Perspectives for an effective European-wide fight against

cybercrime

Anne FlanaganInstitute for Computer and Communications Law

Centre for Commercial Law Studies, Queen Mary, University of London

Introductory Remarks

Transnational crime– Substantive & procedural harmonisation

EU: ‘First Pillar’, ‘Third Pillar’ & the Lisbon Treaty Sanction & remedies

Policing cyberspace– Public & private law enforcement

The role of intermediary service providers– Council of Europe Guidelines for Co-operation (2008)– Controlling content & monitoring communications

Safeguarding rights

Sanction and remedy Sentencing

– statutory minimums, judicial discretion Cyber Security Enhancement Act of 2002

– ‘aggravating circumstances’ e.g. EU Framework Decision, art. 7

Restraint orders– Collard [2004] EWCA Crim 1664

“..prohibited from owning, using, possessing or having any access to any personal computer, laptop computer or any other equipment capable of downloading any material from the Internet…”

Compensation– Civil enforcement, e.g. 18 U.S.C. § 1030(g)

Policing cyberspace

Public law enforcement– Industrial-scale & organised crime

e.g. US Landslide investigations & the UK 7000

– Local, national & international policing structures e.g. reporting crimes

– International co-operation e.g. www.virtualglobaltaskforce.com

– ‘Operation PIN’

– community policing in cyberspace: ‘simply another public place’

Policing cyberspace

– Interaction with private sector Exchanging information

– e.g. Single Points of Contact (SPOCs)

– Prosecution expertise And judicial training

– Pro-active intervention? To ‘attack’ online resources

Policing cyberspace

Private law enforcement– private prosecutions

e.g. Federation Against Software Theft (FAST)

– investigative & reporting functions e.g. Computer Emergency Response Team (CERT) e.g. Internet Watch Foundation

– vigilantes e.g. US v Jarrett 338 F.3d 339 (Va., 2003)

– an ‘unholy alliance’?

Protected data

Biggest challenge for computer forensics in the 21st Century– Access & conversion protections

Obtaining access– Requirement to provide in intelligible form– Requirement to hand over ‘key’

“any key, code, password, algorithm or other data” Failure to disclose in ‘a national security case’: 5 years

Self-incrimination?– S and A [2008] EWCA Crim 2177

Criminals and actors

Perpetrator– a criminal type?

– motivation, opportunity & skill From ‘script-kiddies’ to ‘überhackers’

Inchoate offences – Attempt, conspiracy & incitement

Demanding supply Misuse of devices, e.g. Convention, art. 6

Intermediaries– communications service provider

limitations on liability

Intermediary liability

Service providers as gatekeepers– User-generated content

indecent or obscene, encouragement of terrorism……

Electronic commerce Directive (00/31/EC)– ‘mere conduit’, ‘caching’ & ‘hosting’

‘actual knowledge’ Duties to report?

– Monitoring and action LVMH v Google (2009)

Commission review– Content aggregation, search engines, linking

Controlling illegal content

Notice and take-down (in jurisdiction)– Terrorism Act 2006, s. 3 ‘internet activity’

Liability for endorsement

Blocking access (out jurisdiction)– e.g. Internet Watch Foundation

database of URLs for child sexual abuse images Voluntary, but with threat of mandation International reach, e.g. Google & Yahoo! Web-based traffic, but not P2P & other services

– Problem of collateral interference e.g. Wikipedia & Scorpions ‘Virgin Killers’

Monitoring communications

Interception of content– For law enforcement purposes

e.g. Airline bombers, Madrid bombers

– For commercial purposes Phorm & behavioural targeted advertising

Accessing communications data– Attributes: Traffic, usage, location & subscriber data

e.g. 21/7 bombers (?) – from London to Italy

– Data retention: 6-24 months (Directive 06/24/EC) Google agreement with EU

Safeguarding Rights

European Convention on Human Rights– Fair trial (art. 6), privacy (art. 8) & freedom of expression (art.

10) ‘chilling effect’

Derogations– In accordance with the law

Legal certainty

– Applicable interest i.e. national security

– Necessity and proportionality

Concluding remarks