Public Hearing on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime
Charlemagne Building, 170, rue de la Loi, Brussels 1040
7 March 2001, 9:30 to 17:30 h.

[Please note: This is a draft report. The Commission would welcome any comments from those who disagree with the comments attributed to them in this report by 4 April 2001. Please send any comments to "infso-jai-cybercrime-comments@cec.eu.int".]

1. Welcome

1.1 Robert Verrue, Director-General, DG Information Society, welcomed representatives to the public hearing. He described the success of, and security risks facing, the Information Society. The Commission had responded through the eEurope Action Plan and now the Communication, which was the first comprehensive policy statement of the European Commission on the issue of cybercrime. Bridging the concerns of the various stakeholders was crucial in order to realise the full potential of the Information Society in the Internal Market. The EU approach aimed at achieving both prevention of crime and a suitable response to it, while maintaining a proper balance between the various interests at stake. The Forum would bring these parties together to discuss various issues with the aim of enhancing co-operation at EU level. It would be operated in an open and transparent manner, with relevant documents published on a website. The purpose of the hearing was to clarify the positions of the various stakeholders, and to determine their perspectives on key issues. He hoped for a frank and open discussion in order to facilitate understanding and to enable the European Commission to develop proposals to create and reinforce a safer Information Society.

2. Introduction (Chair: Mr. Robert Verrue)

2.1 George Papapavlou, DG Information Society, presented a summary of the Commission Communication on "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime", noting the complexity of the issue, the lack of hard data which would demonstrate the extent of the problem, and the need for a balanced approach but also a swift response to the threats to the information society.

2.2 Erik Wenneström, Presidency of the European Union, Swedish Ministry of Justice, welcomed the Communication and made clear that the Presidency regarded cybercrime as a priority for the Area of Freedom, Security and Justice within the EU. Prevention through more secure networks was essential, and there was a need to examine how security was affecting consumer confidence and the growth of e-commerce. Ideally, market-generated solutions would resolve the issue of security to an extent. He recognised the EU's role in addressing the threat of cybercrime through the approximation of substantive criminal law, and saw the extension of the principle of mutual recognition to cybercrime investigations as a natural development for enhancing co-operation. Non-legislative measures such as specialised national units were also important. The proposed EU Forum was also valuable, since dialogue was essential to tackle these problems. The Presidency looked forward to working with the Commission on taking these initiatives forward. In particular, the Presidency saw the need for further action in the following areas:
- taking steps for the speedy adoption and implementation of the Council of Europe Convention;
- bringing forward proposals to enhance law enforcement co-operation, e.g. through the 24 hours / 7 days a week network;
- ensuring appropriate consideration of law enforcement and judicial co-operation aspects when Community law is elaborated and implemented. The Presidency would ask its EU partners how best to do this.
2.3 Charlotte Cederschiöld, Member of the European Parliament and Rapporteur on the Communication, spoke of the detrimental effects and challenges of cybercrime, and the responsibility of each of the interested parties to understand the conflicting interests. No one party had the only true solution. The core issue was to find the right balance between law enforcement, fundamental rights, industry and consumer interests through mutual understanding. Previously, work had been carried out behind closed doors among law enforcement experts. Industry should not be expected to play the role of the police or to bear unnecessary costs. Any form of interception operation should be allowed with appropriate and strict safeguards. The European Parliament had held the first open discussion on the issues in September 2000, which brought the relevant interests together. Attention was drawn to the work of the Article 29 Working Party on data protection, and the need to improve co-operation with the Working Party. There was a need for a long-term perspective to find global solutions. Transatlantic co-operation was vital, and the candidate countries should also be involved in the EU Forum. The EU Forum could have a signing-up system with a code of ethics. The US could also present a "privacy tsar", in the same way as the EU would soon have a data protection officer. This corresponding structure might open up better day-to-day co-operation to develop efficient common policies for law enforcement, privacy and industry.

3. Keynote presentations (Chair: Mr. Robert Verrue)

3.1 Chief Superintendent Keith Akerman, UK Police and Chairman of the UK Internet Crime Forum, focused on the following areas:
- legislation: this was not harmonised, there were different interpretations, and it was often out of date compared to technology. For example, there was a gap in UK law for denial of service attacks.
- victims: they were often forgotten. The emphasis was on fundamental principles which protected offenders.
- prevention / fraud: there was a need to reduce crime by reducing the opportunities for crime. Industry sometimes expected action from law enforcement, but law enforcement did not have the tools, expertise or resources.
- data protection: the EC Data Protection Directives were a real hindrance to law enforcement, particularly given anonymous and flat-rate access. An example was a race hate e-mail sent on a Friday and received on a Sunday. When law enforcement was notified on Monday, the traffic data had been destroyed and it was impossible to trace the sender. More recently, 500 people had been involved in the exchange of child pornography. When the police attempted to identify them, the traffic data vital to the investigation had already been destroyed.
- non-legislative measures: practical co-operation had not kept pace with the Internet. Specialised national law enforcement units were important, but it was unrealistic for them to deal with all cases. Training was essential for law enforcement and the judiciary. There was a great opportunity for partnership with industry: ideas should be exchanged, and solutions found.
- EU Forum: dialogue was essential, and good practice needed to be shared. UK experience with the Internet Crime Forum had proved that even a simple common standard for a request form had major benefits.
- Conclusion: it was time for action; inaction would lead to a lack of confidence among users. In short, it could be summarised with the following equation: E-commerce E-crime = E-confidence

3.2 John Ryan and Ms. Camille de Stempel, AOL Europe, welcomed the Communication and strongly supported the partnership dialogue between industry, law enforcement and government. Self-regulation should be favoured wherever possible.
AOL wished to focus on the following issues:
- EU Forum: AOL had been a member of the UK Internet Crime Forum since 1997 and welcomed the establishment of a similar forum at EU level. An EU Forum would be very helpful to share best practice and awareness, and to focus on the disparities that existed in requirements in different countries.
- Substantive criminal law: AOL endorsed an international, comprehensive approach to legislation. The "I Love U" virus was an example of a successful investigation floundering because of the lack of a legal framework for prosecution.
- Training: AOL underlined the need for training of law enforcement agencies. AOL was already working on a training video for European law enforcement. Better informed law enforcement would mean requests that AOL could fulfil, and would help to stamp out activity on networks. Training was necessary not just for specialised law enforcement units but also for non-specialised law enforcement units and the judiciary.
- Data retention: AOL supported the goals of law enforcement, but the nature and extent of data retained varied widely within industry. Preservation of data in specific cases was preferable to retention of data for long periods of time. A reasonable and effective solution could be found through dialogue, which would avoid excessive storage requirements and financial costs incurred by industry. AOL also already had a 24/7 contact point with law enforcement.
- Data interception: this was the most sensitive issue, with the greatest impact on privacy. It was not primarily the role of industry to monitor activities on the Internet. It affected the fundamental relationship with customers, who wanted their transactions and communications to remain confidential.

3.3 Peter Van Roste, EuroISPA, supported an open dialogue to enhance consistency in regulation and policy making. Industry was not only a direct victim of crime, but the damage caused by loss of user confidence was even more important.
The public hearing was a step forward in restoring that confidence. Key issues for EuroISPA were:
- monitoring of content: monitoring and blocking citizens' access to information should not be dealt with in a different way online than offline, and the tasks fulfilled by law enforcement in the off-line world should not be fulfilled by private companies, nor replaced by judicial intervention. The technical issues of blocking access over the Internet were fundamentally different from telephony.
- financing: EuroISPA welcomed the Commission's initiative to discuss interception, and drew attention to the fact that most governments had not launched any discussions on the allocation of costs. Different approaches could damage cross-border competition, and put incumbents at a competitive advantage by being able to pass on costs to customers. There was a risk of a substantial price rise for access to the Internet. Reimbursement provisions would also act as a safeguard against unnecessary search and seizure by government.
- keeping logs: the distinction between connection data and traffic data was crucial. Connection data was the time and duration of connections by users and, where appropriate and technically feasible, calling line identification. EuroISPA supported the European Parliament's concerns in the context of child pornography where, despite being sensitive to privacy issues, it had expressed an opinion favouring a general obligation to preserve traffic data for a period of three months. This was also consistent with the Article 29 Committee's recommendation of 1999. A 12-month retention period did not seem to meet the test of proportionality. EuroISPA agreed with the Commission's view that industry should not be confronted with measures that were unreasonably costly, and drew attention to the extremely significant cost of retrieving data from the logs by qualified personnel.
- anonymity: EuroISPA would welcome further discussion about the principle that, where the user could choose to remain anonymous off-line, ISPs should protect anonymity on-line, though this should not simultaneously protect or harbour cybercrime.
- EU Forum: this was welcomed, particularly since it would offer transparency and the opportunity to examine national and international initiatives.
- Self-regulation: despite the limits due to legislation, EuroISPA agreed with the Commission that it should be supported and enhanced.
- Conclusion: existing approaches in Member States were far too different to lead to effective solutions to the global problem, and some of the initiatives went far beyond the draft Council of Europe Convention and had unfortunately led to unbalanced proposals.

3.4 Peter Hustinx, President of the Registratiekamer (Netherlands Data Protection Authority) and former Chairman of the Article 29 Working Party, congratulated the Commission on the balanced approach in the Communication, taking into account fundamental rights and liberties, and welcomed the use made of the Article 29 Working Party's recommendation in the text. The Working Party was currently revisiting these issues: it would respond to the draft Council of Europe Convention and perhaps to the Communication. The challenges of cybercrime needed to be addressed simultaneously with the protection of individual rights to privacy, and a balance between the different interests and rights was required in the application of existing constitutional and legal frameworks. A form of balance already existed in Europe. Article 8 of the European Convention on Human Rights did not give an absolute right to privacy. It provided for exceptions under the following conditions: the criteria of proportionality and specificity must be met, there must be a clear and precise legal basis, any exception to fundamental rights must be interpreted in a restrictive way, and there must be strict safeguards.
Routine retention of data, as a prospective tool for crime fighting, would be an infringement of Article 8. The European Convention on Human Rights required a pressing social need based on convincing evidence for each case, and demonstrably beneficial effects. According to these conditions provided in Article 8, interception was acceptable only on the basis of a clear and precise legal basis, respecting the principles of specificity and proportionality, based on a restrictive approach and providing for strict safeguards. The same principles applied to the development of infrastructures for interception purposes. Finally, "e-Privacy" must be added to Mr Akerman's equation: this was an essential element without which user confidence could not develop fully. The Article 29 Working Party looked forward to participating positively in the Forum.

4. Presentations (Chair: Mr. George Papapavlou)

4.1 Richard Swetenham, DG Information Society, Internet Action Plan, explained the three main areas under which projects were being funded: creation of a European network of hotlines, development of filtering and rating systems, and raising awareness for safer use of the Internet.

4.2 Ivan Tallo, rapporteur of the Parliamentary Assembly of the Council of Europe on the Cybercrime Communication, reported that the CoE Convention was being finalised in order to provide for the harmonisation of substantive law, approximation of procedural law, and fast and effective means of international co-operation. The hearing of the Parliamentary Committee examining the Convention on 6 March had provided an exchange of ideas about the Convention, and the Committee would prepare an opinion for the Parliamentary Assembly in April. There had been criticism that the process was closed: the meeting on 6 March had tried to open it up. In general, there was a consensus that there was a clear need for the Convention.
However, criticism had been voiced that it lacked balance between the stakeholders, that there were insufficient privacy and data protection guarantees, and that there were unreasonable obligations on industry. Miscommunication was a clear problem. Race hate had been left out of the Convention, and might need to be addressed in a Protocol. Further comments on the Convention could be sent directly to the Parliamentary Assembly's e-mail address or his own.

4.3 Malte Borcherding, Global Business Dialogue on e-commerce (GBDe), welcomed the Communication and was pleased that many of the recommendations reflected a common position with the GBDe. Although the GBDe was in most parts in agreement with the Communication, it had the following specific comments:
- any legal framework must be flexible and international to address the global aspect of cybercrime: this could have been emphasised more in the Communication.
- on-line and off-line conduct must be dealt with consistently. Laws dealing with computer-specific forms of cybercrime needed to be in place and vigorously enforced: these deserved most attention and action.
- sharing of information between government and industry was important, but this implied that governments would share with the private sector information on network vulnerabilities collected as part of work to protect national security.
- the EU Forum was welcomed, and the GBDe wished to play an active part in it. It was of vital economic interest to businesses world-wide to co-operate with all stakeholders, private and public, to provide for a secure infrastructure to ensure consumer trust.

4.4 Neil Gibbs, European Public Telecommunications Network Operators' Association (ETNO), welcomed the Commission's initiative. He pointed to the issue of diverging national laws and the threat of competition and market distortions due to this diversity.
Moreover, he made the following key points:
- the telecoms industry was best served with a clear and predictable legislative framework. Proportionality was essential. Approximation of substantive criminal law in the areas of child pornography, racism, xenophobia, hacking and denial of service attacks was welcome. Standard definitions and harmonised minimum penalties would facilitate the application of substantive criminal law and create greater security and reliability.
- approximation of procedural laws, such as the principle of mutual recognition of pre-trial orders, could serve as a helpful tool to combat cybercrime. But fundamental rights needed to be safeguarded, and cost allocation needed to be dealt with in all Member States in an equal manner. Vast differences between Member States led to distortion of competition.
- routine retention of traffic data: a general obligation to store traffic data would render it impossible for service providers to provide services in an anonymous way and on the basis of guaranteed confidentiality. There was the cost of building data warehouses and of making them secure, and a risk of excessive data retention requests. These requests would have to be proportionate. Anonymity off-line should enable anonymity on-line. This issue should be debated in the EU Forum.
- technical costs: interception and the provision of traffic data could only be implemented by means of extensive additional investment and operational expenditure. Costs incurred for law enforcement purposes should be borne by law enforcement. The burden of cost for the development and maintenance of surveillance/interception would hinder innovation and distort competition. Member States should not impose design or technical standards for systems.
- non-legislative measures were of great importance. The EU Forum was strongly supported, and ETNO was optimistic that the problems addressed in the Communication could be solved.
4.5 Jari Raman, University of Lapland, welcomed the efforts in the Communication but felt a wider view of network security was needed. Network security was not just about the security of information infrastructures: it was about controlling the risks of a network society in a comprehensive manner. There was a need for an approach that combined the different fields of law together with technological, administrative, social, personnel and organisational measures to control the risks. The consideration of regulatory models, together with the development of EU-wide general principles, the creation of a comprehensive regulatory policy and the co-ordination of projects on information security, was an important and urgent task for the EU.

4.6 Dr Irini Vassilaki, German Association for Law and Informatics, drew attention to two key areas:
- Jurisdiction (international criminal law): the problems of jurisdiction because of varying national laws were highlighted, and the Council of Europe's approach was explained. For example, the offence of "making available illegal contents" would inevitably lead to conflicts of jurisdiction. Appropriate international legislation needed to define under which conditions an offence is committed in the territory of a state, e.g. where the criminal law punishes the pure dissemination of illegal content. Clarification of this would prevent the boundless application of national criminal law.
- Mutual legal assistance (international criminal procedural law): the requesting and requested Member States both needed safeguards. On interception of communications, there was a need for harmonisation at international level and greater clarity of rules and procedures.

5. Presentations (continued) (Chair: Mr. Tung-Lai Margue, DG Justice and Home Affairs)

5.1 Nigel Hickson, Confederation of British Industry (CBI), welcomed the Commission's Communication and emphasised the importance of making the EU a safe place to do e-business.
He identified a number of areas of concern:
- consumer trust and confidence: this depended on privacy and security. Surveys showed that crime was not an issue.
- data retention: this was very important. Blanket retention of traffic data was not appropriate and would not work. Law enforcement and industry should accept preservation in specific cases. There was a danger of repeating the problems and loss of confidence in e-commerce similar to the key-escrow discussions on encryption.
- denial of service and hacking: it was hoped that the approach of the CoE would be examined in an attempt to increase international convergence.
- relationship with the Council of Europe Convention: there was a danger that too many different initiatives at international level would lead to inconsistency. The suggestion that the "EU might go further" than the CoE could create uncertainty for business and other users.
- EU Forum: this was very much welcomed by the CBI, but must also include broad representation from the business user community. It was a very positive step forward.

5.2 Peter Harter, Securify, Inc., thanked the Commission for a very good paper and welcomed the important recognition that cybercrime and cyber security were not isolated phenomena. A holistic approach was necessary. The Internet had originally been designed for sharing information between academics: it was not designed for business activity. It originally had no law governing it. As a result, it could now be considered to be sick. The symptoms were viruses, threats and vulnerabilities. It was possible to cure the symptoms: CEOs and Ministers must take responsibility and preventive action. Action needed to be taken, and tools developed and used. Knowledge and understanding of the networks were crucial: the government of Norway had recently submitted a paper to the OECD on the need to raise awareness among users, business and government. Through knowledge, assurance and accountability the Internet could be cured.
5.3 Claudio Murri, Electronic Data Systems (EDS), drew attention to EDS's written statement, but wished to focus on a few specific issues:
- the Communication contained statements which represented some basic principles: "security is the responsibility of users"; "no single standard to fit all users"; "what is illegal off-line is illegal on-line"; "new powers need to be assessed against Community law and fundamental rights to privacy"; and "proportionality in costs and in the measures taken in accordance to the seriousness of the crimes committed".
- EU Forum: this was welcomed by EDS. Co-operation with industry was essential. The business user community also needed to be represented, and government as a major user of IT.
- technology standards: despite the need for inter-operable, internationally recognised standards, there should be no government involvement in developing these standards.
- encryption: more action was needed at national level to meet the Commission's 1997 intention to remove restrictions on the free circulation of encryption products at the level of the European Community.

5.4 Jeffrey Pryce, Working Group on International Cyber Security, welcomed the Communication and the fact that it dealt with two different but deeply inter-related aspects of securing the benefits of the information society: information security and computer-related crime. But while the different themes of "cybercrime", "cybersecurity", "cyberterrorism" and "protection of critical communications infrastructures" needed to work in harmony, experience cautioned against confusing different categories of problems.
There were three aspects to protecting information and communications systems from hacking, viruses and denial-of-service attacks:
- prevention and awareness: industry and other users must be educated, participate in preventing misuse and play a leadership role, but that did not mean mandated standards or criteria;
- response: a good example was the US Information Sharing and Analysis Centers (ISACs), which involved rapid sharing of information, with limitations and protections against anti-trust claims or the risk of public exposure of proprietary information. This was an area where government might co-operate with industry, but should not seek to mandate or control criteria;
- deterrence/investigation/prosecution: it was important to find and prosecute those responsible for attacks against systems. But deterrence alone was unlikely to be an effective means of protecting information systems. Procedural law measures for access to electronic evidence, particularly interception, needed to consider burdens on industry and prevent the undermining of fundamental rights. The Internet gave new opportunities for crime but also new investigation capabilities. Businesses were against crime. However, third parties should not be exposed to liability for the actions of others on their networks, and should be fully compensated for their costs in meeting law enforcement requirements. Effective anti-hacking statutes needed to be drawn carefully and be narrowly defined. Transparency in decision-making processes was key, as was self-restraint in criminalising.

5.5 Rainer Fahs, European Institute for Computer Antivirus Research (EICAR), welcomed the Commission's initiative, and explained the threat that Internet viruses constituted to users and business, and the large-scale economic damage caused by viruses. Existing laws were not sufficient, applying only to hackers and not to those producing viruses.
There was a need for routine reporting of viruses: as a consequence of that knowledge, laws would be tightened and enable effective action against virus creators. EU legislation on hacking and denial of service attacks should therefore apply also to viruses. Strengthening action against viruses would, in turn, improve the confidence of users.

5.6 Andrew Rathmell, Information Assurance Advisory Council (IAAC), focused on the security issues in the Communication as opposed to the crime ones, and from that stance believed the Communication would be of great benefit across the EU. However, there was a danger that looking at both cybercrime and security together could blur the issue. There were a few areas where further thought was needed and the Commission could add value:
- offences against information infrastructures were critical.
- information collection and exchange was very important. There was no good data, and a lot more work was needed to collect the statistics. Risk assessment and management tools needed to be developed to understand vulnerabilities and the dependability of networks.
- raising awareness: a great deal more needed to be done at all levels of government, industry and users.
- EU Forum: this was welcome, though it was important for it not to be unwieldy or focused only on law enforcement authorities. It would be necessary also to include end users. It could therefore be split into several fora dealing with different specific issues.

5.7 Mr. Drew C. Arena, Verizon Communications, applauded the Commission for the Communication and the public hearing. Industry wanted to help law enforcement and victims, but did not want to bear an onerous or unreasonable burden. The EU Forum would be extremely valuable, and should urgently address some of the open questions left by the Council of Europe Convention, including liability of service providers, handling of costs, and data transfers to states outside the application of the EU data protection directives or CoE Convention 108.
It should also consider the substantive and procedural law measures proposed in the Communication. There was also a real danger that the Commission's initiatives for Framework Decisions would lead to a mixture of rules.

5.8 Hans Jurgen Garstka, Datenschutz Berlin, International Working Group on Data Protection in Telecommunications, drew attention to the Working Group's common position on the Council of Europe Convention. He underlined the fact that this Convention would also apply outside Europe. He was pleased to see that the Communication stressed data protection. He welcomed the creation of an EU Forum, announced his participation and mentioned different points that should be discussed in the Forum. There was a need for a balance between data protection and law enforcement, but the Working Group did not believe that traffic data should be retained only for law enforcement purposes. Any data preserved should be preserved only in order to facilitate the use of the telecommunication facilities. Nor should infrastructures be developed in line with law enforcement needs. Infrastructures were usually developed in line with the needs of users, and should increase security and not criminalisation. The period for retention of data should vary in relation to the gravity of the criminal activity. Moreover, the drafting of the provisions should not be abstract. There was also a risk of punishing innocent people.

5.9 Niraj Nathwani, European Monitoring Centre on Racism and Xenophobia (EUMC), welcomed the Communication, particularly the Commission's undertaking to propose a Framework Decision on racism and xenophobia which would apply to both "off-line" and "on-line" conduct.
It was explained that racism on the Internet was growing very rapidly, in part because the web provided broad reach at low cost, and because it provided access to safe havens where racist material was protected by constitutional rights (particularly in the US). As an example, the StormFront web-site in Miami received 2,500 visitors each day. The problem of retention of traffic data had already been described by law enforcement, and the Monitoring Centre agreed with the concerns expressed about the difficulty of tracing and identifying suspects. Current legislation was insufficient to deal with on-line racism. Other methods must be sought, such as filtering and blocking access to certain web-sites from the EU.

5.10 Meryem Marzouki, Imaginons un réseau Internet solidaire (IRIS), supported the Communication, particularly the way in which it addressed issues such as interception, data protection and the right to anonymity. Application of the principle of consistency between on-line and off-line to the approximation of substantive criminal law on child pornography and on racism and xenophobia was also supported. It was suggested that an approach similar to the one taken in the Television without Frontiers Directive could also be applied to the creation of common standards on these issues. There was a need to respect fundamental rights, including privacy and the right against self-incrimination, in the development of procedural law measures, and to apply the principle of dual criminality. Judicial control was essential to prevent unauthorised, vigilante action against individuals. The EU Forum was welcomed, particularly the involvement of civil liberty organisations.

5.11 Stephan Kronqvist, Information Technology Crime Squad, Sweden, said it was vital for all crime-fighting authorities to have access to traffic data on crimes committed using computerised communications, and this applied increasingly to traditional crimes as well.
Some of the proposals in the Communication would only be relevant if historical traffic data existed. There would be no chance of a successful investigation of child pornography, or use for preservation orders, if the traffic data had already been erased before anyone realised it could be of interest to law enforcement. The EU Forum might be a way forward on this issue, but the existing legislation made any discussion an uphill struggle. The need for traffic data should therefore also be considered when Community law is elaborated and implemented, even through voluntary schemes. The technical complexity of managing traffic data was described. Flat-rate or periodic subscriptions for broadband services, combined with legislation, could, in principle, lead to a situation where no traffic data would be available for investigations. For victims of threats or harassment, the prevention, tracing and arrest of the perpetrators was also a matter of security and privacy. An example of a joint French and Swedish investigation was given, in which the retention of traffic data had resulted in locating an individual who was part of a network of individuals disseminating a large number of paedophile photographs on the Internet. The suspect was subsequently found to have committed rape on his five-year-old stepson and ten other children. All the rapes were proven with photographs, and the stepchildren had been kept prisoner in the apartment. Without access to traffic data, it would have been practically impossible to monitor and investigate this type of serious crime.

6. Discussion

Tung-Lai Margue (Chairman) wished to respond to the points made about the relationship between EU initiatives and the Council of Europe. The Commission's initiatives would be based on the progress made in the Council of Europe, and would be consistent with the Council of Europe's approach.
But the EU could and should go further in common definitions, incriminations and sanctions in this area, as had been agreed by the European Council in the conclusions of the Tampere Summit. This was not an incoherent approach.

Peter Csonka, Secretary of the PCCY Committee of the Council of Europe, welcomed the Communication and endorsed the Commission's explanation of the relationship between the EU and Council of Europe initiatives. The EU could go further than the Council of Europe in approximating laws and improving co-operation.

Tony Hutchings, UK National Hi-Tech Crime Project Team, said there was a misconception that anonymity was guaranteed in the off-line world. This was not true: it was often possible to find witness or other evidence. In the on-line world, however, all evidence and witnesses would be destroyed as a result of the data protection directives.

A representative of the Belgian Police agreed that traffic data was often the only lead to the crime. Without retention of traffic data, there would be no evidence. Other data protection interests were also compromised by the destruction of traffic data. For example, retention of traffic data had been necessary in order to trace stolen medical data.

7. Presentations (continued) (Chair: Mr. Tung-Lai Margue)

7.1 Roland Perry, London Internet Exchange (LINX), welcomed the Communication and was pleased to see that many of the proposals were in alignment with the approach of the UK Internet Crime Forum. Co-operation could not be built up overnight. Both parties needed to make efforts to educate each other about the nature of their requirements and the scope of their capability. Industry must educate law enforcement about what it was possible to achieve, and at what cost. The UK had been leading the way with the Internet Crime Forum and other initiatives. These were instrumental in establishing a mutual understanding of requirements, capability and costs.
The aim was to develop and maintain a working relationship between ISPs and law enforcement describing what information could be reasonably and lawfully provided to law enforcement, under what circumstances and the procedures to be followed. Industry also needed to understand consumer and privacy interests. LINX had published best practice guides for all ISPs on traceability, illegal material, SPAM and, coming shortly, privacy.

7.2 Ms. Beatrice Rogers, Computer Services and Software Association (CCSA), said the organisation represented the UK's IT service and software sector, with over 700 members with combined revenues of £18 billion. The Communication was a good document, but could be enhanced by taking account of the following points:
- EU Forum: IT product, service and solutions providers (hardware and software) should be elevated from "other interested parties" to key participants.
- PKI and digital signatures should be addressed within the Forum: the market and suppliers were slow to take up these technologies, and the Commission should address the fundamental barriers to this.
- R&D: this was vital, and must include the IT product, services and solutions providers.
- Level of awareness of security: this was very low in the UK. Awareness was fundamental, and IT trade associations could play a useful role in the non-legislative measures proposed by the Commission.
- Regulatory framework: any legislation in the area of information security must take account of existing standards such as BS 7799.

7.3 Neil Mitchison, European Commission, JRC Ispra, explained the mission of the JRC, and offered to provide scientific and technical support to the EU in fighting cyber crime. Information on the nature and extent of cybercrime was crucial, and the JRC would shortly start a feasibility study on this issue.

7.4 Christian Dressel, KirchGruppe, welcomed the Communication. The EU, CoE and G8 needed to adopt a technology-neutral form of regulation.
Many of the measures fell behind the need for regulation, and in other areas they went too far. Concern was expressed about certain aspects of the CoE Convention, particularly Article 19(4), which gave law enforcement the power to require encryption keys. Protection of content on the Internet was essential. Prevention and investigation of crime was the responsibility of States, and States should therefore bear the cost. Regulations should be consistent with each other and with existing regulations, because of the many conflicting views and interests. There was a need for research into the efficacy of measures to prevent digital counterfeiting. In the EU Forum, content providers should be fully represented.

Mr Margue (Chairman) confirmed that copyright industries would be invited to participate in the EU Forum.

7.5 Mario Correa, Business Software Alliance (BSA), expressed appreciation for the inclusion of those with copyright interests in the Forum. BSA represented the world's leading software developers and hardware producers world-wide. While of course welcoming the opportunities presented by the Internet, the BSA was concerned that the borderless and anonymous character of the Internet made it an ideal forum to market and distribute illegal content, including pirated copies of software and other copyrighted works. Piracy already cost the creative sectors an estimated €4.5 billion each year in Europe. BSA and other copyright-based associations already devoted substantial resources to fighting Internet piracy, but there was a need for improved commitment and co-operation by public authorities. The EU Forum was welcomed, and Europol's remit should be extended to cover cybercrime including piracy. The importance of access to subscriber and traffic data was stressed, since this allowed identification of operators of piracy sites. Privacy on-line was strongly supported by BSA, but that did not mean that criminals should be able to hide behind data protection laws.
Of course, any rules should take into account the technological limits and resource burdens that service providers face in collecting and preserving traffic data. Moreover, governments should not mandate technical standards for communications systems, since this would severely inhibit innovation. Overall, cybercrime was an area where a workable balance could be struck.

7.6 Mr. Dara McGreevy represented the International Video Federation (IVF), but also represented the FIAPF and the Motion Picture Association. The IVF represented the interests of publishers and issuers of videos and DVDs. Movies were unlike other content: they would often only be watched once. Sharing of pirated movie files on-line would cause enormous damage to the industry and eventually the user. The following points were made:
- Legislative measures: piracy should be taken into account when creating legislation. As a major victim, effective procedures and legislation were strongly supported and were needed now.
- Europol: the extension of its remit to cybercrime was supported, and it should include copyright offences.
- Retention of traffic data: pirates should not be able to hide behind data protection laws. Satisfactory solutions could be found by clarifying and improving data protection legislation. Access to subscriber data was also essential to combat piracy.

7.7 Chris Merchant, International Federation of the Phonographic Industry (IFPI), fully agreed with the points made by the previous speakers on copyright issues. The IFPI represented 1,700 producers, with revenue of €38 billion in 2000, and employed 600,000 people. Many issues identified in the Communication were not new: parallels could be drawn with previous industries where a balance had been found, for example on money laundering. Law enforcement needed effective powers to combat cybercrime, and privacy issues needed to be resolved in a sensible way. Theft was theft, whether committed on-line or off.

8. Discussion

A representative of the Dutch Government asked whether the meeting on the dependability of the Internet on 2 February had been taken into account. George Papapavlou (DG INFSO) said that he was aware of the meeting, and the Commission's work on dependability was in line with the Communication.

A representative of EuroISPA was concerned about confusion with some of the terms used during the hearing. He called for the EU to develop definitions, particularly of traffic data, pointing out that there is a broad range between connection data and content data. Narrow definitions of traffic data are acceptable to most parties, but broader ones may give strong indications of the content and meet with many objections. Tung-Lai Margue (Chairman) said that the issue of definitions would be addressed in the EU Forum.

Nigel Jones, Secretary of the UK Internet Crime Forum, made a number of points:
- The Forum would need a fair representation of all parties.
- In the UK Forum the sub-groups are particularly effective.
- There is a need for better knowledge of cyber crime and good quality data from Member States, due to the total lack of statistics. To that end Member States should work more.
- There was a need to clarify terminology on the difference between general retention of traffic data and preservation of specific traffic data.
- Greater emphasis must be given to victims' rights to see perpetrators brought to justice and to victims' privacy.
- There was a business requirement for retention of certain traffic data to protect network security and detect attack. Such traffic data was already being kept by many ISPs, and was the same data required by law enforcement. The outstanding question was for how long data should be kept.

Tung-Lai Margue (Chairman) confirmed that the EU Forum would be based on the principles of fair representation of interests, openness and transparency.
Neil Mitchison, European Commission, JRC Ispra, agreed that accurate information on cybercrime was essential, and that it would help to illustrate the need for law enforcement powers.

Dr Irini Vassilaki, German Association for Law and Informatics, assured the hearing that data protection was not intended to protect offenders.

John Haskins, a representative of the Department of Justice, Republic of Ireland, welcomed the Communication and spoke of the responsibility of Departments of Justice to find the appropriate balance. Effective law enforcement was necessary, and needed negotiation between all parties. The replication of the EU Forum at national level should be encouraged: the Republic of Ireland was already looking at this.

Helena Lindberg, Ministry of Justice in Sweden and Chairperson of the Police Co-operation Working Group (technical part), reinforced the importance of co-operation and the need for a Forum. There was also a need to take account of law enforcement requirements in the elaboration of Community law, since this would avoid the need for Member States to adopt differing legislation. In the area of interception, there was a need for law enforcement to clarify their requirements and to come forward with standard EU requirements. A non-standardised approach to these issues would create a difficult situation for industry.

Nigel Hickson, CBI, reiterated his concerns about the danger of incompatibility between the Council of Europe's work and the Commission's initiatives. There was a need for international coherence. Tung-Lai Margue (Chairman) pointed out that work was being done to achieve consistency between the results of the work of the CoE and the EU approach. However, relations between the EU Member States were more coherent, and so there was the possibility of going further than the draft Convention of the CoE, while bridging the differences.

Simon Watkins, UK Home Office, welcomed the Communication.
Much needed to be taken forward, particularly a common understanding of terminology. The Commission was in the middle of the balance that must be struck. There must be policy consistency between the various EU pillars involved in this issue. Tung-Lai Margue (Chairman) said that the Communication and the public hearing were an attempt to find that balance and consistency between the EU pillars.

Chief Superintendent Keith Akerman, UK Police and Chairman of the UK Internet Crime Forum, said that there was a real opportunity to be proactive by developing a predictive analysis of threats and developments. Co-operation and dialogue between all the actors could predict and prevent criminal activity: an example was the success in the UK of reducing car crime by law enforcement and the car industry working together. This needed to be done without causing market disadvantage to industry. He also asked whether the Article 29 Committee had consulted law enforcement in reaching all its recommendations on data protection in the law enforcement area. Tung-Lai Margue (Chairman) invited a response from a representative of the Article 29 Working Party. Marie-Helene Boulanger said that there were no direct discussions between the Working Party and law enforcement, but that the Working Party relied on its representatives to draw on consultations and experience at national level. Chief Superintendent Keith Akerman said this needed to be put right: the UK Internet Crime Forum had involved a senior representative of the UK Data Protection Commissioner in its discussions on these issues.

9. Closing remarks

Commissioner António Vitorino, responsible for Justice and Home Affairs, explained that the Communication attempted to bring together a coherent package of proposals to tackle the threat from cybercrime. The Commission's approach was based on finding an appropriate balance between three key interests:

(i) Law enforcement.
Law enforcement agencies needed the powers to be able to tackle cybercrime effectively. This involved the protection of victims of cybercrime, and the need to identify, locate, gather evidence on and prosecute those responsible. In the case of child pornography, a cybercrime investigation could very quickly become a "real-life" investigation into serious sexual and violent abuse of children. In the case of hacking or virus attacks, a successful and rapid conclusion to an investigation could help to prevent further economic damage from those responsible for producing viruses and carrying out hacking attacks.

(ii) Industry. Apart from the vital role of industry on network security and prevention issues, there was also a need to recognise that law enforcement requirements may place additional burdens on industry. Any such burdens should be kept to the minimum necessary.

(iii) Privacy. Law enforcement powers had implications for the fundamental right to privacy of users and consumers on the Internet. Any such intrusion must be limited to situations where it was necessary and proportionate.

The Commissioner explained why there was a need to make progress at EU level on approximation of high-tech crime offences by identifying specific legislative initiatives in this area. For offences of illegal content on the Internet, the Commission would apply the principle that there should be an equivalence between conduct off-line and conduct on-line. Retention of traffic data by service providers was recognised as one of the most difficult issues addressed in the Communication. The different interests were described. It was clear, however, that there was not yet a consensus on how to resolve this issue. For that reason, the Commission proposed that the issue should be addressed as a matter of priority through consultation with all interested parties within the framework of the EU Forum.
It was necessary to find appropriate, balanced and proportionate solutions which enabled cybercrime to be tackled effectively while fully respecting the fundamental rights to privacy and data protection. On the basis of the outcome of this work, the Commission would be able to assess the need for any legislative or non-legislative actions at EU level. The Commissioner ended by thanking all those who had contributed to the public hearing, and hoped that everyone present would be willing to play an equally active part in the EU Forum. It was hoped that the Forum would begin work in May, and would contribute towards finding appropriate solutions to the problems addressed by the hearing. Tung-Lai Margue (Chairman) closed the conference by thanking everyone once more for their helpful contributions, and asking for their continued support in the EU Forum.