I'm, along with Steve Saxby, in snowy Freiburg at the moment attending a very interesting conference on the future of the Council of Europe Cybercrime Convention. It is advertised as a meeting of experts (about 15 of us). Especially in the later sessions I have the feeling that I am here under false pretences!

At first the focus was on substantive law and the specific offences laid down in the Convention. There was a lot of discussion of how the technology had moved on since the Convention was drafted. A couple of points which may be of interest. A lot of concern was expressed that trying to tie criminal provisions to telecommunications terminology no longer works. The notion of messages being in the course of communication (or not) is problematic. One issue which attracted a lot of attention is when and to what extent emails are protected legally against interception. Generally, once it has been read by the recipient a message is classed as being stored and (at least in continental legal systems) gets a lot less protection than when it is being communicated. As one person commented, in the age of the cloud, storage is merely a slow form of communication. In a slightly different context, there is evidence that criminals/terrorists are using email systems such as Google or Yahoo. Member one can post a message in draft format on the mail server. If member 2 (or 3 or 4 ...) can access the email box they can amend the message but in traditional terms there is no communication. But there is communication!

We considered also the need to harmonise the provisions of data protection and computer crime legislation. A linked topic was the suggestion that we need to extend data protection laws to include commercial data (as happens to some extent under the Communications Privacy Directive). This might give criminal law protection to things like trade secrets without having to wrestle with the thorny topic of whether data might be considered property. In the UK, and moving away from Freiburg, there is a very interesting High Court decision on the point - Fairstar v Adkins ([2012] EWHC 2952).

A good deal of time was spent on the topic of copyright law. Perhaps surprisingly, there was little support for copyright owners' attempts to involve the criminal law. We had a senior German policeman present and he indicated that the German police were not interested in acting against ordinary users. He recounted a tale of one copyright owner who, with the aid of dishonest lawyers, actually uploaded materials to a file sharing web site and then got the lawyer to demand money with menaces from individuals who had downloaded materials.

Day one saw a bit of momentum for (limited) changes to the Convention. At the start of day 2 we heard from a senior Council of Europe person who spoke in some detail about the problems any attempt to make changes would face. What the Council are planning is to make more use of Guidance Notes. There were, he considered (and those of us from the UK will know the truth of his comments), too many misunderstandings by police, prosecutors and judges as to what the legislation means. The criminality of denial of service attacks was an example he gave. In addition, there might be more protocols attached to the Convention although the basic instrument is likely to remain unchanged. A number of new countries (including Japan) have now ratified the Convention and more are in the pipeline.

The focus of the second day was on procedural issues and we started with a discussion about transborder issues. If police in England execute a search warrant and find a computer with a link to an email account in the United States, can they access it? The general consensus was that laws were rather vague but that law enforcement agencies would access data unless they knew that it was held outside their jurisdiction. A difficult test! There are tensions in the field. We talk much about cyber terrorism and it got publicity in the UK last week with the publication of a Ministerial statement on the working of the UK's cyber terrorism strategy. All countries need to build defences against such attacks but the danger or difficulty is that attempts to pre-empt attacks may involve accessing sites on foreign territories. The analogy was drawn with sending troops into foreign territories to rescue citizens being held hostage. Politically risky if done without the knowledge and consent of the territory in question.

Perhaps not surprisingly but rather depressingly, there was little confidence in cross border cooperation between law enforcement agencies and aspects of the session had me first baffled by some of the technologies that scientific experts were talking about but also with the feeling that only clever criminals have any real expectation of privacy in the modern world. Encryption poses real challenges to law enforcement and the only real solution identified was to attack suspected computers at source - before data was encrypted for transmission. Again, arrangements for intercepting communications have become more complex in recent years and again the point came over that there was too much reliance on telecommunications terminology. Can Skype be required to maintain a capability to intercept communications at the behest of law enforcement?

I have to say that I can only hope that I have given an accurate account of the procedural discussions. There were times when, although all the sessions were conducted in English, I could have benefited from simultaneous translation of the technologies.

All in all, a fascinating 2 and a half days (and rather long days). I certainly learned a lot (and also found an Irish pub to watch the Celtic Champions League game) but suspect we are still at the stage which does make IT law both fascinating and frustrating. We are increasingly aware that old models are not working but are not sure what can replace them. In a networked world we need global solutions but as we can see in the Euro crisis, this is not easy to achieve even at a regional level. The Council of Europe Convention is achieving success in being ratified but it is very general in its provisions, especially at the procedural level.

Hopefully I will be able to post more formal minutes of the meeting in a month or so. In the meantime, maybe this account will be of interest in showing the possible form of future developments.

I agree completely about the challenges of interception at the moment — it's posing me not inconsiderable problems in my employed life, along with the more general issue of law enforcement assistance and communications, in terms of data retention / access to retained data and the like.
Off to Westminster today to discuss this, and try to make life a little easier...