The EU Commission proposal for a directive on cybercrime (2010/0273), which we discussed in a previous post, is currently waiting for its first reading by the Parliament, probably in July 2012. Meanwhile it was the subject of a hearing by the LIBE Commission on Civil Liberties, Justice and Home Affairs. LIBE heard different points of view on the text, coming from the public sector, the private sector, research bodies and interest groups. This resulted in a legislative resolution introducing several important amendments to the original text.
The proposed modifications to the original text can be grouped into four broad subjects: the involvement of ENISA and more European cooperation; cooperation with the private sector on cybercrime prevention at the European level, mainly through the adoption of common standards, both technical and legal; a few points that aggravate the means for preventing criminal offences; and many improvements from the point of view of individual rights and liberties in their balance vis-a-vis legislative tools for law enforcement.
In the directive recital an explicit reference is introduced to specialised agencies of the Union among the subjects charged with cooperating in approximating member states’ criminal laws. Consistent with this, an amendment to Article 15 now includes ENISA, alongside the Commission and Europol, among the organisations to which member states shall transmit crime and police activity statistics “for the purpose of conducting threat assessment and strategic analyses of cybercrime”, in accordance with the Regulation establishing ENISA.
Amendment 8 follows, urging Europol to “host a European platform which will be the point of convergence of national platforms and will have as its purpose, inter alia, to collect and centralise information about offences noted on the Internet. This should include information about perpetrators and their modus operandi”. This formulation is quite vague and open-ended: from a privacy point of view we can only hope that only information about convicted perpetrators and adjudicated offences will be included, but that cannot be guaranteed. And what about the right to be forgotten? For how long will the information, even on convicted perpetrators, be kept in the database, and for which types of offences?
Amendment 2 introduces a new paragraph in the recital, point 2, singling out attacks on critical infrastructures (among attacks on information systems in general) as vital for security (and safety), particularly because of their “significant cross-border impacts”, given the high degree of interdependence among states. Obviously this explicit reference includes a call for stronger transnational cooperation.
Two amendments (15 and 16) introduce new points in the recital regarding the training of the actors involved in various ways in combating cybercrime. New point 13a (again in the recital) invites the Commission and the member states to provide adequate training to law enforcement agencies in combating cybercrime and to facilitate cooperation and the exchange of good practices, for instance via the European Judicial Network, Europol and Eurojust. Amendment 16 underlines that training should raise awareness of the differences in national legal systems among members.
Security standards for public and private organizations
This second group of amendments aims to underline the importance of standardisation in the cybersecurity field. This applies both to the technical and the legal side: all stakeholders managing data and information, public and private alike, should be involved and should adopt common standards.
Amendment 5 refines recital point 9, which defines the “tools” (hardware and software) used to attack information systems, specifying that tools are not the only possibility for an attacker and that, in that context, a Union-wide strategy for standardisation should be continued and intensified, in particular for cloud systems. This strategy should include both technical standards and a common legal framework. This is very important; it would have been useful, though, to mention the national standardisation bodies and the European organisations that bring them together, like CEN and CENELEC, as important actors in this process. They seem to be the natural candidates to implement such a strategy. At ISO level a guideline on cybersecurity already exists (ISO/IEC 27032), together with guidelines on digital evidence management and of course on the management of the security of an information system (ISO/IEC 27001). New guidelines are also under development specifically for cloud computing (ISO/IEC 27017 and 27018). A Cybersecurity Coordination Group was established in late 2011, including members from national bodies, CEN, ETSI, ENISA, the Commission and the Parliament (of which the author is a member), and that also seems to be a natural candidate to help implement standardisation strategies.
Amendment 9 also introduces new wording in the recital (12b), making explicit the need to improve the resilience of information systems. In this context, the development and adoption of common standards should be encouraged, because repression by penal law is seen as the extrema ratio against cyberattacks, whereas standards improve their prevention.
Point 12c, introduced by amendment 10, recommends that member states protect their information systems and data at least at a “reasonable” level.
Amendment 11 completes the new point 12 with paragraph 12d, inviting member states to introduce legislation obliging legal persons to protect the personal data in their possession from cybercrime. Levels of protection should be reasonable and the consequent cost proportionate to the likely level of damage (a.k.a. “risk”). So we see that the principles of, for instance, ISO 27001, with its risk-based approach, are endorsed here.
We will see shortly that, taken together, the proposed amendments move towards a better balance between public tools for crime prevention and individuals’ rights; some critical points remain, however.
Amendment 6 introduces the concept that the use, albeit only when “intentional” and “without rights”, of software “designed to remove evidence” should be punished as an offence in itself. This refers to so-called “anti-forensics” software, such as secure file erasers. These tools are not included in the definition of “tools” used in the text and can also be used for very legitimate purposes, e.g. protecting a citizen’s privacy. There is a danger of introducing legislation that punishes the legitimate use of such tools.
Amendments 12 and 13 follow on from the concept of compulsory cooperation with law enforcement agencies imposed on ISPs, to the point of shutting down “illegal” services or systems. It is not clear whether this happens before or after a trial, or whether it is purely on a law enforcement request. Furthermore, member states “[..] should define the cases in which the failure to act [not collaborate] should constitute a criminal behaviour by itself.” It is true that the text introduced explicitly considers the rule of law, the rights of the suspect and the presumption of innocence, but the text is prone to abuse, in the light of recent trends in legislation and sentencing towards restrictions on Internet use and “crime prevention”. Amendment 31 reiterates the concept of cooperation with ISPs and software houses, albeit in accordance with data protection laws.
A better balance of rights
Several of the proposed amendments mitigate some critical formulations of the original text which could have been used to undermine individual rights and privacy, even if for the purpose of offence prevention. Amendment 22 in particular deletes the mere possession of tools (software) from the list of criminal offences that should be punishable, closing a dangerous gap. With the prior formulation, information security practitioners and researchers, and users in general, would have been exposed to penal sanctions just for “possessing” a tool, when it is widely recognised that most if not all software can have a “dual use” (just like a knife…).
Amendment 23 goes on to eliminate Article 7’s reference to devices as means for criminal activity, given that “device” is not clearly defined and could lead to uncertainty. So only a reference to “computer programmes” is left, and those should be “clearly” designed for illegal purposes, not only “primarily”, thereby limiting overly repressive interpretations and completing the modifications made by the previous amendment to this critical article.
The expression “without rights”, defined in Article 2, is modified by amendment 17 with the inclusion of the provision that it means access, use (added), or interference [with information systems] not authorised by the owner “in as much as the withholding of such authorisation does not constitute an abuse of rights by itself…”. The justification (“The free flow of information must not be restricted”) explicitly mentions the case in which denial of access goes against other important rights, such as the right to freedom of information.
A couple of amendments concern themselves with a better specification of the expression “minor cases”, present in the original text, meaning the cases in which the offences covered by the directive should not be punished by national legislation. A clear definition was lacking, though, and amendment 18 introduces one, adding it to Article 2. The definition given covers cases in which the damage and/or the risk to public or private interests is “insignificant”, or in which the imposition of criminal liability is not necessary. Amendment 21 introduces the exclusion of minor cases in Article 6 (“Illegal interception”), where it was strangely absent.
For reasons of clarity a definition of “Critical infrastructure” is added.
Amendment 20 modifies Article 3 (“Illegal access to information systems”), allowing each member state to decide that the conduct is punishable only “if committed by infringing a security measure”.
Wisely, amendment 33 includes a formulation whereby the Commission, when submitting its periodic report on the application of the Directive, shall take into account technical and legal developments in the field of cybercrime.
Overall the balance is positive: most of the amendments go in the direction of better preserving individuals’ rights and liberties, balancing them better against the necessities of crime prevention and repression. The worst defects of the original text from this point of view have been corrected; clarifications and definitions that were lacking have been introduced. We will have to see what happens in the reading by the Parliament, probably in July 2012, and most of all how the member states will adapt their legislation to the directive.