Combating cybercrime is one of the top priorities of the European digital agenda. For the second time, Europol and Eurojust jointly presented a paper on “Common Challenges in Combating Cybercrime”. As an input to the political debate, it was sent to the Council on March, 13th, 2017. The paper is worth reading to get an overall picture of the challenges, law enforcement agencies in Europe are facing, when trying to deal with current cybercrime cases.
(1) Loss of data for law enforcement purposes
Not surprisingly, the law enforcement community suffers from the overturning of the data retention directive by the EU Court of Justice. Although some of the EU member states have data retention regulation still in effect or adjusted their regulation to the court decision (such as Germany), the 2014 decision has led to a fragmented retention policy in Europe. Especially for keeping track of cyber attacks, fighting online child sexual exploitation and combating payment card fraud, the absent of stored data impedes the work of police investigators. Furthermore, Eurojust and Europol recognize an increase of encrypted electronic data. More than three-quarters of EU cybercrime investigations have – to some extent – to deal with encrypted data. The growing number of providers implementing default encryption and the better availability and usability of encryption tools are seen as the major reasons for this development. According to the report, legislative measures to mitigate the encryption challenge have been taken only in a few number of member states. Similar to encrypted communication, virtual currencies pose a significant challenge to law enforcement. “Follow the money” as a standard means of criminal investigations is made more and more difficult by crypto currencies.
(2) Loss of location data
Encrypted messages and the use of anonymizers, payments with crypto currencies or the involvement of the Darknets have led to a growing lack of reliable information about the location of the perpetrator. Therefore, cooperation between law enforcement agencies across Europe has to be organized at early stages of investigations. Sometimes, competing claims to prosecution lead to bureaucratic burdens and time delays in law enforcement.
(3) Legal Framework Differences
While international cooperation is crucial to combatting cybercrime and international frameworks exist in general, the transposition of the existing legal frameworks to the domestic law of the member states differs considerably. Criminal cyber offenses are defined slightly different in the EU member states. Provisions to investigate cybercrime are not harmonized. Law enforcement agencies have to engage in time-consuming alignments of different domestic laws. One of the problems is the growing need for conducting online investigations, e.g. for underground criminal forum takedowns. There is a very limited consensus of EU member states on the legal framework required for online investigations.
(4) Public-private partnership obstacles
Different legal systems are also an obstacle for the cooperation between law enforcement and private companies. The relevant legal frameworks do not exist in all member states or vary strongly. Transparency obligations of the public agencies can make PPPs less promising. Data protection regulation complicates the necessary data transfers between private and public organizations. In particular, Europol and Eurojust point to the growing need for cooperation on the field of the Internet of Things, where the design of the systems often lack any security or privacy measures. Both agencies support EU policymakers to impose mandatory design requirements for IoT devices and a cybersecurity rules even for the consumer IoT market.
(5) Burdens for International Cooperation
The main instrument for law enforcement cooperation between member states is the process of Mutual Legal Assistance (MLT). Eurojust and Europol claim, that the MLT process is to slow for combatting cybercrime. They suggest a streamlining of the MLT process, for example by defining a common taxonomy for cybercrime.
(6) Law Enforcement’s Expertise Gap
The landscape of cyber threats is evolving quickly. A major issues of law enforcement agencies is to maintain the necessary expertise within the agencies. Law enforcement agencies are hiring in competition to big companies. The European agencies propose to increase European education and training capacities to meet the agencies’ growing demand.
Eurojust and Europol present a convincing analysis of the serious challenges, that European cybercrime investigators have to meet. Harmonizing the legal framework, facilitating the investigators’ ability to cooperate and taking firm steps to close the “expertise gap” are the major action fields for European policymakers.
Martin Schallbruch, 29. März 2017