Proposed UN cybercrime treaty has evolved into an expansive surveillance tool (eff.org)
171 points by laserstrahl on Jan 25, 2024 | hide | past | favorite | 61 comments


Here's the problem I see with tackling "cybercrime", most of it happens outside the jurisdiction of western countries. When it comes to things like hacking, selling stolen data, scams you name it, most of it happens in countries where enforcement is either lax or just non-existent.

And "access" here is completely asymmetric. If someone opens up, say, a scam store in London that victimizes its visitors in some way, the authorities have access to the business just like the business has access to the residents of London; here the "access" is symmetric, as the authorities can just show up, shut down the business and throw the criminal org running it in jail.

With cybercrime though, the criminal has access to the victim, but the authorities do not have access to the criminal. The criminals can victimize folks all day long but besides stern warnings to potential victims, there's nothing the authorities can do. The criminals know this and this is why most of your online scams and cybercrime occurs in places outside the jurisdiction of western states / states that care about this stuff.

A cybercrime bill like this will inevitably be kneecapped by virtue of its jurisdiction. As a result they won't have any "real" crime to go after and will increasingly go after lower-hanging fruit that one could interpret as "crime". So expect that the real criminals will still be in business while these agencies go after folks for saying mean things on the internet that could be construed by a court to be a "crime".


Maybe it's naive, but I wonder if escalating fines then sanctions against countries responsible for a lot of cybercrime could work.

Right now the incentives are all messed up. If citizens from country A lose millions from scammers in country B, country B has little incentive to spend precious resources on making it stop. In some cases it's even worse as country B might be benefiting from the scam.

Telling some countries "we won't let you route calls to our country because a disproportionate amount is scams" might provide an incentive, and if it doesn't it makes the scamming harder. Of course this needs to be weighed against the potential costs.


> Maybe it's naive, but I wonder if escalating fines then sanctions against countries responsible for a lot of cybercrime could work.

Unfortunately that gets wrapped in Geopolitics. I'm sure the cybercrime unit will love to issue sanctions against certain countries but the higher ups will never allow that because they need that country as an ally in the region more than they need to stop cybercrime from that country. Ie. bigger fish to fry.


And those are mostly third world countries so I doubt it would look good to basically sanction countries that have enough trouble with national debt as it is. And is there any country where the "bilateral" cybercrime is more significant than the legitimate bilateral trade? India is notorious for the phone scam centers but it also has a giant legitimate call center business.


> Of course this needs to be weighed against the potential costs.

On both ends. Listening to Darknet Diaries [1] recently with a story on email fraud, and they mentioned that the estimated yearly take for one particular fraud group in Nigeria amounted to roughly a third of Nigeria's GDP. Even if we interpret this as inflated, it's hard to imagine that the Nigerian government is highly motivated to put a stop to that flow of capital.

[1] https://darknetdiaries.com/episode/141/


Dear lord, what if they actually make one of them the Prince of Nigeria for real


He'll still need you or your parents to get to his money.


I like the interpretation of cybercriminals as privateers, especially where the state lets it be, like in Russia.


How can you prove what country a criminal is from? You would have to make VPNs and Tor illegal so that it is impossible to mask your connection, and that will never happen. I believe right now they can sometimes glean hints as to the source country of malware, but it's not a certainty, as of course a smart hacker would take steps to mask their work.


> You would have to make VPNs and Tor illegal so that it is impossible to mask your connection, and that will never happen.

It would also be irrelevant, since criminals don't follow laws.


Indeed, cybercrime is cross-border because that makes it difficult to reverse fraudulent transactions. There should simply be an international treaty such that fraudulent transactions crossing a border can be reclaimed from the government of the destination country, leaving them with the problem of reclaiming it within their own country.


This is assuming you even know where they are.

Suppose you want to impose tariffs on China because of cybercrime originating from there. Then China comes back and says they've investigated your claims, the computer you say the attack was coming from was actually another victim being used as a proxy and the real perpetrators are in North Korea or wherever. Then they make up some IP address in North Korea and tell you to go after them, which you can't because they don't have any money or don't trade with you or already hate you.

Or cybercriminals in whatever country actually do just compromise some machines in other countries and use them as proxies to keep their own local authorities from having to care, and then you legitimately don't know where they are.


Any such crime involves a transfer of money, and the destination country is easily determined. The point is not to figure out where the criminals are, but to place responsibility on the country that can act on it. That's why I said the refund should come from the destination country, not the country where the criminals are located. If the criminals are not located there, then that country will have a claim on the next country that the money is transferred to, etc.


Money isn't any easier to trace than data packets.

Dollars get converted into bullion or Monero or some other fungible commodity with no tracking attached, then back into money. The country where the conversion happens isn't inherently the country where the criminals are, and you can't plausibly make it illegal to buy <fungible commodity> for every value of <fungible commodity>.


Is it completely implausible to tell the country where that exchange took place that it's their problem if they failed to enforce KYC/AML laws and check who is exchanging those fungible commodities and its origins?


Yes?

The transaction you know how to track is the unlawful one. Some ransomware requires you to pay them, so you do, and they take possession of whatever untraceable commodity and then give you the decryption keys (or don't). Or they buy a commodity on a stolen credit card and have possession of it before the fraud is reported. Then the victim goes to the police or files a dispute with the credit card company. The KYC/AML data is just going to give you the name of the account holder, i.e. the victim. The criminal didn't receive government currency, they received something they can anonymously resell for government currency, which could be anything with a market value.


You make little sense. What are they going to do about it?

Digitally lock down everything somehow? Outlaw encryption? Forbid VPNs?

Implement a massive, nation-covering firewall that actually can enforce any of that?


I mean, one can easily make the argument that this is an incredibly rare instance where the global south gets to be the exploiter as opposed to the exploited, and online scams could be argued to be a "colonialism tax" on the richer, dumber citizens of western nations that are used to a government that at least feigns giving a shit about their security.

I'm not saying that's right, of course, something something two wrongs. I don't condone it but I don't judge them for it either. As with most crime, the answer largely seems to be elevating the communities from which the crime comes, because while there's certainly a non-zero population out there that will just fuck shit up for their own gain, regardless of how harmful and risky it is, numerous studies on the subject and the successful rehabilitation programs in other countries not using a punitive system of justice demonstrate that the vast majority of the time, what "criminals" really need is a legal option to make a decent living. That can require a wide spectrum of things from proper education/skills training for that given person, to environmental or medical help to address untreated mental/physical illnesses, to systemic improvements so jobs pay enough to actually live and are available where people are.

Basically: Our society demands people have money to survive, and most people given a reasonable opportunity to earn money in a pro-social way will do that, because if for no other reason, it's easier and less risky. However if you live in a place where you are denied the opportunity to make that living, what do you expect people to do? Lie down and wait for the cold embrace of death, or start stealing shit? Put in that position I'd tell you exactly what I'd do.


> online scams could be argued as a "colonialism tax" on the richer, dumber citizens of western nations that are used to a government that at least feigns giving a shit about their security.

Which brings us to the actual problem that causes these others.

We don't put the consequences of bad security practices on the people who could have taken better precautions because they're "the victim" even though they're also the only person who could have prevented it. So instead we move the cost to the merchant via the credit card companies etc., or some other intermediary whose fault it was not.

Which removes the incentive for ordinary people to care about security, and then they don't. Who cares if your IoT garbage provides an entry point into your home network and some Russians get your credit card number? Don't spend time choosing a device with open source firmware that gets indefinite community support. Don't worry about giving your credit card number to scammers. Just buy whatever's cheap and when it happens you can call the credit card company and make it their problem.

Which in turn makes it the credit card company's problem, which they don't like, so they start asking for awful cybercrime bills to do something about this, even though the only something that works is to make consumers feel meaningful consequences for not caring about security.


> We don't put the consequences of bad security practices on the people who could have taken better precautions because they're "the victim" even though they're also the only person who could have prevented it. So instead we move the cost to the merchant via the credit card companies etc., or some other intermediary whose fault it was not.

Eeeeeehhhhhhhhhhh *waves hand*. The fact that tons and tons of what constitutes the backend of modern finance tech is the exact same shit that was originally built in the '70s is not something that I think can be overlooked so easily. A lot of what constitutes that ecosystem is just, practically, allergic to security.

Your social security number (if you're American) for example is basically a unified ID number that corresponds to everything from your medical records to your credit report to bank accounts to insurance, on and on, and accessing information with that number is nearly completely insecure. If someone gets ahold of yours and your basic public info, they can turn your life upside-down in such a way that will take hundreds of hours and thousands of dollars to resolve. And it would be like, trivial to lock that behind some sort of MFA situation with a state-centralized solution.

The entire ecosystem around EFTs is just incredibly needlessly bloated and slow. I understand why they were slow when I was born, right? But we have advanced so much since then and yet EFTs despite just being like... digital checks remain basically inaccessible to working class people, despite them being objectively useful and, again, literally just checks in a different form. And their difficulty in use and desire for people to use something like them has given birth in turn to entire new financial products and services, many of which are pretty scammy in their own right, and subject to their own risks of abuse with even less overall security since most are tech companies and not insured with the FDIC.

That's not to say that people shouldn't be security conscious, of course they should be. But that requires education on how to be that, and frankly I don't think it's unreasonable to say that the finance sector could, itself, make being security conscious quite a bit easier without dinging their own profits too badly.


> The fact that tons and tons of what constitutes the backend of modern finance tech is the exact same shit that was originally built in the 70's is not something that I think can be overlooked so easily.

Which is the thing enabled by moving the responsibility somewhere else. Because then their customers don't care, and the industry doesn't lose business to an alternative by failing to improve security.

> Your social security number (if you're American) for example is basically a unified ID number that corresponds to everything from your medical records to your credit report to bank accounts to insurance, on and on, and accessing information with that number is nearly completely insecure.

Which is why it should never be used for authentication, and isn't for companies with reasonable security, and doesn't have to be. You authenticate the user with passwords, cryptography, one-time email tokens, etc., not unchangeable not-so-secret numbers shared across all institutions. But see above regarding what causes them to not care about security.

What we could have done, and maybe still should, is limit social security numbers to use as a tax ID and ban their use for any other purpose. Why does your healthcare provider need your social security number? They can issue their own patient ID if they need something like that, and then if that gets compromised it limits the scope of what it can be used for.

> But we have advanced so much since then and yet EFTs despite just being like... digital checks remain basically inaccessible to working class people, despite them being objectively useful and, again, literally just checks in a different form.

So this is also part of the scam.

Credit cards charge the merchant ~3%. That's way more than the cost of handling chargebacks, especially because they also put the cost of chargebacks on the merchant. But then the finance industry doesn't want to make EFT easier to use, because then merchants would want to use it instead of paying 3% to the credit card companies, who are really the same companies and therefore drag their heels in making EFT easy to use.

And the chargebacks are part of what enables this, because the customer might be willing to use a more secure payment system in order to save 3%, if they had any reason to care about security. The other part is credit card rewards programs, which make the user think they're getting rewards, when really they're paying twice that much or more to the credit card companies for the transaction.


Are people that indifferent to cybersecurity in your opinion? There are lots of ways to lose money that can't be clawed back that easily.


People are indifferent specifically in the cases that it can be clawed back. They keep their valuables in a safe etc. But they're much more willing to give their credit card to shady websites than their bank routing info, specifically because it's easier to claw it back if there is fraud.

But it isn't the criminal who pays for that. They get your credit card number via their shady website, then use it on a legitimate one, take possession of the goods and leave the legitimate merchant to take the chargeback when the user sees the fraudulent transaction on their credit card statement weeks later.

The users also persist in using credit cards, instead of demanding a system with better security, e.g. one in which the card contains a chip that can connect to a PC or phone and requires the card to be physically present for the first remote transaction with a given merchant (you sign their key as authorized to charge you going forward), so you couldn't just breach one merchant, get all their customers' credit card info and use them fraudulently at any other merchant.


Every piece of legislation that has anything to do with privacy or surveillance will inevitably be corrupted to make surveillance worse, either directly by inserting or modifying language, or indirectly by interpretation or by optimizing right up to the letter of the law, but not the spirit. And then there's the fact that intelligence agencies will just outright lie to oversight bodies. No consequences. We're in a dystopia that still has sunshine, Netflix, and arguing over trivialities to distract us.


Right you are, comrade! The lizards have no shame.


I don't know why you're making fun of him, because he's absolutely right.

"Bread & Circus" has been used for a long fucking time already and if you have no knowledge of the history of the CIA, or Mossad, then you should educate yourself.

It's not a conspiracy theory when it's the world we live in. You should definitely feel shame.


All hail our beneficent global bureaucracy! Filled with smart people who care deeply about our freedom and individual wishes. Now if I could just contact one of its accountable elected representatives to voice some concerns...


Treaties need to be adopted by legislatures; lobby your national executive if you want to influence the text and the legislature if you want to influence whether or not it is adopted.

Also, these treaties aren't generally self-executing nor enforceable, so you'll also be able to lobby your legislature when they draw up the implementing acts.


Epic gaslighting.




Like the US became a pariah when it didn't adopt the Ottawa Treaty that banned anti-personnel mines? Or when it didn't ratify the treaty that established the International Criminal Court and later withdrew its signature?

The EU has teeth, because EU law overrides domestic laws according to the member states themselves. The UN doesn't, because it's an organization of sovereign states. UN treaties are only as strong as the states choosing to enforce them.



I suspect we should be blaming the diplomats and the national leaders giving them orders, who should be responsible to the people, not the UN bureaucracy or the people who work there, who don't actually have that much decision-making power AFAIK.


This is the first time that the tools exist that make it feasible to impose surveillance at this scale.

The same tools, maybe not as intrusive, could be used to hold these people accountable?

(putting on my conspiracy hat) Hmm, maybe because this has become possible, the media is so flooded with noise. Any signal is drowned out.


Post this next time someone praises the EU for passing the barest of privacy laws.


I can and actually did contact my European Parliament representative with my concerns. ACTA protests were very successful. These people are answerable to their constituents in the same way as in any other representative democracy.


Here's an article with a lot more detail about the treaty, and the efforts of Western countries to narrow it and of Russia and China to broaden it [1]

[1] https://therecord.media/consensus-growing-around-cybercrime-...


Welp, time to reacquaint myself with novel encryption algorithms and modern decentralized networking.

Data science has been fun, but it's all a moot point if our civil liberties deteriorate.


> modern decentralized networking

But the internet is already completely decentralized and has been since the 1990s when we switched from EGP to BGP. EGP used to have a single, global "backbone", BGP doesn't.

The only semi-centralized part of the internet are the regional registries, although IANA is still the supreme numbers authority, but they don't care about what you do with your assigned numbers unless you hijack other numbers or acquired yours fraudulently.


You may be confusing what exactly decentralization is referring to in this case.

BGP may be fully decentralized for IP, but if your only providers are your ISP and Amazon then your local industry has consolidated to the point that decentralization of the last mile and services don't matter. Two entities have full control of how your packets get to other people.

The decentralized networking the above poster is talking about is a layer on top of this existing 'polluted' network, where your traffic is encrypted in its own layer and goes to servers/services not controlled by said providers.

The particular problem I have with OP's idea is that this will give them some measure of privacy or safety. This isn't how law enforcement works. They will bust individual nodes and force the operators to keep them running, all while gathering information on users of the network. They'll capture more nodes and unmask users with the threat of even longer jail time to those that do not defect.


You interpreted me mostly correctly. I had in mind mesh networking more than node/point (i.e. having root access to a single node, whether by purchase or by pipe wrench, doesn't infiltrate the network sufficiently to bring it down).


Well said, but parent post probably meant "communication applications" instead of "networking."


Start with GPG, comrade. Personal freedom begins with unmonitored and uninterdictable communications.


As a non-native English speaker I have some trouble understanding this. Is this just another bill that uses cybersecurity as an excuse to pass some bullshit laws?

This is common practice in Germany, so it would not surprise me if that kind of stuff also reached the UN...


The super short tl;dr is:

This is a treaty proposed by Russia, and heavily supported by the growing number of dictatorships around the world, such as China, the Arab states, and more recently the growing number of African countries, that will effectively allow them to prosecute anyone who says something bad about their countries under vague "terrorism" charges. If a western country refuses, then they can cut off any legal collaboration for any other more serious crimes. Example: UAE says this French national said something bad about their sheik. France must arrest and hand over that guy because they would be breaking an international treaty otherwise, and may be vulnerable to sanctions and to the UAE's (and others') refusal to cooperate in France's legal investigations, such as economic fraud, terrorism, and such. It's basically a cleverly designed document to enforce and give more power to dictators across their borders, and inside other democratic countries.


Well that is obviously something that will never come through, right? Why would the UN even discuss this?


If you haven't been paying attention, the number of autocratic countries has been rising, with many (Solomon Islands, Mali, Chad, Togo, Sudan, Niger, etc.) receiving military help from China and Russia (aka Wagner troops, social media troll farms) to stage coups and take over.


Because the Third Committee of the General Assembly adopted a resolution to do so by a recorded vote of 88 to 58, with 34 abstentions[1].

[1] https://documents-dds-ny.un.org/doc/UNDOC/GEN/N19/383/43/PDF...


From my (limited) reading it seems like this is a UN treaty to allow for better co-operation between states when prosecuting/investigating cybercrime.

The main issue I see is that there is little distinction in what constitutes a crime that would fit under the "cybercrime" banner, potentially allowing a state that has e.g. anti-LGBT laws to request assistance in prosecuting that crime by e.g. getting de-anonymized data from a US-based social network.


If I were the world government I'd do the same.


So this all is because of people like you


So, because of average people. There's a centralizing tendency to all government.


Surprising precisely no one, I suspect.


Finally someone else will do the window twitching snitching for me.


it's too late, the spy agencies already run the world; this is just consolidating their control


We are in the middle of the first cyber world war. We have to do something, but the United Nations is going to do... well, this...

This is obviously being written by those who have been operating in this way for many years.

In the meantime, I will support my country withdrawing from the United Nations.


> In the meantime, I will support my country withdrawing from the United Nations.

I don't believe that not talking to others is a solution, to be honest.


>I don't believe that not talking to others is a solution, to be honest.

Being in the United Nations has basically nothing to do with talking to others.

What exactly has the United Nations done lately? Did they do anything about the genocide in western China?

Did they do anything about Russia's war in Ukraine?

Did they do anything about Palestine's offensive war?

At some point the UN lost their way. My country isn't significant on the world stage anymore; we aren't going to fix anything. Best to withdraw.


The UN is mostly about talking to others IMHO. The UN is not supposed to be the world government, and actually doing things, especially against the consent of the great powers, is just not its job or what it was designed to do.


Ah yes, isolationism. Authoritarians love it when countries do that; it makes them easier to take over.


> Ah yes, isolationism. Authoritarians love it when countries do that; it makes them easier to take over.

Withdrawing from the United Nations does not by default mean isolationism. NATO would still exist. Our alliance with the EU would still exist. I believe our alliance with Brexit still stands as well?

I'm not saying isolationism, I'm saying the United Nations doesn't do anything.


> I'm saying the United Nations doesn't do anything.

No, you don't understand the purpose of the UN. It is not really supposed to do anything. It is supposed to provide a forum where everyone is allowed to talk; it allows nation-state actors to signal their intentions to each other, rather than to guess at what their intentions are.

Based on that signaling you can take that back to NATO to turn into actions.



