Technica Editorial
Technica Editorial
Technica Editorial
Technology is one of the strategic factors driving the increasing use of the
Internet by terrorist organization and their supporters for a wide range of
purposes, including recruitment, financing, propaganda, training, incitement to
commit acts of terrorism, and the gathering and dissemination of information for
terrorist purposes. While the many benefits of the Internet are self-evident, it may
also be used to facilitate communication within terrorist organizations and to
transmit information on, as well as material support for, planned acts of terrorism,
all of which require specific technical knowledge for the effective investigation of
these offences
It is a commonly accepted principle that, despite the heinous nature of their acts,
alleged terrorists should be afforded the same procedural safeguards under
criminal law as any other suspects. The defense of human rights is a core value of
the United Nations and a fundamental pillar of the rule-of-law approach to the
fight against terrorism. The present publication accordingly highlights the
importance of respect for the principles of human rights and fundamental
freedoms at all times and, in particular, in the context of the development and
implementation of legal instruments related to countering terrorism.
The United Nations Office on Drugs and Crime (UNODC), as a key United
Nations entity for delivering counter-terrorism legal and related technical
assistance, actively participates in the Counter-Terrorism Implementation Task
Force, thus ensuring that the counter-terrorism work of UNODC is carried out in
the broader context of, and coordinated with, United Nations system-wide efforts.
In January 2010, the Task Force's Working Group on Countering the Use of the
Internet for Terrorist Purposes initiated a series of conferences involving
representatives from Governments, international and regional organizations, think
tanks, academia and the private sector to evaluate the use of the Internet for
terrorist purposes and potential means to counter such use. The objective of the
Working Group initiative was to provide Member States with an overview of the
current nature of the challenge and to propose policy guidelines, projects and
practical guidance regarding legal, technical and counter-narrative aspects of the
challenge. Working Group conferences were held in Berlin in January 2010,
Seattle (United States of America) in February 2010 and Riyadh in January 2011.
In furtherance of its mandate "to develop specialized legal knowledge in the area
of counter-terrorism... and to provide assistance to requesting Member States
with regard to criminal justice responses to terrorism, including. the use of the
Internet for terrorist purposes,"1 the Terrorism Prevention Branch of UNODC, in
collaboration with the Organized Crime and Illicit Trafficking Branch of
UNODC and with the support of the Government of the United Kingdom of
Great Britain and Northern Ireland, undertook to contribute to the Working
Group project through the development of the current technical assistance tool on
the use of the Internet for terrorist purposes. The current UNODC publication
builds upon the conclusions of the Working Group conferences, and in particular
the conference held in Berlin in January 2010, relating to Internet-specific legal
aspects of terrorism.
A. Introduction
1. Since the late 1980s, the Internet has proven to be a highly dynamic means of
communication, reaching an ever-growing audience worldwide. The
development of increasingly sophisticated technologies has created a network
with a truly global reach, and relatively low barriers to entry. Internet
technology makes it easy for an individual to communicate with relative
anonymity, quickly and effectively across borders, to an almost limitless
audience. The benefits of Internet technology are numerous, starting with its
unique suitability for sharing information and ideas, which is recognized as a
fundamental human right.2 It must also be recognized, however, that the same
techno logy that facilitates such communication can also be exploited for the
purposes of terrorism. The use of the Internet for terrorist purposes creates both
challenges and opportunities in the fight against terrorism.
2. For the purposes of the present publication, a functional approach has been
adopted regarding the classification of the means by which the Internet is often
utilized to pro- mote and support acts of terrorism. This approach has resulted in
the identification of six sometimes overlapping categories: propaganda (including
recruitment, radicalization and incitement to terrorism); financing; training;
planning (including through secret communication and open-source information);
execution; and cyberattacks. Each of these categories is addressed in greater
detail below.
I. Propaganda
3. One of the primaries uses of the Internet by terrorists is for the dissemination
of propaganda. Propaganda generally takes the form of multimedia
communications providing ideological or practical instruction, explanations,
justifications or promotion of terrorist activities. These may include virtual
messages, presentations, magazines, treatises, audio and video files and video
games developed by terrorist organizations or sympathizers. Nevertheless, what
constitutes terrorist propaganda, as opposed to legitimate advocacy of a
viewpoint, is often a subjective assessment. Further, the dissemination of
propaganda is generally not, in and of itself, a prohibited activity. One of the
basic tenets of international law is the protection of fundamental human rights,
which include the right to freedom of expression (see discussion in section 1.D
below). This guarantees an individual the right to share an opinion or distribute
content which may be considered objectionable by others, subject to certain
limited exceptions. One commonly accepted exclusion with respect to that right
is the prohibition against the distribution of certain categories of sexually explicit
content, the prohibition of which is deemed to be in the public interest in order to
protect certain vulnerable groups. Other exclusions, all of which must be
provided for by law and shown to be necessary, may include communications
that are clearly detrimental to the protection of national security and
communications that are both intended and likely to incite acts of violence
against individuals or specific groups of individuals.3
(a) Recruitment
7. The Internet may be used not only as a means to publish extremist rhetoric and
videos, but also a way to develop relationships with, and solicit support from,
those most responsive to targeted propaganda. Terrorist organizations
increasingly use propaganda distributed via platforms such as password-protected
websites and restricted- access Internet chat groups as a means of clandestine
recruitment.5 The reach of the Internet provides terrorist organizations and
sympathizers with a global pool of potential recruits. Restricted access cyber
forums offer a venue for recruits to learn about, and provide support to, terrorist
organizations and to engage in direct actions in the furtherance of terrorist
objectives.6 The use of technological barriers to entry to recruitment platforms
also increases the complexity of tracking terrorism-related activity by intelligence
and law enforcement personnel.
8. Terrorist propaganda is often tailored to appeal to vulnerable and marginalized
groups in society. The process of recruitment and radicalization commonly
capitalizes on an individual's sentiments of injustice, exclusion or humiliation. 7
Propaganda may be adapted to account for demographic factors, such as age or
gender, as well as social or economic circumstances.
(b) Incitement
10. While propaganda per se is not generally prohibited, the use of propaganda
by terrorists to incite acts of terrorism is considered unlawful by many Member
States The Internet provides an abundance of material and opportunities to
download, edit and distribute content that may be considered unlawful
glorification of, or provocation to, acts of terrorism. It should be noted, however,
that some intergovernmental and human rights mechanisms have expressed doubt
that the concept of "glorification" of terrorism is sufficiently narrow and
precise to serve as a basis for criminal sanctions compliant with the requirements
of the principle of legality and the permissible limitations of the right to freedom
of expression, as enshrined in articles 15 and 19 of the International Covenant on
Civil and Political Rights.9,10
(c) Radicalization
2. Financing
14. Terrorist organizations and supporters may also use the Internet to
finance acts of terrorism. The manner in which terrorists use the Internet to raise
and collect funds and resources may be classified into four general categories:
direct solicitation, e-commerce, the exploitation of online payment tools and
through charitable organizations. Direct solicitation refers to the use of websites,
chat groups, mass mailings and targeted communications to request donations
from supporters. Websites may also be used as online stores, offering books,
audio and
video recordings and other items to supporters. Online payment facilities offered
through dedicated websites or communications platforms make it easy to transfer
funds electronically between parties. Funds transfers are often made by electronic
wire transfer, credit card or alternate payment facilities available via services
such as PayPal or Skype.
15. Online payment facilities may also be exploited through fraudulent means
such as identity theft, credit card theft, wire fraud, stock fraud, intellectual
property crimes and auction fraud. An example of the use of illicit gains to
finance acts of terrorism can be seen in the United Kingdom case against
YOUNES TSOULI (see para. 114 below). Profits from stolen credit cards were
laundered by several means, including transfer through e-gold online payment
accounts, which were used to route the funds through several countries before
they reached their intended destination. The laundered money was used both to
fund the registration by TSOULI of 180 websites hosting Al-Qaida propaganda
videos and to provide equipment for terrorist activities in several countries.
Approximately 1,400 credit cards were used to generate approximately Cl.6
million of illicit funds to finance terrorist activity.12
3. Training
17. In recent years, terrorist organizations have increasingly turned to the Internet
as an alternative training ground for terrorists. There is a growing range of media
that provide platforms for the dissemination of practical guides in the form of
online manuals, audio and video clips, information and advice. These
Internet
platforms also provide detailed instructions, often in easily accessible multimedia
format and multiple languages, on topics such as how to join terrorist
organizations; how to construct explosives, firearms or other weapons or
hazardous materials; and how to plan and execute terrorist attacks. The platforms
act as a virtual training camp. They are also used to share, inter alia, specific
methods, techniques or operational knowledge for the purpose of commit ting an
act of terrorism.
4. Planning
20. Many criminal justice practitioners have indicated that almost every case of
terrorism prosecuted involved the use of Internet technology. In particular,
planning an act of terrorism typically involves remote communication among
several parties. A recent case from France, Public Prosecutor v. Hicheur,15
illustrates how different forms of Internet technology may be used to facilitate
the preparation of acts of terrorism, including via thorough communications
within and between organizations promoting violent extremism, as well as
across borders.
Public Prosecutor V. HICHEUR
In May 2012, a French court sentenced ADLÈNE HICHEUR, an Algerian-born French national, to
five years of imprisonment for participation in a criminal conspiracy for the preparation of a terrorist
act (under Article 421-1 et. seq. of the French Criminal Code), relating to acts that took place in
France in 2008 and 2009
The investigation implicating HICHEUR, a nuclear physicist, was launched in early 2008 in
connection with an e-mail communication containing jihadist content, which was sent to the website
of the President of the French Republic and traced back to a member of A Qaida in the Islamic
Maghreb (AQIM).
A preservation order issued in January 2009 enabled the authorities to identify e-mail exchanges
between the AQIM member and, inter alia, the Global Islamic Media Front (GIMF) and
the RAFIDAIN Center, a website with the stated goal of hosting and disseminating Al Qaida
documents, audio and video recordings, statements from warlords and suicide attackers and the
materials of other extremist Islamic groups. The e-mail exchanges were encrypted using the
dedicated software "ASRAREL Mujahedeen or "Mujahedeen Secrets", which includes 256-bit
encryption, variable stealth cipher encryption keys, RSA 2,048-bit encryption keys and encrypted
chat-forum-supported instant messaging.
Dozens of decrypted e-mail communications were presented at trial. The prosecution claimed that
the content of those e-mails indicated that HICHEUR actively performed, inter alia, the following
acts in support of the jihadist network, notably on behalf of the Al-RAFIDAIN CENTRE: -
At trial, the prosecution claimed that those communications proved HICHEUR had been fully aware
that he was engaging with a member of AQIM, and that he had acted knowingly and willingly as an
intermediary between jihadist fighters and GIMF. At the conclusion of the trial, the Court held that;
" HICHEUR became ... a logistical and media support for this terrorist structure for which the 'media
jihad' is crucial.
The Court further held that "Adlène HICHEUR, by giving his agreement to the establishment of an
operational unit linked to AQIM in Europe, or even in France, and determining targets or categories
of targets to be struck, participated in a group [AQM] specifically created to prepare acts of terrorism."
The court therefore found sufficient evidence to demonstrate, as required under the French Criminal
Code, that HICHEUR had provided not merely intellectual support but also direct logistical support to
a clearly identified terrorist plan. The decision of the court is appealable.
Sources Judgement of 4 May 2012 of the Tribunal de Grande instance de FARIS; and Tung,
Liam, Jihadists get worked-class encryption kit (29 January 20081, available from www
zdnet.com.au/jihadists-get-world-class-encryption-kit-339285480. HTM
21. Steps may also be taken via the Internet to identify a potential target of an
attack and the most effective means of achieving the terrorist purpose. These
preparatory steps may range from obtaining instructions on recommended
methods of attack to collecting open-source and other information regarding a
proposed target. The ability of the Internet to bridge distances and borders, and
the vast amount of information publicly available in cyberspace, make the
Internet a key tool in the planning of terrorist acts.
26. Elements of the categories described above may be employed in the use of
the Internet for the execution of terrorist acts. For example, explicit threats of
violence, including in relation to the use of weapons, may be disseminated via the
Internet to induce anxiety, fear or panic in a population or subset of the
population. In many Member States, the act of issuing such threats, even if
unfulfilled, may be deemed an offence. For example, in China, the fabrication of
a threat and/or the circulation of a threat that is known to be fabricated in relation
to the use of bombs or biological, chemical, or radioactive materials or other
weapons, when committed with the intent "to seriously disrupt public order", is
criminalized under domestic legislation. Internet communications may also be
used as a means to communicate with potential victims or to coordinate the
execution of physical acts of terrorism. For example, the Internet was used
extensively in the coordination of participants in the attacks of 11 September
2001 in the United States.
27. The use of the Internet in furtherance of the execution of acts of terrorism
may, inter alia, offer logistical advantages, reduce the likelihood of detection or
obscure the identity of responsible parties. Internet activity may also facilitate the
acquisition of items necessary for the execution of the attack. Terrorists may
purchase individual components or services required to perpetrate violent acts of
terrorism by means of electronic commerce. Misappropriated credit cards or
other forms of compromised electronic payment may be used to finance such
purchases.
6. Cyberattacks
29. While terrorists have developed many ways to use the Internet in furtherance
of illicit purposes, their use of the Internet also provides opportunities for the
gathering of intelligence and other activities to prevent and counter acts of
terrorism, as well as for the gathering of evidence for the prosecution of such
acts. A significant amount of knowledge about the functioning, activities and
sometimes the targets of terrorist organizations is derived from website, chat
room and other Internet communications. Further, increased Internet use for
terrorist purposes provides a corresponding increase in the availability of
electronic data which may be compiled and analyzed for counter-terrorism
purposes. Law enforcement, intelligence and other authorities are developing
increasingly sophisticated tools to proactively prevent, detect and deter terrorist
activity involving use of the Internet. The use of traditional investigative means,
such as dedicated translation resources for the timely identification of potential
terrorist threats, is also expanding.
D. Rule-of-law considerations
32. Respect for human rights and the rule of law is an integral part of the fight
against terrorism. Due care must be taken to respect international human rights
standards in all phases of counter-terrorism initiatives, from preventive
intelligence gathering to ensuring due process in the prosecution of suspects. This
requires the development of national counter-terrorism legislation and practices
that promote and protect fundamental human rights and the rule of law.24
33. States have both a right and a duty to take effective measures to counter the
destructive impact of terrorism on human rights, in particular the rights to life,
liberty and physical integrity of individuals and the territorial integrity and
security of States Effective counter-terrorism measures and the protection of
human rights are complementary and mutually reinforcing objectives which must
be pursued together.25 Counter- terrorism initiatives relating to Internet use may
have an impact on the enjoyment of a range of human rights, including the rights
to freedom of speech, freedom of association, privacy and a fair trial. While a
comprehensive analysis of human rights issues is beyond the scope of the present
publication, it is important to highlight key areas for consideration.
35. Countering terrorist use of the Internet may involve the surveillance and
collection of information relating to suspects. Due regard should be given to
protecting persons against arbitrary or unlawful interference with the right to
privacy,27 which includes the right to privacy of information about an individual's
identity as well as his or her private life. Domestic laws must be sufficiently
detailed regarding, inter alia, the specific circumstances in which such
interference may be permitted. Appropriate safeguards must also be in place to
prevent abuse of secret surveillance tools. Further, any personal data collected
must be adequately protected to ensure against unlawful or arbitrary access,
disclosure or use.28
36. Guaranteeing due process rights is critical for ensuring that counter-terrorism
measures are effective and respect the rule of law. Human rights protections
for all persons charged with criminal offences, including terrorism-related
crimes, include the right to be presumed innocent, the right to a hearing with due
guarantees and within a reasonable time by a competent, independent and
impartial tribunal and the right to have a conviction and sentence reviewed by a
higher tribunal that meets the same standards.29
37. For a more detailed analysis of the issues highlighted in the present
section and other relevant considerations, please see, for example, Fact Sheet
No. 32 of the Office of the United Nations High Commissioner for Human
Rights on "Human rights, terrorism and counter-terrorism", the report of the
United Nations High Commissioner for Human Rights on the protection of
human rights and fundamental freedoms while countering terrorism
(A/HRC/16/50) and the following reports of the Special Rapporteur on the
promotion and protection of human rights and fundamental freedoms while
countering terrorism: ten areas of best practices in countering terrorism
(A/HRC/16/51); and compilation of good practices on legal and institutional
frameworks and measures that ensure respect for human rights by intelligence
agencies while countering terrorism, including on their oversight (A/HRC/14/46).
II. The international context
A. Introduction
40. Legal obligations are also imposed upon States pursuant to bilateral and
multi- lateral instruments addressing terrorism. "Universal" legal instruments are
agreements that are open for ratification or accession by all Member States of the
United Nations. By contrast, agreements promulgated by regional or other inter-
State groupings may be open to only a limited group of potential signatories;
such treaty-based obligations are binding only upon those States which choose to
become a party to the agreements.
41. The duty to bring perpetrators of acts of terrorism to justice rests primarily
with domestic authorities, as international tribunals do not generally have
jurisdiction over such acts.31 United Nations resolutions, universal legal
instruments, regional agreements and model laws against terrorism play a key
role in establishing common standards accepted across multiple jurisdictions.
B. United Nations counter-terrorism resolutions
43. Several Security Council resolutions adopted in recent years require States to
cooperate fully in the fight against terrorism, in all its forms. In particular,
resolutions 1373 (2001) and 156 (2004), adopted under Chapter VII of the
Charter of the United Nations, require legislative and other action to be taken by
all Member States to combat terrorism, including through increased cooperation
with other Governments in the investigation, detection, arrest, extradition and
prosecution of those involved in terrorist acts and call upon States to implement
the international conventions and protocols relating to terrorism.
44. Another key Security Council resolution relating to terrorist activity that may
be conducted by means of the Internet is resolution 1624 (2005), which addresses
the incitement and glorification of terrorist acts. In its fourth preambular
paragraph, the Council condemns "in the strongest terms the incitement of
terrorist acts "and repudiates" attempts at the justification or glorification
(apologies) of terrorist acts that may incite further terrorist acts". In paragraph 1,
it calls upon all States to adopt such measures as may be necessary and
appropriate, and in accordance with their obligations under international law,
to prohibit by law and prevent incitement to commit a terrorist act or acts.
46. In its resolution 1963 (2010), the Security Council expressed "concern at the
increased use, in a globalized society, by terrorists of new information and
communications technologies, in particular the Internet, for the purposes of the
recruitment and incitement as well as for the financing, planning and preparation
of their activities." The Council also recognized the importance of cooperation
among Member States to prevent terrorists from exploiting technology,
communications and resources.
47. Since 1963, the international community has been developing universal legal
instruments to prevent terrorist acts under the auspices of the United Nations and
its specialized agencies, in particular the International Civil Aviation
Organization and the International Maritime Organization, and the International
Atomic Energy Agency. The universal counter-terrorism instruments represent a
major element of the global regime against terrorism and an important framework
for international cooperation in countering terrorism. These universal legal
instruments cover acts
ranging from the hijacking of aircraft to nuclear terrorism by individuals and
groups36 and require the States that adopt them to criminalize the most
foreseeable terrorist acts in the areas covered by the conventions. Nevertheless,
these universal legal instruments are legally binding only on the signatories
thereto,37 which are also responsible for enforcing the provisions through the
domestic criminal justice systems.
50. Member States have been engaged since 2000 in negotiations relating to a
comprehensive counter-terrorism convention, which will ultimately include a
definition of terrorism. Faced, however, with the difficulty of reaching consensus
on a single, globally accepted definition of what constitutes terrorism; progress
has instead been made through the existing universal legal instruments, which
have developed along sectoral lines. These instruments focus on criminalizing
specific "terrorist acts" without defining the broader concept of terrorism.
51. The universal instruments do not define terrorist offences as crimes under
inter- national law. Rather, they create an obligation for States parties to the
agreements to criminalize the specified unlawful conduct under their domestic
law, exercise jurisdiction over offenders under prescribed conditions and
provide
for international cooperation mechanisms that enable States parties to either
prosecute or extradite the alleged offenders. Until the successful conclusion of
ongoing negotiations on a universal definition or comprehensive convention
relating to terrorism, bilateral and multilateral agreements should provide
the basis for the development of common standards to counter the use of the
Internet for terrorist purposes, in the interest of promoting international
cooperation.
53. Human rights obligations form an integral part of the international legal
counter- terrorism framework, both through the obligation imposed on States to
prevent terrorist attacks, which have the potential to significantly undermine
human rights, and through the obligation to ensure that all counter-terrorism
measures respect human rights. In the United Nations Global Counter-Terrorism
Strategy, Member States reaffirmed those obligations, recognizing in particular
that "effective counter-terrorism measures and the protection of human rights are
not conflicting goals, but complementary and mutually reinforcing".
54. Key universal human rights instruments adopted under the auspices of the
United Nations include the Universal Declaration of Human Rights,41 the
International Covenant on Civil and Political Rights and the International
Covenant on Economic, Social and Cultural Rights,42 and applicable protocols.
I. Council of Europe
58. In 2001, the Council of Europe elaborated the Council of Europe Convention
on Cybercrime,48 which is currently the only multilateral, legally binding
instrument addressing criminal activity conducted via the Internet. The Council
of Europe Convention on Cybercrime seeks to harmonize national laws relating
to cybercrime, to improve domestic procedures for detecting, investigating, and
prosecuting such crimes and to provide arrangements for fast and reliable
international cooperation on these matters.49 The Convention establishes a
common minimum standard for domestic computer-related offences50 and
provides for the criminalization of nine such offences, including offences relating
to unauthorized access to and illicit tampering with computer systems,
programs or data; computer-related fraud and forgery; and attempting, aiding or
abetting the commission of such acts.51
59. The Council of Europe Convention on Cybercrime also includes important
procedural provisions which may facilitate investigations and evidence-gathering
in connection with acts of terrorism involving use of the Internet. These
provisions apply to any criminal offence committed by means of a computer and
the collection of evidence in electronic form and are subject to applicable
safeguards provided for under domestic law.52
63. The Council of Europe Convention on Cybercrime and the Council of Europe
Convention on the Prevention of Terrorism are open to ratification or
accession by all member States of the Council of Europe,63 non-member States
that participated in the elaboration of those Conventions and other non-member
States by invitation, with agreement from all of the States then parties to the
relevant Convention.64 It is worth noting that several countries that have not
formally acceded to the Council of Europe Convention on Cybercrime have
nonetheless used its provisions as guidelines in the drafting of their own national
cybercrime legislation. (See also section F below on model legislation.)
64. The Council of Europe has also elaborated the Additional Protocol to the
Convention on Cybercrime, concerning the Criminalization of Acts of a Racist
and Xenophobic Nature Committed through Computer Systems 65. This
Additional Protocol may also facilitate the prosecution of terrorist acts committed
via the Internet with the intention of inciting violence on the basis of race, color,
descent, national or ethnic origin, or religion. 66 The Additional Protocol is open
to all contracting States of the Council of Europe Convention on Cybercrime.67
2. European Union
65. In 2002, the Council of the European Union adopted framework decision
2002/475/JHA of 13 June 2002 on combating terrorism, which harmonizes the
definition of terrorist offences in all European Union member States68 by
introducing a specific and common definition of the concept of "terrorism",
setting forth jurisdictional rules to guarantee that terrorist offences may be
effectively prosecuted, and outlining specific measures with regard to victims
of
terrorist offences. In response to the growing terrorist threat, including the use of
new technologies such as the Internet, frame work decision 2002/475/JHA was
amended in 2008 69 to specifically include provisions on public provocation to
commit a terrorist offence, recruitment for terrorism and training for terrorism. In
that decision, the Council of the European Union also took note of Security
Council resolution 1624 (2005), in which the Council called upon States to take
measures to prohibit by law incitement to commit a terrorist act or acts and to
prevent such conduct.
F. Model legislation
68. While model legislation provides advisory guidelines, rather than legally
binding obligations, it plays an important role in harmonizing legal standards
among States. Unlike international conventions, which may be subject to
extensive negotiations to reflect the needs of a diverse range of potential
signatories, the provisions of model laws provide States with the benefit of strong
foundational legal provisions as a point of departure for the development of
domestic legislation. A key benefit of the use of model provisions as a basis for
national legislation is the facilitation of international cooperation, including
through the mitigation of conflicts arising out of misinterpretation of provisions
in different legal systems (for example, between common-law and civil-law
jurisdictions) and with respect to dual criminality requirements. 71 (See discussion
in section V.E.5 below.)
I. Commonwealth
69. The Commonwealth Model Law on Computer and Computer Related Crime
(2002) was drafted on the basis of the Council of Europe Convention on
Cybercrime.72 The Model Law is aimed at leveraging the similarities in the legal
traditions of Commonwealth member States 73 to promote the harmonization of
both substantive and procedural aspects of combating cybercrime and to promote
international cooperation. The Commonwealth Model Law is consistent with the
standards defined by the Council of Europe Convention on Cybercrime.
70. Member States of the Commonwealth of Independent States (CIS) have also
adopted model legislative acts and guidelines, aimed at harmonizing the national
legislative systems, taking into account international experiences in the fight
against terrorism. These model provisions reflect international legal standards,
adapted to the needs of CIS member States.74 For example, article 13 of
the
Model Law on the regulatory framework of the Internet75 provides model
provisions with respect to countering the use of the Internet for illegal purposes.
A. Introduction
72. In addition to using the Internet to plan and finance terrorist acts,
terrorists also use it to recruit and train new members; communicate, research or
reconnoiter potential targets; disseminate propaganda; and incite others to carry
out acts of terrorism.
73. In the present chapter, issues related to the development of criminal justice
policies and legislation aimed at countering these threats are considered, with the
aim of identifying, by reference to examples and national experiences offered by
some States represented at the expert group meetings, common challenges and
approaches that can either impede or strengthen the effective investigation and
prosecution of terrorism cases involving some aspect of Internet use.
B. Policy
Policy approaches
75. In its 2011 publication, Countering the Use of the Internet for Terrorist
Purposes: Legal and Technical Aspects,78 the Working Group on Countering the
Use of Internet for Terrorist Purposes of the Counter-Terrorism
Implementation
Task Force identified three broad strategic approaches by which States might
counter terrorist activities over the Internet; involving the use of:
(a) General cybercrime legislation
(b) General (non-Internet-specific) counter-terrorism legislation;
(c) Internet-specific counter-terrorism legislation
76. It is noted that in approach (a), in addition to the use of general cybercrime
legislation, other inchoate criminal offences such as solicitation and criminal
association might also be used when dealing with terrorism cases involving some
aspect of Internet use, particularly when dealing with alleged acts aimed at
inciting acts of terrorism.
84. Finally, the same year saw the Government of India amend the Information
Technology Act, 2000, to provide for the offence of "cyber terrorism" (section
66F) and other Internet-related issues.
86. This is the approach in China, where the Criminal Law of the People's
Republic of China contains an article dealing with the criminalization of all
illegal activities involving the use of the Internet. Article 287 of the Criminal
Law makes it an offence to use a computer in the commission of an offence,
which will be prosecuted and sentenced in accordance with the relevant
criminalization and sentencing provisions in that law in this way, under Chinese
criminal law, the use
of Internet is regarded as a medium or tool through which a criminal act may be
committed, rather than an independent constituent element of the crime, and is
therefore criminalized within the substantive provisions of the criminal law.
87. In the terrorism context, in China there are provisions criminalizing different
forms of terrorist activities, including article 120 of the Criminal Law, which
criminalizes activities related to organizing, leading and participating in terrorist
organizations. This broad criminalization provision covers a wide range of
terrorism-related activities, including those carried out over the Internet.
88. In the Republic of Korea, two types of criminal law can be applied to terrorist
acts involving some use of the Internet. One is the general criminal code and the
other is a special criminal code, established in 1986, relating to criminal acts
involving information/communication. Article 90 of the Criminal Code deals
with the preparation of such acts, as well as conspiracy, incitement or propaganda
and provides that any person who prepares or plots for the purpose of committing
crimes under article 87 of the Criminal Code (public riots, revolts or
disturbances) or article 88 (homicides committed for the purpose of acts under
article 87) is liable to imprisonment of three years or more. Under article 101 of
the Criminal Code, any person who prepares or conspires to commit offences
under articles 92 to 99 of the Criminal Code is guilty of a crime and liable to two
years or more imprisonment. Article 114 of the Criminal Code relates to
organizing a criminal group. Also, under the special criminal code, the
Government established a range of criminal offences specifically criminalizing
unlawful acts targeting information-communication networks and personal
information.
89. In practice, regardless of the policy approach taken, experience shows that
most States adopt a multifaceted approach when dealing with the investigation
and prosecution of terrorist acts, including those involving some use of the
Internet. Law enforcement and prosecution agencies use whatever legislative
provisions best suit the particular circumstances of the case.
C. Legislation
I. Criminalization
93. As stated above, none of the universal instruments against terrorism impose
an obligation on States to enact legislation specifically targeting the use of the
Internet by terrorists. Accordingly, while it is therefore highly likely that most
terrorism cases will involve some use of the Internet by perpetrators, it is likely
that in many States, in addition to using offence provisions related to unlawful
conduct specified in universal instruments, authorities will also be reliant on
other criminal offence provisions under their penal codes, including inchoate
offences such as conspiracy, solicitation and criminal association, in order to
prosecute offenders.
94. In the present section, examples of different legislative provisions from some
States are considered, with a view to identifying approaches that might provide
the basis for effective criminal justice responses to different types of conduct.
95. In addition to acts associated with the commission of substantive terrorist acts
(e.g. terrorist bombings), there is clear evidence that the Internet increasingly
being used by terrorists to carry out support actions such as recruiting and
training members, sharing useful information, disseminating propaganda and
inciting the commission of acts of terrorism. Owing to the configuration and
global reach of the Internet, it is increasingly likely that these types of activities
may involve different actors being physically present in different legal
jurisdictions.
96. In the United Kingdom, part VI of the Terrorism Act 2000 contains several
offences that can provide the basis for charging individuals who have used the
Internet to support terrorist activities.
This 2007 case from the United Kingdom involved successful appeals by the defendants ZAFAR,
BUTT, IQBAL, RAJA and MALIK against convictions imposed for possession of articles for a
purpose connected with the commission, preparation or instigation of an act of terrorism, contrary
to section 57 of the Terrorism Act 2000.
Four of the five defendants in the case were students at Bradford University. The fifth, Ra a, was a
schoolboy in oxford and established contact with global through the Internet messaging service
MSN.
Raja visited Bradford for a few days, staying at the house in which global and Zafar lived, and
brought with him three CDs he had made that contained selected mater al from the computer and
were labelled as philosophy discs". Raja was arrested by police upon his return home after the visit.
Subsequent police enquiries led them to arrest and search the places of residence of the other
accused, which revealed that they too were in possession of radical jihadist material and other
material such as a United States military manual downloaded from the Internet. Evidence of
communications via online messenger were found, including a discussion between all four of the
Bradford appellants and a cousin of Malik-Imran-who lived in Pakistan.
The defendants originally faced charges under section 58 of the 2000 Act; however, at the
committal stage, the prosecution added counts under section 57 reflecting the same particulars as
those under sect a 58. Following various pre-trial rulings on the issue of whether electronically
stored information could be considered an article for the purposes of section 57, the prosecution
elected to proceed to trial on the basis of the section 57 charges only.
At trial, ZAFAR and IQBAL were acquitted on one count, which charged them with possession of
three "philosophy discs" containing material emanating from Raja; however, they, together with
the other defendants, were found guilty in respect of all other charges. Malik was sentenced to
three years of imprisonment, ZAFAR and IQBAL to three years of detent an in a young offenders'
institution, Butt to 27 months of detention and Raja to two years of detention.
The defendants appealed these convictions. At the appeal, the Court considered the critical issue to
be whether, based on the facts of the case, there existed between the articles and the acts of
terrorism a connection that satisfied the requirements of section 57.
The articles that the Crown alleged that the appellants possessed in breach of section 57 were, for
the most part, CDs and hard drives containing electronically stored material. This mater al included
ideological propaganda and communications between the defendants, which the prosecution
alleged showed a settled plan involving the defendants travelling to Pakistan to receive training
and participate in fighting in Afghanistan, which the Crown alleged amounted to acts of terrorism.
The Court of Appeal held that it was necessary for the prosecution to prove first the purpose for
which each appellant held the stored material and then to prove that this purpose was connected
with the
commission, preparation or instigation of the prospective acts of terrorism relied on by the
prosecution, namely fighting against the Government in Afghanistan.
On the facts of the case, noting that it raised difficult questions of interpretation about the scope
of application of section 57, the Court held that the necessary connection was not present, and
therefore the resulting convictions were unsound, and allowed the appeals.
99. Section 58 of the Act has proven particularly useful in several cases in which
authorities have needed to intervene when there was no evidence that the
individual was engaged in activity associated with terrorism. The section makes
it an offence to collect, make or have in one's possession, without a reasonable
excuse, any record of information of a kind likely to be useful to a person
committing or preparing an act of terrorism or to have possession of any
document or record containing such information.
100. In R u. K [2008] 3 All E.R. 526, the Court held that a document falls within
the scope of section 58 only if it is of a kind that is likely to provide practical
assistance to a person committing or preparing to commit an act of terrorism.
This approach was reaffirmed in R u. G and 3 [2009] UKHL 13, in which the
Court reaffirmed this "practical use test", under which possession of a document
or record is a crime only if it is of practical use and was possessed by a person
without a reasonable excuse.85 There is no restriction on what might constitute a
reasonable excuse for this purpose, provided that it is capable in law of
amounting to a defense.
101. Under section 58, the prosecution is not required to prove that the accused is
a terrorist or that any items are possessed for a terrorist purpose; however, the
prosecution may only in very limited circumstances call extrinsic evidence to
prove the practical utility of any item. For example, evidence of cipher may be
called in order to decipher a document written in code, but no evidence may be
called to explain the significance of locations circled on a map. The information
must "speak for itself" and not be of a type in general circulation.
102. In R v. Sultan Mohammed [2010] EWCA Crime 227, the court held that
"provided that the document containing the information is not one in every
day use by ordinary members of the public (e.g. published timetables and maps)
and provided that a reasonable jury could properly conclude that the document
contains information of a kind likely to be useful to a person committing or
preparing an act of terrorism, then it will be a matter for the jury whether they are
sure that it contains such information. If so, and provided the defendant has the
necessary men`s rea, then the only issue will be whether the defendant has a
reasonable excuse."86 The jury must accordingly decide whether the explanation
given for possessing the document is in fact reasonable given the particular facts
and circumstances of the case.87
103. The Terrorism Act 2006 established (in its section 5) the offence of
"committing acts in preparation for terrorism". This section was designed to deal
with cases in which individuals actively planning acts of terrorism were stopped
before they completed or attempted a substantive terrorist act.88
104. Section 5 has been particularly useful in "lone wolf" cases, in which an
offender is acting alone, there is insufficient evidence to establish the basis of a
conspiracy charge because it cannot be proven that more than one person was
involved, or authorities do not know in detail the offence that was being planned.
The offence does not require proof of an identifiable final act or acts of terrorism,
but the prosecution must prove a specific intent to commit a terrorist act or to
assist another to do so. Several individuals have been convicted of the offence in
the United Kingdom and sentenced to varying terms of imprisonment, including
life imprisonment.89
105. The case of R u. Terence Roy Brown [2011] EWCA Crime 2751, is an
example of the utility of provisions such as section 58.
R v. Terence Roy Brown
Terence Roy Brown, a citizen of the United Kingdom, ran an online business, in which he
advertised and sold an annual edition of a CD-ROM that he called the "Anarchist's Cook book"
(the title is nearly identical to that of a well-known book called The Anarchist Cock book).
Rather than a sing publication, however, these discs contained 10,322 files, some of which
were complete publications in their own right. These included terrorist manuals such as the A-
Qaida Manual and instructions for the manufacture of different forms of explosives and the
construction of bombs. Other files consisted of instructions for making poisons, how to avoid
attracting the attention of authorities when travelling and weapons handling techniques. In an
apparent effort to circumvent the law, Mr. Brown posted disclaimers on the website advertising
the publication, stating that the instructions they contained might be illegal or dangerous to
perform and were intended for "reading pleasure and historical value only". It was clear an
investigate on that Mr. Brown was motivated purely by commercial incentives. It was also
apparent that he deliberately had expanded his collection in the immediate aftermath of the July
2005 London bombs and had significantly increased his profit as a result.
In March 2011, Mr. Brown was convicted of seven counts under the Terrorism Act 2000
(section 58) relating to the collection of information that could have been used to prepare or
commit acts of terrorism, two counts under the Terrorism Act 2006 (section 2) relating to the
dissemination of terrorist publications and an offence under the Proceeds of Crime Act 2002
relating to the transfer of criminal property (his use of the profits from his business).
The excuse raised by Mr. Brown at trial was that his activities amounted to no more than the
lawful exercise of his right to freedom of expression in relation to material that was freely
available on the Internet and that was similar in type, if not volume, to that sold by other online
booksellers. The same points were raised during an unsuccessful application to appeal
conviction, during which the court ruled that the restriction of Brown's article 10 rights in
relation to mater al that was likely to assist terrorists was justified and proportion ate. The court
also affirmed the discretion of the prosecuting authorities not to charge every individual who
might have committed an offence, but to cons der instead each case on its own merits.
"Businessman who published bomb-makers' hard book "facing lengthy spell in jail". Daly Mail,
9 March 2011. Available from www.dailymailcouk/hews/artice-1364621/Businessman-
published-bomb-makers-handbook-facing-lengthy-spell-jal-htmieixzz1j4gXbMLu
106. The case is one of several, including R v. K [2008] QB 827 and R v. G [2010]
1 AC 43, in which the courts in the United Kingdom have clarified the
jurisprudence surrounding the scope and application of section 58 of the Act, in
the light of relevant human rights safeguards.
This United Kingdom case is linked to, and followed, the 2010 case involving ROSHANARA
CHOUDHRY, who was sentenced to life imprisonment on 2 November 2010 for the attempted
murder of STEPHEN TIMMES, a Member of Parliament.
In a statement, Chaudhry said she had decided to commit the offence approximately four weeks
prior to the assault in May 2010 and had purchased two knives in preparation, one as a spare in
case the broke while she stabbed the victim. She told police that she had been watching ANWER
AL-AWLAKI videos and ABDULLAH AZZAM videos and had visited the website
www.revalutionmuslim.com during her period of radicalization. This well-known site, which
was hosted in the United States, contained material promoting violent jihad, including videos and
speeches encouraging terrorism and web links to terrorist publications.
On 1 November 2010, the defendant posted a link on his Facebook page to a news article about
the TIMMS/Chaudhry case, ta which he added the following comment:
This sister has put us men to shame. WE SHOULD BE DOING THIS On 4 November 2010, the
defendant posted an article entitled "MPs that voted for War on Iraq’ on the Revolution Muslim
website under the name of "BILAL". The article was headed with the symbol of the Islamic State
of Iraq (an Al-Qa da affiliate). The opening text was a quotation from the Karan stating that
those who died without participating in jihad were hypocrites.
The article advised readers that they could "track" British Members of Parliament through a
link it provided to an official parliamentary website. This would enable them to find out details
regarding the location of surgeries to be performed on Members of Parliament, where they could
be "encountered in person".
This was followed by 29 religions quotations, all translated into English and all relating to the
obligation for Muslims to participate in jihad or to "martyrdom". Immediately under the quotations
was a link to a web page advertising a knife for sale. A copy of this article was captured evidentially
by British counter-terrorism officers. A further copy of the web page was obtained from Google
Inc. in response to a letter of request.
On 10 November 2010, the defendant was arrested by the Counter Terrorism Unit of the West
Midlands Police near his home in WOLVERHAMPTON. He was found in possession of a laptop;
which he told the arresting officers he had used to post the article on members of parliament and the
Revolution Muslim website. Forensic examination of the laptop revealed that he appeared to have
attempted to delete traces of his online activities prior to his arrest.
On 16 November, the defendant was charged with soliciting murder in relation to the article and
with three offences of possession of material likely to be of use to a terrorist under section 58 of the
Terrorism Act 2000. He later pleaded guilty to these charges, as well as to an offence of inciting
religious hatred, arising from comments posted on an Internet forum, and was sentenced to 12 years
of imprisonment, with an additional five years extended period on license.
108. In the United States, Title 18 of the United States Code, section 842 (p),
entitled "Distribution of information relating to explosives, destructive devices,
and weapons of mass destruction" makes it illegal for a person to distribute by
any means information regarding the manufacture or use of explosives,
destructive devices or weapons of mass destruction with the intent that the
information be used in furtherance of a crime of violence or with the knowledge
that the person to whom the information is distributed intends to use the
information in furtherance of a crime of violence. This statute has been used in
the United States to prosecute individuals who have distributed such information
over the Internet.
(b) Incitement
109. The crime of inciting terrorist acts is the subject of Security Council
resolution 1624 (2005). In that resolution, the Council called upon all States to,
inter alia, adopt such measures as may be necessary and appropriate and in
accordance with their obligations under international law to prohibit by law
incitement to commit a terrorist act or acts, and to prevent such conduct.
112. Those experts at the expert group meeting who had been involved in cases
related to the investigation and prosecution of crimes of inciting terrorist acts
agreed and highlighted the importance, in practice, of fully assessing the
context in which alleged statements of incitement were made, including not
only the words but also the forum in which they were made, and that the
characteristics of likely recipients might be highly relevant factors in determining
whether criminal proceedings for the crime of incitement were instituted or
likely to be successful in a particular case.
113. In the United Kingdom, section 59 of the Terrorism Act 2000 makes it an
offence to incite another person to commit an act of terrorism wholly or partly
outside the United Kingdom, when the act would, if committed in England and
Wales, constitute an offence specified in the section (e.g. murder, wounding with
intent, explosions or endangering life by damaging property).
This well-known case from the United Kingdom involved three defendants-YOUNES TSOULI,
WASEEM Mughal and Tariq Al-DAOUR-who were initially indicted on 15 counts. Prior to trial,
TSOULI and Mughal pleaded guilty to a charge of conspiracy to defraud. During the trial, having
heard the prosecution evidence, all three pleaded guilty to a charge of inciting terrorism overseas,
and Al- DAOUR pleaded guilty to a charge of conspiracy to defraud.
Between June 2005 and their arrest in October 2005, the defendants were involved in the purchase,
construct and maintenance of a large number of websites and Internet chat forums on which material
was published that incited acts of terrorist murder, primarily in Iraq. The cost of purchasing and
maintaining the websites was met from the proceeds of credit card fraud. The material on the
websites included statements that it was the duty of Muslims to wage armed jihad against Jews,
crusaders, apostates and their supporters in al Muslim countries and that it was the duty of every
Muslim to fight and kill them wherever they were, civilian or military.
In the Internet chat forums, individual’s disposed to join the insurgency were provided with routes by
which to travel into Iraq and manuals on weapons and explosives recipes. Extreme
ideological material demonstrating adherence to the espoused justification for the acts of murder that
the websites and chat forums incited was recovered from the home of each defendant.
A- DAOUR organized the obtaining of stolen credit cards, both for his own purposes and for
providing Mughal with funds for the setting up and running of the websites. Al- DAOUR had also
been involved in further credit card fraud; the proceeds of which were not applied to the support of
the websites. The loss to the credit card companies from this aspect of the defendants' fraudulent
activity was £1.8 million.
Among the evidence was a list made by TSOULI n his handwriting and found in his desk on which
he had written the details of a number of websites and of stolen credit cards. This revealed 32
separate websites provided by a number of different web-hosting companies that TSOULI had set
up or attempted to set up, mostly in the last week of June 2005 but continuing into July and into
August. The creation and administration of these websites were funded by the fraudulent use of
credit card details that had been stolen from account holders, either by direct theft of computer
records, by hacking or by some fraudulent diversion within the financial institutions. These credit
card details had been passed on to TSOULI by the other two defendants.
The websites created by TSOULI were used as a vehicle for uploading jihadist materials, which
incited acts of violence outside the United Kingdom in Iraq. Access to the sites was restricted to
those who had been issued with usernames and passwords. This was done, the trial judge found, to
make it more difficult for the web-hosting companies and the law enforcement agencies to know
what was being pasted on the sites.
On 5 July 2007, TSOULI was sentenced to 10 years of imprisonment and 3 ½ years (concurrently)
on two counts. Mughal to 7 ½ years of imprisonment and 3 ½ years (concurrently) on two counts and a
- DAOUR, to 6 ½ years of imprisonment and 3% years (concurrently).
115. Part 1 of the Terrorism Act 2006 established a number of new offences
aimed at enhancing the ability of authorities to take action in cases involving
statements by persons inciting or glorifying acts of terrorism or otherwise
intended to support the commission of such acts.
116. Part 1 of the Act makes it an offence for a person to publish a statement
intended to directly or indirectly encourage members of the public to prepare,
instigate or commit acts of terrorism, including (but not limited to)
encouragement that "glorifies" terrorist acts, or for a person to be reckless as
whether such conduct has such an effect. In practice, how a statement is likely to
be understood is determined by reference to the content as a whole and the
context in which it is made available.
119. In the United States, a different legal approach has been taken to the
criminalization and prosecution of acts of incitement of terrorism owing to
constitutional safe guards attaching to the right to freedom of speech under the
First Amendment to the Constitution. Under the principles set out in the
landmark case of Brandenburg u Ohio, 395 US. 444 (1969), in order to
successfully prosecute an individual for incitement of criminal acts (including
terrorism), the prosecution is required to prove both an intent to incite or
produce unlawful action and the likelihood that the speech will actually incite
imminent unlawful action.93
120. In prosecuting statements inciting acts of terrorism, authorities in the United
States are reliant upon inchoate offences such as solicitation and conspiracy,
together with the "material support" provisions of the United States Criminal
Code, which in certain circumstances permit the prosecution of conduct that
supports violent acts of terrorism.94
121. The material support provisions of the United States Criminal Code, Title
18, section 2339A and 2339B, prohibit persons from knowingly or intentionally
providing, attempting to provide or conspiring to provide material support or
resources to a terrorist organization. The Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
(PATRIOT) Act of 2001 broadened the definition of material support to include
"any property, tangible or intangible, or service, including ... training, expert
advice or assistance or communications equipment" 95
123. In the United States, there have been several cases in which this approach
has been used to successfully prosecute the words or actions of terrorists
communicated via the Internet. These include United States of America v.
Emerson Winfield Begolly
United States of America v. Emerson Winfield Begolly
A 22-year-old student (a United States national), Emerson Winfield Begolly was indicted for his
involvement in the distribution aver the Internet of information relating to bomb-making and
solicitation to commit violence on American sail. Additional charges against him included
assaulting and threatening Federal Bureau of Investigation (FBI) agents with a loaded firearm.
Formally known under the alias of "ASADULLAH AL-SHISHANI", Begolly took an active part
in an internationally known jihadist forum called the ANSAR AL-MUJAHIDEEN English Forum
and eventually became an active moderator. The forum provided an opportunity for Begolly to
express his affinity for radical views while concurrent y encouraging other members of his faith to
engage in terrorist acts within the United States. His propaganda also included dissemination of
videos with instructions for making explosive devices to perform acts of terrorism. The intended
targets included synagogues, military facilities, train lines, police stations, bridges, cell phone
towers and water plants.
Over a period of nine months, Begolly posted several lengthy messages in which he extensively
discussed the need for violence. An indictment issued a 14 July 2011, by the U.S. District Court of
the Eastern District of Virginia, included as a key evidence part of the propaganda that Begolly had
posted on an Internet forum
Peaceful protests do not work. The KUFFAR see war as solution to their problems, so we must
see war as the solution to ours. No peace. But bullets, bombs and martyrdom operations.
He also posted links to an online document entitled "The explosives course", made available for
download. The 101-page document authored by The Martyred Sheik Professor ABU KHABBAB
AL MISRI" (as referred to by Begolly) contains detailed instructions a setting up a laboratory with
basic chemistry components for the manufacture of explosives. A note was added that those
downloading the content should be careful to use anonymity software for their own protection.
During this time, Begolly had been under the constant surveillance of federal authorities. An FBI
agent downloaded the document from one of the uploaded links, which eventually led to Begolly
being arrested. On 14 April 2011, he was charged with unlawful and purposeful distribution of
information over the Internet related to the manufacture and distribution of explosive materials, use
of weapons of mass destruction and solicitation to commit bombings of places for public use,
government buildings and public transportation systems. On 9 August 2011, Begolly pleaded guilty
to solicitation to commit terrorist acts. He is currently awaiting sentencing.
A term extensively used by Begolly curing his online forum discussions in reference to the "non-
believers or infidels.
(c) Review of legal approach to incitement
126. The European Court of Human Rights, in assessing the protections afforded
by article 10, paragraph 1, of the European Convention for the Protection of
Human Rights and Fundamental Freedoms, has already dealt with article 5 of the
Council of Europe Convention on the Prevention of Terrorism. In the well-
known case of Leroy u France, a French Court did not find a violation of article
10 in the case of a journalist who had been convicted and fined for having
published a certain cartoon in a Basque weekly newspaper. On 11 September
2001, the cartoonist submitted to the magazine's editorial team a drawing
representing the attack on the twin towers of the World Trade Centre, with a
caption which parodied the advertising slogan of a famous brand: "We have all
dreamt of it. Hamas did it" (cf. "Sony did it"). The drawing was then published in
the magazine on 13 September 2001.
127. In its reasoning, the European Court of Human Rights, inter alia, referred to
article 5 of the Council of Europe Convention on the Prevention of Terrorism, the
first time that the Court took that Convention into consideration in a judgment. It
held that the drawing went further than merely criticizing the United States but
rather supported and glorified its violent destruction. The Court noted the caption
that accompanied the drawing, indicating the applicants' moral support for the
suspected perpetrators of the attacks of 11 September 2001. Other factors taken
into account by the Court were the applicant's choice of language, the date of
publication of the drawings (which the Court considered increased the
cartoonist's responsibility) and the politically sensitive region in which it was
distributed (the Basque region). According to the Court, the cartoon had
provoked a certain public reaction, capable of stirring up violence and
demonstrating a plausible impact on public order in the region. The principles
developed in this landmark case will apply equally to cases in which the alleged
incitement to terrorism has occurred via the Internet.
130. In Egypt, in article 86 bis of the Penal Code establishes as offences acts
amounting to executive and support responsibility, the planning and
preparation of terrorist acts, membership in or support of an illegal organization,
providing financing and material support of terrorist organizations, and
incitement offences. Moreover, the article provides aggravated penalties for, inter
alia, intentionally promoting (by any means) the purposes of terrorist
organizations or for obtaining
or producing (directly or indirectly) articles, publications or recordings of
any kind intended to promote or encourage such purposes.99
132. In Spain, articles 18 and 579 of the Spanish Penal Code make public
incitement to commit a crime of terrorism a preparatory act of the crime of
provocation. Article 578 punishes the crime of praising terrorism, an offence that
was incorporated in the Penal Code by Organic Law 7/2000 of 22
December 2000. As informally translated, this article provides that "The praising
or the justification by any means of public expression or dissemination of the
offences included in articles 571 to 577 of this Code (Crimes of Terrorism) or of
anyone who has participated in their execution, or com- mission of acts that
involve discredit, contempt or humiliation of the victims of a terrorist offence or
of their family will be punished with imprisonment from one to two years" The
Organic Law also provided a penalty of a period of civil disability upon
conviction. 101
135. When calling upon States to criminalize the incitement of terrorist acts,
Security Council resolution 1624 (2005) expressly provides that States must
ensure that any measures adopted to implement their obligations comply with all
their obligations under international law, in particular human rights law, refugee
law and humanitarian law.
137. It is not possible within the confines of the present publication to fully
analyze, in the context of respect for guaranteed human rights to freedom of
expression, all the commentaries and judicial authority available on the proper
scope and application of offence provisions enacted by countries to
criminalize the incitement of terrorist acts.
139. The investigation of terrorism cases involving the use of the Internet or
other related services by suspected terrorists will often necessitate some type of
intrusive or coercive search, surveillance or monitoring activity by intelligence or
law enforcement agencies. It is therefore important, for the success of any
prosecution, that these investigative techniques be properly authorized under
national laws and, as always, that supporting legislation uphold fundamental
human rights protected under international human rights law.
140. In Israel investigative powers for the collection of digital evidence on the
Inter- net, in both general criminal and terrorism-related cases, are dealt
with under the Computers Act of 1995, which defines a few specific powers for
gathering digital evidence. The Computers Act amended the Wiretap Act,
deeming the acquisition of communications between computers to be a "wiretap",
and therefore, making it possible for investigative authorities to obtain judicial
permission, or administrative per- mission in urgent and exceptional cases, to
acquire data transferred on communication between computers.
141. In 2007, the Communication Data Act was enacted. The purpose of that
statute was to arrange, in a more structured and progressive manner, the accepted
practice regarding obtaining non-content data from landline and cellular phone
companies, as well as from Internet-access providers. The Act does not apply to
Internet-service providers that provide other services, such as information
storage, information-sharing, c-mail, social services and so forth. Currently, in
cases in which authorities wish to obtain information from Internet-service
providers, an old section of the law applies that enables them, in general, to issue
a subpoena and obtain information from anyone who has information that might
advance the investigation.
142. In 2010, the Government of Israel promoted a bill aimed at codifying
investigative powers relating to both physical and digital data. The bill is
designed to arrange, in an advanced manner, the gathering of digital evidence.
It contains an orderly arrangement of powers that are not currently set forth in
Israeli legislation, such as secret searches of computers (in the case of especially
serious crimes), obtaining information that is to be stored (in the future) on a
certain computer, the manner in which stored e-mails in the possession of the
service provider are to be obtained, a search of computer material by
administrative authorization under certain circumstances. If passed, these
measures would apply to terrorism cases involving use of the Internet.
145. Under article 6, mobile phone operators and Internet cafes are required to
keep records of client connections for 12 months and make these available to
police. The law also authorizes the use of surveillance cameras in public spaces
such as train stations, churches and mosques, shops, factories and nuclear plants
Article 8 allows police to automatically monitor vehicles and occupants on
French roads and highways (including by taking pictures of vehicle license plates
and occupants) and to monitor people at large public gatherings. 104
146. More recently, on 14 March 2011, the French Code of Criminal Procedure
was amended to provide authorities with additional powers in terrorism
investigations. These amendments include the power to requisition documents
relevant to an investigation (including the conversion and transfer of computer
data), the decryption of protected computer data, numeric infiltration, the capture
of computer data (including images), wiretapping and the interception of other
communications. Moreover, the law establishes the legal basis for the activities
of
law enforcement officers engaged in, inter alia, online chat room discussions as
part of investigations into crimes related to the incitement of terrorism. This is an
important legal issue to which Governments might wish to give consideration.
These articles provide French law enforcement authorities with, inter alia, the
ability to obtain evidence related to the connection data of e-mails, telephone
activity and 1P addresses.
147. The expert from China referred to regulations in that country under
which the police, when undertaking a criminal investigation involving the use of
the Internet, may order the submission by the Internet-service provider and
Internet- communication provider of relevant records and data, which they are
required to retain by law for 60 days.
148. In the United Kingdom, the Regulation of Investigatory Powers Act 2000
sets out a legal framework regulating the following five types of surveillance
activities under- taken by Government agencies:
Interception of communications (e.g. intercepting telephone calls or
accessing the contents of e-mails)
Intrusive surveillance (e.g. covert surveillance in private premises or
vehicles)
Directed surveillance (e.g. covert surveillance against an identified target
in a public place)
Covert human intelligence sources (e.g. undercover agents)
Communications data (e.g. records related to communications but not
the content of such communications).105
149. In addition to setting out the purposes for and procedures by which such
activities must be authorized, the Act obliges surveillance authorities to consider
whether the exercise of these powers and the interference with the rights of the
individuals under surveillance are proportionate and to take steps to avoid what is
known as "collateral intrusion", whereby the rights of parties other than those
being targeted are affected. The Act also makes it an offence for parties holding
encryption keys for targeted communications to withhold such keys from
authorized agencies. 106
150. In 2000, the Government of India passed the Information Technology Act
2000, which it amended in 2008, to provide for the offence of "cyber-terrorism"
(section 66F) and other Internet-related issues. Section 67C (1) of the Act
deals
with the issue of data retention, stipulating that regulated providers "shall
preserve and retain such information as may be specified for such duration and in
such manner and format as the Central Government may prescribe" and making it
an offence (punishable by up to three years of imprisonment and fines) to
knowingly contravene this obligation.
151. Section 69 (1) of the Act provides Government authorities with the power to
issue directions for the "interception, monitoring, and decryption of any
information generated, transmitted, received or stored in any computer resource"
and sets out the legal obligations and safeguards attaching to such State actions,
while Section 69A (1) provides State agencies with the power to issue directions
for blocking public access to any information through computer resources if they
consider it necessary or expedient to do so, in the interests of India's sovereignty,
integrity, security and international relations, or to prevent the incitement of
related "cognizable" offences, including terrorism. Finally, Section 69B provides
designated State agencies with the power to monitor collect and store data traffic
or information generated, transmitted or received via any computer resource.
152. In New Zealand, the Search and Surveillance Act 2012 updates,
consolidates and harmonizes the powers of law enforcement agencies relating to
search, surveillance and interception of communications to address new forms of
technology. The Act creates a new definition of the term "computer system
searches", extending it to include the search of computers that are not internally
connected to, but are able to access, a network remotely.
153. In order to strengthen legal safeguards, the Act makes it clear that remote-
access searching of computers is permitted in only two situations: when a
computer had the capability to lawfully access a computer system which is the
subject of the search and is therefore considered part of that system; and when
there was no physical location to search (e.g. in the case of web-based e-mail that
the user accesses from various locations, such as Internet cafes). The Act also
provides that, when police undertake authorized remote access searches of
Internet data facilities, they must provide electronic notification of the search via
e-mail, sent to the e-mail address of the facility being searched.
(b) Issues associated with the provision of interception capability
155. In Israel, section 13 of the Communication Law, 1982, states that the Prime
Minister may direct Internet-access providers, within Israel, to carry out
technological modifications as required by security forces (defined as including
police, security and other special services) for the purpose of counter-terrorism
activities. The law applies only to Internet-access providers, who under Israeli
law receive their licenses from the Ministry of Communications. It does not
apply to data storage service providers or content management providers
operating within Israel, as these operators do not require a license from the
Ministry.
158. In Brazil, Federal Law No. 9.296 of 1996, together with article 5 (XII) of
the Federal Constitution of 1988, regulates official wiretapping undertaken by
authorized government agencies. While recognizing the inviolable nature of
telecommunications, the laws provide, subject to judicial authorization, specific
derogations for the purpose of criminal investigations or penal processes. The
law sets out the procedures to be followed in wiretap cases, which take place
under supervision of a judge. Once executed, the results of the wiretap are
transcribed and provided to the judge, along with a summary of all actions taken
pursuant to the authority (article 6).
160. In Indonesia, following the Bali bombings in 2002, the Government passed
anti-terrorism legislation which permits law enforcement and security agencies,
for the purpose of terrorism-related investigations, to intercept and examine
information that is expressed, sent, received or stored electronically or with an
optical device. In relation to the retention period of Internet or log files, this
subject is regulated under Law No. 11 of 2008 on Electronic Information and
Transactions, specifically article 6, paragraph 1, subparagraph a, which obliges
every system operated by an electronic system provider to reproduce in complete
form any electronic information and/or electronic document for the duration
of the retention period stipulated under the law.
161. In Algeria, in 2006, the Government adopted a law permitting microphone
and video surveillance and the interception of correspondence, if authorized and
executed under the direct control of the prosecutor. The same law authorizes the
technique of infiltration for the purpose of investigating terrorism or organized
crime and permits the agent to commit specified minor infractions in the course
of the infiltration. The secrecy of the agent's identity is carefully protected by
law, but the infiltration must be conducted under the authority of the prosecutor
or investigating magistrate.107
164. Chapter 2 of the Act relates to the issue of offensive content, and prohibits
content application service providers and any persons using such services from
providing content that is "indecent, obscene, false, menacing, or offensive in
character with intent to annoy, abuse, threaten or harass any person"
(Section 211). Persons contravening these obligations commit an offence and
are liable to a fine not exceeding 50,000 ringgit (approximately US$16,200) or to
imprisonment for a term not exceeding one year, or both, and shall also be
liable to an ongoing fine of 1,000 ringgit (approximately US$325) for every day
or part of a day during which the offence is continued after conviction. Section
212 of the Act provides for the designation of an industry body to be a forum for
the development of an industry code relating to content.
165. In the United States, telecommunications operators are currently obliged,
under the Communications Assistance to Law Enforcement Act 1994, to provide
interception capability for telephone and broadband networks.
166. There is evidence that terrorists have in some cases used Internet cafes to
carry out actions associated with terrorism; however, there is no data available on
the proportion this type of activity in relation to legitimate Internet activity
conducted through these services.
167. The issue of the extent to which Governments should, for counter-terrorism
purposes, regulate Internet or cyber-cafes is a complex issue, closely linked to
human rights issues. Internationally, there is a divergence of approaches. In some
States, including Egypt, India, Jordan and Pakistan, Governments apply specific
legislative or regulatory measures, which oblige operators of Internet cafes to
obtain, retain and, upon request, produce photo identification, addresses and
usage/connection data of customers to law enforcement agencies.
169. The issue of the extent to which Governments should regulate terrorism-
related content on the Internet is highly contentious. Approaches vary
considerably, with some States applying strict regulatory controls on Internet and
other related service providers, including in some cases the use of technology
to
filter or block access to some content. Others adopt a lighter regulatory
approach, relying to a greater extent on self-regulation by the information sector.
170. In the article "Terrorism and the Internet: should web sites that promote
terror ism be shut down?",108 Barbara Mantel notes that "most Internet service
providers, web hosting companies, file-sharing sites and social networking sites
have terms-of-service agreements that prohibit certain content". For example, she
notes, Yahoo's Small Business Web hosting service specifically forbids users
from utilizing the service to provide material support or resources to any
organization(s) designated by the United States Government as a foreign terrorist
organization. To that extent, there is an element of self-regulation within the
information society.
171. When assessing the approach and level of intervention in this area,
Governments need to take a number of factors into account, including the
location where content is hosted, constitutional or other safeguards relating to the
right to freedom of expression, the content itself and the strategic implications
from an intelligence or law enforcement perspective of monitoring or infiltrating
certain sites or rendering them inaccessible,109
173. Section 3 of the Act applies to cases involving offences under sections 1 or
2 of that Act in which "(a) a statement is published or caused to be published in
the course of, or in connection with, the provision or use of a service provided
electronically; or (b) conduct falling within section 2(2) [dissemination of a
terrorist publication] was in the course of, or in connection with, the provision or
use of such a service".
174. Section 3(2) provides that, if the person upon whom the notice has been
served fails to remove the terrorism-related content, and if he or she is
subsequently charged with offences under sections 1 or 2 of the Terrorism Act
2006 in relation to it, then a rebuttable assumption may be made at trial that the
content in question had his or her endorsement.
175. Despite the availability of these "take down" notices as a preventive
measure, in practice this power has not yet been used. In most cases, especially
when the offending content was hosted on the websites of third parties, it
tended to breach the terms and conditions of the service provider, and authorities
were able to successfully negotiate the removal of the offending content. In fact,
in the United Kingdom the specialized Counter Terrorism Internet Referral Unit
coordinates national responses to referrals from the public, as well as from
Government and industry, on terrorism-related Internet content and acts as a
central, dedicated source of advice for the police service.
4. International cooperation
176. States are obliged, under many different international, regional, multilateral
and bilateral instruments related to terrorism and transnational organized crime,
to establish policies and legislative frameworks to facilitate effective
international cooperation in the investigation and prosecution of these types of
cases.
177. In addition to having policies and legislation that establish criminal offences
necessary to satisfy dual criminality requirements, States should enact
comprehensive legislation that provides their authorities with a legal basis for
international cooperation with foreign counterparts in transnational terrorism-
related investigations. In cases involving the use of Internet, it is highly likely
that effective international cooperation, including the ability to share information,
including Internet-related data, will be a key factor in the success of any criminal
prosecution.
178. Issues related to international cooperation in terrorism cases are dealt with
in closer detail in chapter V below.
IV. Investigations and intelligence-gathering
This French case involves several defendants: RANY ARNAUD, NADIR ZAHIR BADACHE,
ADRIEN LUCIANO GUIHAL and YOUSSEF LAABAR, who were convicted on 26 January 2012 by
the Tribunal Correctional de Paris and sentenced to terms of imprisonment ranging from 18 months to 6
years for, inter alia, disseminating terrorist-related material.
Arnaud, BADACHE and GUIHAL were arrested in France in December 2008 after Arnaud, what
operated under the username of "Abdallah", posted messages calling for jihad against France on a
propaganda website, minbar-sos.com:
"Do not forget that France keeps on fighting our brothers in Afghanistan and that you are in a
land of war, rush up to martyr as soon as you can, boycott their economy, squander their wealth,
do not support their economy and do not participate in the financing of their armies.
As a result of the posting, authorities had intercepted ARNAUDS Internet account, put him under
physical surveillance and tapped his phone line. After arresting Mr. Arnaud, investigators forensically
examined the content of the computers used by him and found that he had conducted research on
matters relating to the commission of terrorist acts, for example products capable of being used to make
explosives and incendiary devices, identifying possible targets and tracking the activities of a company
which used ammonium nitrate. The enquiries revealed that Arnaud had recruited GUIHAL and
BADACHE, taken part in meetings and discussions to prepare an attack, made contact with people
involved in jihadist movements to seek help in carrying it out and received remittances to fund it.
These acts constituted crimes pursuant to articles 421-2-1, 421-1, 421-5, 422-3, 422-6 and 422-7 of the
French Criminal Code, and articles 203 and 706-16 et. seq. of the Code of Criminal Procedure.
The Court found that the plan in which Mr. Arnaud had an allegedly taken part, in association with
the other offenders, which consisted of placing explosives on a truck that would explode upon
reaching the target, posed a particularly high threat to public policy. He was thus sentenced to six
months imprisonment on charges relating to participating in a group committing criminal acts for the
purpose of preparing a terrorist attack, possession of several fraudulent documents and fraudulent use
of administrative documents evidencing a right, identity or quality or granting an authorization. On
the same charge, Mr. BADACHE was sentenced to two years of imprisonment, with six months
suspended, while Mr. GUIHAL was sentenced to four years, with one year suspended. MR.
LAABAR, who faced trial for other related acts, was sentenced to 18 months’ incarceration.
I. Internet-based communication
182. Over the past decade, applications that allow users to communicate in real
time using voice-over-Internet protocol (VOIP), video chat or text chat have
grown in popularity and sophistication. Some of these applications offer
advanced information-sharing functions, for example allowing users to share files
or giving them the ability to remotely view another user's onscreen activity in
real time. VOIP in particular has become increasingly used as an effective means
to communicate via the Internet. Well-known VOIP service providers include
Skype and Vonage, which operate by converting analogue sound into a
compressed, digital format, enabling transfer of the digital packets of information
via the Internet, using relatively low bandwidth connections.
183. As VOIP telephony involves the transmission of digital data packets, rather
than analogue signals, and service providers typically generate subscriber
invoices related to Internet usage based on aggregate data volume, computer-to-
computer VOIP calls are not invoiced on a per-call basis, as is the practice with
traditional mobile and fixed-line telephone calls. This difference in billing
practices may have a significant impact on investigations involving VOIP
communications, as it makes it more difficult for law enforcement authorities to
corroborate such communications with markers relating, for example, to the time
of the call and the location of the participants. Other indicators, however, such as
the timing and volume of Internet data traffic, may also provide a means to
identity perpetrators of illicit Internet activity (see para. 205 below).
Additionally, while the origin and destination of conventional telephone calls
may be routed via fixed-line switches or cellular communication towers, which
leave geolocation traces, wholly Internet-based VoIP communications, conducted
for example via wireless networks, may pose challenges in the context of an
investigation. Further complicating factors arising out of the use of VOIP
technology may involve, inter alia, the routing of calls via peer-to-peer networks
and the encryption of call data (discussed in greater detail in section IV.A.2
below).111
185. Web-based e-mail services also provide terrorists with a covert means of
communication, which can be misused for illicit purposes. E-mail messages sent
between parties typically contain a number of elements which may be af
investigative value. A typical e-mail may be comprised of the envelope header,
the message header, the message body and any related attachments. While only
an abbreviated version of the envelope header may be displayed, in accordance
with the settings of the applicable software, the complete envelope header
generally contains a record of each mail server through which the message
transited on the way to the final recipient, as well as information regarding the IP
address of the sender.112 The information contained in the envelope header is less
susceptible to tampering (although not impermeable) than that in the message
header, which generally consists of user-provided information in fields such as
"To", "From",
"Return-Path", "Date" and "Time", as displayed on the device from which the
message is being sent.113
186. One commonly used technique to reduce electronic traces between parties,
and therefore the likelihood of detection, is communication through the use of
saved, unsent messages in the draft folder of the e-mail account. This information
is then available to multiple parties using a shared password to access the
account. Additional steps may also be taken to avoid detection, for example use
of a remote public access terminal, such as in an Internet cafe, to access the draft
message. This method was used in connection with the Madrid terrorist
bombings in 2004.
190. For example, in France, article 706 of the Code of Criminal Procedure
provides for the authorization by the prosecutor or investigative judge of such
infiltration operations in connection with offences committed through electronic
communications (see discussion in section I1I.C.3 (a)). The aim of such
operations may be, inter alia, to gather intelligence or otherwise take proactive
action in connection with a perceived terrorist threat. Due care should be taken,
however, at the inception of the operation to ensure that any infiltration of online
chat room or other Internet-based discussions is conducted in a manner that
would not support a defense of entrapment, based on the assertion that a
government authority induced a suspect to commit a crime that he or she was not
predisposed to commit.
192. Cloud computing is a service which provides users with remote access
to pro- grams and data stored or run on third-party data servers. As with file-
sharing, cloud computing provides a convenient means to securely store, share
and distribute material online. The use of cloud technology to access remotely
stored information reduces the amount of data stored locally on individual
devices, along with the corresponding ability to recover potential evidence in
connection with an investigation of terrorist use of the Internet.
193. The data servers used to provide these services may also be physically
located in a different jurisdiction from that of the registered user, with varying
levels of regulation and enforcement capabilities. Close coordination with local
law enforcement authorities may therefore be required to obtain key evidence for
legal proceedings.
195. Internet activity, or the identity of the associated users, can also be disguised
through advanced techniques, including masking the source IP address,
impersonating another system's IP address or redirecting Internet traffic to an
obscured IP address,116 A proxy server enables users to make indirect network
connections to other network services. Some proxy servers allow the
configuration of a user's browser to automatically route browser traffic through a
proxy server. The proxy server requests network services on behalf of the user
and then routes the delivery of the results again through a proxy Varying levels
of anonymity may be facilitated by the use of proxy servers. A proxy may
obscure the identity of a user by fulfilling requests for network services
without reveal- ing the IP address from which the request originates, or by
intentionally providing a distorted source IP address. For example, applications
such as The Onion Router may be used to protect the anonymity of users by
automatically rerouting Internet activity via a network of proxy servers in order
to mask its original source. Rerouting network traffic via multiple proxy servers,
potentially located in different jurisdictions, increases the degree of difficulty of
accurately identifying the originator of a transmission.
3. Wireless technology
200. In addition, service providers such as phone have emerged in recent years,
which enable registered users to share a portion of their residential Wi-Fi
bandwidth with other subscribers, in exchange for reciprocal access to Wi-Fi
networks of subscribers worldwide. Activity conducted over a shared Wi-Fi
network significantly complicates the process of attribution of an act to a single,
identifiable perpetrator in the course of an investigation.118
202. There is a vast range of data and services available via the Internet which
may be employed in an investigation to counter terrorist use of the Internet. A
proactive approach to investigative strategies and supporting specialist tools,
which capitalizes on evolving Internet resources, promotes the efficient
identification of data and services likely to yield the maxim um benefit to an
investigation. In recognition of the need for a systematic approach to using
technological developments relating to the Internet for investigative purposes, the
RAGGRUPPAMENTO OPERATIVO SPECIALE of the CARABINIERI of
Italy developed the following guidelines, which have been disseminated through
the University College Dublin, master's programmer in forensic computing and
cybercrime (see section IV.G below) and implemented by domestic enforcement
authorities of many member States of the International Criminal Police
Organization (INTERPOL) and the European Police Office (Europol):
Protocol of a systematic approach
Data collection: This phase involves the collection of data through traditional investigative methods,
such as information relating to the suspect, any co-inhabitants, relevant co-workers or other associates
and information compiled through conventional monitoring activities of channels of communication,
including in relation to fixed-I ne and mobile telephone usage.
Research for additional information available via Internet-based services: This phase involves
requests to obtain information collected and stored in the databases of web based e-commerce,
communications and networking services, such as eBay, PayPal, Google and Facebook, as well as
using dedicated search engines such as www. 123people. com. Data collected by these services
through commonly used Internet "cookies" also provide key information regarding multiple users of a
single computer or mobile device.
The activities in phases (a) and (b) above provide information that may be combined and cross-
referenced to build a profile of the individual or group under investigation and made available for
analysis during later stages of the investigation.
VolF server requests: in this phase, law enforcement author ties request information from VOLP
service providers relating to the persons under investigation and any known affiliates or users of the
same networking devices. The information collected in this phase may also be used as a form of
"smart filter" for the purposes of verifying the information obtained in the two prior phases.
Analysis: The large volume of data obtained from VOLP servers and the providers of various Internet
services are then analyzed to identify information and trends useful for investigative purposes. This
analysis may be facilitated by computer programs, which may filter information or provide graphic
representations of the digital data collected to highlight, inter alia, trends, chronology, the existence of
an organized group or hierarchy, the geolocation of members of such group, or factors common
among9 multiple users, such as a common source of financing.
identification of subjects of interest: In this phase, following smart analysis of the data, it is common
to identify subjects of interest based, for example, on subscriber information linked to a financial,
VolP or e-mail account.
Interception activity: In this phase, law enforcement authorities employ interception tactics similar to
those used for traditional communication channels, shifting them to a different platform: digital
communication channels. Interception activity may be undertaken in connection with
telecommunications services, such as fixed-line broad- band, mobile broadband and wireless
communications, as well as with regard to services provided by ISPs, such as e-mail, chat and forum
communication services. in particular, in recent years’ experience has revealed vulnerabilities in new
communications technologies which may be exploited for investigative or intelligence -gathering
purposes. Due care should be taken with respect to ensuring the forensic integrity of the data being
gathered and the corroboration, to the extent possible, of any intelligence gathered with objective
identifiers such as GPS coordinates, time stamps or video surveillance.
Where permitted by domestic law, some law enforcement authorities may also employ digital monitoring
techniques facilitated by the installation of computer hardware or applications such as a virus, a "Trojan
Horse or a keystroke logger on the computer of the person under investigation. This may be achieved through
direct or remote access to the relevant computer, taking into consideration the technical profile of the
hardware to be compromised (such as the presence of antivirus protections or firewalls) and the personal
profile of all users af the device, targeting the least sophisticated user profile.
203. The Korean National Police Agency has responded to the need to
standardize domestic law enforcement practices relating to digital forensics by
developing and implementing two manuals: The Standard Guidelines for
Handling Digital Evidence and the Digital Forensics Technical Manual. The
Standard Guidelines detail seven steps in the proper handling of digital evidence:
preparation; collection; examination; evidence request, receipt, and transport;
analysis; reporting; and preservation and evidence management. The Digital
Forensics Technical Manual outlines required procedures and the appropriate
approach to the collection of digital evidence, including with reference to
establishing the appropriate environment, forensic tools and equipment;
preparatory steps such as the set-up of hardware and software, network
connections and time-accuracy; measures to secure the maximum amount of
digital evidence; independent analysis of secured data; and the production of the
final report.119
2. Tracing an IP address
205. Further, in response to a duly made request, an ISP can often identify which
of its subscriber accounts was associated with an IP address at a specific time.
Traditional investigative methods may then be used to identify the person
physically in control of the subscriber account at that time. In the HICHEUR case
(see para. 20 above), the defendant was identified by tracing a static IP address
used to access an e-mail account under surveillance. A request made to the
relevant ISP enabled authorities to link the IP address to a subscriber account
used by multiple occupants of a household, including the defendant. By
intercepting the data traffic for this subscriber account, investigators were also
able to establish links between the IP address and activity on a pro-jihadist
website which, inter alia, distributed materials for the purpose of physically and
mentally
training extremist combatants. In particular, investigators were able to
correlate the times at which multiple connections were made to the website's
discussion forum with concurrent increases in Internet data volume linked to the
defendant's personal e-mail account.120
206. Given the time-sensitive nature of investigations involving the Internet and
the risk of alteration or deletion of digital data owing to, inter alia, potential
server capacity constraints of the relevant ISP or applicable data protection
regulations, consideration should also be given to the appropriateness of a request
to the ISP to preserve data relevant to the criminal investigation, pending
fulfillment of the necessary steps to secure the data for evidentiary purposes.
208. Persons investigating the use of the Internet for terrorist purposes should
also be aware that online activity related to an investigation may be monitored,
recorded and traced by third parties. Due care should therefore be taken to avoid
making online enquiries from devices which can be traced back to the
investigating organization.
210. Other programs that may be used, subject to domestic laws and regulations
regarding, inter alia, access to the device and interception of communications,
include "Trojan horses" or Remote Administration Trojans (RATs), which may
be introduced covertly into a computer system to collect information or to enable
remote control over the compromised machine. Keystroke monitoring tools may
also be installed on a device and used to monitor and record keyboard activity.
Keystroke loggers, in the form of hardware or software, assist in obtaining
information relating to, inter alia, passwords, communications and website or
localized activity undertaken using the device being monitored. In addition, data
packet "sniffers" may be used to gather data relevant to an investigation. Sniffers,
which may be a device or software, gather information directly from a network
and may provide information relating to the source and content of
communications, as well as the content communicated.
C. Forensic data preservation and recovery
213. With regard to mobile devices such as smart phones and personal digital
assistants, similar principles apply, except that it is recommended not to power
down the device, as this may enable any password protection, thus preventing
access to evidence. The device should therefore be kept charged, to the extent
possible, or undergo specialist analysis as soon as possible before the battery is
discharged to avoid data loss.
214. The case below from India illustrates the importance of forensic analysis in
the identification and recovery of digital and other evidence of terrorist use of the
Internet.
The Zia Ul Haq case
The defendant, Zia Ul Haq, who was arrested on 3 May 2010 and is currently awaiting trial, is
allegedly a member of Lashkar e Taiba, which is a Pakistan-based armed group fighting against
Indian control in Kashmir. The prosecution case against Zia Ul Haq alleges, inter alia, that he was
lured into jihad while working in Saudi Arabia between 1999 and 2001; received training outside
India in the use of arms, ammunition and explosives and communicating through e-mails; collected a
consignment of arms, ammunition and explosives in Delhi in 2005, after being requested to do so via
e-mail; and subsequently used the Internet to coordinate with other members of Lashkar e Taiba and
conspired to commit terrorist acts using arms, ammunition and explosives.
The prosecution further alleges that, on 7 May 2006, Zia Ul Haq used hand grenades sup plied in the
weapons consignment from Lashkar e Taiba in an attack against the Odeon cinema in Hyderabad.
E-mail communications between the defendant and his handler were obtained from the Internet-
service providers and their content was examined. The cyber-cafe computers that were used by the
offender were forensically analyzed, the hotel where he stayed while he was in Delhi to collect the
grenades was traced and his signature in the guests register forensically matched. While the
defendant was in jail awaiting trial, a letter oratory was sent from India to the central authority in
another country to initiate action against the alleged handler.
Zia Ul Haq was charged in India for various offences, including under sections 15, 16, 17 and 18 of
the Unlawful Activities (Prevention) Act of 1967, as amended in 2004 and 2008, which provides far
punishment for terrorist activities, training and recruitment for terrorist purposes, raising funds for
terrorist activities and conspiracy to commit terrorist activities.
215. Owing to the fragile nature of digital evidence, its assessment, acquisition
and examination is most effectively performed by specially trained forensic
experts. In Israel, domestic legislation acknowledges the importance of specialist
training, requiring that digital evidence be secured by trained computer
investigators, who undergo a basic professional course and advanced professional
in-service training to become acquainted with computer systems, diverse forensic
software and the optimal way to use them. When the need for an especially
complex investigation arises, such as recovery of deleted, defective or complexly
coded or encrypted files, an external expert, who may later be called as an expert
witness on behalf of the prosecution, may be retained.124
217. Encase makes a duplicate image of the data on the device under
examination, analyzing all sectors of the hard disk, including unallocated sectors,
to ensure the capture of any hidden or deleted files. The software may also be
used, inter alia, to analyze the structure of the file system of digital media,
organize the files under analysis and generate a graphic representation or other
report relating to certain characteristics of the files. Encase also generates and
assigns a unique identifier, known as a "hash value", to the digital evidence.127
220. A prosecutor may also be required to show, inter alia, that the information
obtained is a true and accurate representation of the data originally contained on
the media and that it may be attributed to the accused. Hash values generated
with respect to digital evidence provide strong support that such evidence
remains uncompromised. Additional corroborating evidence and testimony may
also be introduced to establish authenticity. An illustration of this practice can be
found in the case of Adam Busby, who was convicted in Ireland in 2010 of
sending a bomb threat via e-mail to Heathrow Airport in London. During the
Busby trial, in addition to producing evidence that the e-mail was sent from a
specific computer to which the accused had access, hard-copy computer logs and
closed caption television footage were also introduced to establish the time at
which the e-mail was transmitted and the fact that the accused was the person in
control of the computer at that time.
222. The responsibilities of national or regional cybercrime units may include the
following:
(a) Gathering open-source intelligence by using specialist online surveillance
techniques from social networking sites, chat rooms, websites and Internet
bulletin boards revealing the activities of terrorist groups (among many
other criminal elements). Insofar as terrorist groups are concerned, this
function could be placed within the remit of counter-terrorism units in
which personnel have sufficient training and experience to conduct this
task, but specialist training within a cybercrime environment is seen as
essential training for this role. The intelligence-gathering function also
requires evaluation and analysis to support the development of strategy in
countering the threat posed by terrorists' use of the Internet. Conflicting
responsibilities or objectives between national intelligence agencies may,
however, hinder harmonization and the translation of intelligence leads
into effective operational plans;
(b) Conducting specialist cybercrime investigations in national and
international technology-related crime cases, such as those involving
Internet fraud or theft of data and other cases in which complex issues of
technology, law and procedure arise and the management of the
cybercrime unit assesses that the specialist investigation resources of that
unit are necessary;
(c) Serving as an industry and international liaison for the development of
partnerships with the principal stakeholders in the fight against cybercrime,
such as the financial services industry, the telecommunications services
industry, the computer industry, relevant government departments,
academic institutions and intergovernmental or regional organizations;
(d) Maintaining an assessment unit to assess cybercrime cases nationally and
internationally for prioritized investigation by national or regional
cybercrime units. Such a unit may also be responsible for the maintenance
of statistics on the incidence of cybercrime cases;
(e) Providing training, research and development, as the complex and
evolving nature of cybercrime requires scientific support from specialist
academic institutions to ensure that national and regional units are
properly skilled and resourced with all the technological tools, training and
education that is required to forensically examine computer media and
investigate cybercrime.
2. Computer forensic triage units
223. Computer forensic triage units may be established to support national and
regional cybercrime units. The personnel of such units would be trained to
forensically view computer items using specially developed software tools at
search sites. A triage team member can conduct an initial examination an site to
cither eliminate computers or other peripheral computer equipment from the
investigation as having no evidential value or may seize the computer-based
evidence in accordance with proper forensic techniques and support local
investigation teams in the questioning of suspects as regards the computer-based
evidence uncovered. When necessary, the items of computer media seized by
triage units may also be submitted for full forensic examination to the relevant
regional cybercrime unit or to the national cybercrime unit, as appropriate.
224. Researchers from University College Dublin are currently working on the
development of a range of forensic software tools to support preliminary
analysis, which will be available to law enforcement officials at no cost. The
development of these tools is part of a broader strategic solution being explored
by the University College Dublin Centre for Cybersecurity and Cybercrime
Investigation and the Computer Crime Investigation Unit of a Garda Siochána
(Ireland's national police service), aimed at assisting under-resourced cybercrime
units, with limited budgets and personnel, in the management of their caseloads.
The objective of this initiative will be to create an entirely "open source"
forensics lab. Participating investigators will receive instruction on building
computer evidence storage and processing equipment, and will be trained on the
use of free forensic tools.
F. Intelligence-gathering
227. Several experts have also highlighted the tension between the need to
encourage the availability of information regarding potential terrorist activity
conducted via the Internet and the need to apprehend and prosecute the
perpetrators of such activity For example, once potentially terrorism-related
website activity is identified, national security agencies may consider the long-
term and short-term implications of the operational response. Such response may
include passively monitoring website activity for intelligence purposes, covertly
engaging with other users to elicit further information for counter-terrorism
purposes or shutting down the website. The varying objectives and strategies of
different domestic and foreign agencies may guide the preferred counter-
terrorism actions.131
228. The practical considerations when evaluating the intelligence value versus
the threat level of an online resource were highlighted in a recent report of the
United States Congressional Research Service:
For example, a "honey pot" jihadist website reportedly was designed by the
[Central Intelligence Agency] and Saudi Arabian Government to attract and
monitor terrorist activities. The information collected from the site was used by
intelligence analysts to track the operational plans of jihadists, leading to arrests
before the planned attacks could be executed. However, the website also was
reportedly being used to transmit operational plans for jihadists entering Iraq
to
conduct attacks on U.S. troops. Debates between representatives of the [National
Security Agency, Central Intelligence Agency, Department of Defense, Office of
the Director of National Intelligence and National Security Council] led to a
determination that the threat to troops in theater was greater than the intelligence
value gained from monitoring the website, and a computer network team from
the Joint Task Force Global Network Operations] ultimately dismantled it.132
229. Other Member States, such as the United Kingdom, have indicated that
significant emphasis has been placed on developing working relationships and
entering into memorandums of understanding between the prosecution and law
enforcement or intelligence agencies, with positive results. Similarly, in
Colombia, the Integrated Centre of Intelligence and Investigation (Centro
Integrado de Intelligence e Investigación, or C13) is the domestic agency that
coordinates investigations into suspected terrorist activities using a strategy based
on six pillars. This approach involves a high-ranking official from the national
police assuming overall command and control of different phases of the
investigation, which include the gathering, verification and analysis of evidence
and a judicial phase in which police collect information on parties and places
associated with the commission of any crimes.133
230. The expert from France outlined the domestic approach to coordinating inter
agency responses to identified terrorist activity:
Phase 1: Surveillance and intelligence services identify a threat by
monitoring Internet activity
Phase 2: The surveillance services notify the public prosecution services of
the threat identified. The judge or prosecutor can then authorize law
enforcement authorities to place the Internet activity of an identified
suspect under surveillance. As of 2011, legislation permits the leading
judge to authorize law enforcement to record the monitored person's
computer data. Moreover, personal data (e.g. name, phone number, credit
card number) can be requested from the relevant service providers
Phase 3: The investigation is conducted based on the evidence gathered
from the sources outlined under phases 1 and 2.
G. Training
234. The Cybercrime Centre of Excellence Network for Training, Research and
Education (2CENTRE) is a project funded by the European Commission and
launched in 2010, with the aim of creating a network of Cybercrime Centre of
Excellence for Training, Research and Education in Europe. Centers are currently
being developed in Belgium, Estonia, France and Ireland. Each national center is
founded on a partnership among representatives of law enforcement, industry and
academia, collaborating to develop relevant training programs and qualifications,
as well as tools for use in the fight against cybercrime. The University College
Dublin Centre for Cyber security and Cybercrime Investigation is the leader and
coordinator of the project. 134
V. International cooperation
A. Introduction
236. The speed, global reach and relative anonymity with which terrorists can use
the Internet to promote their causes or facilitate terrorist acts, together with
complexities related to the location, retention, seizure and production of Internet-
related data, makes timely and effective international cooperation between law
enforcement and intelligence agencies an increasingly critical factor in the
successful investigation and prosecution of many terrorism cases.
245. It is noted that the Council of Europe Convention on Cybercrime is open not
only to members of the Council of Europe or non-member States that have
participated in its elaboration, but may also be acceded to by other non-member
States, in the latter case subject to unanimous agreement of the contracting States
entitled to sit on the Committee of Ministers.
248. Since it came into force in 2009, the European evidence warrant has, in a
similar way to the European arrest warrant with respect to arrests, provided a
streamlined procedure for procuring and transferring evidence, including objects,
documents and data, between member States for use in criminal proceedings. For
the purposes of the European evidence warrant, evidence gathered may include
Internet-related customer data.142
250. In a similar manner to the European arrest warrant under the Schengen
frame- work, the Commonwealth Scheme for the Transfer of Convicted
Offenders (London Scheme) provides a simplified mechanism for extradition
between Commonwealth countries, providing for the provisional arrest of
offenders on the basis of arrest war- rants issued by other member countries,
without the need for an assessment of the evidential sufficiency of the case
against the suspect. The scheme defines offences as extraditable if they constitute
offences in both countries and carry imprisonment for two years or more.
252. While the Commonwealth Schemes are not treaties as such, they are
examples of non-binding arrangements, or "soft law", under which certain
countries have agreed to incorporate compatible legislation into their domestic
laws, consistent with agreed principles, to simplify extradition and mutual legal
assistance among themselves in criminal cases, including terrorism-related
investigations and prosecutions.
254. Since 2006, the Council of Europe has, through its Global Project on
Cybercrime, been supporting countries worldwide in the strengthening of
legislation; the training of judges, prosecutors and law enforcement investigators
in matters related to cybercrime and electronic evidence; and in law
enforcement/service provider cooperation and international cooperation.143
Since 2010, one focus area has been criminal money flows and financial
investigations on the Internet, including Internet-based terrorist financing.144
255. On 26 April 2010, recognizing the integral role that information and
communications technology plays in modern society and the increasing number,
scope, sophistication and potential impact of threats for multiple jurisdictions
reinforcing the need for strengthened cooperation between Member States and
the private sector, the Council of the European Union adopted conclusions
concerning a cybercrime action plan, to be included in the Stockholm Program
for 2010-2014 and the associated future Internal Security Strategy.
256. Under the plan, members agreed, inter alia, to mandate the European
Commission, in cooperation with Europol, to analyze and report back on the
utility and feasibility of establishing a European cybercrime centre to strengthen
knowledge, capacity and cooperation on cybercrime issues. This work has been
completed and a proposal developed under which Europol would host a new
facility for receiving and processing analytical work files related to serious
organized crime and terrorism.
258. Internationally, there are many examples of such arrangements, but three,
operating in Europe, Africa and the Pacific, illustrate how groups of
countries with compatible law enforcement and security interests and objectives
can successfully work together to develop and harmonize close cooperation on
criminal investigations.
259. The French-German Centre for Police and Customs Cooperation, also
known as the Offenburg Centre, was established in 1998 to, inter alia, support the
coordination of multi-agency operations (e.g. search and surveillance operations
and exchanging information collected) across those countries' common border. It
is staffed by police and customs and border agencies from both federal and state
level and handles many thousands of requests each year, serving as a platform for
mediating pragmatic solutions to issues between partner agencies and developing
inter-agency trust and cooperation.
261. In the Pacific region, the Pacific Transnational Crime Coordination Centre
pro- vides a hub for the collection, coordination, analysis and sharing of criminal
intelligence data collected via a network of national transnational crime units
located in member countries across the region. The Centre, which is operated by
officers seconded from different law enforcement and border agencies in Pacific
island countries, provides member countries with an access point to INTERPOL
and other law enforcement agencies around the world, via the international
network of the Australian Federal Police, which supports the initiative.
262. Similarly, countries that are not necessarily close geographically, but that
have common interests in thematic areas related to law enforcement and security,
might enter into collective arrangements that provide for information exchange
and intelligence sharing.
267. Using the 1-24/7 system, national central bureaus can search and cross-
check a wide range of data, including information on suspected terrorists and a
variety of data- bases. The aim of the system is to facilitate more effective
criminal investigations by providing a broader range of information for
investigators.
(d) Euro-just
273. As part of its mandate, the work of Euro-just in the counter terrorism field
includes the facilitation of the exchange of information between the judicial
authorities of the different member States involved in terrorism-related
investigations and prosecutions, supporting the judicial authorities of member
States in the issuance and execution of European arrest warrants; and facilitating
investigative and evidence gathering measures necessary for member States to
prosecute suspected terrorism offences (e.g. witness testimony, scientific
evidence, searches and seizures, and the interception of communications). The 27
Euro-just national members (judges, prosecutors or police authorities with
equivalent competences in their respective member States) are based in The
Hague, the Netherlands, and are in permanent contact with the national
authorities of their respective member States, which may request the support of
Euro-just in the course of particular investigations or prosecutions against
terrorism (e.g. in resolving conflicts of jurisdiction or facilitating the gathering of
evidence).
274. Euro-just also encourages and supports the establishment and work of joint
investigation teams by providing information and advice to practitioners. Joint
investigation teams are increasingly recognized as an effective instrument in the
judicial response to cross-border crime and an adequate forum in which to
exchange operational information on particular terrorism cases. Euro-just
national members can participate in joint investigation teams, acting either on
behalf of Euro-just or in their capacity as national competent authorities for
terrorism. For example, in a Danish case related to terrorist activities, in which a
request for the establishment of a joint investigation team was forwarded to
Belgian authorities, the Danish and Belgium desks at Euro-just were involved in
setting up the team between the two competent national authorities. Euro-just
also provides financial and logistical assistance to the operations of such teams
and hosts the permanent secretariat for joint investigation teams.
276. The existence, at the national level, of a legislative framework providing for
international cooperation is a fundamental element of an effective framework for
the facilitation of international cooperation in the investigation and prosecution
of terrorism cases. Such legislation should incorporate into a country's domestic
law
the principles related to international cooperation espoused in the universal
instruments against terrorism.
D. Non-legislative measures
On 1 March 2008, the Colombian armed forces carried out various operations against alleged members
of the Revolutionary Armed Forces of Colombia (FARC). During these operations, an individual
suspected of being one of the top leaders of FARC and several other members of the organization were
killed, and evidence was retrieved, which included electronic devices such as computers, digital diaries
and USB sticks. The objects containing digital evidence were passed to the Colombian judicial
police for use in passible criminal investigations and prosecutions.
The data retrieved from the digital devices revealed information related to the organization’s
international network of support, including links to several countries in Central and South America and
in Europe. The network's primary objective was fundraising for FARC activities, the recruitment of
new members and the promotion of the organization’s policies, including the removal of the
organization’s designation on various terrorism lists maintained by the European Union and same
countries. Based on the evidence retrieved, the Public Prosecutor of Colombia initiated criminal
investigations against the persons allegedly supporting and financing FARC.
The evidence, which was shared by Colombian authorities with counterparts in Spain, led to the
identification of the leader of FARC in Spain, known by the alias "Leonardo". "Leonardo entered Spain
in 2000, and was granted political asylum.
The Public Prosecutor of Colombia obtained sufficient evidence to order the issuance of an arrest
warrant for the purposes of extradition against "Leonardo" and used diplomatic and other legal
international cooperation channels to request his extradition to Colombia for trial.
"Leonardo" was arrested in Spain, and searches of his residence and workplace revealed documents and
electronic devices that contained evidence of his links to the crimes under investigation. He was
subsequently released on bail; his refugee status prevented his immediate extradition.
Criminal proceedings were initiated in Colombia against "Leonardo" in absentia for his alleged
involvement in the financing of terrorism. Ina decision by the Supreme Court of Justice of Colombia,
the information obtained during the 1 March 2008 operation and located on the seized electronic
devices was deemed inadmissible. The Prosecutor subsequently, in conjunct on with counterparts in
several other countries where members of the FARC network of support were present, used all
available channels of international cooperation to identify members of the network in Spain and other
European countries and collect further evidence in support of the case.
Additionally, in responding to the letters rotatory issued by the Public Prosecutor of Colombia, the
Spanish judicial authorities transmitted to their Colombian counterparts all the information collected
during the raids and searches of "Leonardo's house. According to the Spanish judicial police, this
information established the culpability of "Leonardo" and other persons with respect to forming a
FARC terrorist cell in Spain. It also helped establish "Leonardo's" culpability for the financing of
terrorism and strengthened the assumption of possible links between "Leonardo" and persons being
prosecuted for their Inks with the terrorist group EUSKADI Ta ASKATASUNA (ETA) (Basque
Homeland and Liberty).
The searches conducted in Spain resulted in the seizure of further documentary and digital evidence,
which was substantively similar to the evidence that had been declared inadmissible. Using this new
evidence provided by Spanish authorities, the Colombian Prosecutor continued the proceedings against
Leonardo". Furthermore, the new evidence established efforts by FARC to provide its members with
access to universities, non-governmental organizations and other State entities where funding
opportunities could be sought and new members recruited.
The evidence also supported the existence of an "international commission" within FARC, which
operated a security programmer for communications, particularly those transmitted via the Internet or
radio waves (permanent means of communications between the leaders of the organization and
members of the international network of support), by encrypting the information transmitted, using
steganography to conceal messages, sending spam e-mails and deleting browsing histories to ensure
that information could not be retrieved by investigative or judicial authorities. In this regard, Spanish
and Colombian authorities cooperated to break" the keys and decipher the content of the messages that
were transmitted from the alleged leaders of FARC in Colombia and Spain.
Before initiating the proceedings against "Leonardo", the Public Prosecutor of Colombia submitted a
request to a judge that the new evidence be deemed "evidence subsequently received" and from an
"independent source. The effect of these requests, which were granted, was to allow the inclusion of the
evidence in the legal proceedings without triggering the grounds on which similar evidence would
otherwise have been excluded.
On 10 March 2007, a video in the form of an "open" letter read by Sheik Ayman al-Zawahiri was
posted on an Internet website. In it, A-Zawahiri warned the Governments of Austria and Germany to
withdraw their troops from peace-support missions in Afghanistan or face consequences. At one point
in the statement, Al-Zawahiri stated:
Peace is a reciprocal matter, if we are safe, you will be safe. If we are at peace, you will be at
peace and, if we are going to be killed, God willing, you will be beaten and killed. This is the
exact equation. Try, then, to understand it, if you understand.
The video, with the accompanying statements by Al-Zawahii, was set against a mosaic of images that
included armored cars with national flags and prominent Austrian and German national politicians. In
some parts of the video, there were photos of Al-Zawahiri and other hooded figures.
Following the broadcast of the video, Austrian authorities initiated an investigation that included
wiretaps on various communications from Mohammed Mahmoud, an Austrian national living in
Vienna.
Following the broadcast of the video, Austrian authorities initiated an investigation that included
wiretaps on various communications from Mohammed Mahmoud, an Austrian national living in
Vienna.
These communications consisted of VOLP and Internet chat sessions, conducted in Arabic, which
revealed that Mr. Mahmoud was engaged in communication about issues associated with jihad with a
person in Canada, including plans for a terrorist attack, most likely in Europe. The participants
discussed using explosives and other arrangements related to an attack.
As a result of interception activities, Sad Namouh, living in Canada, was identified as one of the
participants in the above communications. In July 2007, the Royal Canadian Mounted Police became
involved in the investigation, which was coordinated between Austrian and Canadian authorities
through Canada's law enforcement liaison officer based in Vienna. While a formal mutual legal ass
stance treaty existed between Austria and Canada, no formal mutual legal assistance request under the
treaty was initiated; the cooperation took place entirely on an informal basis.
Investigations revealed that between November 2006 and September 2007 someone using
Mr. NAMOUH`S Internet connection was spending a considerable amount of time on the Internet and
was in constant contact with jihadists around the world, including via the Global Islamic Media Front
(GIMF), one of the oldest and most prominent virtual jihadist groups. Supported by Al-FAJR Center, G
MF acts as the media arm for the Army of Islam (JAISH al-Islam). Among other things, GIMF
disseminates propaganda and provides jihadists with the tools (e.g. bomb manuals, encryption
software) needed to carry out jihad. Much of Mt. Namouh's internet activity involved postings on
various discussion forums frequented by jihadists
In May 2007, BBC journalist Alan Johnston was kidnapped in Gaza by the "Army of slam" GIMF
published several videos related to this event, but of particular note was the video published on 9 May
2007, in which the Army of Islam claimed responsibility for the kidnapping, as well as videos
published on 20 and 25 June, in which threats to execute him were made if certain demands were not
met. Fortunately, Mr. LOHNSTON was released unharmed on 3 July 2007
In total, between 3 June and 9 September 2007, 31 conversations took place between NAMOUH and
Mahmoud. These conversations revealed them to be planning to carry out a bombing at an undisclosed
location in Europe and discussing how to obtain or make suicide explosive belts, financing issues and
travel plans to meet other persons in the Maghreb and Egypt for final preparations. These
conversations suggested that Mt. Namouh was the intended suicide bomber
On 12 September 2007, fearing the plans were getting very close to fruition, authorities in Austria and
Canada carried out the simultaneous arrests of NAMOUH and MAHMAUD.
In Canada, Mr. NAMOUH was charged with conspiracy to use explosives (unknown location in Europe)
participation in the activities of a terrorist group, facilitating terrorist activities and extortion of a foreign
Government (threat video against Austria and Germany).
At trial, Mr. Namouh's defense challenged several aspects of the prosecution, including by raising
constitutional arguments based on the right to freedom of expression (related to the issue of whether the
GMF was a terrorist organization). Objections were raised to the objectivity of the primary expert witness
called by the prosecution to give testimony on the Al-Qaida movement, its offshoots, global jihadism
(including virtual jihadism) and the methods and style of GIMF propaganda and the organization's use
of the Internet. The defense also challenged whether activities undertaken by G MF and associated groups
amounted to terrorism, as well as the reliability of evidence related to the interception of Internet-based
communications in Austria and Canada and the accuracy of translations of the records of these
communications from Arabic into French. The defense asked the court to find that different messages
circulated by Mr. NAMOUH on behalf of GIMF should be taken figuratively and not as acts counseling or
encouraging acts of terrorism.
In considering the defense arguments in relation to the nature of the material posted or communicated on
behalf of GIMF, the court concluded:
The Court has no doubt on this subject. The context of these messages clearly refers to reactions
encouraged by the GIMF Death and destruction are everywhere. The jihad promoted by the GIMF
is a violent one. This promotion clearly constitutes counseling ("encouragement") and sometimes a
threat of terrorist activity Therefore, this activity clearly falls within the definition of terrorist
activity within the meaning of Section 83.01 of the Criminal Code.
In finding that Mr. NAMOUH was guilty of counseling or encouraging acts of terrorism, the court referred
to intercepted communications containing statements which showed the zealous, active nature of his
participation in the activities of GIMF Also relevant in the court's view were several posts, including
the one below from 12 December 2006, in which the defendant expressed his wish to conceal his activities,
and those of GIME, by removing incriminating computer data:
In other communications, the defendant enquired about the use of anonymizing software and similar tools
that could be used to conceal his activities. Following trial in October 2009, the defendant was found guilty
of all charges; he was later sentenced to life imprisonment.
(b) Joint investigations
288. Europol works with a system of national units, which are designated contact
points within national police forces. It facilitates and encourages information
exchange between member States through a secure digital network and provides
a system of 17 analytical work files within the Europol legal framework,
primarily aimed at enabling participating authorities to ensure full coordination
and cooperation.
289. While it is difficult to assess, at the international level, the extent to which
countries have collaborated in this manner, discussions at the expert group
meeting high- lighted the increasing awareness within the international law
enforcement and security communities that the nature of modern terrorism and
mod operandi of terrorists makes close cooperation in the investigation of
terrorism an increasingly important component of successful efforts to disrupt,
prevent and prosecute terrorist acts.
292. In many cases, for example when authorities in one country seek the
preservation of Internet data held by an ISP in another country, it might be
possible for authorities to cooperate informally to preserve such data for the
purpose of the investigation or prosecution of a criminal offence.
293. The legal issues associated with the conduct of Internet-related criminal
investigations, particularly issues related to jurisdiction, can be extremely
complex. In cases in which investigators in one country need to access
information held on computers located in another country, complex questions can
arise about the legal authority and the basis for their actions. While it is possible
for authorities in one country to deal directly with parties holding the information
they seek in another, the responses to this approach may vary. As a general rule,
it is desirable for authorities to work with their foreign counterparts, if possible
on an informal basis, to obtain such information.
294. The form and method of cooperation will depend largely on the nature and
intended purpose of the assistance requested. For example, while authorities
in one country might be able to afford informal assistance to foreign counterparts
by seeking the voluntary preservation of Internet-related data from ISPs, the
search and seizure of such data will usually require judicial authorization,
which can only be obtained by formal means.
295. Sometimes, the use of formal requests is the only method by which
authorities can provide the required mutual cooperation. In such cases, it is
important that countries have in place legislation and procedures that provide
for
timely and effective responses to requests, to maximize, to the extent possible, the
likelihood of such assistance being successful.
Informal cooperation
296. Given the potential importance and urgency of locating and securing
Internet related data in terrorism investigations, and the probability that such data
will be held in another country, investigators need to consider both formal and
informal means of obtaining it. While formal mutual legal assistance channels
might offer greater certainty with respect to associated legal issues, they also take
longer and involve more bureaucracy than informal channels.
297. At the expert group meeting, the expert from Canada emphasized the critical
role that the close informal cooperation between the Royal Canadian Mounted
Police and Austria's Federal Agency for State Protection and Counter-Terrorism
(BUNDESAMT für VERFASSUNGSSCHUTZ und Terrorismusbekämpfung),
facilitated through Canada's liaison officer based in Vienna, played in the
successful outcome of the prosecution. In addition to that case, other experts
referred to other similar examples in which the use of liaison officers to facilitate
informal cooperation had been instrumental in successful outcomes.
298. Internet-related data such as customer usage data held by ISPs is likely to be
crucial evidence in terrorism cases involving the use of computers and the
Internet. If investigators can secure physical possession of computers used by a
suspect, as well as associated usage data held by ISPs, they are more likely to
establish the link between the suspect and the commission of a crime.
299. With this is mind, it is important that investigators and prosecutors be fully
cognizant of the potential importance of Internet-related data and the need to take
the earliest possible steps to preserve it in a manner that ensures its
admissibility as potential evidence in any later proceedings. To the extent
possible, national law enforcement agencies should develop, either directly with
ISPs or with counterpart agencies in other countries, clear procedures, involving
both formal and informal elements, aimed at ensuring the earliest possible
retention and production of Internet-usage data required for a criminal
investigation.
300. In the United States, where many major 1SPs are hosted, a "dual"
approach is used by authorities to assist foreign counterparts with the retention
and production of Internet-related data held by ISPs based in the United States,
for possible evidential purposes. Under this approach, foreign requests for
retention and production of user account information of Internet service providers
could be handled in two ways:
(a) Informal process. There are two ways by which investigating authorities
can secure the retention of Internet related data held in the United States by
informal means: (I) foreign authorities can develop a direct relationship
with ISPs and make a direct informal request that they retain and produce
the required data; or (ii) if no direct relationship exists, they can make an
informal request through the Federal Bureau of Investigation, which will
make the request to the ISP;
(b) Formal process. Under the formal process, foreign authorities can make a
formal mutual legal assistance request for data related to a specific user
account, which goes through the Office of International Affairs of the
United States Department of Justice. Upon receipt, the request will be
reviewed by the Department's Counterterrorism Section to identify whether
it is connected to any investigation being led by the United States. If
not, the request is submitted to a federal court for the necessary warrant
authorizing the collection and transmittal of the required information to
authorities in the requesting country.
301. The above approach for production of ISP-related data has been used
success- fully in several terrorism investigations by authorities in the United
Kingdom and the United States. In one particular case, the procedures resulted
in a United States-based ISP providing a substantial cache of Internet data
which was crucial evidence in a prosecution in the United Kingdom.
302. By its very nature, the virtual geographical footprint, fragmented structure
and rapidly evolving technology associated with the Internet presents ongoing
challenges and issues for law enforcement and criminal justice authorities
involved in the investigation and prosecution of terrorism cases. The discussion
at the expert group meeting highlighted some areas that were currently
problematic
in relation to international cooperation. These included difficulties, in some
cases, in satisfying the dual criminality requirements in extradition and mutual
legal assistance requests. A number of experts had experienced cases in which
mutual legal assist once or extradition requests had been delayed or refused
because of problems satisfying dual criminality requirements. In some cases, that
had been a result of the incompatibility of criminal offence provisions, but in
others it was the result of an unduly restrictive approach to judicial interpretation
of corresponding criminalization provisions by the judiciary. Several experts
considered that this situation highlighted the need for training for members of the
judiciary on international cooperation issues.
303. Experts from several countries at the expert group meeting referred to the
ongoing challenges associated with the sharing of sensitive intelligence
information by national law enforcement and intelligence agencies with foreign
counterparts. Invariably, in terrorism cases criminal investigations and
prosecutions are intelligence-based, at least in the early stages, and involve
sensitive information that is closely held and protected. The disclosure of such
information carries considerable risks, often not only for its originating source
but also for the agency or agencies holding it, particularly if disclosure is likely to
or might compromise an ongoing or future investigation or operation.
2. Sovereignty
305. The concept of sovereignty, including the right of nations to determine their
own political status and exercise permanent sovereignty within the limits of their
territorial jurisdiction, is a widely recognized principle under international
relations and law. Cases requiring the investigation or prosecution of cross-
border
activities of terrorists or other criminals might have sovereignty implications
for those countries in which investigations need to be undertaken.
308. As stated, in many terrorism cases an important part of the evidence against
suspected offenders will relate to some aspect of Internet-related activity by the
suspect (e.g. credit card billing information and customer usage data related to
Internet-based communication such as e-mail, VOLP, Skype or related to social
networking or other websites). In many cases, it will be necessary for
investigating authorities to ensure that the relevant Internet-data is retained and
preserved for later evidential use in proceedings. In this regard, it is important to
note the distinction between "retention" of data and "preservation" of data. In
many countries, ISPs are obliged by law to retain certain types of data for a
specified time period. On the other hand, preservation refers to an obligation
imposed on an ISP, pursuant to a judicial order, warrant or direction, to preserve
data under specified terms and conditions for production as evidence in criminal
proceedings.
309. One of the major problems confronting all law enforcement agencies is the
lack of an internationally agreed framework for retention of data held by ISPs.
While Governments in many countries have imposed legal obligations on locally
based ISPs to retain Internet-related data for law enforcement purposes,
internationally there is no single, universally agreed, standard time period
for which every ISP is obliged to retain this information.
311. In the United States, the current approach requires ISPs to retain usage
data at the specific request of law enforcement agencies, with providers applying
widely varying policies for storing data, ranging from days to months.
312. While there have been some efforts, most notably within the European
Union, to achieve some consistency on this issue, this has proven, even at the
European Union level, to be problematic Under directive 2006/24/EC of the
European Parliament and of the Council of the European Union of 15 March
2006 on the retention of data generated or processed in connection with the
provision of publicly available electronic communications services or of public
communications networks and amending directive 2002/58/EC, in dealing with
the retention of data held by providers of electronic communications services and
public communications networks, European Union member States are obliged to
ensure that regulated providers retain specified communications data for a period
of between six months and two years. Nevertheless, despite the Directive, there
remains no single consistent data-retention period for all ISPs hosted within the
European Union, with periods ranging across the six-month to two-year time
period set by the directive. Consequently, while there is a greater measure of
certainty on these issues even within the European Union context, there are
differences in the duration for which data is held by ISPs based there.
313. Several participants at the expert group meeting were of the view that the
development of a universally accepted regulatory framework imposing consistent
obligations on all ISPs regarding the type and duration of customer usage data to
be retained would be of considerable benefit to law enforcement and intelligence
agencies investigating terrorism cases.
314. With no universally agreed standards or obligations on ISPs and other
communication providers relating to the retention of Internet-related data, it is
important in criminal investigations that investigators and prosecutors identify at
the earliest possible stage whether such data exists and for what time frame,
whether it is likely to be of relevance to a prosecution and where it is located,
along with the applicable time frame, if any, for which it must be retained by the
party holding it. If in doubt, it would be prudent for authorities to contact their
counterparts in the country in which the data is located and initiate steps (either
formal and informal) that might be necessary to secure the preservation of
the data for possible production. Depending on the circumstances, including their
familiarity or relationship with the relevant ISP, authorities might consider
contacting the ISP directly and seeking its informal assistance. Given sensitivities
over compliance with customer confidentiality and national privacy laws,
however, the level of responsiveness by ISPs to such direct, informal requests
can be highly variable. It would always be prudent for investigators and
prosecutors to communicate and coordinate their efforts with their foreign
counterparts to secure the preservation and production of such information.
4. Evidential requirements
316. In terrorism cases, there are a number of issues that can pose considerable
challenges for authorities in ensuring the admissibility of certain types of
information. Successfully overcoming them remains an ongoing challenge for all
practitioners involved in the investigation and prosecution of terrorism-related
cases, which often contain characteristics that could impede the admissibility
of
information. The transnational nature of terrorism cases, including the extensive
use of intelligence (often provided by foreign partners under strict conditions) or
highly specialized, often covert and intrusive, search, surveillance and
interception methods as the basis for the collection of evidence, can present
significant obstacles to authorities seeking to present admissible evidence to a
court or tribunal.
317. In the terrorism context, with specific reference to evidential issues that
might arise in relation to the Internet or computer technology, the general
approach taken by investigators and prosecutors remains the same. Issues of
particular importance are likely to be the need to secure, at the earliest possible
opportunity, physical possession of computers or similar devices allegedly used
by suspects; and the need to apply appropriate measures, in accordance with
recognized good practice, to protect the integrity of these exhibits (i.e. the chain
of custody/evidence) and undertake any digital forensics A failure to follow these
procedures could potentially affect the admissibility of this type of evidence.
Other forms of evidence that might require particular care include material
obtained as a result of search and/or surveillance activities, which must be carried
out only within the terms of the appropriate judicial authorization.
320. In the terrorism context, in the absence of any universal obligation on States
to criminalize specific unlawful conduct carried out over the Internet, central
authorities are likely to be reliant, when making or receiving requests for
international cooperation, on criminal offences established under terrorism-
related legislation or their national penal codes. For example, in the case of
alleged acts of incitement to terrorism that occur over the Internet, owing to
differences in the legal approach taken by States with respect to such conduct,
international cooperation requests might need to be based on inchoate offences
such as solicitation.
324. Matters related to human rights and constitutional safeguards touch on many
issues associated with the investigation and prosecution of terrorism, including
those related to international cooperation. Again, using acts relating to the
incitement of terrorism as an example, different national approaches to the
application of constitutional rights and/or human rights can be reflected in
different legal approaches. This can lead to difficulties in international
cooperation cases in which States seek to request or provide assistance. For
example, when authorities in one country make a request to their counterparts in
another country for Internet-related data relating to statements made over the
Internet amounting to incitement to commit terrorism in their jurisdiction; it will
be of great relevance whether the alleged acts also constitute a crime in
the
requested country. In the broader context of Internet content control, when
authorities in one country seek the removal of content that they consider incites
terrorism, and which is hosted on a server located in another jurisdiction,
applicable laws and constitutional safeguards for rights such as the freedom of
expression may differ.
7. Concurrent jurisdiction
326. Terrorism cases in which constituent elements of crimes are carried out over
the Internet can raise complex jurisdictional issues, especially when a suspected
offender is located in one country and uses Internet sites or services hosted
by ISPs in another to carry out constituent acts of a crime. There have been cases
in which person’s resident in one country have set up, administered and
maintained websites used for promoting jihad and for other terrorism-related
purposes in another.
327. The Belgian case of Malaki el AROUD and Others (see para. 377) is one
such example. The defendant, who was living in Belgium, administered a
website, hosted in Canada, which she used for promoting jihad and for other
purposes aimed at supporting terrorist activities. The prosecution of terrorist-
related activities in these situations relies heavily on effective international
cooperation.
328. There are no binding rules under international law dealing with the issue of
how States should deal with situations in which more than one State might assert
jurisdiction to prosecute a crime involving the same suspect. Despite the fact that
States have broad discretion with respect to the criteria applied, this typically
involves balancing, or weighing up, different factors. These might include the
relative "connectivity" between the alleged crime and particular States,
including
the suspect's nationality, the location where various constituent acts forming the
crime took place, the location of relevant witnesses and evidence and the relative
potential difficulties in collecting, transmitting or producing evidence in a
particular jurisdiction. In some States, including Belgium, Canada and Spain,
certain forms of jurisdiction are considered to be subsidiary to others. States with
close connections to a crime (e.g. the crime is committed within their territory or
by one of their nationals) are considered to have primary jurisdiction, with States
holding jurisdiction on other bases acting only when the State with primary
jurisdiction is either unwilling or unable to prosecute,
329. Some countries, including Canada, apply a "real and substantial connection"
test when determining whether criminal jurisdiction exists.1s in Israel, when
international cooperation requests are received from other countries, these are
investigated domestically to determine if it can be proven that an offence under
Israeli law was committed which should be prosecuted in Israel. If no prosecution
results from such an investigation, Israeli authorities will transmit all available
evidence [and transfer the suspected offender) via formal channels to the
requesting country for the purpose of prosecution there. In the United Kingdom,
legislation and case law dealing with certain terrorism related crimes involving
activity outside the United Kingdom (including via the Internet) allow British
authorities to assert jurisdiction if it can be shown that a "substantial measure" of
the activities constituting the crime took place in the United Kingdom, and if
it can reasonably be argued that these activities should not be dealt with by
another country.
331. National data protection or privacy legislation can often restrict the ability
of law enforcement and intelligence agencies to share information with both
national and foreign counterparts. Again, striking the appropriate balance
between the human right to privacy and the legitimate interest of the State to
effectively investigate and prosecute crime is and ongoing challenge for
Governments and, in some cases (including responses to terrorism), has been the
subject of concern.157
335. Several participants at the expert group meeting referred to issues related to
the sensitive nature of much information (often intelligence-based)
associated with terrorism investigations and the inherent challenges, not only in
the international cooperation context but also nationally, facing agencies wishing
to share such information with counterparts. Several experts highlighted that
information was often highly sensitive in nature and that sharing it became
difficult in the absence of a formal information sharing mechanism containing
appropriate conditions regarding its use and disclosure.
336. This issue is considered in more detail in the next chapter, relating to
prosecutions, in the context of evidential issues associated with translating
intelligence material into admissible evidence and the disclosure of evidence in
criminal proceedings.
VI. Prosecutions
A. Introduction
337. An integral part of the universal legal framework against terrorism, and
of the United Nations Global Counter-Terrorism Strategy, is the obligation
imposed on States to deny safe haven and bring to justice perpetrators of terrorist
acts, wherever such acts might occur. In order to achieve the last of these
objectives, countries not only require effective counter-terrorism legislation,
criminalizing terrorist acts and facilitating necessary international cooperation,
but also the capacity to apply specialized investigative techniques and
prosecution strategies to ensure the collection, preservation, production and
admissibility of evidence (often intelligence-based) when prosecuting suspected
terrorists, while ensuring international standards of treatment for accused
persons.
338. The role of prosecutors in the prosecution of terrorism cases has become
increasingly complex and demanding. In addition to responsibility for the
conduct of criminal proceedings, prosecutors are becoming more involved in the
investigative and intelligence-gathering phases of terrorism cases, providing
guidance or supervision on the legal and strategic implications of various
investigative techniques. In the present chapter, the role of prosecutors in
terrorism cases involving the use of the Internet by terrorists is considered, with a
view to identifying, from a prosecutor's perspective, common challenges or
obstacles and strategies and approaches that have been proven to be effective in
the successful prosecution of perpetrators.
341. There are several publications dealing specifically with, and aimed at,
promoting respect for human rights and the rule of law within the remit of
prosecutors and criminal justice officers involved in terrorism prosecutions. In
2003 the Office of the United Nations High Commissioner for Human Rights
produced the Digest of Jurisprudence of the United Nations and Regional
Organizations on the Protection of Human Rights while Countering Terrorism.
Within the Council of Europe, which has fully recognized and integrated the
obligation to implement the protection of human rights as a fundamental
principle into its instruments dealing with crime prevention and criminal justice
issues, including terrorism, this principle is reaffirmed in the Guidelines of the
Committee of Ministers of the Council of Europe on Human Rights and the Fight
against Terrorism, adopted by the Committee of Ministers on 11 July 2002, 1
These documents provide valuable guidance for prosecutors working in the
counter-terrorism field.
342. The role of the prosecutor in the conduct of criminal proceedings, including
terrorism cases, varies between countries. In some countries, particularly civil-
law jurisdictions, prosecutors have formal responsibility for overseeing the
conduct of criminal investigations, supervising teams of investigators
throughout, making
decisions on search and surveillance activities and the laying of charges or
indictments and dealing with international cooperation issues and the conduct of
proceedings before the courts.
343. In an inquisitorial judicial system like the French one, for example, the
prosecutor is generally tasked with beginning the legal action and with initiating
preliminary investigations, defining the scope of the crimes; however, an
examining judge, or JUGE D'INSTRUCTION, will lead the formal judicial
investigation, collecting and examining evidence. When the culpability of the
subject can be excluded, the examining judge will close proceedings; otherwise,
the subject will be committed for trial before a different judge. In terrorism cases,
in addition to presenting the prosecution case to a judge, the chief prosecutor may
petition or submit a motion for further investigation.