Computer and Cybercrime are of a global dimension and can be felt universally. It has therefore become an International problem which requires international solution. Governments and organisations have seen the dangers of the internet as an environment for cybercriminals and have realised the need to work together in the fight against cybercrime. While the Internet may be borderless for criminals, law enforcement agencies must respect the sovereignty of other nations. Unfortunately, differing legal systems and disparities in the law often present major obstacles in their efforts.
The only realistic way to fight cybercrime is by demolishing the Jurisdictional and territorial boundaries that exist between nations and harmonising legal protection thereby preventing the appearance of “Computer safe havens”.
This has spurred various international Organisations into action leading to the adoption of Communications, Guidelines, Communiques and Action plans aimed at achieving a harmonised approach to legislating against cybercrime. Amongst these has emerged the Council of Europe’s Convention on Cybercrime. The Council of Europe’s Convention on Cybercrime has become accepted as the leading International instrument in the field of Computer crime. The Comprehensive nature of the Convention as well as the geographical spread of its signatories, means that it is likely to remain the most significant International legal Instrument in the field for the foreseeable future. The Convention has also attracted its share of criticisms. This essay considers how well the Substantive provisions of the Cybercrime Convention will serve as a model for Global legislation on cybercrime. Chapter one talks about various international organisations and their efforts in combating cybercrime. Chapter two discuss the Substantive part of the Council of Europe’s Cybercrime Convention and analyses its suitability as a model law for global legislation. Chapter three is the conclusion and the writers opinion.
Computer Crime And International Reactions
Computer and cybercrime has an obvious International dimension and governments have recognised the need to ensure that legal protection is harmonized among nations. Attempts have been made within various International Organisations and Fora to achieve a harmonized approach to legislating against computer crime so as to prevent the appearance of “Computer Crime havens.”
In 2002, in the wake of the September 11 attack, the OECD, drew up a new guideline for the “Security of Information Systems and Networks,” in order to counter Cyberterrorism, Computer viruses, hacking and other threats. This Guideline which replaced the 1992 guideline was a product of consensus between OECD governments, Information Technology Industries, Business users and civil society. Parties are expected to use it as a guide in drawing up policies, measures and training programmes for online security. All users of information are urged to implement the nine basic principles of Awareness, Responsibility, Response, Ethics, Democracy, Risk assessment, Security Design and Implementation and Security management. Governments in other countries were invited to adopt a similar approach, while businesses were asked to factor security into the design and use of their systems and networks and provide security information and updates to users. Individual users were urged to be aware and responsible and take preventive measures to lessen the security risks inherent in an interconnected world.
An implementation plan for the Guidelines was published in 2003 which included a recommendation for “a substantive criminal, procedural and mutual assistance legal measure for combating crime and ensuring cross-borders co-operation… It should be at least as comprehensive as, and consistent with the Council of Europe Convention on Cybercrime.” There was a further supplement to the guideline in 2005 with the Publication of ”The promotion of a culture of security for information systems and Networks in OECD countries” by the Working party on Information Security and privacy.
The European Union (EU)
The EU, in a Communication on “Creating a safer information Society by improving the security of information infrastructures and combating computer-related crimes,” laid out four key points that must be present in any cybercrime policy:
“1) The adoption of adequate, substantive, and procedural legislative provisions to deal with both domestic and transnational criminal activities; (2) The availability of a sufficient number of well-trained and well-equipped law enforcement personnel; ; (3) The improvement of the cooperation between all stakeholders, users and consumers, industry, and law enforcement; and (4) The need for ongoing industry and community-led initiatives.”
In October 2004, Communication on the “Critical Infrastructure Protection in the fight against Terrorism” was issued, providing for the actions of the commission in relation to protection of critical infrastructure and proposes additional measures to strengthen existing instruments and to meet Council mandates in this area. In February 2005, a council framework decision on “Attacks Against Information Systems” binding on all member states and seeking to harmonize cybercrime laws by describing the specific kinds of conduct to be criminalized by individual legislatures was adopted. The Framework Decision also aims to complement and develop activities carried out at the international level, such as the work of the G8 and the Council of Europe Convention on cybercrime. Another Communication “Towards a general policy on the fight against cybercrime” was issued in 2007.
The G8 has become increasingly active in the fight against cybercrime, since 1995. While lacking the institutional structure of other intergovernmental bodies, its membership ensures that it has a significant influence in setting international policy agendas. It has adopted several declarations with respect to Computer and cybercrime. In 1997 it adopted a set of ten principles. The first principle has to do with harmonizing the criminal laws to prevent the emergence of safe havens for cybercriminals.
In 2000, the G8 countries, after a 3 day conference in Paris on internet crime said that they wanted to crack down on digital crime, rapidly spreading across the globe, but without stifling the growth of e-commerce. The communiqué noted that “the ability to locate and identify Internet criminals through different systems is critical to deterring, investigating, and prosecuting crime that has an electronic component.” It recommended that the creation of “faster or novel solutions should be developed and that government and industry must work together to achieve them.” Following the September 11 2001 attacks, the G8 adopted a “Recommendations on Transnational Crime” and stated their intention to be parties to the Cybercrime Convention (all where signatories already except Russia).
United Nations (Un)
The UN is made up of agencies that deal with many international issues. It is an Intergovernmental institution with interests mainly in the developing countries. In relation to Computer crime, one of its concerns is to help and provide developing countries with capacity and expertise to deal with computer crime issues. In 1994, they published a “manual on the prevention and control of computer-related crime” which addressed the need for substantive and procedural reforms, crime prevention through data security and International co-operation. They also adopted two resolutions on computer crime in 1990 and in 2001. At the 2005 congress in Bangkok, they reported that the UN was in the process of negotiating a UN Convention on Cybercrime, both to build on the achievements of the Council of Europe Cybercrime Convention, and to address some of the criticisms particularly, effective protection of human rights, protection of customer privacy and the high cost of cooperating with law enforcement investigators. The Treaty is still awaited.
The commonwealth comprises of fifty-three developed and developing nations, particularly African states. They engage in various capacity-building activities, which include law reform as a development strategy. They have a “Model Computer and Computer-related Crimes Bill” which was drafted in reaction to the Council of Europe Convention on Cybercrime and was recommended by the Law Ministers conference in 2002.
The Council Of Europe
The Council of Europe has over the years published an extensive number of reports in the fields of criminal law as well as adopting recommendations and treaties, addressing law reform on both substantive and procedural issues. In 1989, the Council of Europe published a study and recommendation on the appropriate forms of substantive offences in the field of cybercrime. They also addressed issues of procedural and International aspects. These recommendations were not binding on member states, and inevitably such harmonizing measures had limited effect. The growth of the internet as a global environment and the growth of computer crime made it necessary for a harmonised law on computer crime. In 1997, the council proposed a convention, which member states will be obliged to implement. Reports were collected and a committee of experts was established to draft the instrument. The Council of Europe Convention on Cybercrime was opened for signature in November 2001 both for member and non-member states. Currently, it has 46 signatory states including countries like the United States, Canada, South Africa, and Japan. It has been ratified by 21 countries including the United States. United Kingdom has not ratified. It specifies attributes which must be found in the national laws of its signatory states and by ratifying this Convention on Cybercrime, the contracting states agree to make sure that their domestic laws criminalize conduct described in the substantive criminal law section and establish the procedural tools necessary to investigate and prosecute such crimes.
Council Of Europe Convention On Cybercrime
The Convention aims principally at (1) harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime (2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form (3) setting up a fast and effective regime of international co-operation.
*The Convention contains four chapters: (I) Use of terms; (II) Measures to be taken at domestic level – substantive law and procedural law; (III) International co-operation; (IV) Final clauses.*
Substantive Criminal Law
The Substantive part of the Convention describes the different conducts which are required to be the subject of criminal offence thus:
- Offences against the confidentiality, integrity and availability of computer data and systems.
- Computer-related offences:
- Content-related offences:
- Offences related to infringements of copyrights and related rights.
Title 5 provides for Ancillary liability and Sanctions.
- Offences Against The Confidentiality, Integrity And Availability Of Computer Data And Systems. (Art 2-5 Of The Convention)
Article 2- Illegal Access
“Intentional access, to the whole or any part of a computer system without right”. The key elements are Intention, Access and without right. There are further conditions which parties may or may not adopt. Parties can take the wide approach and criminalise mere hacking in accordance with the first sentence of Art 2. Alternatively, Parties can attach any or all of the qualifying elements listed in the second sentence: infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system. It follows that “Intentional access without rights” may or may not be a criminal offence depending on whether or not the parties incorporate the infringement of security measures into their domestic laws. The Scottish Law Commission has argued that the mere fact of obtaining unauthorised access should suffice, however the offence should be regarded as a minor one. Lithuania Provides that illegal access will only be criminal if security measures are infringed. In the UK, the provision of Section 1 of the Computer Misuse Act 1990 is similar to this provision. (This has now been amended by Sec 35 of the Police and Justice Act 2006). It provides for the elements of Intention and unauthorised access to constitute the offence. The legal issues concerning unauthorised access by authorised users were laid to rest by the appeal court in R v Bow Street Magistrates’ Court, exp Allisonwhere it held the accused liable. US federal Law does not criminalize mere unauthorised such access has to be linked to some further purpose, such as obtaining national security information or financial records. It also provides two scenarios with respect to authorization: Knowingly accessed a computer without authorisation or exceeding authorised access. The “exceeding authorised access” covers employees or insiders. According to Lloyd, Most instances of computer fraud (and perhaps fraud in general) are committed by insiders.
Article 3- Illegal Interception
Protects the right of privacy of data communications and applies to all forms of electronic data transfer including electromagnetic transmissions. The key elements of the offence are: Interception, made by technical means, of non-public transmissions of computer data to or from within a computer system. This constitutes the act, and becomes criminal where it is done intentionally and without right. In the UK, this is covered by Sec 2 of the Regulation of Investigatory Powers Act 2000. This Act however, provides that transmissions can be either public or private. In 2005, a UK court fined a man £500 pounds and sentenced him to 12 months conditional discharge for accessing a wireless broadband connection.
Article 4- Data Interference
This criminalizes the act of intentional damaging, deletion, deterioration, alteration or suppression of computer data without right. Parties may provide that “serious harm” be committed. What constitutes “serious harm” is left to the respective government. The aim of this provision is to provide computer data and computer programs with protection similar to that enjoyed by corporeal objects against intentional infliction of damage. The legal interest sought to be protected here is the integrity and the proper functioning or use of stored computer data or computer programs. The value of a computer system normally resides in the information it contains, software and data, rather than the physical hardware. This provision is covered in the UK by the Police and Justice Act 2006 which amended Section 3 of the Computer Misuse Act. Several cases have been successfully prosecuted under this section in the UK. In the US, it is covered by the Computer Fraud and Abuse Act of 1986.
Article 5- System Interference
This creates the offence of “hindering” the functioning of a computer system without right by imputing, transmitting, damaging, deleting, deteriorating, altering and suppressing computer data.
Hindering must be “serious” and Parties are to determine what criteria that must be fulfilled in order for the hindering to be considered “serious”. The drafters consider as “serious” the sending of data to a particular system in such a form, size or frequency that it has a significant detrimental effect on the ability of the owner or operator to use the system, or to communicate with other systems. Spam mails, viruses come under this provision. Article 4 and 5 are overlapped, the distinction being “Data” and “System” respectively.
Article 6- Misuse Of Devices
Production, Possession, import, distribution or sale of “Tools” for the commission of all the offences listed in article 2-5, intentionally and without right constitutes an offence under this article. Parties are free to adopt the number of items that will be in possession before it becomes an offence. This provision targets the “hacker tools”. In many cases, black markets are established to facilitate the sale or trade of “hacker tools,” or tools used by hackers in the commission of cybercrimes. To protect those who produce software or data for the protection of computer systems, a second requirement of intent to use the device for the commission of the offences listed in article 2-5 is required.
- Computer Related Offences
These are ordinary crimes and regular offences but committed through the use of computer.
Article 7- Computer-Related Forgery
This creates a parallel offence to the forgery of tangible documents. This covers a scenario where one intentionally causes inauthentic data to be acted upon as authentic. Parties may add dishonest intent. Because concepts of forgery vary greatly, it was agreed that the deception as to authenticity refers at minimum to the issuer of the data, regardless of the correctness or veracity of the contents of the data.
Article 8-Computer-Related Fraud
These are fraudulent acts which cause “loss to another” and “gain for the perpetrator”. It also requires a specific fraudulent or other dishonest intent to gain an economic or other benefit. This specific intent requirement is another effort by the drafters to filter serious misconduct from minor crimes.. It is reported that internet fraud has become the most prevalent type of fraud.
- Content-Related Offences
This deals with offences related to child pornography. Child pornography is defined in Art 9(2) as Including “any pornographic material that visually depicts
(a) a minor engaged in sexually explicit conduct;
(b) a person appearing to be a minor engaged in sexually explicit conduct;
(c) realistic images representing a minor engaged in sexually explicit conduct.”
Broadly speaking, any act involving child pornography, done intentionally and without right is an offence under this section. Parties can put the age of a child between 16 and 18 years. The internet is notorious for the display and transfer of pornographic materials. Concern at the implications of using the internet for pornography especially child pornography has spawned series of International, governmental and industry-based initiatives. The inclusion of this provision in what is intended to be a template for computer crime legislation at a global level highlights the point that there is near-universal legislative condemnation of child pornography. In the UK, the Protection of Children Act 1978 as amended by the Criminal Justice and Public Order Act 1994, are the principal statutes that deal with Child pornography. Others include The Sexual Offences Act, 2003, of England and Wales, and the Protection of Children and Prevention of Sexual Offences (Scotland) Act, 2005 The Obscene Publications Act 1959 places severe controls and sanctions over printed and electronic pornographic materials in the UK. The Protection of Children Act, 1978 as amended by the Criminal Justice and Public Order Act, 1994, makes it an offence to take, make, permit to be taken; distribute or show; or possess any indecent photograph or indecent pseudo-photograph of a child. Also the Optional Protocol to the UN Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography entered into force in January 18, 2002.
- Offences Relating To Infringement Of Copyrights And Related Rights.
Article 10 relates to the reproduction and dissemination on the Internet of protected works, without the approval of the copyright holder. Copyright offences “must be committed ‘willfully’ for criminal liability to attach.” “Willfully” was used instead of “intentionally,” because it is the term employed in the Agreement on Trade-Related Aspects of Intellectual Property Rights (“TRIPS”), which governs the obligations to criminalize copyright violations. The provisions are intended to provide for criminal sanctions against infringements ‘on a commercial scale’ and by means of a computer system. Paragraph 3 allows Parties not to impose criminal liability under paragraphs 1 and 2 in “limited circumstances” (e.g. parallel imports, rental rights), as long as other effective remedies, including civil and/or administrative measures, are available.
Article 11- Attempt And Aiding Or Abetting
This Section provides for a third party or any person who aids or abets any of the offences listed in Article 2 to 10, or attempt those listed in Articles 3 through 5, 7, 8 and 9 (1) a and c Intentionally. A party may declare that it reserves the right to apply sub section 2 in whole or in part.
Article 12- Corporate Liability
By this provision, legal persons are liable for the criminal offences provided in this Convention, committed by a natural person for their benefit. The natural person must be working for the legal person, hold a power of representation, and have authority to take decisions and exercise control on behalf of the legal person. This provision seeks to enforce the doctrine of vicarious criminal liability against the company in respect of acts of employees and agents of the company who in course of their performance of their duties commits any of the afore-mentioned crimes. This prevents people from hiding in the cloak of corporate liability to escape prosecution for cybercrimes.
Article 13- Sanctions And Measures
Parties are to adopt measures to ensure that offences in Article 2 to 11 are punishable by effective, proportionate and dissuasive sanctions. Prison sentences may be imposed on Natural persons, while Liability for legal persons may be criminal, administrative or civil including monetary sanctions. Parties have the discretionary power to create a system of criminal offences and sanctions that is compatible with their existing national legal systems.
Cybercrime Convention As A Model For Global Legislation.
The Convention is the first binding and leading international treaty on cybercrime. It has done a good job in addressing the most urgent issues in the domain of Cyber-Security and serves as a guideline for many countries lacking comprehensive legislation in the area of cybercrime. The Convention is a result of 4 years drafting by European and International experts. It was drafted with different legal cultures in mind to enable the harmonization of criminal laws in the fight against cybercrime. Article 46 of the Convention, provides for periodic consultation between the parties with regards to legal, policy, technological developments and possible amendment of the convention. The first consultation was in March 2006 where it was reported that a comprehensive review of the Convention will be done in 2007. In the last meeting in 2009, it was suggested that the emphasis must be on promoting the Convention on Cybercrime worldwide and encouraging more countries to sign and ratify it as it stands now, rather than changing it. The US proposed to work at the political and technical level, focusing on a few candidates. It was underlined that Parties should use their special relationships and links with other states to encourage their accession to the Convention. According to Alberto Gonzales (US Attorney General as he then was)
“the Treaty provides important tools in the battles against terrorism attacks on Computer networks…by strengthening the US cooperation with foreign countries in obtaining electronic evidence
The Business Star Alliance, comprising of Microsoft, IBM, Apple Computer, Cisco Systems and Intel believed that the treaty will serve as an important tool in the global fight against Cybercriminals and engage greater cooperation among nations. Also the Cyber Security Industry Alliance made up of Juniper Networks, McAfee, RSA Security and Symantec held that Ratification marks an important milestone in the fight against International Cybercrime. Software industries support the Convention as it includes a requirement that nations exact criminal penalties for Copyright infringers.
The Convention has been criticized on different grounds from different people and groups.
The drafting process has been criticized for lack of transparency, saying it was conducted in a very secretive and undemocratic manner, and did not take human rights groups concerns into account. It has been cited as a political instrument, which serves the participating countries political agenda and is being pushed on developing countries for their own reasons. The Convention allows for the collection of electronic evidence on crimes not included in its substantive law, ignores fundamental protection against arbitrary interference by public authorities and grants far reaching powers under the procedural provision without appropriate safeguards or limitations on use. Providers of Communication service protest the burden placed on them to assist law enforcement agencies. There is no limit to mutual assistance and no provision of dual criminality. Some of the countries are regarded as countries with poor human rights record where the rights of the citizens are suppressed (citing Ukraine, Romania, Azerbaijan) therefore applying Article 25 of the convention (not discussed in this essay) will require ratifying nations “to give each other mutual assistance to the widest extent possible for the purpose of investigations or proceedings or collection of evidence in electronic form of a criminal offence”. According to McCullagh,
“In reality, the Convention on cybercrime will endanger America’s privacy and civil liberties and place the FBI’s massive surveillance apparatus at the disposal of nations with much less respect for Individual liberties.”
The convention has been criticized as being too wide and will result into conflicting terms and definitions by different nations thereby undermining the essence of the harmonisation.
In response to this, the US Department of justice, explained that;
“the Convention itself is not to create the specific substantive offences…but just to ensure that parties make certain categories of conduct criminal…Multilateral Convention must consider the other legal systems, and the level of specificity in this convention is consistent with other multilateral law enforcement convention… and the explanatory note is more detailed as to conducts to be criminalized”.
It may be worthy to note that majority of the criticisms and complaints were from the US citizens who felt that certain provisions of the Convention went against their fundamental human rights and will be forcing people to be accountable to often un-constitutional laws of other countries. They hold that the Convention threatens core civil liberties protection currently afforded to US citizens and the Treaty fails to provide meaningful privacy and civil liberties protections.
From the discussions above, it is established that the convention on cybercrime is the leading International treaty currently. The drafting process involved experts and was not done hurriedly. The provisions are wide enough as to allow signatories a little discretion. More Importantly, is the fact that most International bodies endorse the Convention which shows acceptance. Many member states and non-member states have also signed and ratified the Convention and many laws have been based on the model. Though many countries have their own national laws which are similar to the Convention, those laws cannot bind other countries. Hence the need for an International treaty, like the Convention. If Cybercriminals are threatening the world through the internet which has no boundaries, then there should be a law to fight them, which should have no boundaries either. If there is a law, then it should be binding. This goes to say that the first step has been taken, the Convention. The second step is that Countries ratify the Convention so that it may become more effective. As the law applies, then there will be room for Changes to provision that are unsuitable and for new innovations.
The Substantive part of the convention did not undergo as much criticism as the procedural section. However, the Convention does not provide for other Intellectual property offences except copyright. Cybercriminals perpetuate all kinds of crimes against the Intellectual property right of individuals through the internet and as such there is the need for an effective provision to cover all other aspects of Intellectual property.
According to Walden, The success of the Convention as a spur to harmonisation can be measured not only on the basis of the number of signatories including non-European countries, but as the source of other harmonization initiatives such as the Commonwealth’s “Model Computer and Computer-Related Crimes Bill” of 2002.
“Cybercrime activities take place and have effect between territories. As such, governments may be prepared to trade a loss of some degree of de jure state control, in terms of criminal procedure, reflecting their loss of de facto control, in return for extended jurisdictional reach, enhancing state authority. The deal may not be viewed as good, but simply the best available”.
- Senate ratifies controversial Cybercrime treaty. CNET NEWS (AUGUST 4 2006 http://news.cnet.com/Senate-ratifies-controversial-cybercrime-treaty/2100-7348_3-6102354.html
- Declan McCullagh, Perspective: Fuzzy logic behind Bush’s Cybercrime treaty. http://news.cnet.com/Fuzzy-logic-behind-Bushs-cybercrime-treaty/2010-1071_3-5969719.html
- Electronic Privacy Information Centre (EPIC): The Council of Europe’s Convention on Cybercrime. http://epic.org/privacy/intl/ccc.html
- http://www.justice.gov/criminal/cybercrime/COEFAQs.htm#QD4 United States Department of Justice, Computer Crime and Intellectual Property Section, Council of Europe on Cybercrime Convention FAQ.
- http://www.oecd.org/document/53/0,3343,en_2649_34487_1946997_1_1_1_1,00.html OECD
- Kevin DiGregory, Fighting Cybercrime – What are the Challenges facing Europe? Meeting Before the European Parliament, September 19 2000 http://www.justice.gov/criminal/cybercrime/EUremarks.htm