SELECTED ISSUES: CYBERCRIME, TECHNOLOGY AND
SURVEILLANCE
INHOUDSOPGAVE
Selected issues: cybercrime, technology and surveillance ............................................................................. 1
Introduction ............................................................................................................................................... 4
Cybercrime: policy & legislation ................................................................................................................ 13
1) Council of Europe: cybercrime convention (= Budapest convention) ........................................................ 14
(First) Additional protocol concerning the criminalisation of acts of a racist and xenophobic nature
committed through computer systems ......................................................................................................... 20
European Union .................................................................................................................................................. 22
A) Directive 2013/40/EU on attacks against information systems ........................................................... 23
B) Directive (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment .... 25
Illegal content online: the role of private actors ........................................................................................... 28
Towards a convention at UN level? ............................................................................................................... 32
New technologies & law enforcement ............................................................................................................... 34
Introduction ................................................................................................................................................... 34
Internet of things (IoT) ................................................................................................................................... 37
Drones ............................................................................................................................................................ 39
CCTV ............................................................................................................................................................... 40
Biometrics ...................................................................................................................................................... 42
Track & trace .................................................................................................................................................. 42
Critical discussion & conclusion ..................................................................................................................... 43
New technologies & law enforcement: policy & legislation............................................................................... 44
Focus on privacy & data protection (in the context of law enforcement activities) ..................................... 45
Spotlight on facial recognition ....................................................................................................................... 58
Challenges for LEA Spotlight on deep fakes and Generative AI .................................................................... 64
Surveillance, intelligence and security ....................................................................................................... 67
background & introduction ................................................................................................................................ 67
US & Five Eyes ................................................................................................................................................ 67
EU & Member States ..................................................................................................................................... 70
EU data protection ............................................................................................................................................. 71
essentials & relevance ................................................................................................................................... 71
CJEU case law ................................................................................................................................................. 72
CJEU data retention-collection-storage standards ........................................................................................ 73
Privacy Shield EU-US........................................................................................................................................... 73
intelligence access & use ............................................................................................................................... 73
LE or public interest access & use.................................................................................................................. 74
Towards selective data retention? (including at EU level) ................................................................................. 75
Legal barriers for a plan B (selective retention): ........................................................................................... 75
PLAN B - checklist: evidence, feasible, lawful? .............................................................................................. 76
PLAN B - possible selectors or discriminants (not limited) ............................................................................ 77
1
,Spotlight: online child sexual abuse and cyberviolence .............................................................................. 78
ONline child sexual abuse................................................................................................................................... 78
united nations..................................................................................................................................................... 80
Council of europe................................................................................................................................................ 81
European union .................................................................................................................................................. 86
Cyberviolence ..................................................................................................................................................... 98
Volodina v. Russia .......................................................................................................................................... 98
AI legal perspective on AI & Law Enforcement ........................................................................................... 99
Police technology.............................................................................................................................................. 129
Police technology: a long history ................................................................................................................. 129
Police technology: changing times .............................................................................................................. 129
Contemporary police technology ................................................................................................................ 130
Predictive policing ........................................................................................................................................ 130
Examples: place-oriented ............................................................................................................................ 131
Examples: person-oriented.......................................................................................................................... 131
Legal & ethical issues ....................................................................................................................................... 133
Bias & inaccuracy ......................................................................................................................................... 133
In practice .................................................................................................................................................... 135
Opacity & unaccountability ......................................................................................................................... 135
Data protection ................................................................................................................................................ 136
Relevant provisions (LED) ............................................................................................................................ 137
Human rights .................................................................................................................................................... 138
Privacy & data protection ............................................................................................................................ 138
Fair trail & due process ................................................................................................................................ 139
Freedom of speech & association................................................................................................................ 140
Non-discrimination & equal treatment ....................................................................................................... 140
A new development – AI Act ............................................................................................................................ 141
module 6: Jurisdiction & e-evidence ........................................................................................................ 144
Jurisdiction & e-evidence: the issue.................................................................................................................. 144
Cross-jurisdictional e-evidence ......................................................................................................................... 145
EU (current framework; cross-border access) ............................................................................................. 145
EU-US (ECPA; the CLOUD Act) ..................................................................................................................... 145
Cases and Clashes............................................................................................................................................. 146
Google Spain; Microsoft Warrant; Facebook; Yahoo! & Skipe Belgium...................................................... 146
Competing, legitimate interests/rights at stake .............................................................................................. 147
Fundamental rights considerations & concerns ............................................................................................... 148
Solutions ........................................................................................................................................................... 149
EU: practical measures / legislative measures: 2023 Regulation + Directive.............................................. 149
Coe level: Budapest Convention; guidance note to art. nd Additional Protocol ................................ 154
Module 7: Cybersecurity: policy & legislation .......................................................................................... 155
The EU’s cybersecurity strategy for the digital decade ............................................................................... 156
Directive (EU) 2016/1148 concerning measures to ensure a high common level of network and information
security across the Union (NIS Directive) ......................................................................................................... 158
2
, NIS Directive................................................................................................................................................. 158
CSIRTs ........................................................................................................................................................... 159
NIS Cooperation group ................................................................................................................................ 159
Directive (EU) 2022/2555 concerning measures to ensure a high common level of cybersecurity across the
Union (NIS 2 Directive) ..................................................................................................................................... 161
Cybersecurity Act .............................................................................................................................................. 163
EU Cybersecurity act .................................................................................................................................... 163
ENISA ............................................................................................................................................................ 164
Proposal for a Cyberresilience Act .................................................................................................................... 164
Proposal for a Cybersolidarity Act .................................................................................................................... 166
Sector-specific legislation ................................................................................................................................. 167
Other initiatives ................................................................................................................................................ 167
ECCC – European Cybersecurity Competence centre.................................................................................. 168
EU cybersecurity skills academy .................................................................................................................. 169
3
, INTRODUCTION
Aim:
= to gain a multi-perspective understanding of and insight into
̶ cybercrime phenomena and online risk behaviour
̶ the use of technology and data analytics for law enforcement and intelligence
purposes, and
̶ public and private sector surveillance strategies
Dimensions:
o Technology
o Legal
o European & international policy
o Multi-actor
Final competences:
1. Identify, understand and interpret the relevant criminological and legal principles, instruments
and case-law with regard to cybercrime, technology and surveillance.
2. Develop, articulate and orally present a critical and argumented opinion on the various
criminological and legal dimensions and aspects of cybercrime, technology and surveillance.
3. Independently consult, analyse and critically and scientifically assess (historical) sources,
(scientific) literature and (empirical) research data concerning cybercrime, technology and
surveillance and reactions thereto.
4. Write a clear report on the results of (own) scientific research and own critical opinion.
5. Develop a life-long learning attitude with regard to issues related to cybercrime and
surveillance, by identifying, interpreting and reflecting on actual developments.
Evaluation:
o Research paper (50%)
o Oral exam (50%)
→ when the student does not pass at least one of the components, they can no longer pass the
course unit as a whole !
Research paper (50% of the overall grade)
Aim = to provide a critical legal or criminological scientific answer to an original question in the
field of cybercrime, surveillance and technology
Structure = problem statement, research question, methodology, analysis, critical reflection,
bibliography / reference list
4
SURVEILLANCE
INHOUDSOPGAVE
Selected issues: cybercrime, technology and surveillance ............................................................................. 1
Introduction ............................................................................................................................................... 4
Cybercrime: policy & legislation ................................................................................................................ 13
1) Council of Europe: cybercrime convention (= Budapest convention) ........................................................ 14
(First) Additional protocol concerning the criminalisation of acts of a racist and xenophobic nature
committed through computer systems ......................................................................................................... 20
European Union .................................................................................................................................................. 22
A) Directive 2013/40/EU on attacks against information systems ........................................................... 23
B) Directive (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment .... 25
Illegal content online: the role of private actors ........................................................................................... 28
Towards a convention at UN level? ............................................................................................................... 32
New technologies & law enforcement ............................................................................................................... 34
Introduction ................................................................................................................................................... 34
Internet of things (IoT) ................................................................................................................................... 37
Drones ............................................................................................................................................................ 39
CCTV ............................................................................................................................................................... 40
Biometrics ...................................................................................................................................................... 42
Track & trace .................................................................................................................................................. 42
Critical discussion & conclusion ..................................................................................................................... 43
New technologies & law enforcement: policy & legislation............................................................................... 44
Focus on privacy & data protection (in the context of law enforcement activities) ..................................... 45
Spotlight on facial recognition ....................................................................................................................... 58
Challenges for LEA Spotlight on deep fakes and Generative AI .................................................................... 64
Surveillance, intelligence and security ....................................................................................................... 67
background & introduction ................................................................................................................................ 67
US & Five Eyes ................................................................................................................................................ 67
EU & Member States ..................................................................................................................................... 70
EU data protection ............................................................................................................................................. 71
essentials & relevance ................................................................................................................................... 71
CJEU case law ................................................................................................................................................. 72
CJEU data retention-collection-storage standards ........................................................................................ 73
Privacy Shield EU-US........................................................................................................................................... 73
intelligence access & use ............................................................................................................................... 73
LE or public interest access & use.................................................................................................................. 74
Towards selective data retention? (including at EU level) ................................................................................. 75
Legal barriers for a plan B (selective retention): ........................................................................................... 75
PLAN B - checklist: evidence, feasible, lawful? .............................................................................................. 76
PLAN B - possible selectors or discriminants (not limited) ............................................................................ 77
1
,Spotlight: online child sexual abuse and cyberviolence .............................................................................. 78
ONline child sexual abuse................................................................................................................................... 78
united nations..................................................................................................................................................... 80
Council of europe................................................................................................................................................ 81
European union .................................................................................................................................................. 86
Cyberviolence ..................................................................................................................................................... 98
Volodina v. Russia .......................................................................................................................................... 98
AI legal perspective on AI & Law Enforcement ........................................................................................... 99
Police technology.............................................................................................................................................. 129
Police technology: a long history ................................................................................................................. 129
Police technology: changing times .............................................................................................................. 129
Contemporary police technology ................................................................................................................ 130
Predictive policing ........................................................................................................................................ 130
Examples: place-oriented ............................................................................................................................ 131
Examples: person-oriented.......................................................................................................................... 131
Legal & ethical issues ....................................................................................................................................... 133
Bias & inaccuracy ......................................................................................................................................... 133
In practice .................................................................................................................................................... 135
Opacity & unaccountability ......................................................................................................................... 135
Data protection ................................................................................................................................................ 136
Relevant provisions (LED) ............................................................................................................................ 137
Human rights .................................................................................................................................................... 138
Privacy & data protection ............................................................................................................................ 138
Fair trail & due process ................................................................................................................................ 139
Freedom of speech & association................................................................................................................ 140
Non-discrimination & equal treatment ....................................................................................................... 140
A new development – AI Act ............................................................................................................................ 141
module 6: Jurisdiction & e-evidence ........................................................................................................ 144
Jurisdiction & e-evidence: the issue.................................................................................................................. 144
Cross-jurisdictional e-evidence ......................................................................................................................... 145
EU (current framework; cross-border access) ............................................................................................. 145
EU-US (ECPA; the CLOUD Act) ..................................................................................................................... 145
Cases and Clashes............................................................................................................................................. 146
Google Spain; Microsoft Warrant; Facebook; Yahoo! & Skipe Belgium...................................................... 146
Competing, legitimate interests/rights at stake .............................................................................................. 147
Fundamental rights considerations & concerns ............................................................................................... 148
Solutions ........................................................................................................................................................... 149
EU: practical measures / legislative measures: 2023 Regulation + Directive.............................................. 149
Coe level: Budapest Convention; guidance note to art. nd Additional Protocol ................................ 154
Module 7: Cybersecurity: policy & legislation .......................................................................................... 155
The EU’s cybersecurity strategy for the digital decade ............................................................................... 156
Directive (EU) 2016/1148 concerning measures to ensure a high common level of network and information
security across the Union (NIS Directive) ......................................................................................................... 158
2
, NIS Directive................................................................................................................................................. 158
CSIRTs ........................................................................................................................................................... 159
NIS Cooperation group ................................................................................................................................ 159
Directive (EU) 2022/2555 concerning measures to ensure a high common level of cybersecurity across the
Union (NIS 2 Directive) ..................................................................................................................................... 161
Cybersecurity Act .............................................................................................................................................. 163
EU Cybersecurity act .................................................................................................................................... 163
ENISA ............................................................................................................................................................ 164
Proposal for a Cyberresilience Act .................................................................................................................... 164
Proposal for a Cybersolidarity Act .................................................................................................................... 166
Sector-specific legislation ................................................................................................................................. 167
Other initiatives ................................................................................................................................................ 167
ECCC – European Cybersecurity Competence centre.................................................................................. 168
EU cybersecurity skills academy .................................................................................................................. 169
3
, INTRODUCTION
Aim:
= to gain a multi-perspective understanding of and insight into
̶ cybercrime phenomena and online risk behaviour
̶ the use of technology and data analytics for law enforcement and intelligence
purposes, and
̶ public and private sector surveillance strategies
Dimensions:
o Technology
o Legal
o European & international policy
o Multi-actor
Final competences:
1. Identify, understand and interpret the relevant criminological and legal principles, instruments
and case-law with regard to cybercrime, technology and surveillance.
2. Develop, articulate and orally present a critical and argumented opinion on the various
criminological and legal dimensions and aspects of cybercrime, technology and surveillance.
3. Independently consult, analyse and critically and scientifically assess (historical) sources,
(scientific) literature and (empirical) research data concerning cybercrime, technology and
surveillance and reactions thereto.
4. Write a clear report on the results of (own) scientific research and own critical opinion.
5. Develop a life-long learning attitude with regard to issues related to cybercrime and
surveillance, by identifying, interpreting and reflecting on actual developments.
Evaluation:
o Research paper (50%)
o Oral exam (50%)
→ when the student does not pass at least one of the components, they can no longer pass the
course unit as a whole !
Research paper (50% of the overall grade)
Aim = to provide a critical legal or criminological scientific answer to an original question in the
field of cybercrime, surveillance and technology
Structure = problem statement, research question, methodology, analysis, critical reflection,
bibliography / reference list
4
