A secure and non-fragmented cyberspace: rule of law in a cross-border environment – PL 06 2014

From EuroDIG Wiki
Jump to navigation Jump to search

13 June 2014 | 16:30-17:30
Programme overview 2014


Multi-stakeholder approach to cybersecurity: the role of intermediaries and law enforcement

Session subject

  • Handling cybersecurity in a multi-stakeholder manner
  • Intermediaries and law enforcement
  • Rule of law and other frameworks

Session description

The issue of fighting cybercrime and maintaining cybersecurity nowadays goes far beyond the discussion on how to investigate or prevent crime in a digital environment. An extremely complex ecosystem of securing cyberspace includes constantly growing number of international and national actors (both public and private) linked to the information infrastructure networks and services. The new emerging threats and legal, technical and policy responses to the cybersecurity problems in a cross-border environment raise broader concerns on how to avoid fragmentation of Internet along national boundaries to cope with those challenges.

The session is going to consider cybersecurity from this broader perspective of universal, secure and non-fragmented cyberspace.

The key issues to be discussed at the Plenary 6 are:

-Institutional frameworks for cybersecurity (including multi-stakeholderism)

-Rule of law and legal frameworks, including self- and co-regulatory frameworks in a cross-border environment, law collision

-The issue of intermediaries (including ISPs, global service providers, platforms and others) in a cybersecurity ecosystem

-Universality of Internet and non-fragmentation

-Safeguards and human rights see also Discussion.


Format of this working group at EuroDIG

Plenary. Discussion panel

Further reading


Reporter: Tatiana Tropina, Max-Planck Institute for Foreign and International Criminal Law

  1. Council of Europe Convention on Cybercrime provides a good basis to avoid conflicting legal frameworks for cyber security and the fragmentation of the Internet. It can be considered as a starting point for a global multi-stakeholder dialogue to achieve global commitments on fighting cybercrime. Internet governance therefore could be seen as one of the keys to continue promoting the Convention on Cybercrime and encourage more governments to support and sign this important framework.
  2. Though Cybercrime Convention is a potentially good instrument for harmonizing fragmented approaches, capacity building in a multi-stakeholder environment is one of the key challenges in cross-border cyberspace. Collaboration between public and private parties shall go beyond the issues of the role of the ISPs in fighting cybercrime and consider all possible intermediaries, including platforms, global service providers, e-commerce provides and other entities.
  3. Proper and harmonised legal frameworks, capacity building and confidence building measures should complement each other. It also should be taken into account that some issues, such as illegal content removal, are still very far from the point where consensus can be reached, and there are no legal instruments for real harmonization of approaches. Thus, to avoid the fragmentation of the cyberspace, all the stakeholders involved should work together on how to handle the issues when national legal frameworks differ significantly.

Video Record



Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com

This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

>> OLIVER SUME: Good afternoon, ladies and gentlemen. I’m not sure if the people who are standing outside are hearing me. If you hear me, it would be great and kind if you would enter the room, because we would like to start with the final plenary of the EuroDIG this year. Thank you very much.

Okay. Welcome to plenary 6. The last panel discussion for this day at the EuroDIG. The title of the panel is secure and non-fragmented cyberspace: Rule of law in a cross-border environment. And I’m very happy to be the moderator of this panel.

My name is Oliver Sume. I’m the Deputy Chair of the Eco Association, which is hosting this wonderful conference, and I’m also President of EuroISPA, which is the European ISP Association. We are the largest ISP Association in the world, representing currently roughly 2300 ISPs across Europe and the FDOT countries. And we are engaged for quite a number of years at Internet governance and also at ICANN.

And I’m happy to start the panel now. And before we start with the discussion, I would like to introduce the panelists. And I start with Professor Jeanne Pia Mifsud Bonneci, who holds the Chair of European Technology Law and Human Rights at the Department of European and Economic Law at the University of Groningen.

Next to her we have Nicholas Lansman, running a political consultancy, and he has been the Secretary-General of the UK ISP Association, ISPAUK. And this association has grown from a handful of ISPs back in 1995 and nowadays you are representing over 250 ISPs, which covers roughly 95 percent of the UK Internet market.

Next to Nic, we have Tatiana Tropina, our reporter for this session. She is a researcher at the Max Planck Institute for Foreign and International Criminal Law.

And next to her, we have Jan Malinowski, Director General of Human Rights and Law at the Council of Europe.

Thanks for being here.

Let’s start with the session. I mentioned the title, and if you go to the wiki and programme of the EuroDIG site there is a substrate, which is “multistakeholder approach to cybersecurity. Role of intermediaries and role of enforcement”. So we are not talking about not only the fragmented and non fragmented roles, we would like to discuss the role of intermediaries and the ways for a multistakeholder approach as cyber security. If you attended the last panel you know it was discussed there.

We have a slightly different approach. We might have some overlapping. But we will focus on if, for example, national laws have an impact of a fragmented or non fragmented cyberspace.

And before we get into this discussion I would like to ask the panelists for a very first statement. I already introduced you. But we would be happy to hear just some remarks on what your view on cybersecurity and a possible impact on a non-fragmented cyberspace would be.

And I’d like to start with you first.

>> JEANNE PIA MIFSUD BONNECI: When I read the panel title I was taken aback. How does security and non fragmented cyberspace have anything to do with the rule of law and what do we mean by non-fragmented cyberspace here? So I’m keen to develop that during our panel and to think of what types of fragmentation we’re thinking about. I think most of it is going to relate to law, but are we also thinking of fragmentation from a technological perspective, from a – is it boarders that we’re talking about? What is it that we will be talking about?

>> OLIVER SUME: So I think the issue of definitions came up in the previous session. I think this also applies to this session. And earlier we were talking about the problem that we have in defining “cybersecurity”, and I’m sure this will be worthy of a bit more detail.

Just as an introduction, we have the term “cybersecurity” used for International cyber warfare, corporate espionage, attacks on national infrastructure, fraud of company, and I mean that is targeted attacks on companies where perhaps larger sums of money are being extorted, and then fraud of individuals where smaller amounts of money are extorted from large numbers of people. And all these are forms of cybercrime and need to be addressed by security.

And I think we do need to drill down in the session to what are we exactly talking about to have an effective discussion and debate.

>> Yes. Thank you very much. It was really a good starting point for me as well. I also see a lot of misconceptions and confusions about security because, well, people do confuse terms. For example, we are talking about public/private partnerships in fighting cybercrime, and people confuse these with attacks on the level of cyberwar. And we will have different stakeholders and different consequences. And I believe that this confusion contributes to what we call fragmentation of cyberspace.

Because recent revelations made some country, for example, like Russia talking about information security in the realm of national security saying okay, we have digital security. We have to have our own sovereign segment of the Internet where we can protect our citizens. And I believe that these debates are mixed with the debates on cybercrime, where stakeholders and frameworks would be totally different compared to national security.

So coming back to the issue of this session, I believe that we probably have to discuss all these and also discuss these differences between different dimensions of cybersecurity.

>> Well, I think that it has already been said, to some extent. There is an overlap, but there is no identity between cybersecurity and cybercrime. If we are talking about cybercrime, the way in which it is dealt with in different jurisdictions will not have necessarily an impact on fragmenting the Internet. It will mean that there are different legal regimes and different consequences for the activities that people engage in different parts of the world. And it may have the impact of weakening the protection of the users, or the systems, but it won’t have a negative impact on fragmenting the Internet. That’s why there is a need for harmonization in the cyberspace, which the Council of Europe does with the Cybercrime Convention.

>> OLIVER SUME: That’s a good start for the discussion if we talk about the legal framework that we have for cybercrime and cybersecurity. And when I was preparing this session I noticed that the cybersecurity Convention will have its 10th birthday in a couple of days. It was enforced in July 2004. And I’m not sure, but if anybody knows what the Cybercrime Convention is, could you ramp up to the Cybercrime Convention, what kind of framework is it? What impact does it have on national law? And what is the idea behind it?

>> JAN MALINOWSKI: Okay. Let me start from the very beginning. It is a piece of International law. So it is a Convention. What it means is that it works together – it brought together a number of countries, together, to discuss how do we take forward cybercrime. What it does, it defines certain activities and identifies them as falling within the criminal realm, as cybercrimes. And indeed there are a list of these crimes. If one were to quickly look at the Cybercrime Convention, it covers a lot of the crimes that we hear about every day, illegal access, illegal interception, data interference, system interference, misuse of devices, et cetera. Basically, it defines a number of crimes that can be called cybercrimes. And it gives also a number of powers or processes that police can or law enforcement can use to collect evidence for these crimes, so that these crimes will be prosecuted.

Like any other International law, States have to first sign it and then make it part of the legal system. And 42 countries have done so. And what you are referring to, Oliver, it came into effect ten years ago, and in these ten years it has been put into practice. There are a number of mechanisms that law enforcement can use to collect evidence across borders for these types of cybercrimes.

That’s, if I can put it in a nutshell.

>> OLIVER SUME: Okay. So this sounds like a bracket, right, for a legal framework in these 42 States that signed the contract.

And this sounds like there is a non fragmented institutional framework for cybercrime at least.

However, the national laws might be different, and I heard from Nic that there have been some recent activities in the UK regarding not only cybercrime activities and cybercrime law, but also activities on a self regulatory basis together with the ISPs.

Could you --

>> I’ll quickly say one word about what you said. There is no fragmentation. There are different levels of how you could define this. You either belong to this group of countries that have passed this legislation or you don’t. And there are a number of countries that aren’t. The U.S. is in, but other countries are out of this. So there is a level fragmentation there. And that’s not something we should be striving for. We need to remove that fragmentation.

I’ll pass it on for the others.

>> OLIVER SUME: For those who signed the Cybercrime Convention, that is at least a good basis to avoid the fragmentation of laws and the Internet?

>>It’s a good start. It’s not perfect, because it’s implemented in different ways in different countries. Yet it is a good start to avoid this fragmentation. And why do you want fragmentation? Otherwise, you have criminals avoiding the system.

>> OLIVER SUME: Let’s hear from the UK. After that, it looks like you have a different view on that, but maybe we can do that in the next step.

>>NICOLAS LANSMAN: So this is where we might disagree, which wakes you up in the last session. Laws rarely prevent what they forbid. And I think it’s wonderful to have this umbrella of law that may or may not work. But we all know that in the technology sector, laws cannot keep up. As soon as they are written, they go out of date.

And, of course, what we’re talking about on this panel is a global issue of cybercrime and of laws. Even when they are transposed from a European level into a national level, there are many differences in that process.

So I do think this is an area where a multistakeholder partnership approach can play a part. I’ll preface that and I’ll explain what I mean that we do need a legal underpinning for various reasons. But just one example, last year in the UK, the UK Government passed – well, not passed. It wasn’t a law. It was guiding principles on cybersecurity. You can see it on the UK Government website. And what it was was an agreement between U.S. ISPs, including ISPA, and the Government.

And three parts are to it. One is what can the ISPs do to help reduce cybercrime? And the element there was for ISPs to be able to inform customers about what tools were available to warn if there were attacks and so forth from the Government perspective.

There was the setting up of the NCA, the National Crime Agency, to look at these sorts of areas, and also inform and provide education in these areas.

And the third element was working together, both Government and industry working together to again educate people about threats, whether there are viruses, botnet attacks and so forth. It’s a start. It’s not perfect. Before I said it can only go a certain distance without the need for underpinning. So one of the particular areas in the UK that we have looked at is how far should ISPs go to stop attacks and PCs and laptops being infected?

Of course from the Government’s position, they would like the ISPs to block PCs that are infected. So the idea that something gets sent, and we will warn the customer and also block their computer. I think that’s a step too far. While the industry in the UK has done it for child abuse images, and Sir Richard explained that process and how it was proportional.

In this area, they just block – just blocking people’s PCs is a step too far. They said no, you need a court order to do that or we have to update the law.

So a certain amount can be done. Two weeks ago there was a warning from the National Crime Agency that because of the imminent two-week attacks, we have to be aware because thousands more PCs will be expected. I expect that Monday either the world will fall in or maybe they were slightly exaggerating the issue. But either way, these principles are a step in the right direction. Fundamentally, we have to explain, educate, and provide tools for users out there to protect themselves.

>> OLIVER SUME: Thank you, Nic.

>> TATIANA TROPINA: I want to make a short disclaimer because we have a member of the organizing team. Bertrand de La Chapelle, I believe we will have to give the floor to him to explain his position on non-fragmented cyberspace, because it would be very interesting. It’s not only about legal framework, but coming back to the issue of legal frameworks, I do believe that the Cybercrime Convention is an amazing instrument. Because it’s not only influenced legislation in Europe, because it influenced some of the European documents, like the European framework decision on attacks against information system and so on. But it also influenced some countries who sign this Convention or didn’t join the Treaty. But still, in some African countries, for example, or in some Latin American countries, legislation is based on the Cybercrime Convention.

Back to the fragmentation of legal frameworks. The Convention is in parts fragmented itself. It’s like, for example, take one simple crime, illegal access to a computer system. The Convention provides several options, like illegal access which is committed with dishonest intent. And the interesting thing is that this fragmentation in pieces comes from legislation which already existed in different countries, who were drafting Cybercrime Convention, and of course they didn’t want to amend their laws but they wanted to put all the stuff in there. Now it’s a patch work of different norms. And concerning implementing, for example, implementation of the European framework decision, again crime on the illegal access, there is an opportunity not to criminalize cases of minor importance.

And if you go to the countries and see what they meanby case of minor importance, you will see cases which didn’t cause big damage. It’s the case of minor appointments. Is it worth legislative amendment? Having an amazing instrument is one thing, how you actually implement it is totally a different thing. And it does contribute to the fragmentation from the legal point of view.

But, really, I think that we can give the floor now to Bertrand with his position on non fragmented cyberspace.

>> OLIVER SUME: I’m happy to do that, if you are ready. You’re near the microphone anyway. You are part of the team. You had part of the discussions.

>> BERTRAND de La CHAPELLE: Thank you. This was the plan. Just one thing that I can contribute at this stage. When we talk about fragmentation, there might be an interest in the discussion to make a distinction between the fragmentation of the infrastructure, like the IP addresses, the domain system, and the fragmentation of the legal framework, applicable to cyberspace and what people do on the Internet. Because there is less likely – it is less likely that there will be a fragmentation of the technical naming system, because everybody wants it to remain completely interoperable. On the other hand, on cyberspace, the legal framework is fragmented today because it is the national basis. Whereas for the naming and addressing system, it has been conceived as a non fragmented and non territorial thing.

So when we talk about fragmentation, because the technical system is not fragmented and it’s likely to remain so. Whereas the legal framework is fragmented as a starting point. And harmonization is unlikely to happen. So it’s more the structure of cyberspace than the fragmentation or non fragmentation.

>> OLIVER SUME: Nick mentioned blocking as a tool against some certain criminal content, for example. If you look at different countries in Europe, you would say that the laws regarding blocking and the legal conditions for blocking measures are very different. So that would mean you have a fragmented space in terms of the legal system. Doesn’t that also have a link to the technical system? Because if you block, you’re doing something on a technical level. So – at least in that case, where we have different law, it has an impact also on the technical level, right?

>> BERTRAND de La CHAPELLE: Well, the thing is, there is a difference in the laws. For example, Germany and France have rules on hate speech that don’t fit with the first amendment interpretation in the U.S. That means that the U.S. has troubles respecting the law in certain European countries.

What is happening is the technical solution, it’s GOYP filtering. Either platforms themselves to prevent the blocking by the countries are introducing on their own system GOYP filtering. Now it’s contradicting, somehow, the non geographical location of IP addresses, which used to be a tenet of the architecture of the routing system. Meanwhile, it encourages the different countries to ask for the national distribution of IP addresses, which is likely to lead in some countries where the Government is not very Democratic, to increase surveillance, because they can attach the IP address to the device.

So there is an interconnection between the technical layer and the legal layer. But I just wanted to make the distinction, because it’s easier to deal with the overlap, when they do, but start from the separation of the two.

>> OLIVER SUME: Thank you. Jan, you had an additional remark?

>> JAN MALINOWSKI: There is a difference, and we have to distinguish content and criminal activity. There is, indeed, a great disparity in the aspiration to regulate content across the world. And that has certain impacts. There is a considerable degree of harmony in respect of cybercrime legislation. It is not complete. But the countries that are parties to the Cybercrime Convention have aligned their national legislations.

But, in addition, there is another 80 or so countries that have relied on the standards set out in the Convention in order to develop their own legislation. So there is – it is – there is no absolute homogeneity across the world. But there is a significant degree of harmony, which is what the Convention seeks, and it’s delivering that already now.

And it’s delivering, in addition to the legal framework, it is delivering also tools and means of cooperation and dialogue, in order to implement in a way which is coherent and which can deliver maximum effectiveness. As I said, another thing entirely is the question of content. And there are certainly disparities.

>> TATIANA TROPINA: You know, I’m reading the Twitter wall. Basically, the Cybercrime Convention, you have a catalog of the kinds of tools the spying agencies use in their surveillance. So maybe we can come to this later if we agree or disagree.

>> Cybercrime Convention is the law enforcement. And law enforcement has to use tools to find out criminals. And what is the important thing is that in a rule of law, you have a basis of law within which to function. And this is what the Convention gives. It gives a basis for law enforcement to be able to protect us from crimes or protect us perhaps too much. But to bring criminals to prosecution. And that’s a very important responsibility of law enforcement, but they can only do it if they have the right tools.

I am always – I can’t find the right word. What is it? It makes me anxious to read a comment like this saying okay, this is what is giving – giving the spying agencies for their surveillance. The issue with spying agencies is that we don’t – it’s not transparent. The legal basis is not transparent. The basis for their tools is not transparent. Law enforcement should not be put in the same category. Because if the police take evidence to court, which is illegal or brought – is collected in an illegal manner, the whole case falls. There is another level where we are protected in this rule of law. And so it is an interesting comment to put there.

But perhaps we shouldn’t be so quick and to just evaluating the two, because they are not equal.

>> TATIANA TROPINA: I want to make this clear, the tools that exist in the Cybercrime Convention, they are actually also safeguards. You can be sure that you will not be brought into court without using proper tools and frameworks and you can always change them. That’s my point. So it’s not about spying agencies and tools.


>>NICHOLAS LANSMAN: I’m not sure that laws are tools. We have lots of laws. I think for me the Cybercrime Convention sits up here and sets out what shouldn’t be done. But if you’re talking about tools, then we’re talking surely about ways of, you know, disrupting criminal networks. We’re talking about finding the intelligence to look at how criminal activities take place, providing tools to the user to protect themselves. Now, the law works to a degree, but we can’t rely on it, particularly in a global environment. We have to make sure that, in many ways, discussions, partnerships between Government, industry, and the end-user are taking place, so people are educated. And it’s only with that education that people start protecting themselves. And I think we cannot wait for the laws to be implemented across the globe in a perfect way because it will not happen.

>> OLIVER SUME: Thank you.

>> JAN MALINOWSKI: I wanted to respond to that aspect of criminal law that Nicis referring to. And I hope that we have the opportunity to come back to the other question of the activities of before, whether national services are involved in activities that would qualify as criminal activity.

But in respect of the question of education, there are two levels at which people have to be educated. One is they have to be educated to protect themselves from that kind of criminal activity. That is very clear. And there is a lot of effort to be done there.

There is also the criminal law – it does not sell it. When I was traveling to the UK a year ago, I read, as I was going, that 70 percent of reported crime in the UK is not clarified, is not – there is no final consequence in accountability in the prosecution and so on. So 30 percent remains unpunished. There are certain areas where the proportion falls to 10 percent.

We have heard in UNESCO meetings that when journalists are attacked, there is only 10 percent of effective and successful investigation of the criminal activity.

Now, the law is not going to – and we have all of these things. There is mafias everywhere. There is criminal activity going on. And law enforcement is not capable of stopping it.

Now, the criminal law has different purposes. One is to educate. It tells people you cannot do this. You shouldn’t be doing it.

Second, it dissuades people. Many people say well, I know I shouldn’t do it, but why not? And they then are told: But there is a consequence. You will be punished if you are caught. So they feel dissuaded.

And then there are others who are not prepared to be dissuaded, and those are to whom the criminal law applies or seeks to be applied. And if it is successful, they will be punished. Don’t expect that giving more and more and more law enforcement tools to the law enforcement agencies is going to stop crime. We would end up in a police state. We would end up in a surveillance society. But we will not manage to stop crime.

So certainly we have to insist more on the educational aspect, both of the criminal law and education, empowering users to protect themselves better.

>> OLIVER SUME: I’m not sure if a representative of a law enforcement agency would agree with you here. Because at least my experience is if I talk with people from law enforcement agencies, you often hear the arguments that it’s a question of the criminal law.

For example, if we have more data or more data retention, then we would have another quote of clearing up criminal acts.

So I think – I mean, I don’t know if anybody from a law enforcement agency is here in the auditorium. If so, feel free to speak up. But at least these are the answers that I get.

>> JAN MALINOWSKI: You are right. It’s a matter of giving the tools to law enforcement agencies, but that is the reality of all areas of criminal activity. So you’ll not be able, unless you go overboard in terms of the capacity to investigate, to penetrate the systems, to gather and sift through information. There will always be criminals that wise up to that and are capable of dodging the law and dodging the investigation. And that is happening today in all areas of criminal activity. And we should not be expecting that in the area of cybercrime it’s going to be different. It is not going to be different.

But we have law enforcement that has to do the best they can. They have the duty to protect people. But they won’t be able to do it 100 percent all the time.

>> Thank you.

>> I was thinking about this. I agree, there is no solution and we will still have crime around us. But what is the good thing of having something like this, the Cybercrime Convention, is that the law enforcement cannot use any tool they come up with. There are – there’s a measure of balance. This is what the Convention does. It balances rights of people to the needs of law enforcement. And it tries to achieve this balance. Sometimes well, sometimes perhaps less well. But it is – that is the role of law, after all, in a role of law as well. So we should not perhaps --okay. I am a lawyer. So I will defend laws. But I think there is more into law than we sometimes think. There is a balance that is put in, that is very precious. It’s precious for us as citizens, and it’s precious for us as citizens to be protected by the police. And it’s citizens who maneuver in this space.

>> OLIVER SUME: But the balance that we have with the Cybercrime Convention has only been signed by 42 countries. So can you tell us something about activities that are carried out in order to encourage other countries to sign this? And do you think that Internet governance or the multistakeholder approach could be one mechanism in order to, well, encourage countries to sign the Cybercrime Convention?

>> I’ll start with a multistakeholder involvement in this. And a lot of times we hear about criminal law is only the agreement of States, full stop. But States cannot do much without the help of all other actors, especially on the Internet. If it were not for ISPs, then the police would be quite helpless in any of the proof they need to collect. And what the Cybercrime Convention has done is, to some extent, given some parameters of this action. So the document that you showed us, Nic, comes from those parameters.

>> NICHOLAS LANSMAN: I think we can get caught up in this issue around law. And it’s important, but I think we have to drill down to what is practically possible to understand that the citizens of the world become safer online and to encourage more Internet use. These are three examples, and these are not perfect. I’m referring to the UK, because that’s what I’ve been covering so far. I mention these principles, which was a document between the Internet industry, ISPA and Government, which sets out nice ideas. But there are some practical examples. Here we go.

One, cyber essentials. So this is a Government backed, industry supported scheme to help organisations, particularly small and medium-sized enterprises, protect themselves against common cyber attacks. You can go online and find out about it and you even get a badge that you can put on your website. SMEs need to start doing their education of their customers, and this is just one example.

Interestingly, as of the 1st of October, this coming year, 1st of October the UK Government will require all its suppliers bidding for certain personal and sensitive contracts to have that cyber essentials badge. So then it takes something that is quite theoretical into practical. You want to deal with the Government and sell goods and services to the Government, you have to be aware of cyber attacks and security. And some insurers offer a preferential rate to those who have this badge or mark.

The second one, there is for several years now, I think, “get safe online,” which is a jointly funded initiative between Government departments and private sector businesses. And this is really a sign posting. It’s a website where individual users, business can go to get information about some cybersecurity. A glitch reported about in the BBC that when the National Crime Agency last week announced danger, we have got all the threats coming in, it was so successful, “get safe online”, that it fell over the website with so many people desperate to get information so the website went offline. And we have to correct that.

The last one is cyber street. It’s graphic. Have a look. You can click and get information. These are just some of the examples I think we should start thinking about, and not only in the UK but across Europe. Education of customers, individuals, and businesses I think is a way forward. Not that we don’t need an underpinning law, of course we do.

>> TATIANA TROPINA: I’ll shortly contribute and then I’ll pass the microphone.

It’s about capacity building and so on. I used to think, 10 or 12 years ago, that without proper legal frameworks we cannot make any capacity building. Now I’m totally turning this point around and I think, for example, what the Council of Europe is doing, even for countries who didn’t sign or join the Cybercrime Convention, we are trying to build capacity. Of course, sometimes it’s very hard without legal frameworks. But we have to start somewhere. But concerning fragmentation and the things which are happening on the Internet, like referring to sovereignty and maybe like national digital sovereignty or like totally national Internet, which is a fear for some of us now. This is happening not because of fighting cybercrime, this is happening because of legal frameworks which cannot work sometimes.

For example, some of the countries don’t want to join the Cybercrime Convention because it provides the possibility to – for there to be transborder access to data stored abroad, and there is a big discussion. Some countries say this is a violation of sovereignty. And here we are in a kind of a dead lock. We cannot harmonize legal frameworks, but we cannot really investigate the crimes without the proper legal frameworks. Here we can build whatever capacity. We can invent amazing tools for the police. We can educate users, but when it comes to a crime per se, we do need legal frameworks.

>> OLIVER SUME: Thank you. So are there questions from the remote?

>> FARZANEH BADII: Yes, two comments. A comment and question.


>> FARZANEH BADII: Yes, so we have a comment from Vladimir. What Jan has said is important. Education is the key. 3D printers allowed to print guns, soon everyone will be able to have a gun. Education must, not criminal laws. Criminal law will protect some people, sometimes only. Education can prevent crime.

And also I have a question from Casper, an independent researcher. Casper asks: Do you believe, does the panel believe that the EU court data retention decision, paragraphs 56 to 59, prohibit the collection versus targeted preservation and geographic zones, suspected persons and sometimes?

>> OLIVER SUME: Thank you. Anyone from the panel would like to answer the question?

>> JAN MALINOWSKI: If I can venture an answer to that precise question. If I understand it rightly, the European Court of Justice, the Court of Justice of the European Union invalidated the Data Retention Directive. So it means the data retention obligations that derive from that, that have to be put into national law in order to make operators retain data, that directive has been invalidated.

Now, it will have to percolate down to national laws that may be different legislative efforts that will be carried out in the meantime. And it is in respect of the purpose of the directive. So that is the reality. But the laws that have been developed and put in place in the different countries have not been invalidated as a result of that, not automatically.

In the same way as the directive has to be transposed into national legislation, it will be necessary some kind of adjustment there.

But coming back to the other questions and in particular to the question of the moderator and respect of what is being done in order to promote the ratification and the harmonization of the standards, and I would start by saying although there were reactions as if I was not supporting the Cybercrime Convention, I am. Of course I am.

>> OLIVER SUME: It’s your job.

>> JAN MALINOWSKI: But on top of that, it is a very important tool. My comment was that it won’t resolve all the problems. And even good laws and good law enforcement will not always resolve all the problems all of the time.

Now, it is a legal framework. So it says basically those States that sign up to it commit to criminalising in domestic law this catalog of offenses. It is a framework for cooperation. It permits the States Parties to set up a system of cooperation. But it is also an educational tool. It is being used. It has inspired many other countries in their legislation. And the Council of Europe is carrying out a considerable effort to bring the Convention to the knowledge, to the attention, and its implementation, the experience, good practice in different countries, to bring it to the knowledge, the attention of countries all over the world.

And there is a regular big conference which is called the Octopus conference on the Cybercrime Convention that usually gathers around 100 representatives from 100 different countries in the cybercrime Committee meetings. There are at least 60 or 70 countries that regularly participate and so on. So it is – the impact is far beyond Europe.

And in respect of what else we are doing on this, and we are doing it with the strong support of some of our Member States, with very strong support of the European Union as well. There are other organisations and other communities that could contribute to supporting the Cybercrime Convention, of course.

>> OLIVER SUME: What do you think, you mentioned the Conference that promotes the Cybercrime Convention, the Octopus conference. And how important is the Internet governance ecosystem in order to promote the Cybercrime Convention? Is that a communication channel as well? Is that the right place not only to discuss but also to promote this Convention in order to – well, encourage more countries, if they have not signed it, even at least to, well, incorporate it in part where they think it’s useful?

>> JAN MALINOWSKI: I think it’s a very good idea. But it is for community to say. It’s not for me to say.

>> OLIVER SUME: You are the community, the multistakeholder. Anybody say on this?

>> JAN MALINOWSKI: If the community wants that message to be transmitted from EuroDIG to the IGF, why not?

>> OLIVER SUME: It could be a message from the EuroDIG to the IGF in Istanbul. No ideas? No questions? Come on.

Then I give the question back to the panel.

>> Definitely. Well, education starts at many levels. It starts of us being aware that it exists and participating and improving this mechanism and seeing how we contribute to the whole system of preventing and reducing cybercrime. It’s not just a law. But it’s a whole community in this.

>> NICHOLAS LANSMAN: I’ll go back to Casper’s question, which I thought was quite interesting, where the ECJ’s ruling was about data collection. We don’t know. ISPs have been asking the home office for clarification. And for me this flags up this classic debate for ISPs and intermediaries, which is what is their role? At one point we collect data, because we’re required to under peace regulations, the Regulation Investigative Repairs Act. On the other hand, we have data protection laws to destroy data if it’s not needed for business purposes. And I think this gets to the heart of the debate for the ISP community is knowing, wanting clarity in the law so that we can behave appropriately. In some places we have it. But in lots of areas, I think the intermediary is in a difficult position.

Not just ISPs, but in the UK they get leaned on by law enforcement to do more than the law allows. So we need clarity on the point that Casper made. We are either still waiting for it. But it does flag up the whole area, not just in this space but it flags it up in copyright issues, and other content issues of this concept and the e-commerce directive of the ISP being a mere conduit or a dumb pipe.

Clearly that doesn’t exist. Because the ISPs are doing more. They are looking at protecting people from anti viruses, that protect people from spam and so on, which is more than the strictly mere conduit role. But clarity is what we need and we need it legally to make sure that the ISPs keep it in the law. Provide it to the customers so they can use the Internet for all sorts of wonderful purposes, and it’s a good question to ask.

I haven’t gotten a good answer. I wonder if anyone else on the panel can answer that.

>> I can’t answer that. But legal certainty is important. But there is a political game. You mentioned the directive and the UK. Why can’t you get, even as an ISP organisation, you have no clarity yet? Because the UK was one of the ones that had the basis for this even before the directive.

So it can very well stand back and say yes, this doesn’t affect us at all. And they are not saying anything, but we’re not surprised why there isn’t any certainty. And this is the role I think of all of us is to push for these certainties, because a certainty is very important. It’s part of the process of openness, of knowing what is going to happen to you if you do this. This is where we need to go, legal certainty. But it’s a longish process.

>> OLIVER SUME: Thank you.

I’m looking again into the audience. There is a question. Please, go ahead. Thank you. Or a comment. Can you please say your name and who are you speaking for?

>> AUDIENCE: Yes. Okay.

Lorenzo Pupillo. I have a question from the panel. More than once has been mentioned, you know, the role of the European Convention on cybercrime. Okay?

But also I get the feeling that, to some extent, even the panel – or maybe this is my impression – considers that there is still a lot of work that needs to be done. So probably the Convention is a good starting point, but it’s not enough to some extent.

From what I know, it has something to do with the fact that it’s still perceived as a regional initiative. In other words, it’s – what is lacking is the global framework from one side. From the other side, there are some criticisms, like the one from Professor Trackman from the Fleischer School, it’s considered the Cybercrime Convention is a cybercrime law enforcement Convention, not a cyber terrorism Convention.

I’d like to get your idea. In other words, do we need a broader framework, like an International Treaty for that? Thanks.

>> OLIVER SUME: Thank you for the question.

>> TATIANA TROPINA: Well, we have a set of questions. I would like to give you an answer briefly. Yes, the Cybercrime Convention is criticized for being a regional instrument and contributing to the fragmentation of the legislation. It’s like a one way ticket. You are either in the club and you can influence what is developed or you’re out.

But the problem is that the Council of Europe was dealing with this totally on their own. When organisations like the United Nations or the ITU stepped in several years ago when there was already this instrument, with very high standards. So, for example, last year they met in Vienna with the content to negotiate the new instrument, and they couldn’t. It always comes to the question of digital sovereignty. And all the things that are offered are basically blocked. This is why we have what we have now. Europe will never sign anything – for example, will not sign a Convention coming from the African Union. So the question is why African countries can sign this document. But at the same time, they are doing this and they are implementing the standards, just because there is no better instrument right now. And I believe that we have to work with what is done.

Concerning cyber terrorism, I’m sorry, there is no such definition of terrorism on the International level. Even if you check the United Nations Conventions, there is no definition on terrorism. The United Nations Convention on terrorism has been negotiated for more than 12 years with no success, because they cannot agree on the definition of terrorism. So how can we talk about cyber terrorism if we don’t know on the International level what terrorismis. So it’s like a joke for me.

>> AUDIENCE: I’m Manuel Braga Monteiro for Deutsche Telekom. I’m a lawyer, so people say I like laws. And I do like laws. And when I started to read in this Internet governance topic a couple months ago, I was quite happy to find this Cybercrime Convention because it has clear rules, clear definitions, ruleson exhortation. And my question is what is the practical application of this Cybercrime Convention? It has been used often, because it’s based on a collaboratory regime between countries, which I assume some of them won’t be very collaborative despite signing the Convention.

>> OLIVER SUME: Thanks for the question. Jan, can you answer it? Are there practical experiences or examples where the Cybercrime Convention has been implemented and has led to new – who can –

>> JAN MALINOWSKI: Yes, thank you.

The Convention doesn’t apply directly. So it is not a criminal law instrument as such that a Judge or a law enforcement official, prosecutor, can say “I charge this person for suspicion of having committed a criminal offense under article 2 of the Convention”.

What it says is the countries that subscribe to it have the obligation to transpose that, to create a criminal offense within its own criminal law system. And that of course has happened, as I was saying earlier, in respect of the 40 plus countries that have done it, that have acceded to the Convention. But also in respect to a large number of other countries that have aligned their national legislations to the provisions of the Convention. So that is a very practical and very broad impact.

In addition to that, there is a system of cooperation, and thereis an exchange of information, of good practice, and there is all the training. And even in respect of digital forensics and so on, that is being conducted on an ongoing basis. So there is a lot coming out of it.

Now, if I can address briefly the question of cyber, so-called cyber terrorism as well. The Convention doesn’t – and I don’t think it needs to address specifically the question of labeling some activity as terrorism. Maybe some people think it would be necessary. It is to be discussed. But if you see the way it is drafted, you have the answer. If you are talking about illegal access, if it is done on the basis of terrorist activities or for terrorist purposes, illegal access is covered by the Convention already. If it’s about system interference, it’s covered by the Convention. If it’s about data interference, it’s covered by the Convention. If it’s massive fraud, it is covered by the Convention.

So I think that the Convention is already there, it is a very valuable tool. And it is a question of – I wouldn’t say implementation. It is being implemented. It’s about further implementation and broadening its implementation.

>> OLIVER SUME: We have five more minutes because we started a bit late. So I would like to give the next question to the auditorium.

>> AUDIENCE: I’m Christian Hawellek.

I would like to come back to a topic that we talked about. The relation of intelligence services and the cybercrime. A couple weeks ago here in Berlin, Shindler announced a strategy called “Support for cyber defense”. So using our capacities to wire tap cables to detect cyber attack and to some extent cyber criminality. And this is a tool not to prosecute cybercrime but to prevent it. And we have a couple partner services involved in it, it has a involvement of roughly 300 million Euros that will be developed over the next years. I find this a remarkable statement.

I would like to hear from the panel whether any member of the panel thinks that this is the right way forward or whether there are any objections or anything.

Thank you.

>> OLIVER SUME: We have a quick answer from the panel on that? Thank you.

>> TATIANA TROPINA: I do believe that all the confusions about deterring cybercrime and mass surveillance comes from the fact that for cybercrime to have proper safeguards, for preventive police law, for early prevention and disruption for national security laws, we don’t have the proper safeguards and the legal regimes are overlapping, unfortunately. And either we have to separate completely, which is impossible, or we have to reconsider surveillance, preventive police law, national security laws to implement the safeguards. There is no other way.

>> NICHOLAS LANSMAN: In the UK we have the Investigative Powers Act. A lot of people criticize that. But we have the Commissioner for Interception. And every year he has to do a full report disclosing exactly how many requests were sent to the ISPs, and that report goes to the Prime Minister. So there is a level of transparency.

So my answer is saying, to answer directly your question, that is precisely what should happen. That security services should also have to be taken – there has to be accountability for what they’re doing. And so we can judge whether it’s proportioned or not. In fact, the report this year for the Interception Commissioner said he is concerned that the number of requests, which number half a million in the UK, is a little high.

>> OLIVER SUME: Bertrand, please.

>> BERTRAND de La CHAPELLE: Just a contribution on a few distinctions. There has been a distinction regarding the status under which the ISPs are – and the situation of Telco operators is different from the situation of platforms. Because in most cases you need a license to operate in the country. And it’s the moment where the arm twisting takes place. It’s a distinction that is very important for the different actors.

The second thing is the characteristics of the Cybercrime Convention, as most cybercrime cooperation is based on the principle of dual incrimination. Here it is trying to harmonize on the level of the substance. The different criminal frameworks in the different countries as a precondition for cooperation. The problem is that when you deal with content, particularly on platforms, there will be no harmonization of the substance. Because there is no agreement on what hate speech is or not.

And so the only way forward in that kind of situation, not on cybercrime, but on content-related issues, is to actually deal towards – with the harmonization or at least the convergence of the process aspect, and making sure that there is a due process framework that can emerge from the discussion of the different stakeholders.

I just use this because it’s of course an advertisement for the project, Internet Jurisdiction, that I lead. But the question of rule of law is fundamentally a question of establishing due process frameworks for cross-border spaces. It’s different from cybercrime. But for these issues, we need procedures for the interaction between law enforcement and platforms.

>> OLIVER SUME: The last question and we have to close the session after this. Thank you.

>>Oksana Prykhodko, Ukraine. We are talking about legislation for peaceful times. Is there legislation for war time?

>> OLIVER SUME: Was it a question to the panel?

>> AUDIENCE: For anybody.

>> TATIANA TROPINA: You ask about legislation for war? For cyberwar?

>> AUDIENCE: No. Just for war. As far as I know, for example, regarding freedom of speech, there are some restrictions for war time. What is this specifically? This is an example.

>> TATIANA TROPINA: Well, I’m not aware of anything like this. I think this should go on the national level. I’m not aware of any International kind of frameworks for these.

I know that there are some kind of tensions and negotiations on the state level how to deal with war time, but I – I never heard they came to any conclusions. Maybe there is something at NATO, but I’m not aware. I don’t think so.

>> JAN MALINOWSKI: Yes, answering that question first, the Human Rights Convention has parts to several of its articles, and parts to include the circumstances where the fundamental right that is consecrated in part one can be interfered with. And one of the causes for interference is usually national security.

So that has to – but the question I think is so open ended that one can simply not answer it in this way.

But I wanted to say something in respect, and I did flag it earlier, that I would like to come back to that, to the question of mass surveillance. A year and two days ago the Committee of Ministers of the Council of Europe, the 47 Member States, adopted a declaration on tracking and surveillance. And one of the indents there is – reads as follows. “Draws attention”, the Committee – so the 47 Member States “draw attention to the criminal law implication of unlawful surveillance and tracking activities in cyberspace, and the relevance of the Budapest Convention in combating cybercrime”.

Now that we know that the domestic law in certain cases tells the security, the national defense agencies and so on, tells them if you do these things you are okay. We are not going to consider it a crime. You are exempt from responsibility. This is excluded. Your activities are excluded from the criminal law.

But that doesn’t apply in other countries. So what you have is a situation where the activities that may not be criminal in country A, if they interfere with rights of people in country B, they can be a criminal offense. And it has been signaled very clearly in country B.

We have examples of that. We have seen how in the U.S. criminal procedures are initiated against Chinese military actors, and the other way around. It can happen.

So the answer I think is something that was said on that side of the room earlier, which is de-escalation. It is about cyber disarmament. Instead of continuing to escalate the system, can’t we have a system of de-escalation?

>> OLIVER SUME: Thank you for that additional and final remark.

We come to an end. It would be great if we could suggest something as a message to the IGF in Istanbul, and this session I think the cybercrime Convention has been clearly in the focus. Would you think that something like the EuroDIG promotes the Cybercrime Convention as a starting point for a discussion about a cybercrime in a multistakeholder manner, something like that as a message from EuroDIG for the panel? Would you agree on that, or the auditorium agree on that?

>> Except for the legal content issues.

>> OLIVER SUME: That was just a suggestion. I appreciate your time and effort, two packed days. Thanks to the panelists and – well, thank you.


Preparatory meetings

Pictures from working group


Session twitter hashtag

Hashtag: #eurodig_pl6