MINUTES OF THE EXPERT MEETING ON

APPROXIMATION OF CRIMINAL LAW FOR

ATTACKS AGAINST COMPUTER / INFORMATION SYSTEMS

OF 25 JUNE 2001

These are the minutes of an informal expert meeting prepared by the Commission services (Directorate-General for Justice and Home Affairs, and the Directorate-General for the Information Society), and should not be taken to represent a formal position or opinion of the European Commission. Any further comments on the issues raised in the expert meeting should be sent via e-mail to the European Commission by 9 September 2001 please.

SUMMARY

As announced in the Commission’s Communication "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime" (COM 2000 890), available at /information_society/topics/telecoms/internet/crime/index_en.htm, the European Commission will shortly propose a Council Framework Decision under Title VI of the Treaty on European Union to approximate criminal law in the area of attacks against computer/information systems. In particular, the proposal will address criminal law dealing with hacking, denial of service and virus attacks.

The purpose of the expert meeting was listen to the views of the experts on the questions set out below and hence to assist the preparation of the Framework Decision.

Issues like Intellectual Property Rights (IPR) violations or unlawful access to / disclosure of personal data will as such not be included in the scope of the proposal. These are important issues, but they are covered by existing European Community legislation. Any approximation of criminal law in these areas will need to be considered in the framework of European Community law, and requires a different legal basis than the forthcoming Framework Decision, which will be based on Title VI of the Treaty on European Union.

In addition to general comments about this proposal, the expert meeting was asked for its views on the following specific issues:

(1) definitions. Are the definitions described below appropriate, precise, technology neutral and legally effective? Should the Framework Decision refer to computer systems or information systems? Do the definitions correspond to the current industry practice, technical reality and the perceived future development of computer networks and services? In particular, does the proposed approach to using the term "authorised person" adequately exempt important and legitimate activities from the scope of criminalisation such as the legitimate actions of users and network managers?

(2) intent. Should there be a definition of intent that limits it to "specific intent", combined with the notion that such intent does not need to be directed at a specific system?

 

(3) illegal access. Should the European Union adopt the principle that unauthorised access to a protected system is a criminal offence? Are any of the reservation possibilities included in the draft Council of Europe Convention necessary for approximation at the level of the European Union?

(4) interference with computer/information systems. Is it the right approach for the European Union to adopt the principle that the hindering or interruption, without authorisation, of the functioning of a computer/information system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data should be a criminal offence? Does this offence need to be subject to a "serious hindering" test? Does this offence adequately cover so-called "denial of service" attacks?

(5) "spamming". Should the Framework Decision criminalise the activity of "spamming" only insofar as it is accompanied by a specific intent to hinder the operation of a computer/information system? Should it fall within the concept of a Denial of Service attack? Is it possible to separate between spamming that is undesirable but does not cause damage and spamming that is intended to overwhelm the system?

(6) viruses, website defacement and interference with computer data. What approach should the European Union adopt for dealing with these issues? Should there be specific offences dealing with virus attacks and website defacement, an offence which is a subset of interference with a system, or should these be dealt with as part of a more general offence of interference with computer data?

(7) penalties: are the penalties suggested appropriate, proportionate and effective as a basis for approximation at the level of the European Union?

(8) liability of legal persons. Are there any issues which are unique to the liability of legal persons in the context of attacks against computer/information systems?

(9) jurisdiction. Should the Framework Decision include specific criteria for jurisdiction in respect of offences against systems?

 

PARTICIPANTS

Industry Experts

• Mr. Steve Barnett, Managing Director, Checkpoint Software, UK
• Mr. Mark Brewis, EDS, UK
• Mr. Pieter van Dijken, Manager of Information Security Consultancy, Shell Services International, Netherlands
• Mr. Kurt Einzinger, ISPA - Internet Service Providers Austria
• Mr. Roland Perry, Regulation Officer, London Internet Exchange (LINX)
• Mr. Joel Rowbottom, Chief Technical Officer, CentralNic Ltd., UK
• Mr. Reiner Fahs European Institute for Computer Antivirus Research, Germany
• Mr. Alain Hocquet, France Telecom
• Mr. Joe McNamee, EuroISPA, Brussels
• Mr. Teus Hagen, Director, Internet Software Consortium, Netherlands

 

Law Enforcement Experts

• Mr. Eric Freyssinet, Head of Computer and Electronics Department, Institut de Recherche Criminelle de la Gendarmerie Nationale, Ministère de la Défense, France
• Mr. Patrik Hakansson, Swedish National Police Board
• Mr. Rolf Hegel, Group Leader in the Organised Crime Department, Regional Approach and Other Projects, Europol
• Mr. Kai Küllmer, IT Crime Unit, Bundeskriminalamt, Germany
• Mr. Phil Swinburne, National Hi-tech Crime Unit, UK

 

Member-States Representatives

• Austria: Mr. Roland Heurex, Ministry of Justice
• Belgium: Mr. Rudi Troosters, Ministry of Justice
• Denmark: Ms. Katja Mattfolk, Ministry of Justice
• Finland: Mr. Ilari Hannula, Ministry of Justice
• Germany: Mr. Manfred Möhrenschlager, Ministry of Justice
• Greece: Mr. Efstratios Papathanassopoulos, Permanent Representation of Greece to the European Union
• Ireland: Mr. John Haskins, Minsitry of Justice
• Italy: Mr. Rolando Russo, Ministry of Justice
• Netherlands: Mr. Arno van Oosterhout, Ministry of Justice
• Portugal: Mr. João Pedro Cabral, Ministry of Justice
• Spain: Mr. Alfredo Pascual Martinez, Ministry of Justice
• Sweden: Ms. Lotta Gustavson, Ministry of Justice
• United Kingdom: Mr. John Gilbert, Home Office

 

European Commission

• Mme. Gisèle Vernimmen (DG Justice and Home Affairs; co-chair)
• Mr. George Papapavlou (DG Information Society; co-chair)
• Mr. Christopher Jones (DG Justice and Home Affairs)
• Mr. Luigi Soreca (DG Justice and Home Affairs)
• Ms. Susannah Sisson (DG Justice and Home Affairs)
• Mr. Rogier Holla (DG Information Society)
• Mr. Ilias Chantzos (DG Information Society)
• Mr. William Dee (DG Information Society)
• Mr. Laurent Cabirol (DG Information Society)
• Mr. Philippe Gerard (DG Information Society)
• Ms. Marie-Hélène Boulanger (DG Internal Market)

 

WELCOME AND BRIEF PRESENTATION OF THE WORKING PAPER

 

Mme Vernimmen (DG JAI) was the Chairman for the morning session. She made the following key points:

 

• The eEurope Action plan, prepared by the Commission and the Council, adopted by the Feira Summit of the European Council in June 2000, included actions to enhance network security and the establishment of a co-ordinated and coherent approach to cybercrime by the end of 2002.

 

• The European Council in Tampere called for approximation of offences in a limited number of areas including high tech crime. The Commission’s Communication "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime" (COM 2000 890) supported this proposal, and announced that the European Commission will shortly propose a Council Framework Decision under Title VI of the Treaty on European Union. More recently, earlier that month, the Commission Communication called "Network and Information Security: Proposal for a European Policy Approach" also referred to the need to approximate criminal law in the area of attacks against computer / information systems.

 

• Approximation of substantive law in the area of high tech crime would ensure that national legislation is sufficiently comprehensive to guarantee that all forms of attacks against computer systems could be investigated using the techniques and methods available under the criminal law. It would also improve international co-operation by ensuring that the dual criminality requirement is fulfilled (an activity must be an offence in both countries before mutual legal assistance can usually be provided to assist a criminal investigation).

 

• The objectives of the Council Framework Decision were to approximate criminal law in the area of attacks against computer systems, in particular to contribute to the fight against organised crime and terrorism, and by doing so to ensure the greatest possible judicial and police co-operation in the area of criminal offences related to attacks against computer systems.

 

• The purpose of the meeting was to provide the Commission services with the views of the experts.

 

• It was intended that the proposal should address criminal law dealing with hacking, denial of service and virus attacks. It was not intended to address the issues of unlawful access to / disclosure of personal data or intellectual property violations on the Internet. These were important issues, but were already covered by existing Community legislation. Any approximation of criminal law in these areas would therefore need to be considered using the framework of Community law rather than Title VI of the TEU.

 

GENERAL COMMENTS FROM EXPERTS

Mme. Vernimmen invited experts to make general comments on the proposal and the area of criminal law to combat attacks against computer/information systems.

The main points raised were:

• A representative of the Belgian Presidency supported the Commission Service’s initiative and assured the meeting that the Belgian Presidency was hoping to deal with the initiative during its Presidency.

• The Commission was asked about EU competencies for dealing with attacks against computer/information systems through legislation, and why it was not proposed to cover interception and misuse of devices. In response, Mme. Vernimmen agreed it was a complex issue and some aspects should be dealt with under the First Pillar, and so would not be addressed at the meeting. In particular, misuse of devices and illegal interception were already dealt with by Community law. However, certain types of attack against computer/information systems (such as hacking, viruses and denial of service attacks) could be covered by Third Pillar instruments where the objective was to fight organised crime, terrorism and improve judicial co-operation.

 

• An industry expert agreed that there was a complex relationship between illegal access and interception, as demonstrated by the ability to intercept wireless keyboards to assist in gaining illegal access to computer/information systems.

• A representative of a Member State pointed out that interception was a different concept from illegal access, and hence was normally a different offence under national law.

• An industry expert was concerned about the lack of factual knowledge about attacks against computer/information systems. He drew attention to what he considered to be exaggeration in the media of the effects of hacking and denial of service attacks compared to his experience. He called for more facts and an objective way to measure attacks against computer/information systems.

• Law enforcement experts and other industry representatives agreed that there was an underreporting of crimes, except when the damage was great, in order to avoid a loss of confidence in e-commerce. It was also pointed out that it was increasingly easy to perpetrate crimes, for example with virus toolkits available on the Internet. An industry expert said that financial companies were unwilling to report crimes because of trust problems with investors and brand equity; such companies would report attacks first to lawyers, next to their public relations people and only occasionally to the police.

• A representative of a Member State welcomed the forthcoming Framework Decision to establish laws to protect computer/information systems. He welcomed the expert meeting since it showed that lessons had been learned from the lack of an early consultation process with industry during the negotiations on the Council of Europe Convention. It was important, however, not to "reinvent the wheel". By "going further" the Commission should not build in levels of inflexibility which would prevent implementation. He was also concerned that the concept of "without right" needed to be built on and that there was a need to cover misuse of devices.

 

• A representative of a Member State the following points:

            - A Framework decision would be a good way to bring forward the           work of the Council of Europe convention, which could take several years to ratify and enter into force.

            - Care must be taken to avoid duplicating the work done in the Council of Europe, where many issues had been covered after lengthy negotiation.But the EU could go further, as the draft Council of Europe Convention represented a minimum level of harmonisation.

            - The "systems" approach was a sensible one.

            - Illegal interception of communications should also be covered.

 

• A law enforcement expert suggested that the term "infrastructures" was too narrow and, if used, small and single users would not be protected. With particular reference to denial of service attacks, he emphasised the need for updated laws, as current legislation was insufficient to cover certain forms of cybercrime.

 

DEFINITIONS

The Expert Group was asked for its views on the following definitions suggested by the Commission services:

(a) "Electronic communications network"

This means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, and cable TV networks, irrespective of the type of information conveyed.

(b) Computer system / Information System

(i) Computer [system] means any device or group of inter-connected or related devices, one or more of which, pursuant to a program, performs automatic processing or transmission of data.

(ii) Information system means computers, communication facilities, computer and electronic communication networks, and data and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications and procedures for their operation, use and maintenance.

(c) "Conditional access"

This means any suitable technical measure and/or other arrangement whereby access to a computer/information system in an intelligible form is made conditional upon prior authorisation.

(d) "Protected system"

This means the whole or any part of a computer/information system which is subject to conditional access.

(e) "Computer data"

This means any representation of facts, information or concepts [which has been created or put into a form] suitable for processing in a computer / information system, including a program suitable to cause a computer system to perform one or more functions.

(f) "Legal person"

This means any entity having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations.

(g) "Authorised person"

This means any natural person who has the right, permission or responsibility to use, operate, manage, control, test or carry out research on a computer system for private or business purposes and who is acting in accordance with that right, permission or responsibility.

 

Question (1) Definitions. Are the definitions described above appropriate, precise, technology neutral and legally effective? Should the Framework Decision refer to computer systems or information systems? Do the definitions correspond to the current industry practice, technical reality and the perceived future development of computer networks and services? In particular, does the proposed approach to using the term "authorised person" adequately exempt important and legitimate activities from the scope of criminalisation such as the legitimate actions of users and network managers?

Mme Vernimmen asked the experts for their response to Question 1:

"Electronic communications network" and "Computer/Information system"

Key points raised were:

 

• Several experts questioned the legal need for separate definitions.
• Industry experts preferred to use a definition of information system rather than computer system. Electronic communications networks could be a subset of an information system.
• Some representatives of Member States asked to stick with the definitions from the draft Council of Europe Convention on Cybercrime. For some others the definition of information systems seemed acceptable.
• Industry experts supported the notion of "information systems" and stressed the need for the concept of an information system to encompass software and hardware.
• There was a need to consider how to distinguish between "information and data", and personal data.
• There was a need to use flexible, technology-neutral definitions, in particular by removing technology-specific examples in the definition of electronic communications network. As an example, it was pointed out that power grids were now being linked in a way which could be considered to be an information system.

 

"Conditional access" and "Protected system":

 

Key points raised were:

 

• Two representatives of Member States argued for a criminalisation threshold for illegal access based on the need to overcome technical security measures employed to protect the system. Other illegal access would be dealt with as an administrative sanction.

 

• A majority of other representatives of Member States argued against such a limitation, which was an optional limitation of the scope of the illegal access offence in the Council of Europe Convention. The lack of technical protection should not exclude the protection of the criminal law. This was the same as saying that leaving a window open meant that it was no longer an offence for a burglar to enter someone’s house.

 

• Industry experts stressed the need for consumer protection. Many users’ systems would not be protected by technical means: should they not be covered by criminal law? Attackers could also use "protection" as a loophole to avoid incrimination if the method of gaining access was through an unprotected, unforeseen route (i.e. a system with vulnerabilities). And what was "suitable" technical protection? Users had no technical protection on their systems. The notion of security was difficult to define and depended on the circumstances. Security was a relative concept and the levels of security would vary.

 

• Other industry experts wished to avoid over-criminalisation

 

• Other representatives suggested that all modern systems had some form of access control.

 

"Computer data"

 

Key points made were:

 

• The addition of the phrase "created or put into a form" was a sensible improvement on the Council of Europe text. An industry expert expressed serious concern about the accuracy and technical insight of the definitions in the CoE Cybercrime Convention.

 

• The use of the word "program" seemed a bit out of place, and should be reconsidered. Several experts from industry offered various suggestions to improve on the definition. Among the suggestions received were the use of "one or more information systems," "information systems" as opposed to "computer systems," "code" instead of "program," reference to "cryptographic keys" and "data" instead of "computer data."

 

• Some representatives of Member States wished to stick on the existing Council of Europe definition, particularly because it was based on an ISO definition.

 

"Authorised person"

 

Key points made were:

 

• Some scepticism was expressed as to the use of the notion of "authorised person" rather than "with right" (as used in the draft Council of Europe Convention).

 

• Several suggestions for improvement of the definition of "authorised person" were given, including inclusion of "legal persons," "government purposes" (such as military purposes and interception) and "exceptional circumstances."

 

• Industry experts remarked that it was not always clear whether permission had been given to use certain data, e.g., in the case of location data implied permission is there to use the data only for certain limited purposes.

 

• A legal person should also be covered in the notion of having "a right" to access a system.

 

• The phrase "without right" should be used: the current approach of authorised persons was too limiting. There was a need to recognise all rights in domestic law, including legitimate grounds for defence against prosecution.

 

INTENT

 

Question (2) intent: Should there be a definition of intent that limits it to "specific intent", combined with the notion that such intent does not need to be directed at a specific system?

 

Mme. Vernimmen asked the experts to consider whether specific intent was necessary to address instrumental behaviour and whether the behaviour needed to be directed to a specific system.

The following concerns were voiced:

• Many participants expressed a preference to set the threshold for criminalisation low.
• Representatives of some Member States argued strongly that dolus eventualis should be included. This involved an intention, and knowledge that certain consequences would occur.
• Industry experts argued that the law must be broad enough to avoid loopholes and make individuals responsible for collateral damage, eg by deliberately sending a virus to one person, knowing the it was likely that this would cause damage elsewhere.
• It was suggested that intention should be left to national legal principles, as in other Title VI proposals. In the longer-term, consideration could be given to harmonisation of the different concepts of intent in the Member States.

 

ILLEGAL ACCESS

Question (3) illegal access. Should the European Union adopt the principle that unauthorised access to a protected system is a criminal offence? Are any of the reservation possibilities included in the draft Council of Europe Convention necessary for approximation at the level of the European Union?

During the afternoon session, Mr. George Papapavlou from DG INFSO was the Chairman. Many issues raised earlier were iterated, including lack of protection of systems, threshold for criminality, "without right" and the difficulty of proving intent.

Other issues raised were:

• Representatives of two Member State repeated their preference for a threshold to criminalisation in the form of a requirement of a protected system. Others repeated a preference for scrapping the requirement that a system be protected.
• A representative of one Member State mentioned that different thresholds were established for different levels of penalties under their domestic law.
• Experts agreed stand alone systems should be covered under illegal access.
• Illegal access should not be limited to instances where the intention was to obtain information. There was a difference between gaining access and gaining access with intent to interfere or other dishonest intent. The latter qualification was probably not necessary in the context of the EU.
• The Commission asked experts to consider whether all forms of illegal access should be illegal. In response, the following points were made:

 

- a representative of one Member State explained that their legislation allows courts to decide on the criminal threshold depending on the level of risk considered.

- an industry expert spoke of the need for a threshold to remove legal uncertainties for legitimate users and expressed concerns for over-criminalisation. Officials from DG INFSO pointed that the criminal scope to which the views of the group of experts seemed to converge was rather broad

- a law enforcement expert outlined his national law which only made access illegal if all of the following conditions are met: access is unauthorised, intended and the person is aware the action is unauthorised. These conditions ensured that persons acting unintentionally were not liable for prosecution.

- an industry expert made the point that too much protection through legal means would reduce the responsibility of users to protect their own systems and that a threshold should be employed. Other experts argued against the need to have a limitation based on overcoming technical security measures.

 

INTERFERENCE WITH INFORMATION SYSTEMS

Question (4) interference with computer/information systems. Is it the right approach for the European Union to adopt the principle that the hindering or interruption, without authorisation, of the functioning of a computer/information system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data should be a criminal offence? Does this offence need to be subject to a "serious hindering" test? Does this offence adequately cover so-called "denial of service" attacks?

The following main points were made:

• Experts from industry remarked that under some circumstances it is possible to carry out denial of service (d.o.s.) attacks with authorisation, e.g., in the case of system testing. Moreover, in addition to the "classic" denial of service attacks, there were other different types of d.o.s. attacks, e.g., blocking users from legitimate access by entering wrong passwords for correct usernames following which the system would block access for that username, or triggering a d.o.s. alert without an actual d.o.s. attack following which the system may restrict access itself.

• Some participants from industry asked for the inclusion of "serious hindering"

• It was pointed out that what is meant by "serious" hindering needs to be clarified. The question was raised whether the Commission’s proposal would also cover unauthorised use of computer time, power and communication infrastructures. Officials from DG INFSO clarified that they felt that this kind of conduct could be trivial and therefore not worthy of criminalisation.

• Some industry representatives also felt it was useful to include an explanation of what was meant by "with authorisation."

• Alternative wordings were suggested such as "interruption and / or hindering of operations."

 

• A representative of the Member States suggested to follow the CoE text using hindering without right, and not to specify individual actions.

SPAMMING

Question (5) "spamming". Should the Framework Decision criminalise the activity of "spamming" only insofar as it is accompanied by a specific intent to hinder the operation of a computer/information system? Should it fall within the concept of a Denial of Service attack? Is it possible to separate between spamming that is undesirable but does not cause damage and spamming that is intended to overwhelm the system?

Mr. Papapavlou noted that the Commission had proposed a Directive which would cover spamming under the First Pillar, but asked experts for opinions on if and how it should be addressed in this context.

• An industry expert spoke of the damage caused by collateral spamming, a form of denial of service attack, and so the importance of clear legislation against it.
• An industry expert called for legislation to cover spamming specifically, as although there may be no be an intent to cause damage, the spammer’s actions could impose customer services charges on the recipients.
• Participants generally agreed that d.o.s. attacks through spamming should not be treated differently from other d.o.s. attacks.
• A representative of a Member State expressed concern about whether there should be an emphasis on the term "serious" when discussing the hindering caused by any d.o.s.

 

VIRUSES AND WEBSITE DEFACEMENT

Question (6) Viruses, website defacement and interference with computer data. What approach should the European Union adopt for dealing with these issues? Should there be specific offences dealing with virus attacks and website defacement, an offence which is a subset of interference with a system, or should these be dealt with as part of a more general offence of interference with computer data?

Mr. Papapavlou raised the issue of whether viruses and web-site defacements should be addressed as separate offences or as part of an offence on interference with computer/information systems.

• An industry expert pointed out that this kind of behaviour will evolve and hence he advised against giving a specific definition.
• A representative of one Member State expressed concerns about the minimum level of criminal threshold and pointed out that reservations under Article 6 of the CoE cybercrime Convention left the matter open.

 

AIDING, ABETTING AND ATTEMPT

Mr Papapavlou asked whether instigation of, aiding or abetting offences against information systems should be criminalised. It was also suggested that attempt to commit these offences should also be criminalised.

• A representative of one Member State asked for attempt not to be covered by the proposal for the illegal access offence. Prosecution of attempt was only possible for serious crimes.

 

PENALTIES

It was proposed by the Commission services (DG JAI and DG INFSO) that all offences should be punishable by effective, proportionate and dissuasive penalties. Based on an analysis of Member States’ legislation, views were sought on what might be an appropriate penalty in the following situations:

• illegal access where there is no intention to interfere with or obtain computer data. Member States could ensure that this can be punished by a term of imprisonment, though no minimum duration of imprisonment is necessary.

• illegal access where there is a specific intention to interfere with or obtain computer data. Member States could ensure that it is punishable by terms of imprisonment with a maximum penalty that is not less than one year (the so-called "minimum maximum" approach).
• interference with computer / information systems. Member States could ensure that it is punishable by terms of imprisonment with a maximum penalty that is not less than one year.

The Commission services (DG JAI and DG INFSO) requested the views of the experts on whether the following two specific types of circumstances would merit a more serious penalty (for example, a maximum penalty of not less than four years):

• where the offence generates – or was intended to generate - substantial proceeds.
• where the offence resulted – or was intended to result - in substantial harm for a natural or legal person, regardless of whether the offence generated substantial proceeds.

 

Question (7) Penalties: are the penalties suggested appropriate, proportionate and effective as a basis for approximation at the level of the European Union?

• An industry expert stressed the need for compatibility of penalties so that legal assistance may be effective. A representative of a Member State explained that, in general, there was no need for penalties to be equivalent for mutual assistance to take place. The only exceptions were very intrusive measures such as interception of communications, where a certain minimum threshold of penalties may be necessary.

 

Question (8) Liability of legal persons: are there any issues which are unique to the liability of legal persons in the context of attacks against computer systems?

As a result of time constraints, there was no substantive discussion on this issue.

 

Question (9) Jurisdiction: should the Framework Decision include specific criteria for jurisdiction in respect of offences against systems?

As a result of time constraints, there was no substantive discussion on this issue.

CONCLUSION

Mr Papapavlou thanked the participants for their contributions. The participants were given the opportunity to contribute further via e-mail.