Technica Editorial

Background
Technology is one of the strategic factors driving the increasing use of the
Internet by terrorist organization and their supporters for a wide range of
purposes, including recruitment, financing, propaganda, training, incitement to
commit acts of terrorism, and the gathering and dissemination of information for
terrorist purposes. While the many benefits of the Internet are self-evident, it may
also be used to facilitate communication within terrorist organizations and to
transmit information on, as well as material support for, planned acts of terrorism,
all of which require specific technical knowledge for the effective investigation of
these offences
It is a commonly accepted principle that, despite the heinous nature of their acts,
alleged terrorists should be afforded the same procedural safeguards under
criminal law as any other suspects. The defense of human rights is a core value of
the United Nations and a fundamental pillar of the rule-of-law approach to the
fight against terrorism. The present publication accordingly highlights the
importance of respect for the principles of human rights and fundamental
freedoms at all times and, in particular, in the context of the development and
implementation of legal instruments related to countering terrorism.
The United Nations Office on Drugs and Crime (UNODC), as a key United
Nations entity for delivering counter-terrorism legal and related technical
assistance, actively participates in the Counter-Terrorism Implementation Task
Force, thus ensuring that the counter-terrorism work of UNODC is carried out in
the broader context of, and coordinated with, United Nations system-wide efforts.
In January 2010, the Task Force's Working Group on Countering the Use of the
Internet for Terrorist Purposes initiated a series of conferences involving
representatives from Governments, international and regional organizations, think
tanks, academia and the private sector to evaluate the use of the Internet for
terrorist purposes and potential means to counter such use. The objective of the
Working Group initiative was to provide Member States with an overview of the
current nature of the challenge and to propose policy guidelines, projects and
practical guidance regarding legal, technical and counter-narrative aspects of the
challenge. Working Group conferences were held in Berlin in January 2010,
Seattle (United States of America) in February 2010 and Riyadh in January 2011.
In furtherance of its mandate "to develop specialized legal knowledge in the area
of counter-terrorism... and to provide assistance to requesting Member States
with regard to criminal justice responses to terrorism, including. the use of the
Internet for terrorist purposes,"1 the Terrorism Prevention Branch of UNODC, in
collaboration with the Organized Crime and Illicit Trafficking Branch of
UNODC and with the support of the Government of the United Kingdom of
Great Britain and Northern Ireland, undertook to contribute to the Working
Group project through the development of the current technical assistance tool on
the use of the Internet for terrorist purposes. The current UNODC publication
builds upon the conclusions of the Working Group conferences, and in particular
the conference held in Berlin in January 2010, relating to Internet-specific legal
aspects of terrorism.
In connection with the development of the present publication, UNODC

convened two expert group meetings in Vienna, in October 2011 and February
2012, to provide a forum for counter-terrorism practitioners, from a
geographically diverse group of Member States, to share their experiences
relating to the use of the Internet for terrorist purposes. Experts from a total of 25
Member States participated in these meetings, including senior prosecutors, law
enforcement officers and academics, as well as representatives from several
intergovernmental organizations. The present publication draws heavily on the
discussions and expertise shared during those meetings, and is intended to
provide practical guidance to Member States to facilitate the more effective
investigation and prosecution of terrorist cases involving the use of the Internet.
1. Use of the Internet for terrorist purposes
A. Introduction
1. Since the late 1980s, the Internet has proven to be a highly dynamic means of
communication, reaching an ever-growing audience worldwide. The
development of increasingly sophisticated technologies has created a network
with a truly global reach, and relatively low barriers to entry. Internet
technology makes it easy for an individual to communicate with relative
anonymity, quickly and effectively across borders, to an almost limitless
audience. The benefits of Internet technology are numerous, starting with its
unique suitability for sharing information and ideas, which is recognized as a
fundamental human right.2 It must also be recognized, however, that the same
techno logy that facilitates such communication can also be exploited for the
purposes of terrorism. The use of the Internet for terrorist purposes creates both
challenges and opportunities in the fight against terrorism.
B. Means by which the Internet is utilized for terrorist purposes
2. For the purposes of the present publication, a functional approach has been
adopted regarding the classification of the means by which the Internet is often
utilized to promote and support acts of terrorism. This approach has resulted in
the identification of six sometimes overlapping categories: propaganda (including
recruitment, radicalization and incitement to terrorism); financing; training;
planning (including through secret communication and open-source information);
execution; and cyberattacks. Each of these categories is addressed in greater
detail below.
I. Propaganda
3. One of the primaries uses of the Internet by terrorists is for the dissemination
of propaganda. Propaganda generally takes the form of multimedia
communications providing ideological or practical instruction, explanations,
justifications or promotion of terrorist activities. These may include virtual
messages, presentations, magazines, treatises, audio and video files and video
games developed by terrorist organizations or sympathizers. Nevertheless, what
constitutes terrorist propaganda, as opposed to legitimate advocacy of a
viewpoint, is often a subjective assessment. Further, the dissemination of
propaganda is generally not, in and of itself, a prohibited activity. One of the
basic tenets of international law is the protection of fundamental human rights,
which include the right to freedom of expression (see discussion in section 1.D
below). This guarantees an individual the right to share an opinion or distribute
content which may be considered objectionable by others, subject to certain
limited exceptions. One commonly accepted exclusion with respect to that right
is the prohibition against the distribution of certain categories of sexually explicit
content, the prohibition of which is deemed to be in the public interest in order to
protect certain vulnerable groups. Other exclusions, all of which must be
provided for by law and shown to be necessary, may include communications
that are clearly detrimental to the protection of national security and
communications that are both intended and likely to incite acts of violence
against individuals or specific groups of individuals.3
4. The promotion of violence is a common theme in terrorism-related

propaganda. The broad reach of content distributed via the Internet exponentially
increases the audience that may be affected. Further, the ability to directly
distribute content via the Internet diminishes the reliance on traditional
channels of communication, such as news services, which may take steps to
independently evaluate the credibility of the information provided or to edit or
omit aspects deemed to be unduly provocative. Internet propaganda may also
include content such as video footage of violent acts of terrorism or video games
developed by terrorist organizations that simulate acts of terrorism and encourage
the user to engage in role-play, by acting the part of a virtual terrorist.
5. The promotion of extremist rhetoric encouraging violent acts is also a common

trend across the growing range of Internet-based platforms that host user-
generated content. Content that might formerly have been distributed to a
relatively limited audience, in person or via physical media such as compact discs
(CDs) and digital video discs (DVDs), has increasingly migrated to the Internet.
Such content may be distributed using a broad range of tools, such as dedicated
websites, targeted virtual chat rooms and forums, online magazines, social
networking platforms such as Twitter and Facebook, and popular video and file-
sharing websites, such as YouTube and Rapid share, respectively. The use of
indexing services such as Internet search engines also makes it easier to identify
and retrieve terrorism-related content.
6. The fundamental threat posed by terrorist propaganda relates to the manner in
which it is used and the intent with which it is disseminated. Terrorist
propaganda distributed via the Internet covers a range of objectives and
audiences. It may be tailored, inter alia, to potential or actual supporters or
opponents of an organization or shared extremist belief, to direct or indirect
victims of acts of terrorism or to the international community or a subset thereof.
Propaganda aimed at potential or actual supporters may be focused on
recruitment, radicalization and incitement to terrorism, through messages
conveying pride, accomplishment and dedication to an extremist goal. It may also
be used to demonstrate the effective execution of terrorist attacks to those who
have provided financial support. Other objectives of terrorist propaganda may
include the use of psychological manipulation to undermine an individual's belief
in certain collective social values, or to propagate a sense of heightened anxiety,
fear or panic in a population or subset of the population. This may be achieved
through the dissemination of disinformation, rumors, threats of violence or
images relating to provocative acts of violence. The intended audience may
include direct viewers of content, as well as those affected by potential publicity
generated by such material. With respect to the wider international community,
the goal is often to convey a desire to achieve noble political ends.4
(a) Recruitment
7. The Internet may be used not only as a means to publish extremist rhetoric and
videos, but also a way to develop relationships with, and solicit support from,
those most responsive to targeted propaganda. Terrorist organizations
increasingly use propaganda distributed via platforms such as password-protected
websites and restricted- access Internet chat groups as a means of clandestine
recruitment.5 The reach of the Internet provides terrorist organizations and
sympathizers with a global pool of potential recruits. Restricted access cyber
forums offer a venue for recruits to learn about, and provide support to, terrorist
organizations and to engage in direct actions in the furtherance of terrorist
objectives.6 The use of technological barriers to entry to recruitment platforms
also increases the complexity of tracking terrorism-related activity by intelligence
and law enforcement personnel.
8. Terrorist propaganda is often tailored to appeal to vulnerable and marginalized
groups in society. The process of recruitment and radicalization commonly
capitalizes on an individual's sentiments of injustice, exclusion or humiliation. 7
Propaganda may be adapted to account for demographic factors, such as age or
gender, as well as social or economic circumstances.
9. The Internet may be a particularly effective medium for the recruitment of

minors, who comprise a high proportion of users. Propaganda disseminated
via the Internet with the aim of recruiting minors may take the form of cartoons,
popular music videos or computer games. Tactics employed by websites
maintained by terrorist organizations or their affiliates to target minors have
included mixing cartoons and children's stories with messages promoting and
glorifying acts of terrorism, such as suicide attacks. Similarly, some terrorist
organizations have designed online video games intended to be used as
recruitment and training tools. Such games may promote the use of violence
against a State or prominent political figure, rewarding virtual successes, and
may be offered in multiple languages to appeal to a broad audience.8
(b) Incitement
10. While propaganda per se is not generally prohibited, the use of propaganda
by terrorists to incite acts of terrorism is considered unlawful by many Member
States The Internet provides an abundance of material and opportunities to
download, edit and distribute content that may be considered unlawful
glorification of, or provocation to, acts of terrorism. It should be noted, however,
that some intergovernmental and human rights mechanisms have expressed doubt
that the concept of "glorification" of terrorism is sufficiently narrow and
precise to serve as a basis for criminal sanctions compliant with the requirements
of the principle of legality and the permissible limitations of the right to freedom
of expression, as enshrined in articles 15 and 19 of the International Covenant on
Civil and Political Rights.9,10
11. It is important to emphasize the distinction between mere propaganda and

material intended to incite acts of terrorism. In several Member States, in order to
be held liable for incitement to terrorism, a showing of the requisite intent and a
direct causal link between alleged propaganda and an actual plot or execution of
a terrorist act is required. For example, in a contribution to the expert group
meetings, a French expert indicated that the dissemination of instructive
materials on explosives would not be considered a violation of French law unless
the communication contained information specifying that the material was shared
in furtherance of a terrorist purpose.
12. Preventing and deterring incitement to terrorism in the interest of protecting

national security and public order are legitimate grounds for limiting freedom of
expression, as provided under article 19, paragraph 3, of the International
Covenant on Civil and Political Rights. These grounds are also consistent with
article 20, paragraph 2, of that Covenant, which requires States to prohibit any
advocacy of national, racial or religious hatred that constitutes incitement to
discrimination, hostility or violence. In the light of the fundamental nature of the
right to freedom of expression, however, any restrictions on the exercise of this
right must be both necessary and proportional to the threat posed. The right to
freedom of expression is also linked to other important rights, including the rights
to freedom of thought, conscience and religion, belief and opinion.11
(c) Radicalization
13. Recruitment, radicalization and incitement to terrorism may be viewed as

points along a continuum. Radicalization refers primarily to the process of
indoctrination that often accompanies the transformation of recruits into
individuals determined to act with violence based on extremist ideologies. The
process of radicalization often involves the use of propaganda, whether
communicated in person or via the Internet, over time. The length of time and the
effectiveness of the propaganda and other persuasive means employed vary
depending on individual circumstances and relationships.
2. Financing
14. Terrorist organizations and supporters may also use the Internet to
finance acts of terrorism. The manner in which terrorists use the Internet to raise
and collect funds and resources may be classified into four general categories:
direct solicitation, e-commerce, the exploitation of online payment tools and
through charitable organizations. Direct solicitation refers to the use of websites,
chat groups, mass mailings and targeted communications to request donations
from supporters. Websites may also be used as online stores, offering books,
audio and
video recordings and other items to supporters. Online payment facilities offered
through dedicated websites or communications platforms make it easy to transfer
funds electronically between parties. Funds transfers are often made by electronic
wire transfer, credit card or alternate payment facilities available via services
such as PayPal or Skype.
15. Online payment facilities may also be exploited through fraudulent means
such as identity theft, credit card theft, wire fraud, stock fraud, intellectual
property crimes and auction fraud. An example of the use of illicit gains to
finance acts of terrorism can be seen in the United Kingdom case against
YOUNES TSOULI (see para. 114 below). Profits from stolen credit cards were
laundered by several means, including transfer through e-gold online payment
accounts, which were used to route the funds through several countries before
they reached their intended destination. The laundered money was used both to
fund the registration by TSOULI of 180 websites hosting Al-Qaida propaganda
videos and to provide equipment for terrorist activities in several countries.
Approximately 1,400 credit cards were used to generate approximately Cl.6
million of illicit funds to finance terrorist activity.12
16. Financial support provided to seemingly legitimate organizations, such as

charities, may also be diverted for illicit purposes. Some terrorist organizations
have been known to establish shell corporations, disguised as philanthropic
undertakings, to solicit online donations. These organizations may claim to
support humanitarian goals while in fact donations are used to fund acts of
terrorism. Examples of overtly charitable organizations used for terrorist ends
include the innocuously named Benevolence International Foundation, Global
Relief Foundation and the Holy Land Foundation for Relief and Development, all
of which used fraudulent means to finance terrorist organizations in the Middle
East. Terrorists may also infiltrate branches of charitable organizations,
which they use as a cover to promote the ideologies of terrorist organizations or
to provide material support to militant groups.13
3. Training
17. In recent years, terrorist organizations have increasingly turned to the Internet
as an alternative training ground for terrorists. There is a growing range of media
that provide platforms for the dissemination of practical guides in the form of
online manuals, audio and video clips, information and advice. These
Internet
platforms also provide detailed instructions, often in easily accessible multimedia
format and multiple languages, on topics such as how to join terrorist
organizations; how to construct explosives, firearms or other weapons or
hazardous materials; and how to plan and execute terrorist attacks. The platforms
act as a virtual training camp. They are also used to share, inter alia, specific
methods, techniques or operational knowledge for the purpose of commit ting an
act of terrorism.
18. For example, inspire is an online magazine allegedly published by Al-

Qaida in the Arabian Peninsula with the stated objective of enabling Muslims to
train for jihad at home. It contains a large amount of ideological material aimed
at encouraging terror ism, including statements attributed to Osama Bin Laden,
Sheikh Ayman al-Zawahiri and other well-known Al-Qaida figures. The fall
2010 edition included practical instructional material on how to adapt a four-
wheel- drive vehicle to carry out an attack on members of the public and how a
lone individual could launch an indiscriminate attack by shooting a gun from a
tower. The publication even suggested a target city for such an attack, in order to
increase the chances of killing a member of the Government.14
19. Instructional material available online includes tools to facilitate counter-

intelligence and hacking activities and to improve the security of illicit
communications and online activity through the use of available encryption tools
and anonymizing techniques. The interactive nature of Internet platforms helps
build a sense of community among individuals from different geographical
locations and backgrounds, encouraging the creation of networks for the
exchange of instructional and tactical material.
4. Planning
20. Many criminal justice practitioners have indicated that almost every case of
terrorism prosecuted involved the use of Internet technology. In particular,
planning an act of terrorism typically involves remote communication among
several parties. A recent case from France, Public Prosecutor v. Hicheur,15
illustrates how different forms of Internet technology may be used to facilitate
the preparation of acts of terrorism, including via thorough communications
within and between organizations promoting violent extremism, as well as
across borders.
Public Prosecutor V. HICHEUR
In May 2012, a French court sentenced ADLÈNE HICHEUR, an Algerian-born French national, to
five years of imprisonment for participation in a criminal conspiracy for the preparation of a terrorist
act (under Article 421-1 et. seq. of the French Criminal Code), relating to acts that took place in
France in 2008 and 2009
The investigation implicating HICHEUR, a nuclear physicist, was launched in early 2008 in
connection with an e-mail communication containing jihadist content, which was sent to the website
of the President of the French Republic and traced back to a member of A Qaida in the Islamic
Maghreb (AQIM).
A preservation order issued in January 2009 enabled the authorities to identify e-mail exchanges
between the AQIM member and, inter alia, the Global Islamic Media Front (GIMF) and
the RAFIDAIN Center, a website with the stated goal of hosting and disseminating Al Qaida
documents, audio and video recordings, statements from warlords and suicide attackers and the
materials of other extremist Islamic groups. The e-mail exchanges were encrypted using the
dedicated software "ASRAREL Mujahedeen or "Mujahedeen Secrets", which includes 256-bit
encryption, variable stealth cipher encryption keys, RSA 2,048-bit encryption keys and encrypted
chat-forum-supported instant messaging.
Dozens of decrypted e-mail communications were presented at trial. The prosecution claimed that
the content of those e-mails indicated that HICHEUR actively performed, inter alia, the following
acts in support of the jihadist network, notably on behalf of the Al-RAFIDAIN CENTRE: -
 Translated, encrypted, compressed and password-protected pro-jihadist materials, including

documents and videos, which he then uploaded and circulated via the Internet.
 Distributed the encryption software "Mujahedeen Secrets" to facilitate covert Internet
communications.
 Conspired with an AQIM member to organize and coordinate pro-jihadist activities,
including but not limited to providing financial support to the jihadist cause, disseminating
pro-jihadist information and supporting the creation of an operational unit in Europe, and in
particular in France, to potentially prepare terrorist attacks.
 Acted as moderator on the pro-jihadist Rabat website.
 Took concrete steps to provide financial support to AQIM, including through the attempted
use of Pay Pal and other virtual payment systems.
At trial, the prosecution claimed that those communications proved HICHEUR had been fully aware
that he was engaging with a member of AQIM, and that he had acted knowingly and willingly as an
intermediary between jihadist fighters and GIMF. At the conclusion of the trial, the Court held that;
" HICHEUR became ... a logistical and media support for this terrorist structure for which the 'media
jihad' is crucial.
The Court further held that "Adlène HICHEUR, by giving his agreement to the establishment of an
operational unit linked to AQIM in Europe, or even in France, and determining targets or categories
of targets to be struck, participated in a group [AQM] specifically created to prepare acts of terrorism."
The court therefore found sufficient evidence to demonstrate, as required under the French Criminal
Code, that HICHEUR had provided not merely intellectual support but also direct logistical support to
a clearly identified terrorist plan. The decision of the court is appealable.
Sources Judgement of 4 May 2012 of the Tribunal de Grande instance de FARIS; and Tung,
Liam, Jihadists get worked-class encryption kit (29 January 20081, available from www
zdnet.com.au/jihadists-get-world-class-encryption-kit-339285480. HTM
21. Steps may also be taken via the Internet to identify a potential target of an
attack and the most effective means of achieving the terrorist purpose. These
preparatory steps may range from obtaining instructions on recommended
methods of attack to collecting open-source and other information regarding a
proposed target. The ability of the Internet to bridge distances and borders, and
the vast amount of information publicly available in cyberspace, make the
Internet a key tool in the planning of terrorist acts.
(a) Preparatory secret communication

22. The most basic function of the Internet is to facilitate communication.
Terrorists have become increasingly sophisticated at exploiting communications
technologies for anonymous communication related to the planning of terrorist
acts. A simple online e-mail account may be used by terrorists for electronic, or
virtual, "dead dropping" of communications. This refers to the creation of a draft
message, which remains unsent, and therefore leaves minimal electronic traces,
but which may be accessed from any Internet terminal worldwide by multiple
individuals with the relevant password.
23. There is also an abundance of more sophisticated technologies that increase
the difficulty of identifying the originator, recipient or content of Internet
communications. Encryption tools and anonymizing software are readily
available online for download. These tools may, inter alia, mask the unique
Internet Protocol (IP) address that identifies each device used to access the
Internet and its location, reroute Internet communications via one or more
servers to jurisdictions with lower levels of enforcement against terrorist activity
and/or encrypt traffic data relating to websites accessed. Steganography, the
hiding of messages in images, may also be used.
(b) Publicly available information

24. Organizations and individuals often publish extensive amounts of
information on the Internet. In the case of organizations, this may be a result in
part of a desire to promote their activities and streamline their interaction with
the public. Some sensitive information that may be used by terrorists for illicit
purposes is also made available through Internet search engines, which may
catalogue and retrieve inadequately protected information from millions of
websites. Further, online access to detailed logistical information, such as real-
time closed-circuit television footage, and applications such as Google Earth,
which is intended for and primarily used by individuals for legitimate ends, may
be misused by those intent on benefiting from the free access to high-resolution
satellite imagery, maps and information on terrain and buildings for the
reconnaissance of potential targets from a remote computer terminal.
25. Particularly in the age of popular social networking media, such as Facebook,
Twitter, YouTube, Flickr and blogging platforms, individuals also publish,
voluntarily or inadvertently, an unprecedented amount of sensitive information
on the Internet. While the intent of those distributing the information may be to
provide news or other updates to their audience for informational or social
purposes, some of this information may be misappropriated and used for the
benefit of criminal activity.
5. Execution
26. Elements of the categories described above may be employed in the use of
the Internet for the execution of terrorist acts. For example, explicit threats of
violence, including in relation to the use of weapons, may be disseminated via the
Internet to induce anxiety, fear or panic in a population or subset of the
population. In many Member States, the act of issuing such threats, even if
unfulfilled, may be deemed an offence. For example, in China, the fabrication of
a threat and/or the circulation of a threat that is known to be fabricated in relation
to the use of bombs or biological, chemical, or radioactive materials or other
weapons, when committed with the intent "to seriously disrupt public order", is
criminalized under domestic legislation. Internet communications may also be
used as a means to communicate with potential victims or to coordinate the
execution of physical acts of terrorism. For example, the Internet was used
extensively in the coordination of participants in the attacks of 11 September
2001 in the United States.
27. The use of the Internet in furtherance of the execution of acts of terrorism
may, inter alia, offer logistical advantages, reduce the likelihood of detection or
obscure the identity of responsible parties. Internet activity may also facilitate the
acquisition of items necessary for the execution of the attack. Terrorists may
purchase individual components or services required to perpetrate violent acts of
terrorism by means of electronic commerce. Misappropriated credit cards or
other forms of compromised electronic payment may be used to finance such
purchases.
6. Cyberattacks
28. A cyberattack generally refers to the deliberate exploitation of computer

networks as a means to launch an attack. Such attacks are typically intended to
disrupt the proper functioning of targets, such as computer systems, servers or
underlying infrastructure, through the use of hacking, advanced persistent threat
techniques, computer viruses, malware,17 phlooding18 or other means of
unauthorized or malicious access. Cyberattacks may bear the characteristics of an
act of terrorism, including the fundamental desire to instill fear in furtherance of
political or social objectives. An example of a cyberattack was seen in Israel
January 2012, involving the targeting of multiple symbolic Israeli websites, such
as the websites of the Tel Aviv Stock Exchange and the national airline, and
the
unauthorized disclosure of the credit card and account details of thousands of
Israeli nationals.19 While a considerable amount of attention has focused in recent
years on the threat of cyberattacks by terrorists, that topic is beyond the scope of
the present publication and, as such, will not be a subject of analysis.
C. Uses of the Internet for countering terrorist activity
29. While terrorists have developed many ways to use the Internet in furtherance
of illicit purposes, their use of the Internet also provides opportunities for the
gathering of intelligence and other activities to prevent and counter acts of
terrorism, as well as for the gathering of evidence for the prosecution of such
acts. A significant amount of knowledge about the functioning, activities and
sometimes the targets of terrorist organizations is derived from website, chat
room and other Internet communications. Further, increased Internet use for
terrorist purposes provides a corresponding increase in the availability of
electronic data which may be compiled and analyzed for counter-terrorism
purposes. Law enforcement, intelligence and other authorities are developing
increasingly sophisticated tools to proactively prevent, detect and deter terrorist
activity involving use of the Internet. The use of traditional investigative means,
such as dedicated translation resources for the timely identification of potential
terrorist threats, is also expanding.
30. Online discussions provide an opportunity to present opposing viewpoints or

to engage in constructive debate, which may have the effect of discouraging
potential supporters. Counter-narratives with a strong factual foundation may be
conveyed through online discussion forums, images and videos. Successful
messages may also demonstrate empathy with the underlying issues that
contribute to radicalization, such as political and social conditions, and highlight
alternatives to violent means of achieving the desired outcomes. Strategic
communications that provide counter-narratives to terrorist propaganda may also
be disseminated via the Internet, in multiple languages, to reach a broad,
geographically diverse audience.
31. The Center for Strategic Counterterrorism Communications, based in the

United States, offers an example of a recently launched inter-agency initiative
which is aimed at reducing radicalization and extremist violence by identifying in
a timely manner extremist propaganda, inter alia, on the Internet and
responding
swiftly with targeted counter-narratives via a wide range of communications
technologies, including digital tools. For instance, in May 2012, the Center was
cited as having responded, within 48 hours, to banner advertisements promoting
extremist violence posted on various websites by Al-Qaida in the Arabian
Peninsula, with counter-advertisements on the same websites featuring an altered
version of that same message that was intended to convey that the victims of the
terrorist organization's activities were Yemeni nationals. The counter-narrative
campaign involved cooperation among the United States Department of State, the
intelligence community and the military. The Center also uses media platforms
such as Facebook and YouTube for counter-narrative communications.22,23
D. Rule-of-law considerations
32. Respect for human rights and the rule of law is an integral part of the fight
against terrorism. Due care must be taken to respect international human rights
standards in all phases of counter-terrorism initiatives, from preventive
intelligence gathering to ensuring due process in the prosecution of suspects. This
requires the development of national counter-terrorism legislation and practices
that promote and protect fundamental human rights and the rule of law.24
33. States have both a right and a duty to take effective measures to counter the
destructive impact of terrorism on human rights, in particular the rights to life,
liberty and physical integrity of individuals and the territorial integrity and
security of States Effective counter-terrorism measures and the protection of
human rights are complementary and mutually reinforcing objectives which must
be pursued together.25 Counter- terrorism initiatives relating to Internet use may
have an impact on the enjoyment of a range of human rights, including the rights
to freedom of speech, freedom of association, privacy and a fair trial. While a
comprehensive analysis of human rights issues is beyond the scope of the present
publication, it is important to highlight key areas for consideration.
34. As noted in subsection B.1(b) above, the proscription of incitement to

terrorism may involve restrictions on freedom of expression. Freedom of
expression is not an absolute right. It may be restricted, subject to satisfaction of
strictly construed tests of legality, necessity, proportionality and non-
discrimination, when that freedom is used to incite discrimination, hostility or
violence. A key difficulty in cases of glorification or incitement to terrorism
is
identifying where the line of acceptability lies, as this varies greatly from country
to country depending on differing cultural and legal histories.26 The right to
freedom of association is similarly a qualified right, which may be subject to
narrowly construed limitations and derogations.
35. Countering terrorist use of the Internet may involve the surveillance and
collection of information relating to suspects. Due regard should be given to
protecting persons against arbitrary or unlawful interference with the right to
privacy,27 which includes the right to privacy of information about an individual's
identity as well as his or her private life. Domestic laws must be sufficiently
detailed regarding, inter alia, the specific circumstances in which such
interference may be permitted. Appropriate safeguards must also be in place to
prevent abuse of secret surveillance tools. Further, any personal data collected
must be adequately protected to ensure against unlawful or arbitrary access,
disclosure or use.28
36. Guaranteeing due process rights is critical for ensuring that counter-terrorism
measures are effective and respect the rule of law. Human rights protections
for all persons charged with criminal offences, including terrorism-related
crimes, include the right to be presumed innocent, the right to a hearing with due
guarantees and within a reasonable time by a competent, independent and
impartial tribunal and the right to have a conviction and sentence reviewed by a
higher tribunal that meets the same standards.29
37. For a more detailed analysis of the issues highlighted in the present
section and other relevant considerations, please see, for example, Fact Sheet
No. 32 of the Office of the United Nations High Commissioner for Human
Rights on "Human rights, terrorism and counter-terrorism", the report of the
United Nations High Commissioner for Human Rights on the protection of
human rights and fundamental freedoms while countering terrorism
(A/HRC/16/50) and the following reports of the Special Rapporteur on the
promotion and protection of human rights and fundamental freedoms while
countering terrorism: ten areas of best practices in countering terrorism
(A/HRC/16/51); and compilation of good practices on legal and institutional
frameworks and measures that ensure respect for human rights by intelligence
agencies while countering terrorism, including on their oversight (A/HRC/14/46).
II. The international context
A. Introduction
38. Terrorist use of the Internet is a transnational problem, requiring an

integrated response across borders and among national criminal justice systems.
The United Nations plays a pivotal role in this regard, facilitating discussion
and the sharing of good practices among Member States, as well as the building
of consensus on common approaches to combating the use of the Internet for
terrorist purposes.
39. The applicable international legal framework related to counter-terrorism is

contained in a range of sources, including resolutions of the General
Assembly and the Security Council, treaties, jurisprudence and customary
international law. Security Council resolutions may impose legally binding
obligations on Member States or provide "soft law" sources of political
commitments or emerging norms of international law. Council resolutions
adopted under Chapter VII of the Charter of the United Nations are binding on all
Member States. The General Assembly has also adopted a number of
resolutions relating to terrorism which provide useful sources of soft law and
have high political importance, even though they are not legally binding.30
40. Legal obligations are also imposed upon States pursuant to bilateral and
multilateral instruments addressing terrorism. "Universal" legal instruments are
agreements that are open for ratification or accession by all Member States of the
United Nations. By contrast, agreements promulgated by regional or other inter-
State groupings may be open to only a limited group of potential signatories;
such treaty-based obligations are binding only upon those States which choose to
become a party to the agreements.
41. The duty to bring perpetrators of acts of terrorism to justice rests primarily
with domestic authorities, as international tribunals do not generally have
jurisdiction over such acts.31 United Nations resolutions, universal legal
instruments, regional agreements and model laws against terrorism play a key
role in establishing common standards accepted across multiple jurisdictions.
B. United Nations counter-terrorism resolutions
42. The United Nations Global Counter-Terrorism Strategy was unanimously

adopted by the General Assembly in 2006, representing a milestone in the
domain of multilateral counter-terrorism initiatives. Pursuant to the Strategy,
Member States resolved, inter alia:
a) To consistently, unequivocally and strongly condemn terrorism in all its

forms and manifestations, committed by whomever, wherever and for
whatever purposes, as it constitutes one of the most serious threats to
international peace and security;
b) To take urgent action to prevent and combat terrorism in all its forms and
manifestations;
c) To recognize that international cooperation and any measures that [they]
undertake to prevent and combat terrorism must comply with [their)
obligations under international law, including the Charter of the United
Nations and relevant international conventions and protocols, in particular
human rights law, refugee law and international humanitarian law;
d) To work with the United Nations with due regard to confidentiality,
respecting human rights and in compliance with other obligations under
international law, to explore ways and means to "(a) Coordinate efforts at
the international and regional levels to counter terrorism in all its forms
and manifestations on the Internet; (b) Use the Internet as a tool for
countering the spread of terrorism, while recognizing that States may
require assistance in this regard" [emphasis added].
43. Several Security Council resolutions adopted in recent years require States to
cooperate fully in the fight against terrorism, in all its forms. In particular,
resolutions 1373 (2001) and 156 (2004), adopted under Chapter VII of the
Charter of the United Nations, require legislative and other action to be taken by
all Member States to combat terrorism, including through increased cooperation
with other Governments in the investigation, detection, arrest, extradition and
prosecution of those involved in terrorist acts and call upon States to implement
the international conventions and protocols relating to terrorism.
44. Another key Security Council resolution relating to terrorist activity that may
be conducted by means of the Internet is resolution 1624 (2005), which addresses
the incitement and glorification of terrorist acts. In its fourth preambular
paragraph, the Council condemns "in the strongest terms the incitement of
terrorist acts "and repudiates" attempts at the justification or glorification
(apologies) of terrorist acts that may incite further terrorist acts". In paragraph 1,
it calls upon all States to adopt such measures as may be necessary and
appropriate, and in accordance with their obligations under international law,
to prohibit by law and prevent incitement to commit a terrorist act or acts.
45. Recent United Nations reports and resolutions have specifically

acknowledged the importance of countering terrorist use of the Internet as a key
part of a comprehensive counter-terrorism strategy, In his 2006 report to the
General Assembly entitled "Uniting against terrorism: recommendations for a
global counter-terrorism strategy"33 the Secretary-General explicitly stated: "The
ability to generate and move finances, to acquire weapons, to recruit and train
cadres, and to communicate, particularly through use of the Internet, are all
essential to terrorists."34 The Secretary-General went on to assert that the Internet
was a rapidly growing vehicle for terrorist recruitment and dissemination of
information and propaganda, which must be countered through coordinated
action by Member States, while respecting human rights and other obligations
under international law.35
46. In its resolution 1963 (2010), the Security Council expressed "concern at the
increased use, in a globalized society, by terrorists of new information and
communications technologies, in particular the Internet, for the purposes of the
recruitment and incitement as well as for the financing, planning and preparation
of their activities." The Council also recognized the importance of cooperation
among Member States to prevent terrorists from exploiting technology,
communications and resources.
C. Universal counter-terrorism legal instruments
47. Since 1963, the international community has been developing universal legal
instruments to prevent terrorist acts under the auspices of the United Nations and
its specialized agencies, in particular the International Civil Aviation
Organization and the International Maritime Organization, and the International
Atomic Energy Agency. The universal counter-terrorism instruments represent a
major element of the global regime against terrorism and an important framework
for international cooperation in countering terrorism. These universal legal
instruments cover acts
ranging from the hijacking of aircraft to nuclear terrorism by individuals and
groups36 and require the States that adopt them to criminalize the most
foreseeable terrorist acts in the areas covered by the conventions. Nevertheless,
these universal legal instruments are legally binding only on the signatories
thereto,37 which are also responsible for enforcing the provisions through the
domestic criminal justice systems.
48. As a result of the attention focused on countering terrorism following the

adoption of Security Council resolution 1373 (2001), in which the Council called
on Member States to become parties to the universal counter-terrorism legal
instruments, the rate of adherence to these instruments has increased
significantly. As at June 2011, two thirds of Member States had either ratified or
acceded to at least 10 of the 16-universal counters-terrorism instruments.38
Member States to become parties to the universal counter-terrorism legal

instruments, the rate of adherence to these instruments has increased
significantly. As at June 2011, two thirds of Member States had either ratified or
acceded to at least 10 of the 16-universal counters-terrorism instruments.
49 There is currently no comprehensive United Nations treaty on terrorism that is

applicable to an exhaustive list of the manifestations of terrorism. Similarly, the
international community has yet to agree on an internationally binding definition
of the term "terrorism",39 owing largely to the difficulty of devising a universally
acceptable legal categorization for acts of violence committed by States, by
armed groups such as liberation or self-determination movements or by
individuals.
50. Member States have been engaged since 2000 in negotiations relating to a
comprehensive counter-terrorism convention, which will ultimately include a
definition of terrorism. Faced, however, with the difficulty of reaching consensus
on a single, globally accepted definition of what constitutes terrorism; progress
has instead been made through the existing universal legal instruments, which
have developed along sectoral lines. These instruments focus on criminalizing
specific "terrorist acts" without defining the broader concept of terrorism.
51. The universal instruments do not define terrorist offences as crimes under
international law. Rather, they create an obligation for States parties to the
agreements to criminalize the specified unlawful conduct under their domestic
law, exercise jurisdiction over offenders under prescribed conditions and
provide
for international cooperation mechanisms that enable States parties to either
prosecute or extradite the alleged offenders. Until the successful conclusion of
ongoing negotiations on a universal definition or comprehensive convention
relating to terrorism, bilateral and multilateral agreements should provide
the basis for the development of common standards to counter the use of the
Internet for terrorist purposes, in the interest of promoting international
cooperation.
52. No universal convention has been adopted specifically relating to the

prevention and suppression of terrorist use of the Internet. In December 2010, the
General Assembly adopted resolution 65/230, in which it, inter alia, endorsed the
Salvador Declaration on Comprehensive Strategies for Global Challenges: Crime
Prevention and Criminal Justice Systems and Their Development in a Changing
World and requested the Com- mission on Crime Prevention and Criminal Justice
to establish, in line with the Salvador Declaration, an open-ended
intergovernmental expert group to conduct a comprehensive study of the problem
of cybercrime and responses to it by Member States, the international community
and the private sector, including the exchange of information on national
legislation, best practices, technical assistance and international cooperation. The
results of this study, which was launched by UNODC in February 2012, will
facilitate an evaluation of the effects of the use of emergent information
technologies in furtherance of criminal activities, including with respect to
certain terrorist uses of the Internet, such as computer-related incitement to
terrorism and terrorist financing offences.
D. International human rights law
53. Human rights obligations form an integral part of the international legal
counter- terrorism framework, both through the obligation imposed on States to
prevent terrorist attacks, which have the potential to significantly undermine
human rights, and through the obligation to ensure that all counter-terrorism
measures respect human rights. In the United Nations Global Counter-Terrorism
Strategy, Member States reaffirmed those obligations, recognizing in particular
that "effective counter-terrorism measures and the protection of human rights are
not conflicting goals, but complementary and mutually reinforcing".
54. Key universal human rights instruments adopted under the auspices of the
United Nations include the Universal Declaration of Human Rights,41 the
International Covenant on Civil and Political Rights and the International
Covenant on Economic, Social and Cultural Rights,42 and applicable protocols.
55. Several regional organizations have also developed conventions guaranteeing

human rights. Examples include the European Convention for the Protection of
Human Rights and Fundamental Freedoms43 (1950), the American Convention on
Human Rights44 (1969), the African Charter on Human and Peoples' Rights 45
(1981), and the Charter of Fundamental Rights of the European Union46 (2000).
56. While a comprehensive analysis of issues relating to human rights law is

beyond the scope of the present publication, rule-of-law considerations and the
applicable legal instruments will be addressed with reference to specific counter-
terrorism measures where the context so requires.47
E. Regional and sub-regional counter-terrorism legal instruments
57. In addition to the universal counter-terrorism instruments, several regional

and sub-regional instruments offer valuable substantive and procedural standards
for criminalizing acts of terrorism that may be perpetrated by means of the
Internet. These instruments, which complement the universal counter-terrorism
instruments, may vary in scope and in their degree of enforceability.
I. Council of Europe
58. In 2001, the Council of Europe elaborated the Council of Europe Convention
on Cybercrime,48 which is currently the only multilateral, legally binding
instrument addressing criminal activity conducted via the Internet. The Council
of Europe Convention on Cybercrime seeks to harmonize national laws relating
to cybercrime, to improve domestic procedures for detecting, investigating, and
prosecuting such crimes and to provide arrangements for fast and reliable
international cooperation on these matters.49 The Convention establishes a
common minimum standard for domestic computer-related offences50 and
provides for the criminalization of nine such offences, including offences relating
to unauthorized access to and illicit tampering with computer systems,
programs or data; computer-related fraud and forgery; and attempting, aiding or
abetting the commission of such acts.51
59. The Council of Europe Convention on Cybercrime also includes important
procedural provisions which may facilitate investigations and evidence-gathering
in connection with acts of terrorism involving use of the Internet. These
provisions apply to any criminal offence committed by means of a computer and
the collection of evidence in electronic form and are subject to applicable
safeguards provided for under domestic law.52
60. For example, the Council of Europe Convention on Cybercrime requires

parties to adopt legislation requiring Internet service providers (ISPs) to preserve
specified data stored on their servers for up to 90 days 53 (renewable), if requested
to do so by law enforcement officials during the course of a criminal
investigation or proceeding, until the appropriate legal steps may be taken to
compel disclosure of such data.54 This expedited procedure for the preservation of
stored data is crucial given the transient nature of electronic data and the often
time-consuming traditional mutual legal assistance procedures in transnational
cases.55 The issuance of a preservation order, or similar measure, also has several
benefits compared with traditional search and seizure procedures, as the ISP may
be better placed to rapidly secure the evidence in question. Additionally, a
preservation measure may be less disruptive to the legitimate business of the ISP,
with lower potential for reputational harm to the business, 56 which may facilitate
ongoing cooperation. The search and seizure procedure with respect to stored
data, established pursuant to article 19 of the Council of Europe Convention on
Cyber- crime, provides protections regarding stored data that are similar to those
generally afforded to tangible evidence57 under the relevant domestic
legislation.58
61. The Council of Europe Convention on Cybercrime also requires parties to

implement legislation relating to the production of stored subscriber data 59. Such
information may be crucial during the investigative stage to establish the identity
of a perpetrator of a terrorist act involving use of the Internet, and may include
the physical location of such person, as well as other related communication
services employed in the commission of the act. The Convention also requires
signatory States to establish minimum standards to enable real-time collection of
traffic data60 associated with specified communications and the interception of
content data in relation to specified serious offences under domestic law.61
62. The Council of Europe Convention on Cybercrime may be applied in

conjunction with counter-terrorism instruments, such as the Council of Europe
Convention on the Prevention of Terrorism,62 to provide a legal basis for
cooperation against the use of the Internet for terrorist purposes. The Council of
Europe Convention on the Prevention of Terrorism requires parties to criminalize
certain acts under domestic law that may lead to the commission of terrorist
offences, such as public provocation, recruitment and training, all of which
may be committed through the Internet. The Convention also mandates national
and international cooperation measures aimed at preventing terrorism, including
investigative measures. For example, article 22 of the Convention provides for
the sharing with another party of unsolicited information relating to
investigations or proceedings, within the limits imposed by domestic law, in the
common interest of responding to criminal acts (spontaneous information).
63. The Council of Europe Convention on Cybercrime and the Council of Europe
Convention on the Prevention of Terrorism are open to ratification or
accession by all member States of the Council of Europe,63 non-member States
that participated in the elaboration of those Conventions and other non-member
States by invitation, with agreement from all of the States then parties to the
relevant Convention.64 It is worth noting that several countries that have not
formally acceded to the Council of Europe Convention on Cybercrime have
nonetheless used its provisions as guidelines in the drafting of their own national
cybercrime legislation. (See also section F below on model legislation.)
64. The Council of Europe has also elaborated the Additional Protocol to the
Convention on Cybercrime, concerning the Criminalization of Acts of a Racist
and Xenophobic Nature Committed through Computer Systems 65. This
Additional Protocol may also facilitate the prosecution of terrorist acts committed
via the Internet with the intention of inciting violence on the basis of race, color,
descent, national or ethnic origin, or religion. 66 The Additional Protocol is open
to all contracting States of the Council of Europe Convention on Cybercrime.67
2. European Union
65. In 2002, the Council of the European Union adopted framework decision
2002/475/JHA of 13 June 2002 on combating terrorism, which harmonizes the
definition of terrorist offences in all European Union member States68 by
introducing a specific and common definition of the concept of "terrorism",
setting forth jurisdictional rules to guarantee that terrorist offences may be
effectively prosecuted, and outlining specific measures with regard to victims
of
terrorist offences. In response to the growing terrorist threat, including the use of
new technologies such as the Internet, frame work decision 2002/475/JHA was
amended in 2008 69 to specifically include provisions on public provocation to
commit a terrorist offence, recruitment for terrorism and training for terrorism. In
that decision, the Council of the European Union also took note of Security
Council resolution 1624 (2005), in which the Council called upon States to take
measures to prohibit by law incitement to commit a terrorist act or acts and to
prevent such conduct.
66. Framework decision 2008/919/JHA provides a basis for prosecuting the

dissemination of terrorist propaganda and bomb-making expertise also
through the Internet, to the extent that such dissemination is committed
intentionally and meets the requirements of the named offences. The amendments
to framework decision 2002/475/JHA relating to the offences of public
provocation, recruitment and training were based on similar provisions of the
Council of Europe Convention on the Prevention of Terrorism.70 Framework
decision 2008/919/JHA introduced new offences regarding conduct that may lead
to acts of terrorism, irrespective of the means or technological tools through
which these offences are committed. As with the Council of Europe Convention
on the Prevention of Terrorism, while the provisions of framework decision
2008/919/JHA are not Internet-specific, they also cover activities conducted by
means of the Internet.
3. Additional legal instruments
67. Additional binding legal instruments adopted by regional or sub-regional

organizations which may contain provisions relevant to countering terrorist use
of the Internet include the following:
 South Asian Association for Regional Cooperation Regional Convention
on Suppression of Terrorism (1987)
 Arab Convention on the Suppression of Terrorism (1998)
 Treaty on Cooperation among States Members of the Commonwealth
of Independent States in Combating Terrorism (1999)
 Convention of the Organization of the Islamic Conference on
Combating International Terrorism (1999)
 Organization of African Unity Convention on the Prevention
and Combating of Terrorism (1999)
 Inter-American Convention against Terrorism (2002)
 Association of Southeast Asian Nations Convention on Counter
Terrorism (2007)
 Economic Community of West African States directive on fighting
cybercrime (2009).
F. Model legislation
68. While model legislation provides advisory guidelines, rather than legally
binding obligations, it plays an important role in harmonizing legal standards
among States. Unlike international conventions, which may be subject to
extensive negotiations to reflect the needs of a diverse range of potential
signatories, the provisions of model laws provide States with the benefit of strong
foundational legal provisions as a point of departure for the development of
domestic legislation. A key benefit of the use of model provisions as a basis for
national legislation is the facilitation of international cooperation, including
through the mitigation of conflicts arising out of misinterpretation of provisions
in different legal systems (for example, between common-law and civil-law
jurisdictions) and with respect to dual criminality requirements. 71 (See discussion
in section V.E.5 below.)
I. Commonwealth
69. The Commonwealth Model Law on Computer and Computer Related Crime
(2002) was drafted on the basis of the Council of Europe Convention on
Cybercrime.72 The Model Law is aimed at leveraging the similarities in the legal
traditions of Commonwealth member States 73 to promote the harmonization of
both substantive and procedural aspects of combating cybercrime and to promote
international cooperation. The Commonwealth Model Law is consistent with the
standards defined by the Council of Europe Convention on Cybercrime.
2. Commonwealth of Independent States
70. Member States of the Commonwealth of Independent States (CIS) have also
adopted model legislative acts and guidelines, aimed at harmonizing the national
legislative systems, taking into account international experiences in the fight
against terrorism. These model provisions reflect international legal standards,
adapted to the needs of CIS member States.74 For example, article 13 of
the
Model Law on the regulatory framework of the Internet75 provides model
provisions with respect to countering the use of the Internet for illegal purposes.
3. International Telecommunication Union
71. The International Telecommunication Union (TTU) is a specialized agency

of the United Nations that plays a leading role in cybercrime issues. ITU has
developed the Toolkit for Cybercrime Legislation (2010) to promote harmonized
national cybercrime legislation and procedural rules, including with respect to
acts of terrorism committed by using the Internet. The Toolkit was developed on
the basis of a comprehensive analysis of the Council of Europe Convention on
Cybercrime and the cybercrime legislation of developed countries. 76 While the
ITU Toolkit primarily addresses cybersecurity issues, it provides model
provisions for the criminalization of certain acts of terrorism involving use of the
Internet, such as unauthorized access to computer programs or data for purposes
of terrorism or the transmission of malware with the intent of furthering
terrorism.77
III. Policy and legislative frameworks
A. Introduction
72. In addition to using the Internet to plan and finance terrorist acts,
terrorists also use it to recruit and train new members; communicate, research or
reconnoiter potential targets; disseminate propaganda; and incite others to carry
out acts of terrorism.
73. In the present chapter, issues related to the development of criminal justice
policies and legislation aimed at countering these threats are considered, with the
aim of identifying, by reference to examples and national experiences offered by
some States represented at the expert group meetings, common challenges and
approaches that can either impede or strengthen the effective investigation and
prosecution of terrorism cases involving some aspect of Internet use.
B. Policy
74. In order to provide effective criminal justice responses to threats presented by

terrorists using the Internet, States require clear national policies and legislative
frame works. Broadly speaking, such policies and laws will focus on:
(a) Criminalization of unlawful acts carried out by terrorists over the Internet
or related services;
(b) Provision of investigative powers for law enforcement agencies engaged
in terrorism-related investigations;
(c) Regulation of Internet-related services (e.g. 1SPs) and content control;
(d) Facilitation of international cooperation;
(e) Development of specialized judicial or evidential procedures D
Maintenance of international human rights standards.
Policy approaches
75. In its 2011 publication, Countering the Use of the Internet for Terrorist
Purposes: Legal and Technical Aspects,78 the Working Group on Countering the
Use of Internet for Terrorist Purposes of the Counter-Terrorism
Implementation
Task Force identified three broad strategic approaches by which States might
counter terrorist activities over the Internet; involving the use of:
(a) General cybercrime legislation
(b) General (non-Internet-specific) counter-terrorism legislation;
(c) Internet-specific counter-terrorism legislation
76. It is noted that in approach (a), in addition to the use of general cybercrime
legislation, other inchoate criminal offences such as solicitation and criminal
association might also be used when dealing with terrorism cases involving some
aspect of Internet use, particularly when dealing with alleged acts aimed at
inciting acts of terrorism.
77. The Working Group's broad classification system is a useful conceptual

framework to guide the work of policymakers and legislators when considering
appropriate policy and legislative approaches for their particular States.
78. Another useful resource for policymakers and legislators, referred to in

Countering the Use of the Internet for Terrorist Purposes 79 is the Toolkit for
Cybercrime Legislation, developed under the auspices of ITU. In addition to
other model criminal provisions, the Toolkit contains several specific terrorist-
related offences, including section 3 (f), which deals with unauthorized access to,
or acquiring computer programs for, the purpose of developing, formulating,
planning, facilitating, assisting in the commission of, conspiring to commit or
committing acts of terrorism.
79. Within the broad framework provided by universal counter-terrorism

instruments and relevant international human rights standards, Governments have
considerable flexibility in their preferred approach; inevitably, these vary
between States. The present chapter merely highlights examples of approaches
adopted by some States that might be helpful to policymakers and legislators.
80. Currently, few States have developed counter-terrorism legislation

specifically targeting the use of the Internet itself by terrorists, but there are
some, including the United Kingdom, where, after the 2005 bombings in London
the Government enacted the Terrorism Act 2006, Part 1 of which includes
provisions specifically dealing with Internet-based activity that is likely to
encourage or assist in the commission of acts of terrorism. The Act supplements
the Computer Misuse Act 1990, which addresses computer-based crime and
cybercrime more generally.
81. In 2007, the United Arab Emirates passed federal cyber-laws that, in
addition to criminalizing hacking and other Internet-related activity, criminalized
the establishment of a website or the publication of information for terrorist
groups under false names with intent to facilitate contact with their leadership or
promote their ideologies, finance their activities or publish information on how to
make explosives or other substances for use in terrorist attacks.80
82. In 2008, the Government of Saudi Arabia implemented new technology-

related laws, including one that established as a criminal offence, punishable by
fines and up to 10 years of imprisonment, owning a website that advocates or
supports terrorism.81
83. Also, in 2008, the Government of Pakistan enacted the Prevention of

Electronic Crimes Ordinance, 2008, which made specific provision for offences
connected to cyber- terrorism. The law is no longer in force, however.82
84. Finally, the same year saw the Government of India amend the Information
Technology Act, 2000, to provide for the offence of "cyber terrorism" (section
66F) and other Internet-related issues.
85. Nevertheless, internationally, with some exceptions, in the absence of any

universal instrument imposing an express obligation to enact legislation
specifically targeting terrorist activity over the Internet, most Governments have
elected to deal with such threats by using a mixed approach, utilizing a
combination of general criminal laws, as well as cybercrime and counter-
terrorism legislation. In some States, for example, criminal laws focus on
substantive criminal acts without differentiating among the specific means by
which they are committed. Under this approach, the Internet is regarded as
merely a tool by which terrorists commit a substantive crime, often contained
within the provisions of the national penal code.
86. This is the approach in China, where the Criminal Law of the People's
Republic of China contains an article dealing with the criminalization of all
illegal activities involving the use of the Internet. Article 287 of the Criminal
Law makes it an offence to use a computer in the commission of an offence,
which will be prosecuted and sentenced in accordance with the relevant
criminalization and sentencing provisions in that law in this way, under Chinese
criminal law, the use
of Internet is regarded as a medium or tool through which a criminal act may be
committed, rather than an independent constituent element of the crime, and is
therefore criminalized within the substantive provisions of the criminal law.
87. In the terrorism context, in China there are provisions criminalizing different
forms of terrorist activities, including article 120 of the Criminal Law, which
criminalizes activities related to organizing, leading and participating in terrorist
organizations. This broad criminalization provision covers a wide range of
terrorism-related activities, including those carried out over the Internet.
88. In the Republic of Korea, two types of criminal law can be applied to terrorist
acts involving some use of the Internet. One is the general criminal code and the
other is a special criminal code, established in 1986, relating to criminal acts
involving information/communication. Article 90 of the Criminal Code deals
with the preparation of such acts, as well as conspiracy, incitement or propaganda
and provides that any person who prepares or plots for the purpose of committing
crimes under article 87 of the Criminal Code (public riots, revolts or
disturbances) or article 88 (homicides committed for the purpose of acts under
article 87) is liable to imprisonment of three years or more. Under article 101 of
the Criminal Code, any person who prepares or conspires to commit offences
under articles 92 to 99 of the Criminal Code is guilty of a crime and liable to two
years or more imprisonment. Article 114 of the Criminal Code relates to
organizing a criminal group. Also, under the special criminal code, the
Government established a range of criminal offences specifically criminalizing
unlawful acts targeting information-communication networks and personal
information.
89. In practice, regardless of the policy approach taken, experience shows that
most States adopt a multifaceted approach when dealing with the investigation
and prosecution of terrorist acts, including those involving some use of the
Internet. Law enforcement and prosecution agencies use whatever legislative
provisions best suit the particular circumstances of the case.
90. The powers required by law enforcement agencies to effectively investigate

terror ism cases are broadly similar regardless of the particular jurisdiction
involved, with differences in national policies and legislation reflecting the
diversity in legal systems, constitutional arrangements and other factors (e.g.
cultures).
91. The area of Internet regulation and content control leaves considerable room
for variations in national approaches. While the Universal Declaration of Human
Rights and the International Covenant on Civil and Political Rights provide
international standards pertaining to the regulation of the expression and
communication of ideas, there is no comprehensive internationally binding
instrument setting definitive, binding norms on what is considered appropriate
Internet content or how each State should regulate Internet-related activity within
its own territory. Currently, child pornography is the one area where, even in the
absence of a universally binding instrument or definition, States invariably
prohibit such activities." In the terrorism context, however, the absence of a
universally agreed definition of terrorism presents an ongoing obstacle to any
internationally agreed approach to the appropriate regulation of terrorism-related
activity and content over the Internet.
92. In terms of specialized judicial or evidential procedures in the terrorism field,

some States have adopted specific judicial and case management procedures for
terror ism cases that might apply to cases involving the use of the Internet by
terrorists. When this approach is adopted, it is important that any specialized
mechanisms conform fully with relevant international human rights obligations,
including those related to the right to liberty and a fair trial.
C. Legislation
I. Criminalization
93. As stated above, none of the universal instruments against terrorism impose
an obligation on States to enact legislation specifically targeting the use of the
Internet by terrorists. Accordingly, while it is therefore highly likely that most
terrorism cases will involve some use of the Internet by perpetrators, it is likely
that in many States, in addition to using offence provisions related to unlawful
conduct specified in universal instruments, authorities will also be reliant on
other criminal offence provisions under their penal codes, including inchoate
offences such as conspiracy, solicitation and criminal association, in order to
prosecute offenders.
94. In the present section, examples of different legislative provisions from some
States are considered, with a view to identifying approaches that might provide
the basis for effective criminal justice responses to different types of conduct.
(a) Internet-based acts or statements supporting terrorism
95. In addition to acts associated with the commission of substantive terrorist acts
(e.g. terrorist bombings), there is clear evidence that the Internet increasingly
being used by terrorists to carry out support actions such as recruiting and
training members, sharing useful information, disseminating propaganda and
inciting the commission of acts of terrorism. Owing to the configuration and
global reach of the Internet, it is increasingly likely that these types of activities
may involve different actors being physically present in different legal
jurisdictions.
96. In the United Kingdom, part VI of the Terrorism Act 2000 contains several
offences that can provide the basis for charging individuals who have used the
Internet to support terrorist activities.
97. Section 54 of the Act makes it an offence to provide, receive or invite

others to receive instruction or training in the making or use of firearms,
radioactive material or related weapons, explosives or chemical, biological or
nuclear weapons.
98. Section 57 makes it an offence to possess articles in circumstances that give

rise to a reasonable suspicion that a person has such articles in connection
with the preparation, instigation or commission of an act of terrorism. In recent
years, this offence has been used to successfully prosecute several individuals
who have been found in possession of items as diverse as hard drives, DVIDs
and instructional documents on how to make or operate items such as mortars,
suicide vests and napalm." For there to have been a commission of this offence,
the prosecution must prove a connection between the article in question and a
specific act of terrorism. There have been several
successful prosecutions for offences under section 57; however, the Courts have
adopted a more restrictive approach in interpreting the scope of application of the
section, as demonstrated by the case of R. u Zafar, Butt, IGBAL, Raja and Malik
[2008] EWCA Crime 184.
R.V ZAFAR, R.V BUTT, R.V IQBAL, R.V RAJA AND R.V MALIK
This 2007 case from the United Kingdom involved successful appeals by the defendants ZAFAR,
BUTT, IQBAL, RAJA and MALIK against convictions imposed for possession of articles for a
purpose connected with the commission, preparation or instigation of an act of terrorism, contrary
to section 57 of the Terrorism Act 2000.
Four of the five defendants in the case were students at Bradford University. The fifth, Ra a, was a
schoolboy in oxford and established contact with global through the Internet messaging service
MSN.
Raja visited Bradford for a few days, staying at the house in which global and Zafar lived, and
brought with him three CDs he had made that contained selected mater al from the computer and
were labelled as philosophy discs". Raja was arrested by police upon his return home after the visit.
Subsequent police enquiries led them to arrest and search the places of residence of the other
accused, which revealed that they too were in possession of radical jihadist material and other
material such as a United States military manual downloaded from the Internet. Evidence of
communications via online messenger were found, including a discussion between all four of the
Bradford appellants and a cousin of Malik-Imran-who lived in Pakistan.
The defendants originally faced charges under section 58 of the 2000 Act; however, at the
committal stage, the prosecution added counts under section 57 reflecting the same particulars as
those under sect a 58. Following various pre-trial rulings on the issue of whether electronically
stored information could be considered an article for the purposes of section 57, the prosecution
elected to proceed to trial on the basis of the section 57 charges only.
At trial, ZAFAR and IQBAL were acquitted on one count, which charged them with possession of
three "philosophy discs" containing material emanating from Raja; however, they, together with
the other defendants, were found guilty in respect of all other charges. Malik was sentenced to
three years of imprisonment, ZAFAR and IQBAL to three years of detent an in a young offenders'
institution, Butt to 27 months of detention and Raja to two years of detention.
The defendants appealed these convictions. At the appeal, the Court considered the critical issue to
be whether, based on the facts of the case, there existed between the articles and the acts of
terrorism a connection that satisfied the requirements of section 57.
The articles that the Crown alleged that the appellants possessed in breach of section 57 were, for
the most part, CDs and hard drives containing electronically stored material. This mater al included
ideological propaganda and communications between the defendants, which the prosecution
alleged showed a settled plan involving the defendants travelling to Pakistan to receive training
and participate in fighting in Afghanistan, which the Crown alleged amounted to acts of terrorism.
The Court of Appeal held that it was necessary for the prosecution to prove first the purpose for
which each appellant held the stored material and then to prove that this purpose was connected
with the
commission, preparation or instigation of the prospective acts of terrorism relied on by the
prosecution, namely fighting against the Government in Afghanistan.
On the facts of the case, noting that it raised difficult questions of interpretation about the scope
of application of section 57, the Court held that the necessary connection was not present, and
therefore the resulting convictions were unsound, and allowed the appeals.
99. Section 58 of the Act has proven particularly useful in several cases in which
authorities have needed to intervene when there was no evidence that the
individual was engaged in activity associated with terrorism. The section makes
it an offence to collect, make or have in one's possession, without a reasonable
excuse, any record of information of a kind likely to be useful to a person
committing or preparing an act of terrorism or to have possession of any
document or record containing such information.
100. In R u. K [2008] 3 All E.R. 526, the Court held that a document falls within
the scope of section 58 only if it is of a kind that is likely to provide practical
assistance to a person committing or preparing to commit an act of terrorism.
This approach was reaffirmed in R u. G and 3 [2009] UKHL 13, in which the
Court reaffirmed this "practical use test", under which possession of a document
or record is a crime only if it is of practical use and was possessed by a person
without a reasonable excuse.85 There is no restriction on what might constitute a
reasonable excuse for this purpose, provided that it is capable in law of
amounting to a defense.
101. Under section 58, the prosecution is not required to prove that the accused is
a terrorist or that any items are possessed for a terrorist purpose; however, the
prosecution may only in very limited circumstances call extrinsic evidence to
prove the practical utility of any item. For example, evidence of cipher may be
called in order to decipher a document written in code, but no evidence may be
called to explain the significance of locations circled on a map. The information
must "speak for itself" and not be of a type in general circulation.
102. In R v. Sultan Mohammed [2010] EWCA Crime 227, the court held that
"provided that the document containing the information is not one in every
day use by ordinary members of the public (e.g. published timetables and maps)
and provided that a reasonable jury could properly conclude that the document
contains information of a kind likely to be useful to a person committing or
preparing an act of terrorism, then it will be a matter for the jury whether they are
sure that it contains such information. If so, and provided the defendant has the
necessary men`s rea, then the only issue will be whether the defendant has a
reasonable excuse."86 The jury must accordingly decide whether the explanation
given for possessing the document is in fact reasonable given the particular facts
and circumstances of the case.87
103. The Terrorism Act 2006 established (in its section 5) the offence of
"committing acts in preparation for terrorism". This section was designed to deal
with cases in which individuals actively planning acts of terrorism were stopped
before they completed or attempted a substantive terrorist act.88
104. Section 5 has been particularly useful in "lone wolf" cases, in which an
offender is acting alone, there is insufficient evidence to establish the basis of a
conspiracy charge because it cannot be proven that more than one person was
involved, or authorities do not know in detail the offence that was being planned.
The offence does not require proof of an identifiable final act or acts of terrorism,
but the prosecution must prove a specific intent to commit a terrorist act or to
assist another to do so. Several individuals have been convicted of the offence in
the United Kingdom and sentenced to varying terms of imprisonment, including
life imprisonment.89
105. The case of R u. Terence Roy Brown [2011] EWCA Crime 2751, is an
example of the utility of provisions such as section 58.
R v. Terence Roy Brown
Terence Roy Brown, a citizen of the United Kingdom, ran an online business, in which he
advertised and sold an annual edition of a CD-ROM that he called the "Anarchist's Cook book"
(the title is nearly identical to that of a well-known book called The Anarchist Cock book).
Rather than a sing publication, however, these discs contained 10,322 files, some of which
were complete publications in their own right. These included terrorist manuals such as the A-
Qaida Manual and instructions for the manufacture of different forms of explosives and the
construction of bombs. Other files consisted of instructions for making poisons, how to avoid
attracting the attention of authorities when travelling and weapons handling techniques. In an
apparent effort to circumvent the law, Mr. Brown posted disclaimers on the website advertising
the publication, stating that the instructions they contained might be illegal or dangerous to
perform and were intended for "reading pleasure and historical value only". It was clear an
investigate on that Mr. Brown was motivated purely by commercial incentives. It was also
apparent that he deliberately had expanded his collection in the immediate aftermath of the July
2005 London bombs and had significantly increased his profit as a result.
In March 2011, Mr. Brown was convicted of seven counts under the Terrorism Act 2000
(section 58) relating to the collection of information that could have been used to prepare or
commit acts of terrorism, two counts under the Terrorism Act 2006 (section 2) relating to the
dissemination of terrorist publications and an offence under the Proceeds of Crime Act 2002
relating to the transfer of criminal property (his use of the profits from his business).
The excuse raised by Mr. Brown at trial was that his activities amounted to no more than the
lawful exercise of his right to freedom of expression in relation to material that was freely
available on the Internet and that was similar in type, if not volume, to that sold by other online
booksellers. The same points were raised during an unsuccessful application to appeal
conviction, during which the court ruled that the restriction of Brown's article 10 rights in
relation to mater al that was likely to assist terrorists was justified and proportion ate. The court
also affirmed the discretion of the prosecuting authorities not to charge every individual who
might have committed an offence, but to cons der instead each case on its own merits.
"Businessman who published bomb-makers' hard book "facing lengthy spell in jail". Daly Mail,
9 March 2011. Available from www.dailymailcouk/hews/artice-1364621/Businessman-
published-bomb-makers-handbook-facing-lengthy-spell-jal-htmieixzz1j4gXbMLu
106. The case is one of several, including R v. K [2008] QB 827 and R v. G [2010]
1 AC 43, in which the courts in the United Kingdom have clarified the
jurisprudence surrounding the scope and application of section 58 of the Act, in
the light of relevant human rights safeguards.
107. In addition to criminal offences under anti-terrorism legislation, authorities

in the United Kingdom have, when circumstances require, used the offence of
solicitation to successfully prosecute persons carrying out activities linked to
terrorism. An example of this approach is the case of R v. Bilal Zaheer
Ahmad,90 in which the defendant was convicted of solicitation of murder.
R v. BILAL ZAHEER AHMED
This United Kingdom case is linked to, and followed, the 2010 case involving ROSHANARA
CHOUDHRY, who was sentenced to life imprisonment on 2 November 2010 for the attempted
murder of STEPHEN TIMMES, a Member of Parliament.
In a statement, Chaudhry said she had decided to commit the offence approximately four weeks
prior to the assault in May 2010 and had purchased two knives in preparation, one as a spare in
case the broke while she stabbed the victim. She told police that she had been watching ANWER
AL-AWLAKI videos and ABDULLAH AZZAM videos and had visited the website
www.revalutionmuslim.com during her period of radicalization. This well-known site, which
was hosted in the United States, contained material promoting violent jihad, including videos and
speeches encouraging terrorism and web links to terrorist publications.
On 1 November 2010, the defendant posted a link on his Facebook page to a news article about
the TIMMS/Chaudhry case, ta which he added the following comment:
This sister has put us men to shame. WE SHOULD BE DOING THIS On 4 November 2010, the
defendant posted an article entitled "MPs that voted for War on Iraq’ on the Revolution Muslim
website under the name of "BILAL". The article was headed with the symbol of the Islamic State
of Iraq (an Al-Qa da affiliate). The opening text was a quotation from the Karan stating that
those who died without participating in jihad were hypocrites.
The article advised readers that they could "track" British Members of Parliament through a
link it provided to an official parliamentary website. This would enable them to find out details
regarding the location of surgeries to be performed on Members of Parliament, where they could
be "encountered in person".
This was followed by 29 religions quotations, all translated into English and all relating to the
obligation for Muslims to participate in jihad or to "martyrdom". Immediately under the quotations
was a link to a web page advertising a knife for sale. A copy of this article was captured evidentially
by British counter-terrorism officers. A further copy of the web page was obtained from Google
Inc. in response to a letter of request.
On 10 November 2010, the defendant was arrested by the Counter Terrorism Unit of the West
Midlands Police near his home in WOLVERHAMPTON. He was found in possession of a laptop;
which he told the arresting officers he had used to post the article on members of parliament and the
Revolution Muslim website. Forensic examination of the laptop revealed that he appeared to have
attempted to delete traces of his online activities prior to his arrest.
On 16 November, the defendant was charged with soliciting murder in relation to the article and
with three offences of possession of material likely to be of use to a terrorist under section 58 of the
Terrorism Act 2000. He later pleaded guilty to these charges, as well as to an offence of inciting
religious hatred, arising from comments posted on an Internet forum, and was sentenced to 12 years
of imprisonment, with an additional five years extended period on license.
108. In the United States, Title 18 of the United States Code, section 842 (p),
entitled "Distribution of information relating to explosives, destructive devices,
and weapons of mass destruction" makes it illegal for a person to distribute by
any means information regarding the manufacture or use of explosives,
destructive devices or weapons of mass destruction with the intent that the
information be used in furtherance of a crime of violence or with the knowledge
that the person to whom the information is distributed intends to use the
information in furtherance of a crime of violence. This statute has been used in
the United States to prosecute individuals who have distributed such information
over the Internet.
(b) Incitement
109. The crime of inciting terrorist acts is the subject of Security Council
resolution 1624 (2005). In that resolution, the Council called upon all States to,
inter alia, adopt such measures as may be necessary and appropriate and in
accordance with their obligations under international law to prohibit by law
incitement to commit a terrorist act or acts, and to prevent such conduct.
110. The development and enforcement of laws criminalizing the incitement of

acts of terrorism while fully protecting human rights such as the rights to freedom
of expression and association presents an ongoing challenge for
policymakers,
legislators, law enforcement agencies and prosecutors. Cases involving
statements by persons made over the Internet, especially when the alleged
offender, the Internet services they use and their intended audience are located in
different jurisdictions, are regulated by different national laws and constitutional
safeguards and therefore present additional challenges for investigators and
prosecutors from an international cooperation perspective.
111. International experience relating to the enforcement of criminal offences

dealing with incitement to commit terrorist acts highlights two issues: first, how
important (and sometimes difficult) it is in practice to differentiate between
terrorist propaganda (statements advocating particular ideological, religious or
political views) from material or statements that amount to incitement to commit
violent terrorist acts; and second, how the enforcement of laws dealing with
alleged acts of incitement requires a careful case by-case assessment of the
circumstances and context to determine whether the institution of a prosecution
for an incitement offence is appropriate in a particular case.
112. Those experts at the expert group meeting who had been involved in cases
related to the investigation and prosecution of crimes of inciting terrorist acts
agreed and highlighted the importance, in practice, of fully assessing the
context in which alleged statements of incitement were made, including not
only the words but also the forum in which they were made, and that the
characteristics of likely recipients might be highly relevant factors in determining
whether criminal proceedings for the crime of incitement were instituted or
likely to be successful in a particular case.
113. In the United Kingdom, section 59 of the Terrorism Act 2000 makes it an
offence to incite another person to commit an act of terrorism wholly or partly
outside the United Kingdom, when the act would, if committed in England and
Wales, constitute an offence specified in the section (e.g. murder, wounding with
intent, explosions or endangering life by damaging property).
114. In the well-known case of R v. TSOULI and others,91 YOUNES TSOULI,

WASEEM Mughal and Tariq Al-DAOUR pleaded guilty to charges under the
Terrorism Act 2000 of inciting murder for terrorist purposes by establishing and
maintaining large numbers of websites and chat forums used to publish materials
inciting acts of terrorist murder, primarily in Iraq.
R v. TSOULI AND OTHERS
This well-known case from the United Kingdom involved three defendants-YOUNES TSOULI,
WASEEM Mughal and Tariq Al-DAOUR-who were initially indicted on 15 counts. Prior to trial,
TSOULI and Mughal pleaded guilty to a charge of conspiracy to defraud. During the trial, having
heard the prosecution evidence, all three pleaded guilty to a charge of inciting terrorism overseas,
and Al- DAOUR pleaded guilty to a charge of conspiracy to defraud.
Between June 2005 and their arrest in October 2005, the defendants were involved in the purchase,
construct and maintenance of a large number of websites and Internet chat forums on which material
was published that incited acts of terrorist murder, primarily in Iraq. The cost of purchasing and
maintaining the websites was met from the proceeds of credit card fraud. The material on the
websites included statements that it was the duty of Muslims to wage armed jihad against Jews,
crusaders, apostates and their supporters in al Muslim countries and that it was the duty of every
Muslim to fight and kill them wherever they were, civilian or military.
In the Internet chat forums, individual’s disposed to join the insurgency were provided with routes by
which to travel into Iraq and manuals on weapons and explosives recipes. Extreme
ideological material demonstrating adherence to the espoused justification for the acts of murder that
the websites and chat forums incited was recovered from the home of each defendant.
A- DAOUR organized the obtaining of stolen credit cards, both for his own purposes and for
providing Mughal with funds for the setting up and running of the websites. Al- DAOUR had also
been involved in further credit card fraud; the proceeds of which were not applied to the support of
the websites. The loss to the credit card companies from this aspect of the defendants' fraudulent
activity was £1.8 million.
Among the evidence was a list made by TSOULI n his handwriting and found in his desk on which
he had written the details of a number of websites and of stolen credit cards. This revealed 32
separate websites provided by a number of different web-hosting companies that TSOULI had set
up or attempted to set up, mostly in the last week of June 2005 but continuing into July and into
August. The creation and administration of these websites were funded by the fraudulent use of
credit card details that had been stolen from account holders, either by direct theft of computer
records, by hacking or by some fraudulent diversion within the financial institutions. These credit
card details had been passed on to TSOULI by the other two defendants.
The websites created by TSOULI were used as a vehicle for uploading jihadist materials, which
incited acts of violence outside the United Kingdom in Iraq. Access to the sites was restricted to
those who had been issued with usernames and passwords. This was done, the trial judge found, to
make it more difficult for the web-hosting companies and the law enforcement agencies to know
what was being pasted on the sites.
On 5 July 2007, TSOULI was sentenced to 10 years of imprisonment and 3 ½ years (concurrently)
on two counts. Mughal to 7 ½ years of imprisonment and 3 ½ years (concurrently) on two counts and a
- DAOUR, to 6 ½ years of imprisonment and 3% years (concurrently).
115. Part 1 of the Terrorism Act 2006 established a number of new offences
aimed at enhancing the ability of authorities to take action in cases involving
statements by persons inciting or glorifying acts of terrorism or otherwise
intended to support the commission of such acts.
116. Part 1 of the Act makes it an offence for a person to publish a statement
intended to directly or indirectly encourage members of the public to prepare,
instigate or commit acts of terrorism, including (but not limited to)
encouragement that "glorifies" terrorist acts, or for a person to be reckless as
whether such conduct has such an effect. In practice, how a statement is likely to
be understood is determined by reference to the content as a whole and the
context in which it is made available.
117. Section 2 of the Act makes it an offence to (intentionally or recklessly)

disseminate terrorist publications. These are defined as publications that are
likely to encourage acts of terrorism or are likely to be useful to someone
planning or committing such an act. This second category covers the same types
of documents or publications to which section 58 of the Terrorism Act 2000
applies. As with section 1 of the Terrorism Act 2006, the question of whether the
material in question comes within the definition of a "terrorist publication" must
be determined by reference to its content as a whole and the context in which it is
made available.92
118. In the United Kingdom, when making decisions as to whether to initiate

prosecutions for incitement, prosecutors exercise wide discretion, taking into
account the right to freedom of speech and the overall context in which the
statements or publications are made or distributed, including how they are
likely to be understood, both by the general public and the intended recipients.
119. In the United States, a different legal approach has been taken to the
criminalization and prosecution of acts of incitement of terrorism owing to
constitutional safe guards attaching to the right to freedom of speech under the
First Amendment to the Constitution. Under the principles set out in the
landmark case of Brandenburg u Ohio, 395 US. 444 (1969), in order to
successfully prosecute an individual for incitement of criminal acts (including
terrorism), the prosecution is required to prove both an intent to incite or
produce unlawful action and the likelihood that the speech will actually incite
imminent unlawful action.93
120. In prosecuting statements inciting acts of terrorism, authorities in the United
States are reliant upon inchoate offences such as solicitation and conspiracy,
together with the "material support" provisions of the United States Criminal
Code, which in certain circumstances permit the prosecution of conduct that
supports violent acts of terrorism.94
121. The material support provisions of the United States Criminal Code, Title
18, section 2339A and 2339B, prohibit persons from knowingly or intentionally
providing, attempting to provide or conspiring to provide material support or
resources to a terrorist organization. The Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
(PATRIOT) Act of 2001 broadened the definition of material support to include
"any property, tangible or intangible, or service, including ... training, expert
advice or assistance or communications equipment" 95
122. The criminal offences of solicitation or conspiracy, found in United States

Criminal Code, title 18, section 373 (a) provides that any person can be charged
with solicitation who "solicits, commands, induces or otherwise endeavors to
persuade another person to engage in a felonious conduct with intent that another
person engage in the conduct".
123. In the United States, there have been several cases in which this approach
has been used to successfully prosecute the words or actions of terrorists
communicated via the Internet. These include United States of America v.
Emerson Winfield Begolly
United States of America v. Emerson Winfield Begolly
A 22-year-old student (a United States national), Emerson Winfield Begolly was indicted for his
involvement in the distribution aver the Internet of information relating to bomb-making and
solicitation to commit violence on American sail. Additional charges against him included
assaulting and threatening Federal Bureau of Investigation (FBI) agents with a loaded firearm.
Formally known under the alias of "ASADULLAH AL-SHISHANI", Begolly took an active part
in an internationally known jihadist forum called the ANSAR AL-MUJAHIDEEN English Forum
and eventually became an active moderator. The forum provided an opportunity for Begolly to
express his affinity for radical views while concurrent y encouraging other members of his faith to
engage in terrorist acts within the United States. His propaganda also included dissemination of
videos with instructions for making explosive devices to perform acts of terrorism. The intended
targets included synagogues, military facilities, train lines, police stations, bridges, cell phone
towers and water plants.
Over a period of nine months, Begolly posted several lengthy messages in which he extensively
discussed the need for violence. An indictment issued a 14 July 2011, by the U.S. District Court of
the Eastern District of Virginia, included as a key evidence part of the propaganda that Begolly had
posted on an Internet forum
Peaceful protests do not work. The KUFFAR see war as solution to their problems, so we must
see war as the solution to ours. No peace. But bullets, bombs and martyrdom operations.
He also posted links to an online document entitled "The explosives course", made available for
download. The 101-page document authored by The Martyred Sheik Professor ABU KHABBAB
AL MISRI" (as referred to by Begolly) contains detailed instructions a setting up a laboratory with
basic chemistry components for the manufacture of explosives. A note was added that those
downloading the content should be careful to use anonymity software for their own protection.
During this time, Begolly had been under the constant surveillance of federal authorities. An FBI
agent downloaded the document from one of the uploaded links, which eventually led to Begolly
being arrested. On 14 April 2011, he was charged with unlawful and purposeful distribution of
information over the Internet related to the manufacture and distribution of explosive materials, use
of weapons of mass destruction and solicitation to commit bombings of places for public use,
government buildings and public transportation systems. On 9 August 2011, Begolly pleaded guilty
to solicitation to commit terrorist acts. He is currently awaiting sentencing.
A term extensively used by Begolly curing his online forum discussions in reference to the "non-
believers or infidels.
(c) Review of legal approach to incitement
124. In Europe, article 3 of the Council of the European Union framework

decision 2008/919/JHA of 28 November 2008 amending framework decision
2002/475/JHA on combating terrorism, and article 5 of the Council of Europe
Convention on the Prevention of Terrorism oblige the respective member
States of each instrument to criminalize acts or statements constituting incitement
to commit acts of terrorism. The Council of Europe Convention on the
Prevention of Terrorism imposes an obligation on member States to criminalize
"public provocation to commit a terrorist offence", as well as both recruitment
and training for terrorism.
125. The implementation of the Convention, which is partly based on article 3 of

the Additional Protocol to the Council of Europe Convention on Cybercrime,
concerning the Criminalization of Acts of a Racist and Xenophobic Nature
Committed through Computer Systems, obliges States to strike a sensible balance
between the requirements of law enforcement and the protection of human rights
and liberties. It has therefore given rise to fundamental concerns and debates.
Nevertheless, article 5 (like articles 6 and 7 on recruitment and training for
terrorist purposes) must be applied in conjunction with the basic provision of
article 12, which provides that implementation of that criminalization must be
carried out in a manner that respects human rights, in particular the rights to
freedom of expression, freedom of association and freedom of religion, as set out
in human rights instruments, including article 10, paragraph 1, of the European
Convention for the Protection of Human Rights and Fundamental Freedoms.
126. The European Court of Human Rights, in assessing the protections afforded
by article 10, paragraph 1, of the European Convention for the Protection of
Human Rights and Fundamental Freedoms, has already dealt with article 5 of the
Council of Europe Convention on the Prevention of Terrorism. In the well-
known case of Leroy u France, a French Court did not find a violation of article
10 in the case of a journalist who had been convicted and fined for having
published a certain cartoon in a Basque weekly newspaper. On 11 September
2001, the cartoonist submitted to the magazine's editorial team a drawing
representing the attack on the twin towers of the World Trade Centre, with a
caption which parodied the advertising slogan of a famous brand: "We have all
dreamt of it. Hamas did it" (cf. "Sony did it"). The drawing was then published in
the magazine on 13 September 2001.
127. In its reasoning, the European Court of Human Rights, inter alia, referred to
article 5 of the Council of Europe Convention on the Prevention of Terrorism, the
first time that the Court took that Convention into consideration in a judgment. It
held that the drawing went further than merely criticizing the United States but
rather supported and glorified its violent destruction. The Court noted the caption
that accompanied the drawing, indicating the applicants' moral support for the
suspected perpetrators of the attacks of 11 September 2001. Other factors taken
into account by the Court were the applicant's choice of language, the date of
publication of the drawings (which the Court considered increased the
cartoonist's responsibility) and the politically sensitive region in which it was
distributed (the Basque region). According to the Court, the cartoon had
provoked a certain public reaction, capable of stirring up violence and
demonstrating a plausible impact on public order in the region. The principles
developed in this landmark case will apply equally to cases in which the alleged
incitement to terrorism has occurred via the Internet.
128. There have been successful prosecutions for acts of incitement in

Europe. For example, in Germany in 2008, Ibrahim Rashid, an Iraqi Kurdish
immigrant was convicted of incitement after being charged with waging a
"virtual jihad" on the Internet. Prosecutors claimed that, by posting Al-Qaida
propaganda on internet chat rooms, Rashid was trying to recruit individuals to
join Al-Qaida and participate in jihad.
129. The UNODC Digest of Terrorist Cases97 contains a useful summary of

approaches taken to the criminalization of acts of incitement in Algeria, Egypt,
Japan and Spain. In Algeria, article 87 bis 1 of the Penal Code makes acts of
violent terrorism punish able by death, life imprisonment or other lengthy
sentences, Article 87 bis 4 provides that whoever justifies, encourages or finances
the listed terrorist acts is subject to imprisonment for from 5 to 10 years, as well
as a fine.98
130. In Egypt, in article 86 bis of the Penal Code establishes as offences acts
amounting to executive and support responsibility, the planning and
preparation of terrorist acts, membership in or support of an illegal organization,
providing financing and material support of terrorist organizations, and
incitement offences. Moreover, the article provides aggravated penalties for, inter
alia, intentionally promoting (by any means) the purposes of terrorist
organizations or for obtaining
or producing (directly or indirectly) articles, publications or recordings of
any kind intended to promote or encourage such purposes.99
131. In Japan any person who induces a crime, directly or through an

intermediary, is subject to sentencing as though the inducer had been one of the
material executors of the offence (article 61 of the Penal Code). 100 Other statutory
provisions in Japan, such as articles 38 to 40 of the Subversive Activities
Prevention Act, criminalize incitement of insurrection or arson, with the intent to
promote, support or oppose any political doctrine or policy.
132. In Spain, articles 18 and 579 of the Spanish Penal Code make public
incitement to commit a crime of terrorism a preparatory act of the crime of
provocation. Article 578 punishes the crime of praising terrorism, an offence that
was incorporated in the Penal Code by Organic Law 7/2000 of 22
December 2000. As informally translated, this article provides that "The praising
or the justification by any means of public expression or dissemination of the
offences included in articles 571 to 577 of this Code (Crimes of Terrorism) or of
anyone who has participated in their execution, or commission of acts that
involve discredit, contempt or humiliation of the victims of a terrorist offence or
of their family will be punished with imprisonment from one to two years" The
Organic Law also provided a penalty of a period of civil disability upon
conviction. 101
133. In Indonesia there is no regulation specifically addressing activities

undertaken by terrorists via the Internet, including incitement to commit acts of
terrorism. Article 14 of Law No. 15/2003 on the elimination of acts of
terrorism deals with incitement to conduct terrorist acts without reference
to the particular mode of communication used by the perpetrator, as does the
Indonesian Penal Code, which addresses incitement to commit other criminal
acts. Indonesian authorities have successfully prosecuted persons for
terrorism-related activity over the Internet. In 2007, 24-year-old AGUNG
PRABOWO, also known as MAX FIDERMAN, was sentenced to three years of
imprisonment (pursuant to section 13)
(c) of Government Regulation in Lieu of Law No. 1/2002 and Law No. 15/2003
on the elimination of acts of terrorism) for registering and hosting a website,
www.anshar.net, at the request of NOOR-DIN M. Top, leader of the Jemaah
Islamiyah terrorist group, through an intermediary, Abdul Aziz. Aziz is
reported to have designed www.anshar.net in mid-2005 at Top's request, with the
aim of spreading jihadist propaganda. While it contained general information
about Islam and jihad, it also contained specific "tips and advice" on how and
where to carry
out terrorist attacks, suggesting roads leading into shopping centers and offices,
traffic jams and specific named locations where members of the public could be
found, 102 In another case, MUHAMMED JIBRIL ABDUL RAHMAN, also
known as MUHAMMED RICKY ARDAN (the "Prince of Jihad"), was
sentenced to five years of imprisonment for having been an accomplice in an act
of terrorism.
134. In Singapore, in the Internet context, section 4 2 (g) of Singapore's Internet

Code of Practice prohibits material that "glorifies, incites or endorses ethnic,
racial or religious hatred, strife or intolerance".
2. Rule-of-law considerations related to criminalization of incitement
135. When calling upon States to criminalize the incitement of terrorist acts,
Security Council resolution 1624 (2005) expressly provides that States must
ensure that any measures adopted to implement their obligations comply with all
their obligations under international law, in particular human rights law, refugee
law and humanitarian law.
136. This principle, which is also reflected in the universal counter-terrorism

instruments, has been reaffirmed many times at the international level (including
within the framework of the United Nations), is a fundamental element of the
UNODC "rule of law" approach to strengthening criminal justice responses to
terrorism under the universal legal regime against terrorism and is supported by
many regional counter-terrorism and human rights instruments, most notably
those elaborated by the Council of Europe, which have been referred to earlier
(see section II.D above).103
137. It is not possible within the confines of the present publication to fully
analyze, in the context of respect for guaranteed human rights to freedom of
expression, all the commentaries and judicial authority available on the proper
scope and application of offence provisions enacted by countries to
criminalize the incitement of terrorist acts.
138. Nevertheless, while the available jurisprudence on the precise scope of

international human rights instruments such as article 10, paragraph 1, of the
European Convention for the Protection of Human Rights and Fundamental
Freedoms and article 19 of the International Covenant on Civil and
Political Rights leaves room for ongoing debate, what is clear is that, in
practice, striking
the right balance between preserving the right to freedom of expression and
enforcing criminal legislation targeting the incitement of terrorist acts continues
to be a challenge for Governments.
3. Law enforcement powers
139. The investigation of terrorism cases involving the use of the Internet or
other related services by suspected terrorists will often necessitate some type of
intrusive or coercive search, surveillance or monitoring activity by intelligence or
law enforcement agencies. It is therefore important, for the success of any
prosecution, that these investigative techniques be properly authorized under
national laws and, as always, that supporting legislation uphold fundamental
human rights protected under international human rights law.
(a) Search, surveillance and interception powers
140. In Israel investigative powers for the collection of digital evidence on the
Inter- net, in both general criminal and terrorism-related cases, are dealt
with under the Computers Act of 1995, which defines a few specific powers for
gathering digital evidence. The Computers Act amended the Wiretap Act,
deeming the acquisition of communications between computers to be a "wiretap",
and therefore, making it possible for investigative authorities to obtain judicial
permission, or administrative permission in urgent and exceptional cases, to
acquire data transferred on communication between computers.
141. In 2007, the Communication Data Act was enacted. The purpose of that
statute was to arrange, in a more structured and progressive manner, the accepted
practice regarding obtaining non-content data from landline and cellular phone
companies, as well as from Internet-access providers. The Act does not apply to
Internet-service providers that provide other services, such as information
storage, information-sharing, c-mail, social services and so forth. Currently, in
cases in which authorities wish to obtain information from Internet-service
providers, an old section of the law applies that enables them, in general, to issue
a subpoena and obtain information from anyone who has information that might
advance the investigation.
142. In 2010, the Government of Israel promoted a bill aimed at codifying
investigative powers relating to both physical and digital data. The bill is
designed to arrange, in an advanced manner, the gathering of digital evidence.
It contains an orderly arrangement of powers that are not currently set forth in
Israeli legislation, such as secret searches of computers (in the case of especially
serious crimes), obtaining information that is to be stored (in the future) on a
certain computer, the manner in which stored e-mails in the possession of the
service provider are to be obtained, a search of computer material by
administrative authorization under certain circumstances. If passed, these
measures would apply to terrorism cases involving use of the Internet.
143. In 2006, the Government of France passed new counter-terrorism legislation

facilitating, for the purpose of terrorism-related investigations, the surveillance of
communications and police access to communication data from telephone
operators, Internet-service providers and Internet cafes.
144. The Law of Combating Terrorism and on Various Provisions Concerning

Security and Borders Controls (2006-64 of 23 January 2006) provided that
Internet-service providers, Internet cafes, hosting providers and operators must
communicate traffic data, called numbers and IP addresses to specialist
government agencies in cases related to the investigation of suspected terrorist
activities.
145. Under article 6, mobile phone operators and Internet cafes are required to
keep records of client connections for 12 months and make these available to
police. The law also authorizes the use of surveillance cameras in public spaces
such as train stations, churches and mosques, shops, factories and nuclear plants
Article 8 allows police to automatically monitor vehicles and occupants on
French roads and highways (including by taking pictures of vehicle license plates
and occupants) and to monitor people at large public gatherings. 104
146. More recently, on 14 March 2011, the French Code of Criminal Procedure
was amended to provide authorities with additional powers in terrorism
investigations. These amendments include the power to requisition documents
relevant to an investigation (including the conversion and transfer of computer
data), the decryption of protected computer data, numeric infiltration, the capture
of computer data (including images), wiretapping and the interception of other
communications. Moreover, the law establishes the legal basis for the activities
of
law enforcement officers engaged in, inter alia, online chat room discussions as
part of investigations into crimes related to the incitement of terrorism. This is an
important legal issue to which Governments might wish to give consideration.
These articles provide French law enforcement authorities with, inter alia, the
ability to obtain evidence related to the connection data of e-mails, telephone
activity and 1P addresses.
147. The expert from China referred to regulations in that country under
which the police, when undertaking a criminal investigation involving the use of
the Internet, may order the submission by the Internet-service provider and
Internet- communication provider of relevant records and data, which they are
required to retain by law for 60 days.
148. In the United Kingdom, the Regulation of Investigatory Powers Act 2000
sets out a legal framework regulating the following five types of surveillance
activities undertaken by Government agencies:
 Interception of communications (e.g. intercepting telephone calls or
accessing the contents of e-mails)
 Intrusive surveillance (e.g. covert surveillance in private premises or
vehicles)
 Directed surveillance (e.g. covert surveillance against an identified target
in a public place)
 Covert human intelligence sources (e.g. undercover agents)
 Communications data (e.g. records related to communications but not
the content of such communications).105
149. In addition to setting out the purposes for and procedures by which such
activities must be authorized, the Act obliges surveillance authorities to consider
whether the exercise of these powers and the interference with the rights of the
individuals under surveillance are proportionate and to take steps to avoid what is
known as "collateral intrusion", whereby the rights of parties other than those
being targeted are affected. The Act also makes it an offence for parties holding
encryption keys for targeted communications to withhold such keys from
authorized agencies. 106
150. In 2000, the Government of India passed the Information Technology Act
2000, which it amended in 2008, to provide for the offence of "cyber-terrorism"
(section 66F) and other Internet-related issues. Section 67C (1) of the Act
deals
with the issue of data retention, stipulating that regulated providers "shall
preserve and retain such information as may be specified for such duration and in
such manner and format as the Central Government may prescribe" and making it
an offence (punishable by up to three years of imprisonment and fines) to
knowingly contravene this obligation.
151. Section 69 (1) of the Act provides Government authorities with the power to
issue directions for the "interception, monitoring, and decryption of any
information generated, transmitted, received or stored in any computer resource"
and sets out the legal obligations and safeguards attaching to such State actions,
while Section 69A (1) provides State agencies with the power to issue directions
for blocking public access to any information through computer resources if they
consider it necessary or expedient to do so, in the interests of India's sovereignty,
integrity, security and international relations, or to prevent the incitement of
related "cognizable" offences, including terrorism. Finally, Section 69B provides
designated State agencies with the power to monitor collect and store data traffic
or information generated, transmitted or received via any computer resource.
152. In New Zealand, the Search and Surveillance Act 2012 updates,
consolidates and harmonizes the powers of law enforcement agencies relating to
search, surveillance and interception of communications to address new forms of
technology. The Act creates a new definition of the term "computer system
searches", extending it to include the search of computers that are not internally
connected to, but are able to access, a network remotely.
153. In order to strengthen legal safeguards, the Act makes it clear that remote-
access searching of computers is permitted in only two situations: when a
computer had the capability to lawfully access a computer system which is the
subject of the search and is therefore considered part of that system; and when
there was no physical location to search (e.g. in the case of web-based e-mail that
the user accesses from various locations, such as Internet cafes). The Act also
provides that, when police undertake authorized remote access searches of
Internet data facilities, they must provide electronic notification of the search via
e-mail, sent to the e-mail address of the facility being searched.
(b) Issues associated with the provision of interception capability
154. When undertaking electronic monitoring, surveillance or interception

activities, authorities will require the cooperation of operators that provide public
telecommunications or related services. While in many cases private sector
operators are willing to provide assistance to law enforcement agencies
undertaking their lawful functions, clearly there are limits to the time and
resources they are willing to expend on an entirely gratis basis. It is therefore
desirable that Governments provide a clear legal basis for the obligations placed
on private sector parties, including the technical specifications required of their
networks and how the cost of providing such capabilities is to be met.
155. In Israel, section 13 of the Communication Law, 1982, states that the Prime
Minister may direct Internet-access providers, within Israel, to carry out
technological modifications as required by security forces (defined as including
police, security and other special services) for the purpose of counter-terrorism
activities. The law applies only to Internet-access providers, who under Israeli
law receive their licenses from the Ministry of Communications. It does not
apply to data storage service providers or content management providers
operating within Israel, as these operators do not require a license from the
Ministry.
156. In New Zealand, the Telecommunications (Interception Capability) Act

2004 clarifies the obligations of network operators to assist authorized
government agencies in undertaking interception operations or providing
authorized call- associated data. The Act obliges network operators to ensure that
every public telecommunications network or service that it owns, controls or
operates has interception capability. Networks or services are deemed to have
this capability when authorized government agencies are able to intercept
telecommunications or services in a manner that identifies and intercepts only
targeted telecommunications, provides call-associated data and content (in a
usable form) and enables unobtrusive, timely and efficient interception in a
manner that protects the privacy of, and avoids undue interference with, other
telecommunications users. The Act also obliges network operators to provide the
means of decrypting any telecommunication carried over their network if the
content is encrypted and the network operator has provided that encryption
facility.
157. Recognizing the time and expense involved for some network operators to
comply with these requirements, the Act provided affected operators with periods
of 18 months to five years (depending on the status of the network) within which
to incorporate this capability Moreover, the Government agreed to meet the costs
of incorporating interception capability into those networks already in operation
at the date of commencement that lacked the necessary interception capability.
158. In Brazil, Federal Law No. 9.296 of 1996, together with article 5 (XII) of
the Federal Constitution of 1988, regulates official wiretapping undertaken by
authorized government agencies. While recognizing the inviolable nature of
telecommunications, the laws provide, subject to judicial authorization, specific
derogations for the purpose of criminal investigations or penal processes. The
law sets out the procedures to be followed in wiretap cases, which take place
under supervision of a judge. Once executed, the results of the wiretap are
transcribed and provided to the judge, along with a summary of all actions taken
pursuant to the authority (article 6).
159. In order to meet their legal obligations, telecommunications companies have

been required to establish and train specialized units and invest in necessary
technology. With regard to the costs of providing interception capability, it falls
to the telecommunications companies to provide the necessary technical
resources and staff to support authorized interception activities. This approach
reflects the fact that under Brazil's Constitution telecommunications companies
operate under a government con- cession and provision of telecommunications
services is considered a public service.
160. In Indonesia, following the Bali bombings in 2002, the Government passed
anti-terrorism legislation which permits law enforcement and security agencies,
for the purpose of terrorism-related investigations, to intercept and examine
information that is expressed, sent, received or stored electronically or with an
optical device. In relation to the retention period of Internet or log files, this
subject is regulated under Law No. 11 of 2008 on Electronic Information and
Transactions, specifically article 6, paragraph 1, subparagraph a, which obliges
every system operated by an electronic system provider to reproduce in complete
form any electronic information and/or electronic document for the duration
of the retention period stipulated under the law.
161. In Algeria, in 2006, the Government adopted a law permitting microphone
and video surveillance and the interception of correspondence, if authorized and
executed under the direct control of the prosecutor. The same law authorizes the
technique of infiltration for the purpose of investigating terrorism or organized
crime and permits the agent to commit specified minor infractions in the course
of the infiltration. The secrecy of the agent's identity is carefully protected by
law, but the infiltration must be conducted under the authority of the prosecutor
or investigating magistrate.107
162. In Malaysia, the Communications and Multimedia Act 1998 contains

several provisions pertaining to the regulation of the Internet and related criminal
investigations. For example, section 249 of the Act dealing with the issue of
access to computer data during searches provides that access includes obtaining
"passwords, encryption or decryption codes, software or hardware and any other
means required to enable comprehension of computerized data".
163. In addition, chapter 4 of the Act, relating to national interest matters,

imposes a general obligation on Internet service operators to use "best endeavors"
to ensure that the network facilities they provide are not used for the commission
of any offence under the law of Malaysia (Section 263) and provides that the
responsible minister may determine, specifying related technical requirements,
that a licensee or class of licensees shall implement the capability to allow
authorized interception of communications (Section 265).
164. Chapter 2 of the Act relates to the issue of offensive content, and prohibits
content application service providers and any persons using such services from
providing content that is "indecent, obscene, false, menacing, or offensive in
character with intent to annoy, abuse, threaten or harass any person"
(Section 211). Persons contravening these obligations commit an offence and
are liable to a fine not exceeding 50,000 ringgit (approximately US$16,200) or to
imprisonment for a term not exceeding one year, or both, and shall also be
liable to an ongoing fine of 1,000 ringgit (approximately US$325) for every day
or part of a day during which the offence is continued after conviction. Section
212 of the Act provides for the designation of an industry body to be a forum for
the development of an industry code relating to content.
165. In the United States, telecommunications operators are currently obliged,
under the Communications Assistance to Law Enforcement Act 1994, to provide
interception capability for telephone and broadband networks.
(c) Regulation of Internet cafes:
166. There is evidence that terrorists have in some cases used Internet cafes to
carry out actions associated with terrorism; however, there is no data available on
the proportion this type of activity in relation to legitimate Internet activity
conducted through these services.
167. The issue of the extent to which Governments should, for counter-terrorism
purposes, regulate Internet or cyber-cafes is a complex issue, closely linked to
human rights issues. Internationally, there is a divergence of approaches. In some
States, including Egypt, India, Jordan and Pakistan, Governments apply specific
legislative or regulatory measures, which oblige operators of Internet cafes to
obtain, retain and, upon request, produce photo identification, addresses and
usage/connection data of customers to law enforcement agencies.
168. While Governments can impose obligations on operators of Internet cafes

aimed at restricting misuse of those services by terrorists, the utility of such
measures is open to debate, especially when facilities such as other publicly
available Internet services (e.g. computers at public libraries or public wireless
fidelity (Wi-F) zones) that offer similar opportunities for the anonymous use
of the Internet by terrorists. It is noted that in 2005, the Government of Italy
imposed regulatory obligations on operators of Internet cafes relating to the
identification of customers; however, these regulations were abolished in late
2010, owing in part to concerns about the effect that this form of regulation might
have on the development of Internet services and their uptake by legitimate users.
(d) Content control
169. The issue of the extent to which Governments should regulate terrorism-
related content on the Internet is highly contentious. Approaches vary
considerably, with some States applying strict regulatory controls on Internet and
other related service providers, including in some cases the use of technology
to
filter or block access to some content. Others adopt a lighter regulatory
approach, relying to a greater extent on self-regulation by the information sector.
170. In the article "Terrorism and the Internet: should web sites that promote
terror ism be shut down?",108 Barbara Mantel notes that "most Internet service
providers, web hosting companies, file-sharing sites and social networking sites
have terms-of-service agreements that prohibit certain content". For example, she
notes, Yahoo's Small Business Web hosting service specifically forbids users
from utilizing the service to provide material support or resources to any
organization(s) designated by the United States Government as a foreign terrorist
organization. To that extent, there is an element of self-regulation within the
information society.
171. When assessing the approach and level of intervention in this area,
Governments need to take a number of factors into account, including the
location where content is hosted, constitutional or other safeguards relating to the
right to freedom of expression, the content itself and the strategic implications
from an intelligence or law enforcement perspective of monitoring or infiltrating
certain sites or rendering them inaccessible,109
172. In the United Kingdom, an innovative tool, available to authorities in

dealing with cases involving potential acts of incitement over the Internet, is
contained in section 3 of the Terrorism Act 2006, which provides police with the
power to issue a "take down" notice to persons associated with operating
websites or other Internet content.
173. Section 3 of the Act applies to cases involving offences under sections 1 or
2 of that Act in which "(a) a statement is published or caused to be published in
the course of, or in connection with, the provision or use of a service provided
electronically; or (b) conduct falling within section 2(2) [dissemination of a
terrorist publication] was in the course of, or in connection with, the provision or
use of such a service".
174. Section 3(2) provides that, if the person upon whom the notice has been
served fails to remove the terrorism-related content, and if he or she is
subsequently charged with offences under sections 1 or 2 of the Terrorism Act
2006 in relation to it, then a rebuttable assumption may be made at trial that the
content in question had his or her endorsement.
175. Despite the availability of these "take down" notices as a preventive
measure, in practice this power has not yet been used. In most cases, especially
when the offending content was hosted on the websites of third parties, it
tended to breach the terms and conditions of the service provider, and authorities
were able to successfully negotiate the removal of the offending content. In fact,
in the United Kingdom the specialized Counter Terrorism Internet Referral Unit
coordinates national responses to referrals from the public, as well as from
Government and industry, on terrorism-related Internet content and acts as a
central, dedicated source of advice for the police service.
4. International cooperation
176. States are obliged, under many different international, regional, multilateral
and bilateral instruments related to terrorism and transnational organized crime,
to establish policies and legislative frameworks to facilitate effective
international cooperation in the investigation and prosecution of these types of
cases.
177. In addition to having policies and legislation that establish criminal offences
necessary to satisfy dual criminality requirements, States should enact
comprehensive legislation that provides their authorities with a legal basis for
international cooperation with foreign counterparts in transnational terrorism-
related investigations. In cases involving the use of Internet, it is highly likely
that effective international cooperation, including the ability to share information,
including Internet-related data, will be a key factor in the success of any criminal
prosecution.
178. Issues related to international cooperation in terrorism cases are dealt with
in closer detail in chapter V below.
IV. Investigations and intelligence-gathering
A. Tools in the commission of terrorist offences involving the Internet
179. Technological advancements have provided many sophisticated means by

which terrorists may misuse the Internet for illicit purposes. Effective
investigations relating to Internet activity rely on a combination of traditional
investigative methods, knowledge of the tools available to conduct illicit activity
via the Internet and the development of practices targeted to identify, apprehend
and prosecute the perpetrators of such acts.
180. A case from France illustrates how different types of investigative

techniques, both traditional and specifically relating to digital evidence, are
employed in unison to compile the necessary evidence to successfully prosecute
terrorist use of the Internet.
Public Prosecutor v. ARNAUD, BADACHE, GUIHAL AND OTHERS
This French case involves several defendants: RANY ARNAUD, NADIR ZAHIR BADACHE,
ADRIEN LUCIANO GUIHAL and YOUSSEF LAABAR, who were convicted on 26 January 2012 by
the Tribunal Correctional de Paris and sentenced to terms of imprisonment ranging from 18 months to 6
years for, inter alia, disseminating terrorist-related material.
Arnaud, BADACHE and GUIHAL were arrested in France in December 2008 after Arnaud, what
operated under the username of "Abdallah", posted messages calling for jihad against France on a
propaganda website, minbar-sos.com:
 "Do not forget that France keeps on fighting our brothers in Afghanistan and that you are in a
land of war, rush up to martyr as soon as you can, boycott their economy, squander their wealth,
do not support their economy and do not participate in the financing of their armies.
As a result of the posting, authorities had intercepted ARNAUDS Internet account, put him under
physical surveillance and tapped his phone line. After arresting Mr. Arnaud, investigators forensically
examined the content of the computers used by him and found that he had conducted research on
matters relating to the commission of terrorist acts, for example products capable of being used to make
explosives and incendiary devices, identifying possible targets and tracking the activities of a company
which used ammonium nitrate. The enquiries revealed that Arnaud had recruited GUIHAL and
BADACHE, taken part in meetings and discussions to prepare an attack, made contact with people
involved in jihadist movements to seek help in carrying it out and received remittances to fund it.
These acts constituted crimes pursuant to articles 421-2-1, 421-1, 421-5, 422-3, 422-6 and 422-7 of the
French Criminal Code, and articles 203 and 706-16 et. seq. of the Code of Criminal Procedure.
The Court found that the plan in which Mr. Arnaud had an allegedly taken part, in association with
the other offenders, which consisted of placing explosives on a truck that would explode upon
reaching the target, posed a particularly high threat to public policy. He was thus sentenced to six
months imprisonment on charges relating to participating in a group committing criminal acts for the
purpose of preparing a terrorist attack, possession of several fraudulent documents and fraudulent use
of administrative documents evidencing a right, identity or quality or granting an authorization. On
the same charge, Mr. BADACHE was sentenced to two years of imprisonment, with six months
suspended, while Mr. GUIHAL was sentenced to four years, with one year suspended. MR.
LAABAR, who faced trial for other related acts, was sentenced to 18 months’ incarceration.
181. The investigation and prosecution of cases involving digital evidence

requires specialist criminal investigation skills, as well as the expertise,
knowledge and experience to apply those skills in a virtual environment.
While the admissibility of evidence is ultimately a question of law, and therefore
within the remit of the prosecutors, investigators should be familiar with the legal
and procedural requirements to establish admissibility for the purposes of both
domestic and international investigations. A sound working knowledge of the
requirements of applicable rules of evidence, and in particular with respect to
digital evidence, promotes the collection of sufficient admissible evidence by
investigators to support the successful prosecution of a case. For example, the
procedures used in gathering, preserving and analyzing digital evidence must
ensure that a clear "chain of custody" has been maintained from the time it was
first secured, so that it could not have been tampered with from the moment of its
seizure until its final production in court. 110
I. Internet-based communication
(a) Voice-over-Internet protocol
182. Over the past decade, applications that allow users to communicate in real
time using voice-over-Internet protocol (VOIP), video chat or text chat have
grown in popularity and sophistication. Some of these applications offer
advanced information-sharing functions, for example allowing users to share files
or giving them the ability to remotely view another user's onscreen activity in
real time. VOIP in particular has become increasingly used as an effective means
to communicate via the Internet. Well-known VOIP service providers include
Skype and Vonage, which operate by converting analogue sound into a
compressed, digital format, enabling transfer of the digital packets of information
via the Internet, using relatively low bandwidth connections.
183. As VOIP telephony involves the transmission of digital data packets, rather
than analogue signals, and service providers typically generate subscriber
invoices related to Internet usage based on aggregate data volume, computer-to-
computer VOIP calls are not invoiced on a per-call basis, as is the practice with
traditional mobile and fixed-line telephone calls. This difference in billing
practices may have a significant impact on investigations involving VOIP
communications, as it makes it more difficult for law enforcement authorities to
corroborate such communications with markers relating, for example, to the time
of the call and the location of the participants. Other indicators, however, such as
the timing and volume of Internet data traffic, may also provide a means to
identity perpetrators of illicit Internet activity (see para. 205 below).
Additionally, while the origin and destination of conventional telephone calls
may be routed via fixed-line switches or cellular communication towers, which
leave geolocation traces, wholly Internet-based VoIP communications, conducted
for example via wireless networks, may pose challenges in the context of an
investigation. Further complicating factors arising out of the use of VOIP
technology may involve, inter alia, the routing of calls via peer-to-peer networks
and the encryption of call data (discussed in greater detail in section IV.A.2
below).111
184. Duly submitted information requests to VOIP service providers may,

however, still provide valuable identifying information such as a user's IP
address, e-mail address or payment details.
(b) Electronic mail
185. Web-based e-mail services also provide terrorists with a covert means of
communication, which can be misused for illicit purposes. E-mail messages sent
between parties typically contain a number of elements which may be af
investigative value. A typical e-mail may be comprised of the envelope header,
the message header, the message body and any related attachments. While only
an abbreviated version of the envelope header may be displayed, in accordance
with the settings of the applicable software, the complete envelope header
generally contains a record of each mail server through which the message
transited on the way to the final recipient, as well as information regarding the IP
address of the sender.112 The information contained in the envelope header is less
susceptible to tampering (although not impermeable) than that in the message
header, which generally consists of user-provided information in fields such as
"To", "From",
"Return-Path", "Date" and "Time", as displayed on the device from which the
message is being sent.113
186. One commonly used technique to reduce electronic traces between parties,
and therefore the likelihood of detection, is communication through the use of
saved, unsent messages in the draft folder of the e-mail account. This information
is then available to multiple parties using a shared password to access the
account. Additional steps may also be taken to avoid detection, for example use
of a remote public access terminal, such as in an Internet cafe, to access the draft
message. This method was used in connection with the Madrid terrorist
bombings in 2004.
documentary evidence in connection with investigations. In some jurisdictions,

law enforcement personnel may, subject to certain conditions, covertly register
for, and participate in, chat room discussions under a pseudonym in connection
with an investigation.
190. For example, in France, article 706 of the Code of Criminal Procedure
provides for the authorization by the prosecutor or investigative judge of such
infiltration operations in connection with offences committed through electronic
communications (see discussion in section I1I.C.3 (a)). The aim of such
operations may be, inter alia, to gather intelligence or otherwise take proactive
action in connection with a perceived terrorist threat. Due care should be taken,
however, at the inception of the operation to ensure that any infiltration of online
chat room or other Internet-based discussions is conducted in a manner that
would not support a defense of entrapment, based on the assertion that a
government authority induced a suspect to commit a crime that he or she was not
predisposed to commit.
(d) File-sharing networks and cloud technology
191. File-sharing websites, such as Rapid-share, Dropbox or File-share, provide

parties with the ability to easily upload, share, locate and access multimedia files
via the Inter- net. Encryption and anonymizing techniques employed in
connection with other forms of Internet communication are similarly applicable
to files shared via, inter alia, peer- to-peer (P2P) and File Transfer Protocol (FTP)
technology. For example, in the HICHEUR case (see para. 20 above), evidence
was presented that digital files in support of terrorist activities were shared via
Rapid-share, after being encrypted and compressed for security.
Some file-sharing networks may maintain transfer logs or payment information,
which may be relevant in the context of an investigation.
192. Cloud computing is a service which provides users with remote access
to programs and data stored or run on third-party data servers. As with file-
sharing, cloud computing provides a convenient means to securely store, share
and distribute material online. The use of cloud technology to access remotely
stored information reduces the amount of data stored locally on individual
devices, along with the corresponding ability to recover potential evidence in
connection with an investigation of terrorist use of the Internet.
193. The data servers used to provide these services may also be physically
located in a different jurisdiction from that of the registered user, with varying
levels of regulation and enforcement capabilities. Close coordination with local
law enforcement authorities may therefore be required to obtain key evidence for
legal proceedings.
2. Data encryption and anonymizing techniques
194. Data encryption refers to the protection of digital information from

disclosure by converting it into cipher-text, using a mathematical algorithm and
an encryption key, so that it is intelligible only to the intended recipient.
Encryption tools may be hard-ware or software-based, or a combination of both.
Once encrypted, a password, a passphrase, a "software key" or a physical access
device, or some combination thereof, may be required to access the information.
Encryption may be employed in respect of both "at-rest" data, contained in
storage devices such as computer hard drives, flash media and smart phones, and
"in transit" data, transmitted over the Internet, for example by means of VOLP
and e-mail communications. Some examples of common software-based
encryption tools include those integrated into computer operating systems or
applications, as well as stand-alone software such as Pretty Good Privacy and
WinZip.115 In a case in Brazil, an investigation was launched on the basis of
international cooperation and information-sharing against a suspect alleged to be
participating in, moderating and controlling the operations of a jihadist website
affiliated with recognized terrorist organizations, notably Al-Qaida. This website
hosted videos,
text and messages from leadership-level extremist militants, which had been
translated into English to reach a broader audience, and was also used to conduct
fundraising activities and racially motivated propaganda campaigns. The police
operation that led to the detention of the suspect was targeted to take the suspect
by surprise, while he was connected to the Internet and actively engaged in
activities relating to the website. By apprehending the suspect while his computer
was on and the relevant files were open, investigators were able to bypass the
cryptographic symmetric keys and other encryption and security features used by
the suspect and his associates. Investigators were therefore able to access digital
content that might have been otherwise unavailable or more difficult to obtain if
the computer had been secured while it was shut off.
195. Internet activity, or the identity of the associated users, can also be disguised
through advanced techniques, including masking the source IP address,
impersonating another system's IP address or redirecting Internet traffic to an
obscured IP address,116 A proxy server enables users to make indirect network
connections to other network services. Some proxy servers allow the
configuration of a user's browser to automatically route browser traffic through a
proxy server. The proxy server requests network services on behalf of the user
and then routes the delivery of the results again through a proxy Varying levels
of anonymity may be facilitated by the use of proxy servers. A proxy may
obscure the identity of a user by fulfilling requests for network services
without revealing the IP address from which the request originates, or by
intentionally providing a distorted source IP address. For example, applications
such as The Onion Router may be used to protect the anonymity of users by
automatically rerouting Internet activity via a network of proxy servers in order
to mask its original source. Rerouting network traffic via multiple proxy servers,
potentially located in different jurisdictions, increases the degree of difficulty of
accurately identifying the originator of a transmission.
196. Alternatively, a suspect may hack into a legitimate organization's IP address

and browse the Internet using the hacked address. Any traces of such activity
would be linked to the IP address of the compromised organization. A
suspect may also access a website through a compromised computer or store
malware (used, for example, to obtain credit card or other personal financial
information) on compromised websites in an effort to avoid being identified.
197. There is a variety of software programs that are available to disguise or
encrypt data transmitted over the Internet for illicit purposes. These programs
may include the use of software such as Camouflage to mask information
through steganography or the encryption and password protection of files using
software such as WinZip. Multiple layers of data protection may also be
employed. For example, Camouflage allows one to hide files by scrambling them
and then attaching them to the end of a cover file of one's choice. The cover file
retains its original properties but is used as a carrier to store or transmit the
hidden file. This software may be applied to a broad range of file types. The
hidden file may, however, be detected by an examination of raw file data, which
would show the existence of the appended hidden file.117
198. In the United Kingdom, it is a criminal offence under the Regulation of

Investigatory Powers Act 2000 to refuse to hand over an encryption key when
required. Care must be taken, however, to ensure that suspects do not seek to
evade the provision by utilizing several layers of encryption and multiple keys to
protect different data sets. For example, a setting of TRUECRYPT, a common
free encryption tool, allows a suspect to encrypt a hard drive and create two
passwords: one for the "clean" drive and the other containing the incriminating
material. This can be circumvented by ensuring that the forensic examination of
the hard drive takes into consideration whether there is any "missing volume" of
data. Additionally, offences of this nature are usually summary offences, which
carry maximum penalties of six months imprisonment. In the United Kingdom,
however, when the case involves national security issues, the maximum penalty
increases to two years of imprisonment.
3. Wireless technology
199. Wireless networking technology allows computers and other devices to

access the Internet over a radio signal rather than via a hard-wired connection,
such as a cable. To access a Wi-Fi network, a degree of proximity to the network
resources must be maintained, which is dependent upon the strength of the
wireless signal. Wireless networks may be configured to allow open access
to the Internet, without registration, or may be secured with the use of a
passphrase or varying levels of encryption. Wireless networks, registered to
individuals, businesses or public entities, can often be accessed from public
locations.
Anonymous access to secured or unsecured Wi-Fi networks may
allow perpetrators to mask links between Internet activity and
identifying information.
200. In addition, service providers such as phone have emerged in recent years,
which enable registered users to share a portion of their residential Wi-Fi
bandwidth with other subscribers, in exchange for reciprocal access to Wi-Fi
networks of subscribers worldwide. Activity conducted over a shared Wi-Fi
network significantly complicates the process of attribution of an act to a single,
identifiable perpetrator in the course of an investigation.118
201. A novel technique relates to the use of software-defined high performance

High frequency (HF) radio receivers routed through a computer. In this way, no
data is exchanged through a server and no logs are created. It is more difficult for
law enforcement and intelligence agencies to intercept communications sent
using this method, both in relation to finding the location of the transmitters and
with respect to predicting in real time the frequency at which the communications
are transmitted.
B. Investigations of terrorist cases involving the Internet
I. Systematic approach to investigations involving the internet.
202. There is a vast range of data and services available via the Internet which
may be employed in an investigation to counter terrorist use of the Internet. A
proactive approach to investigative strategies and supporting specialist tools,
which capitalizes on evolving Internet resources, promotes the efficient
identification of data and services likely to yield the maxim um benefit to an
investigation. In recognition of the need for a systematic approach to using
technological developments relating to the Internet for investigative purposes, the
RAGGRUPPAMENTO OPERATIVO SPECIALE of the CARABINIERI of
Italy developed the following guidelines, which have been disseminated through
the University College Dublin, master's programmer in forensic computing and
cybercrime (see section IV.G below) and implemented by domestic enforcement
authorities of many member States of the International Criminal Police
Organization (INTERPOL) and the European Police Office (Europol):
Protocol of a systematic approach
 Data collection: This phase involves the collection of data through traditional investigative methods,
such as information relating to the suspect, any co-inhabitants, relevant co-workers or other associates
and information compiled through conventional monitoring activities of channels of communication,
including in relation to fixed-I ne and mobile telephone usage.
 Research for additional information available via Internet-based services: This phase involves
requests to obtain information collected and stored in the databases of web based e-commerce,
communications and networking services, such as eBay, PayPal, Google and Facebook, as well as
using dedicated search engines such as www. 123people. com. Data collected by these services
through commonly used Internet "cookies" also provide key information regarding multiple users of a
single computer or mobile device.
 The activities in phases (a) and (b) above provide information that may be combined and cross-
referenced to build a profile of the individual or group under investigation and made available for
analysis during later stages of the investigation.
 VolF server requests: in this phase, law enforcement author ties request information from VOLP
service providers relating to the persons under investigation and any known affiliates or users of the
same networking devices. The information collected in this phase may also be used as a form of
"smart filter" for the purposes of verifying the information obtained in the two prior phases.
 Analysis: The large volume of data obtained from VOLP servers and the providers of various Internet
services are then analyzed to identify information and trends useful for investigative purposes. This
analysis may be facilitated by computer programs, which may filter information or provide graphic
representations of the digital data collected to highlight, inter alia, trends, chronology, the existence of
an organized group or hierarchy, the geolocation of members of such group, or factors common
among9 multiple users, such as a common source of financing.
 identification of subjects of interest: In this phase, following smart analysis of the data, it is common
to identify subjects of interest based, for example, on subscriber information linked to a financial,
VolP or e-mail account.
 Interception activity: In this phase, law enforcement authorities employ interception tactics similar to
those used for traditional communication channels, shifting them to a different platform: digital
communication channels. Interception activity may be undertaken in connection with
telecommunications services, such as fixed-line broadband, mobile broadband and wireless
communications, as well as with regard to services provided by ISPs, such as e-mail, chat and forum
communication services. in particular, in recent years’ experience has revealed vulnerabilities in new
communications technologies which may be exploited for investigative or intelligence -gathering
purposes. Due care should be taken with respect to ensuring the forensic integrity of the data being
gathered and the corroboration, to the extent possible, of any intelligence gathered with objective
identifiers such as GPS coordinates, time stamps or video surveillance.
Where permitted by domestic law, some law enforcement authorities may also employ digital monitoring
techniques facilitated by the installation of computer hardware or applications such as a virus, a "Trojan
Horse or a keystroke logger on the computer of the person under investigation. This may be achieved through
direct or remote access to the relevant computer, taking into consideration the technical profile of the
hardware to be compromised (such as the presence of antivirus protections or firewalls) and the personal
profile of all users af the device, targeting the least sophisticated user profile.
203. The Korean National Police Agency has responded to the need to
standardize domestic law enforcement practices relating to digital forensics by
developing and implementing two manuals: The Standard Guidelines for
Handling Digital Evidence and the Digital Forensics Technical Manual. The
Standard Guidelines detail seven steps in the proper handling of digital evidence:
preparation; collection; examination; evidence request, receipt, and transport;
analysis; reporting; and preservation and evidence management. The Digital
Forensics Technical Manual outlines required procedures and the appropriate
approach to the collection of digital evidence, including with reference to
establishing the appropriate environment, forensic tools and equipment;
preparatory steps such as the set-up of hardware and software, network
connections and time-accuracy; measures to secure the maximum amount of
digital evidence; independent analysis of secured data; and the production of the
final report.119
2. Tracing an IP address
204. The IP address associated with an Internet communication is an important

identifier, and therefore key in investigations into terrorist use of the Internet. An
IP address identifies the specific network and device being used to access the
Internet. The IP addresses can be dynamic, temporarily assigned for the duration
of an online session from a pool of addresses available to an ISP, or static
(assigned on a fixed basis, as in the case of website addresses). Dynamic IP
addresses are typically assigned to ISPs within region-based blocks. Therefore, in
the absence of the intervening use of anonymizing or other techniques, a dynamic
IP address can often be used to identify the region or State from which a
computer is connecting to the lnternet.
205. Further, in response to a duly made request, an ISP can often identify which
of its subscriber accounts was associated with an IP address at a specific time.
Traditional investigative methods may then be used to identify the person
physically in control of the subscriber account at that time. In the HICHEUR case
(see para. 20 above), the defendant was identified by tracing a static IP address
used to access an e-mail account under surveillance. A request made to the
relevant ISP enabled authorities to link the IP address to a subscriber account
used by multiple occupants of a household, including the defendant. By
intercepting the data traffic for this subscriber account, investigators were also
able to establish links between the IP address and activity on a pro-jihadist
website which, inter alia, distributed materials for the purpose of physically and
mentally
training extremist combatants. In particular, investigators were able to
correlate the times at which multiple connections were made to the website's
discussion forum with concurrent increases in Internet data volume linked to the
defendant's personal e-mail account.120
206. Given the time-sensitive nature of investigations involving the Internet and
the risk of alteration or deletion of digital data owing to, inter alia, potential
server capacity constraints of the relevant ISP or applicable data protection
regulations, consideration should also be given to the appropriateness of a request
to the ISP to preserve data relevant to the criminal investigation, pending
fulfillment of the necessary steps to secure the data for evidentiary purposes.
207. In the case of an investigation relating to a website, the relevant domain

name must first be resolved to an IP address. In order to identify the associated IP
address, which is in turn registered with the Internet Corporation for Assigned
Names and Numbers (ICANN), several dedicated utilities may be used. Common
utilities, which are available via the Internet, include "who is" and "nslookup", 121
For example, a whois query related to the domain name of the United Nations
Office on Drugs and Crime (www.unodc.org) produces the following result:
 Domain 11D: D91116542-L.ROR

 Domain Name: UNODc.ORG
 Created On: 11-Oct-2002 09:23:23 UTC
 Last Updated On: 19-Oct-2004 00:49:30 UTC
 Expiration Date: 11-Oct-2012 09:23:23 UTC
 Sponsoring Registrar: Network Solutions LLC (R63-L.ROR)
 Status: CLIENT TRANSFER PROHIBITED
 Registrant ID: 15108436-NSI
 Registrant Name: Wiessner Alexander
 Registrant Organization: United Nations Vienna
 Registrant Street l: Vienna International Centre, P.O. Box 500
 Registrant City: A-1400 Wien Vienna AT 1400
 Registrant Postal Code: 99999
 Registrant Country: AT
 Registrant Phone: +43.1260604409
 Registrant FAX: +43.1213464409
 Registrant E-mail: [email protected]
These details are provided by the registrant, however. As a result, further steps
may also be required to independently verify the accuracy of registrant details.
Domains may also be leased or otherwise under the control of a party other than
the registrant.
208. Persons investigating the use of the Internet for terrorist purposes should
also be aware that online activity related to an investigation may be monitored,
recorded and traced by third parties. Due care should therefore be taken to avoid
making online enquiries from devices which can be traced back to the
investigating organization.
3. Specialized investigative utilities and hardware
209. Investigators with the appropriate technical background have available to

them a range of specialized utilities and hardware. Some, such as "Ping", and
"Traceroute", may be integrated into the operating system of a device under
investigation. Ping, for example, may be used to send a signal to a computer
connected to the Internet to determine whether it is connected at a given time,
subject to the interference of any firewalls or other network configuration.
Similarly, traceroute may show the path between two networked computers,
which may assist in determining the physical location.
210. Other programs that may be used, subject to domestic laws and regulations
regarding, inter alia, access to the device and interception of communications,
include "Trojan horses" or Remote Administration Trojans (RATs), which may
be introduced covertly into a computer system to collect information or to enable
remote control over the compromised machine. Keystroke monitoring tools may
also be installed on a device and used to monitor and record keyboard activity.
Keystroke loggers, in the form of hardware or software, assist in obtaining
information relating to, inter alia, passwords, communications and website or
localized activity undertaken using the device being monitored. In addition, data
packet "sniffers" may be used to gather data relevant to an investigation. Sniffers,
which may be a device or software, gather information directly from a network
and may provide information relating to the source and content of
communications, as well as the content communicated.
C. Forensic data preservation and recovery
211. An important part of the acquisition of evidence in connection with cases

involving the use of the Internet for terrorist purposes concerns the recovery of
stored digital data. The two primary goals in this data recovery exercise are the
retrieval of relevant evidence for the purposes of effective investigation and
prosecution and the preservation of the integrity of the data source and the
chain of custody to ensure its admissibility in court proceedings. In order to
identify the best method of evidence preservation, it is important to distinguish
between volatile data, which stored on devices, such as the random access
memory (RAM) of devices, and may be irretrievably lost if there is a disruption
in the power supply, and non-volatile data, which is maintained independently of
the power supply to the device. For example, the act of switching off a computer
may alter the data contained on the storage discs and RAM, which may contain
important evidence of computer programs used by the suspect or websites
visited. Volatile data may provide information relating to current processes on an
active computer which may be useful in an investigation, such as information
relating to users, passwords, unencrypted data or instant messages. Examples of
storage devices for non-volatile data include internal/external hard disks, portable
disk drives, flash storage devices and zip disks
212. The United States Department of Homeland Security has developed a

valuable overview of this process in a guide entitled "Best practices for seizing
electronic evidence: a pocket guide for first responders". 123 This guide outlines
the following steps to preserve evidence in connection with criminal
investigations involving computing devices:
Best practices for data preservation
 Do not use the computer or attempt to search for evidence.
 If the computer is connected to a network, unplug the power source to the router or modem.
 Prior to moving any evidence, photograph the computer as found, including the front and back,
as well as any cords or connected devices and the surrounding area.
 If the computer is "off, do not turn it "on".
 If the computer is "on" and something is displayed on the monitor, photograph the screen.
 If the computer is "on and the screen is blank, move the mouse or press the space bar (this
will display the active image on the screen); after the image appears, photo graph the screen.
 For desktop computers, unplug the power cord from back of the computer tower.
 For laptop computers, unplug the power cord; if the laptop does not shut down, locate and remove
the battery pack (the battery is commonly placed on the bottom, and there is usually a button or
switch that allows for its removal), once the battery is removed, do not return it to or store it in the
laptop (this will prevent the accidental start-up of the laptop).
 Diagram and label cords to later identify connected devices Disconnect all cords and devices from
the tower or laptop
 Package and transport components (including the router and modem, if present) as fragile cargo
 Where permitted pursuant to the terms of any applicable search warrant, seize any
additional storage media
 Keep all media, including the tower, away from magnets, radio transmitters and other
potentially damaging elements
 Collect instruction manuals, documentation and notes, paying particular attention to any items
that may identify computer-related passwords or passphrases
 Document all steps involved in the seizure of a computer and its components.
213. With regard to mobile devices such as smart phones and personal digital
assistants, similar principles apply, except that it is recommended not to power
down the device, as this may enable any password protection, thus preventing
access to evidence. The device should therefore be kept charged, to the extent
possible, or undergo specialist analysis as soon as possible before the battery is
discharged to avoid data loss.
214. The case below from India illustrates the importance of forensic analysis in
the identification and recovery of digital and other evidence of terrorist use of the
Internet.
The Zia Ul Haq case
The defendant, Zia Ul Haq, who was arrested on 3 May 2010 and is currently awaiting trial, is
allegedly a member of Lashkar e Taiba, which is a Pakistan-based armed group fighting against
Indian control in Kashmir. The prosecution case against Zia Ul Haq alleges, inter alia, that he was
lured into jihad while working in Saudi Arabia between 1999 and 2001; received training outside
India in the use of arms, ammunition and explosives and communicating through e-mails; collected a
consignment of arms, ammunition and explosives in Delhi in 2005, after being requested to do so via
e-mail; and subsequently used the Internet to coordinate with other members of Lashkar e Taiba and
conspired to commit terrorist acts using arms, ammunition and explosives.
The prosecution further alleges that, on 7 May 2006, Zia Ul Haq used hand grenades sup plied in the
weapons consignment from Lashkar e Taiba in an attack against the Odeon cinema in Hyderabad.
E-mail communications between the defendant and his handler were obtained from the Internet-
service providers and their content was examined. The cyber-cafe computers that were used by the
offender were forensically analyzed, the hotel where he stayed while he was in Delhi to collect the
grenades was traced and his signature in the guests register forensically matched. While the
defendant was in jail awaiting trial, a letter oratory was sent from India to the central authority in
another country to initiate action against the alleged handler.
Zia Ul Haq was charged in India for various offences, including under sections 15, 16, 17 and 18 of
the Unlawful Activities (Prevention) Act of 1967, as amended in 2004 and 2008, which provides far
punishment for terrorist activities, training and recruitment for terrorist purposes, raising funds for
terrorist activities and conspiracy to commit terrorist activities.
215. Owing to the fragile nature of digital evidence, its assessment, acquisition
and examination is most effectively performed by specially trained forensic
experts. In Israel, domestic legislation acknowledges the importance of specialist
training, requiring that digital evidence be secured by trained computer
investigators, who undergo a basic professional course and advanced professional
in-service training to become acquainted with computer systems, diverse forensic
software and the optimal way to use them. When the need for an especially
complex investigation arises, such as recovery of deleted, defective or complexly
coded or encrypted files, an external expert, who may later be called as an expert
witness on behalf of the prosecution, may be retained.124
216. It is advisable to perform any examinations on a copy of the original

evidence, in order to preserve the integrity of the original source data.125 A
duplicate copy of digital data may be created with the use of specific forensic
tools, such as Guidance Software's Encase or Forensic Tool Kit, or freeware
alternatives. To the extent possible, at least two different forensic tools should be
used to create duplicate copies, in the event that one does not adequately
collect all data.126
217. Encase makes a duplicate image of the data on the device under
examination, analyzing all sectors of the hard disk, including unallocated sectors,
to ensure the capture of any hidden or deleted files. The software may also be
used, inter alia, to analyze the structure of the file system of digital media,
organize the files under analysis and generate a graphic representation or other
report relating to certain characteristics of the files. Encase also generates and
assigns a unique identifier, known as a "hash value", to the digital evidence.127
218. In order to support the authenticity of digital evidence in connection with

legal proceedings (see section IV.D below), a hash value assigned to digital files,
or portions thereof, is based on a mathematical algorithm applied to
characteristics of the dataset. Any alteration of the dataset would result in the
generation of a different hash value. Hash values are generated with respect to (a)
the original hard drive prior to the creation of a duplicate image, (b) the
duplicated copy or copies prior to forensic examination and (c)the duplicated
copy or copies after examination. Matching hash values support a finding that
digital evidence has not been tampered with and that the copy that has undergone
forensic examination may be treated as the original source data for the
purposes of the legal proceedings commonly used algorithms include MD5 and
SHA.128
D. Supporting the authentication of digital evidence
219. An effective prosecution of suspected use of the Internet for terrorist

purposes must be supported by evidence that has been properly collected and
well documented (see section V1.G.2). This is necessary to establish the
integrity of the digital evidence, for the purposes of both its admissibility in court
and its persuasive value. The integrity of digital evidence may be established by
a combination of traditional and specialized investigative techniques Key issues
include the chain of custody of both the physical device used to store or transmit
electronic data and the actual data, as well as the procedures followed to secure
such data and any deviations from established procedures. With regard to
traditional investigative methods, law enforcement officers may make enquiries
to establish, to the extent possible, who may have handled or had access to
the
evidence prior to it being taken into custody and when, how and from where the
evidence was collected.
220. A prosecutor may also be required to show, inter alia, that the information
obtained is a true and accurate representation of the data originally contained on
the media and that it may be attributed to the accused. Hash values generated
with respect to digital evidence provide strong support that such evidence
remains uncompromised. Additional corroborating evidence and testimony may
also be introduced to establish authenticity. An illustration of this practice can be
found in the case of Adam Busby, who was convicted in Ireland in 2010 of
sending a bomb threat via e-mail to Heathrow Airport in London. During the
Busby trial, in addition to producing evidence that the e-mail was sent from a
specific computer to which the accused had access, hard-copy computer logs and
closed caption television footage were also introduced to establish the time at
which the e-mail was transmitted and the fact that the accused was the person in
control of the computer at that time.
E. Operational cybercrime units
I. National or regional cybercrime units
221. Increased dependency on computer technology has led to dramatic increases

in the demand for dedicated cybercrime units to respond to requests for forensic
retrieval of computer-based evidence, and not just in terrorist cases involving the
use of the Internet. Organized crime such as drug trafficking, trafficking in
persons and international paedophile groups offers examples of cases in which
criminal use of the Internet has been particularly prevalent, but in recent years
there has been an increase in the degree to which cases involve computer-based
or electronic evidence in some form. The establishment of national cybercrime
units with specialized skills relating to the investigation of cybercrime could
significantly improve a State's operational capability to support such demands.
Depending on geographical and resource requirements, such a national unit may
also be supported by smaller regional units to respond to local needs.
Additionally, it may be more efficient and cost-effective to have regional units
under the command of local regional management.
222. The responsibilities of national or regional cybercrime units may include the
following:
(a) Gathering open-source intelligence by using specialist online surveillance
techniques from social networking sites, chat rooms, websites and Internet
bulletin boards revealing the activities of terrorist groups (among many
other criminal elements). Insofar as terrorist groups are concerned, this
function could be placed within the remit of counter-terrorism units in
which personnel have sufficient training and experience to conduct this
task, but specialist training within a cybercrime environment is seen as
essential training for this role. The intelligence-gathering function also
requires evaluation and analysis to support the development of strategy in
countering the threat posed by terrorists' use of the Internet. Conflicting
responsibilities or objectives between national intelligence agencies may,
however, hinder harmonization and the translation of intelligence leads
into effective operational plans;
(b) Conducting specialist cybercrime investigations in national and
international technology-related crime cases, such as those involving
Internet fraud or theft of data and other cases in which complex issues of
technology, law and procedure arise and the management of the
cybercrime unit assesses that the specialist investigation resources of that
unit are necessary;
(c) Serving as an industry and international liaison for the development of
partnerships with the principal stakeholders in the fight against cybercrime,
such as the financial services industry, the telecommunications services
industry, the computer industry, relevant government departments,
academic institutions and intergovernmental or regional organizations;
(d) Maintaining an assessment unit to assess cybercrime cases nationally and
internationally for prioritized investigation by national or regional
cybercrime units. Such a unit may also be responsible for the maintenance
of statistics on the incidence of cybercrime cases;
(e) Providing training, research and development, as the complex and
evolving nature of cybercrime requires scientific support from specialist
academic institutions to ensure that national and regional units are
properly skilled and resourced with all the technological tools, training and
education that is required to forensically examine computer media and
investigate cybercrime.
2. Computer forensic triage units
223. Computer forensic triage units may be established to support national and
regional cybercrime units. The personnel of such units would be trained to
forensically view computer items using specially developed software tools at
search sites. A triage team member can conduct an initial examination an site to
cither eliminate computers or other peripheral computer equipment from the
investigation as having no evidential value or may seize the computer-based
evidence in accordance with proper forensic techniques and support local
investigation teams in the questioning of suspects as regards the computer-based
evidence uncovered. When necessary, the items of computer media seized by
triage units may also be submitted for full forensic examination to the relevant
regional cybercrime unit or to the national cybercrime unit, as appropriate.
224. Researchers from University College Dublin are currently working on the
development of a range of forensic software tools to support preliminary
analysis, which will be available to law enforcement officials at no cost. The
development of these tools is part of a broader strategic solution being explored
by the University College Dublin Centre for Cybersecurity and Cybercrime
Investigation and the Computer Crime Investigation Unit of a Garda Siochána
(Ireland's national police service), aimed at assisting under-resourced cybercrime
units, with limited budgets and personnel, in the management of their caseloads.
The objective of this initiative will be to create an entirely "open source"
forensics lab. Participating investigators will receive instruction on building
computer evidence storage and processing equipment, and will be trained on the
use of free forensic tools.
F. Intelligence-gathering
225. Intelligence-gathering is a key component of counter-terrorism activities, as

information obtained through such channels often triggers the investigations that
lead to the prosecution of suspects, or is used as evidence at trial, to the extent
permitted by domestic law and rules of procedure. The different purposes for
which intelligence may be gathered, and the different agencies which may
acquire or use this information, may require the careful balancing of competing
interests, however. For example, the law enforcement or intelligence services
involved in acquiring intelligence information may place significant emphasis on
the protection of the confidentiality of the source of the information, while
officials of
the court would need to consider, inter alia, a defendant's right to a fair trial and
equal access to the evidence presented against him or her. Due care should be
taken to ensure that adequate checks and balances are in place with respect to the
fundamental human rights outlined in the applicable international conventions.129
226. In some Member States, intelligence from anonymous sources is not

admissible as evidence in court; however, intelligence information that is
corroborated by authoritative sources or additional evidence may be considered.
For example, in Ireland, intelligence gathered on terrorists can amount to prima
facie evidence that a particular individual is a member of an unlawful
organization when that evidence is given under oath by a police officer with
a rank of at least chief superintendent. The Irish Supreme Court upheld the use of
such intelligence as evidence, in the presence of corroborating evidence, when
the fear of reprisals made direct evidence unavailable and given the senior rank
of the officer giving evidence. 130
227. Several experts have also highlighted the tension between the need to
encourage the availability of information regarding potential terrorist activity
conducted via the Internet and the need to apprehend and prosecute the
perpetrators of such activity For example, once potentially terrorism-related
website activity is identified, national security agencies may consider the long-
term and short-term implications of the operational response. Such response may
include passively monitoring website activity for intelligence purposes, covertly
engaging with other users to elicit further information for counter-terrorism
purposes or shutting down the website. The varying objectives and strategies of
different domestic and foreign agencies may guide the preferred counter-
terrorism actions.131
228. The practical considerations when evaluating the intelligence value versus
the threat level of an online resource were highlighted in a recent report of the
United States Congressional Research Service:
For example, a "honey pot" jihadist website reportedly was designed by the
[Central Intelligence Agency] and Saudi Arabian Government to attract and
monitor terrorist activities. The information collected from the site was used by
intelligence analysts to track the operational plans of jihadists, leading to arrests
before the planned attacks could be executed. However, the website also was
reportedly being used to transmit operational plans for jihadists entering Iraq
to
conduct attacks on U.S. troops. Debates between representatives of the [National
Security Agency, Central Intelligence Agency, Department of Defense, Office of
the Director of National Intelligence and National Security Council] led to a
determination that the threat to troops in theater was greater than the intelligence
value gained from monitoring the website, and a computer network team from
the Joint Task Force Global Network Operations] ultimately dismantled it.132
As illustrated in the above case, coordination between agencies is an important

factor in successfully responding to identified threats.
229. Other Member States, such as the United Kingdom, have indicated that
significant emphasis has been placed on developing working relationships and
entering into memorandums of understanding between the prosecution and law
enforcement or intelligence agencies, with positive results. Similarly, in
Colombia, the Integrated Centre of Intelligence and Investigation (Centro
Integrado de Intelligence e Investigación, or C13) is the domestic agency that
coordinates investigations into suspected terrorist activities using a strategy based
on six pillars. This approach involves a high-ranking official from the national
police assuming overall command and control of different phases of the
investigation, which include the gathering, verification and analysis of evidence
and a judicial phase in which police collect information on parties and places
associated with the commission of any crimes.133
230. The expert from France outlined the domestic approach to coordinating inter
agency responses to identified terrorist activity:
 Phase 1: Surveillance and intelligence services identify a threat by
monitoring Internet activity
 Phase 2: The surveillance services notify the public prosecution services of
the threat identified. The judge or prosecutor can then authorize law
enforcement authorities to place the Internet activity of an identified
suspect under surveillance. As of 2011, legislation permits the leading
judge to authorize law enforcement to record the monitored person's
computer data. Moreover, personal data (e.g. name, phone number, credit
card number) can be requested from the relevant service providers
 Phase 3: The investigation is conducted based on the evidence gathered
from the sources outlined under phases 1 and 2.
G. Training
231. Law enforcement officials involved in investigations of the use of the

Internet for terrorist purposes require specialist training in the technical aspects of
how terrorists and other criminals can use the Internet in furtherance of illicit
purposes and how law enforcement can effectively use the Internet as a
resource to monitor the activities of terrorist groups. Training may be provided
through public or private sector initiatives, or a combination of both.
232. Courses on information technology forensics and cybercrime investigations

may be provided at the regional or international level by organizations such as
Europol and INTERPOL In addition, a number of countries have developed their
own law enforcement cybercrime training programs, either alone or in
conjunction with academic institutes. Training may also be provided through ad
hoc training courses, seminars, conferences and hands-on training provided
through the public sector or relevant industry stakeholders.
233. Specialized training may also be available through academic institutions,

such as University College Dublin in Ireland, which in 2006 established the
Centre for Cyber- security and Cybercrime Investigation. Programs offered by
the university include the law-enforcement-only master's degree in forensic
computing and cybercrime investigation. Further courses also provide first
responders with training to support their operational role in connection with
cybercrime cases.
234. The Cybercrime Centre of Excellence Network for Training, Research and
Education (2CENTRE) is a project funded by the European Commission and
launched in 2010, with the aim of creating a network of Cybercrime Centre of
Excellence for Training, Research and Education in Europe. Centers are currently
being developed in Belgium, Estonia, France and Ireland. Each national center is
founded on a partnership among representatives of law enforcement, industry and
academia, collaborating to develop relevant training programs and qualifications,
as well as tools for use in the fight against cybercrime. The University College
Dublin Centre for Cyber security and Cybercrime Investigation is the leader and
coordinator of the project. 134
235. Online counter-terrorism training is also available through the Counter-

Terrorism Learning Platform of UNODC, which was launched in 2011.135
The
platform is an interactive tool specifically designed to train criminal justice
practitioners in the fight against terrorism, while incorporating them into a single
virtual community where they can share their experiences and perspectives to
fight terrorism. In addition to allowing practitioners who have previously
participated in training provided by UNODC to connect and create networks with
their counterparts, the platform allows them to be kept abreast of legal
developments in the field, to be informed about upcoming training opportunities
and to engage in continuous learning activities.
V. International cooperation
A. Introduction
236. The speed, global reach and relative anonymity with which terrorists can use
the Internet to promote their causes or facilitate terrorist acts, together with
complexities related to the location, retention, seizure and production of Internet-
related data, makes timely and effective international cooperation between law
enforcement and intelligence agencies an increasingly critical factor in the
successful investigation and prosecution of many terrorism cases.
B. Instruments and arrangements relating to international cooperation
I. The universal instruments against terrorism
237. The universal instruments against terrorism, comprised of international

conventions and protocols and relevant resolutions of the Security Council,
contain comprehensive mechanisms for international cooperation in criminal
proceedings related to terrorism. These instruments make provision for
extradition, mutual legal assistance, transfer of criminal proceedings and
convicted persons, reciprocal enforcement of judgments, freezing and seizure of
assets and exchange of information between law enforcement agencies.
238. Key elements of the instruments against terrorism relating to international

cooperation include:
 The obligation to bring perpetrators of acts of terrorism to justice.
 The obligation to extradite or prosecute (the A U T D E D E R E A U T
J U D I C A R E P R I C I P L E ).
 The obligation to establish legal jurisdiction in defined circumstances.
 The obligation to exclude the political offence exception as a ground
for refusing a request for cooperation
 Respect for the rule of law and human rights.
 Respect for the principle of dual criminality.
 Respect for the rule of specialty
 Respect for the NE BIS IN IDEM rule: precluding a second prosecution
for the same offence.134
239. The general principles applicable to extradition and mutual legal

assistance in cases involving terrorism or transnational organized crime are part
of comprehensive mechanisms set out in the universal counter-terrorism
instruments and other instruments dealing with transnational organized crime
(e.g. the United Nations Convention against Transnational Organized Crime).135
It is not the intention of the present publication to provide a detailed restatement
or analysis of how these principles should be implemented by States at the
national level. Rather; its focus is on identifying, within the broad international
cooperation framework established through these instruments, and with reference
to established principles and mechanisms, issues specific to terrorism cases
involving the use of the Internet, in order to provide guidance to policymakers
and practitioners on approaches or strategies that reflect current good practice.
(a) Absence of a universal instrument relating to cyber-issues
240. While the international cooperation mechanisms in the universal instruments

against terrorism, when fully implemented, are likely to provide a legal basis for
cooperation in many cases involving Internet-related acts by persons involved in
the commission of unlawful conduct specified in the instruments, none of them
deals specifically with Internet-related acts per se. In the absence of a counter-
terrorism instrument dealing specifically with Internet issues connected to
terrorism, authorities, when investigating and prosecuting such cases, will
continue to be reliant upon existing international or regional treaties or
arrangements, established to facilitate international cooperation in the
investigation and prosecution of terrorism or transnational organized crime
offences generally.
241. It is clear that international cooperation in the investigation and prosecution
of terrorism cases involving use of the Internet by terrorists is hindered, to some
extent, by the absence of a universal instrument dealing specifically with cyber-
issues. It is not the aim of the present document, however, to assess the relative
merits of arguments in favor or against the utility of the development of a
comprehensive universal instrument dealing with, inter alia, international
cooperation in criminal cases (including terrorism) involving cyber-related
issues. Rather, its focus is on identifying areas under the current international
framework that operate as obstacles to such cooperation and how existing
available instruments and arrangements might be used by national authorities to
facilitate or strengthen international cooperation in terrorism cases involving
some aspect of Internet use.
(b) Other instruments: The United Nations Convention against Transnational

Organized Crime and the Council of Europe Convention on Cybercrime
242. The United Nations Convention against Transnational Organized Crime is

the primary international instrument dealing with the international cooperation
between States on serious transnational organized crime. Articles 16
(extradition), 18 (mutual legal assistance), 19 (joint investigations) and 27 (law
enforcement cooperation) of the Organized Crime Convention deal with
international cooperation. Although the unlawful conduct referred to in the
Organized Crime Convention deals with transnational organized crime, not
terrorism, the underlying principles and mechanisms in that Convention related
to international cooperation are very similar to those set out in the universal
counter-terrorism instruments. As such, those States parties which have
implemented their international cooperation obligations under these instruments
should have broadly compatible frameworks and mechanisms.
243. In addition to the Council of Europe Convention on Cybercrime, the

Council of Europe Convention on the Prevention of Terrorism; the European
Convention on Extradition,138 with its three Additional Protocols, 139 the European
Convention on Mutual Assistance in Criminal Matters, 140 with its two Additional
Protocols;141 and the Council of the European Union Act 2000/C 197/01 (of 29
May 2000] establishing, in accordance with article 34 of the Treaty on European
Union, the Convention on Mutual Assistance in Criminal Matters between the
Member States of the European Union might afford a legal basis for international
cooperation in terrorism cases involving some element of Internet use.
244. The Council of Europe Convention on Cybercrime contains provisions
aimed at encouraging international cooperation via police and judicial
cooperation mechanisms and provisional measures in urgent cases, for example,
the informal provision of spontaneous information upon request (art. 26) and the
establishment of 24/7 points of contact (art. 35). Such requests can be
accompanied by a request for non-disclosure and provide a legal mechanism
enabling the use of informal means of communication and information-sharing
among the parties of the Convention, even if they do not have such a provision in
their national legislation.
245. It is noted that the Council of Europe Convention on Cybercrime is open not
only to members of the Council of Europe or non-member States that have
participated in its elaboration, but may also be acceded to by other non-member
States, in the latter case subject to unanimous agreement of the contracting States
entitled to sit on the Committee of Ministers.
2. Other regional or multilateral arrangements
246. In addition to the international and regional instruments mentioned above,

States may choose to enter into bilateral or multilateral treaties or arrangements
that make specific provision for cooperation on cyber-related activity
connected to terrorism or transnational crime. Extradition and mutual legal
assistance tend to be regulated either by treaties or through "soft law" agreed
upon by blocs of countries. Nevertheless, regional and sub-regional organizations
also play an important role in facilitating the exchange of information and the
provision of cooperation under such mutually agreed arrangements.
(a) European arrest warrant: Schengen framework
247. The European arrest warrant under the Schengen framework is a

cooperation tool applicable throughout all member States of the European Union;
it has proven extremely useful in strengthening legal cooperation in the
investigation and prosecution of criminal cases, including those related to
terrorism in Europe. Once issued, it requires, on the basis of reciprocity, that the
authorities of another member State arrest and transfer a criminal suspect or
sentenced person to the issuing State so that the person can be put on trial or
complete a detention period. In this context, it is noted that the European arrest
warrant provides, inter alia, for the extradition of a member State's own
nationals, a concept formerly alien to the
legal (often constitutional) provisions of many States adhering to the so-called
European continental system.
(b) European evidence warrant
248. Since it came into force in 2009, the European evidence warrant has, in a
similar way to the European arrest warrant with respect to arrests, provided a
streamlined procedure for procuring and transferring evidence, including objects,
documents and data, between member States for use in criminal proceedings. For
the purposes of the European evidence warrant, evidence gathered may include
Internet-related customer data.142
249. Using these framework decisions and other international instruments,

European States have, as a bloc, established a highly developed, broadly
collective approach to the cross-border collection and transmission of evidence
and extradition/surrender of offenders for the purposes of criminal proceedings.
Other Governments might consider, at a political and operational level, the
desirability of adopting and adapting a collective approach at the regional or sub-
regional level to harmonizing their efforts to cooperate in the cross-border
investigation and prosecution of terrorism-related offences.
(c) Commonwealth Schemes relating to extradition and mutual legal assistance
250. In a similar manner to the European arrest warrant under the Schengen
framework, the Commonwealth Scheme for the Transfer of Convicted
Offenders (London Scheme) provides a simplified mechanism for extradition
between Commonwealth countries, providing for the provisional arrest of
offenders on the basis of arrest warrants issued by other member countries,
without the need for an assessment of the evidential sufficiency of the case
against the suspect. The scheme defines offences as extraditable if they constitute
offences in both countries and carry imprisonment for two years or more.
251. Likewise, the Commonwealth Scheme for Mutual Assistance in Criminal

Matters (Harare Scheme) is aimed at increasing the level and scope of assistance
rendered between Commonwealth countries in criminal matters by facilitating the
identification and location of persons the service of documents; the
examination of witnesses; search and seizure of evidence; the appearance of
witnesses; the temporary transfer of persons in custody for purpose of testimony;
the production
of judicial or official records; the tracing, seizure and confiscation of the
proceeds or instrumentalities of crime; and the preservation of computer data.
252. While the Commonwealth Schemes are not treaties as such, they are
examples of non-binding arrangements, or "soft law", under which certain
countries have agreed to incorporate compatible legislation into their domestic
laws, consistent with agreed principles, to simplify extradition and mutual legal
assistance among themselves in criminal cases, including terrorism-related
investigations and prosecutions.
(d) Council of Europe
253. In addition to the elaboration of instruments aimed at promoting

international cooperation in cyber-related criminal cases, including terrorism, the
Council of Europe has also established (under article 35 of the Council of Europe
Convention on Cyber- crime) the Council of Europe 24/7 Network of contact
points available 24 hours a day, seven days a week, which is aimed at facilitating
international cooperation in cybercrime cases. The Council of Europe and
European Union regional projects. CyberCrime@IPA and Cyber-crime@EAP,
among others, support the participation of 24/7 contact points in training events,
which provides an opportunity for them to link up with each other as well as
network with members of the Group of Eight (G-8) network.
254. Since 2006, the Council of Europe has, through its Global Project on
Cybercrime, been supporting countries worldwide in the strengthening of
legislation; the training of judges, prosecutors and law enforcement investigators
in matters related to cybercrime and electronic evidence; and in law
enforcement/service provider cooperation and international cooperation.143
Since 2010, one focus area has been criminal money flows and financial
investigations on the Internet, including Internet-based terrorist financing.144
(e) European Union action plan: cybercrime Centre
255. On 26 April 2010, recognizing the integral role that information and
communications technology plays in modern society and the increasing number,
scope, sophistication and potential impact of threats for multiple jurisdictions
reinforcing the need for strengthened cooperation between Member States and
the private sector, the Council of the European Union adopted conclusions
concerning a cybercrime action plan, to be included in the Stockholm Program
for 2010-2014 and the associated future Internal Security Strategy.
256. Under the plan, members agreed, inter alia, to mandate the European
Commission, in cooperation with Europol, to analyze and report back on the
utility and feasibility of establishing a European cybercrime centre to strengthen
knowledge, capacity and cooperation on cybercrime issues. This work has been
completed and a proposal developed under which Europol would host a new
facility for receiving and processing analytical work files related to serious
organized crime and terrorism.
3. Role of other regional organizations and cooperation agreements
257. As stated earlier, formal cooperation agreements, at the regional or sub-

regional level, between law enforcement or intelligence agencies play an integral
role in efforts by the international community to strengthen and coordinate
measures targeting terrorism and transnational organized crime. While
cooperation under these arrangements is usually not based on legally binding
treaties or other instruments, it can nevertheless provide highly effective
mechanisms for cooperation between participating member countries.
258. Internationally, there are many examples of such arrangements, but three,
operating in Europe, Africa and the Pacific, illustrate how groups of
countries with compatible law enforcement and security interests and objectives
can successfully work together to develop and harmonize close cooperation on
criminal investigations.
259. The French-German Centre for Police and Customs Cooperation, also
known as the Offenburg Centre, was established in 1998 to, inter alia, support the
coordination of multi-agency operations (e.g. search and surveillance operations
and exchanging information collected) across those countries' common border. It
is staffed by police and customs and border agencies from both federal and state
level and handles many thousands of requests each year, serving as a platform for
mediating pragmatic solutions to issues between partner agencies and developing
inter-agency trust and cooperation.
260. In Africa, members of the Southern African Regional Police Chiefs

Cooperation Organization and the Eastern African Police Chiefs
Cooperation
Organization have agreed to specific areas in which police agencies will
cooperate, including in the regular exchange of crime-related information; the
planning, coordination and execution of joint operations, including undercover
operations; border control and crime prevention in border areas, as well as
follow- up operations; the controlled delivery of illegal substances or any other
objects; and technical assistance and expertise, where required.140
261. In the Pacific region, the Pacific Transnational Crime Coordination Centre
provides a hub for the collection, coordination, analysis and sharing of criminal
intelligence data collected via a network of national transnational crime units
located in member countries across the region. The Centre, which is operated by
officers seconded from different law enforcement and border agencies in Pacific
island countries, provides member countries with an access point to INTERPOL
and other law enforcement agencies around the world, via the international
network of the Australian Federal Police, which supports the initiative.
262. Similarly, countries that are not necessarily close geographically, but that
have common interests in thematic areas related to law enforcement and security,
might enter into collective arrangements that provide for information exchange
and intelligence sharing.
(a) Egmont Group of Financial Intelligence Units
263. An example of such an arrangement with implications for investigations

related to terrorist financing is the Egmont Group of Financial Intelligence Units.
Investigations into suspected terrorist financing will invariably involve the
collection, sharing and analysis of financial or banking records located in one or
more jurisdictions. In these cases, the ability of financial intelligence units to
cooperate and share financial intelligence is likely to be critical to a successful
investigation and prosecution. The Egmont Group, an international body
established in 1995, works to promote and improve cooperation between
financial intelligence units in efforts to counter money-laundering and the
financing of terrorism and to foster, among other things, the expansion and
systematization of international cooperation in the reciprocal exchange of
information. The Egmont Group recommends that its members enter into
memorandums of understanding in which they agree to exchange financial
intelligence relevant to the investigation and prosecution of terrorist financing,
money-laundering and related criminal activity.
264. In order to ensure that their national financial intelligence units are able to
cooperate effectively with foreign counterparts in such cases, authorities should
consider the desirability of entering into appropriate information-sharing
agreements or arrangements with foreign counterparts. The model memorandum
of understanding suggested by the Egmont Group provides useful guidance on
the types of issues that might need to be addressed.
(b) International Criminal Police Organization
265. Many international instruments, including the International Convention for

the Suppression of the Financing of Terrorism (art. 18, para 4) and the United
Nations Convention against Transnational Organized Crime (art. 18, para. 13)
and various Security Council resolutions, including resolution 1617 (2005),
specifically encourage countries to work within the INTERPOL framework for
cooperation on the exchange of information.
266. One of the core functions of INTERPOL is to promote international

cooperation between international law enforcement agencies and the fast and
secure exchange and analysis of information related to criminal activities. It does
this via its 1-24/7 system, which is available to law enforcement officials in all
member countries.
267. Using the 1-24/7 system, national central bureaus can search and cross-
check a wide range of data, including information on suspected terrorists and a
variety of databases. The aim of the system is to facilitate more effective
criminal investigations by providing a broader range of information for
investigators.
268. In addition to the I-24/7 network, the cybercrime program of INTERPOL is

aimed at promoting the exchange of information among member countries
through regional working parties and conferences, delivering training courses to
build and maintain professional standards, coordinating and assisting
international operations, establishing a global list of contact officers for
cybercrime investigations, assisting member countries in the event of
cyberattacks or cybercrime investigations through investigative and database
services, developing strategic partnerships with other international organizations
and private sector bodies, identifying emerging threats and sharing this
intelligence with member countries and providing a secure web portal for
accessing operational information and documents.147
269. Since 2009, INTERPOL has worked closely with University College Dublin
to provide specialist training and academic exchanges to promote law
enforcement e-crime investigation expertise. In August 2011, cybercrime
investigators and computer forensic specialists from 21 countries took part in the
first INTERPOL/University College Dublin cybercrime summer school training
course. The two-week programmer, which was developed by the University,
included case-simulation exercises and was delivered by professionals from law
enforcement, University College Dublin and the private sector The event was
aimed at developing theoretical and practical knowledge and skills across a range
of areas to assist investigators in conducting more effective cybercrime
investigations and provided participants with skills in such areas as disk imaging,
live data forensics, mobile phone forensics, money-laundering investigations,
search and seizure techniques, VolP and wireless investigations and malware
detection and analysis. 148
270. Finally, the High-Tech Crime Unit of INTERPOL facilitates operational

cooperation among member countries through global and regional cybercrime
expert group meetings and training workshops, as well as cooperation among law
enforcement, industry and academia. It also assists member countries in the event
of cyberattack and in cybercrime investigations, through investigative and
database services.
(c) European Police Office
271. A major part of the mandate of Europol is to improve the effectiveness

of and cooperation among law enforcement authorities of European Union
member States in preventing and combating terrorism and other forms of
transnational organized crime. Europol plays a key role in the European
Cybercrime Task Force, an expert group made up of representatives from
Europol, Eurojust and the European Commission, working together with the
heads of European Union cybercrime units to facilitate the cross-border fight
against cybercrime. Europol offers the following support to European Union
member States on cybercrime related issues:
 Cybercrime database: Europol provides European Union member States
with investigative and analytical support on cybercrime and facilitates
cross-border cooperation and information exchange
 The Threat Assessment on Internet Facilitated Organized Crime (GOCTA)
assesses current and future trends in cybercrime, including terrorist
activities, and attacks on electronic networks, which informs both
operational activity and European Union policy
 The Internet Crime Reporting Online System (ICROS) and the Internet and
Forensic Expert Forum (IFOREX) are currently in development. These
will provide centralized coordination of reports of cybercrime from the
authorities of European Union member States, and will host technical data
and training for law enforcement.149
272. In addition to this support, at an operational level and in conjunction with

Euro-just, Europol is heavily involved in the establishment and support of joint
investigation teams and provides support to member States with respect to
investigations through analytical work files and case-based coordination and
tactical meetings. Under the analytical work file platform for analysis,
nominative data (e.g. information on wit nesses, victims, telephone numbers,
locations, vehicles and events) is stored and subjected to a dynamic analytical
process linking objects, entities and data between national inquiries and
investigations. The data is tagged with a "handling code" that clearly indicates
the conditions of use attached to that particular data component.
(d) Euro-just
273. As part of its mandate, the work of Euro-just in the counter terrorism field
includes the facilitation of the exchange of information between the judicial
authorities of the different member States involved in terrorism-related
investigations and prosecutions, supporting the judicial authorities of member
States in the issuance and execution of European arrest warrants; and facilitating
investigative and evidence gathering measures necessary for member States to
prosecute suspected terrorism offences (e.g. witness testimony, scientific
evidence, searches and seizures, and the interception of communications). The 27
Euro-just national members (judges, prosecutors or police authorities with
equivalent competences in their respective member States) are based in The
Hague, the Netherlands, and are in permanent contact with the national
authorities of their respective member States, which may request the support of
Euro-just in the course of particular investigations or prosecutions against
terrorism (e.g. in resolving conflicts of jurisdiction or facilitating the gathering of
evidence).
274. Euro-just also encourages and supports the establishment and work of joint
investigation teams by providing information and advice to practitioners. Joint
investigation teams are increasingly recognized as an effective instrument in the
judicial response to cross-border crime and an adequate forum in which to
exchange operational information on particular terrorism cases. Euro-just
national members can participate in joint investigation teams, acting either on
behalf of Euro-just or in their capacity as national competent authorities for
terrorism. For example, in a Danish case related to terrorist activities, in which a
request for the establishment of a joint investigation team was forwarded to
Belgian authorities, the Danish and Belgium desks at Euro-just were involved in
setting up the team between the two competent national authorities. Euro-just
also provides financial and logistical assistance to the operations of such teams
and hosts the permanent secretariat for joint investigation teams.
275. The Terrorism Convictions Monitor of Euro-just is also intended to provide

practitioners with examples of judgments in one country which might be useful
in another, in particular with respect to interpreting European Union legislation
on terrorism. In its September 2010 edition, the Terrorism Convictions Monitor
provided in-depth analysis of two cases featuring common attributes, such as
jihadist-related terrorism, radicalization and use of the Internet. One of the cases,
provided by Belgian authorities, was Maika el Aroud and Others, referred
to below (see para. 377). The Counter-Terrorism Team of Euro-just regularly
organizes tactical and strategic meetings on terrorism trends, in which leading
magistrates and experts on terrorism law from European Union and non-
European Union countries share their expertise on concrete matters. Examples of
such meetings include the 2010 strategic meeting relating to the use of V O L P
technology for terrorist purposes and the need for lawful interception, and a
tactical meeting held in April 2011 on violent single issue
extremism/terrorism. At these meetings, common issues are identified, and best
practices and resulting knowledge are disseminated to European Union decision
makers, identifying possible ways to make counter-terrorism coordination more
effective.
C. National legislative frameworks
276. The existence, at the national level, of a legislative framework providing for
international cooperation is a fundamental element of an effective framework for
the facilitation of international cooperation in the investigation and prosecution
of terrorism cases. Such legislation should incorporate into a country's domestic
law
the principles related to international cooperation espoused in the universal
instruments against terrorism.
277. In addition to producing a number of publications aimed at assisting

countries with the legislative incorporation of international cooperation
mechanisms, the Terror- ism Prevention Branch of UNODC includes advisory
support, training and capacity building on these issues as part of its menu of
services available to countries on the implementation of their international
counter-terrorism obligations.
D. Non-legislative measures
278. While accession to multilateral and bilateral instruments and adopting

related legislation are fundamental components of any effective regime for
international cooperation, they are not the entire answer. A key element in the
successful provision of effective international cooperation is the presence of a
properly resourced and proactive central authority which can, based on any
available mechanisms (both formal and informal), facilitate cooperation in a
timely and efficient manner.
279. An important precondition for successful international cooperation is the

presence of effective inter-agency coordination between law enforcement,
specialist intelligence agencies (e.g. financial intelligence units) and central
authorities at the national level, supported by necessary legislation and clear,
streamlined procedures for handling requests.
280. A good example of cooperation, at both the national and international

level, is illustrated in the following case, prosecuted in Colombia, with extensive
formal and informal cooperation between authorities.
Case involving the Revolutionary Armed Forces of Colombia
(FARC)
On 1 March 2008, the Colombian armed forces carried out various operations against alleged members
of the Revolutionary Armed Forces of Colombia (FARC). During these operations, an individual
suspected of being one of the top leaders of FARC and several other members of the organization were
killed, and evidence was retrieved, which included electronic devices such as computers, digital diaries
and USB sticks. The objects containing digital evidence were passed to the Colombian judicial
police for use in passible criminal investigations and prosecutions.
The data retrieved from the digital devices revealed information related to the organization’s
international network of support, including links to several countries in Central and South America and
in Europe. The network's primary objective was fundraising for FARC activities, the recruitment of
new members and the promotion of the organization’s policies, including the removal of the
organization’s designation on various terrorism lists maintained by the European Union and same
countries. Based on the evidence retrieved, the Public Prosecutor of Colombia initiated criminal
investigations against the persons allegedly supporting and financing FARC.
The evidence, which was shared by Colombian authorities with counterparts in Spain, led to the
identification of the leader of FARC in Spain, known by the alias "Leonardo". "Leonardo entered Spain
in 2000, and was granted political asylum.
The Public Prosecutor of Colombia obtained sufficient evidence to order the issuance of an arrest
warrant for the purposes of extradition against "Leonardo" and used diplomatic and other legal
international cooperation channels to request his extradition to Colombia for trial.
"Leonardo" was arrested in Spain, and searches of his residence and workplace revealed documents and
electronic devices that contained evidence of his links to the crimes under investigation. He was
subsequently released on bail; his refugee status prevented his immediate extradition.
Criminal proceedings were initiated in Colombia against "Leonardo" in absentia for his alleged
involvement in the financing of terrorism. Ina decision by the Supreme Court of Justice of Colombia,
the information obtained during the 1 March 2008 operation and located on the seized electronic
devices was deemed inadmissible. The Prosecutor subsequently, in conjunct on with counterparts in
several other countries where members of the FARC network of support were present, used all
available channels of international cooperation to identify members of the network in Spain and other
European countries and collect further evidence in support of the case.
Additionally, in responding to the letters rotatory issued by the Public Prosecutor of Colombia, the
Spanish judicial authorities transmitted to their Colombian counterparts all the information collected
during the raids and searches of "Leonardo's house. According to the Spanish judicial police, this
information established the culpability of "Leonardo" and other persons with respect to forming a
FARC terrorist cell in Spain. It also helped establish "Leonardo's" culpability for the financing of
terrorism and strengthened the assumption of possible links between "Leonardo" and persons being
prosecuted for their Inks with the terrorist group EUSKADI Ta ASKATASUNA (ETA) (Basque
Homeland and Liberty).
The searches conducted in Spain resulted in the seizure of further documentary and digital evidence,
which was substantively similar to the evidence that had been declared inadmissible. Using this new
evidence provided by Spanish authorities, the Colombian Prosecutor continued the proceedings against
Leonardo". Furthermore, the new evidence established efforts by FARC to provide its members with
access to universities, non-governmental organizations and other State entities where funding
opportunities could be sought and new members recruited.
The evidence also supported the existence of an "international commission" within FARC, which
operated a security programmer for communications, particularly those transmitted via the Internet or
radio waves (permanent means of communications between the leaders of the organization and
members of the international network of support), by encrypting the information transmitted, using
steganography to conceal messages, sending spam e-mails and deleting browsing histories to ensure
that information could not be retrieved by investigative or judicial authorities. In this regard, Spanish
and Colombian authorities cooperated to break" the keys and decipher the content of the messages that
were transmitted from the alleged leaders of FARC in Colombia and Spain.
Before initiating the proceedings against "Leonardo", the Public Prosecutor of Colombia submitted a
request to a judge that the new evidence be deemed "evidence subsequently received" and from an
"independent source. The effect of these requests, which were granted, was to allow the inclusion of the
evidence in the legal proceedings without triggering the grounds on which similar evidence would
otherwise have been excluded.
The Prosecution of the defendant "Leonardo" in absentia on charges of financing of terrorism is

currently ongoing in Colombia, pending the outcome of the extradition proceedings.
R.V Said NAMOUH

Mr. Sad NAMOUH was a Moroccan national living in a small town in Canada.
On 10 March 2007, a video in the form of an "open" letter read by Sheik Ayman al-Zawahiri was
posted on an Internet website. In it, A-Zawahiri warned the Governments of Austria and Germany to
withdraw their troops from peace-support missions in Afghanistan or face consequences. At one point
in the statement, Al-Zawahiri stated:
 Peace is a reciprocal matter, if we are safe, you will be safe. If we are at peace, you will be at
peace and, if we are going to be killed, God willing, you will be beaten and killed. This is the
exact equation. Try, then, to understand it, if you understand.
The video, with the accompanying statements by Al-Zawahii, was set against a mosaic of images that
included armored cars with national flags and prominent Austrian and German national politicians. In
some parts of the video, there were photos of Al-Zawahiri and other hooded figures.
Following the broadcast of the video, Austrian authorities initiated an investigation that included
wiretaps on various communications from Mohammed Mahmoud, an Austrian national living in
Vienna.
Following the broadcast of the video, Austrian authorities initiated an investigation that included
wiretaps on various communications from Mohammed Mahmoud, an Austrian national living in
Vienna.
These communications consisted of VOLP and Internet chat sessions, conducted in Arabic, which
revealed that Mr. Mahmoud was engaged in communication about issues associated with jihad with a
person in Canada, including plans for a terrorist attack, most likely in Europe. The participants
discussed using explosives and other arrangements related to an attack.
As a result of interception activities, Sad Namouh, living in Canada, was identified as one of the
participants in the above communications. In July 2007, the Royal Canadian Mounted Police became
involved in the investigation, which was coordinated between Austrian and Canadian authorities
through Canada's law enforcement liaison officer based in Vienna. While a formal mutual legal ass
stance treaty existed between Austria and Canada, no formal mutual legal assistance request under the
treaty was initiated; the cooperation took place entirely on an informal basis.
Investigations revealed that between November 2006 and September 2007 someone using
Mr. NAMOUH`S Internet connection was spending a considerable amount of time on the Internet and
was in constant contact with jihadists around the world, including via the Global Islamic Media Front
(GIMF), one of the oldest and most prominent virtual jihadist groups. Supported by Al-FAJR Center, G
MF acts as the media arm for the Army of Islam (JAISH al-Islam). Among other things, GIMF
disseminates propaganda and provides jihadists with the tools (e.g. bomb manuals, encryption
software) needed to carry out jihad. Much of Mt. Namouh's internet activity involved postings on
various discussion forums frequented by jihadists
In May 2007, BBC journalist Alan Johnston was kidnapped in Gaza by the "Army of slam" GIMF
published several videos related to this event, but of particular note was the video published on 9 May
2007, in which the Army of Islam claimed responsibility for the kidnapping, as well as videos
published on 20 and 25 June, in which threats to execute him were made if certain demands were not
met. Fortunately, Mr. LOHNSTON was released unharmed on 3 July 2007
On 7 and 8 May, communications by Mr. NAMOUH VA an Internet chat forum, intercepted by

authorities, revealed that Mr. NAMOUH was participating in discussions related to the Alan
JAHNSON kidnapping, and specifically in discussions about the preparation of the GIMF message
claiming responsibility, which was broadcast a short time later on 9 May. According to a transcript of
the Internet chat on 8 May, produced in evidence at trial (and translated from Arabic to French), Mr.
NAMOUH posted: "My beloved brother Abo-Obayada, stay with us on the line, may Allah fulfil you
with riches so that you may see what needs to be done; the statement will be made today God willing."
In total, between 3 June and 9 September 2007, 31 conversations took place between NAMOUH and
Mahmoud. These conversations revealed them to be planning to carry out a bombing at an undisclosed
location in Europe and discussing how to obtain or make suicide explosive belts, financing issues and
travel plans to meet other persons in the Maghreb and Egypt for final preparations. These
conversations suggested that Mt. Namouh was the intended suicide bomber
On 12 September 2007, fearing the plans were getting very close to fruition, authorities in Austria and
Canada carried out the simultaneous arrests of NAMOUH and MAHMAUD.
In Canada, Mr. NAMOUH was charged with conspiracy to use explosives (unknown location in Europe)
participation in the activities of a terrorist group, facilitating terrorist activities and extortion of a foreign
Government (threat video against Austria and Germany).
At trial, Mr. Namouh's defense challenged several aspects of the prosecution, including by raising
constitutional arguments based on the right to freedom of expression (related to the issue of whether the
GMF was a terrorist organization). Objections were raised to the objectivity of the primary expert witness
called by the prosecution to give testimony on the Al-Qaida movement, its offshoots, global jihadism
(including virtual jihadism) and the methods and style of GIMF propaganda and the organization's use
of the Internet. The defense also challenged whether activities undertaken by G MF and associated groups
amounted to terrorism, as well as the reliability of evidence related to the interception of Internet-based
communications in Austria and Canada and the accuracy of translations of the records of these
communications from Arabic into French. The defense asked the court to find that different messages
circulated by Mr. NAMOUH on behalf of GIMF should be taken figuratively and not as acts counseling or
encouraging acts of terrorism.
In considering the defense arguments in relation to the nature of the material posted or communicated on
behalf of GIMF, the court concluded:
 The Court has no doubt on this subject. The context of these messages clearly refers to reactions
encouraged by the GIMF Death and destruction are everywhere. The jihad promoted by the GIMF
is a violent one. This promotion clearly constitutes counseling ("encouragement") and sometimes a
threat of terrorist activity Therefore, this activity clearly falls within the definition of terrorist
activity within the meaning of Section 83.01 of the Criminal Code.
In finding that Mr. NAMOUH was guilty of counseling or encouraging acts of terrorism, the court referred
to intercepted communications containing statements which showed the zealous, active nature of his
participation in the activities of GIMF Also relevant in the court's view were several posts, including
the one below from 12 December 2006, in which the defendant expressed his wish to conceal his activities,
and those of GIME, by removing incriminating computer data:
[TRANSLATION] URGENT…. URGENT…. URGENT

May the peace, mercy, and benedictions of Allah be with you
I want to erase all the jihadist films and books that are on my computer without leaving any traces, may
Allah bless you, because I suspect that someone has inspected my computer.
May the peace, mercy, and benedictions of Allah be with you.
In other communications, the defendant enquired about the use of anonymizing software and similar tools
that could be used to conceal his activities. Following trial in October 2009, the defendant was found guilty
of all charges; he was later sentenced to life imprisonment.
(b) Joint investigations
287. While the concept of "joint investigations" is mentioned in some

international treaties (e.g. article 19 of the United Nations Convention against
Transnational Organized Crime), there is no express reference to the strategy
in the universal counter-terrorism instruments. Nevertheless, such an approach to
investigations is entirely consistent with the underlying principles and spirit of
the international cooperation elements of these instruments. Some countries,
particularly in Europe, have successfully adopted this approach in a number of
terrorism-related investigations, and the important role of Europol in establishing
and supporting joint investigation teams is noted. The main purpose of these joint
investigation teams, which comprise both national law enforcement officers and
Europol officers, is to carry out investigations for a specific purpose and limited
duration in one or more member States.152
288. Europol works with a system of national units, which are designated contact
points within national police forces. It facilitates and encourages information
exchange between member States through a secure digital network and provides
a system of 17 analytical work files within the Europol legal framework,
primarily aimed at enabling participating authorities to ensure full coordination
and cooperation.
289. While it is difficult to assess, at the international level, the extent to which
countries have collaborated in this manner, discussions at the expert group
meeting highlighted the increasing awareness within the international law
enforcement and security communities that the nature of modern terrorism and
mod operandi of terrorists makes close cooperation in the investigation of
terrorism an increasingly important component of successful efforts to disrupt,
prevent and prosecute terrorist acts.
E. Formal versus informal cooperation
290. International cooperation in terrorism cases involving a cross-border

element can take many forms, depending on the nature of the offence being
investigated, the type of assistance sought, the applicable national legislation and
the existence and status of any supporting treaty or arrangement.
291. Despite improvements in the overall level of their efficiency and
effectiveness, formal mutual legal assistance procedures in criminal cases can
still be lengthy processes, involving considerable amounts of bureaucracy for
both requesting and requested countries. In many terrorism cases, particularly
those involving Internet-related crimes, informal cooperation is increasingly
proving to be as important as formal channels, avoiding considerable delays in
situations in which time-critical actions (e.g. the preservation of Internet-usage
data) are pivotal to a successful prosecution outcome. Participants at the expert
group meeting highlighted the importance of the proactive development and
utilization, wherever possible, by national intelligence, law enforcement
authorities and prosecutors of mechanisms available for facilitating both informal
and formal channels for international cooperation.
292. In many cases, for example when authorities in one country seek the
preservation of Internet data held by an ISP in another country, it might be
possible for authorities to cooperate informally to preserve such data for the
purpose of the investigation or prosecution of a criminal offence.
293. The legal issues associated with the conduct of Internet-related criminal
investigations, particularly issues related to jurisdiction, can be extremely
complex. In cases in which investigators in one country need to access
information held on computers located in another country, complex questions can
arise about the legal authority and the basis for their actions. While it is possible
for authorities in one country to deal directly with parties holding the information
they seek in another, the responses to this approach may vary. As a general rule,
it is desirable for authorities to work with their foreign counterparts, if possible
on an informal basis, to obtain such information.
294. The form and method of cooperation will depend largely on the nature and
intended purpose of the assistance requested. For example, while authorities
in one country might be able to afford informal assistance to foreign counterparts
by seeking the voluntary preservation of Internet-related data from ISPs, the
search and seizure of such data will usually require judicial authorization,
which can only be obtained by formal means.
295. Sometimes, the use of formal requests is the only method by which
authorities can provide the required mutual cooperation. In such cases, it is
important that countries have in place legislation and procedures that provide
for
timely and effective responses to requests, to maximize, to the extent possible, the
likelihood of such assistance being successful.
Informal cooperation
296. Given the potential importance and urgency of locating and securing
Internet related data in terrorism investigations, and the probability that such data
will be held in another country, investigators need to consider both formal and
informal means of obtaining it. While formal mutual legal assistance channels
might offer greater certainty with respect to associated legal issues, they also take
longer and involve more bureaucracy than informal channels.
297. At the expert group meeting, the expert from Canada emphasized the critical
role that the close informal cooperation between the Royal Canadian Mounted
Police and Austria's Federal Agency for State Protection and Counter-Terrorism
(BUNDESAMT für VERFASSUNGSSCHUTZ und Terrorismusbekämpfung),
facilitated through Canada's liaison officer based in Vienna, played in the
successful outcome of the prosecution. In addition to that case, other experts
referred to other similar examples in which the use of liaison officers to facilitate
informal cooperation had been instrumental in successful outcomes.
298. Internet-related data such as customer usage data held by ISPs is likely to be
crucial evidence in terrorism cases involving the use of computers and the
Internet. If investigators can secure physical possession of computers used by a
suspect, as well as associated usage data held by ISPs, they are more likely to
establish the link between the suspect and the commission of a crime.
299. With this is mind, it is important that investigators and prosecutors be fully
cognizant of the potential importance of Internet-related data and the need to take
the earliest possible steps to preserve it in a manner that ensures its
admissibility as potential evidence in any later proceedings. To the extent
possible, national law enforcement agencies should develop, either directly with
ISPs or with counterpart agencies in other countries, clear procedures, involving
both formal and informal elements, aimed at ensuring the earliest possible
retention and production of Internet-usage data required for a criminal
investigation.
300. In the United States, where many major 1SPs are hosted, a "dual"
approach is used by authorities to assist foreign counterparts with the retention
and production of Internet-related data held by ISPs based in the United States,
for possible evidential purposes. Under this approach, foreign requests for
retention and production of user account information of Internet service providers
could be handled in two ways:
(a) Informal process. There are two ways by which investigating authorities
can secure the retention of Internet related data held in the United States by
informal means: (I) foreign authorities can develop a direct relationship
with ISPs and make a direct informal request that they retain and produce
the required data; or (ii) if no direct relationship exists, they can make an
informal request through the Federal Bureau of Investigation, which will
make the request to the ISP;
(b) Formal process. Under the formal process, foreign authorities can make a
formal mutual legal assistance request for data related to a specific user
account, which goes through the Office of International Affairs of the
United States Department of Justice. Upon receipt, the request will be
reviewed by the Department's Counterterrorism Section to identify whether
it is connected to any investigation being led by the United States. If
not, the request is submitted to a federal court for the necessary warrant
authorizing the collection and transmittal of the required information to
authorities in the requesting country.
301. The above approach for production of ISP-related data has been used
successfully in several terrorism investigations by authorities in the United
Kingdom and the United States. In one particular case, the procedures resulted
in a United States-based ISP providing a substantial cache of Internet data
which was crucial evidence in a prosecution in the United Kingdom.
F. Challenges and issues
302. By its very nature, the virtual geographical footprint, fragmented structure
and rapidly evolving technology associated with the Internet presents ongoing
challenges and issues for law enforcement and criminal justice authorities
involved in the investigation and prosecution of terrorism cases. The discussion
at the expert group meeting highlighted some areas that were currently
problematic
in relation to international cooperation. These included difficulties, in some
cases, in satisfying the dual criminality requirements in extradition and mutual
legal assistance requests. A number of experts had experienced cases in which
mutual legal assist once or extradition requests had been delayed or refused
because of problems satisfying dual criminality requirements. In some cases, that
had been a result of the incompatibility of criminal offence provisions, but in
others it was the result of an unduly restrictive approach to judicial interpretation
of corresponding criminalization provisions by the judiciary. Several experts
considered that this situation highlighted the need for training for members of the
judiciary on international cooperation issues.
I. Protecting sensitive information
303. Experts from several countries at the expert group meeting referred to the
ongoing challenges associated with the sharing of sensitive intelligence
information by national law enforcement and intelligence agencies with foreign
counterparts. Invariably, in terrorism cases criminal investigations and
prosecutions are intelligence-based, at least in the early stages, and involve
sensitive information that is closely held and protected. The disclosure of such
information carries considerable risks, often not only for its originating source
but also for the agency or agencies holding it, particularly if disclosure is likely to
or might compromise an ongoing or future investigation or operation.
304. Assessments by national authorities on whether and in what circumstances

to share such information, or under what conditions, can be complex, requiring
them to balance a number of factors. Nevertheless, regardless of the specific
criteria used for assessing the possible sharing of information, in all cases,
regardless of the circumstances, the agency making the disclosure will want to
satisfy itself that the receiving agency will provide the agreed safeguards and
protection to the information once in its possession.
2. Sovereignty
305. The concept of sovereignty, including the right of nations to determine their
own political status and exercise permanent sovereignty within the limits of their
territorial jurisdiction, is a widely recognized principle under international
relations and law. Cases requiring the investigation or prosecution of cross-
border
activities of terrorists or other criminals might have sovereignty implications
for those countries in which investigations need to be undertaken.
306. In some instances, concerns, valid or otherwise, held by national authorities

about perceived intrusion into their State's sovereignty can impede effective
international cooperation in criminal cases. It is therefore important, when
considering investigative actions involving the collection of evidence related to
computers or the Internet, for investigators and prosecutors to be mindful of the
potential implications such investigative actions might have for the sovereignty
of other States (e.g. authorities in one country remotely searching the computer
being operated by a suspect located in another country).
307. Generally speaking, whenever possible, national authorities considering

investigative steps relating to persons or objects located in another jurisdiction
should notify and coordinate such actions with their foreign counterparts in
relevant countries.
3. Retention and production of Internet-related data
308. As stated, in many terrorism cases an important part of the evidence against
suspected offenders will relate to some aspect of Internet-related activity by the
suspect (e.g. credit card billing information and customer usage data related to
Internet-based communication such as e-mail, VOLP, Skype or related to social
networking or other websites). In many cases, it will be necessary for
investigating authorities to ensure that the relevant Internet-data is retained and
preserved for later evidential use in proceedings. In this regard, it is important to
note the distinction between "retention" of data and "preservation" of data. In
many countries, ISPs are obliged by law to retain certain types of data for a
specified time period. On the other hand, preservation refers to an obligation
imposed on an ISP, pursuant to a judicial order, warrant or direction, to preserve
data under specified terms and conditions for production as evidence in criminal
proceedings.
309. One of the major problems confronting all law enforcement agencies is the
lack of an internationally agreed framework for retention of data held by ISPs.
While Governments in many countries have imposed legal obligations on locally
based ISPs to retain Internet-related data for law enforcement purposes,
internationally there is no single, universally agreed, standard time period
for which every ISP is obliged to retain this information.
310. As a result, while investigators in countries that have imposed data-retention

obligations on ISPs have some certainty, when engaged in purely domestic
investigations, about the type of Internet data that will be retained by ISPs and for
how long, the same cannot be said in those investigations in which they are
required to collect data held by an ISP in another country.
311. In the United States, the current approach requires ISPs to retain usage
data at the specific request of law enforcement agencies, with providers applying
widely varying policies for storing data, ranging from days to months.
312. While there have been some efforts, most notably within the European
Union, to achieve some consistency on this issue, this has proven, even at the
European Union level, to be problematic Under directive 2006/24/EC of the
European Parliament and of the Council of the European Union of 15 March
2006 on the retention of data generated or processed in connection with the
provision of publicly available electronic communications services or of public
communications networks and amending directive 2002/58/EC, in dealing with
the retention of data held by providers of electronic communications services and
public communications networks, European Union member States are obliged to
ensure that regulated providers retain specified communications data for a period
of between six months and two years. Nevertheless, despite the Directive, there
remains no single consistent data-retention period for all ISPs hosted within the
European Union, with periods ranging across the six-month to two-year time
period set by the directive. Consequently, while there is a greater measure of
certainty on these issues even within the European Union context, there are
differences in the duration for which data is held by ISPs based there.
313. Several participants at the expert group meeting were of the view that the
development of a universally accepted regulatory framework imposing consistent
obligations on all ISPs regarding the type and duration of customer usage data to
be retained would be of considerable benefit to law enforcement and intelligence
agencies investigating terrorism cases.
314. With no universally agreed standards or obligations on ISPs and other
communication providers relating to the retention of Internet-related data, it is
important in criminal investigations that investigators and prosecutors identify at
the earliest possible stage whether such data exists and for what time frame,
whether it is likely to be of relevance to a prosecution and where it is located,
along with the applicable time frame, if any, for which it must be retained by the
party holding it. If in doubt, it would be prudent for authorities to contact their
counterparts in the country in which the data is located and initiate steps (either
formal and informal) that might be necessary to secure the preservation of
the data for possible production. Depending on the circumstances, including their
familiarity or relationship with the relevant ISP, authorities might consider
contacting the ISP directly and seeking its informal assistance. Given sensitivities
over compliance with customer confidentiality and national privacy laws,
however, the level of responsiveness by ISPs to such direct, informal requests
can be highly variable. It would always be prudent for investigators and
prosecutors to communicate and coordinate their efforts with their foreign
counterparts to secure the preservation and production of such information.
4. Evidential requirements
315. In order for testimony, exhibits or other information to be admissible as

evidence in criminal proceedings, investigators and prosecutors need to exercise
great care to ensure that the methods used in its collection, preservation,
production or transmission are in full accordance with applicable laws, legal
principles and rules of evidence. A failure to observe the requirements relating to
the admissibility of evidence can weaken the prosecution case, to the point that
authorities may even be obliged to discontinue or withdraw the prosecution case.
In the Namouh case, Canadian prosecutors were able, through close collaboration
with their Austrian counterparts, to ensure that vital evidence relating to the
defendants' use of Internet chat rooms and websites was collected and transmitted
to Canada for use in an admissible form even though there were differences
between the two countries in the applicable rules of evidence.
316. In terrorism cases, there are a number of issues that can pose considerable
challenges for authorities in ensuring the admissibility of certain types of
information. Successfully overcoming them remains an ongoing challenge for all
practitioners involved in the investigation and prosecution of terrorism-related
cases, which often contain characteristics that could impede the admissibility
of
information. The transnational nature of terrorism cases, including the extensive
use of intelligence (often provided by foreign partners under strict conditions) or
highly specialized, often covert and intrusive, search, surveillance and
interception methods as the basis for the collection of evidence, can present
significant obstacles to authorities seeking to present admissible evidence to a
court or tribunal.
317. In the terrorism context, with specific reference to evidential issues that
might arise in relation to the Internet or computer technology, the general
approach taken by investigators and prosecutors remains the same. Issues of
particular importance are likely to be the need to secure, at the earliest possible
opportunity, physical possession of computers or similar devices allegedly used
by suspects; and the need to apply appropriate measures, in accordance with
recognized good practice, to protect the integrity of these exhibits (i.e. the chain
of custody/evidence) and undertake any digital forensics A failure to follow these
procedures could potentially affect the admissibility of this type of evidence.
Other forms of evidence that might require particular care include material
obtained as a result of search and/or surveillance activities, which must be carried
out only within the terms of the appropriate judicial authorization.
318. When managing evidential issues, at the investigative stage, it is

important that investigators have sufficient understanding of the legal
rules/principles applicable to investigative actions they are undertaking
as part of an investigation and/or to communicate closely with prosecutors, by
both updating them and seeking legal advice.
In cases in which evidence is being collected by authorities in one
country for use in a prosecution taking place in another, close
communication and coordination with foreign counterparts on the
actions being taken to collect and preserve evidence is very important. As part
of this coordination, it is important that authorities undertaking
investigative actions clearly understand the evidential requirements/implications
associated with their actions in the jurisdiction in which the evidence is
ultimately to be used. Issues associated with the admissibility of foreign
evidence in terrorism-related cases are dealt with more broadly in the UNODC
Digest of Terrorist Cases.153
5. Dual criminality
319. A requirement, commonly found in the universal counter-terrorism

instruments and other international, regional and bilateral instruments relating to
terrorism and transnational organized crime, is that only unlawful conduct that
constitutes a criminal offence in both the requesting and requested States can
form the basis for international cooperation. This requirement, known as "dual
criminality", can present difficulties in all criminal investigations and
prosecutions, not merely those relating to terrorism, involving some element of
international cooperation. Several participants at the expert group meeting
identified the dual criminality issue as an ongoing fundamental problem, which
often led to mutual legal assistance or extradition requests being refused when
authorities in requested countries considered dual criminality requirements not to
have been satisfied.
320. In the terrorism context, in the absence of any universal obligation on States
to criminalize specific unlawful conduct carried out over the Internet, central
authorities are likely to be reliant, when making or receiving requests for
international cooperation, on criminal offences established under terrorism-
related legislation or their national penal codes. For example, in the case of
alleged acts of incitement to terrorism that occur over the Internet, owing to
differences in the legal approach taken by States with respect to such conduct,
international cooperation requests might need to be based on inchoate offences
such as solicitation.
321. In addressing this issue, it is desirable that Governments, when

criminalizing the required unlawful conduct associated with terrorism, formulate
offences in terms that are as close as possible to those contained in relevant
instruments. Moreover, to the extent permitted under national legal systems,
legislation should be drafted in a way that is not unduly restrictive with respect to
the issue of dual criminality, providing central authorities and judges with
sufficient scope to focus on and assess the substance of the unlawful conduct that
is the subject of requests rather than adopting an unduly narrow approach. If this
legislative approach is adopted uniformly by States, the full benefits of legislative
harmonization intended by the instruments will be achieved and the potential for
problems with respect to dual criminality reduced.
322. While issues related to dual criminality can create difficulties in criminal
cases involving international cooperation generally, they can be particularly
problematic in cases involving certain terrorism-related crimes committed by
using the Internet (e.g. incitement) in which the risk of incompatibility
between the national legislative and constitutional frameworks of corresponding
States might be higher. An example, discussed at the expert group meeting,
relates to the position regarding extradition from the United States of persons
accused of the crime of incitement. In that country, there are strong constitutional
safeguards relating to freedom of speech, enshrined in the First Amendment to
the United States Constitution. Under United States law, statements amounting
to independent advocacy for any ideological, religious or political position are
not considered criminal acts per se, although they might constitute acts
amounting to the provision of information at the direction of or in order to
control a terrorist organization, or fall within the scope of the offence of
solicitation. Given this position, mutual legal assistance or extradition requests
related to alleged acts of incitement involving some constituent element within
the United States might be problematic from a dual criminality perspective,
requiring authorities in both countries to take a flexible and pragmatic approach.
323. In addition to having compatible legislation and a flexible approach to

applying such legislation, it is important that investigators, prosecutors and the
judiciary be well trained and that they understand the way international
cooperation mechanisms fit into the international community's response to
terrorism and transnational organized crime.
6. Differences in the application of constitutional and human rights safeguards
324. Matters related to human rights and constitutional safeguards touch on many
issues associated with the investigation and prosecution of terrorism, including
those related to international cooperation. Again, using acts relating to the
incitement of terrorism as an example, different national approaches to the
application of constitutional rights and/or human rights can be reflected in
different legal approaches. This can lead to difficulties in international
cooperation cases in which States seek to request or provide assistance. For
example, when authorities in one country make a request to their counterparts in
another country for Internet-related data relating to statements made over the
Internet amounting to incitement to commit terrorism in their jurisdiction; it will
be of great relevance whether the alleged acts also constitute a crime in
the
requested country. In the broader context of Internet content control, when
authorities in one country seek the removal of content that they consider incites
terrorism, and which is hosted on a server located in another jurisdiction,
applicable laws and constitutional safeguards for rights such as the freedom of
expression may differ.
325. The situation involving some types of terrorist-related e-mail or Internet

content being routed through, or stored on, ISPs based in the United States is
particularly relevant. Depending on the nature and context of such content, these
cases, which fall under United States jurisdiction, can be problematic given the
strong protections afforded to freedom of speech by the First Amendment to the
United States Constitution. In these cases, authorities in different countries
need to communicate closely to determine what, if any, preventive or prosecution
measures can be taken that are consistent with their respective national laws,
legal and cultural norms and international counter-terrorism obligations.
7. Concurrent jurisdiction
326. Terrorism cases in which constituent elements of crimes are carried out over
the Internet can raise complex jurisdictional issues, especially when a suspected
offender is located in one country and uses Internet sites or services hosted
by ISPs in another to carry out constituent acts of a crime. There have been cases
in which person’s resident in one country have set up, administered and
maintained websites used for promoting jihad and for other terrorism-related
purposes in another.
327. The Belgian case of Malaki el AROUD and Others (see para. 377) is one
such example. The defendant, who was living in Belgium, administered a
website, hosted in Canada, which she used for promoting jihad and for other
purposes aimed at supporting terrorist activities. The prosecution of terrorist-
related activities in these situations relies heavily on effective international
cooperation.
328. There are no binding rules under international law dealing with the issue of
how States should deal with situations in which more than one State might assert
jurisdiction to prosecute a crime involving the same suspect. Despite the fact that
States have broad discretion with respect to the criteria applied, this typically
involves balancing, or weighing up, different factors. These might include the
relative "connectivity" between the alleged crime and particular States,
including
the suspect's nationality, the location where various constituent acts forming the
crime took place, the location of relevant witnesses and evidence and the relative
potential difficulties in collecting, transmitting or producing evidence in a
particular jurisdiction. In some States, including Belgium, Canada and Spain,
certain forms of jurisdiction are considered to be subsidiary to others. States with
close connections to a crime (e.g. the crime is committed within their territory or
by one of their nationals) are considered to have primary jurisdiction, with States
holding jurisdiction on other bases acting only when the State with primary
jurisdiction is either unwilling or unable to prosecute,
329. Some countries, including Canada, apply a "real and substantial connection"
test when determining whether criminal jurisdiction exists.1s in Israel, when
international cooperation requests are received from other countries, these are
investigated domestically to determine if it can be proven that an offence under
Israeli law was committed which should be prosecuted in Israel. If no prosecution
results from such an investigation, Israeli authorities will transmit all available
evidence [and transfer the suspected offender) via formal channels to the
requesting country for the purpose of prosecution there. In the United Kingdom,
legislation and case law dealing with certain terrorism related crimes involving
activity outside the United Kingdom (including via the Internet) allow British
authorities to assert jurisdiction if it can be shown that a "substantial measure" of
the activities constituting the crime took place in the United Kingdom, and if
it can reasonably be argued that these activities should not be dealt with by
another country.
330. In resolving issues related to concurrent jurisdiction or related international

cooperation, central authorities (often prosecutors) need, at an early stage, to be
cognizant of the need for early and collaborative communication with their
counterparts in other jurisdictions that might have an interest in instituting
proceedings against the same suspected offender. The decision of when and
how to initiate this communication should be taken on a case-by-case basis, after
full consideration of the various factors that might be at play in the particular
case. Useful guidance for prosecutors considering such issues can be found in the
2007 Guidance for Handling Criminal Cases with Concurrent Jurisdiction
between the United Kingdom and the United States, issued by the Attorneys
General of the United Kingdom and the United States, which pro vides, in the
context of "the most serious, sensitive or complex criminal cases" (to which
the report related) for improved information-sharing and communication
between prosecutors in the
two countries. As the test for initiating such contact, the report provides the
following "does it appear that there is a real possibility that a prosecutor in the
[other country] may have an interest in prosecuting the case? Such a case would
usually have significant links with the [other country]" While the timing and
method of communication on jurisdictional and international cooperation issues
will vary according to the circumstances of the particular case, prosecutors
might consider this test a useful guide to apply in the course of their work.
8. National privacy and data protection laws
331. National data protection or privacy legislation can often restrict the ability
of law enforcement and intelligence agencies to share information with both
national and foreign counterparts. Again, striking the appropriate balance
between the human right to privacy and the legitimate interest of the State to
effectively investigate and prosecute crime is and ongoing challenge for
Governments and, in some cases (including responses to terrorism), has been the
subject of concern.157
332. In addition to legislation that provides clear guidance to investigators,

prosecutors and (in the case of Internet data) the ISPs holding data on the
obligations pertaining to the collection and use of personal data, it is equally
important that countries establish and operate effective mechanisms for the
oversight of intelligence and law enforcement agencies. Governments should
ensure that appropriate mechanisms are included in their national laws to enable
authorities to share, subject to appropriate privacy safeguards, information
relevant to the investigation and prosecution of terrorism cases with both national
and foreign counterparts.
9. Treaty-based versus non-treaty-based requests
333. National approaches to the facilitation of non-treaty-based requests for

cooperation vary, with some countries having restrictions on their ability to
provide formal cooperation in the absence of a treaty. In recognition of this, the
universal instruments against terrorism and transnational organized crime make
provision for the instruments themselves to be regarded as the legal basis for
cooperation and for specified unlawful conduct to be treated as qualifying
offences for mutual legal assistance and extradition purposes within the national
laws of States parties.
334. Many countries, including China, rely upon the principle of reciprocity as
the basis for providing international cooperation. Under Chinese law, law
enforcement agencies and judicial authorities can conduct international
cooperation, including mutual assistance or judicial cooperation (including
extradition), on a treaty basis. In the absence of a treaty, reciprocity can also be a
legal basis for mutual assistance and extradition cooperation. At the expert group
meeting, the expert from China highlighted one example of success full
cooperation between authorities in China and the United States that resulted in
the closure of the world's largest Chinese-language pornography website, which
was hosted in the United States and aimed at Internet users in China and other
Asian countries.
335. Several participants at the expert group meeting referred to issues related to
the sensitive nature of much information (often intelligence-based)
associated with terrorism investigations and the inherent challenges, not only in
the international cooperation context but also nationally, facing agencies wishing
to share such information with counterparts. Several experts highlighted that
information was often highly sensitive in nature and that sharing it became
difficult in the absence of a formal information sharing mechanism containing
appropriate conditions regarding its use and disclosure.
336. This issue is considered in more detail in the next chapter, relating to
prosecutions, in the context of evidential issues associated with translating
intelligence material into admissible evidence and the disclosure of evidence in
criminal proceedings.
VI. Prosecutions
A. Introduction
337. An integral part of the universal legal framework against terrorism, and
of the United Nations Global Counter-Terrorism Strategy, is the obligation
imposed on States to deny safe haven and bring to justice perpetrators of terrorist
acts, wherever such acts might occur. In order to achieve the last of these
objectives, countries not only require effective counter-terrorism legislation,
criminalizing terrorist acts and facilitating necessary international cooperation,
but also the capacity to apply specialized investigative techniques and
prosecution strategies to ensure the collection, preservation, production and
admissibility of evidence (often intelligence-based) when prosecuting suspected
terrorists, while ensuring international standards of treatment for accused
persons.
338. The role of prosecutors in the prosecution of terrorism cases has become
increasingly complex and demanding. In addition to responsibility for the
conduct of criminal proceedings, prosecutors are becoming more involved in the
investigative and intelligence-gathering phases of terrorism cases, providing
guidance or supervision on the legal and strategic implications of various
investigative techniques. In the present chapter, the role of prosecutors in
terrorism cases involving the use of the Internet by terrorists is considered, with a
view to identifying, from a prosecutor's perspective, common challenges or
obstacles and strategies and approaches that have been proven to be effective in
the successful prosecution of perpetrators.
B. A rule-of-law approach to criminal prosecutions
339. An investigation and prosecution that is not conducted in full accordance

with the principles generally associated with the rule of law and international
human rights standards risks the integrity of the very fabric of the social and
institutional norms and structures that terrorists themselves seek to undermine.
It is therefore of fundamental importance that any prosecution of the perpetrators
of terrorist acts be conducted with the utmost attention to the need to ensure a fair
trial and fair treatment of accused persons.
340. The well-recognized principle that suspected terrorists should be afforded
the same procedural safeguards under the criminal law as any other suspected
criminals is strongly embedded and reflected in the universal instruments against
terrorism and at the political level internationally. Just one of many examples of
high-level recognition of this principle is General Assembly resolution 59/195,
on human rights and terrorism, in which the Assembly highlighted the need for
enhanced international cooperation measures against terrorism, in conformity
with international law, including international human rights and humanitarian
law. In addition to incorporating this fundamental principal at a political level,
the United Nations, through its Special Rapporteur on the promotion and
protection of human rights and fundamental freedoms while countering terrorism,
regularly reports to the Human Rights Council and to the General Assembly on
areas of concern related to the human rights aspects of criminal justice measures
targeting terrorism and makes recommendations for remedial action by relevant
actors. Issues raised by the Special Rapporteur have included those related to the
detention and charging of suspects. 158
341. There are several publications dealing specifically with, and aimed at,
promoting respect for human rights and the rule of law within the remit of
prosecutors and criminal justice officers involved in terrorism prosecutions. In
2003 the Office of the United Nations High Commissioner for Human Rights
produced the Digest of Jurisprudence of the United Nations and Regional
Organizations on the Protection of Human Rights while Countering Terrorism.
Within the Council of Europe, which has fully recognized and integrated the
obligation to implement the protection of human rights as a fundamental
principle into its instruments dealing with crime prevention and criminal justice
issues, including terrorism, this principle is reaffirmed in the Guidelines of the
Committee of Ministers of the Council of Europe on Human Rights and the Fight
against Terrorism, adopted by the Committee of Ministers on 11 July 2002, 1
These documents provide valuable guidance for prosecutors working in the
counter-terrorism field.
C. Role of prosecutors in terrorism cases
342. The role of the prosecutor in the conduct of criminal proceedings, including
terrorism cases, varies between countries. In some countries, particularly civil-
law jurisdictions, prosecutors have formal responsibility for overseeing the
conduct of criminal investigations, supervising teams of investigators
throughout, making
decisions on search and surveillance activities and the laying of charges or
indictments and dealing with international cooperation issues and the conduct of
proceedings before the courts.
343. In an inquisitorial judicial system like the French one, for example, the
prosecutor is generally tasked with beginning the legal action and with initiating
preliminary investigations, defining the scope of the crimes; however, an
examining judge, or JUGE D'INSTRUCTION, will lead the formal judicial
investigation, collecting and examining evidence. When the culpability of the
subject can be excluded, the examining judge will close proceedings; otherwise,
the subject will be committed for trial before a different judge. In terrorism cases,
in addition to presenting the prosecution case to a judge, the chief prosecutor may
petition or submit a motion for further investigation.
344. In other countries, particularly common-law jurisdictions, prosecutors have

traditionally had less direct involvement with, or responsibility for, the conduct
of criminal investigations, which are usually led by law enforcement agencies.
Typically, in these jurisdictions, prosecutors assume formal responsibility for the
conduct of prosecutions at the point of charging or the laying of indictments
through to the final disposition of the proceedings. For example, in Nigeria, the
national police are responsible for con ducting criminal investigations. Upon
completion, cases are referred to a prosecution authority that hold responsibility
for the laying of charges and the conduct of the criminal proceedings.
345. A similar approach is taken in Indonesia, where a separation exists with

regard to the investigation and prosecution of a criminal case. After the
commencement of a criminal investigation, the investigator must report the
progress of the case to the public prosecutor (art. 109, para. 1, of the Indonesian
Criminal Procedure Code) and, once the investigation is concluded, must hand
the case files over to the Public Prosecutor (art. 110, para. 1, of the Criminal
Procedure Code), who will decide whether a case can be brought to trial (art. 139
of the Criminal Procedure Code).
346. Regardless of the specificities of the particular jurisdiction, however, the

role played by prosecutors in terrorism cases continues to evolve to meet the
increased demands placed on them by ongoing developments in the type,
methods and complexity of terrorism-related crimes, counter-terrorism laws, new
investigative techniques and international cooperation arrangements.
347. Experience shows that prosecutors are increasingly being required to play a
more direct role in the investigation of crimes, not merely during the prosecution
phase. Prosecutors are increasingly adopting a more technical and strategic role,
not only informing counter-terrorism policy and legislation but also providing
legal and strategic advice and guidance on legal issues during investigations that
influence the likely success of any resulting prosecution. Experience shows that
they are likely to undertake their role as part of a
multidisciplinary/multijurisdictional team.160
348. Moreover, with increased visibility and scrutiny of terrorism prosecutions,

including media coverage and monitoring by human rights groups and
international bodies, prosecutors play a crucial role in ensuring that investigations
and prosecutions not only are, but are seen to be, conducted in a way that is fair
and efficient and that upholds international human rights standards.
D. The investigative phase
349. During the intelligence-gathering or investigative phase of counter-terrorism

operations, prosecutors are often called upon to provide legal advice on issues
related to the use of specialized investigative techniques.

Technica Editorial

Uploaded by

Copyright:

Available Formats

Technica Editorial

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Technica Editorial

Uploaded by

Copyright:

Available Formats

Background

In connection with the development of the present publication, UNODC

B. Means by which the Internet is utilized for terrorist purposes

4. The promotion of violence is a common theme in terrorism-related

5. The promotion of extremist rhetoric encouraging violent acts is also a common

9. The Internet may be a particularly effective medium for the recruitment of

11. It is important to emphasize the distinction between mere propaganda and

12. Preventing and deterring incitement to terrorism in the interest of protecting

13. Recruitment, radicalization and incitement to terrorism may be viewed as

16. Financial support provided to seemingly legitimate organizations, such as

18. For example, inspire is an online magazine allegedly published by Al-

19. Instructional material available online includes tools to facilitate counter-

 Translated, encrypted, compressed and password-protected pro-jihadist materials, including

(a) Preparatory secret communication

(b) Publicly available information

28. A cyberattack generally refers to the deliberate exploitation of computer

C. Uses of the Internet for countering terrorist activity

30. Online discussions provide an opportunity to present opposing viewpoints or

31. The Center for Strategic Counterterrorism Communications, based in the

34. As noted in subsection B.1(b) above, the proscription of incitement to

38. Terrorist use of the Internet is a transnational problem, requiring an

39. The applicable international legal framework related to counter-terrorism is

42. The United Nations Global Counter-Terrorism Strategy was unanimously

a) To consistently, unequivocally and strongly condemn terrorism in all its

45. Recent United Nations reports and resolutions have specifically

C. Universal counter-terrorism legal instruments

48. As a result of the attention focused on countering terrorism following the

Member States to become parties to the universal counter-terrorism legal

49 There is currently no comprehensive United Nations treaty on terrorism that is

52. No universal convention has been adopted specifically relating to the

D. International human rights law

55. Several regional organizations have also developed conventions guaranteeing

56. While a comprehensive analysis of issues relating to human rights law is

E. Regional and sub-regional counter-terrorism legal instruments

57. In addition to the universal counter-terrorism instruments, several regional

60. For example, the Council of Europe Convention on Cybercrime requires

61. The Council of Europe Convention on Cybercrime also requires parties to

62. The Council of Europe Convention on Cybercrime may be applied in

66. Framework decision 2008/919/JHA provides a basis for prosecuting the

3. Additional legal instruments

67. Additional binding legal instruments adopted by regional or sub-regional

2. Commonwealth of Independent States

3. International Telecommunication Union

71. The International Telecommunication Union (TTU) is a specialized agency

74. In order to provide effective criminal justice responses to threats presented by

77. The Working Group's broad classification system is a useful conceptual

78. Another useful resource for policymakers and legislators, referred to in

79. Within the broad framework provided by universal counter-terrorism

80. Currently, few States have developed counter-terrorism legislation

82. In 2008, the Government of Saudi Arabia implemented new technology-

83. Also, in 2008, the Government of Pakistan enacted the Prevention of

85. Nevertheless, internationally, with some exceptions, in the absence of any

90. The powers required by law enforcement agencies to effectively investigate

92. In terms of specialized judicial or evidential procedures in the terrorism field,

(a) Internet-based acts or statements supporting terrorism

97. Section 54 of the Act makes it an offence to provide, receive or invite

98. Section 57 makes it an offence to possess articles in circumstances that give

107. In addition to criminal offences under anti-terrorism legislation, authorities

R v. BILAL ZAHEER AHMED