Cybercrime Developments in Europe

Cybercrime in Europe
Recent Legal & Policy Developments
Cédric Laurant
Presentation available at http://blog.cedriclaurant.org
2nd Congress on Cybercrimes and Protection Measures
(II Congresso Crimes Eletrônicos e formas de proteção)
São Paulo - BRAZIL – Sept. 27-28, 2010
(http://www.fecomercio.com.br/?option=com_eventos&view=interna&Itemid=11&id=2730)

Outline
• 1. Impact of cybercrime in the EU
• 2. General overview of the latest legal and public policy
developments in the field of cybercrime in Europe
• 3. Recent cybercrime developments (case law and new
laws) in a few EU Member States
• 4. How Europe’s recent legal and policy developments
may provide lessons for Brazil and Latin America
2
Cédric Laurant: “Cybercrime in Europe:
Recent Legal & Policy Developments"

Outline
4

1. Impact of cybercrime in Europe
• Uncertainty of the scope in the world: absence of reliable
statistical information about extent of problem, and about
arrests, prosecutions and convictions.
• Why?
– Difficult to estimate extent of financial loss and number of
offences committed by cybercriminals. (Some extrapolate
cybercrime-related losses to businesses and institutions in the United
States to about USD 67 billion per year, to 750 billion in the world.)
– Uncertain extent to which victims report cybercrime for
negative publicity and reputation damage concerns.
•  Difficult to quantify impact of cybercrime on society and
develop strategies to address the issue.
5

From: Norton Cybercrime Report: The Human Impact (August 2010)
6

7

8

• Impact on EU-based companies, European computer users
and consumers whose personal information is misused,
leaked, stolen.
– The European Commission reported recently that governments and
society lose some €750 billion every year in the EU
– Other pan-European law enforcement agencies (Interpol and ENISA)
hesitate to come up with a number because of the lack of a single
Europe-wide definition of cybercrime.
–  We will refer to the very recent Ponemon Institute, First Annual
Cost of Cybercrime Study, July 2010 to provide us with numbers on
the cost of cybercrime for US companies.
9

• Key conclusions from the Ponemon Institute study of July 2010 that
quantifies the economic impact of cyber-crime attacks:
– “Cybercrime attacks” include criminal activity conducted via the
Internet: theft of a company’s intellectual property, confiscation of online
bank accounts, creation and distribution of viruses on other computers,
posting confidential business information on the Internet, and disruption
of a country’s critical national infrastructure.
– “Cost” includes: “direct, indirect and opportunity costs that resulted from
the loss or theft of information, disruption to business operations,
revenue loss and destruction of property, plant and equipment, and the
external consequences of the cybercrime. The survey also captures the
total cost spent on detection, investigation, containment, recovery and
after-the-fact or “ex-post” response.
– Cybercrimes can do serious harm to an organization’s bottom line. The
median annualized cost of cybercrime of the 45 organizations
surveyed is $3.8 million per year. It can range from $1 million to $52
million per year per company.
10
1. Impact of cybercrime in Europe the US

From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010
11

• Impact of cybercrime on US companies:
– Key conclusions from a recent study that quantifies the
economic impact of cyber-crime attacks:
• Cybercrime attacks are now common occurrences. The
companies surveyed experienced 50 successful attacks per week
and more than one successful attack per company per week.
• Cybercrime attacks can get costly if not resolved quickly:
average number of days to resolve a cyber attack was 14 days;
average cost per company of $17,696 per day. Malicious insider
attacks can take up to 42 days or more to resolve. Quick resolution
is needed for today’s cybercrime attacks.
• Information theft represents the highest external cost, followed
by the costs associated with the disruption to business operations.
12

13

– Key conclusions from a very recent study that quantifies the economic
impact of cybercrime attacks:
• Detection and recovery are the most costly internal
activities.
14

15

– Key conclusions from a very recent study that quantifies the economic
impact of cybercrime attacks:
• All industry sectors are impacted.
16

17

• 2. Impact on European computer users whose personal
information is misused, leaked, stolen.
• 3. Impact on European consumers and e-commerce in the
EU.
The Norton Cybercrime Report: The Human Impact of August 2010
finds that:
– “For nearly 3 in 10 victims, the biggest hassle is the time it takes to
sort things out: […] 4 weeks to resolve an average cyber-crime
incident.”
– “There’s the emotional baggage, with around 1/5 of victims finding it
made them stressed, angry and embarrassed (19%), and 14%
mourning the loss of irreplaceable data or items of sentimental value,
such as photo collections.”
18

19

Outline
• 2. General overview of the latest legal
and public policy developments in
the field of cybercrime in Europe
20

• Everything really started in 2007 with large-scale cyber
attacks on Estonia:
21

2. General overview of the latest legal and public policy developments in the
field of cybercrime in Europe
“Cyberattacks on Estonia (also known as the Estonian
Cyberwar or Web War 1) refers to a series of cyber attacks that
began April 27, 2007 and swamped websites of Estonian
organizations, including Estonian parliament, banks, ministries,
newspapers and broadcasters, amid the country's row with
Russia about the relocation of the Bronze Soldier of Tallinn, an
elaborate Soviet-era grave marker, as well as war graves in
Tallinn. Most of the attacks that had any influence on the general
public were distributed denial of service type attacks ranging
from single individuals using various low-tech methods like ping
floods to expensive rentals of botnets usually used for spam
distribution. Spamming of bigger news portals commentaries and
defacements including that of the Estonian Reform Party website
also occurred.”
(Extract from: http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia)
22

23
From “Times Comes to Its Senses on Cyber War”. Wired (24 June 2007) http://
www.wired.com/dangerroom/2007/06/httpwwwnytimesc/

• A. Developments in the European Union
– Council of the EU (composed of ministers from the 27 EU
Member States)’s work:
• Council has adopted work strategies and practical measures
against cybercrime since 2008., i.e. “the multiple crimes
committed by means of electronic networks”. It is mainly
concerned with child pornography and other forms of sexual
violence, terrorism, threats and large scale attacks to
electronic networks, and other traditional Internet crimes
such as "identity fraud, identity theft, fraudulent sales,
financial offenses, illicit trading on the Internet, particularly
narcotics and arms dealing.”
25

• A. Developments in the EU
– EU’s “Stockholm Programme”:
• 5-year plan (2010-2014) for the EU’s DG Justice and Home
Affairs in the area of "freedom, security and justice”.
• Call on Member States to ratify the CoE Cybercrime
Convention as soon as possible, to give their full support to
the national alert platforms in charge of the fight against
cybercrime and the need for cooperation with countries
outside the European Union; invitation to the Commission to
take measures for enhancing/improving public private
partnerships, and Europol to step up strategic analysis on
cyber crime.
26

– Council of the EU proposed 3 basic measures to respond
to cybercrime:
• strengthen partnership between public and private sector
to detect and prevent criminal activities
• improve knowledge and training among authorities
involved in the fight against cybercrime in Europe;
particularly, to set up a network of Head of police against
cybercrime, and
• reinforce technical and international co-operation with
countries that most actively deal with cybercrime.
27

– Council of the EU: “Council conclusions concerning an Action Plan to
implement the concerted strategy to combat cybercrime” (26 April
2010):
• Call to action: how the main points of the strategy to combat cybercrime should
be implemented, both in the short and medium term; Council invited Member
States and the European Commission to introduce technological measures to
combat cybercrime; called for shot-term and medium-term measures to be
included in the Action Plan accompanying the Stockholm Programme
(2010-2014) and the future Internal Security Strategy.
• Short-term measures: update the functions assigned to Europol's European
Cybercrime Platform in order to facilitate the collection, exchange and analysis of
information; Member States are invited to set up their national cybercrime
reporting systems; set up a platform to report criminal acts committed on the
Internet; promote cross-border law enforcement cooperation and public-private
partnership, particularly in the fight against child pornography; enable data
exchange at a European scale and according to domestic laws; resort to joint
investigation and enquiry teams; promote the use of joint investigation teams.
28

– Council of the EU: “Council conclusions concerning an Action Plan to
implement the concerted strategy to combat cybercrime” (26 April
2010):
• Medium-term measures: to ratify the CoE Cybercrime Convention; raise the
educational standards of specialization of the police, judges, prosecutors and
forensic staff in order to carry out cybercrime investigations; encourage
information sharing between Member States’ law enforcement authorities; assess
the situation of the fight against cybercrime in the EU and EU Member States in
order to better understand trends and developments and adopt a common
approach in the fight against cybercrime internationally; promote relationships
with European agencies (EUROJUST, EUROPOL, ENISA, etc.), international
bodies (INTERPOL, ONU, etc.) or third countries on new technology subjects;
promote and boost activities to prevent cybercrime by promoting best practices.
• The Council also called for the European Commission to draw up a feasibility
study on the idea of a new European cybercrime agency that would tie together
law enforcement agencies and other entities dedicated to fighting cybercrime.
29

– 3 agencies:
• Europol (training national police, judges and prosecutors in
cybercrime)
• Eurojust
• European Network and Information Security Agency (“ENISA”)
– Next steps:
• Summer 2010: European Commission to propose new directive on
improving protection against attacks on networks and information
systems
• October 2010: European Commission to present “EU Internal
Security Strategy”, which includes cybersecurity.
30

– General critique:
• “Quis custodiet ipsos custodes?” (Juvenal)
"Who will watch the watchers?”
• Oversight
• Council of the EU (represents EU countries’ governments
absence) of >< European Parliament (represents EU
citizens; increased powers since last year)
• Example of law providing such oversight: Directive 2009/136:
data breach notification requirements. Will provide better
information on cybercrime activities affecting businesses and
their customers.
31

A. Developments in the European Union and the Council
of Europe
• 2 different approaches to dealing with cybercrime and its 3
main challenges (transnational dimension, necessity for
international cooperation and differing legal standards):
– a. Compatibility of legislation: develop and standardize
relevant legislation.
– b. Territorialization: Internet access restricted by country or
region.
32

• a. Compatibility of legislation in the EU:
Several regional approaches have been undertaken in recent years in the EU:
– Harmonization of legislation on cybercrime within the EU’s 27
member States:
• Directive 2000/31/EC on certain legal aspects of information society
services, in particular electronic commerce, in the internal market
• Council of the European Union Framework Decision 2000/413/JHA on
combating fraud and counterfeiting of non-cash means of payment
combating the sexual exploitation of children and child pornography
attacks against information systems
• Directive 2006/24/EC on the retention of data generated or processed in
connection with the provision of publicly available electronic communication
services or of public communications networks and amending directive
2002/58/EC
• Council of the European Union Framework Decision 2008/919/JHA
amending framework decision 2002/475/JHA on combating terrorism.
33

• a. Compatibility of legislation in the EU:
– Differences between EU approach and other regional
approaches:
• Implementation of instruments adopted by the EU is mandatory for all
member States. (“Directives”, “framework decisions” and EU Member
States’ national laws)
• Pre-Lisbon Treaty: limited powers of the EU to legislate in the field of
criminal law constituted the main obstacle to harmonization within the
EU. Diversity of approaches because EU’s ability to harmonize national
criminal laws was limited to special areas.
• Post-Lisbon Treaty (amending the Treaty on the EU and the Treaty
establishing the European Community): Lisbon Treaty now gives the EU
a stronger mandate to harmonize legislation on computer-related crimes
in the future, although still limited to the 27 member States.
34

• a. Compatibility of legislation in the Council of Europe:
– Council of Europe has developed 3 major instruments to
harmonize cybercrime legislation:
• Convention on Cybercrime (or “Budapest Convention”): developed
between 1997 and 2001; provisions on substantive criminal law, procedural
law and international cooperation. As of 2010, has been signed by 46 States
and ratified by 26; 11 EU Member States have not ratified it yet.
• Additional Protocol to the Convention on Cybercrime, concerning the
Criminalisation of Acts of a Racist and Xenophobic Nature Committed
through Computer Systems: introduced in 2003. (As of end 2009, 34
States have signed it and 15 of them have ratified it.)
• 2007: CoE Convention on the Protection of Children against Sexual
Exploitation and Sexual Abuse opened for signature. Specific provisions
criminalizing the exchange of child pornography, and the knowing obtention
of access, through information and communication technologies, to child
pornography. As of late 2009, it has been signed by 38 States, 3 of which
have ratified it.
35

• The Council of Europe’s Cybercrime Convention:
– Adopted and opened for signature in 2001, entered into force on July
1, 2004.
– As of 2010, 46 States have signed it, 26 have ratified it.
36

• Problems with the Council of Europe’s Cybercrime
Convention:
– No possibility for broad involvement of non-member states: Non-CoE
member states may not actively participate to its revision (exception:
Canada, Japan, South Africa and the United States), even though
Convention may be acceded to by any State that is not a CoE member.
• Article 37: accession requires States to consult with and obtain the
unanimous consent of the contracting States to the Convention.
• Article 44: participation in the debate about possible future
amendments is limited to parties of the Convention.
– Experience has shown that States prove to be reluctant to ratify or
accede to conventions they have not contributed to developing and
negotiating.
37

• Problems with the Council of Europe’s Cybercrime
Convention:
– Slow signature, ratification and implementation process: compared
to global standards, the number and speed of signature and ratification
is slow. In the nine years since the first 30 States signed the Convention
in Nov. 2001, only 16 additional States have become signatories. Since
2001, no non-member of the Council of Europe has acceded to the
Convention, although five States (Chile, Costa Rica, the Dominican
Republic, Mexico and the Philippines) have been invited to do so. The
pace of ratification has been similarly slow. Also, in addition to being
ratified, the Convention needs to be implemented in national law to
become fully efficient, and proof of full adaptation is needed.
38

• Privacy issues with the Council of Europe’s
Cybercrime Convention:
– Convention lacks adequate safeguards for privacy: a significant number of provisions
grant sweeping investigative powers of computer search and seizure and government
surveillance of voice, e-mail, and data communications in the interests of law enforcement
agencies, but are not counterbalanced by accompanying protections of individual rights or
limit on governments' use of these powers.
– To protect individual privacy is a fundamental part of ensuring good security practices.
– Vague and weak privacy protections: for example, provisions on expedited preservation
of stored computer data and expedited preservation and partial disclosure of traffic data
make no mention of limitations on the use of these techniques with an eye to protection of
privacy and human rights.
– References to the protection of human rights, including the right to privacy, are restricted to
a minimum, and not well balanced against the interests of law enforcement authorities.
– The Convention ignores a multitude of treaties relating to privacy and data protection,
including the Council of Europe's 1981 Convention for the Protection of Individuals with
regard to the Automatic Processing of Personal Data and the European Union's 1995 Data
Protection Directive.
40

• Council of Europe’s “Global Project on Cybercrime” (running
between March 1, 2009 – June 30, 2011)
– Objective: promote broad implementation of the Convention on
Cybercrime.
– To be achieved through results in the following areas:
• Legislation and policies
• International cooperation
• Law enforcement – service provider cooperation in the investigation of cybercrime
• Financial investigations
• Training of judges and prosecutors
• Data protection and privacy
• Exploitation of children and trafficking in human beings.
• Cooperation with 120+ countries
• Legislation strengthened in more than 100 countries, including in Argentina,
Colombia, Dominican Republic.
• Contributes to the organization of regional legislative workshops in Latin America
41

• b. Territorialization: Internet access restricted by country or
region
– Technical solutions range from a manipulation of the domain name system
and the use of proxy servers, to hybrid solutions that combine various
approaches.
– Practised by about two dozen countries, including several European
countries (Italy, Norway, Sweden, Switzerland and the United Kingdom), and
countries such as China, Iran and Thailand.
– The EU is also discussing the implementation of such obligations.
(“Proposal for a Council framework decision on combating the sexual abuse,
sexual exploitation of children and child pornography, repealing framework
decision 2004/68/JHA”, 25 March 2009.) Concerns: all technical solutions
currently available can be circumvented and risk of being overzealous in
blocking access to information on the Internet. Importance of protecting
fundamental rights (emphasized by Council of Europe’s Committee of
Ministers’ Recommendation on measures to promote respect for
freedom of expression and information with regard to Internet filters).
42

Outline
• 3. Recent cybercrime developments
(case law and new laws) in a few EU
Member States
• 4. Impact of European developments on Brazil and Latin
America
43

• The “European Privacy and Human Rights” project:
– Builds upon the legacy of EPIC's publication Privacy & Human Rights, a
survey on privacy regulations and developments worldwide, established 12
years ago (http://www.privacyinternational.org/phr).
– Objectives:
• inform and raise Europeans’ awareness about privacy and data
protection in the 27 EU Member States + ECTA countries (Iceland,
Norway, Switzerland and Lichtenstein) + all EU candidate countries
(Croatia, Macedonia, and Turkey;
• survey national privacy laws and improve the coverage of privacy
regulations and developments at the EU level;
• provide a digest on policy trends on privacy in Europe;
• highlight best practices, and shed light on areas subject to
improvement;
• provide a summary of pan-European trends and a comparative analysis
of policy implications with practical policy recommendations, and privacy
ranking (charts and maps).
3. Recent cybercrime developments (case law and new laws) in a few EU
Member States

• ESTONIA
– The Parliament has stated in its approval of development trends of criminal
policy until 2018 that the fight against cybercrime has to focus on
prevention of sexual abuse of minors, major computer-related fraud and
spreading of computer viruses. Also, the Parliament has declared that
cooperation with the private sector in crime prevention is needed in
order to raise the awareness of potential victims. Therefore the
existence of sufficient amount of IT specialists in law enforcement
authorities has to be assured.
– The Cyber Security Strategy Committee is focused on preventing and
combating cyber threats at a state level. The committee is led by the
Ministry of Defence. Estonia hosts the Cooperative Cyber Defence Centre of
Excellence (CCD COE) that was formally established on the 14th of May,
2008, in order to enhance NATO’s cyber defence capability. In spring 2010,
the Ministry of the Interior submitted Estonia’s official proposal to host the
Agency for the operational management of large-scale IT systems in the
area of freedom, security and justice.
Member States

• FINLAND
– Finnish Communications Regulatory Authority (FICORA)’s
Computer Emergency Response Team (CERT-FI) reported in its
2008 Annual Information Security Review that there had been few
cases reported where access to confidential information of Finnish
organizations were accidentally available on websites. After doing
an international survey they concluded that the slip-ups were fairly
common world-wide.
– In December, 2008 the Finnish Science and Technology Policy
Council adopted the “Review 2008,” which outlines policy on
education, science, technology, and innovation. The policy
measures will be redefined on the basis on an international
assessment to be completed in fall 2009. On January 28, 2009
Finland celebrated Data Protection Day with a theme of “Raising
Awareness,” focused on finding ways to improve citizen awareness
of data protection issues.
Member States

• FINLAND
– The Annual Review of 2009 reported on the computer worm
Conficker spreading to millions of computers in 2009. Also, during
2009, a troijan has been reported to interfere with Finnish
online banking sessions and to make several unauthorized
bank transfers. The Annual report states further that international
information security communities and authorities have
tightened their cooperation over the course of the year. In
addition to dealing with the Conficker worm, this cooperation
ensured that certain companies offering malicious content have now
been shut off from the Internet. The report notes that CERT-FI
completed a research on European CERT organisations during
2009. This research was the first of its kind in Europe, and its results
were met with international interest. The report notes further that a
new act concerning signals intelligence in Sweden came into force
on 1 Dec. 2009. FICORA has issued regulations for the telecom
operators concerning informing their customers of
international information security threats targeted to services
offered to Finnish customers.
Member States

• IRELAND
– Ireland does not have a mandatory data security breach notification law, but in
July 2010 the Data Protection Commissioner (“DPC”) published a data security
breach code of practice. If the code were approved by the Oireachtas, it would
have the force of law and the Data Protection Acts specifically provide for an
approved code to be taken into account in court proceedings. However, the code
has not been approved and is therefore of guidance only.
– The code provides that where there is a data security breach, the data
controller must give immediate consideration to informing those affected
and that, if appropriate, other organisations should be informed such as An
Garda Síochána (the police force) and financial institutions. It states that if the
data is encrypted to a high standard the data controller “may conclude that there
is no risk to the data and therefore no need to inform data subjects”. Data
processors must report loss of control of personal data to the relevant data
controller as soon as the processor becomes aware of the incident.
– All data security breaches should be reported to the DPC as soon as the
data controller becomes aware of the incident and at least within two working
days of becoming aware, unless the breach affects less than 100 data subjects
who have all been informed of the breach without delay and where the data is not
sensitive nor of a financial nature. The DPC may require a detailed report of the
incident and may carry out its own investigation.
Member States

• LITHUANIA
– It has signed and ratified the CoE Convention on Cybercrime. On May 1, 2004,
Lithuania joined the European Union. On February 1, 2007, Lithuania signed the
Additional Protocol to the Convention on cybercrime.
– The Criminal Code of Lithuania provides for criminal liability for crimes against
security of electronic data and information systems. Article 196 states, "A person
who unlawfully destroys, damages, removes or modifies electronic data or a technical
equipment, software or otherwise restricts the use of such data thereby incurring major
damage shall be punished by community service or by a fine or by imprisonment for a
term of up to four years”.
– A fine or imprisonment for a term of up to four years is intended to a person who
unlawfully disturbs or terminates the operation of an information system thereby
incurring major damage, or a person who unlawfully observes, records, intercepts,
acquires, stores, appropriates, distributes or otherwise uses the electronic data which
may not be made public. A legal entity shall also be held liable for these acts.
– A person who unlawfully connects to an information system by damaging the
protection means of the information system shall be punished by community service or
by a fine or by arrest or by imprisonment for a term of up to one year. A person who
unlawfully produces, transports, sells or otherwise distributes the installations or
software, also passwords, login codes or other similar data directly intended for the
commission of criminal acts or acquires or stores them for the same purpose shall be
punished by community service or by a fine or by arrest or by imprisonment for a term
of up to three years. A legal entity shall also be held liable for these acts.
Member States

• NORWAY
– In 2006 a government appointed commission delivered its report on the protection of
critical infrastructure and critical societal functions in Norway. One of the
recommendations from the commission is that all Internet service providers should
be required to deliver security software as part of their services, and that all
vendors of wireless networks should be required to deliver equipment with
satisfactory security installations and user manuals in Norwegian.
– The Norwegian Centre for Information Security (NorSIS) is a Government
funded centre for information security. They target small and medium sized
enterprises as well as public authorities and the general public. NorSIS provides:
• Awareness-raising through training and information
• Compilation and creation of guidelines and tutorials concerning information
security topics
• An overall awareness towards information security
– Internet banking has a very high penetration in Norway. In 2009 85% of the adult (over
16) population used internet banking. Even in the group over 65 years of age, the
penetration is 74%. Most banks use a BankID for secure logon. This type of login
requires a token or a mobile phone that generates a code, in addition to the
customer's username and PIN. BankID can also be used as a digital signature. There
has generally been very few security breaches related to internet banking in
Norway. If a customer falls victim to a security breach, the burden of proof is on
the bank to prove that the customer has exhibited gross negligence or wilfully
tried to deceive the bank.
Member States

• POLAND
– Cybercrime legislation is developing fast in Poland. The list of
computer offences has expanded in size pursuant the 2004
amendment of the Penal Code. This legal change was related to
accession of Poland to the European Union and it was aimed at
harmonising the Polish criminal legislation with the Council of Europe
Convention on Cybercrime. In effect, three new offences: system
interference (Article 269a), misuse of devices (Article 269b), and data
interference (Article 268a) were introduced to the Penal Code. Additionally,
the possession of child pornography was prohibited (Article 202).
– The change of cyber criminal law of 2008 was aimed at implementation of
regulations contained in two EU Framework Decisions to the legal
system of Poland. This goal was accomplished in the case of the
criminalisation of hacking (Article 267 § 2) and the so-called virtual child
pornography (Article 202 § 5) in the Penal Code. A newly established
provision of hacking (Article 267§ 2) implements literally Article 2 of the
2005 Framework Decision and penalizes anyone who, without authorisation
obtains access to the whole or any part of an information system. An official
explanation for this legislative change stresses the usefulness of
punishability of “pure access” as a legal weapon against distributors of
spyware and other malicious software used for taking control over infected
computers.
Member States

• POLAND
– The Council of Europe Convention on Cybercrime was not ratified by
Poland despite many steps of the legislator to implement its provisions.
The ratification procedure commenced by the Ministry of Justice in May
2008 is still pending due to not fully solved implementation problems.
According to a memorandum obtained from the Department of
International Cooperation and European Law of the Ministry of Justice,
the only inconsistency concerns the child pornography regulation.
Article 202 § 4a of the Penal Code sets a lower age-limit of a child
protection against exploitation for pornography than it is required (as a
minimum) under Article 9 (3) of the Convention. There are however
some other, more significant gaps in the domestic law of Poland vis-à-
vis the Cybercrime Convention.
Member States

• SWEDEN
– In 2008, a proposed bill would allow the National Defense Radio
Establishment (Försvarets Radioanstalt - FRA) permission to use data
mining software to search for sensitive keywords in all phone and e-
mail communication passing through cables or wires across the
country’s borders without a court order. Until then the FRA could only
listen to radio transmissions and did not have the authority to monitor the
Internet. The FRA would still has to get approval from a parliamentary
committee on military intelligence affairs and it would only be permitted to
“tap into communications through pattern analysis and key word
searches, and would not be entitled to target specific individuals.”
Before the passing of this act, such traffic can only be monitored with court
approval if police suspect a crime, although the agency is free to spy on
airborne signals, such as radio and satellite traffic. The new legislation
became widely controversial and has posed a threat to cross-border
communications. The Act allows for the interception of e-mail, telephone
and faxes, and is therefore a threat to anyone dealing with a Swedish
organization. Even though domestic Internet communication is intended for
two persons residing in Sweden, the same information may cross national
borders through Germany, Denmark and USA. The implication is that
Swedes as well as people residing outside of Sweden may be subject to the
surveillance of FRA.
Member States

• SWEDEN
– The FRA wiretapping law adopted in June 2008 consists of four statutes,
including a newly adopted statute on signals intelligence and changes in
three other statutes. The law entered into force by January of 2009 and the
actual operations started later the same year. “FRA has a mandate to
search for ‘external threats’, which involves everything from military
threats, terrorism, IT-security, supply problems, ecological imbalances,
ethnic and religious conflicts, migration to economic challenges in the
form of currency and interest speculation.” Causing further controversy
is the lack of any requirement that the FRA should have a reason to
suspect crime or a court order before being allowed to partake in
surveillance of Swedish residents. After criticism by privacy groups and a
massive public debate about such sweeping powers, the Act was amended.
In addition, “a legal complaint has been made to the EU in July about this
Act’s possible breach of the EU’s privacy and discrimination law with
regard to cross-border legal consultations.” The European Commission,
who would have to bring formal infringement procedures against Sweden,
has not yet made any such action
Member States

• Conclusions
– Data retention
– Security breach notification laws
– Progress on cybersecurity goes hand in hand with
improvements on data protection legislation (ex.: data
protection quality principles help build efficient
cybersecurity rules
55
Member States

Outline
• 4. How Europe’s recent legal and
policy developments may provide
lessons for Brazil and Latin America
56

Outline
• How Europe’s recent legal and policy developments may
provide lessons for Brazil and Latin America
– Lessons about what to do and not to do…
57

• The challenges of cybercrime in Latin America
– 1. Challenges to international cooperation on cyber-
crime:
• Transnational character of computer crimes
• Lack of appropriate legislation on cyber-crime
• Lack of harmonization between different national laws
• Legal powers for investigation are insufficient (e.g.,
inapplicability of seizure powers to intangibles such as
computer data)
• Lack of specialized personnel and equipment
(Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,”
Regional Workshop, Mexico City, August 26-27, 2010.)
58
4. How Europe’s recent legal and policy developments may provide

– 2. Challenges to fighting cyber-crime:
• Policies and awareness of decision-makers
• Harmonized and effective legislation
• Regional and international cooperation
• Law enforcement capacities and training
• Judicial training
• Law enforcement and cooperation among ISPs
59

– 3. Difficulties of regional and international cooperation:
• Limitations regarding skills, knowledge and training of judges, and to some
extent prosecutors. Direct impact on mutual legal assistance process (e.g.,
difficulty to understand cyber-crime matters; reluctance to open a case or
issue search warrants).
• Insufficient use of possibility provided by international agreements for direct
contacts between judicial authorities in urgent cases and efficient
communication channels.
• Involvement of Contact Points (“CP”) network established under Cyber-crime
Convention in the MLA process is too limited.
• Not all CP sufficiently trained, resourced or available to assist competent
authorities and facilitate the process.
• Authorities for MLA of many countries receive a large volume of requests.
60

• Are there any advantages of using the CoE Cybercrime Convention
as a model of legislation in Latin America?
– Provides important tools for law enforcement to investigate cyber-crime.
– Provides for Latin American countries:
• Harmonization of criminal law provisions on cyber-crime with those
of other countries.
• Legal and institutional basis for international law enforcement and
judicial cooperation.
• Participation in the Consultations of the Parties. (T-CY: “Convention
Committee on Cybercrime”).
• The treaty as a platform facilitating public-private cooperation.
 Convention provides global standards and a framework for an
effective fast international cooperation.
(Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional
Workshop, Mexico City, August 26-27, 2010.)
61

• Relationship between data protection, cyber-security and
cyber-crime:
– A strong data protection framework is necessary to provide
support to cyber-crime laws.
– Implementing data protection processing rules during cyber-crime
investigations improves its accuracy and efficiency.
– Security breach notification requirements in the US since 2005:
triggered by leaks, disclosures or theft of personal information.
• Lack of data protection frameworks in LAC (with a few
exceptions: Argentina, Uruguay, Mexico).
62

• Differences in national approaches: create safe havens and
prevent international cooperation.
• Necessity to harmonize legislation and regional or global
conventions: close gaps in existing legislation and promote
consistency, coherence and compatibility of laws.
• Current legal instruments have a limited, mostly regional, reach:
applicable only to the Member States of the regional organizations
to which they belong. So far no efforts have been made at the global
level to harmonize legislation on cybercrime.
• Calls were made for the development of an international
convention on cybercrime at various recent international expert
meetings.
– Proposal made last April at the UN, but rejected as Russia, China and a number
of developing countries could not reach agreement with the United States,
Canada, the U.K. and the EU because of disagreements over national
sovereignty issues, concerns for human rights and the existence of the CoE
Cybercrime Convention.
63

• Inadequate means for law enforcement authorities and the judiciary
branch? Recent discussion in international fora have agreed about
the poor preparation and insufficient capacity to address
developments in cybercrime, and gather and use evidence from
cybertechnologies in the preparation of prosecutions.
• There is universal agreement that national laws are not keeping
pace and that amendments are needed to support investigation,
prosecution and conviction of offenders on the basis of evidence
captured through cybertechnology.
• Urgent need for common rules and cooperation between States
so that authorities can act more effectively across jurisdictions to
bring offenders to justice.
• Cybercrime is constantly changing and using new technologies
that current global standards could not have foreseen.
64

Cédric Laurant
Attorney (Washington, DC)
Independent Privacy Consultant (Brussels)
Senior Research Fellow, Center for Media and
Communication Studies, Central European University
(Budapest, Hungary)
65
E-mail: cedric [at] laurant - dot- org
Websites: http://cedriclaurant.org
http://security-breaches.com

 Independent consultant based in Brussels, Belgium.
 Attorney, member of the District of Columbia Bar.
 Specialty areas: international privacy, data protection and information security.
 Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the research
of the "European Privacy and Human Rights”, a European Commission-funded privacy research and advocacy
project. Info at: http://phr.privacyinternational.org/
 Former Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and
Developments (EPIC & Privacy International 2003, 2004, 2005).
 Former Visiting Law Professor, Universidad de los Andes (Bogota, Colombia) and International Privacy
Project Director, Electronic Privacy Information Center (Washington, DC).
 Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London).
 Profile/CV: http://www.linkedin.com/in/cedriclaurant
 Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com
Cédric Laurant
Bio
66

Cybercrime Developments in Europe

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (8)

Similaire à Cybercrime Developments in Europe

Similaire à Cybercrime Developments in Europe (20)

Plus de FecomercioSP

Plus de FecomercioSP (20)

Dernier

Dernier (20)

Cybercrime Developments in Europe