Anna Lucia Valvo
Ordinario di Diritto dell’Unione europea presso l’Università “Kore” di Enna. Avvocato del Foro di Roma
Abstract: In the era of post-globalization development and dissemination of information and communication technologies and the assertion of the right to freedom of information with positive implications connected with it has, however, also produced disastrous results in terms of the proliferation of new forms of digital crime and in terms of network usage for the realization of illicit purposes.
Under this specific profile, therefore, it is clear the urgent need for the establishment of appropriate discipline of the phenomenon through legislation which, without affecting the rights and freedoms related to access to the internet, can prevent or suppress any activity distorted use of network and/or the sabotage of computer systems.
The diffusion of technologies and tools, therefore, can identify different and contemporary forms of crime due to the fact that the world of crime immediately sensed the many possibilities offered by the network for illegal purposes, and to make use of it tools in order to take actions against criminal.
As for the European union, since the ‘90 eu institutions have begun to address the problem of cyber terrorism in key integrationist believing, rightly, that the Internet and its applications would affect more and more evidence on relations socio-economic and financial framework of the international community.
The spread of cyber terrorism and the delineation of a new concept of digital war, within the eu, has led to the establishment of the famous enfopol organization responsible to implement a system of control of the means of communication, drawn up at the European Council in Madrid 15 and 16 December 1995, and considered by many, rightly or wrongly, a sort of European Echelon, the global interception network created by the "007" of the usa, Britain, Canada, Australia and New Zealand.
In 2004, confirming the fact that the rampant spread of the attacks of so-called cybercrime has made no longer put greater cooperation between Member States in order to protect the significant interests of the States for increasing use of information technology and safe, the European Union has established the enisa, the Centre of Excellence Strategic and Operation of the European Union in the field of computer security.
With this work, the Author analyzes the European legislation for new, contemporary forms of crime and “international insecurity” related to the use of the Internet.
Nell’epoca della post-globalizzazione lo sviluppo e la diffusione delle tecnologie informatiche e telematiche e l’affermazione del diritto alla libertà informatica con le implicazioni positive ad esso connesse ha, tuttavia, prodotto anche risultati nefasti sotto il profilo della proliferazione di nuove forme di criminalità digitale e sotto il profilo dell’utilizzo della rete anche per la realizzazione di illecite finalità. Sotto tale specifico profilo, dunque, appare evidente l’urgente necessità di predisporre un’adeguata disciplina del fenomeno attraverso una legislazione che, senza incidere sui diritti e le libertà collegate all’accesso ad internet, possa prevenire o reprimere ogni attività di utilizzo distorto della rete e/o il sabotaggio dei sistemi informatici. La diffusione delle tecnologie e degli strumenti informatici, dunque, consente di individuare differenti e contemporary forms of crime in ragione del fatto che il mondo della criminalità ha intuito immediatamente le ampie possibilità offerte dalla rete per fini illeciti e per avvalersi degli strumenti informatici allo scopo di compiere azioni penalmente rilevanti. Per quanto riguarda l’Unione europea, fin dagli anni ‘90 le Istituzioni comunitarie hanno cominciato ad affrontare il problema del cyber terrorismo in chiave integrazionista ritenendo, a giusto titolo, che la rete internet e le sue applicazioni avrebbero inciso con sempre maggior evidenza sulle relazioni socio-economiche e finanziarie nell’ambito della Comunità internazionale. La diffusione del cyber terrorismo e il delineamento di un nuovo concetto di guerra digitale, in ambito ue, ha condotto alla istituzione di enfopol la famosa organizzazione preposta ad attuare un sistema di controllo dei mezzi di comunicazione, elaborata in occasione del Consiglio europeo di Madrid del 15 e 16 dicembre 1995 e da molti ritenuta, a torto o a ragione, una sorta di Echelon europeo, la rete di intercettazione globale creata dagli “007” di usa, Gran Bretagna, Canada, Australia e Nuova Zelanda. Nel 2004, a conferma del fatto che la dilagante diffusione degli attacchi di cosiddetta cyber criminalità ha reso non più rinviabile una maggior cooperazione fra gli Stati membri ai fini della tutela dei rilevanti interessi degli Stati per un utilizzo sempre più diffuso e sicuro delle tecnologie informatiche, l’Unione europea ha istituito la enisa, il Centro di Eccellenza Strategico ed Operativo dell’Unione europea nell’ambito della sicurezza informatica.
Keywords: computer crimes; international “insecurity”; enfopol; enisa.
In the era of post-globalization the development and the diffusion of the computer and online technologies as well as the affirmation of the right to freedom of information along with the related positive implications has, however, produced even inauspicious results under the profile of the proliferation of new forms of cybercrime and under the profile of the use of the network even for the achievement of illicit finalities.
Under this specific profile, therefore, appears to be evident the urgent necessity of prearranging any adequate regulation of the phenomenon by the mean of a legislation which, without affecting the rights and liberties connected to the internet access, may prevent or repress any activity of disported use of the network and/or the sabotage of the computer systems.
The spread of the technologies and of the computer instruments, therefore, renders necessary the study of the phenomenon eve under the criminal profile of the contemporary forms of crime in reason of the fact that the world of the crime has immediately grasped the ample possibilities offered from the network for illicit purposes and for taking advantage of the computer instruments with the intent to commit criminal actions.
2. Classification of computer threats
At this regard, seems to be worthy to mention the classification carried out by copasir (The Italian Parliamentary Committee for the Security of the Republic) which classifies the threats deriving from the cyberspace in four categories: “1. cybercrime: otherwise, the ensemble of the threats forwarded by criminal transnational or national organizations, which take advantage of the cyberspace in order to commit crimes as fraud, identity theft, misappropriation of information, of creation or of intellectual properties; 2) cyber-terrorism: that is, the use of the network by the terroristic organizations, for the purposes of propaganda, denigration or affiliation. Particularly significant seems to be case of the cyber-propaganda, that is the manipulation of the information conveyed in the network with the purpose of political denigration and manipulation, personal or social discrimination. In extreme cases, by the mean of the sophisticated use of internet or the online control is aimed the default of the ganglion cells of the national security transmission structures 3) cyber-espionage, that is the ensemble of the activities aiming the exploitation of the potentiality of the network in order to get industrial secrets for the purposes of the unfair competition (if connected to the market of the civil patents) and of the strategic superiority (in case of misappropriation of military or dual-use projects or devices); 4) cyber war: otherwise, the scenario connected to a real conflict among Nations, fought by the systemic demolition of the barriers of the critical protection of the adversary, that is by the disturbance or the “extinguishing” of the networks of the strategic communication, and the integration of these activities with those properly belligerent.
In turn, The National Strategic Framework for the Security of the Cyberspace adopted in December 2013, in line with what provided for in the d.p.c.m. (Decree of the President of the Council of Ministers) of 24 January 2013 distinguishes the cyber threats in four macro-sectors: 1. cybercrime, defined as the complex of the activities with criminal purposes (swindle, cyber-fraud, identity theft, misappropriation of information, of creation or of intellectual properties); 2. cyber espionage, concerning the illegal acquisition of sensible or classified information and data; 3. cyber-terrorism related to the actions ideologically motivated aiming to condition any State or international organization; cyber-warfare, with regard to the activities and military operations planned with the purpose to achieve goals in the mentioned field.
For what regards the European Union, since the Nineties the Community institutions tried to deal with the problem of cyber terrorism under an integrationist point of view believing, rightly, that the internet and its applications would have affected with an ongoing greater evidence the financial and socio-economic relations of the international Community.
The spread of the cyber terrorism and the birth of the new concept of cyber warfare, within the limits of EU, brought to the creation of the Enfopol, the famous organization aiming the realization of a control system over the means of communication, elaborated in the occasion of the European Council of Madrid on 15 and 16 of December 1995 and by the majority considered, rightly or wrongly, a kind of European Echelon, a global interception network created by the “007” of usa, Great Britain, Australia and New Zealand.
In 2004, in confirmation of the fact that the widespread diffusion of the cyber-attacks perpetuated by the cyber criminality rendered necessary a greater cooperation among the Member States with the purpose of the protection of relevant interests of the States for an increasingly and safer use of the computer technologies, was created Enisa, the European Union Agency for Network and Information Security.
Nevertheless, by the mean of the Framework Decision of 2005 (recently amended with the Directive 2013/40/eu of August 12, 2013) the European Institutions enacted dispositions aiming to “improve cooperation between judicial and other competent authorities, including the police and other specialized law enforcement services of the Member States, through approximating rules on criminal law in the Member States in the area of attacks against information systems”
3. The European Cybercrime Centre
The post-global era characterized by the diffused use of cyber technology in an increasingly larger scale of activities requires the individualization of the regulation of the relationship between law and technology.
Therefore, becomes necessary the law, intended in its traditional function of instrument of protection and conflict resolution, to be “reconsidered” and re-shaped in base of the consequences provoked by the virtual revolution even under the profile of the illicit use of the network, and to be fully adapted with the rapidity the technological innovation imposes.
In front of the new technologies, the traditional criminal institutes and the existing legislative instruments have shown their inadequacy and incapacity to regulate legal relationships undocked by any material dimension which, being created in the cyberspace, may rise regardless of the physical presence of the contractors or of the active or passive subjects of the crime.
In the eu sphere, the cyberspace and the new frontiers of the fight against cyber criminality brought to the creation of the European Cybercrime Centre (ec3) which, by January 2013 operates within the europol with the purpose of supporting Member States Police agencies in conducting investigations in the field of cyber frauds, abuses on children and other cybercrimes.
The European Cybercrime Centre main goal is the supervising of any illicit activity carried out by the mean of internet including the frauds on credit cards and bank accounts and the protection of the social networks profiles from the interferences of the cybercrime, beside the task to transmit to the Member States the threats and protection instruments and to procure sustain to the investigating activities at national level even through the use of common investigative teams.
The intention to create the European Cybercrime Centre was announced in the Communication “The eu internal security strategy in action: Five steps towards a more secure Europe” an represents one of the several measures undertake by the European Union in favor of the protection of the citizens by the cybercrimes.
Indeed, as explicitly underlined in the quoted Communication, the security of the computer networks is an essential condition for the good functioning of any information society; as well as the fight against cybercrime, the cyber security and the secure use of internet are fundamental premises in order to create the conditions for confidence and security for internet users.
The European Commission, aware of the inadequacy of the national normative instruments for the purposes of the prevention and the repression of the transnational crimes, but aware even of the damages the cybercrime could provoke, has underlined the necessity to establish the mentioned ec3 Centre in order to permit to Member States and to the European Institutions to develop analytic and operative capacities to the purposes of the investigations and to the cooperation with international partners.
Among the objectives prefixed by the Commission, the Centre at issue should aim the improvement of the evaluation and the supervision of the existing preventive and investigative measures, the development of training activities and of the awareness of the police and justice authorities in order to establish a cooperation with enisa and to serve as a connection with a network of cyber-emergency governmental or national groups (cert). In the intentions of the Commission, substantially, the European Cybercrime Centre should become the core of the fight against cybercrime in Europe.
Nevertheless, always by the mean of the Communication “The eu internal security strategy in action”, the action 3 related to the improvement of the capabilities for dealing with cyberattacks connected with the objective 3 related to raising levels of security for citizens and businesses in cyberspace provides for that “[a] number of steps must be taken to improve prevention, detection and fast reaction in the event of cyberattacks or cyber disruption. Firstly, every Member State, and the eu institutions themselves should have, by 2012, a well-functioning cert. It is important that, once they are set up, all cert and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental cert by 2012 to enhance Europe's preparedness. This activity will also be instrumental in developing, with the support of the Commission and enisa, a European Information Sharing and Alert System (eisas) to the wider public by 2013 and in establishing a network of contact points between relevant bodies and Member States. Thirdly, Member States together with enisa should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Overall, enisa will provide support to these actions with the aim of raising standards of cert in Europe”.
In Italy, the decree of the President of the Council of Ministers of 24 January 2013 in the logic of the strategy for the cyber security has fixed up the institutional architecture in favor of the national protection of the material and immaterial critical infrastructures with specific regard to the cyber protection and the national computer security and has highlighted the specific tasks of each component, the mechanisms and the procedures to follow in order to deal with the vulnerability, the risk prevention, the prompt response to the attacks and with the immediate restoration of the system functionality in case of crisis.
The European Union, aware even of the criminal capabilities of internet, since long time appears to be well intentioned to adopt a European policy of prevention and repression towards the cybercrimes and other crimes committed by the mean of the technologies; however, the substantial lack of a “European” competence in criminal field, prohibits factually the adoption of efficient European instruments dealing with the cybercrime.
4. The EU competencies in the field of criminal law
In effect, the European Commission, since the adoption of the Communication of May 2007 (memo /07/199), acknowledged the incapability of the Member States to elaborate legislative measures up to the standards requested by the new criminal activities underlining even the non-negligible obstacles in favor of an efficient legislation against cybercrime, considering the transnational nature of the mentioned criminal activities as well as the extreme rapidity these crimes could be committed.
Nevertheless, in the mentioned Communication, the European Commission considered through and through negligible, under legal aspects, the circumstance of the lack of a common definition of the term “cybercrime” sustaining that the cyberspace is to be considered as a new instrument used for committing crimes anything but new and used to indicate three categories of criminal activity to be included in the larger genus of cybercrime: the first category regards the traditional crimes as fraud and the falsifications committed by cyber instruments; the second concerns activities of publication of illegal material as, for example, the juvenile pornography and, the third, involves classic crimes of the web as, for example, hacking and the attacks against information systems.
In addition, the Commission identified specific problems directly connected to the internet development ant to the new criminal activities related to them indicating these specific problems in the increasing vulnerability towards cybercrime among the society, the enterprises and the citizens; in the greater frequency and sophistication of the cases of cybercrime; in the absence of a policy and a European legislation on the fight against cybercrime; in the existence of objective difficulties to cooperate in reason of the transnational nature of the crimes at issue, of the great distance between active and passive subjects of the crime and of the extreme velocity these crimes could be carried out; in the absence of a clear repartition of the responsibilities and tasks in relation to the security of the applications; in the lack of awareness among the consumers on the risks which may derive from cybercrimes and, lastly, in the lack of a cooperation structure between public and private in this field.
Problems aggravated by the substantial absence of specific competencies in this field for the European Institutions and partly resolved by the Lisbon Treaty which has provided for a legal base in some way attributing European competencies in the criminal field.
5. The Budapest Convention on cybercrime
Different considerations may be released with regard to another important legislative instrument specifically oriented to suppress cybercrimes. We are referring to the principal international instrument in this field, the Convention of the Council of Europe on cybercrime, entered into force in 2004, which contains common definitions of several types of cybercrimes and prepares the ground for an operative judicial cooperation among the ratifying States.
Signed by all eu Member States and other non-European States, among which usa, Canada, Japan and South Africa, the Convention of Budapest of 23 November 2011, however, has not been ratified yet by all signatory States while some of these States, though having ratified the Convention, have not ratified yet the additional Protocol concerning the criminalization of acts of racist or xenophobic nature committed through computer system.
Meanwhile, Italy ratified the Convention of the Council of Europe through the law of authorization to ratify of 18 of March, 2008, no. 48, which has implied the insertion in the Italian criminal code new forms of crime (as mentioned supra) and the updating of the criminal procedure code in the field of computer search and requisition, as well as in the field of protection of privacy and liability of legal persons.
Elaborated with the special purpose of balancing exigencies of preventive and repressive nature concerning crimes committed through computer systems and the respect for fundamental rights and liberties according to several Treaties on human rights, the Budapest Convention is composed of four chapters relative to the definitions of terms like computer system, computer data, service provider and data transmission; norms on substantial and procedural criminal law to be enacted by States; norms concerning the international cooperation in the field.
Essential goal of the Convention was (and remains) to introduce common (substantial and procedural) elements of criminal law in the field of cybercrimes and to prepare a rapid and efficient international cooperation system in this field.
As to the norms of substantial criminal law, the Convention divides them in two Titles the first of which is dedicated to the crimes against confidentiality, the integrity and availability of computer data and systems (arts. 2-6), spacing from illegal access to a computer system to data interference, from system interference to misuse of devices; the second title regards computer-related offences (arts 7-8) with special concern to offences related to child pornography and offences related to infringements related to copyrights and related rights.
All the crimes listed in the Convention are punishable even at level of attempted and involvement crime and is also provided for the criminal, civil and administrative liability of legal persons.
At art. 13 the Convention prescribes the obligation, upon the Parties, to adopt effective, proportionate and dissuasive sanctions which include deprivation of liberty.
As to the measures of criminal procedural nature, these concern criminal investigation, the expedited preservation of stored computer data, of traffic data, the production, search and collection order of computer data etc.
The final part of the Convention concerns the International cooperation and the principles regarding the discipline of extradition, judicial mutual assistance, spontaneous information, procedures concerning the mutual assistance requests in the absence of applicable international agreements in the field, confidentiality and limitation on use of the collected data.
As to the Italian law of ratification of the Budapest Convention on cybercrime, not being this the occasion for a detailed examination and critical considerations, please see the considerations, anything but enthusiastic, of the doctrine.
Despite the diffusion of the new forms of crime, still has to be underlined the substantial legislative absence and the lacking of provision, to date, of a category well defined under legal profile regarding cybercrime, (with the exception of the Budapest Convention of 2001); and neither exists any international agreement on the common definition on cybercrime.
Conclusively, is confirmed the necessity of clear and certain norms ruling the use of internet, considering that the freedom of internet is not and could not be synonymous of internet anarchy. To the contrary, only by fixing up rules and, therefore, only the certainty of the law even under the technological context which characterizes the post-global era, could guarantee that freedom and neutrality of internet invoked by all.
In other terms, the freedom of internet should provide for a system of rules aiming the resolution of eventual conflicts arising among internet users with special regard to the balance of the various and opposed interests.
Neither, by other side, the typical characteristics of internet and its being simultaneously de-contextualized and out of national schemes legitimates an unanchored use from any legitimate legislative regulation, being it of national, European or international origin.
As also sustained, in fact, “the State, in order to maintain the social order, creates first the law, under forms of general and abstract laws, then applies these laws, that is enforces in concrete to single cases which need regulation”, and neither could be found any reason relying on which, in the context of technologies, the State (or the European Union or the international Community) should renounce to any of its primary roles which is, rightly, the one to guarantee the order of the society.
Undoubtedly, for the legislator are innumerable, and often not of easy solution, the challenges provoked by the development of technology and, however, if really internet has to be considered an instrument of freedom and guarantee for the exercise of rights, even those fundamental, States need to assume proper responsibilities and consider the ruling of internet an important objective and unavoidable instrument even to prevent the initiatives of those States which through the political control of internet exercise functions of censure, cultural homogenization, political control and, ultimately, even of espionage.
* Paper deliverd at “International Scientific Conference” 2-3 June 2015, Ochrid,University “St. Kliment Ohridski”- Bitola Faculty of Security – Skopje.
 See, “Relazione sulle possibili implicazioni e minacce per la sicurezza nazionale derivanti dall’utilizzo dello spazio cibernetico” of copasir of 7 July 2010 available at: http://www.parlamento.it, p. 17.
 Visit www.sicurezzanazionale.gov.it.
 Enfopol 112, 10037/95
 European Network and Information Security Agency: to this regard visit www.enisa.eu.int.
 See Council Framework Decision 2005/222/jha of 24 February 2005 on attacks against information systems.
 The European Police Office is established in The Hague through the Convention signed in Cannes on 25 July 1995, entered into force on 1 October 1998, later modified through an act of the Council on 30 November 2000 and integrated with the Protocol adopted by the Council on 28 November 2002. The tasks of Europol are sanctioned in art. 88 of the Treaty on Functioning of the European Union.
 See art. 88, par. 2, lett. b) of the Treaty on Functioning of the European Union and the Decision 2008/615/JHA of the Council of 23 June 2008 on stepping up of cross-border cooperation, particularly on combating terrorism and cross-border crime.
 See the Communication of the European Commission to the Parliament and the Council “The eu Internal Security Strategy in Action: Five steps towards a more secure Europe” of 22 November 2010, [com 2010 (673) final].
 See Regulation (eu) No. 580/2011 of the European Parliament and of the Council of 08 June 2011 amending Regulation (ec) No. 460/2004 establishing the European Network and Information Security Agency as regards its duration, prolonged until 13 September 2013.
 Computer Emergency Response Team. Among the objectives provided for in the Digital Agenda for Europe appear the one to establish cert at national level in each Member State and consequent greater connection between national cert and the European cert in order to create a European system of information sharing and alarm (eisas).
 Italy has not yet created the proper national cert which, however, according to legislative decree no. 70, of 28 My 2012 (in application of Directive 2009/140/ec) has been identified within the competencies of the Ministry for the Economic Development and with any probability will be established within the Superior Institute of Communication and Technology of Information. Actually in Italy is operative the cert-psc (Computer Emergency Response Team of the Public System of Connectivity) established at the Digit-pa with competencies of prevention, monitoring and analyses of security incidents for the users of public administration and the cert-Defense created at the General Staff of Defense, with the task to provide assistance to the Defense administration.
 Directive concerning indications in the field of cyber-protection and the national computer security, in GU no. 66 of 19 March 2013.
 At this regard, Brenner, Defining Cybercrime: a review of Federal and State law, in Clifford (edited by), Cybercrime, iii Ed., Durham (North Carolina), 2011, p. 15, talks about “old wine in new bottles”.
 See, at this regard, Sarzana di S. Ippolito, Informatica, internet e diritto penale, Milano, 2010 which, at p. 56, claims that «… sometimes the term “computer fraud” is used to indicate generally the crimes committed in the computer field. Indeed, the term at issue indicates a specific category of “computer-crimes”, that is those related to the patrimonial field and aiming the creation of an illicit economic benefit».
 According to art. 36 of the Convention, for its entry into force is requested the ratification of, at least, five States among which, at least, three belonging to the Council of Europe.
 See gu 4 April 2008, no. 80, Supplemento ordinario.
 With the exception of those provided for in art. 2 (illegal access to a computer system) and in art. 9, lett. b, d and e.
 Art. 23 of the Convention of 2001 sanctions that “The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.”
 About this issue see, for all, Sarzana di S. Ippolito, Informatica, internet e diritto penale, cit., p. 631 ff.
 See, in this field, Weismann, International Cybercrime: recent developments in the law, in Clifford (edited by), Cybercrime, cit., pp. 257-258. From his point of view, Sarzana di S. Ippolito, Informatica, internet e diritto penale, cit., at p. 56 sustains that it is almost impossible the identification of a legal definition of cybercrime “considering that its complex and singular aspects impede a general vision and a strictly legal placement of the phenomenon itself”.
 In this sense, Calamandrei, Non c’è libertà senza legalità, Roma-Bari, 2013, p. 14.