A European Cybercrime Breakthrough Is Only Half The Battle

Cybercrime is a global challenge on a massive scale. If cybercrime were a country, it would have one of the largest economies in the world. Statista estimates that the cost of cybercrime was $8.15 trillion in 2023. Meanwhile, 37 per cent of large companies in the UK say they have experienced cybercrime in the past year.

Why is the cost of cybercrime so high? Because the first rule of cybercrime is that no one goes to prison.

Cybercriminals have reaped the benefits of a decade of virtual impunity largely due to the challenges of sharing data between law enforcement agencies who are working hard to police cyberspace within the constraints of real-world laws.

The difficulty of sharing data between the US and EU has been a major contributor to this impunity. But things may finally be changing for the better. After an eight-year negotiation, the EU has adopted a new legal framework – known as the eEvidence Regulation – to enable the preservation and sharing of electronic evidence between US platforms and EU law enforcement, as well as between EU member states.

Sharing electronic evidence – or any data – between the US and EU is surprisingly difficult. And it is not just cybercrime: more than 80 per cent of criminal prosecutions, including murder, human trafficking and other ‘offline’ crimes, rely on electronic evidence.

Most frequently, that data is held by platforms based in the US, such as Facebook, Google and Microsoft. 

EU member states and the US are close allies and like-minded democracies with a shared respect for the rule of law and human rights, but tensions have simmered since Edward Snowden’s revelations and have resulted in severely limited data sharing across the Atlantic. Of course, there is also the General Data Protection Regulation (GDPR) which introduced turnover-based fines and long-arm jurisdiction, adding to the complexity and tensions.

There are tensions in the domain name world too, particularly through the WHOIS, a free service that provides instant information about domain name registrations, including the name and address of the domain name holder or registrant. This issue has raged for over 20 years within the domain name system’s governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), swinging wildly between two extremes.

At first, human rights and data protection experts highlighted the risks to individuals whose name, address, phone and fax (yes, fax) numbers were exposed to the public without any opt-out. After GDPR came into force in 2018, all the personal data was redacted – for privacy reasons – to the dismay of public safety and brands.

WHOIS illustrates just how painful it can be to transition from voluntary systems to regulated frameworks.

WHOIS began as a technical protocol but its unintended usefulness to brand protection and law enforcement led to private law contracts requiring registries and registrars to provide a public WHOIS service.

Beyond the contractual requirements, it was largely voluntary measures that made the whole thing function – like the ‘reveal’ for registration data hidden behind proxies, or the rapid takedown of bad domains where there was a threat to life.

Despite the legal risks inherent in publishing personal data to the world, this system continued to function in Europe for two decades under the previous data protection framework. Even after GDPR was introduced, there were respectable opinions that WHOIS could stay: the data protection authorities had never levied fines against EU-based domain providers for publishing personal data under WHOIS; and regulations governing the .eu registry – overseen by the European Commission itself – specifically required public WHOIS provision.

But the risk calculus changed with GDPR. Faced with a new massive legal liability, companies simply dropped personal data from the service.

There is an obvious question to be asked: if everyone agrees on the need to share data to tackle real-world crimes, why has it proved so difficult to reach agreement and move forward? Eight years to negotiate the e-Evidence Act sounds like the worst kind of bureaucratic molasses.

My years of volunteer work trying to break the 20-year stalemate on WHOIS within the ICANN community have given me some insights into why it has taken so long. It is, put simply, the narcissism of small differences.

The phrase, coined by Sigmund Freud, is the idea that the more a community shares commonalities, the more likely people in it are to fall out with one another because of hypersensitivity to minor differences. Most people in the ICANN community agree on the fundamentals, but the WHOIS debates have descended into the worst kind of intractable family feud.

The rule of law is hard. For democracies, respect for human rights is not an inconvenience but a necessity; an insurance policy. Safeguards and oversights need to be baked into the public safety apparatus at every level, and those mechanisms tend to be local, closely reflecting their society and culture.

Moving from the intensely local to the inherently international nature of the digital environment is difficult. It takes time, especially in democracies where respect for fundamental rights is integral.

It has now been half a decade since the loss of WHOIS data and the grief experienced by law enforcement and brands shows no signs of abating. But resolve, it must. Privacy laws are not going to go away, nor should they. The only solution is to find a way to share evidence across borders in a way that respects rights – and that means the focus must fall on safeguards, oversight and due process.

Reaching agreement between EU member states in the e-evidence framework is an important step, and one that fits alongside other regulations and international agreements, such as the OECD principles, the Second Additional Protocol to the Budapest Convention and the NIS2 Directive.

The OECD process overcame a major roadblock between the EU and US on the form of oversight required to enable free flow of data. By emphasizing effective and impartial oversight of the relevant public safety bodies, the OECD principles create a results-based measure, rather than imposing one bloc’s preferred structure on others. This pragmatic approach could offer a way forward, at least between close allies like the EU and US.

But there is a wider problem. These are instruments between like-minded participants and many of the organized criminal gangs involved in cybercrime sit outside such frameworks, exploiting the limited geographical reach of the existing international agreements on cybercrime cooperation. Cybercrime is global in nature but criminal laws are still intensely local.

While like-minded people and nations are caught up in the narcissism of small differences, there are daunting differences, geopolitical competition and profound ideological clashes with other parts of the world that must be addressed to achieve real progress.

At the current pace of resolution, cybercriminals can feel confident they will not be seeing a prison cell any time soon.

Emily Taylor is Associate Fellow, International Security Programme at Chatham House.
