Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, São Paulo, Brazil, 28 Sept. 2010)

Cybercrime in Europe Recent Legal & Policy Developments Cédric Laurant Presentation available at http://blog.cedriclaurant.org 2nd Congress on Cybercrimes and Protection Measures (II Congresso Crimes Eletrônicos e formas de proteção) São Paulo - BRAZIL – Sept. 27-28, 2010 (http://www.fecomercio.com.br/?option=com_eventos&view=interna&Itemid=11&id=2730)

2 Outline • 1. Impact of cybercrime in the EU • 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • 3. Recent cybercrime developments (case law and new laws) in a few EU Member States • 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

5 1. Impact of cybercrime in Europe • Uncertainty of the scope in the world: absence of reliable statistical information about extent of problem, and about arrests, prosecutions and convictions. • Why? – Difficult to estimate extent of financial loss and number of offences committed by cybercriminals. (Some extrapolate cybercrime-related losses to businesses and institutions in the United States to about USD 67 billion per year, to 750 billion in the world.) – Uncertain extent to which victims report cybercrime for negative publicity and reputation damage concerns. •  Difficult to quantify impact of cybercrime on society and develop strategies to address the issue. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

6 1. Impact of cybercrime in Europe From: Norton Cybercrime Report: The Human Impact (August 2010) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

9 1. Impact of cybercrime in Europe • Impact on EU-based companies, European computer users and consumers whose personal information is misused, leaked, stolen. – The European Commission reported recently that governments and society lose some €750 billion every year in the EU – Other pan-European law enforcement agencies (Interpol and ENISA) hesitate to come up with a number because of the lack of a single Europe-wide definition of cybercrime. –  We will refer to the very recent Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010 to provide us with numbers on the cost of cybercrime for US companies. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

10 1. Impact of cybercrime in Europe the US • Key conclusions from the Ponemon Institute study of July 2010 that quantifies the economic impact of cyber-crime attacks: – “Cybercrime attacks” include criminal activity conducted via the Internet: theft of a company’s intellectual property, confiscation of online bank accounts, creation and distribution of viruses on other computers, posting confidential business information on the Internet, and disruption of a country’s critical national infrastructure. – “Cost” includes: “direct, indirect and opportunity costs that resulted from the loss or theft of information, disruption to business operations, revenue loss and destruction of property, plant and equipment, and the external consequences of the cybercrime. The survey also captures the total cost spent on detection, investigation, containment, recovery and after-the-fact or “ex-post” response. – Cybercrimes can do serious harm to an organization’s bottom line. The median annualized cost of cybercrime of the 45 organizations surveyed is $3.8 million per year. It can range from $1 million to $52 million per year per company. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

11 1. Impact of cybercrime in Europe the US From: Ponemon Institute, First Annual Cost of Cybercrime Study, July 2010 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

12 1. Impact of cybercrime in Europe the US • Impact of cybercrime on US companies: – Key conclusions from a recent study that quantifies the economic impact of cyber-crime attacks: • Cybercrime attacks are now common occurrences. The companies surveyed experienced 50 successful attacks per week and more than one successful attack per company per week. • Cybercrime attacks can get costly if not resolved quickly: average number of days to resolve a cyber attack was 14 days; average cost per company of $17,696 per day. Malicious insider attacks can take up to 42 days or more to resolve. Quick resolution is needed for today’s cybercrime attacks. • Information theft represents the highest external cost, followed by the costs associated with the disruption to business operations. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

14 1. Impact of cybercrime in Europe the US • Impact of cybercrime on US companies: – Key conclusions from a very recent study that quantifies the economic impact of cybercrime attacks: • Detection and recovery are the most costly internal activities. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

16 1. Impact of cybercrime in Europe the US • Impact of cybercrime on US companies: – Key conclusions from a very recent study that quantifies the economic impact of cybercrime attacks: • All industry sectors are impacted. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

18 1. Impact of cybercrime in Europe • 2. Impact on European computer users whose personal information is misused, leaked, stolen. • 3. Impact on European consumers and e-commerce in the EU. The Norton Cybercrime Report: The Human Impact of August 2010 finds that: – “For nearly 3 in 10 victims, the biggest hassle is the time it takes to sort things out: […] 4 weeks to resolve an average cyber-crime incident.” – “There’s the emotional baggage, with around 1/5 of victims finding it made them stressed, angry and embarrassed (19%), and 14% mourning the loss of irreplaceable data or items of sentimental value, such as photo collections.” 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

21 • Everything really started in 2007 with large-scale cyber attacks on Estonia: 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

22 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe “Cyberattacks on Estonia (also known as the Estonian Cyberwar or Web War 1) refers to a series of cyber attacks that began April 27, 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. Most of the attacks that had any influence on the general public were distributed denial of service type attacks ranging from single individuals using various low-tech methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals commentaries and defacements including that of the Estonian Reform Party website also occurred.” (Extract from: http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

23 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe From “Times Comes to Its Senses on Cyber War”. Wired (24 June 2007) http:// www.wired.com/dangerroom/2007/06/httpwwwnytimesc/ 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

25 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the European Union – Council of the EU (composed of ministers from the 27 EU Member States)’s work: • Council has adopted work strategies and practical measures against cybercrime since 2008., i.e. “the multiple crimes committed by means of electronic networks”. It is mainly concerned with child pornography and other forms of sexual violence, terrorism, threats and large scale attacks to electronic networks, and other traditional Internet crimes such as "identity fraud, identity theft, fraudulent sales, financial offenses, illicit trading on the Internet, particularly narcotics and arms dealing.” 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

26 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – EU’s “Stockholm Programme”: • 5-year plan (2010-2014) for the EU’s DG Justice and Home Affairs in the area of "freedom, security and justice”. • Call on Member States to ratify the CoE Cybercrime Convention as soon as possible, to give their full support to the national alert platforms in charge of the fight against cybercrime and the need for cooperation with countries outside the European Union; invitation to the Commission to take measures for enhancing/improving public private partnerships, and Europol to step up strategic analysis on cyber crime. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

27 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – Council of the EU proposed 3 basic measures to respond to cybercrime: • strengthen partnership between public and private sector to detect and prevent criminal activities • improve knowledge and training among authorities involved in the fight against cybercrime in Europe; particularly, to set up a network of Head of police against cybercrime, and • reinforce technical and international co-operation with countries that most actively deal with cybercrime. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

28 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – Council of the EU: “Council conclusions concerning an Action Plan to implement the concerted strategy to combat cybercrime” (26 April 2010): • Call to action: how the main points of the strategy to combat cybercrime should be implemented, both in the short and medium term; Council invited Member States and the European Commission to introduce technological measures to combat cybercrime; called for shot-term and medium-term measures to be included in the Action Plan accompanying the Stockholm Programme (2010-2014) and the future Internal Security Strategy. • Short-term measures: update the functions assigned to Europol's European Cybercrime Platform in order to facilitate the collection, exchange and analysis of information; Member States are invited to set up their national cybercrime reporting systems; set up a platform to report criminal acts committed on the Internet; promote cross-border law enforcement cooperation and public-private partnership, particularly in the fight against child pornography; enable data exchange at a European scale and according to domestic laws; resort to joint investigation and enquiry teams; promote the use of joint investigation teams. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

29 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – Council of the EU: “Council conclusions concerning an Action Plan to implement the concerted strategy to combat cybercrime” (26 April 2010): • Medium-term measures: to ratify the CoE Cybercrime Convention; raise the educational standards of specialization of the police, judges, prosecutors and forensic staff in order to carry out cybercrime investigations; encourage information sharing between Member States’ law enforcement authorities; assess the situation of the fight against cybercrime in the EU and EU Member States in order to better understand trends and developments and adopt a common approach in the fight against cybercrime internationally; promote relationships with European agencies (EUROJUST, EUROPOL, ENISA, etc.), international bodies (INTERPOL, ONU, etc.) or third countries on new technology subjects; promote and boost activities to prevent cybercrime by promoting best practices. • The Council also called for the European Commission to draw up a feasibility study on the idea of a new European cybercrime agency that would tie together law enforcement agencies and other entities dedicated to fighting cybercrime. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

30 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – 3 agencies that currently deal with cybercrimes at the EU level: • Europol (training national police, judges and prosecutors in cybercrime) • Eurojust • European Network and Information Security Agency (“ENISA”) – Next steps: • Summer 2010: European Commission to propose new directive on improving protection against attacks on networks and information systems • October 2010: European Commission to present “EU Internal Security Strategy”, which includes cybersecurity. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

31 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • A. Developments in the EU – General critique: • “Quis custodiet ipsos custodes?” (Juvenal) "Who will watch the watchers?” • Oversight • Council of the EU (represents EU countries’ governments absence) of >< European Parliament (represents EU citizens; increased powers since last year) • Example of law providing such oversight: Directive 2009/136: data breach notification requirements. Will provide better information on cybercrime activities affecting businesses and their customers. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

32 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe A. Developments in the European Union and the Council of Europe • 2 different approaches to dealing with cybercrime and its 3 main challenges (transnational dimension, necessity for international cooperation and differing legal standards): – a. Compatibility of legislation: develop and standardize relevant legislation. – b. Territorialization: Internet access restricted by country or region. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

33 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • a. Compatibility of legislation in the EU: Several regional approaches have been undertaken in recent years in the EU: – Harmonization of legislation on cybercrime within the EU’s 27 member States: • Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the internal market • Council of the European Union Framework Decision 2000/413/JHA on combating fraud and counterfeiting of non-cash means of payment • Council of the European Union Framework Decision 2004/68/JHA on combating the sexual exploitation of children and child pornography • Council of the European Union Framework Decision 2005/222/JHA on attacks against information systems • Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communication services or of public communications networks and amending directive 2002/58/EC • Council of the European Union Framework Decision 2008/919/JHA amending framework decision 2002/475/JHA on combating terrorism. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

34 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • a. Compatibility of legislation in the EU: – Differences between EU approach and other regional approaches: • Implementation of instruments adopted by the EU is mandatory for all member States. (“Directives”, “framework decisions” and EU Member States’ national laws) • Pre-Lisbon Treaty: “Pillar” approach; limited powers of the EU to legislate in the field of criminal law constituted the main obstacle to harmonization within the EU. Diversity of approaches because EU’s ability to harmonize national criminal laws was limited to special areas. • Post-Lisbon Treaty (amending the Treaty on the EU and the Treaty establishing the European Community): Lisbon Treaty now gives the EU a stronger mandate to harmonize legislation on computer-related crimes in the future, although still limited to the 27 member States. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

35 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • a. Compatibility of legislation in the Council of Europe: – Council of Europe has developed 3 major instruments to harmonize cybercrime legislation: • Convention on Cybercrime (or “Budapest Convention”): developed between 1997 and 2001; provisions on substantive criminal law, procedural law and international cooperation. As of 2010, has been signed by 46 States and ratified by 26; 11 EU Member States have not ratified it yet. • Additional Protocol to the Convention on Cybercrime, concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems: introduced in 2003. (As of end 2009, 34 States have signed it and 15 of them have ratified it.) • CoE Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (2007) opened for signature. Specific provisions criminalizing the exchange of child pornography, and the knowing obtention of access, through information and communication technologies, to child pornography. As of late 2009, it has been signed by 38 States, 3 of which have ratified it. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

36 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • The Council of Europe’s Cybercrime Convention: – Adopted and opened for signature in 2001, entered into force on July 1, 2004. – As of 2010, 46 States have signed it, 26 have ratified it. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

37 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • Problems with the Council of Europe’s Cybercrime Convention: – No possibility for broad involvement of non-member states: Non-CoE member states may not actively participate to its revision (exception: Canada, Japan, South Africa and the United States), even though Convention may be acceded to by any State that is not a CoE member. • Article 37: accession requires States to consult with and obtain the unanimous consent of the contracting States to the Convention. • Article 44: participation in the debate about possible future amendments is limited to parties of the Convention. – Experience has shown that States prove to be reluctant to ratify or accede to conventions they have not contributed to developing and negotiating. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

38 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • Problems with the Council of Europe’s Cybercrime Convention: – Slow signature, ratification and implementation process: compared to global standards, the number and speed of signature and ratification is slow. In the nine years since the first 30 States signed the Convention in Nov. 2001, only 16 additional States have become signatories. Since 2001, no non-member of the Council of Europe has acceded to the Convention, although five States (Chile, Costa Rica, the Dominican Republic, Mexico and the Philippines) have been invited to do so. The pace of ratification has been similarly slow. Also, in addition to being ratified, the Convention needs to be implemented in national law to become fully efficient, and proof of full adaptation is needed. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

40 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • Privacy issues with the Council of Europe’s Cybercrime Convention: – Convention lacks adequate safeguards for privacy: a significant number of provisions grant sweeping investigative powers of computer search and seizure and government surveillance of voice, e-mail, and data communications in the interests of law enforcement agencies, but are not counterbalanced by accompanying protections of individual rights or limit on governments' use of these powers. – To protect individual privacy is a fundamental part of ensuring good security practices. – Vague and weak privacy protections: for example, provisions on expedited preservation of stored computer data and expedited preservation and partial disclosure of traffic data make no mention of limitations on the use of these techniques with an eye to protection of privacy and human rights. – References to the protection of human rights, including the right to privacy, are restricted to a minimum, and not well balanced against the interests of law enforcement authorities. – The Convention ignores a multitude of treaties relating to privacy and data protection, including the Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the European Union's 1995 Data Protection Directive. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

41 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • Council of Europe’s “Global Project on Cybercrime” (running between March 1, 2009 – June 30, 2011) – Objective: promote broad implementation of the Convention on Cybercrime. – To be achieved through results in the following areas: • Legislation and policies • International cooperation • Law enforcement – service provider cooperation in the investigation of cybercrime • Financial investigations • Training of judges and prosecutors • Data protection and privacy • Exploitation of children and trafficking in human beings. • Cooperation with 120+ countries • Legislation strengthened in more than 100 countries, including in Argentina, Colombia, Dominican Republic. • Contributes to the organization of regional legislative workshops in Latin America 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

42 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • b. Territorialization: Internet access restricted by country or region – Technical solutions range from a manipulation of the domain name system and the use of proxy servers, to hybrid solutions that combine various approaches. – Practised by about two dozen countries, including several European countries (Italy, Norway, Sweden, Switzerland and the United Kingdom), and countries such as China, Iran and Thailand. – The EU is also discussing the implementation of such obligations. (“Proposal for a Council framework decision on combating the sexual abuse, sexual exploitation of children and child pornography, repealing framework decision 2004/68/JHA”, 25 March 2009.) Concerns: all technical solutions currently available can be circumvented and risk of being overzealous in blocking access to information on the Internet. Importance of protecting fundamental rights (emphasized by Council of Europe’s Committee of Ministers’ Recommendation on measures to promote respect for freedom of expression and information with regard to Internet filters). 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

43 Outline • 1. Impact of cybercrime in the EU • 2. General overview of the latest legal and public policy developments in the field of cybercrime in Europe • 3. Recent cybercrime developments (case law and new laws) in a few EU Member States • 4. Impact of European developments on Brazil and Latin America 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • The “European Privacy and Human Rights” project: – http://phr.privacyinternational.org – Builds upon the legacy of EPIC's publication Privacy & Human Rights, a survey on privacy regulations and developments worldwide, established 12 years ago (http://www.privacyinternational.org/phr). – Objectives: • inform and raise Europeans’ awareness about privacy and data protection in the 27 EU Member States + ECTA countries (Iceland, Norway, Switzerland and Lichtenstein) + all EU candidate countries (Croatia, Macedonia, and Turkey; • survey national privacy laws and improve the coverage of privacy regulations and developments at the EU level; • provide a digest on policy trends on privacy in Europe; • highlight best practices, and shed light on areas subject to improvement; • provide a summary of pan-European trends and a comparative analysis of policy implications with practical policy recommendations, and privacy ranking (charts and maps).

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • ESTONIA – The Parliament has stated in its approval of development trends of criminal policy until 2018 that the fight against cybercrime has to focus on prevention of sexual abuse of minors, major computer- related fraud and spreading of computer viruses. Also, the Parliament has declared that cooperation with the private sector in crime prevention is needed in order to raise the awareness of potential victims. Therefore the existence of sufficient amount of IT specialists in law enforcement authorities has to be assured. – The Cyber Security Strategy Committee is focused on preventing and combating cyber threats at a state level. The committee is led by the Ministry of Defence. Estonia hosts the Cooperative Cyber Defence Centre of Excellence (CCD COE) that was formally established on the 14th of May, 2008, in order to enhance NATO’s cyber defence capability. In spring 2010, the Ministry of the Interior submitted Estonia’s official proposal to host the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • FINLAND – Finnish Communications Regulatory Authority (FICORA)’s Computer Emergency Response Team (CERT-FI) reported in its 2008 Annual Information Security Review that there had been few cases reported where access to confidential information of Finnish organizations were accidentally available on websites. After doing an international survey they concluded that the slip-ups were fairly common world-wide. – In December, 2008 the Finnish Science and Technology Policy Council adopted the “Review 2008,” which outlines policy on education, science, technology, and innovation. The policy measures will be redefined on the basis on an international assessment to be completed in fall 2009. On January 28, 2009 Finland celebrated Data Protection Day with a theme of “Raising Awareness,” focused on finding ways to improve citizen awareness of data protection issues.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • FINLAND – The Annual Review of 2009 reported on the computer worm Conficker spreading to millions of computers in 2009. Also, during 2009, a troijan has been reported to interfere with Finnish online banking sessions and to make several unauthorized bank transfers. The Annual report states further that international information security communities and authorities have tightened their cooperation over the course of the year. In addition to dealing with the Conficker worm, this cooperation ensured that certain companies offering malicious content have now been shut off from the Internet. The report notes that CERT-FI completed a research on European CERT organisations during 2009. This research was the first of its kind in Europe, and its results were met with international interest. The report notes further that a new act concerning signals intelligence in Sweden came into force on 1 Dec. 2009. FICORA has issued regulations for the telecom operators concerning informing their customers of international information security threats targeted to services offered to Finnish customers.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • IRELAND – Ireland does not have a mandatory data security breach notification law, but in July 2010 the Data Protection Commissioner (“DPC”) published a data security breach code of practice. If the code were approved by the Oireachtas, it would have the force of law and the Data Protection Acts specifically provide for an approved code to be taken into account in court proceedings. However, the code has not been approved and is therefore of guidance only. – The code provides that where there is a data security breach, the data controller must give immediate consideration to informing those affected and that, if appropriate, other organisations should be informed such as An Garda Síochána (the police force) and financial institutions. It states that if the data is encrypted to a high standard the data controller “may conclude that there is no risk to the data and therefore no need to inform data subjects”. Data processors must report loss of control of personal data to the relevant data controller as soon as the processor becomes aware of the incident. – All data security breaches should be reported to the DPC as soon as the data controller becomes aware of the incident and at least within two working days of becoming aware, unless the breach affects less than 100 data subjects who have all been informed of the breach without delay and where the data is not sensitive nor of a financial nature. The DPC may require a detailed report of the incident and may carry out its own investigation.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • LITHUANIA – It has signed and ratified the CoE Convention on Cybercrime. On May 1, 2004, Lithuania joined the European Union. On February 1, 2007, Lithuania signed the Additional Protocol to the Convention on cybercrime. – The Criminal Code of Lithuania provides for criminal liability for crimes against security of electronic data and information systems. Article 196 states, "A person who unlawfully destroys, damages, removes or modifies electronic data or a technical equipment, software or otherwise restricts the use of such data thereby incurring major damage shall be punished by community service or by a fine or by imprisonment for a term of up to four years”. – A fine or imprisonment for a term of up to four years is intended to a person who unlawfully disturbs or terminates the operation of an information system thereby incurring major damage, or a person who unlawfully observes, records, intercepts, acquires, stores, appropriates, distributes or otherwise uses the electronic data which may not be made public. A legal entity shall also be held liable for these acts. – A person who unlawfully connects to an information system by damaging the protection means of the information system shall be punished by community service or by a fine or by arrest or by imprisonment for a term of up to one year. A person who unlawfully produces, transports, sells or otherwise distributes the installations or software, also passwords, login codes or other similar data directly intended for the commission of criminal acts or acquires or stores them for the same purpose shall be punished by community service or by a fine or by arrest or by imprisonment for a term of up to three years. A legal entity shall also be held liable for these acts.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • NORWAY – In 2006 a government appointed commission delivered its report on the protection of critical infrastructure and critical societal functions in Norway. One of the recommendations from the commission is that all Internet service providers should be required to deliver security software as part of their services, and that all vendors of wireless networks should be required to deliver equipment with satisfactory security installations and user manuals in Norwegian. – The Norwegian Centre for Information Security (NorSIS) is a Government funded centre for information security. They target small and medium sized enterprises as well as public authorities and the general public. NorSIS provides: • Awareness-raising through training and information • Compilation and creation of guidelines and tutorials concerning information security topics • An overall awareness towards information security – Internet banking has a very high penetration in Norway. In 2009 85% of the adult (over 16) population used internet banking. Even in the group over 65 years of age, the penetration is 74%. Most banks use a BankID for secure logon. This type of login requires a token or a mobile phone that generates a code, in addition to the customer's username and PIN. BankID can also be used as a digital signature. There has generally been very few security breaches related to internet banking in Norway. If a customer falls victim to a security breach, the burden of proof is on the bank to prove that the customer has exhibited gross negligence or wilfully tried to deceive the bank.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • POLAND – Cybercrime legislation is developing fast in Poland. The list of computer offences has expanded in size pursuant the 2004 amendment of the Penal Code. This legal change was related to accession of Poland to the European Union and it was aimed at harmonising the Polish criminal legislation with the Council of Europe Convention on Cybercrime. In effect, three new offences: system interference (Article 269a), misuse of devices (Article 269b), and data interference (Article 268a) were introduced to the Penal Code. Additionally, the possession of child pornography was prohibited (Article 202). – The change of cyber criminal law of 2008 was aimed at implementation of regulations contained in two EU Framework Decisions to the legal system of Poland. This goal was accomplished in the case of the criminalisation of hacking (Article 267 § 2) and the so-called virtual child pornography (Article 202 § 5) in the Penal Code. A newly established provision of hacking (Article 267§ 2) implements literally Article 2 of the 2005 Framework Decision and penalizes anyone who, without authorisation obtains access to the whole or any part of an information system. An official explanation for this legislative change stresses the usefulness of punishability of “pure access” as a legal weapon against distributors of spyware and other malicious software used for taking control over infected computers.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • POLAND – The Council of Europe Convention on Cybercrime was not ratified by Poland despite many steps of the legislator to implement its provisions. The ratification procedure commenced by the Ministry of Justice in May 2008 is still pending due to not fully solved implementation problems. According to a memorandum obtained from the Department of International Cooperation and European Law of the Ministry of Justice, the only inconsistency concerns the child pornography regulation. Article 202 § 4a of the Penal Code sets a lower age-limit of a child protection against exploitation for pornography than it is required (as a minimum) under Article 9 (3) of the Convention. There are however some other, more significant gaps in the domestic law of Poland with respect to the Cybercrime Convention.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • SWEDEN – In 2008, a proposed bill would allow the National Defense Radio Establishment (Försvarets Radioanstalt - FRA) permission to use data mining software to search for sensitive keywords in all phone and e- mail communication passing through cables or wires across the country’s borders without a court order. Until then the FRA could only listen to radio transmissions and did not have the authority to monitor the Internet. The FRA would still has to get approval from a parliamentary committee on military intelligence affairs and it would only be permitted to “tap into communications through pattern analysis and key word searches, and would not be entitled to target specific individuals.” Before the passing of this act, such traffic can only be monitored with court approval if police suspect a crime, although the agency is free to spy on airborne signals, such as radio and satellite traffic. The new legislation became widely controversial and has posed a threat to cross-border communications. The Act allows for the interception of e-mail, telephone and faxes, and is therefore a threat to anyone dealing with a Swedish organization. Even though domestic Internet communication is intended for two persons residing in Sweden, the same information may cross national borders through Germany, Denmark and USA. The implication is that Swedes as well as people residing outside of Sweden may be subject to the surveillance of FRA.

3. Recent cybercrime developments (case law and new laws) in a few EU Member States • SWEDEN – The FRA wiretapping law adopted in June 2008 consists of four statutes, including a newly adopted statute on signals intelligence and changes in three other statutes. The law entered into force by January of 2009 and the actual operations started later the same year. “FRA has a mandate to search for ‘external threats’, which involves everything from military threats, terrorism, IT-security, supply problems, ecological imbalances, ethnic and religious conflicts, migration to economic challenges in the form of currency and interest speculation.” Causing further controversy is the lack of any requirement that the FRA should have a reason to suspect crime or a court order before being allowed to partake in surveillance of Swedish residents. After criticism by privacy groups and a massive public debate about such sweeping powers, the Act was amended. In addition, “a legal complaint has been made to the EU in July about this Act’s possible breach of the EU’s privacy and discrimination law with regard to cross-border legal consultations.” The European Commission, who would have to bring formal infringement procedures against Sweden, has not yet made any such action

55 3. Recent cybercrime developments (case law and new laws) in a few EU Member States • Conclusions – Data retention – Security breach notification laws – Progress on cybersecurity goes hand in hand with improvements on data protection legislation (ex.: data protection quality principles help build efficient cybersecurity rules) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

57 Outline • How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America – Lessons about what to do and not to do… 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

58 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • The challenges of cybercrime in Latin America – 1. Challenges to international cooperation on cybercrime: • Transnational character of computer crimes • Lack of appropriate legislation on cybercrime • Lack of harmonization between different national laws • Legal powers for investigation are insufficient (e.g., inapplicability of seizure powers to intangibles such as computer data) • Lack of specialized personnel and equipment (Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

59 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • The challenges of cybercrime in Latin America – 2. Challenges to fighting cyber-crime: • Policies and awareness of decision-makers • Harmonized and effective legislation • Regional and international cooperation • Law enforcement capacities and training • Judicial training • Law enforcement and cooperation among ISPs (Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

60 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • The challenges of cybercrime in Latin America – 3. Difficulties of regional and international cooperation: • Limitations regarding skills, knowledge and training of judges, and to some extent prosecutors. Direct impact on mutual legal assistance process (e.g., difficulty to understand cyber-crime matters; reluctance to open a case or issue search warrants). • Insufficient use of possibility provided by international agreements for direct contacts between judicial authorities in urgent cases and efficient communication channels. • Involvement of Contact Points (“CP”) network established under Cybercrime Convention in the MLA process is too limited. • Not all CP sufficiently trained, resourced or available to assist competent authorities and facilitate the process. • Authorities for MLA of many countries receive a large volume of requests. (Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

61 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • Are there any advantages of using the CoE Cybercrime Convention as a model of legislation in Latin America? – Provides important tools for law enforcement to investigate cyber-crime. – Provides for Latin American countries: • Harmonization of criminal law provisions on cyber-crime with those of other countries. • Legal and institutional basis for international law enforcement and judicial cooperation. • Participation in the Consultations of the Parties. (T-CY: “Convention Committee on Cybercrime”). • The treaty as a platform facilitating public-private cooperation.  Convention provides global standards and a framework for an effective fast international cooperation. (Extract from: Cristina Schulman, CoE, “Meeting the challenge of cybercrime in Latin America,” Regional Workshop, Mexico City, August 26-27, 2010.) 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

62 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • Lack of data protection frameworks in LAC (with a few exceptions: Argentina, Uruguay, Mexico). • Differences in national approaches: create safe havens and prevent international cooperation. • Necessity to harmonize legislation and regional or global conventions: close gaps in existing legislation and promote consistency, coherence and compatibility of laws. • Current legal instruments have a limited, mostly regional, reach: applicable only to the Member States of the regional organizations to which they belong. So far no efforts have been made at the global level to harmonize legislation on cybercrime. • Calls were made for the development of an international convention on cybercrime at various recent international expert meetings. – Proposal made last April at the UN, but rejected as Russia, China and a number of developing countries could not reach agreement with the United States, Canada, the U.K. and the EU because of disagreements over national sovereignty issues, concerns for human rights and the existence of the CoE Cybercrime Convention. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

63 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • Inadequate means for law enforcement authorities and the judiciary branch? Recent discussion in international fora have agreed about the poor preparation and insufficient capacity to address developments in cybercrime, and gather and use evidence from cybertechnologies in the preparation of prosecutions. • There is universal agreement that national laws are not keeping pace and that amendments are needed to support investigation, prosecution and conviction of offenders on the basis of evidence captured through cybertechnology. • Urgent need for common rules and cooperation between States so that authorities can act more effectively across jurisdictions to bring offenders to justice. • Cybercrime is constantly changing and using new technologies that current global standards could not have foreseen. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

64 4. How Europe’s recent legal and policy developments may provide lessons for Brazil and Latin America • Relationship between data protection, cyber-security and cybercrime: – A strong data protection framework is necessary to provide support to cybercrime laws. – Implementing data protection processing rules during cybercrime investigations improves its accuracy and efficiency. – Security breach notification requirements in the US since 2005: triggered by leaks, disclosures or theft of personal information. 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

65 Cédric Laurant Attorney (Washington, DC) Independent Privacy Consultant (Brussels) Senior Research Fellow, Center for Media and Communication Studies, Central European University (Budapest, Hungary) E-mail: cedric [at] laurant - dot- org Websites: http://cedriclaurant.org http://security-breaches.com 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

66 Bio Cédric Laurant  Independent consultant based in Brussels, Belgium.  Attorney, member of the District of Columbia Bar.  Specialty areas: international privacy, data protection and information security.  Senior Research Fellow, Central European University (Budapest, Hungary). Currently directing the research of the "European Privacy and Human Rights”, a European Commission-funded privacy research and advocacy project. Info at: http://phr.privacyinternational.org/  Former Research Director, Privacy & Human Rights – An International Survey of Privacy Laws and Developments (EPIC & Privacy International 2003, 2004, 2005).  Former Visiting Law Professor, Universidad de los Andes (Bogota, Colombia) and International Privacy Project Director, Electronic Privacy Information Center (Washington, DC).  Lic. Jur., University of Louvain (Belgium); LL.M., Columbia Law School (New York, NY); M.A. (London).  Profile/CV: http://www.linkedin.com/in/cedriclaurant  Blogs: http://blog.cedriclaurant.org; http://blog.security-breaches.com 2nd Congress on Cybercrimes and Protection Measures Cédric Laurant: “Cybercrime in Europe: (II Congresso Crimes Eletrônicos e formas de proteção) Recent Legal & Policy Developments" São Paulo - BRAZIL – Sept. 27-28, 2010

http://gianniskarlis.wordpress.com	111
http://sitebuilder.atservers.net	16
http://912.by	12
http://www.linkedin.com	1

Cybercrimes in Europe - Recent Legal and Policy Developments (Fecomercio-SP, São Paulo, Brazil, 28 Sept. 2010)

by Cédric Laurant

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 140

Statistics