Data Protection and CybercrimeThe dilemma of Internet Service Providers

CEENET Workshop22 September 2002

Joe McNameeRegulatory Affairs Manager, EuroISPA

22 September 2002 CEENET Workshop Slide: 2

Introduction• EuroISPA was born on 6 August 1997 in Brussels

• Pan European association of ISP associations in EU Member States.

• Grown from 6 to 9 members since its inception.

• Represents an estimated 800 ISPs across the European Union.

• Put simply, it is the largest ISP Association in the world.

22 September 2002 CEENET Workshop Slide: 3

Aims• Protect and promote European interests within

global Internet.

• Deliver benefits of new technologies to individuals whilst meeting legitimate concerns of parents and weaker members of society.

• Encourage development of free and open telecommunications market.

• Promote the Interests of our Members and provide common services to them.

22 September 2002 CEENET Workshop Slide: 4

AEPSI

AFA

AIIP

ISPA AT

ECO

ISPAI

NLIP

ISPA UK

Members & PartnersFull Members International Partners

Associate MemberLINX - London Internet Exchange

US ISPA - United States Internet Service Providers Association

APIA - Asia & Pacific Internet Association

IIA - Australian Internet Industry Association

CAIP - Canadian Association of Internet Providers

HKISPA - Hong Kong Internet Service Providers Association

TELESA - Telecom Services Association, Japan

ISPA SA - Internet Service Providers Association South AfricaECOMLAC - Latin America and Caribbean Federation for Internet and Electronic Commerce

22 September 2002 CEENET Workshop Slide: 5

An important distinction...

HARMFUL

vs

ILLEGAL

22 September 2002 CEENET Workshop Slide: 6

The Internet is full of surprises

• Age Anonymous• Gender Anonymous• Identity Anonymous• Not easily traceable• Many different

technologies• Changing and growing

22 September 2002 CEENET Workshop Slide: 7

Introduction• Data protection: the obligations of ISPs• Law enforcement: the obligations of ISPs• The problem of the ISP ‘in the middle’• The legal framework to the rescue?• Conclusion: every option is the wrong one

22 September 2002 CEENET Workshop Slide: 8

ISP Issues with cybercrime• Legal and Technical Framework

– illegal vs harmful

• Interception• Data Retention – integrity and security• Liability-issues• Expedited Retention/Interception• Data Protection• Cost Sharing• Disruption of normal business

22 September 2002 CEENET Workshop Slide: 9

ISP Role in Law Enforcement• Log file retention• Technical Advisor• Expert Witness• Notice & Takedown Procedures• Mutual Legal Assistance• Interception• Evidence Preservation

22 September 2002 CEENET Workshop Slide: 10

Data Protection• The protection of consumer’s private data

– is an obligation for ISPs, – is a prerequisite for keeping customers’ trust and

staying in business.

• ISPs have every incentive to take every possible measure to protect consumer’s personal data, however...

22 September 2002 CEENET Workshop Slide: 11

Law enforcement

• ...ISPs also have legal obligations to aid law enforcement in the combat and prevention of cybercrime.

• BUT: Law enforcement officials may consider data protection a secondary concern, and often make demands on ISPs that effectively assume data protection violations by the ISPs.

22 September 2002 CEENET Workshop Slide: 12

The problem• ISPs responsibilities to the consumer (its

clients) • ISPs responsibilities to help fight cybercrime

CONFLICTING DEMANDS on ISPs: what to do?

22 September 2002 CEENET Workshop Slide: 13

Answers from the legal framework?• The legal environment in which ISPs find themselves

with respect to these two issues is VERY complex and, at times, arbitrary:– 95 Data Protection Directive

• Implementation

– E-commerce Directive• Implementation

– New Communications Package (forthcoming)– National sets of laws, regulations– UNCERTAIN LEGAL FRAMEWORK

22 September 2002 CEENET Workshop Slide: 14

Privacy Conclusions• ISPs are stuck in a trap with the demands of

consumers, data protection authorities and reputation on the one hand…

…and the demands of law enforcement officials on the other.

• The problem is compounded for ISPs operating in more than one Member State as data protection attitudes, laws and practices vary considerably from state to state.

22 September 2002 CEENET Workshop Slide: 15

Activities• G8 – Cybercrime • Council of Europe – Cybercrime convention

• EU – Directives, Policy, Data Protection

• UN – Cybercrime

• ICRA – Internet Content Rating Association

• INHOPE – Internet Hotline Providers in Europe

• Europol• Interpol

22 September 2002 CEENET Workshop Slide: 16

Other Content Liability issues• Copyright Directive - temporary internet files• Electronic Commerce Directive

– Mere Conduit– Caching– Hosting– No obligation to monitor

22 September 2002 CEENET Workshop Slide: 17

Competition Issues• All accession countries have completed

“telecoms chapter”• Framework Directive• Access and Interconnection Directive• Licencing and Authorisation Directive• Telecoms Data Protection Directive• The chapter has been completed so

everything is okay then?

22 September 2002 CEENET Workshop Slide: 18

Competition Issues• Local loop unbundling is a mess• Leased line provisioning is a mess• Numerous complaints about interconnection

for ISPs.• Having the legislation is one thing - having

effective,

Contact Points:

Joe McNamee

European Affairs Manager , EuroISPA

Secretariat@euroispa.org

T: +32 2 503 2265F: +32-2-503 4295

W: www.euroispa.org