In a tweet, EU commissioner for the Information Society Neelie Kroes congratulates OPTA on the spam fine for the golf ball printing company Backsound. Since 2004 the Dutch OPTA is the number one spam and malware fighter of the EU with a total of €1.9 million in fines. It made me ask two question to myself:
How come that we seldom hear of other spam fines in the EU? And can the EU change this in any way? I am not going to speculate on the first question. The second one is after all much more interesting.
Spam and the damage done
I know that some of OPTA’s colleagues work on this problem, but on the other hand there are too many countries that do not have anything to show except the implementation of the e-privacy directive art. 13 and a nominal enforcement agency. This “surprises” me for several reasons. When the EU wrote spam legislation circa 2001, spam was mostly a nuisance. Since then spam has become a root of many evils. Those who have seen my presentation ‘From spam to warfare’ know how intricately spam and crime have become intertwined. The creation of botnets and zombie computers have made countries, industry and end users alike vulnerable to attacks of different sorts. A country should protect itself, the economy and it’s citizens, so why not start at the root: spam and malware? If the source is not taken away, the problem only grows, with more money spent on security as a result. This form of security is built on quicksand.
The weakest link
Countries that do not step up efforts in fighting spam, malware and cyber crime nor work on cyber security in all earnest, become liabilities for other nations. Criminals can use the infrastructure of those countries without hindrance, while they remain highly vulnerable themselves to cyber attacks and hacking as well. The weakest link in the chain in the end determines how safe the EU is.
Possible ways forward
Some ideas for DG Information Society to seriously look in to:
1. Install a head of spam enforcement agencies meeting
Spam and malware agencies are very different in character. Privacy commissioners, consumer authorities, telecommunication authorities, ministries, police, etc. In some members states there are up to four authorities involved with spam and malware investigations. They each fall under different EU DGs, Infoso, Home Affairs, Sanco, Justice, or under the Council itself. Heads never meet as spam authorities. So on spam and malware nothing is coordinated, prioritized, harmonised, discussed at a decisive level. This has to change in order to give the fight against spam (related cyber crime) more body.
2. prioritize the topic at the highest level
Only if nations are made to understand the risks involved in spam and the dependency on each other for mutual cyber safety and security it is possible to change the course of cyber crime and cyber security for the better.
3. Coordinate between member states
Cyber crime and spam are cross border phenomena. A EU coordination centre for spam and malware would:
a) give a boost to investigation in the respective member states;
b) raise the level of knowledge and investigations;
c) force countries into action;
d) push back spam and cyber crime in the EU member states;
e) enhance cooperation on the most difficult cross border spam cases.
The new ENISA could be equipped to have this role. Also it would be wise to interact strongly with the EU cyber crime centre to be. Both are to start in 2013, I understand. Spam, malware and cyber crime interact in such a way, that close cooperation between the two centres will offer opportunities and a synergy the EU may not want to miss.
4. Train representatives
The EU could invite representatives from the respective enforcement agencies on the highest level for training and awareness raising sessions.
5. Do a survey on investigative tools and budgets
By not only looking at the law enforcement bodies work with, but specifically at the investigative tools that they are to work with, it is possible to see whether an agency can actually investigate spam and/or malware successfully. There are several agencies that truly lack any powers needed for investigations. The budget for fighting spam is also telling.
6. Tackle cross border investigation hinder
The EU needs to start looking into ways that make investigations with cross border components -and spam investigations usually have these- within the EU easier and more swift(, without infringing on national jurisdiction).
7. Public – private cooperation
In order to make this a success it is necessary that two things become clear:
a) what are sincere arguments of industry and how can they be dealt with accordingly by governments and/or regulators?;
b) who stands what to gain from cyber crime and may have a different perspective or incentive against cyber crime mitigation then expected?
8. Declare a spam fine valid in all member states
If a fine for spam or malware is given in one member state is valid and collectible in other member states, this would drop a major hindrance to cross border investigations. Cases do no longer need a referral, e.g. to member states that are not well equipped to fight spam or malware.
9. What makes a spam violation?
If the perpetration is not only the moment of sending or the commissioning of spam, but also the moment it is received on the desk- or laptop, cell phone, tablet, etc., this could make the decision to investigate different for an LEA. The violation is made in her own country and not abroad. Combined with ad 8., this would make all spam and malware violations equal within the EU. A spammer does not get away because of a cross border jurisdictional issue between member states.
The bigger picture
Looking at all this, the question rises in my mind in how far can spam, malware, identity theft, cyber crime and security breaches still be seen as loose components, spread out over different DGs? Can the EU afford to have different approaches, different priorities and cases handled, while they are so deeply entwined at the criminal side of the fence? What do you think?
Wout de Natris, De Natris Consult
Leiderdorp, 18 April 2011