The core part of this last day was a whole block on Cloud Computing. There were different presentations on the subject and then a panel discussion, which I had the opportunity to be part of. There are a few key conclusions for the cloud from my point of view:
- Looking at the presentations (mainly done by “Cloud Specialists), there is a huge gap between the lawyers and the IT security people. The presenters – in my opinion – were unable to explain the cloud to a lawyer. The presentations (and some of the statements) were very good – if you have an IT background but with a legal background and not being too IT literate (as most of the judges and prosecutors are), I guess they still do not know more about the cloud than before – a missed opportunity.
- We have therefore to find a common language. We have to be able and willing to channel our excitement and explain it to non-IT people. I once had a manager who told me that I have to be able to explain something to a 6-year-old child. We have to bring the cloud to that level. A lot of people I talked to do not understand the difference between Windows, Internet Explorer and Facebook or Twitter. That’s one and the same. And to be clear – they are not dumb. I have the same problem when they try to explain me the details of the Cybercrime Convention and the application within European and local law.
- The industry performs poor (I am kind of stuck in the communication channel). We either oversimplify (oh, security is solved in the cloud as the pros take care of – the typical message of one of the biggest cloud provider) or we ad too much complexity – this has to change.
- The panel has been in agreement that international – even global rules are needed for the cloud and the corresponding rules and regulations. One of the panelists compared it with Maritime or Air Traffic legislation. This is regulated on a global basis. Something similar is needed.
Finally, the conference always concludes with key messages and summaries from the workshops. The strongest one – I had the feeling – was the once for ICANN (see highlighted below). That’s the excerpt from the final document:
In this connection, participants in the conference underline that:
- For security and the protection of rights to reinforce each other, measures against cybercrime must follow principles of human rights and the rule of law.
- Security and the protection of rights is the responsibility of both public authorities and private sector organisations.
- Broadest possible implementation of existing tools and instruments will have the most effective impact on cybercrime in the most efficient manner.
Following detailed discussions, participants recommend:
- Making decision makers aware of the risks of cybercrime and encouraging them to exercise their responsibility. Indicators of political commitment include steps towards the adoption of legislation and institution building, effective international cooperation and allocation of the necessary resources.
- Implementation of the Budapest Convention on Cybercrime worldwide to sustain legislative reforms already underway in a large number of countries. Countries should consider becoming parties to make use of the international cooperation provisions of this treaty. Consensus on this treaty as a common framework of reference helps mobilise resources and create partnerships among public and private sector organisations. In this connection, the ratification of the Budapest Convention by Azerbaijan, Montenegro and Portugal prior and during the conference, and the expression of interest to accede by Argentina and other countries serve as examples to other countries.
- Establishing the Budapest Convention as the global standard goes hand in hand with strengthening the Cybercrime Convention Committee (T-CY) as a forum for information sharing network, policy-making and standard-setting. It is encouraged to address issues not (exhaustively) regulated by the provisions of the Cybercrime Convention such as electronic evidence, jurisdiction and liability of ISP’s.
- Coherent and systematic training of law enforcement, prosecutors and judges based on good practices, concepts and materials already available.
- The establishment and strengthening of high-tech crime and cybercrime units, and incidents response and reporting teams and systems.
- The development of cooperation procedures between law enforcement agencies, CERTs/CSIRTs as well as internet service providers and the IT industry.
- Due diligence by ICANN, registrars and registries and accurate WHOIS information. Endorsement of the “Law Enforcement Recommended Amendments to ICANN’s Registrar Accreditation Agreement (RAA) and Due Diligence Recommendations” in line with data protection standards. ICANN is encouraged to implement these recommendations without delay.
- The many networks and initiatives against cybercrime that exist already create a dynamic and innovative environment involving a wide range of actors. Stronger networking among networks is encouraged to allow for synergies and reduce duplication. The mapping of networks exercise initiated by the Council of Europe should be continued.
- A contact list for enhanced cooperation between industry and law enforcement should be established. A proposal for a secure portal for interest parties is in preparation.
- Initiatives aimed at preventing, protecting and prosecuting the sexual exploitation and abuse of children are most valuable but require stronger support and consistency. The “Lanzarote” Convention of the Council of Europe (CETS 201) offers guidance in this respect and provides benchmarks to determine progress.
- Making use of the guidelines for law enforcement – ISP cooperation adopted at the Octopus Conference in 2008.
- Completion and broad dissemination of the results by the Council of Europe of the typology study on criminal money flows on the Internet that is currently underway.
- In order to meet the law enforcement and privacy challenges related to cloud computing existing instruments on international cooperation – such as the Data Protection Convention (CETS 108) and the Budapest Convention – need to be applied more widely and efficiently. Additional international standards on law enforcement access to data stored in the “clouds” may need to be considered. Globally trusted privacy and data protection standards and policies addressing those issues need to be put in place and the Council of Europe is encouraged to continue addressing these issues in its standardsetting activities as well as by the Global Project on Cybercrime.
It was – once more – a very good conference. That the collaboration became closer could be seen as well that there was no single session the private sector was excluded. Talking about the private sector. It is a real shame that quite some key players from the industry are still not very active to support such activities. Just joining the conference does not solve the problems.