Europol report: Insistence on data retention contradicts the threats presented
Europol has published its Internet Organised Crime Assessment (IOCTA) (PDF). The report assesses the cybercrime landscape and describes how threads have changed over the last two years.
Patrick Breyer MEP (German Pirate Party / Greens/EFA) and digital freedom fighter, comments:
“Europol’s support for indiscriminate data retention does not reflect the facts. The agency’s report identifies real threats that can’t be addressed with data retention or any other means of blanket mass surveillance of all citizen’s communication data. It is time for Europol and the European Union in general to refocus on targeted investigations and strenghening civil society.”
Europol’s role in the “Going Dark” program (#EUGoingDark)
In the report the European Union’s law enforcement agency focuses on cybercrime-as-a-service, underground communities, criminal markets for stolen credentials and victim data as well as on fraud strategies.
As member of the High-Level Expert Group on access to data for effective law enforcement which is also know as the “Going Dark” program Europol is tasked to “contribute to integrating a law enforcement perspective, including privacy and data protection requirements, in all relevant EU policies and actions (‘security by design’)” and to “explore how security by design could be a standard requirement in the development of new technologies.” Most pressing “challenges” identified are: Encryption (access, en clair, to stored content and digital communication data), data retention of localisation data and roaming data, as well as anonymisation, including VPN and Darknets. (Council document 8281/23 PDF)
Europol is a strong proponent of reintroducing provisions on the indiscriminate retention of citizen’s communications metadata such as IP addresses. In 2018 the agency was unsuccessful with a “Data Retention Matrix” – a proposal to introduce data retention in the European Union. (WK 3005/2018 INIT PDF)
Organised criminals can circumvent data retention – most law-abiding citizens cannot
According to the Internet Organised Crime Assessment Europol observes “a high level of specialisation inside criminal networks” and the agency faces the development that “[o]ffenders (…) mask their actions and identities as their knowledge of countermeasures increases.”
Patrick Breyer MEP comments:
“Europol’s report confirms the fact that blanket data retention is unsuitable for fighting organised crime because it can easily be circumvented, for example by using anonymisation services. What is needed instead of bulk storage of citizen’s communications meta data are fast, well equipped and targeted investigations.”
The role of Internet Service Providers
In the report, Europol presents Internet Service Providers as service providers for crimes: “Many Internet Service Providers (ISPs) frequently used by criminals do not engage in extensive customer monitoring practices such as Know-Your-Customer (KYC) procedures and storing of customer and metadata (e.g. IP address)”
Patrick Breyer MEP comments:
“Europol places Internet Service Providers under general suspicion and seems to expect them to violate privacy legislation. We have a right to use the Internet anonymously! Targeting ISP’s privacy policies is like generally blaming landlords for domestic violence.
The task and duty of Internet Service Providers in democracies is to enable citizens to communicate securely and confidentially.”
Child grooming
The report finds that “[c]hild sexual exploitation offenders make extensive use of social media to engage with their victims, interacting with them often behind a false identity. (…) Child sexual exploitation offenders groom victims in order to obtain sensitive information that can be then exploited for extortion purposes.”
Patrick Breyer MEP comments:
“In fact Europol’s report rightly underlines the need for better education and training of (potential) victims, especially children and teenagers. Instead of data retention and other means of mass surveillance, we need more competent and better equipped social workers, training young people on perpetrator strategies and how to defeat them, anonymous online counselling, awareness programs, privacy-friendly design of social media platforms and other measures that actually address the
problem.”
Prevent data theft
Addressing the economics of cybercrime Europol finds that “the central commodity of this illicit economy is stolen data”.
Patrick Breyer MEP comments:
“Europol’s report underlines the importance of privacy, anonymity and encryption to protect citizens from identity theft and other crimes. Bulk retention of personal data provokes hacks and leaks. Only data that is not being stored is secure data.”