European Commission Wants To Tackle Cybercrime
'Enfopol-papers' currently not being discussed; Europol get new tasks in fighting cybercrime; approximation of national laws concerning high tech crime needed
The European Commission launched last week a discussion paper on combating computer-related crime. The document doesn't contain concrete legislative proposals, but gives an outline of the ways the European Commission thinks cybercrime can be tackled. A European Forum consisting of law enforcement agencies, service providers, network operators, consumer groups and data protection authorities must enhance the co-operation at EU level.
The communication of the European Commission, 'Creating a Safer Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime', states that effective action to combat computer-related crime is necessary at both national and international level, as cybercrime is committed across cyber space and do not stop at the conventional state-borders. National laws show remarkable differences, for instance with respect to criminal law provisions on hacking, trade secret protection and illegal content. Considerable differences also exist with respect to the coercive powers of investigative agencies, especially with respect to encrypted data and investigations in international networks. Although the Commission admits there are no reliable statistics on cybercrime, it states 'there is little doubt that these offences constitute a threat to industry investment and assets, and to safety and confidence in the information society'.
The Commission states it is necessary that substantive law in the area of high tech crime is approximated. European leaders called during the special EU-summit in Tampere (1999) for common definitions, incriminations and sanctions in the area of high tech crime. In the draft proposal of the Cyber Crime Treaty of Council of Europe there are four areas where such approximation is taken forward: offences against the confidentiality and integrity of computer data and systems; computer-related offences; content-related offences; offences related to infringements of copyright and related rights.
The European Commission however wants the European Union to go further than this. This year, the Commission will be launching proposals for combating child pornography as a first step in harmonising European laws. In the longer run, the Commission will propose legislative action relating to hacking and denial of service attacks. The proposal will include standard definitions for the European Union in this area. 'It will ensure that serious cases of hacking and denial of service attacks are punishable by a minimum penalty in all Member States,' the Commission announces. Further, the Commission will propose action against racism and xenophobia on the Internet. Finally, the Commission will consider how to improve the effectiveness of efforts against the illicit drugs trade on the Internet.
Regarding procedural law, the Commission wants to ensure that speedy, international co-operation in investigations is possible. The Commission supports the creation of new interception possibilities regarding new technologies, and states that international co-ordination is necessary in introducing new technical interception requirements on telecommunications operators and Internet service providers. In this context, the Commission hints at the so-called Enfopol-papers, which Telepolis revealed in 1998. According to the Commission, 'the draft Council Resolution has not been actively considered by the Council or its working parties in recent months'.
This may be true, but parts of the plan are still worked out. For instance, the Working Party on Police Co-operation is currently considering the drawing up of a list of net numbers of operators of mobile phones and their roaming agreements. Investigative authorities are frequently observing suspects by tracking the identification signal of their mobile phones. "This simple investigative method could be disturbed when suspects cross borders. Therefore it is necessary to know the roaming agreements between operators,' the working party states in a document of 15 September 2000. 'When a list of net numbers of operators of mobile telephones is being put together on the base of the telephone numbers, the IMSI-numbers and the roaming agreements, a police force can directly ask a foreign police force to trace the subscriber, without having to force the national operator to co-operate. In the same way, a police force can observe the foreign GSM-number in use by a national suspect.'
The former French Presidency of the European Union also proposed new measures, hidden in proposals to step up the fight against drugs. The French Presidency asked the working group on mutual assistance in criminal matters in a document dated 16 October 2000 to consider the possibility of 'the identification of telephone numbers without using the formal, procedural framework'. The French asked further the informal international working group ILETS to look at the 'technical problems regarding the interception of conversations made by mobile phones, and the problems of intercepting mobile phones which make use of pre paid cards.'
The European Commission doesn't take a stand on highly controversial matters like anonymous access and use of the Internet, transborder search and seizure, and the retention of traffic data. It just states these difficult questions have first to be discussed by law enforcement agencies and the industrial world, to find acceptable solutions, which balance rights and obligations. The Commission wants to create a European Forum to discuss these, and other questions. 'Effective co-operation between government and industry within the legal framework has been considered as an essential element of any public policy to tackle computer-related crimes,' the Commission states. Civil liberties groups, consumer representatives and data protection authorities will also be invited to join the Forum.
Finally, the Commission supports the extension of Europol's remit to cover cybercrime. France, when it had the six-month rotating presidency of the European Union, tabled proposals for the extension of Europol's mandate to the fight against cybercrime. The possibility of Europol's involvement in fighting cybercrime was already mentioned in the Europol treaty. According to France, the new role of Europol is intended 'first and foremost' to be pragmatic and to provide a basis for an 'operational response to the problems involved in combating cybercrime'. Attacks on automated data-processing systems - creating and spreading viruses, breaking in, altering or interfering with the operation of a system, altering or modifying data - fall outside the scope of Europol's mandate. France wants therefore to extend Europol's mandate to these kinds of attacks.
The official definition of computer crime in this context will be 'all forms of attack on automated data-processing systems'. According to France, this extension has the advantage of being limited to a type of offence to which 'no ambiguity' is attached regarding it's definition or what is actually covered by it. Further, 'as a result of this clearly identified objective', it allows Europol to 'optimise its efforts and rationalise the use of its resources'.
The Management Board of Europol has to give advise on the French proposals and indicate the implications for the Europol's budget and staff, before the European Council on Justice and Home Affairs can formally agree on the new task of Europol. Europol then is mandated to exchange information on computer attacks between the Member States. Also, Europol can open Analytical Work Files on computer attacks, which are meant for strategic analyses, and operational work files in concrete cross-border investigations. France states the new mandate for Europol is necessary to 'encourage the flowering of new information and communication technologies without creating a security deficit.'
The European Commission is inviting interested parties to comment the proposals. Comments can be sent up to 15 February via e-mail to:
infso-jai-cybercrime-comments@cec.eu.int
The comments will be published at:
europa.eu.int/ISPO/eif/InternetPoliciesSite?Crime/crime1.html
The Commission also will organise a public hearing on the issues addressed in its communication. The hearing will take place on 27 February 2001. Requests for an invitation to submit a statement at this hearing may be sent up to 31 January via e-mail to:
infso-jai-cybercrime-hearing@cec.eu.int