Cybercrime.

What is cybercrime?

Cybercrime refers to a variety of criminal acts committed online and with digital devices. Two predominant offences that fall routinely within this category are mischief to computer data (contrary to s. 430(1.1) of Canada’s Criminal Code) and unauthorized use of a computer service (s. 342.1). Cybercrime also relates, however, to an even broader array of criminal conduct when conducted through digital means. This includes theft (s. 322), extortion (s. 346), the possession of criminal proceeds (s. 354), fraud (s. 380), identity theft (s. 402.1), trafficking in identity information (s. 402.2), money laundering (s. 462.31), criminal harassment (s. 264), hate speech (s. 319), the dissemination of child pornography (s. 163.1(3)), luring children (s. 172.1), and the distribution of intimate images without consent (s. 162.1).

In reality, the boundary between what is actually criminal and non-criminal conduct in cyberspace is often unclear. Indeed, no area of criminal law is as rapidly evolving and as misunderstood as cybercrime. This is due largely to changing technologies and digital trends, which have outpaced the development of corresponding rules and regulations. Most computer offences in the Criminal Code actually pre-date the Internet as it exists today. At the time those offences were enacted, modern problems in cybersecurity and privacy protection were not yet foreseen. Applying traditional law to newly emergent digital practices can create significant uncertainty over what is a crime and over exactly what evidence is required to prove it. This leaves courts to shape cybercrime law piecemeal, while they grapple with novel issues and untested legal theories.

Data breaches and hacked information

In recent years, a considerable amount of cybercrime activity has centred around the misappropriation of login credentials (namely usernames and passwords) and the exploitation of data breaches to commit further offences. For this reason, trafficking in passwords is now largely criminalized. Likewise, exploring security weaknesses in the online storage of data risks attracting legal scrutiny, particularly when done for financial gain.

This is not, however, without controversy. As an example, a legitimate online business might innocently compile “log-in” credentials that were leaked in various database hacks in order to warn its own customers not to reuse old, already compromised passwords. Whether such a business would run afoul of current criminal prohibitions depends on the details of how these credentials are discovered, stored, shared and used.

Digital theft and scams

One trending example of misappropriating credentials is SIM swapping. In a SIM swap, a victim’s phone number is fraudulently taken over. The phone number can then be used, by way of two-factor authentication (2FA) procedures, to surreptitiously access that victim’s financial accounts and online wallets. This has led to the theft of cash, cryptocurrencies, non-fungible tokens (NFTs) and other digital assets.

Investigating, prosecuting, and defending against allegations of theft through SIM swapping often involves a complex process of “wallet-tracing.” This is a method of tracking the location of stolen assets by examining a series of transactions recorded on a public ledger system known as a blockchain. The proliferation of cryptocurrency tumblers or mixers, which obfuscate digital transactions, has made this process highly intensive. Moreover, there are separate complex processes for determining the identities of those behind such thefts. This entails ascertaining IP addresses, confirming whether WiFi networks used to commit the crime were open or secure, gathering various digital footprints, and piecing together other forms of circumstantial evidence.

In addition to SIM swapping, similar digital thefts have occurred by way of phishing scams. For instance, fake websites are often made to resemble real services. Unsuspecting victims are then lured into sharing access to their finances under the guise that they are obtaining some kind of service or benefit instead. The process of investigating, prosecuting and defending against phishing allegations can be as complex as any other serious criminal case.

Defending against cybercrime allegations

Cybercrime activities can take a variety of forms. A direct consequence is that the facts, legal issues, forms of evidence, and trial strategies engaged will vary significantly from case to case. Luka Rados is highly experienced in handling all cybercrime matters. Please contact us for further information.