Monday, 14 September 2009, 16.15 – 17.45

 

 

What are the current issues in cyber security and cybercrime? How to build effective public-private partnerships to meet new and emerging threats? How do we increase robustness while, at the same time, limiting the impact of stress on IT infrastructure, services and users? What has to be done on global, what on regional and national level? How can we assure that privacy and freedom of expression are respected while security is encanced at the same time?
 

 

 

Facilitator: Marco Gercke, University of Cologne, DE
Filippa de Laval, Ung Media, SE 
Yuliya Moronets, TAC-Together against Cybercrime, FR
Michael Rotert, EuroISPA, DE
Christina Schulman, Council of Europe, FR
Alexander Seger, Council of Europe, FR

 

 

 

 

 

 

 

John Carr, European NGO Alliance for Child Safety Online, UK
Andrea Kolb, Minister of Justice of Saxony Anhalt, DE

Alexander Seger, Council of Europe, FR

 

 

  

 

 

The session started with an introduction from Marco Gercke, who passed the session to Alun Michael MP as the main moderator. It had been decided beforehand that there would be three sessions within the workshop period.

John Carr introduced the first theme on Prevention of Crime which he illustrated by reference to child protection. He explained the UK approach to the blocking of child abuse sites and stressed that there was a focus on the illegal content and that protected “innocent sites”. Not all blocking schemes achieved this. Blocking was done by the industry against a list notification and was therefore open to judicial challenge. Most people were agreed that child abuse – which is in itself illegal – was an appropriate subject for intervention and blocking was not the subject of controversy. Other issues tended to be more controversial and did not command the same consensus – blocking was not necessarily an approach to be considered in other cases.

The moderator asked members of the audience to respond in a word or a sentence by indicating what other issues they believed to be priorities for action and/or intervention. The issues raised included phishing, hotlines, malware, botnets and criminal money on the internet. The moderator expressed a some surprise that participants had been slow to respond – if the “Internet Community” was not quick to identify issues of crime and nuisance behaviour on the internet (bullying, libel, interference with freedom of speech, identity theft, fraud and issues that undermine public confidence) in order to seek consensus on appropriate and proportionate responses, they should not be surprised if public concern leads to parliamentarians and governments feeling under pressure to legislate. The response to online activities that might already be illegal offline might require a different approach online – though that which is illegal offline is generally illegal online. Proportionality was essential. Laws rarely prevent what they forbid and the preferable approach was for the Industry and users to “design out crime”. There was general agreement that strategies to fight cybercrime were needed and that they should be consistent with democratic principles, respect for human life and the rule of law.

Alexander Seger (Council of Europe) introduced the second theme of Data protection vs authentication to enhance security. He pointed at threats to privacy and personal data as a threat to democracy and fundamental rights. Challenges in this respect are enhanced by new technological developments (cloud computing, IPv6, DNSSEC etc). At the same time, cybercrime is a major threat, and the anonymity of criminals and the lack of traceability of cyberattacks are key problems in this respect. Authentication policies will therefore be inevitable. In order to avoid such policies from further undermining privacy and the protection of personal data, he proposed that:
• Measures against cybercrime are taken on the basis of existing treaties, in particular the Conventions on Cybercrime and on the Protection of Children against sexual exploitation and sexual abuse
• Global trusted privacy and data protection policies and systems are established, for example on the basis of the Council of Europe Convention on data protection (CETS 108)
• Trusted authentication systems are put in place with privacy guarantees.

Michael Rotert (EuroIspa) introduced the third theme of New technology – new threats? He touched on the potential impact of new technology such as cloud computing, IPv6, DNS SEC, Web 3.0 on issues of cybercrime and cybersecurity and referred to their capacity also to provide potential solutions. A final contribution was given by Prof Angela Kolb who is Justice Minister for Saxony Anhalt in Germany.

In concluding the session Alun Michael stressed the lessons learned from both legislation and crime prevention in the traditional “offline” world.
(a) There was a need to be creative in framing appropriate and proportionate responses,
(b) The best approaches started by involving users and those who understand the environment and/or technology relevant to the problem, and
(c) above all it was best to start by understanding the problem and sharing perspectives with all stakeholders.
Obvious though that might seem, it was not usually the way that intervention or legislation was generally approached. He stressed the challenge of developing a new model, of “co-operative regulation” (or stakeholder regulation – mentioned from the floor in discussion as a specific challenge for the Internet). There should not be an assumption that an approach that worked in one context – for example the blocking of child abuse sites – would work in another context, and there should be proper analysis and research to show whether interventions had successfully dealt with the problems they were intended to address. Principles already agreed - for example through Council of Europe Conventions - should be applied wherever possible rather than developing new or narrower legislative approaches.