Information Policy

By Dean Carroll

In May of last year, Europol director Rob Wainwright told PublicServiceEurope.com how he hoped that the new European Cyber crime Centre – with an annual budget of €3.6m and 30 staff - would fall under his agency's remit. "I think it should, frankly, because the vision for this is very much in keeping with what we have here," he said. "We have a cyber-crime capability already and if that was boosted by the establishment of this new centre at our headquarters, then we have the ideal home ready for this. Europol has the architecture, the IT capabilities, the professional analysts and forensic experts that are able to crack major cases." Well, Europe's most powerful cop got his wish and today the European Commission has revealed – after three years of deliberation - comprehensive plans for the new centre, likely to be in operation from January 2013.

So is there really a need for such a huge cross-border operation to tackle cyber crime that will, in the opaque lexicon of the European Commission "fuse information from open sources, private industry, police and academia"? Clearly, Wainwright believes there is. He claimed that the centre "could achieve a great deal through focusing on the most significant cyber criminals out there and by developing cutting-edge capabilities to support frontline policing operations", adding: "It could also develop a community platform for enlisting support, joining up law enforcement, the academic world, industry - if not, the public at large - in a more integrated way to fight crime, including by reporting things online.

"The expansion of internet and mobile technologies makes the threat from cybercrime even more multi-dimensional. It targets citizens, businesses as well as governments and because of its non-conformity with traditional national boundaries and penal codes - it calls for a coordinated response. Our concern is also rising in terms of changes in the illegal drugs market, especially with the expansion of synthetic drugs and the emergence of so-called legal highs. Identity theft is also an emerging problem. Identity itself has become a criminal commodity that is bought and sold. It holds the key for criminal groups to carry out major fraud operations. These groups are recruiting hackers in their early twenties, who are developing the malware deployed to steal the identities of consumers – which is then sometimes used to target the individual's own bank account, but also to create new identities to conduct benefit fraud and VAT fraud. This cycle in the underground economy is then completed when the proceeds of these fraudulent operations are even laundered online through virtual payment systems."

But beyond Europol's public relations charm offensive – what are the facts? Well, we know that more than one million people are victims of cyber crime every day and that 73 per cent of European households are now online. And the commission predicts that cybercrime is likely to become more profitable than the global trade in marijuana, cocaine and heroin combined. Many of us use e-banking, online shopping and social networks – major targets for cyber criminals. Organised crime gangs sell credit card details for as little as €1 per shot. And bank account credentials go for just €60. In addition, some 600,000 Facebook accounts are blocked on a daily basis by hackers. We know that there are thought to be 150,000 viruses and other types of malicious code in existence. And in 2009, around 148,000 computers were compromised every day – according to Europol. In fact, anti-virus company Norton puts the annual global cost of cyber-crime at somewhere between $114bn and $388bn.

European Commissioner for Home Affairs Cecilia Malmström says: "Millions of Europeans use the internet for home banking, online shopping and planning holidays, or to stay in touch with family and friends via online social networks. But as the online part of our everyday lives grows, organised crime is following suit - and these crimes affect each and every one of us. We can't let cybercriminals disrupt our digital lives. The centre will become a hub for cooperation in defending an internet that is free, open and safe. Cyber crime spreads fear; it erodes confidence. Lots of the best brains will now come together to identify the main offenders in cyberspace. But the centre will not hunt individual file sharers; it will focus on severe cyber crime only. Some member states are quite advanced on this and others have to do more."

In addition to the new centre, there are moves in the European Parliament to make hacking a criminal offence punishable by at least two years in prison. Where there are "aggravating circumstances" or large-scale botnet attacks, the sentence could jump to five years. European Union institutions themselves have faced a number of such attacks over the last 12 months. And MEPs are keen to learn the lessons from the crippling attacks on Estonia and Lithuania four years ago that left governments and industry temporarily paralysed by "zombie" infected-computers.

But while politicians, police and officials in the EU and across member states will see tougher sentences and the creation of the cyber-crime centre as desirable and necessary, critics will see this new direction of travel as at best a 'snooper's charter' and at worst an attack on freedom of speech. Indeed, we are being asked to trust the unelected agency Europol with more of our data when the authorities are telling us that the said data is a valuable commodity to criminals. When asked previously about the huge amounts of personal data on citizens that Europol stores and the alleged lack of democratic accountability linking the organisation to the appropriate political checks and balances. Wainwright insisted he had been a champion of increased scrutiny since taking on the role of director four years ago. "The transformation has really brought us into centre stage in the security architecture of the EU and, by default, given scrutiny power over us to the European Parliament," he claimed. "I am a much more regular visitor to the parliament than my predecessor was. For any policing agency, democratic accountability is very important. Europol has unique responsibilities in this regard because we collect so much personal data about the private lives of citizens in Europe and we don't hide that fact. We do it in a highly-responsible way.

"I have been working in the policing and security fields for more than 20 years and the data-protection framework we have at Europol is certainly the most robust that I have ever experienced. We collect, use and store that data according to very tightly-defined criteria, which is regularly inspected by a fully-independent external organisation called the Joint Supervisory Body – formed of government data protection specialists from the 27 member states – to make sure we don't abuse the system. They have access to all of our material so we are very conscious of the fact that we must handle personal data in a very careful way as well as providing accountability and transparency before national governments as well as the EP. In the future, I think that EP scrutiny of the agency will increase and I would welcome that. It's about creating a more open Europol – although, clearly we have to keep some of our techniques and intelligence close to our chest. But we are a responsible police agency, acting in a responsible way with a very clear purpose to protect the citizens of Europe from very dangerous threats."

So there you have it, the EU is now entering a new frontier in the fight against cyber crime. We can only hope that the promises from the commissioner that Europol will target only "severe cyber crime" rather than using intrusive surveillance on ordinary citizens is one that is kept. Otherwise, there is likely to be yet another public backlash against the union - especially, among the Eurosceptics out there that see it as a remote, unelected super-state. It is time to deliver on your fine words Mr Wainwright.