[CB20] Defending Computer Criminals by Andrea Monti

Defending Computer Criminals
Andrea Monti
Adjunct Professor of Law and Order
University of Chieti-Pescara

Agenda
• What this talk is all about
• A Few Caveats
• The Investigation
• What is a ‘Computer Criminal’?
• Taxonomy of the defendants
• Common mistakes in the defence
design
• Tuning the defence
• Defence arguments
• Procedural defence issues
• Conclusions
Defending Computer Criminals - Andrea Monti - Adjunct Professor of Law and Order - University of Chieti-Pescara (IT)
© Andrea Monti 2020 - All Rights Reserved

What this talk is all about
• This talk is about computer crime
advocacy from the defendant
perspective.

• It deals with practical matters,
therefore it assumes at least a basic
knowledge of how a criminal
investigation is performed and how a
criminal trial works.

• Tries to be ‘jurisdiction independent’.

• Outlines the basic knowledge and
strategies to handle a computer crime
trial.

A Few Caveats
• ‘Nobody really wants justice’ (Dershowitz, A.
‘The Best Defense’, 1982).

• ‘The more experienced a judge is, the less
his decision in a new case will be
influenced by the evidence and arguments
in that case—which infuriates
lawyers’ (Posner, R. ‘How Judges Think’,
2008).

• Corollary: procedural defense may have a
different effectiveness according to the
specific legal Zeitgeist of the Country.

The Investigation
• Victim’s reactions, in order
• Making sense about what happened,

• Damage control,

• Internal (often improper) forensics,

• Legal assessment,

• Law Enforcement Involvement

• Law Enforcement course of action
• Crime Scene: impromptu forensics, hard disk/
computer seizure, logs’ collection, employees’
interview, security policy analysis, prior
convictions database query,

• Carrier/ISP: Traﬃc Data Request

• Internet Governance Entities: information
request on Domains and IP registrations,

• Suspect: calls, IM, email eavesdropping/
wiretapping, searches and seizures, digital
forensics.

What is a ‘Computer Criminal’?
• The archetype of the ‘computer
criminal’ is the mighty
übermensch called ‘the
hacker’.

• Do ‘hackers’ exist? Are they
‘criminals’? Are there criminals
who are not ‘hackers’?

• Hackers as scapegoats and law
enforcement’s reputation
enhancers.

• Why do these issues matter?
Artwork by Alberto Maderna for Monti&Ambrosini Editori - All Rights Reserved

A Taxonomy of the Defendants
• Knowledge vs Motivation
• Knowledge is Motivation
independent,

• The same technical skills can
be exploited by a hacktivist,
an intelligence operative, an
‘ordinary’ criminal or an
average citizen,

• What matters to the defence
counsel is to position the
defendant in the right part of
the diagram.
Elaboration of a diagram initially published in Winkler, Ira, ‘Corporate Espionage’, 1997 Prima Publishing p. 86 and presented at the lecture  
ＩＴ捜査と防御権 – イタリアおよびヨーロッパの２０年間の司法史 - 2017年6月10日（土）- 慶應義塾大学

Common Mistakes in the Defense Design
• Blindtrusting hired experts,

• Mounting a defense based on exoteric and
non Daubert-compliant technical theories,

• Failing to challenge commonly accepted
assumptions (i.e. ‘cyberspace’, ‘online vs
oﬄine’, AI capabilities, etc.),

• Disregarding the weight of traditional
evidence,

• Lecturing the court.

Designing a Defense Strategy
• A computer criminal defense is made of
• Technical knowledge

• Strategy

• Eﬀectiveness

• Technical knowledge is needed to
• Win the heart of the (tech-savvy) defendant,

• Spot possible procedural mistakes of the
investigation,

• Understand when law enforcement and
prosecutor’s expert witness are trying to ‘muddy
the water’ by releasing ‘poisoned technical
statements’,

• Design a strategy.

• Strategy must change according to
• the proﬁle of the defendant,

• the moment when the lawyer becomes involved,

• the IT skill level of the law enforcement,
prosecutor and court.

Tuning the Defense Design
A standard defense design implies taking into account:

• The victim statements, in particular about what it did
before handing out the targeted computer (and/or
information) to the police,

• If the police took for granted what the victim handed
them out without further investigations,

• If the police operated the defendant’s seized devices
with improper forensics care,

• How a police-operated malware has been designed,
deployed and exploited,

• How did the police get technical information and
logﬁles from carriers and ISPs. Were these information
acquired by a police technician or (insecurely) provided
by the ISPs?

• How the police did get information from foreign entities.
Did they operate under an MLAT or just get a simple e-
mail with the data?

• How the police matched a computer user with a
physical identity.

Defense Arguments
• Lack of digital forensics best-practice compliance as
a way to challenge the digital evidence admissibility and/
or weight (United States v. Allen, 106 F.3d 695, 700, 6th
Cir. 1997 v. Italian Supreme Court, Vth Criminal Branch,
ruling 25 March 2015, n. 1105)

• Relevance of data integrity preservation (Italian
Supreme Court Criminal Branch, ruling 6 September
2012 n. 44851)

• Planted evidence in the defendant’s device. Although
held as unpresentable because of its highly speculative
nature, this argument gained new momentum from the
use of law enforcement-operated malware. The use of
this argument must be grounded on solid hints,
otherwise it would fall back into the ‘highly speculative’
category.

• Carefully assessing the burden of proof. Stipulation
with the prosecutor in technical matters should, as a rule
of thumb, be avoided.

• Ascertain the mens rea

Procedural Defense Issues
• When the procedural defense is the main
strategy, it is often implicitly seen by the court
as evidence of guiltiness,

• This perception can be exploited by the
prosecutor, especially in jury-based trials,

• To contain the potential exploitation against
the defendant of the procedural defense, it is
important to stress the point that respecting
the rules of due process is as important as the
merit of the trial.

Conclusions
• The protocol to follow in the design of a defense strategy
for a computer crime trial is:

• Understanding the client's criminological proﬁle,

• Carefully analysing the technical police activities and look
for prosecution's mistakes,

• Choosing whether to adopt a procedural defence,
challenge the merits of the accusations or both.

• Bear in mind that a procedural defense must be handled
with high care because
• It can be seen by the court, and exploited by the
prosecutor as an implicit admission of guilt,

• Must be based on solid arguments, otherwise it will be
dismissed as a ‘wild speculation’,

• Can be obliterated by traditional evidences.

• Manage the relationship with the judge with extreme care
• Do not expose his limited knowledge of the technological
aspects,

• Restrain from a professorial attitude,

• And, above all, do not exploit his limited grasp over
technical matters to confuse him.•

www.ictlex.net - Italian
blog.andreamonti.eu - English
monti.jp - 日本語
www.linkedin.com/in/amonti/
Sorry, no other social networks available
すみません、他のSNSはやっていません。

Thank you!
ありがとございます！
:)
Thank you!
ありがとございます！
:)

[CB20] Defending Computer Criminals by Andrea Monti

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to [CB20] Defending Computer Criminals by Andrea Monti

Similar to [CB20] Defending Computer Criminals by Andrea Monti (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (17)

[CB20] Defending Computer Criminals by Andrea Monti