A European cybercrime breakthrough is good news but only half the battle

While the e-evidence framework is an important step, major differences with other parts of the world must be overcome to achieve real progress in the fight against cybercrime.

Expert comment
Published 9 February 2024 3 minute READ

Cybercrime is a global challenge on a massive scale. If cybercrime was a country, it would have one of the largest economies in the world. Statista estimates that the cost of cybercrime was $8.15 trillion in 2023. Meanwhile, 37 per cent of large companies in the UK say they have experienced cybercrime in the past year. Why is the cost of cybercrime so high? Because the first rule of cybercrime is that no one goes to prison.

Cybercriminals have reaped the benefits of a decade of virtual impunity largely due to the challenges of sharing data between law enforcement agencies who are working hard to police cyberspace within the constraints of real-world laws.

The first rule of cybercrime is that no one goes to prison.

The difficulty of sharing data between the US and EU has been a major contributor to this impunity. But things may finally be changing for the better. After an eight-year negotiation, the EU has adopted a new legal framework –known as the eEvidence Regulation – to enable the preservation and sharing of electronic evidence between US platforms and EU law enforcement, as well as between EU member states.

Sharing electronic evidence – or any data – between the US and EU is surprisingly difficult. And it is not just cybercrime: more than 80 per cent of criminal prosecutions, including murder, human trafficking and other ‘offline’ crimes, rely on electronic evidence. Most frequently, that data is held by platforms based in the US, such as Facebook, Google and Microsoft. 

EU member states and the US are close allies and like-minded democracies with a shared respect for the rule of law and human rights, but tensions have simmered since Edward Snowden’s revelations and have resulted in severely limited data sharing across the Atlantic. Of course, there is also the General Data Protection Regulation (GDPR) which introduced turnover-based fines and long-arm jurisdiction, adding to the complexity and tensions.

There are tensions in the domain name world too, particularly through the WHOIS, a free service that provides instant information about domain name registrations, including the name and address of the domain name holder or registrant. This issue has raged for over 20 years within the domain name system’s governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), swinging wildly between two extremes.

At first, human rights and data protection experts highlighted the risks to individuals whose name, address, phone and fax (yes, fax) numbers were exposed to the public without any opt-out. After GDPR came into force in 2018, all the personal data was redacted – for privacy reasons – to the dismay of public safety and brands.

WHOIS illustrates just how painful it can be to transition from voluntary systems to regulated frameworks. WHOIS began as a technical protocol but its unintended usefulness to brand protection and law enforcement led to private law contracts requiring registries and registrars to provide a public WHOIS service.

Beyond the contractual requirements, it was largely voluntary measures that made the whole thing function – like the ‘reveal’ for registration data hidden behind proxies, or the rapid takedown of bad domains where there was threat to life.

Despite the legal risks inherent in publishing personal data to the world, this system continued to function in Europe for two decades under the previous data protection framework. Even after GDPR was introduced, there were respectable opinions that WHOIS could stay: the data protection authorities had never levied fines against EU-based domain providers for publishing personal data under WHOIS; and regulations governing the .eu registry – overseen by the European Commission itself – specifically required public WHOIS provision.

But the risk calculus changed with GDPR. Faced with a new massive legal liability, companies simply dropped personal data from the service.

There is an obvious question to be asked: if everyone agrees on the need to share data to tackle real-world crimes, why has it proved so difficult to reach agreement and move forward? Eight years to negotiate the e-Evidence Act sounds like the worst kind of bureaucratic molasses.

Most people in the ICANN community agree on the fundamentals, but the WHOIS debates have descended into the worst kind of intractable family feud.

My years of volunteer work trying to break the 20-year stalemate on WHOIS within the ICANN community have given me some insights into why it has taken so long. It is, put simply, the narcissism of small differences.

The phrase, coined by Sigmund Freud, is the idea that the more a community shares commonalities, the more likely people in it are to fall out with one another because of hypersensitivity to minor differences. Most people in the ICANN community agree on the fundamentals, but the WHOIS debates have descended into the worst kind of intractable family feud.

The rule of law is hard. For democracies, respect for human rights is not an inconvenience but a necessity; an insurance policy. Safeguards and oversights need to be baked into the public safety apparatus at every level, and those mechanisms tend to be local, closely reflecting their society and culture.

Moving from the intensely local to the inherently international nature of the digital environment is difficult. It takes time, especially in democracies where respect for fundamental rights is integral.

Privacy laws are not going to go away, nor should they.

It has now been half a decade since the loss of WHOIS data and the grief experienced by law enforcement and brands shows no signs of abating. But resolve, it must. Privacy laws are not going to go away, nor should they. The only solution is to find a way to share evidence across borders in a way that respects rights – and that means the focus must fall on safeguards, oversight and due process.

Reaching agreement between EU member states in the e-evidence framework is an important step, and one that fits alongside other regulations and international agreements, such as the OECD principles, the Second Additional Protocol to the Budapest Convention and the NIS2 Directive.

content

The OECD process overcame a major roadblock between the EU and US on the form of oversight required to enable free flow of data. By emphasizing effective and impartial oversight of the relevant public safety bodies, the OECD principles create a results-based measure, rather than imposing one bloc’s preferred structure on others. This pragmatic approach could offer a way forward, at least between close allies like the EU and US.

But there is a wider problem. These are instruments between like-minded participants and many of the organized criminal gangs involved in cybercrime sit outside such frameworks, exploiting the limited geographical reach of the existing international agreements on cybercrime cooperation. Cybercrime is global in nature but criminal laws are still intensely local.

While like-minded people and nations are caught up in the narcissism of small differences, there are daunting differences, geopolitical competition and profound ideological clashes with other parts of the world that must be addressed to achieve real progress. At the current pace of resolution, cybercriminals can feel confident they will not be seeing a prison cell any time soon.