A European Cybercrime Breakthrough Is Only Half The Battle

Cybercrime is a global challenge on a massive scale. If cybercrime were a country, it would have one of the largest economies in the world. Statista estimates that the cost of cybercrime was $8.15 trillion in 2023. Meanwhile, 37 per cent of large companies in the UK say they have experienced cybercrime in the past year.

Why is the cost of cybercrime so high? Because the first rule of cybercrime is that no one goes to prison.

Cybercriminals have reaped the benefits of a decade of virtual impunity, largely because of the difficulty of sharing data between law enforcement agencies that are working hard to police cyberspace within the constraints of real-world laws.

The difficulty of sharing data between the US and EU has been a major contributor to this impunity. But things may finally be changing for the better. After an eight-year negotiation, the EU has adopted a new legal framework, known as the e-Evidence Regulation, to enable the preservation and sharing of electronic evidence between US platforms and EU law enforcement, as well as between EU member states.

Sharing electronic evidence – or any data – between the US and EU is surprisingly difficult. And it is not just cybercrime: more than 80 per cent of criminal prosecutions, including murder, human trafficking and other ‘offline’ crimes, rely on electronic evidence.

Most frequently, that data is held by platforms based in the US, such as Facebook, Google and Microsoft.

EU member states and the US are close allies and like-minded democracies with a shared respect for the rule of law and human rights, but tensions have simmered since Edward Snowden’s revelations and have resulted in severely limited data sharing across the Atlantic. Of course, there is also the General Data Protection Regulation (GDPR), which introduced turnover-based fines and long-arm jurisdiction, adding to the complexity and tensions.

There are tensions in the domain name world too, particularly over WHOIS, a free service that provides instant information about domain name registrations, including the name and address of the domain name holder or registrant. This issue has raged for over 20 years within the domain name system’s governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), swinging wildly between two extremes.

At first, human rights and data protection experts highlighted the risks to individuals whose name, address, phone and fax (yes, fax) numbers were exposed to the public without any opt-out. After GDPR came into force in 2018, all the personal data was redacted – for privacy reasons – to the dismay of public safety and brands.

WHOIS illustrates just how painful it can be to transition from voluntary systems to regulated frameworks.

WHOIS began as a technical protocol but its unintended usefulness to brand protection and law enforcement led to private law contracts requiring registries and registrars to provide a public WHOIS service.

Beyond the contractual requirements, it was largely voluntary measures that made the whole thing function – like the ‘reveal’ for registration data hidden behind proxies, or the rapid takedown of bad domains where there was threat to life.

Despite the legal risks inherent in publishing personal data to the world, this system continued to function in Europe for two decades under the previous data protection framework. Even after GDPR was introduced, there were respectable opinions that WHOIS could stay: the data protection authorities had never levied fines against EU-based domain providers for publishing personal data under WHOIS, and the regulations governing the .eu registry, overseen by the European Commission itself, specifically required public WHOIS provision.

But the risk calculus changed with GDPR. Faced with a new massive legal liability, companies simply dropped personal data from the service.

There is an obvious question to be asked: if everyone agrees on the need to share data to tackle real-world crimes, why has it proved so difficult to reach agreement and move forward? Eight years to negotiate the e-Evidence Regulation sounds like the worst kind of bureaucratic molasses.

My years of volunteer work trying to break the 20-year stalemate on WHOIS within the ICANN community have given me some insights into why it has taken so long. It is, put simply, the narcissism of small differences.

The phrase, coined by Sigmund Freud, is the idea that the more a community shares commonalities, the more likely people in it are to fall out with one another because of hypersensitivity to minor differences. Most people in the ICANN community agree on the fundamentals, but the WHOIS debates have descended into the worst kind of intractable family feud.

The rule of law is hard. For democracies, respect for human rights is not an inconvenience but a necessity, an insurance policy. Safeguards and oversight need to be baked into the public safety apparatus at every level, and those mechanisms tend to be local, closely reflecting their society and culture.

Moving from the intensely local to the inherently international nature of the digital environment is difficult. It takes time, especially in democracies where respect for fundamental rights is integral.

It has now been half a decade since the loss of WHOIS data, and the grief experienced by law enforcement and brands shows no signs of abating. But resolve it must. Privacy laws are not going to go away, nor should they. The only solution is to find a way to share evidence across borders in a way that respects rights, and that means the focus must fall on safeguards, oversight and due process.

Reaching agreement between EU member states on the e-Evidence framework is an important step, and one that fits alongside other regulations and international agreements, such as the OECD principles, the Second Additional Protocol to the Budapest Convention and the NIS2 Directive.

The OECD process overcame a major roadblock between the EU and US on the form of oversight required to enable free flow of data. By emphasizing effective and impartial oversight of the relevant public safety bodies, the OECD principles create a results-based measure, rather than imposing one bloc’s preferred structure on others. This pragmatic approach could offer a way forward, at least between close allies like the EU and US.

But there is a wider problem. These are instruments between like-minded participants and many of the organized criminal gangs involved in cybercrime sit outside such frameworks, exploiting the limited geographical reach of the existing international agreements on cybercrime cooperation. Cybercrime is global in nature but criminal laws are still intensely local.

While like-minded people and nations are caught up in the narcissism of small differences, there are daunting differences, geopolitical competition and profound ideological clashes with other parts of the world that must be addressed to achieve real progress.

At the current pace of resolution, cybercriminals can feel confident they will not be seeing a prison cell any time soon.

Emily Taylor is Associate Fellow, International Security Programme at Chatham House.
