FULL STUDY ( 68 pages) ACCESSIBLE HERE
Abstract : This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. With a number of high-profile criminal cases, such as ‘Silk Road’, cybercrime has been very much in the spotlight in recent years, both in Europe and elsewhere. While this study shows that cybercrime poses significant challenges for law enforcement, it also argues that the key cybercrime concern for law enforcement is legal rather than technical and technological. The study further underlines that the European Parliament is largely excluded from policy development in the field of cybercrime, impeding public scrutiny and accountability. AUTHOR(S): Dr. Ben Hayes, Dr. Julien Jeandesboz, Dr. Francesco Ragazzi, Dr. Stephanie Simon, and Prof. Valsamis Mitsilegas.
Cybercrime has become one of the key priorities for EU law enforcement agencies, as demonstrated by the establishment of the European Cybercrime Centre (EC3) in January 2013 and the development of specific European threat assessment reports in this field. High-profile criminal investigations such as the ‘Silk Road’ case, major data breaches or particularly nefarious hacks or malware attacks have been very much in the spotlight and widely reported in the media, prompting discussions and debates among policymakers and in law enforcement circles. Over the last few months, the cybercrime debate has specifically evolved around the issue of encryption and anonymisation.
In this context, this Study argues that debates on the law enforcement challenge of cybercrime in the EU should steer clear both of doomsday scenarios that overstate the problem and scepticism that understates it, and that the key cybercrime concern for law enforcement is legal in nature rather than simply technical and technological. Indeed, the Study finds that the key challenge for law enforcement is the lack of an effective legal framework for operational activities that guarantees the fundamental rights principles enshrined in EU primary and secondary law.
In order to address this core argument, this Study starts by analysing claims and controversies over the Internet ‘going dark’ on law enforcement (Section 2). It shows that these claims have been made for quite some time and should be considered as moral panics rather than accurate reflections of the challenges posed by cybercrime to law enforcement. Moreover, current controversies rehash older ones, conflating law enforcement concerns with intelligence-gathering and surveillance concerns. Without denying the fact that criminal activities do take place online, pose technical difficulties to law enforcement services and require the availability of specific capabilities, this section demonstrates that these difficulties do not impede criminal investigation to such an extent that exceptional means should be envisaged. While these technical aspects need to be considered, they raise issues related to policy and law rather than technology as such. The policy and law-related challenges are made greater by the fact that defining cybercrime is not an easy task. Very broad definitions have been adopted at the EU level, often leading to overlapping and sometimes conflicting mandates.
Section 3 thus analyses the institutional architecture of EU cybercrime policy. It shows that the complexity of cybercrime measures and the expansive mandates and number of actors involved in their implementation make it difficult to ascertain and circumscribe the full scope of EU cybercrime policy. Whereas the Council of Europe (CoE) sought to codify cybercrime powers into an international convention, much of the EU’s policy to fight cybercrime is based on non-legislative measures, including operational cooperation and ad hoc public-private partnerships. Furthermore, important distinctions and restrictions designed to ensure a ‘separation of powers’ between state agencies concerned with law enforcement (cyber-policing), civil protection (cybersecurity), national security (cyber-espionage) and military force (offensive cyber capabilities) are harder to distinguish in the area of cybercrime, at both national and EU level. Section 3 underlines that, within this complex architecture, and with the blurring of the boundaries between those responsible for policing the Internet, for gathering intelligence from it, for conducting cyber-espionage against foreign targets, and for ensuring the safety of critical internet infrastructure, the European Parliament and civil society are largely excluded from policy development, impeding public scrutiny and accountability. This compounds the EP’s existing problems in ensuring that fundamental rights and data protection are diligently protected in the area of justice and home affairs.
In light of these gaps in oversight and accountability, Section 4 analyses in particular the challenge of jurisdiction, cooperation and fundamental rights safeguards. This section argues that operational challenges in cybercrime law enforcement do not change the obligation of EU institutions and Member States to ensure the safeguarding of EU fundamental rights in any operating framework of internal or transnational cooperation in law enforcement and criminal justice. Cybercrime law enforcement frequently cites the challenge of accessing and transferring data through existing Mutual Legal Assistance agreements. Yet practices taken outside of established legal channels cannot guarantee rights protections and run the risk of raising mistrust in the general public, the private sector and in transatlantic relations. Furthermore, across the spectrum of cybercrime prevention, investigation, and prosecution, the particular geography of the digital environment is said to complicate the traditional territorial foundations of law. Law enforcement bodies make continuous reference to the ways in which traditional legal structures stand in the way of operations. However, an updated legal framework designed to overcome these challenges should foreground fundamental rights concerns, which are essential to ensure due process and a necessary condition for the successful prosecution of cybercriminal offences.
In light of these findings, the Study concludes with key recommendations for the European Parliament.
In particular, to ensure that the Parliament is not marginalised altogether with respect to the implementation and review of EU cybercrime policies by the exercise of delegated powers, EU agency discretion and non-legislative decision-making bodies, further monitoring of EU council structures, Europol and international cooperation agreements is required (Recommendation 1).
Moreover, the EP should ensure that the development of any cooperation/information-sharing framework guarantees the respect of fundamental rights (Recommendation 2).
In light of the current discussions on a revised CoE Cybercrime Convention, the European Parliament should, further, ensure that the Convention’s obligations are consistent with EU law and fundamental rights protections (Recommendation 3).
The EP must also ensure that cybercrime is not used as a justification to undermine new information security protocols and the right to privacy in telecommunications, both of which are fundamental components of the functioning of the Internet (Recommendation 4).
Finally, if European law enforcement agencies need to keep pace with technological change, it is imperative that training courses on cybercrime forensics and digital evidence include an applied fundamental rights component (Recommendation 5).