Computer Crime in the European Union
Storage of communication data is the 'weak link' in the fight against computercrime says EU study
How serious is the threat of computer crime in the European Union? What are the Member States of the Union doing to counter the threat? France and Sweden asked their European counterparts in November 2000 this questions. The answers are now circulating in the Police Cooperation Working Party of the EU.
In the questionnaire a distinction is made between computer-targeted offences and offences committed through the medium of computers. As regards the first kind of offences, most member states have adopted national legislation embodying the main features of the Council of Europe Recommendendation R(89)9, which aims at combatting computer crime, the questionnaire shows.
However, differences between member states existst. Portugal for instance incorporated the recommendations into their national law. Germany made unlawfull access only a criminal offence when directed against an information system specififically protected, whereas countries like the United Kingdom, France and Belgium proposed comparable criminalisation, but without any specific protection of the communication systems being required. The questionnaire concludes:
"Taking European legislation as a whole, the conclusion is that computer data and programmes are adequatly protected. However, if the aim remains to protect the data themselves, definitions in criminal terms vary enormously and there are many subtle differences from one set of legislation to another."
The other kind of offences are 'ordinary offences' committed using a computer or facilitated by the use of a network. Especially fraud has become increasingly common with the rise in the number of Internet users, the questionnaire notes.
"Conventional offences can all be perfectly executed using information technology. For this reason the majority of European States have opted for assimilation rather than specification in criminalising ordinary criminal conduct using a new medium," the study concludes. The adaption of broad, generic legislation for 'conventional' offences is a protection against future aberrations, as the study states.
The study further notes that no State has made provision in its criminal procedure for a specific framework of investigation for the Internet and the digitial networks. According to the study, this is 'certainly due' to the fact that the fight against computer crime fits 'perfectly' into the existing frameworks.
The storage of connection data and the length of that storage is according to the questionnaire "clearly the weak link" in the fight against cyber crime. Few countries have a legal requirement concerning the length of time connection data must be kept. The Netherlands requires Internet service providers to store connection data for three month, Belgian legislation requires providers to store call data for a period which may not be less than 12 month and France is currently preparing an obligation to store data for 12 month. Other countries have informal arrangements with providers, like the United Kingdom and Italy.
"Nevertheless, voluntary cooperation, however spontaneous, is always conditional on the good will off the operator and does not constitute a legal obligation."
The questionannaire also makes clear what the member states would like to see the European institutions tackle in the near future:
- Standardisation or at least harmonisation of legislation and ratification and implementation of the draft Convention on Cyber Crime of the Council of Europe. This would represent 'considerable progress' in the fight against computer crime
- Storage of technical data. The Belgian example, providing for a minimum period of 12 month, is called "the most balanced solution both from the point of view of the principle of protection of privacy and in terms of the need for judicial investigation in order to respect the rights of victims to obtain compensation for damage suffered".
- Encouriging industry to speed up the establishment of version 6 of the Internet Protocol, "having regard to the new safeguards proposed to achieve a considerable reduction in piracy via the Internet".
- A solution should be found to problems raised by the various forms of anonymity on the WWW, "the most significant example being cybercafés, which have been the source of a number of cases of fraud."
- Developing coordination between the private sector, laboratories, universities and state bodies to provide appropriate repsonses to new modes of operation by cyber criminals
- The creation at European level of an observatory or cell for the protection of networks
The study concludes that at the beginning of the third millenium computer crime is developing "extremely well" in a supranational context in which national criminal law is generally inappropriate and Community law is still at the embryonic stage."
The study gives some figures about computer crime in the European Union. However, the figures are not reliable, due to a great range of difficulties, like the reluctance of companies to report incidents, some Member States have no system for the centralisation of information, and unprecise definitions of computer crime.