Hotline Operations Manual

From Future Worlds Center Wiki
Revision as of 03:32, 12 September 2011 by Elena (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Introduction

What is SafenetCY?

SafenetCY is the Cyberethics Safer Internet Hotline through which illegal or disturbing content can be reported. The hotline operates island-wide (serving also Turkish-Cypriots and other minorities) and focuses on reports of child sexual abuse images and racism/xenophobia. The project engages actors from the government and civil society, therefore contributing towards the eradication of cyber crime in more than one sector. The hotline offers the opportunity to all people to report through the various different reporting methods that it entails (i.e. telephone, email and website).

What are the specific Objectives for the Hotline?

  • Operate an island-wide hotline for Internet users in Cyprus to report illegal and harmful material and activities, so as to reduce the circulation of illegal content on the Internet.
  • Inform users of the hotline’s scope of activity and how to contact it; clarify to the users the difference between the hotline’s activities and those of public authorities, and inform them of the existence of alternative ways of reporting illegal content.
  • Establish, if necessary, and operate a hotline to receive information from the public relating to illegal
  • Content which will act as a national alert platform or as an alert platform common to several Member States;
  • Draw up a manual of procedures in cooperation with law enforcement authorities and in accordance with best practice guidelines;
  • Deal rapidly with complaints received;
  • Where permitted under national law and the manual of procedures, undertake a preliminary assessment of the legality of the content reported and trace its origin;
  • Forward the report to the appropriate body for action (police, ISP, correspondent hotline);
  • Conduct systematic notice to the host service provider of content assessed as illegal child abuse material, unless the police have requested the hotline not to do so;
  • Participate actively in networking with other local stakeholders;
  • Take part in cross-border discussions and exchange of best practice with other co-funded hotlines and with other stakeholders as part of the network.
  • Contribute to the European URL database once set up by the network coordinator.

GENERAL PROCEDURES

The person who wants to report illegal content on the Internet that s/he came across may choose one of the following ways to submit a report. Online reports are preferable since they are accepted automatically. A guidelines section is given in the SafenetCY website in order to provide a complete set of information, about the reporting procedure.

  • Online: Filling in the online reporting form.
  • Telephone: 22674747
  • Email: Reporting by sending us an email with your report to the following email address: reports@cyberethics.info

In order to make the processing of any report as effective as possible the Hotline requires to be provided with specific information on the location and type of illegal content that the person who wants to make the report encountered.

For each different type of report it is required to provide SafenetCY Hotline with the corresponding information:

  • Website: Website address (URL), type of content, a free text description of the content.
  • Newsgroup: Name of newsgroup, message ID, message sender, message subject, date of the message, type of message content, a free text description of the content.
  • Peer-to-peer: File link, Server link, date that came across with the content, type of content, a free text description of the content.

Any actions taken by SafenetCY are within the limits that are determined by the Cyprus Law. Illegal content is also considered any content that is defined illegal by the Cyprus Law.

ANONYMITY POLICY

Anonymity

Persons filling reports have the option to choose to remain anonymous by not providing any contact information. Making an online report does not automatically imply that they lose their anonymity. The Hotline registers only information that the person making the report enters to the Hotline’s online form. The Hotline does not register any other information, not even the IP address of the machine used to submit the report.

Contact Information

In the case where the person making the report wishes to be notified about the outcome of their report, they should provide sufficient contact information. The minimal information includes: First Name, last Name, and email.

REPORTING PROCEDURES

Chart Flow

Procedures Chart

Reporting Procedure

Receiving a report: The person that wants make a report of an illegal content has to fill the relevant form depending on the source that contains the illegal content.

1. Website:

If the source is a website (URL) then in the relevant form must be reported:

Information Field
The URL of the website Necessary Field
The type of the content i.e. Child pornography, Racism/Xenophobia Necessary Field
The Date that the person came across with the illegal content Optional Field
Some comments or description on the content that is reported Optional Field
Personal details Optional Field









2. Newsgroup:

If the source is a newsgroup then in the relevant form must be reported:

Information Field
The name of the Newsgroup Necessary Field
The Message ID Necessary Field
The type of the message content i.e. Child pornography, Racism/Xenophobia Necessary Field
The message sender Optional Field
The message subject Optional Field
Date of the message Optional Field
Some comments or description on the content that is reported Optional Field
Personal details Optional Field













3. Peer-to-peer:

If the source refers at a P2P then in the relevant form must be reported:

Information Field
file|… Necessary Field
The type of the message content i.e. Child pornography, Racism/Xenophobia Necessary Field
server|… Optional Field
Date that the person came across with the illegal content Optional Field
Some comments or description on the content that is reported Optional Field
Personal details Optional Field














Indoor investigation and Procedures made by SafenetCY:

Every report is recorded at SafenetCY’s Database. From that point every procedure has to be processed no later than 24 hours from the time the report was made. The following steps are made by SafenetCY:

1. Verification: Due to changes in our rules and regulations, the hotline no longer accesses the content that is reported. Instead, it follows directly to tracing the content.

2. Tracing the source: An attempt is made, using technical means, to trace the country where the reported content originates.

3. Cyprus Police notification: SafenetCY forwards reports that are hosted in Cyprus to the Cyprus Police, irrespective of their legal or illegal status.

4. Reports forwarded to Helpline: If the reporting source originates in Cyprus and the form of the report could hurt an involved child then the helpline will take the appropriate actions to support the child.

5. Foreign hotline notification: If the reported content originates from abroad, the report is forwarded to a hotline in the country of origin (if one exists) through the IHRMS (URL database) system established by INHOPE.

6. Feedback: If the user that made the report wishes feedback for the outcome of his/her report, then SafenetCY informs him/her of the actions taken based on his/her report.

7. Database update: SafenetCY informs its database for the outcomes of the illegal report as received by the Local Authorities.

8. Inform Safer Internet Center: If the content does not have to do with anything illegal, but still needs national attention the Awareness Node is informed about the possible threats.

Note that no information is given about the report, but only about the existence of the specific “threat” on the Internet.


Actions taken by the Cyprus Police:

The Cyprus Police Department runs a specific unit (Cyber Crime Unit) in order to deal with the situation of illegal content on the Internet. After SafenetCY notifies the Police about the report hosted in Cyprus, the Police will make the following steps:

1. Determine whether the content is illegal or not illegal.

2. If the content is illegal then the Cyprus Police makes any necessary actions to deal with the situation and informs the hotline of the outcomes.

3. If the content is not illegal then the Cyprus Police notifies the hotline mentioning what the content was referring to in order for the hotline to register it on its database and/or notify where necessary the Safer Internet Center.

CYPRUS LEGISLATION

The Republic of Cyprus has signed, ratified, acceded or succeeded and essentially incorporated into the Republic's municipal law all international treaties and conventions concerning child protection, elimination of racism, fortification and efficient application of Human Rights and Fundamental Freedoms in general. A list of all relevant international treaties and conventions is provided by the official website of the [Ministry of Foreign Affairs][1]. A comprehensive overview of the underlying local legislative framework as well as relevant to the functionality of the SafenetCY Hotline is outlined in this section.

Laws relevant to the Internet

  • Ο περί της Σύμβασης κατά του Εγκλήματος μέσω του Διαδικτύου (Κυρωτικός) Νόμος του 2004 (22(III)/2004)
  • Convention on Cybercrime, Budapest 23.11.2001


The incorporation of the Convention on Cybercrime of Budapest into the Republic's municipal law is stated in Law 22(III)/2004. The following table lists the articles of Chapter II (Measures to be taken at the national level), Section 1 (Substantive criminal law) of the Convention on Cybercrime:

Article Title
2 Illegal access
3 Illegal interception
4 Data interference
5 System interference
6 Misuse of devices
7 Computer-related forgery
8 Computer-related fraud
9 Offenses related to child pornography
10 Offenses related to infringements of copyright and related rights
11 Attempt and aiding or abetting
12 Corporate liability
13 Sanctions and measures



















In Chapter II: Section 2 is concerned with issues of Procedural law and Section 3 with Jurisdiction. Chapter I of the Convention provides the use of terms; "international co-operation" and "final provisions" are the subjects of Chapters III and IV respectively. The full text of the [Convention on Cybercrime][2] can be accessed through the website of the Official Journal of the European Union.

Child Pornography

  • Ο περί Καταπολέμησης της Εμπορίας Προσώπων και περί Σεξουαλικής Εκμετάλλευσης Ανηλίκων Νόμος του 2000 (3(I)/2000)
  • Ο περί της Συμβάσεως περί των Δικαιωμάτων του Παιδιού (Κυρωτικός) Νόμος του 1990 (Αρ. 243 του 1990)'
  • (UN) Convention on the Rights of the Child
  • Convention on Cybercrime, Budapest 23.11.2001

Ο περί Καταπολέμησης της Εμπορίας Προσώπων και περί Σεξουαλικής Εκμετάλλευσης Ανηλίκων Νόμος του 2000

Definitions according to the Cyprus law
«...

  • «child»: a person under the age of eighteen years.
  • «trafficking»: any action that facilitates the entrance, transit or residence in, or egression from the state of the Republic of Cyprus of adults or children, and aims at the sexual exploitation of these persons.
  • «pornography»: the by any means visual or audio recording of any form of sexual act on any person.
  • «child sexual exploitation»:
    • Exhortation or force over a child to participate in any form of sexual act.
    • Sexual exploitation of a child through its prostitution or participation in other forms of sexual practices.
    • Sexual exploitation of a child through its participation in pornographic material, including the production, distribution and selling, trading or possessing of such material.

...»
Article 3 of the Law prohibits sexual exploitation and maltreatment of children.
Article 4 of the Law prohibits the production, acquisition, possession, distribution, import and export of child-pornographic material.

Ο περί της Συμβάσεως περί των Δικαιωμάτων του Παιδιού (Κυρωτικός) Νόμος του 1990 (Αρ. 243 του 1990) – (UN) Convention on the Rights of the Child
The [Convention][3] has been signed and ratified by nearly all countries ― members of the UN organization (the USA and Somalia have signed but not yet ratified the Convention).

The incorporation of the Convention on the Rights of Child into the Republic's municipal law is stated in [Law 243 of 1990][4]. The [ratification][5] of the Convention by the Republic is also recorded in the website of the Office of the United Nations High Commissioner for Human Rights. The Convention has been repeatedly mentioned in statements made by the Representative of the Republic to the UN ([1998][6], [1999][7], [2000][8]).

The full text of the Convention can be accessed through the websites of [UNICEF][9], the Office of the United Nations High Commissioner for Human Rights, and the English edition of the [Social Welfare Services of the Ministry of Labour and Social Insurance][10].

Article 34, listed below, is of particular importance:
«...
Article 34

States Parties undertake to protect the child from all forms of sexual exploitation and sexual abuse. For these purposes, States Parties shall in particular take all appropriate national, bilateral and multilateral measures to prevent:

  • The inducement or coercion of a child to engage in any unlawful sexual activity;
  • The exploitative use of children in prostitution or other unlawful sexual practices;
  • The exploitative use of children in pornographic performances and materials.

...»

Ο περί της Σύμβασης κατά του Εγκλήματος μέσω του Διαδικτύου (Κυρωτικός) Νόμος του 2004 (22(III)/2004) – Convention on Cybercrime, Budapest 23.11.2001

The Convention on Cyber crime and Law 22(III)/2004 have been mentioned in the "Internet Usage" section. In respect to child pornography, the Convention states the following:
«...
Article 9 ― Offenses related to child pornography

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally and without right, the following conduct:

  1. Producing child pornography for the purpose of its distribution through a computer system;
  2. Offering or making available child pornography through a computer system;
  3. Distributing or transmitting child pornography through a computer system;
  4. Procuring child pornography through a computer system for oneself or for another person;
  5. Possessing child pornography in a computer system or on a computer-data storage medium.

2. For the purpose of paragraph 1 above, the term "child pornography" shall include pornographic material that visually depicts:

  1. a minor engaged in sexually explicit conduct;
  2. a person appearing to be a minor engaged in sexually explicit conduct;
  3. realistic images representing a minor engaged in sexually explicit conduct.

...»

Other conventions:
[The Hague Convention on the Civil Aspects of International Child Abduction][11]
[The European Convention on Recognition and Enforcement of Decisions Concerning the Custody of Children ][12]

Racial Discrimination

(UN) The International Convention on the Elimination of All Forms of Racial Discrimination
Status of ratification of the Convention..
Status of ratification of amendment of Article 8 of the Convention..
The Republic of Cyprus has signed and ratified the International Convention on the Elimination of All Forms of Racial Discrimination on 1966 and 1967 respectively. The Convention has been repeatedly mentioned in statements made by the Representative of the Republic to the UN ([1999][13], [2002][14]).
The full text of the Convention can be accessed through the websites of the Office of the United Nations High Commissioner for Human Rights.

Ο περί πρόσθετου πρωτοκόλλου στη Σύμβαση κατά του Εγκλήματος μέσω του Διαδικτύου αναφορικά με την Ποινικοποίηση Πράξεων Ρατσιστικής και Ξενοφοβικής Φύσης που Διαπράττονται μέσω Συστημάτων Ηλεκτρονικών Υπολογιστών (Κυρωτικός) Νόμος του 2004 (26(ΙΙΙ)/2004)
The law contains illegal action for distributing without any right racist or xenophobic content that promotes racial discrimination, hate or violence. In addition, it includes as illegal threats or swearing through the computer people that is based on hate, racism or xenophobia.

Internet Security ― Protection of Personal Data

  • Ο περί ρυθμίσεως ηλεκτρονικών επικοινωνιών και ταχυδρομικών υπηρεσιών νόμος του 2004 (112(I)/2004) (Μέρος 14)
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)



Issues concerning Internet Safety and Protection of Personal Data are addressed in Part 14 of the Law 112(I)/2004. Part 14 of the above mentioned law (Security, Secrecy and Data Protection) is essentially the incorporation of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the ?protection of privacy in the electronic communications sector into the Republic's municipal law. The [Directive 2002/58/EC][15] can be accessed through the Portal to the European Union Law.

In addition to Law 112(I)/2004, the Office of the Commissioner of Electronic Communications & Postal Regulations has published a number of regulations and decrees governing relevant issues.

Sexual Exploitation (of adults) ― Trafficking

Ο περί Καταπολέμησης της Εμπορίας Προσώπων και περί Σεξουαλικής Εκμετάλλευσης Ανηλίκων Νόμος του 2000 (3(I)/2000)

Law 3(I)/2000 has been mentioned in the "Child Pornography" section. In respect to adults, the Law states the following:
(Article 3: Sexual exploitation)
The following are prohibited:
a) Profiteering by sexually exploiting adult persons in the cases that:

  1. coercion, force, violence or threats have been used or
  2. the subjects have been deceived or
  3. essential pressure, or authoritative power have been used in the extent that the subjects were forced to submit.

b) Profiteering by trafficking of adult persons for sexual exploitation, given that any of the conditions listed above holds true.

References

  1. http://www.mfa.gov.cy/mfa/mfa2006.nsf/All/616D9952B6191B85C2257419005129D4?OpenDocument List of International Treaties and Conventions
  2. http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=2&DF=10/03/05&CL=ENG Convention on Cybercrime
  3. http://treaties.un.org/Pages/Treaties.aspx?id=4&subid=A&lang=en United Nations Treaty Collection
  4. http://www.mlsi.gov.cy/mlsi/sws/sws.nsf/dmllegislation_gr/dmllegislation_gr?OpenDocument&Start=1&Count=1000&Expand=3
  5. http://www.unhchr.ch/tbs/doc.nsf/0/63ac64e773bf0ddac1256b6700638dbb?OpenDocument Convention on the Rights of the Child
  6. http://www.un.int/cyprus/children.htm Statement by the Representative of Cyprus to the 3rd Committee Mr. Demetris Hadjiargyrou on Promotion and Protection of the Rights of Children
  7. http://www.un.int/cyprus/child54.htm Statement by the Representative of Cyprus to the 3rd Committee Mr. Demetris Hadjiargyrou on Agenda Item 112: Promotion and Protection of the Rights of Children
  8. http://www.un.int/cyprus/child55.htm Statement by the Representative of Cyprus the 3rd Committee Mr. Demetris Hadjiargyrou on Agenda item 110: Promotion and Protection of the Rights of Children
  9. http://www.unicef.gr/reports/symb.php H Σύμβαση για τα Δικαιώματα του Παιδιού
  10. http://www.mlsi.gov.cy/mlsi/sws/sws.nsf/dmllegislation_en/dmllegislation_en?OpenDocument&Start=1&Count=1000&Expand=2 Social Welfare Services Legislation
  11. http://www.hcch.net/index_en.php?act=conventions.text&cid=24 Convention of 25 October 1980 on the Civil Aspects of International Child Abduction
  12. http://conventions.coe.int/treaty/en/Treaties/Html/105.htm European Convention on Recognition and Enforcement of Decisions concerning Custody of Children and on Restoration of Custody of Children
  13. http://www.un.int/cyprus/racial54.htm Statement by the Representative of Cyprus to the 3rd Committee Mr. Demetris Hadjiargyrou On Agenda Item 114: Elimination of Racism and Racial Discrimination
  14. http://www.un.int/cyprus/racial56.htm Statement by the Representative of Cyprus to the 3rd Committee Mr. Demetris Hadjiargyrou On Agenda Item 114: Elimination of Racism and Racial Discrimination
  15. http://eur-lex.europa.eu/ Access to European Union law

SECURITY MEASURES

Access to Hotline Investigations Office

The following measures guarantee maximum security regarding the access to the office spaces in which investigations and reporting is made.

  • The office must be held locked at all times.
  • The Hotline Operator is in charge of keys to the office and keeps records of who has copies of such keys.
  • Only staff authorized by the Hotline Operator can access the office in which reports are processed.
  • Only staff authorized by the Hotline Operator can access the computers, which are used for investigation and processing of reports.
  • Only staff authorized by the Hotline Operator can perform maintenance tasks on any computers used for investigation and processing reports.

Computer

  • Only staff authorized by the Hotline Operator can access computer for report processing
  • All external drivers (CD-ROM, floppy, etc) are disabled
  • Computer enclosure must be locked to prevent access to the computer from others
  • Computer hard drive is encrypted and password protected
  • Computer BIOS is password protected
  • Log in is password protected
  • Computer for report processing has a minimal configuration and only absolutely necessary software installed
  • Network access is limited with a firewall.

Web/Database Server

The database in which reports are stored is located physically on a separate server. The following measures guarantee the safety of this server and its data:

  • The database Server is located within the secure space of the Hotline Operator’s office.
  • Only staff authorized by the Hotline Operator can access server for repairs, hardware upgrades, etc
  • If any other person needs to access the Hotline database server, s/he must be accompanied by the Hotline Operator, or by a person authorized by the Hotline Operator.
  • The Hotline’s database is backed up on a daily basis automatically.
  • The Hotline’s database backups are encrypted and stored at a location different from the Hotline Operator’s office secured by the management of the implementing organization.
  • All sensitive information stored on the Hotline server’s database is encrypted.
  • The server on which the Hotline’s database is hosted has a minimal configuration and only absolutely necessary software installed.
  • The Hotline Database includes the following records: Report ID (created automatically by the software); date and time of the reporting; text inserted by the person making the report in the subject line; type of content reported by the person that filed the report.
  • Every other record (traceroute, whois, etc.) is stored in database in form of encrypted files.
  • Screenshots are not recorded at all; instead a link to those is recorded.
  • Site mirror is provided for case of primary server failure.