A while back I had the chance to visit the headquarters of the Greek Cyber Crime Unit and speak with the head of the team. The informal interview lasted more than an hour and left me with mixed impressions. I spoke mostly with the head of the Unit and not so with its members but all in all I was left with a sense that they are good but perhaps not good enough.
Clearly, pretty much everyone I spoke with was passionate about their work and definitely not just filling in the hours before heading back home. They claimed shifts that voluntarily extended from 8 a.m. till 12 p.m. â€“ and I could tell they werenâ€™t exaggerating. And the time spent at the office seems to be paying off as they claim to handle lots of cases successfully.
Someone would say that thatâ€™s enough. But I wasnâ€™t that entirely convinced. For one thing, apart from a few people, the average profile of officers working there is: male, around 25, a graduate (or even undergrad) of a public or a private IT school. I suppose thatâ€™s way better than having a 45yo that types with two fingers but still Iâ€™d expect something more â€“ in terms of experience basically. Also, the technical aspect of the job seemed pretty absent from the place. The apparent lack of specialised equipment, the laymanâ€™s terminology used in the interview, the fact that â€œonline â€˜social engineeringâ€™ skills are valued more than a good hardware/software knowledgeâ€, the lack of a webpage, the lack of a clear protocol when handling what seem like commonplace cases as well as a number of other small things tarnish the impression I got.
In any case, the types of crime they tackle include credit card and online auction frauds, phishing, child pornography, cracking, attempted suicides and a host of others. I was showered with examples of cases in most of the categories and the ways they had been handled. The zeal was pretty evident in the case studies â€“ esp. in attempted suicide and teenage pornography cases but also in financial fraud cases. The weight seemed to fall however in the supportive role rather than the preventive (or at least the arresting part) I would expect from the police.
Anyway, you can probably judge for yourself from the highlights of the interview below (I’ve done very little editing other than translate) where I try to focus on the material that isnâ€™t relevant just to Greece. Photos follow in the end.
D: How is your team split up?
H: A group of 3-4 people is browsing the chat rooms for hints of attempted suicides, pornography and drug trafficking. Another team is involved in finding “offline” evidence using standard police procedures and thus crosschecking online information sources. A third team is charged with compiling the dossier that will be used in court.
D: What measures do you take in terms of online crime prevention?
H: We maintain a presence in chatrooms and track would-be criminals in public rooms, intervening whenever we see possible criminal activity. If, for example, we see someone, trying to molest a minor we will intervene without asking for permission from a Public Prosecutor. In time-critical cases (like attempted suicides) we might phone the Public Prosecutor to ask for oral permission â€“ but this is rare. Generally, no ISP will disclose personal data without the Public Prosecutor’s written approval. In all other cases we have to go through a certain procedure. We must undertake an investigation, create a dossier and then send it to the Head of the Public Prosecutorâ€™s Office of Athens. If he sees a punishable act he will make a petition to the judge for all relevant data to be disclosed.
D: Do you keep an eye on chatrooms, forums, portals, blogs etc?
H: Apart from the chatrooms we have so much work that we canâ€™t be checking the blogs, the forums etc. Weâ€™re not the Echelon. Weâ€™re only where thereâ€™s some kind of criminal activity. If thereâ€™s no crime, we canâ€™t intervene. For example, when bloggers call each other names, their identities remain unrevealable. Even if there is a suit against a blogger, the Public Prosecutor cannot issue an order to the ISP to reveal the bloggerâ€™s identity.
D: How is the CCU cooperating with agencies abroad?
H: For training, various CCUs are gathered in the Interpol HQ in Lyonnes, France or in the Europol HQ, in Hague, Holland. So, if something has happened in France, we are trained and weâ€™re ready to deal with it as a country. That way weâ€™re one step ahead of whoever might try something ‘imported’ from from abroad. Also, thereâ€™s very good cooperation with Eurojust, a European unit ensuring cooperation between the various judicial institutions of the European countries. There are also simultaneous operations going on i.e. raids occurring at the same time in more than one country while itâ€™s all being organised by Europol.
D: Is the current legislation regarding online matters adequate?
H: The legislation regarding the internet is to be adopted soon. There is the Budapest Convention which has been signed and just needs to be adopted. In it, every type of online behaviour is outlined and its legality is provided. Greece signed the convention in 2001 and soon it will go into the process of passing as an Act of Parliament. Until now we have been applying common criminal law. If you hack into a server and alter the data it, you will be charged under the property damage law. If you are accused of verbally abusing someone and are found guilty, you will be punished under the law for insult.
D: What will the main online danger be in the future?
H: The most popular crime will be financial fraud. Within five years broadband will require that together with the phone you will also have internet in your house. That way anyone who is totally new to the internet will have to get involved with it. People will try to exploit them and there will be a surge of financial fraud. We will also see a rise in cracking cases.
D: What can I do to protect myself as an end user and as a businessman?
H: You have to be very careful in the ways you exchange money. Right now there are many fake credit cards online. There are websites that create or sell credit cards, e.g. from a supermarket database they have cracked and such fraud will be the no. 1 danger in the future. There are methods of certification (e.g. Verisign) but it can also be done using companies like Western Union, MoneyGram etc. People should also use online Electron Visa or prepaid cards, which cannot be charged over a certain limit.
The pictures that follow show the better part of their offices and have been photoshopped to hide any identifying information.
Many thanks to EV for help with the legalese.tags: report