This cross-border conspiracy indictment was one of the first of its kind in 2009, but that statement seems almost quaint today. Modern cybercriminals routinely victimize citizens from opposite sides of the world; in fact, it would be surprising to see a cyberattack that began and ended in a single jurisdiction. Some notable cybercrime enforcement actions illustrate the point.
In 2018, in a rare ransomware-related indictment, the Department of Justice (DOJ) charged two Iranian nationals with developing and deploying the strain of malware known as “SamSam,” which they used to extort the City of Newark, a hospital in Los Angeles, and a hospital in Kansas. In January 2021, the DOJ announced an operation with Canada, France, Germany, the Netherlands, the United Kingdom, Lithuania, Sweden, and Ukraine that disrupted the infrastructure of the prolific “Emotet” botnet, which had infected around 45,000 computers in the United States and 1.6 million computers worldwide. In 2021, the DOJ announced the disruption of the REvil, or Sodinokibi, ransomware group, including the arrest of a Ukrainian national in Poland (at the request of US authorities) and the seizure of over $6 million in cryptocurrency, as part of an international law enforcement effort involving 16 different countries.
In an investigation running between summer 2022 and January 2023, Europol identified 260 suspects in Serbia, Germany, Bulgaria, and Cyprus who participated in a criminal network dedicated to “pig butchering,” a type of fraud in which victims are tricked into believing they are investing cryptocurrency in a sort of modern-day Ponzi scheme. Losses can be staggering; Europol estimates that victims all over the world lost hundreds of millions to this group alone. And, worse, these frauds are often fueled by human trafficking, relying on forced labor, primarily in Cambodia and other parts of Southeast Asia.
As one would imagine, investigating and prosecuting these technologically complex crimes requires that law enforcement and prosecutors collect evidence from several jurisdictions to have any hope of identifying and apprehending the perpetrators. And, because the majority of evidence is now stored digitally by third parties, it is often located in places that have nothing to do with the crime itself. This could include data from an instant messaging provider in one country, a server image from another, government records from the country where the suspect is a citizen, statements from financial institutions and decentralized cryptocurrency platforms, and evidence from the suspect’s home or electronic devices in the country where the suspect lives.
The challenge is that, of course, each country is its own sovereign and is responsible for determining and enforcing its own criminal laws. The Department of Justice’s handbook (the Justice Manual) notes that efforts to investigate crimes or gather evidence inside the borders of another nation may be considered a violation of sovereignty: “Even such seemingly innocuous acts as a telephone call, a letter, or an unauthorized visit to a witness overseas may fall within this stricture … [and] can generate diplomatic protests and result in denial of access to the evidence or even the arrest of the agent or Assistant United States Attorney who acts overseas.” Prosecutors investigating cross-border offenses (including almost all cybercrimes) must instead follow one of a few different procedures for obtaining evidence overseas. Most are time-consuming, labor-intensive, and costly, and none is ideal. With transnational cybercrime impacting businesses and municipalities at staggering rates, we need better processes for law enforcement to obtain the data that are critical to solving these devastating crimes.
In this article, we describe the primary tools available to law enforcement to gather data in transnational cybercrime investigations, and the benefits and challenges that accompany them. Focusing on the United States and Europe, we then offer some practical takeaways for moving forward and enhancing law enforcement’s ability to combat global cyber threats more efficiently.
Letters Rogatory
In the absence of a treaty between nations, a court in one country can submit a request for certain information to a court in another country by sending letters rogatory via diplomatic channels. Letters rogatory must comport with several requirements and be signed by a judge. They can take over a year to be executed. As a result, they are used relatively infrequently by prosecutors.
Subpoenas
Subpoenas to compel a foreign company to turn over records to US prosecutors can be used in certain limited circumstances. This practice was upheld in a series of cases involving the Bank of Nova Scotia, in which the 11th Circuit determined that a bank doing business in the United States could be compelled by subpoena to turn over records held by a branch of that bank in a foreign country. In re Grand Jury Proceedings (Bank of Nova Scotia), 691 F.2d 1384 (11th Cir. 1982); In re Grand Jury Proceedings (Bank of Nova Scotia), 740 F.2d 817 (11th Cir. 1984). But the practice upset the Canadian government, which felt that the US had bypassed traditional means of obtaining information from its international partners. See, e.g., T. Levin, Business and the Law: U.S. v. Bank of Nova Scotia, N.Y. Times, Dec. 13, 1983. Today, serving this type of subpoena, known as a “Bank of Nova Scotia Subpoena,” is disfavored, and often implicates concerns related to data privacy laws in the relevant jurisdiction. See, e.g., U.S. Dep’t of Just., Justice Manual § 9-13.525.
Mutual Legal Assistance Treaties
To secure evidence that can be used in court, prosecutors generally need to invoke what is called a Mutual Legal Assistance Treaty (MLAT). MLATs are agreements between two or more countries that set out the nature and type of assistance that each country agrees to provide. Evidence provided pursuant to an MLAT is typically certified in some way by the government that gathered it; as a result, it is likely to be admissible at trial and other court proceedings, unlike evidence gathered in a more informal way.
To ensure consistency and compliance across both incoming and outgoing MLAT requests, they are funneled through a single division of the Department of Justice: the Office of International Affairs (OIA). OIA is staffed by attorneys who cover designated countries and have deep familiarity with the requirements and nuances of their MLAT processes. This model generally worked well when most crimes were committed within the confines of a single country, and only in unusual circumstances did prosecutors need to obtain evidence from overseas. But as the job of investigating and prosecuting crime (particularly cybercrime) becomes increasingly international, the resources of OIA have been stretched thinner. As DOJ’s 2022 “Comprehensive Cyber Review” stated, “The MLAT process … is overwhelmed with requests as evidence increasingly exists overseas for even the most domestic of crimes.” U.S. Dep’t of Just., Comprehensive Cyber Review (July 2022), https://bit.ly/40WHmeJ. And OIA is only the beginning of the process; even after OIA compiles the voluminous paperwork and information necessary to submit an MLAT to another jurisdiction, the requesting agency often must wait months for the recipient jurisdiction to review it and provide the requested evidence. In some cases, this can take years.
In the 2009 Manhattan DA case described above, MLATs were used successfully to obtain evidence and even execute a search warrant at a residence in Ukraine. But partially as a result of the time involved in preparing, submitting, and obtaining results from these requests, the investigation took years to develop. This meant, for example, that many members of the investigative team had left government service by the time the case went to trial. When Egor Shevelev was convicted in 2013, 12 years had passed since the earliest conduct charged in the indictment.
To avoid statutes of limitation expiring before necessary evidence has been collected, 18 U.S.C. § 3292 permits federal prosecutors to file a request to toll, or pause, the statute of limitations when they file an “official request,” like an MLAT, with another country. While this provision provides some relief, bringing a case years after the conduct in question occurred is inherently problematic. For one thing, it disadvantages defendants, whose ability to defend themselves diminishes with the passage of time: Records may be gone, witnesses may not be available, and memories have faded. For the same reasons, the government’s case will invariably be weaker, and the burden of proof beyond a reasonable doubt harder to meet. And there is the perception that the government can use the MLAT process as a tactical maneuver to save a case that would otherwise be time-barred; in 2020, a former Assistant US Attorney filed an internal memo alleging that prosecutors on two cases had submitted MLAT requests pretextually, purely to extend the statute of limitations, requesting records that they either already had or didn’t need. See, e.g., United States v. Bases, 2020 U.S. Dist. LEXIS 185089 (N.D. Ill. Oct. 6, 2020) (even if the government’s MLAT request was purely pretextual, 18 U.S.C. § 3292 requires tolling of the statute of limitations). And, perhaps more importantly, § 3292 applies only in federal proceedings, meaning that state and local prosecutors—who increasingly play a role in investigating and prosecuting cybercrime—cannot avail themselves of its tolling protections.
CLOUD Act
Inside the United States, law enforcement requests for electronic evidence are typically governed by the Stored Communications Act (SCA), 18 U.S.C. § 2703. The SCA sets out the legal standards and procedures required for the government to access certain categories of electronic information stored by “electronic communications service providers,” like Google or Microsoft. Different standards apply to different types of data: For example, it is easier for the government to obtain “metadata,” like the logs of which IP addresses accessed an account, than it is to obtain “content,” like the actual body of email messages. The SCA essentially fills a Fourth Amendment gap, recognizing that although these data are stored by the user with a third party (the provider), users have certain rights and expectations with regard to the privacy of their online accounts. But in today’s environment, electronic data isn’t just stored outside a user’s home—it is often stored in another country altogether.
In 2013, federal prosecutors in New York got a search warrant, pursuant to the SCA, for a Microsoft email account based on probable cause to believe evidence of criminal activity (specifically, drug trafficking) would be found in the account. Microsoft moved to quash the warrant, claiming that because some of the data sought was located on servers in Ireland, the SCA did not govern the request and the government instead needed to submit an MLAT. Microsoft v. United States, No. 14-2985 (2d Cir. 2016).
While Microsoft’s motion to quash was making its way through the appellate process, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The CLOUD Act essentially does two things: It amends the SCA to clarify that US-based providers must disclose data pursuant to valid US legal process, regardless of where the provider stores the data, and it attempts to streamline the process for both the US and its international partners to obtain electronically stored evidence. The second prong permits the US to enter into bilateral agreements with foreign partners, provided that the foreign country demonstrates certain substantive and procedural protections for privacy and civil liberties. The agreements can only be used to collect evidence of “serious crime” but are still broader in scope than existing bilateral agreements (as discussed above).
In theory, CLOUD Act agreements provide an attractive alternative to the MLAT process. They make gathering electronic evidence stored by third parties easier and more efficient and create a framework for each party to assess the other’s protections related to civil liberties and human rights. To date, however, the US has entered into only two such agreements, with the UK and Australia. Agreements with EU member states seem to have stalled, potentially because the first provision of the CLOUD Act—allowing US law enforcement to obtain data from service providers even when the data are stored overseas—may conflict with the GDPR’s provisions about transfers of data from the EU to the US. As discussed below, resolving that conflict, and restoring the ability to transfer data more efficiently between the US and the EU, is one of the most significant and important steps the US can take right now to empower law enforcement to investigate transnational cybercrime.
EU-US Data Privacy Framework
The European Court of Justice ruled in 2020 that the “limitations on the protection of personal data arising from the domestic law of the United States . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under E.U. law,” and invalidated the existing EU-US “privacy shield” that had permitted data transfers between the two regions for commercial purposes. Data Prot. Comm’r v. Facebook Ireland Ltd., Maximillian Schrems, Case No. C-311/18 (2020) (Grand Ct.). The privacy shield was based on the notion that the US and EU member states all had adequate protections in place related to individual privacy, including from government intrusion. Prior to that, in the fall of 2019, the US and EU had embarked on a series of talks meant to facilitate sharing of information among law enforcement agencies, but the decision had a chilling effect on these efforts.
In October 2022, President Biden issued an Executive Order directing that certain steps be taken to address the concerns raised by the EU and implement the EU-US Data Privacy Framework that the US and EU have been trying to negotiate to replace the former privacy shield. Exec. Order No. 14,086, Enhancing Safeguards for United States Signals Intelligence Activities (Oct. 7, 2022). About a month later, the European Commission published a draft adequacy decision for US-EU data transfers. European Comm’n, Commission Implementing Decision of [XXX] pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (Dec. 13, 2022), https://tinyurl.com/3mapzps5. The decision determines that the US, through the provisions of the new framework, provides comparable safeguards to those of the EU and ensures an adequate level of protection for data transferred from the EU to the US. Although this is an encouraging development, it is not the end of the story; on February 14, 2023, the European Parliament Committee on Civil Liberties, Justice, and Home Affairs issued a draft opinion criticizing the draft decision, concluding that the Framework “fails to create actual equivalence in the level of protection” offered to personal data in the US. European Parliament, Draft Motion for a Resolution to wind up the debate on the statement by the Commission pursuant to Rule 132(2) of the Rules of Procedure on the adequacy of the protection afforded by the EU-US Data Privacy Framework (2023/2501(RSP)) (Feb. 14, 2023).
Law Enforcement Partnerships
US law enforcement has entered into several strategic partnerships with its counterparts overseas, some of which facilitate sharing of electronic evidence. For example, the US and Europol have a data-sharing agreement that allows for the exchange of evidence in certain scenarios. But the agreement only covers particular categories of criminal activity, like trafficking in drugs or nuclear substances, human trafficking, and terrorist activities. It does not apply in scenarios where evidence of, for example, financially motivated cybercrime happens to be on a server in another jurisdiction. Similarly, the US-EU Terrorist Finance Tracking Program allows data sharing related to suspected terror finance; again, this would not extend to records held by electronic communications providers that may constitute evidence of cybercrime.
At the Manhattan District Attorney’s Office, we recognized the importance of information sharing across borders and entered into partnerships with the City of London Police, the Paris Prosecutor, and the Singapore Attorney General, among others. These partnerships involved personnel from each office being temporarily assigned to our office, and vice versa, allowing us to understand the nuances of criminal procedure in each jurisdiction. These partnerships required upfront investment and resources that many jurisdictions lack. But for us, they were worthwhile, particularly in the investigation and prosecution of cybercrime.
For example, in 2019, our Cybercrime Bureau received a complaint from the team representing a popular recording artist. Unreleased recordings had been stolen from the artist’s online storage and posted for sale on a “leak” site. The hacker, who went by the online alias “Spirdark,” had stolen music from several prominent artists and was offering it for sale in exchange for Bitcoin. The investigation led us to a UK national living in Ipswich. Leveraging our partnership with the City of London Police, we were able to work jointly to execute a search warrant and seize that person’s devices, including a drive that contained unreleased music from over 80 artists. Because the perpetrator was a UK citizen and UK musicians had also been victimized, we referred the matter there, and the defendant was prosecuted and ultimately sentenced to 18 months in jail thanks to the hard work of the City of London Police and Crown Prosecutor. Similarly, when two hackers in France breached prominent accounts belonging to New York–based video sharing site Vevo, our office helped gather evidence needed to identify and prosecute the offenders in France.
But partnerships like these present challenges, too. Often, the information exchanged is “for intelligence purposes only,” meaning it can’t be put into evidence or used, on its own, as the basis for charges. And data protection rules in some countries may prohibit sharing user information at all without a binding court order obtained through a more formal process like an MLAT.
Finally, smaller law enforcement agencies at the state and local levels—who increasingly find themselves on the front lines of the fight against transnational cybercrime—are unlikely to have the bandwidth to invest the time and resources to cultivate these relationships.
United Nations
The United Nations is in the process of negotiating a Cybercrime Convention that aims to, among other things, establish international norms for investigating and prosecuting malicious cyberactivity and facilitate sharing of evidence across member states. The Convention will be the product of the newly established ad-hoc intergovernmental committee to “Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes.”
The committee met in Vienna in January 2023 and produced a negotiating document that draws on submissions from the various member states. The document defines “cybercrime” extremely broadly to include all activity that uses “communications technologies for criminal purposes.” This definition could reasonably include almost any criminal conduct in today’s world. And some human rights groups have fairly pointed out that the scope of criminalized activity, which includes conduct like “advocacy or justification of terrorism,” risks running afoul of international standards about freedom of expression. Some of the procedural aspects of the document are likewise problematic; it directs member states to, for example, adopt legislation that would require a person to submit computer data in their possession to the government based on reasonable belief that an offense was committed, a standard lower than the Fourth Amendment’s probable cause requirement (and possibly in contravention of Fifth Amendment principles about self-incrimination).
The UN effort is in its early stages and will doubtless be refined many times over before it is due to be presented to the General Assembly’s 78th Session in September 2023. But given the challenges and complexities already identified, it seems unlikely that, at least in the near term, this Convention will supplant the existing processes around obtaining evidence.
Budapest Convention on Cybercrime
The Budapest Convention was the first international treaty that aimed to address transnational cybercrime by standardizing cybercrime laws and facilitating cross-border cooperation. It was first signed in 2001 and came into effect in 2004. Over 80 countries have ratified the Convention, including the United States in 2006. One of its most significant provisions is the establishment of the “24/7 Network,” which creates single points of contact in member nations who can facilitate requests for, and preservation of, electronic evidence in exigent circumstances. Law enforcement agencies routinely use this network to obtain things like subscriber information, or to prevent evidence from being destroyed. In 2022, the Second Additional Protocol to the Budapest Convention was opened for signature. It is intended to bring the Convention in line with the modern internet, and specifically the advent of cloud computing; in particular, it enables law enforcement to request domain registration information and “subscriber information and traffic data” directly from internet service providers in other signatory jurisdictions. The United States signed the Second Additional Protocol in December 2022; it has yet to be ratified here, and will not enter into force in any jurisdiction for some time.
In short, although methods certainly exist for law enforcement to obtain electronic evidence in other countries, navigating the various options is confusing and time-consuming. If we want to empower our governments, especially at the state and local levels, to address cyberthreats in a more meaningful way, we have to streamline this process.
In many ways, the United States is at the epicenter of this problem. As a world financial capital, we experience the most large-scale cyberattacks of any nation: According to the 2021 Microsoft Digital Defense Report, between June 2020 and July 2021, the United States was the target of 46 percent of the world’s cyberattacks. As a result, our federal, state, and local law enforcement agencies are overwhelmed with investigations related to cybercrime, many of which require us to collect evidence from overseas. We are also home to many of the world’s largest tech companies, whose servers contain troves of evidence of criminal activity all over the world.
It makes sense, then, for the US to lead the way in improving access to electronic evidence in transnational cybercrime (and other international) investigations. Perhaps ironically, these efforts have to some extent been hamstrung by concerns about our law enforcement and national security rules for access to data. While the US-EU Data Transfer Framework relates principally to commercial data, the debate over the adequacy of US data privacy protections has seemingly chilled efforts to foster law enforcement evidence-sharing initiatives.
Potentially complicating matters further, section 702 of the US’s Foreign Intelligence Surveillance Act (FISA), which was the focus of the 2020 European Court of Justice decision invalidating the Privacy Shield, is due to expire at the end of 2023. The director of the NSA and head of US Cyber Command has emphasized the importance of renewing section 702, saying that it plays a critical role in investigating cyber threats and terrorism. See, e.g., News Release, Nat’l Sec. Agency, Gen. Nakasone, NSA General Counsel Engage in FISA Section 702 Forum (Jan. 26, 2023).
But the path to renewal is sure to be bumpy. Privacy advocates cite the need for more transparency about how the law is used, while the Republican majority in the Senate has become increasingly critical of our law enforcement and national security agencies and has expressed skepticism about their desire to continue using this investigative tool.
The US must forge a path forward and ensure that the Framework for transfers of data with the EU is codified. This will set the stage for the negotiation of CLOUD Act agreements, or similar vehicles for law enforcement, between EU member states and the US. And because the EU leads on the world stage for questions related to data privacy, this will set a significant precedent for our efforts to negotiate similar agreements with our other partners overseas.
These bilateral, or multilateral, agreements are the best option available for establishing efficient and meaningful sharing of data. They are appropriately limited in scope, applying only to certain providers and categories of data that are most relevant in cybercrime investigations: content and metadata housed by electronic communications providers. They can be crafted based on the data protection standards in the relevant jurisdictions. They incentivize our international partners to share data with us, in exchange for our promise to share data more efficiently with them. And, most importantly, they obviate the need to follow the MLAT process, saving years in these increasingly important investigations. This has the added benefit of reducing strain on the attorneys tasked with reviewing and submitting MLATs, presumably improving response times for requests that fall outside the scope of CLOUD Act agreements.
Ad-hoc international partnerships, like the ones we cultivated at the Manhattan DA’s Office, are also incredibly worthwhile. They foster trust among agencies, the value of which is immeasurable. But these arrangements are necessarily limited. When it comes to obtaining admissible evidence, there is only so much that can be done outside the boundaries of a formal data-sharing agreement.
Formal mechanisms to obtain evidence in other jurisdictions benefit us all. Cybercrime is a growing threat, not only to the financial security of our businesses but to our critical infrastructure, our governments, and our citizens. We should formalize data transfer agreements that help combat this threat not in spite of our concerns about privacy rights, but because of them. When law enforcement can identify and apprehend members of ransomware groups, networks that launch wire transfer fraud schemes, and operators of botnets and other cybercrime infrastructure, our data are more secure.
The 2009 indictment described at the beginning of this article prevented millions of credit card numbers from being sold and used for fraud. And it demonstrates that state and local law enforcement can, and must, have a role to play in disrupting the transnational cybercrime economy.
The landscape has changed since then: Threats have proliferated and the monetization of personal data has become a business. We can no longer afford to spend a decade investigating and prosecuting a single financially motivated cybercrime group. We need governments to work together to enable prosecutors to do their jobs and gather the data they need to disrupt these criminal organizations. The United States and the European Union can lead the way, by establishing bilateral agreements to preserve and share electronic evidence. This will set the stage for enhanced cooperation and sharing around the world, helping us combat one of the most significant criminal threats of our lifetime.