Comments to the Sixth Meeting of the UNODC Intergovernmental Expert Group on Cybercrime / April 6-8 2020 in Vienna

The APWG (apwg.org) is periodically asked our thoughts on issues of great importance to the cybercrime fightin’ community.

Background

After the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, the Commission on Crime Prevention and Criminal Justice established an open-ended intergovernmental expert group to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation, with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.
The open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime has held five meetings to date, respectively from 17 to 21 January 2011, from 25 to 28 February 2013, from 10 to 13 April 2017, from 3 to 5 April 2018 and from 27 to 29 March 2019.
At its fourth meeting, the Expert Group adopted the workplan of the Expert Group for the period 2018-2021 (available at: http://www.unodc.org/unodc/en/organized-crime/open-ended-intergovernmentalexpert-group-to-conduct-a-comprehensive-study-of-the-problem-of-cybercrime2018.html). In accordance with the workplan, in 2020 the Expert Group will discuss international cooperation and prevention. Moreover, no later than 2021, the Expert Group will hold a stocktaking meeting and discuss its future work.

Our Submission to the Meeting

The upcoming Expert Group meeting will discuss a topic important to the APWG and its members: international cooperation. I have many thoughts about this topic and i want to share the two main points I submitted to the upcoming UNODC meeting in Vienna.

We Need Commonly Accepted Definitions

First, we need to develop a common definition for data that requires special handling or treatment. Every new regulation or directive has different  – or new – definitions for data items that the regulators deem private, sensitive, or scary. For example, the definition of personally identifiable information (PII) varies among EU regulation and many other states. Sharing data globally to detect and apprehend e-criminals is near impossible when you must change the data record every time it is shared to national law enforcement authorities or private crime investigators. A common definition for special data would allow investigators and enforcers in multiple states to get the same data at very fast speeds. Aligning the various definitions is a daunting task – and may take a while – but lacking such commonality is definitely slowing down e-crime mitigation, investigation, victim reduction, and apprehension.

The Crime Fightin’ wall is really a tripod.

Secondly, many privacy and data sharing regimes have a specific carve-out for public bodies doing crme investigation. For example, the EU GDPR has two versions one for such bodies and one for “everyone else”. Many studies show that over 95% of internet-based crime is detected and initially investigated  not by the public bodies, but by private organizations, such as the APWG (an anti-phishing and cryptocurrency exchange), SPAMHAUS (the well-known anti-spam group), CAIDA (the Center for Applied Internet Data Analysis), anti-virus companies (such as Sophos, McAfee, Microsoft or Eset), or anti-ransomware groups. Unfortunately, being part of “everybody else” means that these organizations (“e-crime figthters”) (we need a sexy word to describe us) are following the same rules as marketing and tracking organizations, which do no e-crime fighting and should be constrained. Adding additional barriers to sharing e-crime data among public bodies and private organizations impedes the flow of that critical, very useful, data. Many senior law enforcement executives have expressly stated that they rely on private sector e-crimefighters participation and data sharing to perform their law-enforcement duties.

Conclusion

Developing a regulatory regime that gives the e-crime fighters to perform initial investigation, victim notification, event correlation, and data sharing with law enforcement while not allowing “everyone else” that ability will be a challenge. Some have suggested properly accreditation of the e-crime fighters may work;  other ideas have surfaced but the perfect solution still awaits us.

There are many challenges to detect, investigate, and notify the proper authorities of e-crime activities at the same speed that the criminals do. We have identified two primary challenges and look forward to moving towards a solution.

The actual submission to the UNODC is: https://coopercain.com/?post_type=document&p=102