|G8 Conference on Cyber-Crime (2) : Internet is Not a Legal No-Man's Land |
G8 Conference on Cyber-Crime (2) : Internet is Not a Legal No-Man's Land
Source: G8 Conference on Cyber-Crime, Paris, May 15-17, 2000. Speech by French Ministry of the Interior Mr. Jean-Pierre Chevènement (Paris, May 13, 2000).
It is a pleasure for me to welcome you to Paris for this important meeting of G8 experts and representatives of over 130 companies from your respective countries. France is offering you its hospitality and this setting for your work, and is happy to assist the Japanese G8 Presidency in ensuring the success of the conference.
The events of the past few days have been an extremely timely reminder that the spectacular growth of the Internet and digital networks in general is not risk-free. We are getting to know more about the risks involved and the national efforts deployed by many countries to counter these risks, together with the many international discussions which have been going on for several years now, are proof that governments and the international community are taking very seriously the challenges our companies are facing as a result of the rapid spread of communication technology.
At our last meeting of the G8 Justice and Interior Ministers in Moscow last October, we sought to take further the work done by the experts in the Lyon group and asked them very specifically to prepare a new type of conference which would, for the first time, bring together a large number of companies working in the information technology and communication technology fields and government security and judicial authorities. Back in 1998, at the Birmingham summit of Heads of State and Government, it had become clear that any progress towards improving cyberspace security would be fruitless without very good cooperation between the security authorities and the private sector.
Because technology is moving so fast and new developments can radically alter whole swathes of public and private activity, very close consultation is essential.
The recommendations of the G8 Heads of State on consultation with the private sector were followed up in each of the G8 countries in 1998 and 1999, and it was normal for the next step to be to pool the work done separately in our own countries to give this public sector/private sector debate a vital international dimension. I am happy to see that today your work goes beyond the narrow framework of the G8, since representatives of the European Commission, Council of Europe, OECD, Interpol, Europol and many private international bodies and groups concerned with web security are also with us today.
There is no doubt that everyone must be able to benefit from the work already begun in the framework of the G8, a pioneer in this field. However, the global dimension of the Internet, with all its positive and negative developments, means that we have to involve as many people and organizations as possible the world over in this vast project. What would be the point of implementing our technical and legal solutions to the problems concerning us today, such as traceability, localization, the storage life of traffic data, mechanisms for mutual assistance in criminal matters and extradition, if those solutions were applied only to the group of the most highly industrialized countries in our world? This is a vital issue for my own country, to which I shall return.
Cybercrime 1) Cybercrime: what are we talking about?
As public authorities, experts and professionals working in IT, we have a duty to speak plainly. Internet users throughout the world - individuals, companies or States - must be quite clear about the problems they could encounter in cyberspace. In France, the police and Gendarmerie know that it is hard to register or even count all the offences. Among the documents handed to you, you will find a fact sheet on this important question highlighting the rapid rise in the number of criminal investigations. Even so, users do not always report the attacks or damage they have suffered to the police authorities. This is either because they think that the Internet is a legal no-man’s land and they have no way of obtaining justice or, as is the case of many businesses, they aren’t keen to disclose any difficulties they may have encountered, precisely because they don’t want to fuel concerns about the vulnerability of networks. Nevertheless, I can tell you that in 1999 our agencies registered over 2,500 cases involving the Internet in some way or another, but that this figure certainly fails to include all the offences committed, regardless of their gravity.
It is also very important not to lump all the different types of crime together. Recently there has been much talk in France about credit/debit-card security, confusing this with the Internet. In fact, most instances of the fraudulent use of these cards have nothing to do with the Internet: the fraudsters use the credit card slips which the customer throws away or leaves at the ATM hole in the wall. However, the microchip technology used by these cards seems for the time being to offer the highest degree of security and it could perhaps be used universally on computers to protect access to the Internet. This, I believe, will be one of the important points you will be discussing during this conference, and here the industry’s contribution is vital.
We are here to think about how to improve security on the Internet. The incidents we know about, both the conventional crimes now being committed using the Internet - with the web being no more than an efficient carrier on a par with the telephone or fax - and the new computer-specific crimes such as introducing viruses into computer systems or breaking into IT systems must be carefully analysed and identified. The spectacular nature of the "ILOVEYOU" virus or the past few months’ attacks against certain major American sites should not pressurise us into unduly hasty action. The subject is too complex for us to rush into decisions which don’t address the real problem, under the pressure of events which, albeit serious, all too easily take on an emotional dimension. We have to be aware of any faults/bugs in network security systems, but we must also get the problems into proportion and not create a psychosis leading us to take the wrong action on security. It’s the duty of governments and the industry to send a clear message: we are working together to find technical and legal solutions that will raise the levels of security and confidence in new technology. Cyberspace falls within the scope of legal rules which many countries have already defined. We are working to supplement them and make them easier to apply through new forms of international cooperation.
Spectacular episodes such as those we have experienced over the past few days, with which France has coped reasonably well, must not discourage users from continuing to use this extraordinary tool, the Internet.
Measures to combat Cybercrime
2) In France, we have adopted many measures.
I should like to return to what is a fairly prevalent idea in international public opinion: that the Internet is a lawless area, or that, because of its very nature, cyberspace calls for a specific legal system or a "cyber police force" going beyond the framework of individual nations and their sovereign responsibilities.
Nothing could be further from the truth. States retain their own responsibilities and power to act.
It clearly falls to sovereign States to find practical ways of addressing the problems, first at domestic level and then through international cooperation.
First of all, at the domestic level. In France the Government began giving thought to the problems some time ago. In 1998 it asked the Conseil d’Etat (highest administrative court) to state its views. The Council’s conclusions were clear: "all legislation applies to Internet users. (…) There is no law specific to the Internet and networks, and no need for one". The bulk of the offences committed are of the conventional type, and the Internet is merely a carrier. Other offences are computer-specific, and therefore call for new definitions in our criminal law, new rules and new methods of action.
The task of strengthening the instruments for tackling this crime is being addressed under the Government Action Program for the Information Society announced by the Prime Minister, in operation for two years now, to adapt France to changing technology. Some measures have already been taken to improve security and confidence in the Internet, such as the creation of a Central Information Systems Security Directorate, an interministerial agency, and CERT/A, an alert and help center providing support in the event of computer intrusion. The Gendarmerie, customs and national police are there to enforce the law. Among the cases recently cleared up, I could cite the one where a hacker broke into a university network and found out users’ passwords, thereby allowing a student to consult and make fraudulent use of fellow students’ theses stored on their hard disks. There was also the case where a member of a company’s staff copied its customer management software, passing it on to a rival firm. Here, the damage done to the company owning the rights to the software was assessed at 6 million francs. Then there was the "Trojan horse" installed by a young hacker in the computer of a medical practice, giving him access to its patients’ medical records. In all these cases, the offenders were identified as a result of technically complex investigations led by our central brigade responsible for enforcing the law on computer crime.
As the Prime Minister announced, a Central Office, established today by a decree (to be published in tomorrow’s Journal Officiel to mark the holding of our conference!), is now going to take overall charge of these criminal investigations. This Central Office to Fight IT-related Crime, an interministerial body set up within the DCPJ (Direction centrale de la police judiciaire - central directorate which conducts all major criminal investigations) will at the same time be the natural international partner for equivalent agencies abroad, and particularly for the network of contact points set up at the instigation of the December 1997 Washington G7 summit. Its creation will, of course, have to be accompanied by the recruitment and training of experts in these new technologies.
But you can’t enforce the law without identifying offenders and obtaining and preserving evidence. For Internet crimes, this raises the issue of the assistance the police must be able to expect from Internet operators, such as service providers, who hold and, where appropriate, store the customer and traffic data on which the "traceability" of messages depend.
It’s up to the enforcement agencies to consider these issues and it’s my job, as Interior Minister, to present them here, in what I know is a very open discussion on the common national and international rules we have to define.
Cyberspace & Personal Privacy
3) Of course, when doing this, our aim is to ensure a balance between the requirements of the law enforcement agencies and the obligation to guarantee respect for personal privacy.
Computers are increasingly invading every corner of our professional and private lives and soon their memories will be able to store every trace of even the most insignificant of our daily activities. This is a valuable asset in the fight against cybercrime, indeed against crime in general. But at the same time, how do we safeguard our privacy, prevent "profiles" being drawn up of each and every one of us which could be used by any salesman/woman wanting to hassle us, or by public or private, national or foreign agencies which could easily find out about our political ideas, religious or even sexual practices, consumption patterns and personal and business relationships?
We have to strike the right balance and ensure that the new technologies don’t become a universal instrument of control and enslavement.
In France, we attach enormous importance to this. Ever since 1978, the French Parliament has been aware of the dangers emerging with the progress of IT. The task of the National Commission on Computers and Civil Liberties (CNIL) is to ensure that no abuses occur. But we aren’t the only ones with these concerns: all the politicians in our countries committed to democratic values and respect for basic human rights have expressed their opinion about these societal issues. In every country, decisions must be taken to reconcile these different requirements and I imagine that identical discussions are going on in your respective countries to the ones we are having in France - and have had in the course of the preparation of this conference. It’s important for this conference to be a forum for a very broad debate where we will be able to talk both about the techniques for tracing and storing personal data and about the imperatives arising out of the need to protect personal privacy.
4) But what brings us together today is the need, perhaps the urgent need, to strengthen international cooperation.
Taking as our starting point the fact that communication networks are obviously governed by clear legal rules in all our countries and that, from the point of view of the law, cyberspace doesn’t exist, or at any rate isn’t a legal void, and that our countries’ domestic legislation recognizes the same IT-related offences, we now need to adapt to the imperatives of speed and effectiveness imposed on us by the new methods of committing crime. The G8 countries have already proposed and set up the network of contact points permitting instantaneous exchanges of information. It’s a tool which warrants being strengthened and expanded to include many more countries.
It’s obvious to us all that we can’t move away from the basic principles governing inter-State cooperation in investigations and the area of mutual legal assistance. Even if e-mail is used to access files on a suspect’s computer, the proper procedures have to be followed, judicial supervision is necessary and it’s inconceivable for investigations to be carried out directly in a foreign country without reference to that country’s authorities. So we have to think together about the ways we need to cooperate at a very practical level.
Now that the G8 has provided the impetus, it’s vital that we formalize the new legal rules and procedures for cooperation in a legal instrument applying world-wide. For France, the negotiations under way in the Council of Europe on a Convention on Cyber-Crime are of fundamental importance for several reasons. The draft currently under discussion defines the offences which all States would have to recognize. It goes on to propose ways in which they could cooperate, taking up, for example, the idea of national contact points. It also proposes extradition procedures. In short, this agreement is an essential instrument, which France wants to see concluded within a reasonable period of time. The important thing about these negotiations is that the countries involved include some major countries outside the Council of Europe and that, once signed, this convention will be opened for signature by all States wishing to accede to it. The idea is in fact to get a convention which applies world-wide so that there can be no more "digital havens" or "Internet havens" in which anyone wanting to engage in shady activities can find all the facilities they need, including financial ones, for laundering the product of their crimes. Since we must never lose sight of the fact that the Internet is a global system and that no country can isolate itself from the rules under which it has to operate.
Interpol We also think that we need to make the most of the existing structures for cooperation between our police forces. I’m referring to Interpol. This is a long-established, solid institution promoting cooperation between police forces which has a network of central national bureaux in 178 countries. These NCBs would be very well-placed to offer support for the national contact points proposed by the G8. It will very probably be necessary to make some changes in the way Interpol operates so that it can ensure round-the-clock monitoring of the NCBs and have at its disposal highly qualified technical personnel capable of reacting as fast as the cybercriminals. But I know that Interpol, like all intergovernmental organizations, will be able to adapt - indeed it is almost ten years ago now that a working group took up this issue, liaising in fact with the G8 network. It is, I think, the natural framework for institutionalizing and universalizing our operational cooperation.
EU For France, this approach to cybercrime must of course be reflected in a European initiative. The European Union has cooperation mechanisms in the spheres of Justice and Home Affairs. It will have to tackle these new types of crime. The European Commission is envisaging presenting a communication on this issue in the next few months and, during its presidency, France will energetically support the EU effort in this sphere.
Member States’ criminal investigations agencies must step up joint training and develop a common culture in the field of investigation techniques and the analysis of the threat. During its EU presidency, France is going to bring these agencies together, with the Commission’s support, in a seminar at Futuroscope in Poitiers from 13 to 17 November, in order to develop the technical procedures for investigating offences targeting computer systems or committed with the help of IT.
At the same time, there needs to be a greater exchange of operational information between these agencies: this is the role of Europol, whose jurisdiction in the sphere, currently confined to offences committed with the help of IT, should be extended to include those against the computer systems and networks themselves (piracy, etc.) - under the treaty establishing Europol, this requires only a Council decision.
Finally, France doesn’t believe international cooperation should be limited to the G8, European Union and Council of Europe countries, since it is risky to leave out countries which have great technological potential or might be transformed into "Internet havens". We would like the discussions widened to include other countries directly concerned by the development of IT (India, China, South Africa, Israel, central European countries, etc.).
5) Finally, and here lies both the origin and the originality of our meeting, the dialogue with the industry is crucial.
The massive presence at this conference of the world’s most important Internet firms shows that security is no longer a concern only of States. Among the companies represented here are firms offering technical solutions for increasing security and others which have been victim of criminal practice or which feel vulnerable. It’s by examining all our common problems from every possible angle that we will make headway. Obviously, we can’t base security solely on law enforcement. Prevention is fundamental and requires both rules drawn up together and what we call co-regulation, or cooperation in policing, which we very much want to see, since we can’t, as some envisage, rely entirely on self-regulation either. Many private groups present here have already done a great deal of work on what are technically very complex problems which also have an ethical dimension (I’m thinking in particular of incitement to racial hatred and child pornography). Moreover, the industry must give top priority to devising new ways of increasing security on the Internet and showing it’s ability to make individual or organized crime on the net increasingly risky and difficult. Firms have a decisive role to play in detecting cybercriminals’ new methods of operation and must assist the public authorities in sending out warning messages a soon as a threat is detected.
More broadly, we have to educate users. They must all understand what they can and can’t do on the Internet and be warned of the potential dangers. As use of the Internet grows, we’ll naturally have to step up our efforts in this respect. Teenagers will have to realize that, even though they are very gifted in IT, the jokes they can play on the Internet can be serious offences leading to a prison sentence. The Internet is no longer a toy.
There’s an economic side to this problem, given the cost to firms of holding massive stocks of data and to service providers of their possible contribution to the identification of offenders. Above all, it raises the issue of civil liberties, which I have talked about, and which has different aspects depending on whether we’re considering freedom of expression or the rights of ordinary consumers. We are meeting to study the practical forms this necessary "co-regulation" will have to take and compare our views on what is effective from the security point of view and acceptable from that of civil liberties.
I’m sure that if we firmly believe in a few sound and common-sense principles, we will be able calmly to confront all these threats which are clearly real, but must not lead us to go in directions at odds with our fundamental values. The solutions which will progressively have to be found and implemented will be the fruit of a close dialogue between the private sector and governments, of which this conference is a splendid illustration./.