidence for the purpose of international crime cooperation between the 64 countries currently signatories to the convention. The development of effective substantive and procedural laws, and the facilitation of effective international crime cooperation between foreign governments and law enforcement agencies, is crucial to overcoming the modern challenges faced domestically when combatting serious criminal activity both online and offline. A number of guidance notes have been developed aimed at facilitating the effective use and implementation of the convention and represent the common understanding of the Parties regarding use of the convention.

Second Additional Protocol

Parties to the Convention (by way of the Cybercrime Convention Committee) continue to assess how to modernise the frameworks under the Convention to tackle the challenges posed by the impact of the digital age on crime and law enforcement. Over the years, the T-CY Committee has reported on the ongoing challenges associated with international crime cooperation. For example, significant delays in MLA processes, and not knowing the location of data sought. Accordingly, to address those challenges the T-CY Committee decided that a new additional protocol was required for the Convention.

On 9 June 2017, the terms of reference for the preparation of the draft Second Additional Protocol were published in order to address these urgent challenges and provide solutions for a more efficient international criminal justice response to cybercrime and crime involving electronic evidence. The Second Additional Protocol aims to include:

p20 second protocol

The significant growth in the transnational nature of cybercrime and cyber-enabled crime and the ease in which electronic data can be stored overseas, continues to place a significant burden on formal and informal international crime cooperation processes (especially MLA processes). The Second Additional Protocol stands as a timely update to the procedural laws within the Convention. The T-CY Committee aim for the Second Additional Protocol to be finalised by the end of 2020.

[8] Data retention is the mandated minimum period of time that a CSP has to keep data and is different in each Country_According to their legislation, if there if such legislation. It is different to preservation.

[9] Use of the phrase “child pornography” benefits child sex abusers because it indicates legitimacy and compliance on the part of the victim and therefore legality on the part of the abuser and does not recognise the horrific abuse suffered by victims. Every photograph or video captures an actual situation where a child has been abused. The term Child Sexual Abuse Material (CSAM) more accurately reflects what is depicted – the sexual abuse and exploitation of children. Not only do these images and videos document victims’ exploitation and abuse, but when these files are shared across the internet, child victims suffer repeat and ongoing re-victimization each time the image of their sexual abuse is viewed.

[10] Optional Protocol, UN Convention on the Rights of the Child