Informal Meeting of the Justice and Home Affairs Ministers, Amsterdam 25-26 January 2016 Discussion Paper on tackling cybercrime Meeting of Ministers of Justice, 26 January 2016 The criminal use of cyberspace borders to retrieve information, making it Cyberspace is borderless. Information flows possible to violate laws in one country simply by freely between countries providing citizens and complying in another. organisations almost unlimited access to information and digital services. Information is Criminals know law enforcement and judicial everywhere; the physical location of the servers authorities struggles to cope with these issues on which it is stored is often not known and and they exploit these. They use technical means deemed irrelevant to users. Information can be to hide their identity and move their criminal stored, changed and deleted, and internet activity between countries, using the snail’s pace services can be used from anywhere in the world. of existing procedures to their advantage. They Cyberspace has grown into an essential element also often know which countries do not have the of modern life. necessary legal framework, capability or legal assistance processes in place to fight them The protection of cyberspace from incidents, effectively. They can use these countries as safe malicious activities and misuse has become havens for their criminal activities. By effectively crucial for the functioning of our societies and evading the rule of law they enjoy an impunity economies. The borderless nature of cyberspace that is unacceptable. poses special challenges and opportunities for law enforcement and judicial authorities. European action Important information for law enforcement and The EU has recognized the challenge cyber judicial authorities, such as electronic evidence, criminality poses and has acted accordingly. can also be stored, changed and deleted in Almost all Member States are party to the seconds. It can be stored in one country by Budapest Convention on Cybercrime, providing criminals located in another country, and moved a baseline for tackling cybercrime and for when they suspect law enforcement is catching enhanced cooperation across borders. Europol up to them. The current procedures for mutual and Eurojust have stepped up to the challenge of legal assistance (MLA) are complex, time enhancing international cooperation both consuming, and not adapted to the requirements between Member States and with third countries. of cyber investigations leaving law enforcement The European Cyber Crime Centre (EC3) has and juridical authorities far behind technically evolved into a vital hub for international capable criminals. When criminals hide the cybercrime investigations. Several Joint location of their activities and identities with Investigation Teams were successful and the technical methods these MLA procedures efficiency of legal assistance procedures has become inadequate. In those cases it is not even increased. The implementation of the European known which country to request assistance from. Directive regarding the European Investigation Law enforcement agencies often rely on internet Order Directive in criminal matters will further service providers to provide e-evidence. improve cooperation between member states However, the laws for obtaining e-evidence are also for cyber investigations. not identical in all countries. Internet service providers themselves, who are mostly willing to Remaining challenges cooperate with law enforcement and judicial Unfortunately, some challenges remain authorities if legally required, often have to cross unaddressed. Criminals who are technically capable or hide in countries with limited law countries either regularly or when they enforcement capabilities against cybercrime are suspect they are being investigated by law well able to evade prosecution. Cyberspace still enforcement and judicial authorities, staying gives criminals the opportunity to make large ahead of these agencies due to slow MLA gains with little risk and technically advanced procedures. These examples often involve criminals can find a safe have in cyberspace. countries outside the EU. Two types of situations remain especially challenging: 2. Conflicting regulations hamper cooperation 1. Mutual legal assistance is not possible with private parties. Internet service because the location of information or the providers, especially those providing cloud origin of a cyber-attack is not known. Various computing services, often do not store effective ways to hide information about the information about clients and their activities location of information and activities have in the countries where those clients are. been developed and some hosting providers Those private companies may even be offer hosting in countries of choice, allowing established in one country while also criminals to choose countries with limited providing their services in other countries. law enforcement capabilities. This is called Suspects of criminal investigations can be “bullet proof hosting”. These hosters promise located in one country while information their clients not to log their activities and to about them is in another. It can be necessary inform them when law enforcement and for law enforcement and judicial authorities judicial agencies are requesting their data. to request information physically stored in Criminals use these hosters to store stolen another country. For internet service data, including credit card information, data providers, differences in regulations can for botnet herding or child abuse images in become an obstacle for cooperation. those countries. Dedicated communication Complying with a request for data in one servers are another example. Criminals can country could imply breaking the law in the use their own enterprise server to direct their other. communications while applying strong encryption techniques. Eavesdropping is not In situations as described in the above, the effective because of the encryption, and data investigation and any further action taken from the server cannot be obtained, because against cybercrime comes to a halt. These it is located in the criminal’s country of challenges cannot be resolved by further choice. There seems to be a lively trade in improving cooperation. The European these kind of servers. TOR and I2P techniques Agenda on Security1 recognises that this state are a third example. Although these techni- of affairs is unacceptable and prioritises ques of course also allow for legal use most “reviewing the obstacles to criminal investigations TOR and I2P traffic is of a criminal nature, in on cybercrime, notably on issues of competent particular the trade in drugs and weapons jurisdiction and rules on access to evidence and and the spread of child abuse images. information”. Identifying criminals, both buyers and sellers, is often not possible and many criminals are Common interest: the security of cyberspace untouchable. The security of cyberspace is of common interest to law enforcement and judicial authorities, In these situations mutual legal assistance is citizens, private organisations and other parts of not possible, no matter how efficient government. Solutions for these challenges procedures are. In these circumstances, should therefore take into account interests of all stopping a cyber-attack or acquiring these parties. e-evidence could violate the sovereignty of another country. In most cases this is not Law enforcement and judicial authorities are allowed under international law. MLA can charged with upholding the rule of law within the also be impossible for other reasons. For appropriate legal framework, also in cyberspace. example, the countries involved could have People and businesses should be protected only limited relations or be involved in against crime. A secure internet is vital to society. diplomatic issues. Second, legal differences Law enforcement and judicial authorities should could limit the possibilities for assistance. be given the ability to improve that security for Investigative powers can differ, or the dual social and economic activities and to counter criminality requirement might not be met. crime. The legal framework should provide law Third, the country could lack effective enforcement and judicial authorities with the capabilities for handling cybercrime and mutual legal assistance requests. Fourth, criminals move their activities to other 1 Doc. 8293/15 powers necessary to perform their duties 3. Do we need alternative approaches (e.g. legal effectively. At the same time, the investigative or other instruments) for situations when powers they hold can intrude into private lives mutual legal assistance is not possible? and business processes. Everyone should be 4. Which alternatives would you propose? confident that law enforcement and judicial 5. Conflicting national and international authorities will only use their investigative regulations regarding e-evidence hamper powers under strict conditions, their use being cooperation with private parties. Should we lawful, necessary and proportionate and subject develop a common approach to tackle this to proper procedural safeguards. Proper issue? regulation and transparency about the use of 6. Which elements should be part of such a investigative powers are essential for people and common approach? businesses to trust the law enforcement and judicial authorities and for their trust in cyberspace being safe and secure. Private enterprises are often valuable partners in the fight against cybercrime. The private sector not only has the information necessary to solve individual cases because of their control of applications on the internet but also has valuable knowledge about cyberspace and the possibilities it provides for effective investigation. So as to ensure that the cooperation with private partners remains constructive, clear regulations and points of contact are required. Moreover, the issue of conflicting regulations should be addressed. EU process Following the adoption of the EU Agenda on Security, valuable contributions were made to the debate on jurisdiction in cyberspace during Luxembourg’s EU presidency term. The current paper serves as a basis for an informal discussion at the ministerial level during their EU presidency term. Current practices in joint cybercrime operations are set to be evaluated through EMPACT. This is to be followed up on by an expert-level conference to build on the insights gained thus far. The results will thereafter be discussed by COSI and CATS, possibly leading to the development of a further programme of action. In the light of the above, ministers are invited to discuss the following questions2: 1. Do you support the development of a common view on jurisdiction in cyberspace in addition to improving operational cooperation? 2. Which issues do you think could be addressed in that respect and what is your view on those issues? ² As mentioned in the cover note, you are kindly invited to share (an outline of) your Minister’s response with the Presidency in advance, which will support us in focusing the discussion in the meeting on those points which require the most attention.