It is undoubtedly commonplace to assert that information and communication technologies (ICTs) are having a fundamental impact on our society. In this sense, the success of the ‘information society’ has been considered essential for Europe’s growth, competitiveness and employment opportunities. Making that success a reality nevertheless requires facing the persistent threat of integrity-related computer crime. More strikingly, the threat needs to be dealt with in the framework of the global challenge posed to criminal justice by the development and widespread use of new technologies.
Already acknowledging this situation, the Council of Europe presented for adoption in November 2001 the Convention on Cybercrime, also known as the ‘Cybercrime Treaty’. Open for ratification by the world at large and most notably recently ratified by the United States, the Treaty contains provisions regarding both criminal law and law of criminal procedure and criminal investigation, as well as regarding mutual assistance. Offences need to fulfil two general conditions in order to fall within its scope: firstly, to qualify as criminal offences and, secondly, to be committed deliberately and ‘without right’. They are divided into four main categories: 1) offences against the confidentiality, integrity and availability of computer data and systems, comprising illegal access, illegal interception, data interference, system interference and misuse of devices; 2) computer-related offences such as forgery and computer fraud; 3) content-related offences, in particular the production, dissemination and possession of child pornography (a protocol to the Convention covers the propagation of racist and xenophobic ideas); 4) offences related to infringement of copyright and related rights. Corporate liability for those offences is provided under certain conditions.
Notwithstanding the harmonization of substantive ICT criminal law, the aim of the Treaty is also to induce the ratifying countries to adapt their criminal procedural legislation to technological developments. In this sense, the Convention contains specific procedural rules about expedited preservation of stored computer data, a production order, search and seizure of stored computer data, the real-time collection of computer data, and jurisdiction. Moreover, the Treaty’s provisions set out a series of general principles concerning international co-operation, extradition, mutual assistance, and spontaneous information. In order to stimulate international co-operation, a series of rules are provided on extradition of suspects under specific conditions, as well as on the establishment of other forms of co-operation in the field of criminal investigation and prosecution, such as a network of contact points with 24/7 availability.
The Cybercrime Treaty was the first important international binding legal instrument to address the issue of cybercrime, but is no longer the only relevant transnational text for EU Member States. On 24th February 2005, the Council of the European Union (EU) adopted Framework Decision 2005/222/JHA on attacks against information systems (hereafter ‘the Framework Decision’), with the objective of improving cooperation between judicial and other competent authorities, including the police and other specialised law enforcement services, through approximating national rules on criminal law in the area of attacks against information systems. The Framework Decision is structured around the definitions of ‘illegal access’, ‘data interference’, and ‘system interference’ as criminal offences. Whereas the Convention gives participating countries considerable options to make reservations and to set extra conditions for the described acts to be a criminal offence, the Framework Decision is often thought to contain stricter obligations for EU Member States to take the necessary measures to comply with its provisions, imposing 16th March 2007 as the deadline for implementation. Nevertheless, the Framework Decision does leave Member States several options when implementing it, for example whether or not to require a ‘security infringement’ for penalising hacking, or to criminalize only ‘cases which are not minor’. In that respect, the Framework Decision is altogether similar to the Cybercrime Convention. The Framework Decision, however, is more limited, both in material and territorial scope, since it only covers a very select number of crimes and is only applicable to EU Member States.
Why did the EU come up with its own legislative initiative four years after the Cybercrime Convention? The title of the Framework Decision, its limited focus, and a comment it explicitly bears suggest that the EU approved it exclusively to combat computer crime harmful to the security of information systems and of their data. The truth is that the urgency felt in the EU to adopt such a text needs to be linked to the previous adoption of the Framework Decision on the European Arrest Warrant and the surrender procedures between Member States of the EU, adopted by the Council of the EU on 13 June 2002. Article 2(2) of this decision contains a list of 32 generic types of offences for which the possibility for examining double criminality is removed: those offences, if punishable in the issuing Member State by a custodial sentence or a detention order for a maximum period of at least three years and if defined by the law of the issuing Member State, shall, under the terms of the Framework Decision and without verification of the double criminality of the act, give rise to surrender pursuant to a European Arrest Warrant.
The removal of the double criminality requirement can pose serious problems for the requested Member State or for another Member State where the act was ‘committed’ if the acts covered by the list are not in fact (criminal) offences there. Moreover, the list provides extremely vague descriptions, containing references such as ‘sabotage’ or ‘racketeering’, generally not correlating to well-defined types of crimes. This situation can easily lead to abuse, either by negligence or by intent, making it possible for judicial authorities to treat as ‘listed’ facts acts that can reasonably be deemed not to fit the list, maybe hoping to obtain surrender with fewer data than otherwise required. The expression ‘computer-related crime’ is precisely one of those terms on the Article 2(2) list which is not defined. The open character of the cybercrime notion explains in this sense the need felt for the adoption of an EU definition, considered necessary in order to make the European Arrest Warrant fully operational.
The emergence of two different but overlapping cybercrime instruments in Europe invites a comparison between the two. In this article, we analyse both instruments to determine the added value of the Framework Decision over the more comprehensive Cybercrime Treaty. This is not only interesting in the context of the fight against cybercrime, but also in view of the wider debate on the relationship – competition or complementarity – of the ‘two Europes’.
This paper does not, however, provide a systematic, comprehensive comparison of the Council of Europe Convention and the Framework Decision, which would be a rather tedious exercise. Rather, it focuses in section 2 on a series of concrete cybercrime problems: hacking, data and systems interference, spam, spyware, identity theft and phishing. This is a rather personal choice, driven by what we consider particularly topical problems in today’s society. We place specific emphasis on the legal potential of both European legislative reactions to those threats, taking special care not to forget that, in practical terms, most of those acts are strongly interlinked. As the Framework Decision is not the only legal instrument configuring the policy response at the EU level, a wider overview of legal instruments is hinted at. Following this approach, the problem of policing cybercrime and criminal law in the era of cybercrime is considered as well, giving special attention to the need not only for suitable substantive legislation, but also for appropriate measures concerning criminal procedure and criminal investigation. The topical subjects of multi-loci problems and data retention serve the purpose of illustrating the discussion in section 3 of the paper. We end with a conclusion on the added value of the Framework Decision and on the merits of both European instruments at large in the fight against cybercrime.
2. Criminal law
2.1. Hacking, data interference, and systems interference
The goal of the Framework Decision is to deal with significant gaps and differences in national laws that may hamper the fight against organised crime and terrorism, and which also complicate police and judicial cooperation, in the area of attacks against information systems. In this sense, it explicitly evokes the fact that “the transnational and borderless character of modern information systems means that attacks against such systems are often transborder in nature, thus underlining the need for the approximation of criminal laws in the area”.
Concerning substantive criminal law provisions, the crimes contained in the Framework Decision do not differ strongly from their counterparts in the Council of Europe Treaty. There are, however, small differences in wording and logic. The Framework Decision covers three types of criminal offences: (i) illegal access to information systems, (ii) illegal system interference, and (iii) illegal data interference. Member States need to take the necessary measures to ensure that these offences are punishable when committed ‘intentionally’ and ‘without right’.
By virtue of the inclusion of the term ‘intentional’ – the same term is used throughout the Cybercrime Treaty –, Member States not requiring certain computer-related offences to be committed ‘intentionally’ in order to be punishable may consider changing their provisions in the field. Reference can be made, in this context, to the Belgian law on cybercrime of 28 November 2000, according to which ‘external’ hacking is punishable even if committed simply “knowingly”. However, there is no obligation to do so, since parties can take more comprehensive measures, e.g., criminalizing more activities than is required by the international instrument, including acts committed not intentionally but merely knowingly.
The rationale of the intentionality requirement resides perhaps in one of the specificities of cybercrime and related ICT security: the ease with which things are done on computer systems. It is, for example, easier to stray accidentally into an area one does not want to visit on a computer network than it is in real space; in other words, computer trespassing is more easily committed without an intent to trespass than house trespassing. Also, since computer data are intangible and rather volatile, they are easier to change or delete accidentally than are physical objects.
Similarly, the Framework Decision, like the Cybercrime Treaty, systematically includes ‘without right’ as a threshold for criminalization. This is particularly important from an ICT security perspective, since security needs to be tested with the very same techniques as those used by ‘cybercriminals’. Therefore, legal texts need to be particularly careful to exclude from their scope acts committed only for testing, diagnostic or equivalent purposes. In the cybercrime jargon, the activities of the ‘whitehats’ cannot be punished as those of the ‘blackhats’ or malicious hackers they are precisely aiming to combat – provided, at least, that the whitehats take care to conduct their security testing on some kind of lawful basis, for example, with consent of the owner of the information system.
Regarding illegal access to information systems, the Framework Decision establishes that Member States may decide that this offence will only be committed when access is obtained “by infringing a security measure”. This statement keeps the text in line with the Treaty, which also allows states to pose this condition in their provisions concerning the access to the whole or any part of a computer system ‘without right’.
Article 3 on illegal system interference obliges Member States to “take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor.” Regarding the specific Framework Decision’s definition of ‘system interference’, also known as ‘tampering’, it needs to be noted that it is broad enough to include, for instance, what is generally referred to as ‘disruption of information systems’, lately operated in a great number of cases through the technique known as Distributed Denial of Service (DDoS) attacks. This is an attack that blocks access to a computer system or network by a huge number of information requests coming from a huge number of sources, usually ‘zombie computers’ that a cybercriminal can control at a distance. It should be noted in this context that the definition is broader than the one offered by the Convention. Interestingly, the materiality issue has been dealt with by the EU text via the limitation to “at least for cases that are not minor”, making unclear the necessity for the reference to seriousness in “serious hindering or interruption”, especially as the goal of the provision is explicitly not to criminalize “minor nuisance or disruptions in the functioning of the services [which] should not be considered as fulfilling the threshold of seriousness”.
New in the Framework Decision is the liability for the crimes described ‘of legal persons’, ‘legal persons’ being defined as entities “having such status under the applicable law, except for States or other public bodies in the exercise of State authority and for public international organisations”. Appropriate penalties are imposed, such as (a) exclusion from entitlement to public benefits or aid; (b) temporary or permanent disqualification from the practice of commercial activities; (c) placing under judicial supervision; or (d) a judicial winding-up order. The Treaty simply states that legal persons can be held liable for criminal offences committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within it, based on: (a) a power of representation of the legal person; (b) an authority to take decisions on behalf of the legal person; (c) an authority to exercise control within the legal person.
The EU text, which explicitly establishes that criminal penalties should be “effective, proportional and dissuasive”, has been praised for not falling into the trap of ‘over-criminalization’ and for appropriately avoiding the criminalization of right-holders and authorised persons. The Framework Decision requires Member States to establish a maximum penalty of one to three years of imprisonment for the offences falling under its scope. The maximum penalty shall be of between two and five years when aggravating circumstances apply, namely when the offence was committed within the framework of a criminal organisation, has caused serious damage, or has affected essential interests.
The problem of spam is clearly not independent from the interference of information systems. Actually, spamming can be used both as a tool to recruit computers – ‘zombies’ – that will be active in information system attacks, and as one of the aims motivating those attacks, as networks of remotely controlled hijacked PCs – botnets – are one of the common strategies implemented to massively spread junk e-mails. In any case, it is nowadays well-known that spam causes much more trouble than simple annoyance to ICT users. Spam is often problematic because of its content, sometimes because of its volume, and, in this sense, it has been recognised that “spam is both a wasteful activity and one that poses a threat to the security and reliability of Internet communications”. Addressing the issue of spam seems also a pertinent way of fighting against cybercrime.
The term spam makes reference to different practices; the most generalised meaning of the term is unsolicited (‘junk’) e-mail sent via a Simple Mail Transfer Protocol (SMTP) server, but it can also refer to promotional or commercial postings to discussion groups or bulletin boards. Anti-spam measures have already been put in the forefront of political attention, at the EU and global level, but, nevertheless, and despite the widely admitted seriousness of the problem, attempts to legislatively curtail spam have been welcomed in contrasting ways.
The EU first dealt with unsolicited email in its Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, or e-Privacy Directive), in the belief that the Single Market requires a harmonised approach in the area. The text states that safeguards should be provided for subscribers of websites or bulletin boards against intrusion of their privacy by unsolicited communications for direct marketing purposes, in particular by means of automated calling machines, faxes, and e-mails, including SMS messages. Moreover, it is recognised that, if uncontrolled, the volume of spam may cause difficulties for electronic communications networks and equipment.
The e-Privacy Directive established at EU level the ‘opt in’ obligation. Article 13 provides that e-mail and SMS can only be allowed for marketing if customers / subscribers have given their prior explicit consent to the practice. An exception is provided for cases in which a customer relationship is already in place; in this case, the supplier is simply obliged to give the customer the opportunity to object, free of charge, to further use of the e-mail address. The implementation of the e-Privacy Directive has differed between Member States. Some impose fines for spam sent to both customers and businesses, others only penalise it when sent to individuals. Spain takes the view that messages can only be sent to those who have given their authorisation, but Denmark has banned the sending of messages unless the recipient has actually requested them. In the UK, participation in a draw would constitute consent to receive further e-mails.
As already hinted, spam is also indirectly dealt with by the Framework Decision, but only when the amount of email or its use is such that it could be considered a serious hindering of an information system. In that case, the activities of the sender are punishable under the scope of the Framework Decision if the system interference is intentional and caused damage to the legal or natural person.
None of the already existing anti-spam measures have succeeded in eliminating spam, nor does there seem to be any truly promising solution to make it disappear. Actually, it seems unlikely that even well drafted legislation will be capable of solving the problem. Nevertheless, it needs to be admitted that the main aspects of the spam problem (content-related, volume-related, and in relation to botnets) have at least been addressed at the legal level, which may have helped to control the impact of the phenomenon and to reduce the damage done.
The idea that unsolicited e-mails can transmit viruses has been globally accepted for many years. More recently, a phenomenon similar to viruses has emerged and infiltrated popular global consciousness: spyware. Spyware, currently part of worldwide concerns on security of public data, pertains to the ‘malware’ or ‘malicious software’ family, and its main special feature is that it is designed to obtain data from ICT users without their knowledge.
Acting without the knowledge of users is, indeed, an essential characteristic of spyware. In this context, it has to be noted that most ICT users are perfectly familiar with the idea that some of their practices are ‘being watched’. Indeed, more and more users are conscious of the traces we leave when connected to the Internet, for instance, and of the value that those traces can have for commercial organizations. Cookies, which facilitate the gathering of data by interested parties, are particularly widespread, as is the knowledge of the fact that the user can determine whether cookies are to be used or not in a certain terminal. Contrary to cookies, spyware acts as a hidden surveillance technology, and therefore users are not even conscious of the fact that their data are being collected.
Spyware is currently believed to be one of the most widely implemented examples of fraudulent spying, and no efficient measure against it seems to have been found yet, although a variety of approaches exist. From a technological perspective, spyware has traditionally been combated with anti-virus-like measures that have failed to reduce the impact of the problem; nowadays, other approaches such as the ‘whitelisting’ strategy are receiving increasing support, but they remain too user-unfriendly and little implemented to have a real global effect.
Directive 2002/58/EC deals with spyware from the perspective that terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users, requiring therefore protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. Spyware is considered as seriously intruding upon privacy. Any data collecting devices may only be allowed if installed and used for legitimate purposes and with the knowledge of the users concerned.
Concerning the Framework Decision, Article 3 can be considered relevant in this context, as it enumerates the categories in which an illegal system interference may occur. Nevertheless, it is probably Article 2, regarding illegal access to information systems, which will be more pertinent. In the Treaty, the use of spyware programs (installation and spying) is a criminal offence, since it often involves illegal access (Article 2) and illegal interception (Article 3) when there is, in the latter case, an interception ‘without right’ made by technical means, of non-public transmissions of computer data to, from or within a computer system. Additionally, and contrary to the Framework Decision, the Cybercrime Convention bears a special provision on ‘misuse of devices’, which explicitly mentions “the production, sale, procurement for use, import, distribution or otherwise making available of”, as well as possession of devices “including a computer program, designed or adapted primarily for the purpose of committing” the offences considered in the Treaty. If the spyware is used with the intent of unlawfully intercepting data of the user’s computer or network, it can be considered a device which falls under the scope of Article 6 of the Treaty. The provision has been criticised for its limited character, as it only applies to the cases where the software is distributed, possessed etc. with the intention of using it for criminal purposes and if it has been primarily designed for those purposes, but these limitations need to be understood in the context of the possible design of similar software for testing or similar practices, for instance.
2.4. Identity theft and phishing
The data collected through spyware will in most cases be used either for illegal profiling or for ‘identity theft’, an act that has been described as the illegal use of somebody’s identifying records or numbers, usually to obtain an economic benefit. Identity theft, regarded by some as “the signature crime of the digital era”, can actually take place with data collected in very different ways. As identification via Internet will often simply require the use of an easily interceptable password, the opportunities for identity theft are numerous, thus contributing to the popularisation of a crime to an extent that was not known in the off-line world.
Some Internet users might be aware of a series of risky practices that create opportunities for identity theft to happen, and certain authors have indeed interpreted the low disclosure rates for sensitive financial information such as credit card numbers on the Internet as a possible sign of consumer understanding of the phenomenon’s magnitude. However, maybe inevitably, consumers do provide this kind and other kinds of information that can result in identity theft or fraud, and they certainly do not always take all possible precautions.
The Data Protection Directive imposes in the EU a number of obligations on all data controllers, notably requirements relating to confidentiality and security of data. Appropriate technical and organisational measures must be taken to ensure an appropriate level of confidentiality and security, and obligations for service providers are also foreseen by the e-Privacy Directive.
To combat identity theft generally, biometric authentication seems to be receiving increasing support. The resources required to implement those systems on a large scale may still be an obstacle to their general use, but limitations of this kind are generally only temporary in the ICT world. In this context, it has to be underlined that wide implementation of biometric authentication systems would require rules providing special protection to avoid risky uses of biometric data. Indeed, password interception might pose a problem, but passwords can eventually be cancelled, changed, and renewed. Biometric data, on the contrary, would be irremediably jeopardised if used for a system not duly secured.
As indicated, the techniques employed by identity thieves to gather data are multiple, and range from spyware to sniffers and keylogging. Nevertheless, the data are more and more often obtained through the so-called ‘phishing’ technique. ‘Phishing’ messages pretend to be legitimate invitations to submit personal information, for instance as fake PayPal, e-Bay or banking requests, referring to fake websites or using the ‘cross-site scripting’ that exploits security weaknesses in legitimate sites to unlawfully collect data. A number of offences in the Cybercrime Treaty are pertinent to this phenomenon, notably illegal interception (of the data transmitted by the victim’s computer) and computer-related fraud (by using the stolen data to assume the victim’s identity). The Data Protection Directive and the e-Privacy Directive may also apply, at least to the extent that the practices constitute illegal processing of personal data. The Framework Decision has no specific provisions on identity theft nor on phishing, which is not illogical given its focus on attacks against information systems rather than on fraud, but which seems nonetheless a missed opportunity in the fight against cybercrime.
3. Criminal procedure and criminal investigation
The absence of a clear distribution of responsibilities to establish information security and to prevent cybercrime is perhaps one of the most important factors explaining the success of computer-related crime. The strategies more generally supported to ensure adequate information security and cybercrime prevention usually entail a mixture of legal, technological, and market-based solutions, as a strict law-enforcement agenda is in most cases believed to be unfeasible or inappropriate. The problems related to investigation and prosecution of cybercrimes are numerous and can even concern the lack of balance between expenditure, which can be very important, and the multiplication of small-impact victimizations distributed across numerous jurisdictions.
Although it has to be underlined that investigation and prosecution of computer-related crimes is especially challenging, it should be pointed out that ICT can also render investigation and prosecution of ‘traditional’ crimes particularly difficult. This is all the more so now that changes in the organization of criminal activity and global social transformations are slowly leading to a situation where the implications of digital networks are every day less limited to strictly computer-related crime. Criminal justice has to adapt to these changes by transforming substantive criminal law in order to cover new and transnational crimes, but also by examining provisions related to procedural law and criminal investigations. We will now address some of the challenges in the information society to criminal justice in relation to two concrete issues, multi-loci problems and data retention.
3.1. Multi-loci problems
There is probably no need to describe cyberspace as a new ‘social topology’ to acknowledge its structural and essential transnational dimension. In any case, organized crime groups have not waited for explorations of the conceptual implications of widespread use of the Internet to see how they could profit from the special nature of cyberspace. Very soon, they realised the potential of the absence of borders in the virtual world in contributing to the ‘free flow’ of crime and crime-related organisations, while the persistence of borders in the ‘real world’ still renders difficult, slow, expensive, or impossible the movements and cooperation of law-enforcement authorities. Always looking for the least risky way of obtaining maximum benefits, they quickly discovered the advantages of moving their home bases or at least part of their operations to ‘weak states’ that provide safe havens. Companies with servers located in those safe havens have on their side learnt the highly attractive force of positioning themselves as offering ‘bullet-proof hosting’, meaning that they guarantee their clients that their servers will not be closed down even if they receive requests of law-enforcement authorities.
The practical and legal difficulties encountered in investigations and prosecution related to crime and cyberspace are multiple and of varied types, especially if the crime or the investigation has a transnational dimension. Anonymity and encryption make difficult the tracing of communications, which generally do not follow a strictly national path but rather use servers based in different countries. This implies a need to solve questions of jurisdiction, as well as specific issues related to the gathering of evidence and mutual assistance in criminal matters. Language difficulties and lack of knowledge of foreign legal difficulties are other common obstacles. Cybercriminals are, of course, fully aware of all this, and focus precisely on exploiting those obstacles to make difficult and discourage police responses. The problem does not affect only cybercrime: it happens more and more frequently that relevant data for preliminary investigations and criminal proceedings are stored on foreign servers for other types of crimes as well.
The interference of information systems using remotely controlled infected and hijacked home PCs – the above-mentioned botnets – is an especially graphic illustration of a type of cybercrime that poses serious problems of location. The attack will use the information resources of thousands of computers – ‘bots’ or ‘zombies’ – located in numerous countries, and can be directed to a multitude of vulnerable terminals anywhere in the world. Cybercrime practices designed to render difficult the work of law-enforcement agencies also include, for instance, the use of distributed peer-to-peer networks, like Freenet or Tor, in which data are stored in a distributed way on computers across the world, sometimes even without the computer owners knowing which content is hosted on their system.
Concerning jurisdiction in particular, it needs to be pointed out that although cybercrime jurisdiction provisions are generally quite broad, negative jurisdiction conflicts may still occur. This can notably happen if the perpetrator of a cybercrime not directed at a specific set of computers is a national of a country that is a cybercrime safe haven from which he operates. Positive jurisdiction conflicts can also occur more often than expected.
The Framework Decision provides guidance for Member States confronted with cross-border cybercrime: a Member State has jurisdiction when the offence has been committed completely or partly within its territory, by one of its nationals, or for the benefit of a legal person that has its head office in that Member State. Jurisdiction shall include cases where the offender commits the offences when physically present on its territory (whether or not the offence is directed against an information system on that territory), as well as where the offence is committed against an information system on its territory (whether or not the offender is physically present on that territory).
Most notably, the Framework Decision also has a specific approach for the issue of positive conflicts. Indeed, where an offence would fall under the jurisdiction of more than one Member State and when any of the Member States concerned can validly prosecute on the basis of the same facts, they shall co-operate and decide which one of them will prosecute the offenders with the aim, if possible, of centralising proceedings in one Member State. Article 10(4) provides three options to determine which Member State should prosecute: in order of preference, the Member State shall be that in the territory of which the offences have been committed, or that of which the perpetrator is a national, or that in which the perpetrator has been found.
This sequential preference for exercising jurisdiction is more specific than the Cybercrime Convention, which does not provide any good guidance in the field of jurisdiction. It merely states that “when more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution”. According to the Explanatory Report, this consultation is not even obligatory: “Thus, for example, if one of the Parties knows that consultation is not necessary (e.g., it has received confirmation that the other Party is not planning to take action), or if a Party is of the view that consultation may impair its investigation or proceeding, it may delay or decline consultation.”
3.2. Data retention
The expression ‘data retention’ generally refers to the storage of data relating to telecommunications. These data can cover telephony, Internet traffic and transaction data. When mandated by governmental authorities, data retention usually occurs with the objective of storing traffic data in the event it could be useful during future criminal investigations.
In the EU, law-enforcement authorities have quite consistently expressed their support of mandatory systematic retention of communications data. The pressure was all the greater since data retention had been subject to strong limitations for decades. Since the first initiatives for harmonized data protection laws in Europe in the 1970s, regulation in this area had been guided by the idea of limiting retention: in essence, EU legislation has placed on data controllers the reverse obligation to keep data only for a limited period of time, and only for as long as storage is necessary for the original purposes of their processing.
Despite the pressure since the late 1990s, strongly reinforced after 11 September 2001, data retention is regulated neither in the Framework Decision nor in the Treaty, which contains only a data-preservation provision enabling law-enforcement authorities to instruct service providers to preserve specific data for the purposes of a concrete criminal investigation for a maximum period of 90 days. However, on 15th March 2006, the European Union adopted Directive 2006/24/EC, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. This Directive needs to be linked to the Conclusions of the Justice and Home Affairs Council of 19 December 2002, which underlined that, because of the significant growth in the possibilities afforded by electronic communications, data relating to the use of electronic communications are a valuable tool in the prevention, investigation, detection and prosecution of criminal offences, in particular organised crime.
The Directive requires Member States to oblige communications providers to retain data (1) to trace and identify the source of communications; (2) to trace and identify the destination of communications; (3) to identify the date, time, and duration of communications; (4) to identify the type of communications; (5) to identify communication devices; and (6) to identify the location of mobile communication equipment. The data must be available to competent national authorities in specific cases, “for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law”. The misuse of such retained data, i.e., a use not permitted under national law adopted pursuant to the Directive, must be punishable by penalties, “including administrative or criminal penalties, which are effective, proportionate and dissuasive”. The retention is specified for a period of between six months and two years, although, subject to notification to the Commission, Member States “facing particular circumstances that warrant an extension” may require data to be held longer.
At the time the Directive was passed, there were only three countries in the EU with legal data retention actually in force. Notably, Italy (whose government published a decree “with urgent measures to fight international terrorism” in July 2005) retained data for four years and Ireland for three years. The UK has an extensive system of data retention, under a voluntary agreement made with industry, but it had not yet been placed on a statutory basis. Belgium re-introduced the possibility of data retention on 13 June 2005 with a new telecommunications law, but the royal decree stipulating what kind of data should be stored, by which market parties and for what period of time was never issued. France had included in its Daily Safety Act an obligation for retaining data of electronic communications, but the implementation Decree, required to define which data should be retained, was only published in late March 2006. Given the variation in national legislations concerning data retention, which is a significant burden on telecommunications providers and hence a potential barrier to the free movement of services in Europe, it is perhaps not a bad development that data retention has now been approximated in the EU. However, the necessity and proportionality of mandatory data retention are contested, since there are few empirical studies to date that show that data retention effectively helps to reduce crime and terrorism. It is therefore to be applauded that the Data Retention Directive requires an evaluation within three years, among other things, on the “impact on economic operators and consumers”.
It is widely recognised that the specificity of cybercrime requires special action to be taken. Ensuring the participation in the global fight against cybercrime of stakeholders such as companies may help, as may raising users' awareness of the need to be careful with their computers in the face of malware, but the need for transnational legislative action in the field is clear. Harmonizing substantive criminal law represents a major step in the direction of coping with the borderless nature of computer-related crime.
The legislative response to cybercrime, nevertheless, cannot avoid also taking thoroughly into account non-substantive issues, specifically related to criminal procedure and criminal investigation. Approximated definitions of crimes and sanctions are a prerequisite for the effectiveness of international cooperation, but they are not the only condition that needs to be fulfilled. Jurisdictional questions will also play a critical role. In fact, aptly addressing the issues of criminal procedure and criminal investigation in relation to cybercrime might represent one of the most relevant contributions to the general development of criminal justice.
Considering the current legal instruments in the field, we have compared the Cybercrime Treaty and the Framework Decision on attacks against information systems from the perspective of various specific issues. We have seen that the instruments in many respects are comparable and that the Framework Decision to a considerable extent overlaps with the Treaty. Provisions of substantive criminal law do not differ markedly between both legal instruments – which is fortunate, as a matter of fact, given the approximating aims of both instruments.
However, in some respects, the Framework Decision has added value. In particular, the provisions regarding jurisdictional conflicts in the Treaty are especially weak, and those included in the Framework Decision turn out to be considerably stronger. The contribution to addressing jurisdictional problems can be considered, in this sense, the real added value of the Framework Decision and, therefore, the main added value element of the EU approach to the question. Whether it was worthwhile, for this purpose, to establish a Framework Decision with criminalizations that do not substantially add value to the Council of Europe Treaty’s provisions is a question we leave to public-policy scholars to answer.
The EU approach to cybercrime should, however, be seen as far more complex than is reflected by the mere content of the Framework Decision. The understanding of this approach benefits from a wide notion of cybercrime-related issues, allowing the identification of all relevant EU legal instruments both in the first and the third EU pillar. In the third pillar, the fight against cybercrime needs to be placed under the construction of the area of Freedom, Security, and Justice. Just as the adoption of the Framework Decision was a necessary step for the smooth implementation of the European Arrest Warrant system, the developments of the latter system will undoubtedly have an impact on the application of the former.
On a more critical note, the fact that the Framework Decision was identified by the European Commission as affected by Case C-176/03 of the Court of Justice of the European Communities regarding the distribution of powers in criminal matters between the European Commission and the Council of the European Union necessitates a reflection on the difficulties that legislating cybercrime can encounter at the EU level from an institutional perspective. Concerning the new EU approach to data retention, greeted by many with unconcealed scepticism and reserve, its concrete results will need to be carefully assessed, particularly in the light of its potential negative impact on data protection.
Having noted that there is added value in the EU approach to fight cybercrime in an area of freedom, security, and justice, it should be stressed that the Council of Europe’s Cybercrime Treaty, of course, also has considerable added value. It is much more comprehensive than the EU Framework Decision, and it has the additional merit of being open to any country around the world interested in participating – a unique feature also within the ambit of Council of Europe instruments. The recent ratification by the United States of the Treaty opens up the way to a much wider, possibly global, joint effort to combat cybercrime.
It is probably unrealistic to expect that there will someday be consensus concerning all measures required to deal with cybercrime, and it is even more unrealistic to ever expect a cybercrime-free cyberspace. The good news is, however, that there has been considerable progress in the search for common paths to address the question, and that these are based on a broad definition of cybercrime. To be sure, all problems related to cybercrime have not yet been addressed, or even discovered, but sharing a broad definition of cybercrime and having achieved considerable approximation of legislation are at least two essential steps in the European fight against this increasingly important new form of crime.
Paul De Hert is professor at the Vrije Universiteit Brussel and associate professor at Tilburg University (TILT); Gloria González Fuster is a researcher at Institute for European Studies (Vrije Universiteit Brussel); Bert-Jaap Koops is professor of Regulation & Technology at Tilburg University (TILT).
Commission of the European Communities, Communication from the commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions, Creating a safer Information Society by improving the security of information infrastructures and combating computer-related crime, COM(2000)890, Brussels, 26 January 2001, p. 1.
ETS No. 185, Convention on Cybercrime, Council of Europe, Budapest 23 November 2001. In this article, it will be referred to as ‘the Cybercrime Convention’, ‘the Convention’, or ‘the Treaty’.
The United States became a party to the Convention on Cybercrime on September 29, 2006. The Convention entered into force in the United States on January 1, 2007.
Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, O.J., 16.03.2005, L 69/67, § 1.
Council Framework Decision 2005/222/JHA, Art. 12(2).
“Criminal law in the area of attacks against information systems should be approximated in order to ensure the greatest possible police and judicial cooperation in the area of criminal offences related to attacks against information systems, and to contribute to the fight against organised crime and terrorism” (Council Framework Decision 2005/222/JHA, § 8).
Council Framework Decision on the European arrest warrant and the surrender procedures between Member States of the European Union, 13 June 2002, O.J. L 190/1 (18.07.2002).
Terms such as ‘cyber-crime’, ‘computer crime’, and ‘network crime’ have no universally accepted definitions. Part of the confusion arising from their use comes from the fact that criminals now use computers in the course of committing almost any crime. The computer’s role in an offence, however, can be characterized in one of three ways : as a tool, as a storage device, or as a victim. DOWNING, R.W., ‘Shoring up the Weakest Link : What Lawmakers Around the World Need to Consider Developing Comprehensive Laws to Combat’, Columbia Journal of Transnational Law, 2005, Vol. 43, no. 3, p. 711.
Council Framework Decision 2005/222/JHA, § 5.
Council Framework Decision 2005/222/JHA, Art. 2.
Council Framework Decision 2005/222/JHA, Art. 3.
Council Framework Decision 2005/222/JHA, Art. 4.
Moniteur belge, 3 February 2001.
VAN DE VELDE, P., ‘EU Council takes action against attacks on information systems’, Bird & Bird, 2005, 2, available at www.twobirds.com.
Council Framework Decision 2005/222/JHA, Art. 2.
Convention on Cybercrime, Art. 2.
Council Framework Decision 2005/222/JHA, Art. 3 & 4.
RASDALE, M., ‘Denial of Service attacks, Legislation for Robots & Zombies’, Computer Law and Security Report, 2006, Vol. 22 no. 3, p. 222-7
Council Framework Decision 2005/222/JHA, Art. 8.
Council Framework Decision 2005/222/JHA, Art. 1(b).
Council Framework Decision 2005/222/JHA, Art. 9.
Convention on Cybercrime, Art. 12.
Council Framework Decision 2005/222/JHA, Art. 6(1).
VAN DE VELDE, P., l.c., p.2.
Council Framework Decision 2005/222/JHA, Art. 6.
Council Framework Decision 2005/222/JHA, Art. 7.
MOUSAKAS, E., RANGANATHAN, C. & DUQUENOY, P., Combating Spam through Legislation : Comparative Analysis of US and European Approaches, Stanford University, 2005, p 1, available at http://www.ceas.cc/papers-2005/146.pdf.
WALL, D.S., ‘Can we can the spam ?’ Computers and Law, 2004, Vol. 14, Issue 6, pp. 14-16.
SORKIN, E., D., ‘Technical and Legal Approaches to Unsolicited Electronic Mail’, U.S.F. L. REV. 2001, Vol.35, l.c. , p. 339.
DEUTSCH, N., Literature search on Email Laws, University of Phoenix, 2004, p. 2.
DIMITROV, D., Spam - an experiment exploring the relation between the amount of spam received after registering in different websites, Chapel Hill, North Carolina, 2005, p.4.
MOUSAKAS, E., RANGANATHAN, C. & DUQUENOY, P., o.c., p 1.
STOWE, C., R., B., ‘Spam is Not Delicious – An Update on the CAN-SPAM Act of 2003’, ACET Journal of Computer Education and Research, 2004, Vol.2, N°.1, p.1.
The European Parliament and the Council, Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Directive 2002/58/EC, 12 July 2002, O.J., 31 July 2002, L 201/37.
Directive 2002/58/EC, l.c., § 40.
MOUSAKAS, E., RANGANATHAN, C. & DUQUENOY, P., o.c., p. 3.
MOUSAKAS, E., RANGANATHAN, C. & DUQUENOY, P., o.c., p. 4.
SORKIN, E., D., l.c. , p. 383.
NIXON, A., Policy and Legal Implications of Spyware and Data Privacy, Educause Quarterly, 2006, no. 1, p.1.
United Nations Conference on Trade and Development. E-Commerce and Development Report 2003 Internet edition prepared by the UNCTAD secretariat Chapter 3 : ICT strategies for development, p. 135.
‘Adware’, which is software designed to recurrently present unwanted adverts, also pertains to this category.
GARRIE, D.B. & KAUFMANN, S.B., ‘Warning: Software May be Hazardous to Your Privacy!’, Legal, Privacy, & Sec. Issues In Info. Tech., 2006, vol. 1, p. 249.
BLOOR, Robin, ‘The Extraordinary Failure of Anti-Virus Technology : Whitelisting Succeeds Where AV Has Failed’, Hurwitz & Associates, 2007, 17p.
GARRIE, D. & WONG, R., ‘Parasiteware : Unlocking Personal Privacy’, SCRIPT-ed, 2006, Vol.3, Issue 3, p.18.
Except, for example, when the spyware is part of a program that the user knowingly installs, and where the fact of the spyware being part of the program is mentioned somewhere in the small print of the licensing agreement.
LEENES, R., ID-related Crime: Towards a Common Ground for Interdisciplinary Research, Future of Identity in the Information Society (FIDIS), 2006, p. 23.
Mc CUTCHEON, M., Identity Theft, Computer Fraud and 18 U.S.C. § 1030(G): A Guide to Obtaining Jurisdiction in the United States for a Civil Suit Against a Foreign National Defendant, 13 LOY. CONSUMER L. REV. 48, 48 (2001) (discussing identity theft).
KEYSER, M., ‘The Council of Europe Convention on Cybercrime’, Journal Of Transnational Law And Policy, 2003, p. 291.
DUMORTIER, J., ‘Combining Personalised Communications Services with Privacy-Friendly Identity Management’, Proceedings of the 44th FITCE Congress Vienna, 1-3 September 2005, p. 142-146.
European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data O.J., L 281 of November 23rd 1995.
Article 4: “(1) Service providers should take appropriate technical and organisational measures to safeguard the security of their services, if necessary in conjunction with the network provider and having in regard the state of the art and the cost of their implementation”. According to the recitals, they have also the obligation to take, at their own cost, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service. (2) In case of a particular risk of a breach of the security of the network, the service provider must inform the subscribers of such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved. This information must be free of charge. According to the recitals of the directive, the service provider must also inform the users and subscribers of Internet communication services of measures they can take to protect the security of their communications, for instance, by using specific software or encryption technologies. Article 5 obliges Member States to guarantee the confidentiality of communication through national regulations prohibiting any unauthorised listening, tapping, storage or other kinds of interception of surveillance of communications and the related traffic data by persons other than users, without the consent of the users (except when legally authorised to do so, or when legally authorised for the purpose of providing evidence of a commercial transaction. In any case the subscriber or user concerned is provided with clear and comprehensive information in accordance with the Data Protection Directive). The confidentiality of communications applies both to the content of communications and to the data related to such communications.
LEENES, l.c., p. 105.
DE HERT, P. “Biometrics : legal issues and implications”, Background paper for the Institute of Prospective Technological Studies, DG JRC – Sevilla, European Commission, January 2005.
It can be pointed out that the technique of intercepting data sent for authentication purposes in systems protected by means other than mere passwords has already received a specific name, i.e. a ‘man-in-the-middle’ attack.
LEENES, R., l.c., p. 22.
MCCARTY, BILL. “Automated Identity Theft.” IEEE Security & Privacy, Sep-Oct 2003 (Vol. 1, No. 5) pp 89-92; see also : MITTAL, P., Cybercrime Case Study : Internet Bots in : Cybercriminal Activity, 2005, p. 18.
European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data O.J., L 281 of November 23rd 1995; and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector O.J.L 201 of 31 July 2002.
GRABOSKY, P., The Mushroom of Cyber Crime, Prepared for Presentation at the Symposium on The Rule of Law in the Global Village, Palermo, 14 December 2000, p. 3.
WALL, D.S., The Internet as a Conduit for Criminal Activity, in Pattavina, A., The Criminal Justice System and the Internet, Thousand Oaks, CA : Sage, 2005, pp. 77-98.
WALL, D.S., The Internet as a Conduit for Criminal Activity, l.c., p.90.
SCHNEIDER, V. & HYNER, D., The Global Governance of Cybercrime : Issue Space and the Transnational Policy Network, University of Konstanz, 2003, p. 4.
WILLIAMS, Ph., Organized Crime and Cybercrime : Synergies, Trends, and Responses, Distributed by the Office of International Information Programs, U.S. Department of State.
SMITH, R., G., Travelling in Cyberspace on a False Passport : Controlling Transnational Identity-related Crime, Volume 5. Papers from the British Society of Criminology Conference, Keele, July 2002. This volume published August 2003. Editor : Roger Tarling. ISSN 1464-4088. o.c., p. 11
SEITZ, N., ‘Transborder Search : A New Perspective In Law Enforcement ?’, Yale Symp. L. & Tech., 2004, Vol. 7, (23-40) p. 24.
BRENNER, S., W., & KOOPS, B.-J., ‘Approaches to Cybercrime Jurisdictions’, Journal Of High Technology Law, 2004, Vol. IV No. 1, p. 40
BRENNER, S., W., & KOOPS, B.-J, l.c., p 40.
BRENNER, S., W., & KOOPS, B.-J, l.c., p 41.
Council Framework Decision 2005/222/JHA, Art. 10(1).
Council Framework Decision 2005/222/JHA, Art. 10(2).
Council Framework Decision 2005/222/JHA, Art. 10(4). See also : VAN DE VELDE, P., l.c., p.3.
Cybercrime Convention, Art. 22(5). See also : BRENNER, S., W., & KOOPS, B.-J, l.c., p 42.
Explanatory Report to the Convention on Cybercrime, 2001, l.c., § 239, 2001 WL 34368783, available at http://conventions.coe.int/Treaty/en/Reports/Html/185.htm.
WARNER, J., ‘The Right to Oblivion: Data Retention from Canada to Europe in Three Backward Steps’, University of Ottawa, Law & Technology Journal UOLTJ, 2005, Vol. 2, p. 77.
Council of Europe, Project Group on Data Protection, Second evaluation of the relevance of Recommendation R (87)15 regulating the use of personal data in the police sector, done in 1998, (1999) at s. 5.2.3.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, O.J., 13.4.2006, L 105/54.
Directive 2006/24/EC, l.c., § 7.
Law n. 155, 31.07.2005, see also: Italy decrees data retention until 31 December 2007, EDRI-Gram, 2005, N° .16, available at http://www.edri.org/edrigram/number3.16.
Wet betreffende elektronische communicatie, 13 June 2005, Belgisch Staatsblad, 20.06.2005, p. 1503.
Décret No. 2006-358 relatif à la conservation des données des communications électroniques, Journal Officiel No. 73, 26 March 2006, p. 4609.
POCAR, F., New Challenges for International Rules Against Cyber-Crime, European Journal on Criminal Policy and Research, Springer Netherlands, 2004, Vol.10, no.1, pp. 27-37.
The Framework Decision is included in the list of the Annex to the Commission Communication to the European Parliament and the Council on the implications of the Court’s judgement of 13 September 2005 (Case C 176/03, Commission v. Council, COM(2005) 583 final).