International Cooperation on Criminal Justice in Cyberspace: Where we are and where are we heading to? – FA 02 Sub 03 2022: Difference between revisions

From EuroDIG Wiki
Jump to navigation Jump to search
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
21 June 2022 | 16:45 - 17:30  CEST | SISSA Main Auditorium | [[image:Icons_live_20px.png | Live streaming | link=https://youtu.be/u8R-1Vpx948]] | [[image:Icon_transcript_20px.png | Live transcription | link=https://www.streamtext.net/text.aspx?event=EuroDIG1]]<br />
21 June 2022 | 16:45 - 17:30  CEST | SISSA Main Auditorium | [[image:Icons_live_20px.png | Video recording | link=https://youtu.be/u8R-1Vpx948?t=24705]] | [[image:Icon_transcript_20px.png | Transcript | link=International Cooperation on Criminal Justice in Cyberspace: Where we are and where are we heading to? – FA 02 Sub 03 2022#Transcript]]<br />
[[Consolidated_programme_2022#day-1|'''Consolidated programme 2022 overview / Day 1''']]<br /><br />
[[Consolidated_programme_2022#day-1|'''Consolidated programme 2022 overview / Day 1''']]<br /><br />
Proposals: [[List of proposals for EuroDIG 2022#prop_64|#64]] [[List of proposals for EuroDIG 2022#prop_65|#65]] [[List of proposals for EuroDIG 2022#prop_72|#72]]<br /><br />
Proposals: [[List of proposals for EuroDIG 2022#prop_64|#64]] [[List of proposals for EuroDIG 2022#prop_65|#65]] [[List of proposals for EuroDIG 2022#prop_72|#72]]<br /><br />
Line 45: Line 45:


'''Key Participants'''
'''Key Participants'''
*Markko Kunnapu legal adviser in the Ministry of Justice of Estonia and member of the CoE Bureau of the Convention Committee on Cybercrime (T-CY) (attending in person)
*Markko Kunnapu legal adviser in the Ministry of Justice of Estonia and member of the CoE Bureau of the Convention Committee on Cybercrime (T-CY) ''(attending in person)''
*Isabella Brunner, Cybercrime Officer at UNODC (attending online)
*Isabella Brunner, Cybercrime Officer at UNODC ''(attending online)''
*Jesper Lund, IT-Pol Denmark and EDRi member, representing EDRi (attending online)
*Jesper Lund, IT-Pol Denmark and EDRi member, representing EDRi ''(attending online)''


Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.  
Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance.  
Line 76: Line 76:


== Messages ==   
== Messages ==   
A short summary of the session will be provided by the Reporter.
*[[Messages_2022#Focus_Area_2_Reality_check_.E2.80.93_do_we_implement_effective_regulations_and_set_the_right_standards_to_solve_the_problems_of_the_future.3F | Go to the messages from Focus Area 2]]
*Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/event/eurodig-2022/international-cooperation-on-criminal-justice-in-cyberspace-where-we-are-and-where-are-we-heading-to.


== Video record ==
== Video record ==
Will be provided here after the event.
https://youtu.be/u8R-1Vpx948?t=24705


== Transcript ==
== Transcript ==
Will be provided here after the event.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com
 
 
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
 
 
>> CHAIR: Ladies and gentlemen, may I ask you to take your seat? We’re just about to start. Sub topic 3 of focus area 2, we’re now going into the topic International Cooperation on Criminal Justice in Cyberspace: Where we are and where are we heading to.
 
Ladies and gentlemen, if you would like to continue your discussions, please you can go outside to continue or please take your seat if you would like to join the discussion.
 
Thank you very much..
 
We’re joined by own our line moderator, Dr. Desara Dushi. I would like to give her the floor.
 
Please, go ahead.
 
>> DESARA DUSHI: Hello, everyone. Welcome to all of you who have joined us both in person and also online. Before I start, if you have question, either raise your hand or type in the chat and we’ll make sure that everyone’s voice is her. This is meant to be an interactive session, please don’t hesitate to come forward.
 
As many of you already know, this is not the first session on cybercrime at EuroDIG but a continuation of what’s become a tradition if I can say so of discussing over such a topic that never fails to attract attention.
 
Obviously, it is something that impacts all of us and in these few years a lot was going on in the I don’t remember.
 
In this year alone, we have to major changes going on, the second edition of protocol to the Convention on cybercrime that opened for signature in May and the ongoing negotiation force the new treaty on cybercrime held by the UN in May and also the E.U. taking – trying to take some measure on one side the use of AI by law enforcement authorities with the AI act proposal whose text was also made available in April of last year and we still don’t know how much it will change until it enters into force.
 
To discuss all of these issue, we have today three excellent speakers that are directly involved in this processes.
 
I have the pleasure to introduce to you Markko Kunnapu, currently working at the criminal department and a member of the cybercrime Convention Committee and a member of Bureau for several year, between 2010 and 2014 he was Chair and he’s currently a Vice-Chair to the new UN Ad Hoc Committee to elaborate new U.N. Convention on cybercrime.
 
Thank you very much for being here with us. I’m really sorry that you are the only one on stage.
 
We have Isabelle Brunner a cybercrime officer at UNODC supporting the Ad Hoc Committee cybercrime Convention we talked about. Previously she worked with the Austrian Minister of Foreign Affairs office as a legal advisor and researcher and lecturer in international law.
 
Last but not least, we have Jesper Lund, representing EDRi, a network of 45NGOs and also a Chairman of IT-Pol and he work was cross-border access to data. Thank you to all of you for being here with us.
 
Without further ado, I would like to start setting the scene by asking each of you to give a very brief talk, limited to 5 minutes. I would like to start with Markko Kunnapu and then Isabella Brunner and then Jesper Lund.
 
Markko Kunnapu, I leave the floor for you for a short talk. And before I do, I would like to jump directly to a question that maybe you can address during your talk, since you are directly involved in both the Council of Europe Cybersecurity Convention and also with the UN, can you tell us, how are these two Committees if they are at all and how they’re not overlapping.
 
>> MARKKO KUNNAPU: Thank you for the introduction.
 
You mentioned very correctly that we have been discussing these topics for several years. Cooperation with cybercrime, it is a topic that’s been discussed during the previous EuroDIG meetings as well and we have had some developments.
 
With regard to the situation concerning cybercrime, it is getting worse and then worse. You can just look at the statistics and read from the media. Not only the cybercriminal, the numbers, they’re rising, and the problem is that the cases also get more and more complicated, more and more complicated from tech, different kinds of fraud, scam, businesses compromised, so on. It is also the impact.
 
We have seen actually how devastating ransomware, how devastating cybercrime can be and the whole economy, national cybersecurity could be affected.
 
Of course, law enforcement authorities worldwide need to respond to this. It is not easy because most of the challenges we have discussed for years, they are still there. Luckily we actually – there are some additional developments and then we hope that this would bring added value and international investigations, cross-border investigations would become more effective in the future.
 
You also mentioned the protocol, the negotiations, they have started in 2017, the Committee, the cyber Convention Committee adopted the text and later the Committee of Ministers of the Council of Europe adopted the text in 2021. This year, in May, to be exact, the 12th of May, the protocol was opened for signature and already on the first day, 22 state parties to the Convention had already signed the protocol, more signatures were followed.
 
Actually right now there are 24 signatures already. When we think about the number of the state parties to the Budapest Convention, this is the 66th, this number, it is also increasing.
 
The protocol would provide some additional tools. It couldn’t replace or substitute the cyber Convention, the Convention is there and will be there, but there will be some additional tools. In addition to this classical, traditional government to government type, international cooperation, would introduce law enforcement or government to private sector, to service provider, or type of cooperation. Of course, measures are different, you Ned to just respect the procedures, plenty of safeguards in place, we hope that this would bring a change. The protocol is not enforce yet, we have to wait, we need five ratifications for this, and we hope that very soon these new tools, new measures would be available for law enforcement authorities.
 
Also, as wards UN treaty process, the negotiations for the new UN treaty has also started this year in January, February, and then in March, the first substantive session took place, the second session that discussed the substantive law provisions, law enforcement, procedural law provisions, and just a few weeks ago in August, in September we’re looking forward to having the third session so we have a pretty tight schedule.
 
To a certain extent, this new Convention could overlap with Budapest and I think it is not a problem. It would be very useful actually if there was something to complement. Again, the dynamic, when we look at the negotiations, when we look at actually what are the views of different countries or stakeholder, then the situation, the landscape is very different.
 
We had some difficult times and it took quite a long time actually to agree at the Council of Europe level to reach a compromise. Right now, at the UN we have very ambitious timeframe and then we need to see actually how the negotiations go and then whether and how it would be possible to reach the compromise because the countries have very diverse views starting from the scope of the Convention, what kind of offenses should be covered there, what kind of procedure measures, whether the procedure measures would be electronic evidence and in general or maybe just they should focus or address offenses provided by the Convention, also there are some discussions related to international cooperation so therefore there are so many different views and then, of course, countries have very different expectations on this as well.
 
Right now, the substantive discussions have just started and I think we should see hopefully next year actually what is the State of play there and then I think we can make some additional predictions, of what could be the outcome.
 
Thank you.
 
>> DESARA DUSHI: Thank you very much. Thank you for pointing out also the fact that there is a lot of debate going on with different countries having different expectations which obviously makes sense especially if we keep in mind that the differences in jurisdiction, it will be I also think a bit difficult to reach to a final text, maybe Isabella Brunner can tell us more about this. The floor is yours.
 
>> ISABELLA BRUNNER: Hello, everyone.
 
Yeah. I mean, Markko has touched a lot upon the process and what’s happened, I don’t have to touch on that any more.
 
Relating to the question as to how – I’m sorry. Can you repeat the question, I’m not sure if I have got it right.
 
>> DESARA DUSHI: The question regarding how will the countries come to a decision to make a –
 
>> ISABELLA BRUNNER: Yes. Yes. Of course.
 
I think first of all we have to consider that a UN treaty, the treaty on a global level with 193 Member States is definitely a different endeavor than it is regulating or negotiating a treaty on a regional level. First of all, I think you have to as has been said on the regional level you have perhaps more agreement as to certain jurisdictional questions, you know, also dealing with a civil, common law system, and on a global level you have to deal with other questions as well such as cultural values, certain understanding as to what could be regulated, what should not be regulated.
 
I think that of course poses a difficulty in terms of negotiation and of course the amount of Member States involved in this discussion, 193 is definitely much more than regional levels such as the African Union Convention or the league of Arab States. That’s also something to take into consideration.
 
At the same time, however, now speaking for the Secretariat, I think we can see that at the second session that just took place, end of May, beginning of June, that the more we go into detail and the more we look into the in-depth discussions taking place and the questions being raised, we see a lot of convergences in certain areas. Of course there are still different divergences in terms of what exactly to include the scope of the Convention as Markko had pointed out, it is perhaps something that may be tricky and at the same time what many realize, that has also been voiced by a lot of Member States in the room is that we in fact do have certain convergences and I think that was also raised a lot that now is the time to focus on the consensus and perhaps work from there and then try to figure out where we can – how far we can go with that.
 
>> DESARA DUSHI: Thank you.
 
Jesper Lund, the floor is yours.
 
>> JESPER LUND: Thank you.
 
I hope you can hear me.
 
So I will start or limit my comments to the protocol, to the treaty because it for the time being has decided not to work on the forthcoming UN treaty.
 
I will focus on the aspects of the protocol that in our view represents the most regular change of the modern Convention, the Budapest Convention from 2001, that decided criminalizing certain offenses also provides for mutual assistance and mutual legal assistance, it is something that we, of course, support and the advantage of mutual legal assistance, it that authorities in the requested state, with the provider, with possibly the personal data, they are involved in the process and it happens according to procedures under the domestic law where the service provider is established. That means that safeguards can be upheld, double criminality checks can be made and privileges and for instance, for lawyer, doctors, they can be respected. So the second protocol changes that, Article 6 and 7 provides for direct requests from law enforcement authorities to providers in other states. In principle, that is the main attention, the main rule without involvement of domestic authorities this theme in Article 6 and 7 ascribe to the domain information and nonetheless, it is a big difference in our opinion from the mutual legal assistance, there is no involvement of authorities in the state where the service provider is established. There are no checks of fundamental rights, if that’s relevant, no checks of double criminality, if that’s relevant, and also a request on order and production order, it could be issued in cases where it is not possible under the rules of the domestic law that in our view has huge potential negative implications for the rights.
 
There are safeguards in the protocol, for example it is possible for states to require notification, if they have an opportunity to get involved and possibly refuse some production orders in the same way that it can be done under mutual legal assistance with the various grants for refusal established in the Budapest Convention and there is no automatic guarantee that this will happen and it does not necessarily have the same effect, service providers may respond before domestic authorities had a chance to evaluate the production order from another state.
 
Some may say that while this is just ascribed information, it is a minor problem, but that’s not necessarily the case. Subscribing information, it could mean revealing the identity of an anonymous speaker. That may be a huge problem if – in certain states for the crime, the offending public officials, so forth, and also subscriber data can be sensitive if privileges are involved.
 
It should also be added that the Budapest Convention has a relative expansive definition of subscriber information that’s compared to E.U. law, IP addresses, they’re part of the definition of subscribed information in some cases.
 
For the European Union, there is a special problem with the segmentation protocol relating to data protection. You can receive production orders from law enforcement authorities in states outside of the European Union and in that case, a so-called third country transfer is involved which require as special legal basis in the GDPR.
 
The protocol, it tries to provide for that with a large data protection Article, Article 14, which is – compared to the GDPR and Convention 108 and 108 plus, it is a lighting weight data protection regime and we have serious concerns about this. It was also introduced at the very last minute.
 
For that reason, EDRi called on the European Parliament to request an opinion from the court of justice, whether the segmentation protocol is at all compatible with the primary law of the European Union before Member States start signing, before the Member States start ratifying it.
 
In procedure, we’re concerned that there is no automatic assessment of the data protection in the many third countries that may be party to the Budapest Convention and the protocol and also the data subject rights are dependent on domestic law that may not be essentially equivalent to equal law and last but not least, the possibility for data position authorities to suspend transfers to third countries are more limited than we think they should be according from the state law from the court of justice. Let us stop there with our introduction remarks.
 
Thank you for the attention.
 
>> DESARA DUSHI: Thank you. I raised interesting points. I would like to see if there is anyone from the audience that would like to say something, make a comment, a question.
 
I see no one raising questions online.
 
We can, I can continue with the question to Markko who I think would also want to say something about the points that were raised by Jesper Lund and also adding to that, Markko, do you see that there is a risk of increased legal fragmentation and we have talked about this in previous EuroDIG years at EuroDIG and do you think that we are at risk of finding agreements on a minimum standard with the second additional protocol and having now a UN treaty.
 
>> MARKKO KUNNAPU: Thank you for that question.
 
We look at the situation right now, what’s happening, countries having unilateral practices, this direct cooperation with law enforcement and service provider, this is happening already now. I think what the second protocol does, it creates new legislative framework and then also provides binding framework and standards, necessary conditions and then safeguards.
 
I think that there would be added value and also in terms of fundamental rights and data protection. As regards the possible ratification of the protocol by European Union Member States right now we have the decision of the Council of European Union which authorized E.U. Member States to create the protocol.
 
Of course, discussions concerning future ratification are not over, they’re still going on, and the protocol, yes, we can look at the different Articles and the different measures on mechanism that it provides, but almost every Article, every measure, it has certain options, possibilities for reservations and declarations. Here actually we have already instructions from the European Union that in case, of course, it is not adopted, it is not final yet, but in case the E.U. Member States wish to ratify then there are certain reservations, certain declarations they must make.
 
It is obvious that Member States need to comply with the European Union law, including GDPR and the fundamental rights.
 
Therefore, by having these and by making these reservations and declarations, we could also ensure that implementation of the protocol would be in line with E.U. law. Right now, this is also the assessment of the European Commission and also when we think about the negotiations that lasted for almost four years, then we also had E.U. institutions involved and this is right now the compromise.
 
Again, we don’t know yet actually how the future implementation would look like. Due to the complex mechanism possibilities for reservations and declarations we could see a different kind of implementation.
 
As regards to the negotiations at UN level, it was quite difficult to reach agreement at the Council of Europe, at the cybercrime Committee Convention level when we think about discussions at the European Union, then we have this proposal for the e evidence negotiations, discussions, they have lost it for more than four years already.
 
I think we need to be realistic.
 
It would be quite difficult, almost impossible, to go beyond what E.U. law provides for or what the second edition protocol. It could be somewhere. Countries are very different, different cultures, different legal traditions and also concerning the fundamental rights, data protection is different. We need to have some sort of compromise.
 
Again, actually, if it would be – let’s say minimum common denominator, then still actually I think it would be still good to have something actually which would work at global level which could be used by all UN Member States because right now actually, even if there would be an instrument for the E.U. then this would be meant for E.U. Member States when you talk about the second edition or protocol in order to ratify, in order to join the protocol, first you need to join the Convention. Again, it is not a very big number of countries but again slowly the number is increasing.
 
Again, in case you need to cooperate with other countries who are not E.U. Member States, who are not state parties to the Convention, then this new UN treaty could be used for that. Of course, discussions are still going on concerning scope of application, what kind of topic, what kind of elements it could address, it could also – there are different view, different proposals concerning international cooperation, tracing criminal procedures, recover Y additional measures concerning confiscation, witness protection, protection of witnesses, so definitely some elements of the U.N. Convention actually could overlap or maybe be similar to the Budapest Convention and definitely it wouldn’t be just a copy based because the audience, a number of Member States is different and also the views of countries, views of expectations from E.U. Member States is different.
 
>> DESARA DUSHI: We have a question from the chat.
 
Are there provisions for participating countries to deviate from the common minimum and to what extent? And in the case of countries that disproportionately exceed the normal deviation in abstract terms, are there diplomatic processes foreseen to moderate the accesses.
 
>> MARKKO KUNNAPU: If I could just say a few words.
 
Right now actually there are no provisions yet.
 
We have had two runs of discussions on general objectives, the elements, we had first round of discussions on substantive law and then procedure law. Actually that would be a provision but at a later stage and then actually we can see and then we can check what would be there and whether – how it would be possible to reach the compromise on certain wording, certain provisions, Articles.
 
Right now actually there are no text proposals yet. Of course, actually we’re looking at the conditions and the safeguards and everything because the Convention in order to be acceptable actually, it has to meet the requirements or maybe the needs of all UN Member States.
 
>> DESARA DUSHI: I’m getting notified that we have Nigel from the main room and then also someone else.
 
>> ISABELLA BRUNNER: Could I quickly reply to that question.
 
>> DESARA DUSHI: Yes, please.
 
>> ISABELLA BRUNNER: On the question on the common minimum – I hear an echo, maybe it will go away. Okay, it is gone.
 
I think – yeah, as Markko has pointed out, currently we are not in a stage of actually having draft revisions yet. This will be at the stage of the second reading which will take place at the beginning of the fourth session in January in New York.
 
In terms of international treaty law, treaty text in general, there are certain ways, of course, of making sure that certain states can go further than for example what’s been agreed as the compromise. You can think of on the one hand reservations, declarations to certain provision that Member States could, for example, make reservation to a specific paragraph or a specific provision if they do not feel comfortable with having ratifying that certain provision.
 
At the same time, you can also think of having – I think it is also the case with the Budapest Convention, certain paragraphs within a provision that allows states to regulate further content, going further than what’s been compromised on the treaty text. That’s two important points to bear in mind and to react to what Markko has said that we need something at a global level, I think we can see that there is a large agreement that there is a necessity to fight cybercrime at a global level. I’m being optimistic again but what makes us optimistic to look forward with the UN processes, it is that states are eager to fight a common enemy in a way, the individuals what are conducting criminal activities and that could be helpful for example for what’s the case with the other Committee, the First Committee dealing with the state to date conduct.
 
>> DESARA DUSHI: Okay. Let’s jump immediately to Nigel.
 
>> Thank you very much. Good afternoon. I will be brief, thank you very much for this session, and for the informative briefing. It is very interesting.
 
I remember for years many governments were opposing a UN wide discussion on a Convention and it does seem to have now been taken forward.
 
My question really is how can stakeholders that aren’t governments be involved in this process.
 
Although certain aspects of the Council of Europe, the update to the Budapest Convention there, it was well discussed, many stakeholders find it quite difficult to understand the UN process and be involved in the UN process here. I wonder what provisions in the first set of discussions in New York, was it Vienna and New York, maybe just New York, you addressed how you could illicit stakeholder input, consultations, briefings, it is very important provisions for governments and also very important provisions for people, for citizens and for other stakeholders globally.
 
Thank you.
 
>> ISABELLA BRUNNER: Should I answer this question?
 
>> DESARA DUSHI: Yes, please.
 
>> ISABELLA BRUNNER: Thank you again for an excellent question, stakeholder involvement is a very important issue. I think the Ad Hoc Committee is actually quite a historic process because it is one of the few that finally allowed multistakeholder participation although in a limited way.
 
I’m happy to – there is the website of the Ad Hoc Committee which also now contain as webpage on the modalities for multistakeholder participation. There is a caveat. First of all, I think maybe we have to start from the beginning.
 
There is a resolution that contains some modalities of the Committee, it has three paragraphs dedicated to stakeholders. That means inclusion on one hand of the UN institution, intergovernmental bodies, think about Interpol, et cetera, OPH and then on the other hand NGOs with ECOSOC, so economic and socioeconomic status and then you have the OP9 category, found in paragraph 9 of that resolution, which includes all other NGOs.
 
Those have to be voted upon, their participation, it had to be voted upon in the first session on the organizational session proceeding the first session on the 24th of February.
 
Meaning, now in December, stakeholders had the chance to register to participate and then they were decided upon already in February. This means this call for those other NGOs that don’t have ECOSOC status is now closed. Meaning no one else who has now found interest in the participation can join unless they are either intergovernmental organizations or NGOs with ECOSOC status or they are on the list of the stakeholders. You can find that information on the website. Bear in mind, if you have someone that wants to participate and has not registered, send the mail to us, cybercrimeuhc@un.org and we’ll make sure we recognize this and potentially, there is no final decision on this yet, but there may be an interest to open this call for registration again. Please make sure to take a look at that, also the webcast as well.
 
>> DESARA DUSHI: Maybe you can type the email address on the chat as well. There is someone else from the main room.
 
>> I’m part of the YOUthDIG group here. Thank you so much for managing to make this session very interactive and very interesting even though it is quite late in the afternoon.
 
You covered a lot of very interesting things and it was very interesting for me to see there is actually already so much thought and action to take this further, beyond just the limits of the Member States, particularly given the geographical situation we’re living. I was curious, I wanted to ask what is your stake on the harmonization of rules regarding eEvidence and other procedural rules and the relevance still for the investigation and prosecution cross border crimes.
 
>> MARKKO KUNNAPU: Thank you for this very interesting question.
 
Of course, actually new Convention would create kind of let’s say to a certain extent harmonization when it comes to substantive law, what would be –ed the criminal offense, cybercrime offense what, would be the minimum standards for procedure law, your standards for international cooperation and so on.
 
Still actually it leaves a lot of room, a lot of flexibility with Member States, Member States actually have to decide Member States, they need to check what would be the domestic rules, laws on what would be considered as evidence, what are the rules related to admissibility of evidence and this would be when we talk about cybercrime and the electronic evidence, what other practices, rules for digital forensics, the Best Practices worldwide and then so on. It would be possible maybe to harmonize to a certain extent and still I think we need to leave sufficient room for Member States as well because legal systems are different, also criminal justice system, they’re different. Of course, actually, when we have harmonization, when we have minimum standards on the most important elements such as substantive law, procedure law, conditions and then safeguards, then I think the whole framework would actually provide added value and could be used effectively for international cooperation purposes.
 
>> DESARA DUSHI: Would you like to add something?
 
>> JESPER LUND: Yes.
 
I just want to try to have a brief remark on what we will mean when we speak about cybercrime treaties. They really serve two purposes, one purpose, it is to sort of to some extent harmonize the definition of what is a cybercrime offense.
 
There is also a second person, a second purpose, it is related to cross-border access to data. This typically includes all criminal offenses where information systems are used and personal data evidence could be stored by service providers. That is a very large number of offenses, essentially covering every sense because we use the information technology, smartphones for almost everything. The notion of what is being – what a cybercrime treaty would be applied to, it is very broad. It is much broader than people tend to think because if certainly they have a narrow view related to cyber offenses.
 
>> DESARA DUSHI: Thank you. I do have someone else in the main room? No. I see there is a question in the chat.
 
If not drafted yet, is there something extraordinary that the E.U. could do, to ask about those with cybersecurity concerns focused on the cybersecurity agencies to propose a draft.
 
on who would like to answer this question.
 
>> ISABELLA BRUNNER: I could go ahead.
 
I mean, just I think Markko could be in a position to explain how it works from the E.U. side of view.
 
In terms of the UN, so it is of course – so we as the UN is accepting drafts, Member States input specifically and that we’ll work on that basis.
 
Of course, the European Union can very much engage with stakeholders when they’re drafting that provision, and I think they’re already doing that and are in the process of taking a multistakeholder input. That’s also why we have so-called intersessional multistakeholder discussions, there is a regular exchange of views after each session and before each session with stakeholders coming together to explain their views about the process.
 
Member States are taking note when multistakeholders are points out views and including that in their provisions. I’m giving the floor to Markko to explain the E.U. side.
 
>> MARKKO KUNNAPU: Just also to add, first, when talking about E.U. processes related to eEvidence, cybercrime conventions, second edition protocol, then these are criminal justice instruments, criminal justice treaties and this is also our wish and position that the future U.N. Convention should focus on criminal justice issue, not national cybersecurity, not cybersecurity. Therefore, when we talk about access to electronic evidence, then we’re talking about specified computer data for criminal investigation purposes, not for cybersecurity, not for national cybersecurity.
 
Then also, just wanted to comment, as regards the scope of application of procedure law power, when it comes to the Budapest Convention, it is not just about cybercrime but the electronic evidence as well because pursuant to Article 14 of the cybercrime Convention, the procedures and measures could be used to address any crime while you have electronic evidence.
 
What would be the decision, what would be the outcome for the United Nations treaty, we don’t know yet because this is also one let’s say theme or question where Member States have different views and then we shall see, yes, maybe in January actually what is the outcome. Right now actually it is too early, it is premature actually to give assessments actually of what would be the scope or what would be the contents of the future U.N. Convention.
 
>> DESARA DUSHI: Thank you to both of you.
 
It is an extremely interesting discussion, but unfortunately, our time is coming to an end. Before we close, I would like to give the floor to each of our speakers to say one word, two words on where are we heading towards, which is also the title of this session, where are we going in terms of criminal justice in cyberspace with all that’s going on now. We can start from Markko.
 
>> MARKKO KUNNAPU: Okay. Thank you.
 
I think right now when you look at the processes, the Council of Europe, then everybody is looking, everybody is waiting for the next signatures by state parties to the protocol.
 
Right now, we have 24 signatures, 24th one actually was from Costa Rica, the country that had suffered a lot recently from cyberattacks and ransomware texts.
 
We also are analyzing how to implement this new protocol because it is quite complicated and fully implemented, you may need to change different legislative acts, not only those related to criminal procedure but those also related to electronic communications, Information Society services and so on.
 
Of course, actually as E.U. Member States we need to wait for the final decision of the European Parliament as well actually. What’s the outcome, and what would be the conditions, what reservations, declarations would be needed to ratify the protocol by Member States.
 
The UN process has just started. I think the discussions are getting more and more productive, they’re going more and more into details. Yes, it is true that right now everybody is looking forward for the new treaty, but again, there is a common understanding about the overall objectives, then when we are going to discuss the details, particular elements, what should be there, what shouldn’t be there, what kind of language, what kind of wording needs to be used, then I think that these discussions would be quite difficult and the hardest part, the hardest work is still ahead of us.
 
>> ISABELLA BRUNNER: Yeah, where are we heading in terms of international cooperation and criminal justice in cyberspace, it is a very good question.
 
I do think that there is now that states have realized that this new Convention is an innovative thing and we have to get going and negotiate this text, there is a realization that we can use this for – as a force for good I would say. I think the more we have realized, the more we go into the process, we realize, All States are realizing that especially the developing countries, countries with lesser technical capabilities, they really will benefit or should benefit from this treaty.
 
I think that’s going to be – should be the main focus I’m guessing. It is not only, of course, developing countries, but it should, of course, benefit everyone.
 
At the same time, when thinking about fragmentation, et cetera, we need to be careful to make sure that there are no clashes with other international provisions on such a treaty but at the same time as Markko had also said, we’re most likely not going more into detail than already existing conventions.
 
My Outlook is positive and looking forward to the next stages of the process.
 
>> JESPER LUND: In general, I think we’re moving towards a situation where states would want to have greater powers to investigate in cyberspace, meaning potentially having direct requests to service providers in other states which are the hardest part of this protocol and this will raise a number of dilemmas because there are 200 states in the world with different legal systems and very different fundamental rights, safeguards, so there will be international negotiations trying to strike some balance as the evidence regulation of the proposal for the evidence regulation in the European Union going further than the segmentation of protocol of the Cybercrime Convention that’s understandable because it is limited to the European Union and I would say I see the second protocol as a sort of a test bed of what can be achieved for Member States of the European Union, to what extent is the primary law, especially the data protection regime going to limit the possibilities for the direct collaboration between law enforcement authorities in another state and service providers established in the European Union and that is something that we’ll be coming in the very coming years from the viewpoint of EDRi.
 
>> DESARA DUSHI: That’s an excellent wrap up. We’re right on time. Thank you very much to our excellent speakers for being here. Thank you to the audience for making this an interactive session.
 
I wish we had more time and we could continue with many questions that are still to be answered. Maybe that’s for next time. Let’s give our speakers a big round of applause, both digital and from the main room.
 
>> CHAIR: Of course we thank the moderator, Dr. Desara Dushi for her interactive session.
 
We will go straight into agreeing on the messages for focus area 2. To start off that session, I would like to invite Sandra Hoferichter to come to the podium. Thank you very much.


[[Category:2022]][[Category:Sessions 2022]][[Category:Sessions]][[Category:Security and crime 2022]]
[[Category:2022]][[Category:Sessions 2022]][[Category:Sessions]][[Category:Security and crime 2022]]

Latest revision as of 22:32, 21 July 2022

21 June 2022 | 16:45 - 17:30 CEST | SISSA Main Auditorium | Video recording | Transcript
Consolidated programme 2022 overview / Day 1

Proposals: #64 #65 #72

You are invited to become a member of the session Org Team! By joining a Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the mailing list to join the Org Team and answer the email that will be send to you requesting your confirmation of subscription.

Session teaser

This year saw a big step in the fight against cybercrime with the adoption of the second Additional Protocol to the Budapest Convention, the European Union’s AI Act proposal which regulates (restricts) the use of AI for law enforcement purposes, and the strengthened efforts towards a UN treaty on cybercrime. This session will address whether these new tools for international cooperation on criminal justice in cyberspace are the solution, or only the first step towards better protection against cybercrime and what will be their impact in practice.

Session description

On 12 May the Second Additional Protocol to the Convention on Cybercrime opened for signature. This new protocol introduces new tools for international cooperation, such as direct cooperation with service providers in other jurisdictions, enhanced cooperation in emergency situations and other such operational measures.

Starting 30 May, UN member states will kick off the 2nd negotiating session for a new treaty on cybercrime - considering criminalization, law enforcement & procedural measures.

This session is a continuation of the debate from previous years’ discussions on regulatory efforts to address the issues of cybercrime and the developments ever since.

Human rights issues will be an integral part of this discussion. The discussion related to human rights aims to include a special emphasis on the technological tools, such as the use of AI facial recognition technology and automated criminal profiling, especially in the light of the new European Union AI Act proposal which regulates the use of such technologies. The central message will revolve around the question whether these new regulatory initiatives allow LEA to do the right thing in the right way.

Format

The session will consist of short presentations from the key participants followed by Q&As with the session participants both on site and online.

Further reading

People

Please provide name and institution for all people you list here.

Focal Point

  • Desara Dushi

Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles

Organising Team (Org Team) List Org Team members here as they sign up.

The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.

  • Desara Dushi
  • Alève Mine
  • Megi Reci
  • Aida Mahmutović
  • Fotjon Kosta
  • Oliver Risteski

Key Participants

  • Markko Kunnapu legal adviser in the Ministry of Justice of Estonia and member of the CoE Bureau of the Convention Committee on Cybercrime (T-CY) (attending in person)
  • Isabella Brunner, Cybercrime Officer at UNODC (attending online)
  • Jesper Lund, IT-Pol Denmark and EDRi member, representing EDRi (attending online)

Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.

Moderator

  • Dr. Desara Dushi

The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

Video record

https://youtu.be/u8R-1Vpx948?t=24705

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> CHAIR: Ladies and gentlemen, may I ask you to take your seat? We’re just about to start. Sub topic 3 of focus area 2, we’re now going into the topic International Cooperation on Criminal Justice in Cyberspace: Where we are and where are we heading to.

Ladies and gentlemen, if you would like to continue your discussions, please you can go outside to continue or please take your seat if you would like to join the discussion.

Thank you very much..

We’re joined by own our line moderator, Dr. Desara Dushi. I would like to give her the floor.

Please, go ahead.

>> DESARA DUSHI: Hello, everyone. Welcome to all of you who have joined us both in person and also online. Before I start, if you have question, either raise your hand or type in the chat and we’ll make sure that everyone’s voice is her. This is meant to be an interactive session, please don’t hesitate to come forward.

As many of you already know, this is not the first session on cybercrime at EuroDIG but a continuation of what’s become a tradition if I can say so of discussing over such a topic that never fails to attract attention.

Obviously, it is something that impacts all of us and in these few years a lot was going on in the I don’t remember.

In this year alone, we have to major changes going on, the second edition of protocol to the Convention on cybercrime that opened for signature in May and the ongoing negotiation force the new treaty on cybercrime held by the UN in May and also the E.U. taking – trying to take some measure on one side the use of AI by law enforcement authorities with the AI act proposal whose text was also made available in April of last year and we still don’t know how much it will change until it enters into force.

To discuss all of these issue, we have today three excellent speakers that are directly involved in this processes.

I have the pleasure to introduce to you Markko Kunnapu, currently working at the criminal department and a member of the cybercrime Convention Committee and a member of Bureau for several year, between 2010 and 2014 he was Chair and he’s currently a Vice-Chair to the new UN Ad Hoc Committee to elaborate new U.N. Convention on cybercrime.

Thank you very much for being here with us. I’m really sorry that you are the only one on stage.

We have Isabelle Brunner a cybercrime officer at UNODC supporting the Ad Hoc Committee cybercrime Convention we talked about. Previously she worked with the Austrian Minister of Foreign Affairs office as a legal advisor and researcher and lecturer in international law.

Last but not least, we have Jesper Lund, representing EDRi, a network of 45NGOs and also a Chairman of IT-Pol and he work was cross-border access to data. Thank you to all of you for being here with us.

Without further ado, I would like to start setting the scene by asking each of you to give a very brief talk, limited to 5 minutes. I would like to start with Markko Kunnapu and then Isabella Brunner and then Jesper Lund.

Markko Kunnapu, I leave the floor for you for a short talk. And before I do, I would like to jump directly to a question that maybe you can address during your talk, since you are directly involved in both the Council of Europe Cybersecurity Convention and also with the UN, can you tell us, how are these two Committees if they are at all and how they’re not overlapping.

>> MARKKO KUNNAPU: Thank you for the introduction.

You mentioned very correctly that we have been discussing these topics for several years. Cooperation with cybercrime, it is a topic that’s been discussed during the previous EuroDIG meetings as well and we have had some developments.

With regard to the situation concerning cybercrime, it is getting worse and then worse. You can just look at the statistics and read from the media. Not only the cybercriminal, the numbers, they’re rising, and the problem is that the cases also get more and more complicated, more and more complicated from tech, different kinds of fraud, scam, businesses compromised, so on. It is also the impact.

We have seen actually how devastating ransomware, how devastating cybercrime can be and the whole economy, national cybersecurity could be affected.

Of course, law enforcement authorities worldwide need to respond to this. It is not easy because most of the challenges we have discussed for years, they are still there. Luckily we actually – there are some additional developments and then we hope that this would bring added value and international investigations, cross-border investigations would become more effective in the future.

You also mentioned the protocol, the negotiations, they have started in 2017, the Committee, the cyber Convention Committee adopted the text and later the Committee of Ministers of the Council of Europe adopted the text in 2021. This year, in May, to be exact, the 12th of May, the protocol was opened for signature and already on the first day, 22 state parties to the Convention had already signed the protocol, more signatures were followed.

Actually right now there are 24 signatures already. When we think about the number of the state parties to the Budapest Convention, this is the 66th, this number, it is also increasing.

The protocol would provide some additional tools. It couldn’t replace or substitute the cyber Convention, the Convention is there and will be there, but there will be some additional tools. In addition to this classical, traditional government to government type, international cooperation, would introduce law enforcement or government to private sector, to service provider, or type of cooperation. Of course, measures are different, you Ned to just respect the procedures, plenty of safeguards in place, we hope that this would bring a change. The protocol is not enforce yet, we have to wait, we need five ratifications for this, and we hope that very soon these new tools, new measures would be available for law enforcement authorities.

Also, as wards UN treaty process, the negotiations for the new UN treaty has also started this year in January, February, and then in March, the first substantive session took place, the second session that discussed the substantive law provisions, law enforcement, procedural law provisions, and just a few weeks ago in August, in September we’re looking forward to having the third session so we have a pretty tight schedule.

To a certain extent, this new Convention could overlap with Budapest and I think it is not a problem. It would be very useful actually if there was something to complement. Again, the dynamic, when we look at the negotiations, when we look at actually what are the views of different countries or stakeholder, then the situation, the landscape is very different.

We had some difficult times and it took quite a long time actually to agree at the Council of Europe level to reach a compromise. Right now, at the UN we have very ambitious timeframe and then we need to see actually how the negotiations go and then whether and how it would be possible to reach the compromise because the countries have very diverse views starting from the scope of the Convention, what kind of offenses should be covered there, what kind of procedure measures, whether the procedure measures would be electronic evidence and in general or maybe just they should focus or address offenses provided by the Convention, also there are some discussions related to international cooperation so therefore there are so many different views and then, of course, countries have very different expectations on this as well.

Right now, the substantive discussions have just started and I think we should see hopefully next year actually what is the State of play there and then I think we can make some additional predictions, of what could be the outcome.

Thank you.

>> DESARA DUSHI: Thank you very much. Thank you for pointing out also the fact that there is a lot of debate going on with different countries having different expectations which obviously makes sense especially if we keep in mind that the differences in jurisdiction, it will be I also think a bit difficult to reach to a final text, maybe Isabella Brunner can tell us more about this. The floor is yours.

>> ISABELLA BRUNNER: Hello, everyone.

Yeah. I mean, Markko has touched a lot upon the process and what’s happened, I don’t have to touch on that any more.

Relating to the question as to how – I’m sorry. Can you repeat the question, I’m not sure if I have got it right.

>> DESARA DUSHI: The question regarding how will the countries come to a decision to make a –

>> ISABELLA BRUNNER: Yes. Yes. Of course.

I think first of all we have to consider that a UN treaty, the treaty on a global level with 193 Member States is definitely a different endeavor than it is regulating or negotiating a treaty on a regional level. First of all, I think you have to as has been said on the regional level you have perhaps more agreement as to certain jurisdictional questions, you know, also dealing with a civil, common law system, and on a global level you have to deal with other questions as well such as cultural values, certain understanding as to what could be regulated, what should not be regulated.

I think that of course poses a difficulty in terms of negotiation and of course the amount of Member States involved in this discussion, 193 is definitely much more than regional levels such as the African Union Convention or the league of Arab States. That’s also something to take into consideration.

At the same time, however, now speaking for the Secretariat, I think we can see that at the second session that just took place, end of May, beginning of June, that the more we go into detail and the more we look into the in-depth discussions taking place and the questions being raised, we see a lot of convergences in certain areas. Of course there are still different divergences in terms of what exactly to include the scope of the Convention as Markko had pointed out, it is perhaps something that may be tricky and at the same time what many realize, that has also been voiced by a lot of Member States in the room is that we in fact do have certain convergences and I think that was also raised a lot that now is the time to focus on the consensus and perhaps work from there and then try to figure out where we can – how far we can go with that.

>> DESARA DUSHI: Thank you.

Jesper Lund, the floor is yours.

>> JESPER LUND: Thank you.

I hope you can hear me.

So I will start or limit my comments to the protocol, to the treaty because it for the time being has decided not to work on the forthcoming UN treaty.

I will focus on the aspects of the protocol that in our view represents the most regular change of the modern Convention, the Budapest Convention from 2001, that decided criminalizing certain offenses also provides for mutual assistance and mutual legal assistance, it is something that we, of course, support and the advantage of mutual legal assistance, it that authorities in the requested state, with the provider, with possibly the personal data, they are involved in the process and it happens according to procedures under the domestic law where the service provider is established. That means that safeguards can be upheld, double criminality checks can be made and privileges and for instance, for lawyer, doctors, they can be respected. So the second protocol changes that, Article 6 and 7 provides for direct requests from law enforcement authorities to providers in other states. In principle, that is the main attention, the main rule without involvement of domestic authorities this theme in Article 6 and 7 ascribe to the domain information and nonetheless, it is a big difference in our opinion from the mutual legal assistance, there is no involvement of authorities in the state where the service provider is established. There are no checks of fundamental rights, if that’s relevant, no checks of double criminality, if that’s relevant, and also a request on order and production order, it could be issued in cases where it is not possible under the rules of the domestic law that in our view has huge potential negative implications for the rights.

There are safeguards in the protocol, for example it is possible for states to require notification, if they have an opportunity to get involved and possibly refuse some production orders in the same way that it can be done under mutual legal assistance with the various grants for refusal established in the Budapest Convention and there is no automatic guarantee that this will happen and it does not necessarily have the same effect, service providers may respond before domestic authorities had a chance to evaluate the production order from another state.

Some may say that while this is just ascribed information, it is a minor problem, but that’s not necessarily the case. Subscribing information, it could mean revealing the identity of an anonymous speaker. That may be a huge problem if – in certain states for the crime, the offending public officials, so forth, and also subscriber data can be sensitive if privileges are involved.

It should also be added that the Budapest Convention has a relative expansive definition of subscriber information that’s compared to E.U. law, IP addresses, they’re part of the definition of subscribed information in some cases.

For the European Union, there is a special problem with the segmentation protocol relating to data protection. You can receive production orders from law enforcement authorities in states outside of the European Union and in that case, a so-called third country transfer is involved which require as special legal basis in the GDPR.

The protocol, it tries to provide for that with a large data protection Article, Article 14, which is – compared to the GDPR and Convention 108 and 108 plus, it is a lighting weight data protection regime and we have serious concerns about this. It was also introduced at the very last minute.

For that reason, EDRi called on the European Parliament to request an opinion from the court of justice, whether the segmentation protocol is at all compatible with the primary law of the European Union before Member States start signing, before the Member States start ratifying it.

In procedure, we’re concerned that there is no automatic assessment of the data protection in the many third countries that may be party to the Budapest Convention and the protocol and also the data subject rights are dependent on domestic law that may not be essentially equivalent to equal law and last but not least, the possibility for data position authorities to suspend transfers to third countries are more limited than we think they should be according from the state law from the court of justice. Let us stop there with our introduction remarks.

Thank you for the attention.

>> DESARA DUSHI: Thank you. I raised interesting points. I would like to see if there is anyone from the audience that would like to say something, make a comment, a question.

I see no one raising questions online.

We can, I can continue with the question to Markko who I think would also want to say something about the points that were raised by Jesper Lund and also adding to that, Markko, do you see that there is a risk of increased legal fragmentation and we have talked about this in previous EuroDIG years at EuroDIG and do you think that we are at risk of finding agreements on a minimum standard with the second additional protocol and having now a UN treaty.

>> MARKKO KUNNAPU: Thank you for that question.

We look at the situation right now, what’s happening, countries having unilateral practices, this direct cooperation with law enforcement and service provider, this is happening already now. I think what the second protocol does, it creates new legislative framework and then also provides binding framework and standards, necessary conditions and then safeguards.

I think that there would be added value and also in terms of fundamental rights and data protection. As regards the possible ratification of the protocol by European Union Member States right now we have the decision of the Council of European Union which authorized E.U. Member States to create the protocol.

Of course, discussions concerning future ratification are not over, they’re still going on, and the protocol, yes, we can look at the different Articles and the different measures on mechanism that it provides, but almost every Article, every measure, it has certain options, possibilities for reservations and declarations. Here actually we have already instructions from the European Union that in case, of course, it is not adopted, it is not final yet, but in case the E.U. Member States wish to ratify then there are certain reservations, certain declarations they must make.

It is obvious that Member States need to comply with the European Union law, including GDPR and the fundamental rights.

Therefore, by having these and by making these reservations and declarations, we could also ensure that implementation of the protocol would be in line with E.U. law. Right now, this is also the assessment of the European Commission and also when we think about the negotiations that lasted for almost four years, then we also had E.U. institutions involved and this is right now the compromise.

Again, we don’t know yet actually how the future implementation would look like. Due to the complex mechanism possibilities for reservations and declarations we could see a different kind of implementation.

As regards to the negotiations at UN level, it was quite difficult to reach agreement at the Council of Europe, at the cybercrime Committee Convention level when we think about discussions at the European Union, then we have this proposal for the e evidence negotiations, discussions, they have lost it for more than four years already.

I think we need to be realistic.

It would be quite difficult, almost impossible, to go beyond what E.U. law provides for or what the second edition protocol. It could be somewhere. Countries are very different, different cultures, different legal traditions and also concerning the fundamental rights, data protection is different. We need to have some sort of compromise.

Again, actually, if it would be – let’s say minimum common denominator, then still actually I think it would be still good to have something actually which would work at global level which could be used by all UN Member States because right now actually, even if there would be an instrument for the E.U. then this would be meant for E.U. Member States when you talk about the second edition or protocol in order to ratify, in order to join the protocol, first you need to join the Convention. Again, it is not a very big number of countries but again slowly the number is increasing.

Again, in case you need to cooperate with other countries who are not E.U. Member States, who are not state parties to the Convention, then this new UN treaty could be used for that. Of course, discussions are still going on concerning scope of application, what kind of topic, what kind of elements it could address, it could also – there are different view, different proposals concerning international cooperation, tracing criminal procedures, recover Y additional measures concerning confiscation, witness protection, protection of witnesses, so definitely some elements of the U.N. Convention actually could overlap or maybe be similar to the Budapest Convention and definitely it wouldn’t be just a copy based because the audience, a number of Member States is different and also the views of countries, views of expectations from E.U. Member States is different.

>> DESARA DUSHI: We have a question from the chat.

Are there provisions for participating countries to deviate from the common minimum and to what extent? And in the case of countries that disproportionately exceed the normal deviation in abstract terms, are there diplomatic processes foreseen to moderate the accesses.

>> MARKKO KUNNAPU: If I could just say a few words.

Right now actually there are no provisions yet.

We have had two runs of discussions on general objectives, the elements, we had first round of discussions on substantive law and then procedure law. Actually that would be a provision but at a later stage and then actually we can see and then we can check what would be there and whether – how it would be possible to reach the compromise on certain wording, certain provisions, Articles.

Right now actually there are no text proposals yet. Of course, actually we’re looking at the conditions and the safeguards and everything because the Convention in order to be acceptable actually, it has to meet the requirements or maybe the needs of all UN Member States.

>> DESARA DUSHI: I’m getting notified that we have Nigel from the main room and then also someone else.

>> ISABELLA BRUNNER: Could I quickly reply to that question.

>> DESARA DUSHI: Yes, please.

>> ISABELLA BRUNNER: On the question on the common minimum – I hear an echo, maybe it will go away. Okay, it is gone.

I think – yeah, as Markko has pointed out, currently we are not in a stage of actually having draft revisions yet. This will be at the stage of the second reading which will take place at the beginning of the fourth session in January in New York.

In terms of international treaty law, treaty text in general, there are certain ways, of course, of making sure that certain states can go further than for example what’s been agreed as the compromise. You can think of on the one hand reservations, declarations to certain provision that Member States could, for example, make reservation to a specific paragraph or a specific provision if they do not feel comfortable with having ratifying that certain provision.

At the same time, you can also think of having – I think it is also the case with the Budapest Convention, certain paragraphs within a provision that allows states to regulate further content, going further than what’s been compromised on the treaty text. That’s two important points to bear in mind and to react to what Markko has said that we need something at a global level, I think we can see that there is a large agreement that there is a necessity to fight cybercrime at a global level. I’m being optimistic again but what makes us optimistic to look forward with the UN processes, it is that states are eager to fight a common enemy in a way, the individuals what are conducting criminal activities and that could be helpful for example for what’s the case with the other Committee, the First Committee dealing with the state to date conduct.

>> DESARA DUSHI: Okay. Let’s jump immediately to Nigel.

>> Thank you very much. Good afternoon. I will be brief, thank you very much for this session, and for the informative briefing. It is very interesting.

I remember for years many governments were opposing a UN wide discussion on a Convention and it does seem to have now been taken forward.

My question really is how can stakeholders that aren’t governments be involved in this process.

Although certain aspects of the Council of Europe, the update to the Budapest Convention there, it was well discussed, many stakeholders find it quite difficult to understand the UN process and be involved in the UN process here. I wonder what provisions in the first set of discussions in New York, was it Vienna and New York, maybe just New York, you addressed how you could illicit stakeholder input, consultations, briefings, it is very important provisions for governments and also very important provisions for people, for citizens and for other stakeholders globally.

Thank you.

>> ISABELLA BRUNNER: Should I answer this question?

>> DESARA DUSHI: Yes, please.

>> ISABELLA BRUNNER: Thank you again for an excellent question, stakeholder involvement is a very important issue. I think the Ad Hoc Committee is actually quite a historic process because it is one of the few that finally allowed multistakeholder participation although in a limited way.

I’m happy to – there is the website of the Ad Hoc Committee which also now contain as webpage on the modalities for multistakeholder participation. There is a caveat. First of all, I think maybe we have to start from the beginning.

There is a resolution that contains some modalities of the Committee, it has three paragraphs dedicated to stakeholders. That means inclusion on one hand of the UN institution, intergovernmental bodies, think about Interpol, et cetera, OPH and then on the other hand NGOs with ECOSOC, so economic and socioeconomic status and then you have the OP9 category, found in paragraph 9 of that resolution, which includes all other NGOs.

Those have to be voted upon, their participation, it had to be voted upon in the first session on the organizational session proceeding the first session on the 24th of February.

Meaning, now in December, stakeholders had the chance to register to participate and then they were decided upon already in February. This means this call for those other NGOs that don’t have ECOSOC status is now closed. Meaning no one else who has now found interest in the participation can join unless they are either intergovernmental organizations or NGOs with ECOSOC status or they are on the list of the stakeholders. You can find that information on the website. Bear in mind, if you have someone that wants to participate and has not registered, send the mail to us, cybercrimeuhc@un.org and we’ll make sure we recognize this and potentially, there is no final decision on this yet, but there may be an interest to open this call for registration again. Please make sure to take a look at that, also the webcast as well.

>> DESARA DUSHI: Maybe you can type the email address on the chat as well. There is someone else from the main room.

>> I’m part of the YOUthDIG group here. Thank you so much for managing to make this session very interactive and very interesting even though it is quite late in the afternoon.

You covered a lot of very interesting things and it was very interesting for me to see there is actually already so much thought and action to take this further, beyond just the limits of the Member States, particularly given the geographical situation we’re living. I was curious, I wanted to ask what is your stake on the harmonization of rules regarding eEvidence and other procedural rules and the relevance still for the investigation and prosecution cross border crimes.

>> MARKKO KUNNAPU: Thank you for this very interesting question.

Of course, actually new Convention would create kind of let’s say to a certain extent harmonization when it comes to substantive law, what would be –ed the criminal offense, cybercrime offense what, would be the minimum standards for procedure law, your standards for international cooperation and so on.

Still actually it leaves a lot of room, a lot of flexibility with Member States, Member States actually have to decide Member States, they need to check what would be the domestic rules, laws on what would be considered as evidence, what are the rules related to admissibility of evidence and this would be when we talk about cybercrime and the electronic evidence, what other practices, rules for digital forensics, the Best Practices worldwide and then so on. It would be possible maybe to harmonize to a certain extent and still I think we need to leave sufficient room for Member States as well because legal systems are different, also criminal justice system, they’re different. Of course, actually, when we have harmonization, when we have minimum standards on the most important elements such as substantive law, procedure law, conditions and then safeguards, then I think the whole framework would actually provide added value and could be used effectively for international cooperation purposes.

>> DESARA DUSHI: Would you like to add something?

>> JESPER LUND: Yes.

I just want to try to have a brief remark on what we will mean when we speak about cybercrime treaties. They really serve two purposes, one purpose, it is to sort of to some extent harmonize the definition of what is a cybercrime offense.

There is also a second person, a second purpose, it is related to cross-border access to data. This typically includes all criminal offenses where information systems are used and personal data evidence could be stored by service providers. That is a very large number of offenses, essentially covering every sense because we use the information technology, smartphones for almost everything. The notion of what is being – what a cybercrime treaty would be applied to, it is very broad. It is much broader than people tend to think because if certainly they have a narrow view related to cyber offenses.

>> DESARA DUSHI: Thank you. I do have someone else in the main room? No. I see there is a question in the chat.

If not drafted yet, is there something extraordinary that the E.U. could do, to ask about those with cybersecurity concerns focused on the cybersecurity agencies to propose a draft.

on who would like to answer this question.

>> ISABELLA BRUNNER: I could go ahead.

I mean, just I think Markko could be in a position to explain how it works from the E.U. side of view.

In terms of the UN, so it is of course – so we as the UN is accepting drafts, Member States input specifically and that we’ll work on that basis.

Of course, the European Union can very much engage with stakeholders when they’re drafting that provision, and I think they’re already doing that and are in the process of taking a multistakeholder input. That’s also why we have so-called intersessional multistakeholder discussions, there is a regular exchange of views after each session and before each session with stakeholders coming together to explain their views about the process.

Member States are taking note when multistakeholders are points out views and including that in their provisions. I’m giving the floor to Markko to explain the E.U. side.

>> MARKKO KUNNAPU: Just also to add, first, when talking about E.U. processes related to eEvidence, cybercrime conventions, second edition protocol, then these are criminal justice instruments, criminal justice treaties and this is also our wish and position that the future U.N. Convention should focus on criminal justice issue, not national cybersecurity, not cybersecurity. Therefore, when we talk about access to electronic evidence, then we’re talking about specified computer data for criminal investigation purposes, not for cybersecurity, not for national cybersecurity.

Then also, just wanted to comment, as regards the scope of application of procedure law power, when it comes to the Budapest Convention, it is not just about cybercrime but the electronic evidence as well because pursuant to Article 14 of the cybercrime Convention, the procedures and measures could be used to address any crime while you have electronic evidence.

What would be the decision, what would be the outcome for the United Nations treaty, we don’t know yet because this is also one let’s say theme or question where Member States have different views and then we shall see, yes, maybe in January actually what is the outcome. Right now actually it is too early, it is premature actually to give assessments actually of what would be the scope or what would be the contents of the future U.N. Convention.

>> DESARA DUSHI: Thank you to both of you.

It is an extremely interesting discussion, but unfortunately, our time is coming to an end. Before we close, I would like to give the floor to each of our speakers to say one word, two words on where are we heading towards, which is also the title of this session, where are we going in terms of criminal justice in cyberspace with all that’s going on now. We can start from Markko.

>> MARKKO KUNNAPU: Okay. Thank you.

I think right now when you look at the processes, the Council of Europe, then everybody is looking, everybody is waiting for the next signatures by state parties to the protocol.

Right now, we have 24 signatures, 24th one actually was from Costa Rica, the country that had suffered a lot recently from cyberattacks and ransomware texts.

We also are analyzing how to implement this new protocol because it is quite complicated and fully implemented, you may need to change different legislative acts, not only those related to criminal procedure but those also related to electronic communications, Information Society services and so on.

Of course, actually as E.U. Member States we need to wait for the final decision of the European Parliament as well actually. What’s the outcome, and what would be the conditions, what reservations, declarations would be needed to ratify the protocol by Member States.

The UN process has just started. I think the discussions are getting more and more productive, they’re going more and more into details. Yes, it is true that right now everybody is looking forward for the new treaty, but again, there is a common understanding about the overall objectives, then when we are going to discuss the details, particular elements, what should be there, what shouldn’t be there, what kind of language, what kind of wording needs to be used, then I think that these discussions would be quite difficult and the hardest part, the hardest work is still ahead of us.

>> ISABELLA BRUNNER: Yeah, where are we heading in terms of international cooperation and criminal justice in cyberspace, it is a very good question.

I do think that there is now that states have realized that this new Convention is an innovative thing and we have to get going and negotiate this text, there is a realization that we can use this for – as a force for good I would say. I think the more we have realized, the more we go into the process, we realize, All States are realizing that especially the developing countries, countries with lesser technical capabilities, they really will benefit or should benefit from this treaty.

I think that’s going to be – should be the main focus I’m guessing. It is not only, of course, developing countries, but it should, of course, benefit everyone.

At the same time, when thinking about fragmentation, et cetera, we need to be careful to make sure that there are no clashes with other international provisions on such a treaty but at the same time as Markko had also said, we’re most likely not going more into detail than already existing conventions.

My Outlook is positive and looking forward to the next stages of the process.

>> JESPER LUND: In general, I think we’re moving towards a situation where states would want to have greater powers to investigate in cyberspace, meaning potentially having direct requests to service providers in other states which are the hardest part of this protocol and this will raise a number of dilemmas because there are 200 states in the world with different legal systems and very different fundamental rights, safeguards, so there will be international negotiations trying to strike some balance as the evidence regulation of the proposal for the evidence regulation in the European Union going further than the segmentation of protocol of the Cybercrime Convention that’s understandable because it is limited to the European Union and I would say I see the second protocol as a sort of a test bed of what can be achieved for Member States of the European Union, to what extent is the primary law, especially the data protection regime going to limit the possibilities for the direct collaboration between law enforcement authorities in another state and service providers established in the European Union and that is something that we’ll be coming in the very coming years from the viewpoint of EDRi.

>> DESARA DUSHI: That’s an excellent wrap up. We’re right on time. Thank you very much to our excellent speakers for being here. Thank you to the audience for making this an interactive session.

I wish we had more time and we could continue with many questions that are still to be answered. Maybe that’s for next time. Let’s give our speakers a big round of applause, both digital and from the main room.

>> CHAIR: Of course we thank the moderator, Dr. Desara Dushi for her interactive session.

We will go straight into agreeing on the messages for focus area 2. To start off that session, I would like to invite Sandra Hoferichter to come to the podium. Thank you very much.