Interview in SC Online

Een paar weken geleden werd een interview (.pdf) met mij afgenomen over de plannen van Opstelten m.b.t. cybersecurity. In het interview wordt ingegaan op de meldplicht ‘security breaches’ en de toekomstige rol van het Nationaal Cyber Security Centrum (NCSC). Daarbij plaats ik vraagtekens bij sommige voorstellen en roep ik op tot debat over o.a. de meldplicht en informatieuitwisseling bij het NCSC.

Vergeet niet dat een soortgelijke discussie over dit soort maatregelen ook (of wél?) in het buitenland plaatsvinden. Nog niet zo lang geleden was veel van doen over de Amerikaanse ‘Cyber Security Act’ die meer informatie-uitwisseling mogelijk zou moeten maken en de oprichting van een instantie die dat zou moeten faciliteren. Zie bijvoorbeeld deze Q&A op de website van de Electronic Frontier Foundation. Dat wetsvoorstel heeft het uiteindelijk niet gehaald door privacyzorgen en tegenstanders van meer bureaucratie.

Seminar: Investigating Cybercrime

On September 28 2012, eLaw@Leiden in cooperation with Fox-IT is hosting a seminar about cybercrime. The seminar will take place from 13.00-16.30 hours at the Leiden Observatory in Leiden.

Aim of the seminar

The aim of the seminar is to provide expert legal and criminological knowledge to the participants about cybercrime and raise awareness about the subject matter.
During the afternoon, various cybercrime experts will answer the following questions:
–           What are cybercrimes and how are they perpetrated?
–           How are cybercrimes criminalized?
–           What obstacles arise in investigating cybercrime cases?
–           Are remote searches by law enforcement authorities necessary?
–           What is the way forward in fighting cybercrime?

Program

12.30-13.00 hours:
Registration at the Leiden Observatory
13.00-13.15 hours: Introduction
13.15-14.00 hours: Keynote speech – Prof. Susan W. Brenner
14.00-14.45 hours: Speech – Prof. Bert-Jaap Koops
14.45-15.05 hours: Coffee and tea break
15.05-15.30 hours: Live hacking demo
15.30-16.15 hours: Speech – Mr. Lodewijk van Zwieten
16.15-16.30 hours: Questions and Answers

Speakers

Our keynote speaker for the afternoon is Susan W. Brenner from the University of Dayton. Professor Brenner is the author of various books in the field of cybercrime and
cybersecurity, such as Cybercrime: Criminal Threats from Cyberspace (Praeger, 2010) and Cyberthreats: The Emerging Fault Lines of the Nation State (Oxford University Press, 2009).

Our second speaker for the day is Bert-Jaap Koops from the University of Tilburg. Professor Koops is a highly regarded legal scholar in the field of cybercrime.
Also, the national public prosecutor in the field of High Tech Crime & Telecom, Lodewijk van Zwieten, will provide a presentation in which the legal aspects of a fictional criminal case are analyzed.

Registration and fee

Participation in the seminar is free of charge and all people with an interest in the legal and criminological aspects of cybercrime are invited. Afterwards there is the possibility to have drinks and network with the participants at Café Babbels in Leiden.
Due to a limited amount of room, only 50 people can participate, including a maximum of 10 students. At September 14 2012 we will let people know if they are selected.
Participants must register by emailing seminarcybercrimeleiden2012@gmail.com,
giving:
–           Your name and affiliation (company or institution).
–           Your motivation why you want to be chosen to participate in the seminar.

Address and travel directions

The address of the Leiden Observatory is:
Oude Sterrewacht
Sterrenwachtlaan 11
2311 GW Leiden

You can find travel directions at: law.leiden.edu/visitors/sterrewacht.html
We look forward to seeing you on September 28!
eLaw@Leiden and Fox-IT

Our government should provide statistics about online data collection

Three weeks ago (June 25, 2012) our state secretary of the ministry of Safety and Justice answered parliamentary questions about ‘wiretapping social media services and online privacy’. A parliamentary member repeatedly requested (four times in total) statistics about the use of ‘social media wiretaps’ in collecting evidence by law enforcement authorities. Once again the Dutch state secretary Mr. Teeven refused to provide these statistics, stating that it would harm criminal investigations and prosecutions. Our minister of Safety and Justice also refused to provide transparency about ‘social media
wiretaps’ last Sunday (August 12 2012), according to this article on the popular Dutch news website Nu.nl. In this blog post I will make several observations on the subject. First of all, I believe it is wrong to speak of ‘social media wiretaps’ and secondly, in my opinion, the government should provide these statistics.

Social media wiretaps?

The parliamentary member who sent the written questions to the cabinet members responsible assumed that communication via social media services can be wiretapped, just as public (electronic) telecommunication services can. This is however not the case, as an electronic communication provider is, legally speaking, different to an electronic public telecommunication service or network provider. Not all electronic communication
providers have to change their infrastructure to facilitate wiretapping, unlike public electronic telecommunication service providers. They do, however, have to comply with requests for the collection of data.

One of the most common grounds for data collection requests by law enforcement is the collection of user data or registration data on the basis of article 126na, 126nc or 126n of the Dutch Code of Criminal Procedure. For law enforcement officials it is possible to
collect all other data on the grounds of article 126nd of the Dutch Code of Criminal Procedure, except ‘sensitive data’ such as data about the religious beliefs or health of an individual and stored communication data. Another commonly used investigatory power is article 126ng(2) of the Dutch Code of Criminal Procedure by which stored communication data – such as ‘private messages’ that are sent from one person to another via social media services – can be collected by law enforcement authorities.

In sum, it is (so far) not possible to legally wiretap a social media service without its cooperation, although law enforcement authorities can request this type of data from social media services.

Transparency about online data collection

In my view data collection from online social media services and other communication providers will become an increasingly important investigatory power of law enforcement authorities. There are two important reasons for this. The first reason is that people use
more and more online communication services to communicate with each other. It is difficult to wiretap all these different services and sometimes it is not legally (and some say technically) possible to force these services to place a wiretap. The second reason is that encryption makes data over Internet wiretaps unreadable for law enforcement authorities. By having that data collected by communication service providers directly, law enforcement authorities can obtain the communication data anyway (this is described in more detail in my (Dutch) article (.pdf) about Internet wiretaps). Note that the same trend is developing overseas, for example in the United States. Read for example this paper on SSRN from Peter Swire.

For the past couple of years – and because of the asserted pressure of members of the parliament and civil rights movements – our government has provided statistics about the use of (Internet) wiretaps. Although these figures are often misinterpreted by the media, they do provide an insight into the use of investigatory powers by law enforcement and also a reason to request an explanation from the cabinet members responsible.
Because online data collection partly replaces the investigatory technique of wiretapping, I believe it is important and logical to provide statistics about the use of this investigatory power as well. I do not see how providing this statistical data would harm investigations. Such statistical data would only tell us how often these privacy infringing investigatory powers are used. Therefore in my opinion the cabinet member(s) responsible should try their best to provide more transparency about online data collection, rather than using weak arguments to support their refusals to provide statistics.

This blog post is a crosspost from Leiden Law Blog.