Comments to the Sixth Meeting of the UNODC Intergovernmental Expert Group on Cybercrime / April 6-8 2020 in Vienna

The APWG ( is periodically asked our thoughts on issues of great importance to the cybercrime fightin’ community.


After the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, the Commission on Crime Prevention and Criminal Justice established an open-ended intergovernmental expert group to conduct a comprehensive study of the problem of cybercrime and responses to it by Member States, the international community and the private sector, including the exchange of information on national legislation, best practices, technical assistance and international cooperation, with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.
The open-ended intergovernmental Expert Group to Conduct a Comprehensive Study on Cybercrime has held five meetings to date, respectively from 17 to 21 January 2011, from 25 to 28 February 2013, from 10 to 13 April 2017, from 3 to 5 April 2018 and from 27 to 29 March 2019.
At its fourth meeting, the Expert Group adopted the workplan of the Expert Group for the period 2018-2021 (available at: In accordance with the workplan, in 2020 the Expert Group will discuss international cooperation and prevention. Moreover, no later than 2021, the Expert Group will hold a stocktaking meeting and discuss its future work.

Our Submission to the Meeting

The upcoming Expert Group meeting will discuss a topic important to the APWG and its members: international cooperation. I have many thoughts about this topic and i want to share the two main points I submitted to the upcoming UNODC meeting in Vienna.

We Need Commonly Accepted Definitions

First, we need to develop a common definition for data that requires special handling or treatment. Every new regulation or directive has different  – or new – definitions for data items that the regulators deem private, sensitive, or scary. For example, the definition of personally identifiable information (PII) varies among EU regulation and many other states. Sharing data globally to detect and apprehend e-criminals is near impossible when you must change the data record every time it is shared to national law enforcement authorities or private crime investigators. A common definition for special data would allow investigators and enforcers in multiple states to get the same data at very fast speeds. Aligning the various definitions is a daunting task – and may take a while – but lacking such commonality is definitely slowing down e-crime mitigation, investigation, victim reduction, and apprehension.

The Crime Fightin’ wall is really a tripod.

Secondly, many privacy and data sharing regimes have a specific carve-out for public bodies doing crme investigation. For example, the EU GDPR has two versions one for such bodies and one for “everyone else”. Many studies show that over 95% of internet-based crime is detected and initially investigated  not by the public bodies, but by private organizations, such as the APWG (an anti-phishing and cryptocurrency exchange), SPAMHAUS (the well-known anti-spam group), CAIDA (the Center for Applied Internet Data Analysis), anti-virus companies (such as Sophos, McAfee, Microsoft or Eset), or anti-ransomware groups. Unfortunately, being part of “everybody else” means that these organizations (“e-crime figthters”) (we need a sexy word to describe us) are following the same rules as marketing and tracking organizations, which do no e-crime fighting and should be constrained. Adding additional barriers to sharing e-crime data among public bodies and private organizations impedes the flow of that critical, very useful, data. Many senior law enforcement executives have expressly stated that they rely on private sector e-crimefighters participation and data sharing to perform their law-enforcement duties.


Developing a regulatory regime that gives the e-crime fighters to perform initial investigation, victim notification, event correlation, and data sharing with law enforcement while not allowing “everyone else” that ability will be a challenge. Some have suggested properly accreditation of the e-crime fighters may work;  other ideas have surfaced but the perfect solution still awaits us.

There are many challenges to detect, investigate, and notify the proper authorities of e-crime activities at the same speed that the criminals do. We have identified two primary challenges and look forward to moving towards a solution.

The actual submission to the UNODC is:

Why Do Security Groups Seem to Have Issues Complying With the new GDPR?

The new European Union Privacy Regulations, fondly known as the GDPR (EU-2016/679) took effect in late May, 2018. If you listened to some crime fighters we would all be dead by now as the criminals would have taken over the world. And the Internet. We at the APWG try to reduce the amount of phishing and fraud on the internet. We have been working on understanding and preparing for compliance with the GDPR for over a year. It’s hard to understand, has lots of details to comply with, but definitely not the world ending event some have imagined.

If the regulation is so exacting, why is compliance so hard? From personal experience, many organizations legal and compliance teams are overworked; when new regulations appear the teams hope that there is also some guidance on how to comply and how soon – or a hint as to how severe- non-compliance will be.(If you don’t agree with me, you’ve never worked in a legal or compliance team.) So I’m taking a wild stab here, but from my experience there are three large issues:

  1. Not all data sharing is contract-based nor covered by “binding corporate rules” as defined in the GDPR. The APWG’S Data Sharing Agreement (DSA) – a contract – was put in place to specify what parties taking our datasets could do with it. It made the sharing-field very level – everyone who sent us data or took data new exactly the boundaries of what they could do with the data. Many data sharing organizations, both formal and informal, are not contract-based and now need to quickly develop contracts.
  2. When new regulations arrive, there is an amount of guesswork to figure out how to minimally comply with it. Most organizations do not want to violate the law, but new laws require new thinking, new paperwork, new processes, on how to comply with it. The EU and its members has not been very forthright in specifying how an organization could minimally or consistently comply with the regulation.
  3. The regulation has onerous enforcement provisions. Although the EU or its members may not attack non-compliant organizations on day one, the regulations allows any EU natural person to bring enforcement action by themselves upon an organization. The volume and expense of these actions are all unknown making the previous bullet even harder.

Just my thoughts, but I bet I’m close to the target.