C Explanatory
memorandum by Mr Fischer, rapporteur
1 Mandate
1. Having tabled the motion for a resolution on “Improving
user protection and security in cyberspace” (
Doc. 12585), I was subsequently appointed rapporteur of the Committee
on Culture, Science, Education and Media on 23 June 2011.
2. As a result of the current affairs debate on “State interference
with privacy on the Internet” in the Parliamentary Assembly on 27
June 2013, the Assembly’s Bureau decided that the follow-up to this
debate should be part of this report. The Assembly debate of 27
June had been triggered by the PRISM/Snowden affair.
2 Preparatory
work
3. The Assembly´s Sub-Committee on Media and Information
Society organised a hearing in Strasbourg on 25 January 2012 with
Mr John Carr (Secretary of the Children’s Charities’ Coalition on
Internet Safety, London), Dr Catarina Katzer (President of the Association
against Cyber Mobbing, Cologne) and Mr Stefan Herwig (Partner, Mindbase
Strategic Consulting, Gelsenkirchen).
4. Following my instructions, a technical background report was
subsequently commissioned from Dr Kei Ishii (Technical University
Berlin) and a legal background report from Professor Hans Schulte-Nölke
(University of Osnabrück). Both reports were presented to the Sub-Committee
on Media and Information Society on 2 October 2012 by these experts
and constitute the basis for parts of this memorandum. I am particularly
grateful to both experts and the members of the sub-committee for
their contributions.
5. The Committee on Culture, Science, Education and Media considered
my preliminary draft report in Paris on 11 March 2013 and held an
exchange of views with Professor Wolfgang Schulz, Director of the
Hans Bredow Institute for Media Research (Hamburg), and Mr Thomas
Spiller, Vice President for Global Public Policy EMEA at the Walt
Disney Company (Brussels), speaking as an expert of the International
Chamber of Commerce (Paris).
6. On 1 October 2013, the committee organised a hearing in Strasbourg
on State interference with privacy on the Internet, with the participation
of Ms Dorothée Belz, Vice-President of Microsoft Europe, Mr Duncan Campbell,
journalist and forensic expert witness, as well as Mr Lawrence Early,
Jurisconsult of the European Court of Human Rights.
7. I have also built on my national parliamentary work as chairperson
of the Enquête Commission on Internet and Digital Society of the
German Parliament, which concluded its work on 28 January 2013 and adopted
inter alia a report on user protection.
Note
3 Council of Europe
and other international standards
8. The European Convention on Human Rights (ETS Nos.
5, “the Convention”) and its first Protocol (ETS No. 9) guarantee
also to users of online services the right to freedom of expression
and information, the right to the protection of private life and
personal data as well as the right to the protection of property.
9. Additional protection is afforded by the Convention on Cybercrime
(ETS No. 185), making it a criminal offence to illegally access,
intercept, or interfere with, computer systems or computer data,
as well as by the Convention for the Protection of Individuals with
regard to Automatic Processing of Personal Data and its additional
protocol (ETS Nos. 108 and 181). Both conventions have defined legal
standards on mutual assistance between Parties to those conventions.
10. The European Convention on Mutual Assistance in Criminal Matters
(ETS No. 30) of 1959 sets the framework for legal assistance in
transnational criminal matters including cybercrime matters. In
this context, important related work is currently under way under
the Convention on Cybercrime in order to draft an additional protocol
on jurisdiction and transborder access to data and data flows. This
protocol will clarify and expand Article 32 of the Convention on
Cybercrime, which deals with transborder access to stored computer data
with consent or where publicly available.
11. Personal data, correspondence and property of users are often
protected through conditional access systems to online services,
such as passwords or electronic authentication tools. The illicit
reproduction or use of such conditional access devices is punishable
by law under the Convention on the Legal Protection of Services
based on, or consisting of, Conditional Access (ETS No. 178).
12. As counterfeit medical products are often sold through the
Internet, user protection in this respect is achieved through the
Convention on the Counterfeiting of Medical Products and Similar
Crimes involving Threats to Public Health (CETS No. 211).
13. The physical and moral integrity of children is protected
under the Convention on the Protection of Children against Sexual
Exploitation and Sexual Abuse (CETS No. 201) and Article 9 of the
Convention on Cybercrime.
14. The Committee of Ministers of the Council of Europe has adopted
recommendations on:
- the protection
of freedom of expression and freedom of assembly and association
with regard to privately operated internet platforms and online
service providers (Declaration of 7 December 2011);
- the protection and promotion of the Internet’s universality,
integrity and openness (Recommendation CM/Rec(2011)8);
- the protection of human rights with regard to social networking
services (Recommendation CM/Rec(2012)4);
- the protection of human rights with regard to search engines
(Recommendation CM/Rec(2012)3);
as well as guidelines
for:
- internet service providers
(2008), developed in co-operation with the European Internet Service Providers
Association;
- online games providers (2008), developed in co-operation
with the Interactive Software Federation of Europe.
15. The Organisation for Economic Cooperation and Development
(OECD) has produced non-binding, but directly relevant standards:
the Guidelines for Consumer Protection in the Context of Electronic
Commerce (1999), the Guidelines for Protecting Consumers from Fraudulent
and Deceptive Commercial Practices across Borders (2003) and the
Recommendation on Consumer Dispute Resolution and Redress (2007).
16. Within the European Union, relevant legislation comprises
the Consumer Sales Directive (1999/44/EC), the E-Signatures Directive
(1999/93/EC), the E-Commerce Directive (2000/31/EC), the E-Privacy
Directive 2002/58/EC (as amended by
Directive
2009/136/EC), the Unfair Commercial Practices Directive (2005/29/EC), the
Consumer Rights Directive (2011/83/EU) and the Directive on attacks
against information systems (2013/40/EU).
4 State interference
with privacy on the Internet
17. The current public debate about the PRISM programme
of the National Security Agency of the United States and related
co-operation with security services in Europe reflects different
international approaches to the protection of personal data vis-à-vis
the protection of national security and law enforcement. Based allegedly
on documents disclosed by Edward Snowden to
The
Observer,
The Guardian reported
that “in addition to the UK – Denmark, the Netherlands, France,
Germany, Spain, and Italy have all had formal agreements to provide
communications data to the US. They state that the EU countries
have had ‘second and third party status’ under decades-old signal
intelligence (Sigint) agreements that compel them to hand over data
which, in later years, experts believe, has come to include mobile
phone and internet data”.
Note
18. In this context, reference must be made to the work of the
Assembly which had led to
Resolution
1843 and
Recommendation
1984 (2011) on the protection of privacy and personal data on the
Internet and online media, based on a report
Note by Ms Andreja Rihter (Slovenia, SOC),
as well as
Resolution
1877 and
Recommendation
1998 (2012) on the protection of freedom of expression and information
on the Internet and online media, based on a report
Note by Ms Zaruhi Postanjyan (Armenia,
EPP/CD).
19. More than a decade ago, a similar public debate had been held
about the alleged interception of radio and satellite communications
by the United States, the United Kingdom, Canada, Australia and
New Zealand. This situation had been analysed by the European Parliament
in its report and resolution of 2001 on the existence of a global
system for the interception of private and commercial communications
(ECHELON interception system).
Note Although the possibilities for the
large-scale screening of online communication data, traffic data
and other meta data were less developed then, the results of the
ECHELON debate are still of relevance to the PRISM debate today.
20. The rapid development of information technology (IT) communication
globally has enabled national security services and law-enforcement
authorities to focus on IT services in order to identify and trace
terrorists or other serious criminals who use such IT services.
Benjamin Franklin, one of the Founding Fathers of the United States
of America, said: “They who would give up essential liberty to purchase
a little temporary safety, deserve neither liberty nor safety.”
In a modern human rights debate, one would not sacrifice one human
right for another, but define both through their correlation.
21. While Article 8 of the European Convention on Human Rights
protects also personal data online, national security can limit
such right. The United States is not Party to the European Convention
on Human Rights, but is committed under the corresponding Article
17 of the United Nations International Covenant on Civil and Political
Rights. Member States of the Council of Europe collaborating in
the alleged PRISM programme are bound by the Convention. Any interference
on grounds of national security must be prescribed by law and proportionate
to the protection of national security.
22. The European Court of Human Rights has defined the requirements
in this regard: “In its case-law on secret measures of surveillance,
the Court has developed the following minimum safeguards that should
be set out in statute law in order to avoid abuses of power: the
nature of the offences which may give rise to an interception order;
a definition of the categories of people liable to have their telephones
tapped; a limit on the duration of telephone tapping; the procedure
to be followed for examining, using and storing the data obtained; the
precautions to be taken when communicating the data to other parties;
and the circumstances in which recordings may or must be erased
or the tapes destroyed.”
Note
23. Although the facts of the PRISM programme are not fully known,
it seems that vast amounts of IT communication data were intercepted,
stored and analysed in collaboration with the national security
services of certain States in Europe. Such processing or screening
of personal data was allegedly done, as soon as keywords were used
in IT communication which were part of a huge list of words typically
used by terrorists or criminals. In the end, a huge number of users
must have been screened and profiled. In this context, commercial
espionage was also alleged.
24. If such screening and profiling were pursued without sufficient
grounds of national security concerns, a violation of Article 8
of the European Convention on Human Rights could be assumed. The
recent motion for a resolution on massive eavesdropping in Europe
Note may lead to further analysis and
discussion of this particular case and its wider implications concerning
the correlation between national security and the protection of
privacy.
25. Edward Snowden had worked for the private security companies
Booz Allen Hamilton and Dell, which had been contracted by the National
Security Agency of the United States. Such outsourcing of Internet surveillance
for national security purposes may seriously lower the protection
of privacy and personal data. Edward Snowden is cited by
The Guardian: “The government has
granted itself power it is not entitled to. There is no public oversight.
The result is people like myself have the latitude to go further
than they are allowed to.”
Note Although with a different focus,
one might refer in this context also to Assembly
Recommendation 1858 (2009) on private military and security firms and erosion of
the State monopoly on the use of force.
26. Edward Snowden disclosed to
The
Guardian a large amount of secret information about the
activities of national security services in the United States, the
United Kingdom and other NATO countries.
The
Guardian journalist Glenn Greenwald testified before
a Brazilian Senate foreign relations committee that he had up to 20 000
secret government files, which he had received from Edward Snowden.
Note The disclosure of these files was
labelled as “whistle-blowing”. Following these events, the President
of Brazil decided to postpone her State visit to the United States
until the situation was clarified. After a month in Hong Kong (China),
Mr Snowden is now in Russia since June 2013.
27. Following Mr Snowden’s revelations of pervasive surveillance
of e-mail correspondence in France as well as the interception of
the mobile phone and SMS communication of the Federal Chancellor
of Germany by the national security service of the United States
for many years, the governments of France and Germany are leading
an initiative within the Council of the European Union in order
to clarify the level of privacy intrusion committed by the United
States and to develop mutual standards on surveillance and co-operation
in the field of national security. In addition, the Civil Liberties,
Justice and Home Affairs Committee of the European Parliament established
an inquiry on electronic mass surveillance of European Union citizens,
which held hearings since 5 September 2013 and produced its final
report on 21 February 2014.
Note On 30 September 2013, the Parliamentary
Assembly referred the motion for a resolution on massive eavesdropping
in Europe to its Committee on Legal Affairs and Human Rights for
report. At the level of the United Nations, on 8 November 2013,
Brazil and Germany introduced to the Third Committee of the United
Nations General Assembly a draft resolution calling for the protection
of privacy in accordance with international human rights law and
the cessation of excessive electronic surveillance. The latter Resolution
on the right to privacy in the digital age was adopted on 18 December
2013 by the United Nations General Assembly.
28. Assembly
Resolution
1729 (2010) on the protection of “whistle-blowers” outlined in paragraph
6.1.1: “[T]he definition of protected disclosures shall include
all bona fide warnings against various types of unlawful acts, including
all serious human rights violations which affect or threaten the
life, health, liberty and any other legitimate interests of individuals
as subjects of public administration or taxpayers, or as shareholders, employees
or customers of private companies.” Such whistle-blowing could as
an ultima ratio be done through the media, as stated in paragraph
6.2.3 of
Resolution 1729
(2010): “Where internal channels either do not exist, have
not functioned properly or could reasonably be expected not to function
properly given the nature of the problem raised by the whistle-blower,
external whistle-blowing, including through the media, should likewise
be protected.”
29. In any case, Article 8 would not permit the screening and
profiling of IT users by public authorities on purely political
grounds, for instance targeting political opponents. While most
States in the world might possess the technological and human resources
to do so, and while it could be assumed that non-democratic and
oppressive governments would wish to do this, no factual indications
have been revealed to this end with regard to the PRISM case.
30. In
Klass and others v. Germany,
Note the European Court
of Human Rights accepted under Article 8 “that the existence of
some legislation granting powers of secret surveillance over the
mail, post and telecommunications is, under exceptional conditions,
necessary in a democratic society in the interests of national security
and/or for the prevention of disorder or crime. … The Court, being
aware of the danger such a law poses of undermining or even destroying
democracy on the ground of defending it, affirms that the Contracting
States may not, in the name of the struggle against espionage and
terrorism, adopt whatever measures they deem appropriate. The Court
must be satisfied that, whatever system of surveillance is adopted,
there exist adequate and effective guarantees against abuse. This
assessment has only a relative character: it depends on all the
circumstances of the case, such as the nature, scope and duration
of the possible measures, the grounds required for ordering such
measures, the authorities competent to permit, carry out and supervise
such measures, and the kind of remedy provided by the national law”.
Note
31. In conclusion, it is necessary to have an adequate and efficient
internal oversight within, and judicial review over, national security
services and law-enforcement authorities, in order to prevent abuse
and hence violations of Article 8 of the Convention. The possible
damage done by irresponsible access to and use of such data is obvious.
32. Although on a smaller scale, the technological possibilities
for the screening and profiling of users are in principle also available
to commercial companies and private individuals, who might wish
to exploit such data for personal gain. States must therefore afford
users adequate protection also in this regard. The surveillance of
employees by their employers is restricted by Committee of Ministers
Recommendation No. R (89) 2 concerning the protection of personal
data used for employment purposes.
5 Developments in
IT security
33. IT security has become an important research area
in computing, aimed at developing sophisticated ways of avoiding
intrusion, manipulation or destruction of databases, but also at
preventing hackers from taking over the control of home or business
IT systems or threatening public administration IT systems (for
example police, judiciary or defence) or information-based critical
infrastructure which is essential to the daily life of our societies
(for example finance and banking, transports and energy).
34. The latter has resulted in international co-operation such
as the International Cyber Security Protection Alliance
Note as well as the recent establishment
by the European Union of the European Cybercrime Centre at Europol
in The Hague.
Note
35. However, despite decade-long efforts, protecting IT systems
against malicious threats still poses a challenge for organisations,
as media coverage of numerous break-ins into their IT systems indicates.
And with more powerful networked devices and e-services available
to the individual user, they become lucrative targets for malicious
attackers as well. IT security appears even less prepared here,
as regular news coverage about virus attacks illustrates.
36. Computers are accessible from remote places and data and software
can be rapidly exchanged. This leads to the development of technological
means to cope with the new IT security challenges – such as firewalls,
anti-virus software, or cryptographic tools. But the growing complexity
of the systems, combined with everyday actions (or inactions) of
the users, constantly expose vulnerabilities which attackers can
exploit.
37. As technological means on their own cannot provide a complete
solution, the focus shifted from technological solutions to organisational
factors. Technologically secured devices and software still can
be compromised if no sound security policies and procedures exist,
and if these policies are not properly enforced and supported. Policy
frameworks and certifications were developed which allowed organisations
to systematically evaluate their IT security needs and implement
the necessary products, policies and procedures. In this way, organisational
IT security was recognised as an important element of IT security.
38. Even after technological and organisational security measures
were put in place, IT security problems remained. The user is often
overwhelmed by security procedures or unaware of security consequences
of their action. Also, the growing need of users outside organisations
to protect their private IT environment has led to scrutiny of the
role of the end user in IT security.
39. Therefore, research recently shifted to personal IT security
as a crucial element of the overall security of IT system sand “Usable
[privacy and] security” has developed into a hot topic. It appears
that the mental model elaborated to assess the user's risk and actions
might not be adequate. Understanding better the role of mental models
and formulating more appropriate ones carries the promise to enhance
the effectiveness of user IT security. The shape of technology must
be “usable” in the sense that it supports both the user and the
IT security. It remains to be seen how the research results can
be translated into future devices, software and services as well
as educational efforts and home user support.
6 Current state of
IT security
40. With the rapid increase in Internet services in all
areas of life, the crime rate has equally grown exponentially. The
2012 Norton Symantec Cybercrime Report estimates 1.5 million victims
of cybercrime daily with an estimated annual value of US$110 billion
worldwide and US$16 billion in Europe.
Note Parallel to the growth in mobile
Internet access, the number of cybercrime attacks has doubled from
2010 to 2011.
41. Widely publicised cases have concerned the massive hacking
into user data, for instance by a group called Lulz Security into
the servers of Sony and Nintendo in 2011, the hacking attack on
the telephone directory Truecaller by a group called Syrian Electronic
Army in July 2013 as well as the theft of 2 million user data stored
on a Vodafone server in Germany in September 2013. In March 2011,
the Internet security firm McAfee reported that Internet hackers
in China had been committing massive commercial espionage of several multinational
oil companies since 2009, called “operation night dragon”.
42. Another spectacular case was the use of stolen credit card
data to withdraw US$45 million from banking machines in New York
and other cities around the world in December 2012 and February
2013. In May 2013, the Liberty Reserve online money transfer service
was closed by law-enforcement authorities in the United States and
16 other countries on suspicion of having run a massive money-laundering
scheme through the Internet of up to US$6 billion. While those spectacular
cases may hint at Internet security risks, the smaller but more
frequent attacks on individual Internet users are more harmful in
absolute terms and should therefore guide our analysis in this report.
43. Drawing from the experience with a German user-oriented Internet
information portal for IT security and privacy (
Verbraucher sicher online),
Note IT security can be outlined from
the vantage point of both attacker and user. The attacker is looking
for vulnerabilities which enable him or her to gain access to the
system. The user must take the appropriate action against these
vulnerabilities to minimise the risks of being attacked.
44. One can distinguish four different components of a user IT
environment which show different vulnerabilities and responses:
An attack can be raised against any of the devices (computers, smartphones, etc.)
of the user or against the networks (Internet, mobile networks)
the devices connect to, in order to interact with the e-services
employed by the user. Finally, the users themselves can be targeted
by an attack as well.
6.1 Attacks against
devices
45. Devices comprise the computers, laptops, smartphones
etc. that the user directly interacts with. They consist of the
hardware, the operating system and application software, and are
usually connected to local or mobile networks, and through these
to the Internet.
46. Attacks against devices use one or more technical vulnerabilities
such as software defects in the operating system and applications,
so called exploits, in order to install or “infect” it with malicious
software. Once infected, the malware regularly gains absolute control
over the device. All data can be accessed, all user actions intercepted
(for example the typing of passwords) and altered, and the device
can be used to infect or attack other devices and e-services.
47. The technological responses to these kinds of attacks are:
1) maintaining current backups of the data on the device, in order
to protect against data theft and alteration; 2) active and up-to-date
malware protection software which protects against malicious e-mails
or websites; and 3) continuously updating application and operating
system software in order to close known software defects, which
may otherwise be used by viruses to infect the system.
48. As there is no central authority for the protection of devices,
any security policies or procedures can only rely on personal responses,
namely the knowledge and awareness of the user. In this respect, the usability of the security features
has improved in recent years. With the media attention on IT security
issues, device and software makers have stepped up their efforts
to integrate security considerations into their development and offer
timely security updates. Also, more and more software can be configured
to install security updates automatically, relieving the user of
this task. The user has nevertheless to actively follow security
news, and actively install and maintain backups and anti-malware
software. In addition, constant attention is required in order to
recognise and prevent attacks through e-mail, websites etc. which
may lead to the infection of the device.
6.2 Attacks against
networks
49. Devices connect to various networks in order to reach
e-services over the Internet. It is more and more common to make
these connections wirelessly. Generally, entry points to networks
are either home routers, or public or private hotspots.
50. Common attacks against home routers try to gain access to
the router and either intercept the connections going through it,
or use the connection to raise further attacks against local or
remote devices. The main technological responses for routers consist
of enabling strong encryption of the wireless connections (currently
WPA2) with a strong password, securing the administrative interface
with a (different) strong password, and regular updates of the router
firmware. A recent usability response by router manufacturers is the
default activation of the wireless connection encryption, which
has led to a noticeable reduction of unsecured wireless home networks.
51. Attacks through public or private hotspots generally take
one of two forms: either the attacker gains controlling access to
the hotspot router, or he sets up another hotspot pretending to
be the legitimate one. In both cases, connections going through
the router can be intercepted. Hotspots are attractive targets for attackers
as many users are especially enticed by cost-free hotspots, and
underestimate the risks associated with them. Although technical
responses such as the employment of virtual private networks (VPN)
exist which might alleviate the risks connected to hotspots, they
are cumbersome or are sometimes even blocked by the hotspot.
52. Therefore the sensible personal response would be to find
an alternative, more secure means to connect to the Internet. In
the medium term, the proliferation of fast mobile Internet access
might lessen the problem with hotspots.
6.3 Attacks against
e-services
53. Gaining unauthorised access to the users' e-services
is certainly a main target for attackers. Access to most of these
services is still only dependent on simple security credentials,
such as username and a password, although some, notably e-banking
services, have developed more intricate schemes including single-use
passwords (transaction authentication numbers, TAN) and multi-factor
authentication (additional security credentials through various
technical means, such as mobile phone or TAN generators).
54. An often overlooked risk concerns the availability of the
user data stored by the e-service. Service providers might for example
not guarantee the confidentiality, integrity or availability of
the data, which leaves a risk that a direct attack against the e-service
itself might cause the loss of the user data. The appropriate technical
response is to have the data stored (backup) in more than one place
and to require the e-service provider to use regularly up-dated
security measures against attacks.
6.4 Attacks against
users
55. From the vantage point of an attacker, the user can
be successfully targeted in the same way as a device, network, or
e-service. These attacks are often subsumed under the term “social
engineering”, which can be defined as any “attack that uses social
means such as deception and manipulation in order to gain access
to information technology”. The phishing attacks, where malicious
e-mails try to entice the user to open an attachment containing
malware, to respond to a scam or to enter security credentials into
a fake e-service website fall into this category. For example, a
fake e-service website or a fake support e-mail invites the user to
send back the username and password “for security reasons”.
56. The most effective security response is non-technological
in nature, namely the secure handling of the username and password,
and caution against “phishing”. In contrast, technological responses
(for example automatic detection of phishing e-mails) have so far
proven largely ineffective against the countless variations of these
attacks.
57. Security risks may also stem from publicly accessible Internet
content which has been generated voluntarily by users. Such content
can be screened and collected by specific data-mining software.
A recent example is the Rapid Information Overlay Technology (RIOT),
which was developed by the American company Raytheon and has even
been used by public authorities for searching social networks in
order to profile people.
Note
7 Future risks: mobile,
cloud and Internet of Things
58. Mobile phones, especially smartphones, are computers
in the same way as laptop or desktop computers. They therefore share
similar vulnerabilities, threats and risks such as malware attacks.
But a number of characteristics of smartphones aggravate the challenges
inherent in mobile IT security.
59. These include:
- their
size, both in terms of physical size (ease of loss or theft) and
– compared to desktop or laptop computers – limited computing capabilities;
- the multitude of networking (mobile network, Wi-Fi, Bluetooth)
and other technical built-in capabilities (GPS, electronic payments
through near field communication);
- consequently, the complexity of the mobile operating system
with a heightened chance for vulnerabilities; and the large number
of applications (“Apps”) and uses.
60. Whereas cloud computing in general is aimed at business users
who might gain economic advantages by outsourcing various computing
resources (for example software, storage, execution time) to cloud computing
providers, current service offers such as Google services or Apple's
iCloud can be seen as the “consumer side” of cloud computing.
61. These offers integrate several otherwise independently available
services (e-mail, photo and video sharing, social networking, remote
storage, etc.) into one centrally accessed “cloud” ecosphere. Another characteristic
is the tight integration of software (web browser, operating system)
and devices (smartphone) into that ecosphere.
62. The consequences of cloud computing for IT security are twofold.
On one hand, there are claims that the personal data is better protected
against destruction in the cloud, as it is stored independently
from one device. Also, specific security features such as the remote
deletion of stolen devices or centralised authentication relieving
the user from memorising numerous passwords (assuming that the centralised authentication
is secure) can be seen as security benefits of cloud services.
63. On the other hand, some anecdotic evidence hints at possible
IT security problems. For example, a successful attack against the
centralised authentication opens access to all user data and services
available to the user. In the case of the incident involving the
Apple iCloud service, the attackers who successfully gained access
to a journalist's iCloud in summer 2012 were able to delete the
complete data stored on all his connected devices, including his
smartphone and laptop. This feature, proposed as a security feature
against theft, turned out to entail a severe security risk.
64. As cloud services are now including new IT security features,
it is possible that these might mitigate the inherent IT risks of
such centralised services. In any case, the user should carefully
assess the risks involved in such services.
65. Given the current problems with IT security, and the foreseeable
problems in already available technologies such as mobile Internet
access or cloud computing services, one may speculate what form
the IT security challenges will take with such potentially disruptive
technologies as the “Internet of Things”. Once everyday physical
“things” from home appliances to cars incorporate networked computing
capabilities, they may become targets or additional entry-points
for attacks. As those “things” with Internet are typically commercial
goods which require commercial services and allow the profiling
of a user (for example automated impulses for servicing the car,
repairing the heating, or replacing the toner in the printer), the
economic interest in an attack is obviously increased.
66. “Pervasive” or “ambient computing” may reach further into
the life of users, as computing and networking will be tightly integrated
to things, activities or even the human body, and “disappear” as
distinguishable technologies.
8 Steps towards enhanced
user protection and security
67. For nearly a century, consumer protection principles
have been established for traditional commerce of goods and services.
However, they are more or less absent in modern cyberspace. User
protection principles have been developed in some areas by the OECD
and the United Nations Commission on International Trade Law (UNCITRAL).
A few legal principles have been established by the United Nations,
the Council of Europe and, in particular, the European Union.
68. Co-operation between law-enforcement authorities should be
increased. This may require wider use of the Convention on Cybercrime
as well as international treaties on legal assistance such as the
European Convention on Mutual Assistance in Criminal Matters (ETS
No. 30).
69. Awareness of the latter norms and principles is rather low
among Internet service providers as well as users. In addition,
their legal force is rather limited. European Union law is, however,
in force in all European Union member States. Therefore, it seems
necessary to increase awareness of the already established legal standards
and seek to develop additional ones where there is a need.
70. Users buy computers or other devices and they subscribe to
Internet services. Those are typically commercial transactions between
a user and a commercial company. Based on this, users may have a legitimate
expectation that the goods and services they receive are without
defect and not potentially dangerous. Such a legitimate expectation
may require companies to sell their goods and services with certain precautionary
measures taken in favour of the security of their users.
71. For example, service providers can be expected to provide
encryption tools automatically (namely as a default option) and
free of charge. This will increase the security of users with regard
to passwords or other sensitive data. Modern computers or other
devices should have advanced anti-virus programmes set up automatically.
In addition, websites should disclose in a transparent manner if
they apply automatic signs or cookies to the access devices of users.
72. Companies may meet such standards voluntarily, but States
can usefully encourage or even prescribe them where deemed necessary.
In a globalised world, it is important to co-ordinate those approaches
among States, especially within Europe.
73. The Council of Europe is the first, and so far the only international
organisation to address cybercrime through an international convention.
The Convention on Cybercrime has also been signed by many States outside
Europe and is a model for more than 100 States worldwide. At the
Council of Europe conference on strategic priorities in the co-operation
against cybercrime (Dubrovnik, 15 February 2013), the ministers participating
adopted the following objectives:
- pursue cybercrime strategies to ensure an effective criminal
justice response to offences against and by means of computers as
well as to any offence involving electronic evidence;
- adopt complete and effective legislation on cybercrime
that meets human rights and rule of law requirements;
- strengthen specialised law-enforcement units and the specialisation
of prosecution services with respect to cybercrime and electronic
evidence;
- implement sustainable law-enforcement training strategies;
- support the training of judges and prosecutors on cybercrime
and electronic evidence;
- pursue comprehensive strategies to protect children against
online sexual exploitation and sexual abuse, in line with the Lanzarote
Convention;
- promote financial investigations and the prevention and
control of fraud and money laundering on the Internet;
- strengthen co-operation with the private sector, in particular
between law enforcement authorities and Internet service providers;
- engage in efficient regional and international co-operation;
- share our experience with other regions of the world to
support capacity building against cybercrime;
- promote adherence to the Convention on Cybercrime at global
level.
9 Examples of self-regulation
by market actors
74. In 2011, the European Advertising Standards Alliance
(EASA) released its Best Practice Recommendation on Online Behavioural
Advertising, which aims to ensure privacy protection across Europe.
Note The basic idea is to allow users
to identify online behavioural advertising via a uniform European-wide
icon. The icon shall be included in or around all online behavioural
advertisements and will signal to users that online behavioural
advertising is being used. The icon will be interactive, allowing
users to find out which companies are involved in serving the ad
and also to click through to a European-wide website. The website shall
provide information about online behavioural advertising in general
and means for users, in their national language, to exercise their
choice about whether they want to receive online behavioural advertising
ads.
75. This system, however, is not very effective, especially for
inexperienced users. Several dozens of companies have so far signed
the commitment – but by far not all providers of behavioural advertising.
The user would have to visit the many websites of the participating
companies and object to cookies used by these providers. He or she
would have to do this from all computers including mobile phones.
In addition, there is no regulation for the most stubborn “flash
cookies”, which do not embed themselves in the browser, but deeper
in the computer system and are very difficult to delete.
76. The Safer Social Networking Principles for the EU (2009) have
been developed by a number of social networking service providers
in consultation with the European Commission, as part of its Safer
Internet Plus Programme, and several non-governmental organisations
(NGOs). They aim to provide good practice recommendations for the
providers of social networking and other user interactive sites,
to enhance the safety of children and young people using their services.
The seven basic principles are:
- Principle
1: Raise awareness of safety education messages and acceptable use
policies to users, parents, teachers and carers in a prominent,
clear and age-appropriate manner
- Principle 2: Work towards ensuring that services are age-appropriate
for the intended audience
- Principle 3: Empower users through tools and technology
- Principle 4: Provide easy-to-use mechanisms to report
conduct or content that violates the Terms of Service
- Principle 5: Respond to notifications of illegal content
or conduct
- Principle 6: Enable and encourage users to employ a safe
approach to personal information and privacy
- Principle 7: Assess the means for reviewing illegal or
prohibited content/conduct.
77. The document contains some more concrete specific recommendations
for each principle. The document states, however, that, while providers
will support all seven principles, “it is for each provider to judge where
and how far to apply the document’s specific recommendations”.
78. The European Framework for Safer Mobile Use by Younger Teenagers
and Children (2007) has been signed by many European mobile providers
and content providers in order to ensure safer use of mobiles by teenagers
and children. It contains recommendations on safer mobile use, in
particular on access control mechanisms, raising awareness and education,
classification of commercial content as well as illegal content on
mobile community products or on the internet. Regular reports on
the implementation published by industry show some progress made
by mobile phone operators on their work to keep children safe while
using mobile phones.
79. Internet service providers as well as producers of Internet
access devices should be encouraged, supported and possibly obliged
to set up precautionary measures for the protection and security
of users and customers. This may be done through industry self-regulation
or a co-regulation based on a legal framework to be implemented
by industry action. Quality certification may be an important aspect
in this regard, for instance for tools against attacks on devices,
networks and services. The ISO (International Organization for Standardization)
in Geneva has produced a number of international technical standards,
such as the ISO/IEC 15408:1999, the Common Criteria for IT Security
Evaluation. For an effective and transparent protection of users
in a rapidly changing cyber environment, additional specific technical
standards should be developed, for example on software and hardware
security. Compliance with the latter ISO standards could serve as
a quality label, which can be recognised and trusted by users.
10 Conclusions
80. Greater awareness, transparency and accountability
are necessary for improving security in cyberspace. This is a challenge
for all stakeholders alike, the Internet industry, users and the
State.
81. For some IT security challenges, adequate technological responses
exist, some of which also have improved in usability. But the capability
of users to turn awareness and knowledge into appropriate actions hinges
on appropriate mental models, which have to be developed for IT
security. E-learning may be a useful and system-related tool in
this respect. Trusted institutional structures have to be established,
either by governments or the private sector, which support users
in making the appropriate risk assessment and offer concrete help,
similar to security policies and procedures and support staff in
organisations.
82. Anonymity of users is an issue for their direct accountability.
Large-scale surveying or monitoring of user behaviour on the Internet
is also unacceptable from a human rights perspective. Internet service
providers generally know the identity of their users through their
IP addresses or customer identification details. While law-abiding
Internet users should remain anonymous, law-infringing Internet
users must be identifiable. Where commercial web portals provide
a platform for law-infringing users, the operators of these portals
should be held liable unless they identify the law-infringing user.
83. National security services and law-enforcement authorities
can search and seize private online data within their jurisdiction
in accordance with domestic law and Article 8 of the European Convention
on Human Rights. Such interference must be proportionate to the
legitimate aim pursued, with national security being a legitimate
aim enumerated in Article 8.2. As the European Court of Human Rights
has consistently held, however, it is not enough that the interference
should merely be useful or desirable. Permanent and random interceptions
of private communications would be in violation of the principle
of proportionality and hence not compatible with the European Convention
on Human Rights.
84. User empowerment requires greater transparency of online service
providers and intermediaries. A lack of such transparency compromises
user protection and security. While transparency can be imposed
on commercial service providers and intermediaries, this may be
more difficult with regard to private social networks, peer-to-peer
services and user-generated content. Nevertheless, general principles
of transparency should be developed.
85. The Convention on Cybercrime protects the integrity of computer
networks. It may be necessary to analyse and possibly widen the
remit of such protection, in order to include also attacks on the
integrity through technical malware, as well as an intentional failure
to provide essential components necessary for the functioning of
computer networks in the public domain. For example, technical attacks
can stem from unsolicited messages or “spam”, automatic signs or
“cookies”, malicious software such as the external linking of computers
through “botnets”, as well as “flash cookies” which are embedded
deeper in the computer system and are very difficult to delete.
86. Public access points as well as “hotspots” for wireless Internet
access are typically weak points for user security, because they
can be used as an entry point for malicious software, hacking, data
manipulation or other attacks on the security of users. Mobile Internet
access may be more secure, where a single operator or service provider
functions as the contractual intermediary for a user.
87. Encryption can increase the secrecy of communications in cyberspace,
especially in wireless connections. In order to keep up with the
rapid progress in technical intrusions into communications, encryption software
needs to be updated and enhanced regularly. A default activation
of encryption will help less experienced users.
88. Commercial content should be made transparent and thus be
classified. Commercial service providers and intermediaries should
be barred from using fraudulent and deceptive commercial practices.
In this regard, it may be helpful to agree on a list of prohibited
commercial practices and on a Europe-wide benchmarking of quality
standards. The same may be applied to fair business advertising
and marketing practises. Sector-specific legislation can address
advanced user protection and security in a more targeted way, for
example for telecommunications, banking, insurance, financial instruments,
electronic payments as well as travel contracts. The use and technical
reliability of electronic signatures may be a relevant tool in this
context.
89. Through the international reach of online services, user rights
may be compromised by uncertainties in the jurisdiction of national
courts and the applicability of national laws. States should therefore
support mechanisms for online dispute resolution and redress, and
establish legal co-operation and assistance on the basis of public
international law.
90. Children are a high-risk group. Harm to children might be
caused by illegal or violent Internet content and contact with other
Internet users. In addition, children could harm themselves by posting
private pictures or data on the Internet or by bullying. Private
information and images are difficult to delete from the Internet, thus
causing a potential endless victimisation. The Internet is also
a potential entry point for outside dangers coming into a child’s
room. Also adults could be a danger for children, especially regarding
sexual abuse. It is therefore important to establish online help
systems for parents and children, as well as to support media education,
teacher training and peer-to-peer education.
