The Council of Europe and Cybercrime

Council Of Europe & The Convention On Cybercrime

The Council of Europe was founded in 1949 by 10 member countries. Today, it is made up of 47 countries, including all members of the European Union. Its primary aim is ‘to create a common democratic and legal area throughout the whole of the continent, ensuring respect for its fundamental values: human rights, democracy and the rule of law.' The COE believes that cooperation between its member states is the only way to solve societal problems. Based on its fundamental values, solutions to problems such as CYBERCRIME among others are sought between member countries.

Various commentators and specialists have identified cybercrime as one of the fastest growing activities engaged in by criminals. This is not surprising due to the phenomenal, ever-increasing growth of the internet and its users; indeed, popular internet terms have become part of daily English vocabulary. Every growth comes with its effects, both positive and negative. Cybercrime is what I often refer to as the side effect of internet usage.

Computer misuse started as early as the days of mainframe computers in the 1940s & 1950s, but real public attention began around the 1970s. However, cybercrime in those years seems like child's play compared with its levels today, because the use of computer systems and networks was then practically exclusive to financial institutions and governments. Today, computer networks are in use in practically every institution and industry. Margaret Killerby of the Council of Europe rightly stated that ‘cybercrime attacks individuals, the private sector, States, cultural and legal traditions and the global economy.' Due to our irreversible dependence on cyber technology, the cyberrestrial realm has been firmly established and coexists alongside the terrestrial.

The nature of cybercrime has evolved over the years from simple manipulations of computer systems to gain access, to advanced methods of identity theft, phishing, botnets (computer zombies), distributed denial of service attacks etc.

The Cybercrime Convention

The COE Convention on Cybercrime was opened for signature in Budapest, 23/11/2001. The treaty is open for signature by member states and non-member states that participated in putting it together. It is open for accession by other non-member states. More than 100 other countries are currently using the convention as a model law, especially ‘developing countries' e.g. Brazil, Countries of the Caribbean, India, Nigeria, Pakistan, etc.

The Convention came into effect on the 1st day of July 2004 and is the first (and till date remains the leading) International treaty on computer related crimes. A Protocol on racist & xenophobic acts in cyberspace was added to the Convention and signed in January 2003; coming into force on the first day of March 2006.

The Convention seeks to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. The provisions of the convention deal with copyright infringement, computer related fraud, child pornography and breach of network security, illegal access, data interference, system interference, misuse of devices, computer-related forgery... etc. All states that ratify or accede to the Convention agree to ensure that their domestic laws criminalize conducts defined therein.

The convention covers three principal areas:

  1. Harmonisation of substantive criminal law in the area of cyber crime;

  2. Harmonisation of procedural law; and

  3. Enactment of rules of international judicial cooperation.

It is divided into four chapters:

  1. Use of terms;

  2. Substantive & Procedural Law issues;

  3. Transborder issues; and

  4. Final clauses.

Section 1 of Chapter 2 covers substantive law issues. It gives definitions to offences under the convention and then deals with ancillary liabilities and sanctions.

Definition Of Terms

Article 1 gives definitions to terms considered important for the purpose of the convention and its implementation. It defines “Computer system” as a device consisting of hardware and software developed for automatic processing of digital data. The device may include input, output and storage devices. ‘Computer program' is defined as a set of instructions that can be executed by the computer to achieve the intended result.

Article 1(b) of the convention states that “Computer data” should be in a form suitable for processing in a computer system, meaning it must be in a form that can be directly processed by the computer.

“Service provider” encompasses a broad category of persons that play a particular role with regard to communication or processing data on computer systems. This includes private & public entities and those acting on their behalf.

The definition given to ‘traffic data' leaves room for national legislatures using the Convention as a model to introduce differentiation in the legal protection of traffic data in accordance with its sensitivity. Traffic data is stated to be a category of computer data that is subject to a specific legal regime and is generated by computers in the chain of communication in order to route a communication from its origin to its destination. Thus, it is auxiliary to the communication itself. If an offence is committed, and a party to the convention is conducting an investigation, it is the traffic data that is used to trace the communication and to collect more evidence. Under articles 16 & 17 of the Convention, Internet Service Providers (ISPs) have been given the responsibility of preserving traffic data in view of the possibility of data being required for an investigation.

Section 1 of the Convention contains articles 2-13 of the Convention, which cover offences against the confidentiality, integrity, and availability of computer data & systems, computer-related offences, content-related offences, offences related to infringement of copyright & related rights and, finally, ancillary liability and sanctions – these are all substantive criminal laws. It is required that signatories enact domestic legislation and include these crimes in such legislation. The purpose of these laws is ‘to improve the means of preventing/suppressing computer & computer related crime by establishing a minimum standard of relevant offences.'

The drafters of the Convention have been very careful, using technology-neutral language so that these substantive law offences may be applied to current and future technologies. However, there is a debate as to whether the Convention actually covers contemporary methods of cybercrime e.g. phishing, botnets, identity theft, pharming, etc. These forms of cybercrime did not exist or were not a serious cause of concern at the time the Convention was being drafted, and it is indeed clear that existing criminal law is struggling to catch up with the speed of technological advancement. In response to this, Marco Gercke has stated that, ‘while we don't need a new model law, we could have added protocols to deal with new issues'. The Convention on Cybercrime is not a law itself; it is only a framework for signatories to adopt, modify and implement. Hence, parties can draft laws using the Convention as a guideline but still address current developments and methods in cybercrime which were not in existence at the time the Convention was drafted.

The element of ‘intention' is very important under the Convention. Criminal liability can only be inferred when the offences have been committed “intentionally”. Articles 2-9 & 11 contain the words “when committed intentionally” while Art 10 states “committed wilfully”. But interpretation of “intentionally” has been left to signatories to give in their own domestic legislations. Similarly, the offences must be committed “without right” as the definitions do not intend to criminalize legitimate activities e.g. those inherent in the design of systems and networks.

Article 2 – Illegal Access

Article 2 relates to “Illegal Access”, the Convention states:

‘Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.'

This is the basic offence of ‘dangerous threats to and attacks against the security (i.e. the confidentiality, integrity and availability) of computer systems and data.' “Access” has been stated to comprise the ‘entering of the whole or any part of a computer system (hardware, components, stored data of the system involved, directories, traffic and content-related data).' Sending an e-mail message or a file to a computer system will not be considered as access. The Convention has given parties room for a wide or narrow application of Art 2 by attaching any or all of the qualifying elements in the second sentence. The last part of the sentence, which states “... or in relation to a computer system that is connected to another computer system”, allows parties to exclude physical access of a stand-alone computer without any use of another computer system.

Article 3 – Illegal Interception

The intentional interception, without right, of communications is outlawed by this article. The essence of this provision is to protect the right of privacy of data communication and applies only to non-public communications. The interception by ‘technical means' is an important element of the offence. Keyser is of the opinion that this definition does not state which interceptions are lawful and which are unlawful.

Articles 4 & 5: Data & System Interference

Malicious code, viruses, Trojan horses etc. are usually used to damage, delete or negatively alter computer data. This eventually leads to an interruption of the proper functioning of the computer system under attack. Thus, data interference will in most cases lead to an interference with the computer system, though there is a difference between the two. Activities that may come under Article 5 include ‘mail bombing' seeking to overload a system and causing it to crash, and denial of service attacks.

Article 6 – Misuse Of Devices

This article seeks to deter the activities of those involved in marketing devices and software used in pursuit of cybercrime. There obviously exists a black market where tools for disruption of computer systems and networks are distributed and this appears to be a source of cybercrime activities. The effective way of combating such activities is by criminalising them. But the Convention excludes application of the criminal law to “dual-use devices”. It only applies to ‘devices that are objectively designed, or adapted, primarily for the purpose of committing an offence.' The problem is that the same devices and tools designed for legitimate purposes are very useful and attractive to those who wish to use them for a purpose at variance with that of their original creator or designer.

Title 2 covers computer-related offences to wit: Computer-related forgery in Art 7 and computer-related fraud in Art 8.

Article 7 – Computer-Related Forgery

This provision criminalises forgery of computer data. Anne Flannagan had this to say: ‘The offence can be limited to those involving intent to defraud or similar dishonest intent. There is no requirement that the data be considered or acted upon or that there be any resulting harm or loss.' The Convention has been drafted such that the minimum standard is the authenticity of the issuer of the data, regardless of the correctness of the actual data.

Article 8 – Computer-Related Fraud

The offence involves modification of computer data and interference with a computer system with the fraudulent or dishonest intent of making economic gains. This differs from computer-related forgery because under this provision, it is required that there be mens rea of fraudulent intent to procure economic gain. ‘The actus reus requires the loss of property to another by the described use of computer data or interference with the system's functioning.'

This article in the Convention is very important due to the amount of computer-related fraud perpetrated on a daily basis. Keyser stated:

‘The creation of a uniform criminal structure that outlaws the practice of fraud across the globe and facilitates the cooperation of countries in policing and preventing fraud in the sales of merchandise online, is a positive step toward securing the internet as a safe place to do business.'

Other Cybercrime Legislations

Before the Council of Europe Convention on Cybercrime came into force in 2004 there already existed, in some jurisdictions, laws to tackle the ever-rising challenges of cybercrime. In another instance, the seemingly poor level of support for & ratification of the COE Convention on Cybercrime (as at 2002) led to agitations for other legislative frameworks. One author had this to say:

Whilst the Convention was opened for signature in November 2001, all substantive work on the Convention was concluded before the attacks of September 11, 2001. In the light of legislative responses to these events, the provisions of the Convention now appear almost mild by comparison.

For some others, the Convention on Cybercrime is and will always be a regional Convention therefore a global framework is required.

In this chapter, we shall look at some of the existing legislations on cybercrime as well as proposals for regional and global frameworks.

Some global institutions like the United Nations, G8 and the Organisation for Economic Cooperation and Development (OECD) have contributed in various ways in the fight against cybercrime.

United Nations

The UN is the largest assembly of sovereign states and ought to be in the lead in the fight against cybercrime, especially considering that cybercrime is blossoming on an international scale. The United Nations General Assembly has adopted two resolutions on cybercrime calling for serious global action against cybercrime, but ‘they are nothing more than exhortations as resolutions of the UN General Assembly have no binding force on member states.'

G8

The Group of 8 industrialised nations is made up of the heads of state of its members and they have been meeting since 1975 on issues including cybercrime. Its major contribution in the war against cybercrime is in Article 35 of the Convention on Cybercrime, which requires parties to create high tech crime points of contact available 24 hours daily & 7 days weekly to aid international cooperation. The 24/7 Contact point was created by the G8 in 1997 to create a 24/7 network of law enforcement points of contact. In a recent G8 ministerial meeting, the ministers called on states to ‘strengthen the existing forms of international cooperation such as the G8 24/7 High Tech Crime Points of Contact'. But apart from technical initiatives, the G8 has not brought up any legal framework on cybercrimes; instead, it calls for action to encourage implementation of the provisions of the Council of Europe Convention on Cybercrime.

Just like the bodies briefly discussed above, the OECD does not have any legal framework in the fight against cybercrime but has been active with some initiatives, recommendations and guidelines. It has recommended that legal measures be enacted to combat cybercrime and these measures should be ‘at least as comprehensive as, and consistent with, the Council of Europe Convention on Cybercrime.'

The Commonwealth of Nations is a body of 54 sovereign states, all but two of which were part of the former British Empire. It has been largely involved in the fight against cybercrime and has come up with a Model Law on Computer and Computer Related Crime which is largely based on the provisions of the Council of Europe's Convention on Cybercrime. The Commonwealth recommended the law for endorsement by Law Ministers of its member nations.

In preparing a final draft of the Model Law, changes were made to some provisions as contained in the Cybercrime Convention, and some sections were given alternative provisions so countries could pick which to apply depending on their legal context. The modifications with regard to definitions and offences are of importance to this essay.

Section 3 - Computer System

The previous drafts of the Convention on Cybercrime had the words ‘or any other function' included in the definition of computer system under Art 1a, but in the final draft the words were excluded, apparently because they were too vague. But the drafters of the Commonwealth Model Law were of the opinion that the words should be retained in the Model Law to encompass developing technologies. The words ‘the internet' were also inserted into the definition to be certain that the definition adopted would cover the internet.

Section 9 - Illegal Devices

This section is derived from Art 6 of the Convention (Misuse of Devices). The Model Law, in view of the debate on “legal & illegal purpose”, excludes Art 6(2) which is the exclusion clause for those engaged in dealing with devices for legitimate purposes. Instead, the drafters were of the opinion that ‘the combination of “without lawful excuse or justification” and the requirement for a specific intention of criminal purpose were sufficient to prevent an overly broad application of the section.'

Under Section 3(3), the Model Law gives two optional provisions, any of which may be adopted by parties. The sub-section provides that any person in possession of one or more of the items mentioned in sub paragraphs i & ii will have to disprove or clear any doubts that he possesses them for illegal purposes.

Alan Reid vividly stated:

‘The disappointing level of ratifications of the Cybercrime convention and the events of September 11th 2001, led the European Union to propose a Council Framework Decision on Attacks against Information Systems. This Decision was published on the 27th of August 2002 and would have required the Member States to enact domestic laws to comply with the Decision by 31st December 2003. The Decision was to a large extent based on the Cybercrime Convention of the Council of Europe. It was hoped that this Decision would have strengthened and harmonised the provisions against cybercriminal activities across the European Union.'

This is the most outstanding effort of the EU with regard to cybercrime till date. The Framework Decision criminalised the offences of, inter alia, illegal access to information systems, illegal system interference and illegal data interference. These offences appear similar to those already contained in the Cybercrime Convention. Indeed, the Framework Decision was intended to be consistent with the approach adopted by the Council of Europe in its Convention on Cybercrime.

The Framework Decision in Articles 6(2) & 7(1) stipulates penalties for illegal access to information systems by infringing a security measure, illegal system interference & illegal data interference. This is quite different from the Convention on Cybercrime & the Commonwealth Model Law on Computer and Computer-Related crimes. Although the Model law has provisions for penalties, it doesn't make any specifications or recommendations on the penalty. The Convention makes no provisions for penalties.

‘The Framework Decision was adopted in February 2005 and required to be implemented in the member States by March 2007.'

The UK came up with one of the earliest pieces of legislation to deal with cybercrime – The Computer Misuse Act 1990. The Act was ‘self-evidently not drafted for the internet era'. As a result, this piece of legislation failed to generate any landmark success in the fight against cybercrime. The Act seemed to deal more with stand-alone computers than with computer networks, and the most lethal of cybercrimes involved a network of computers. The definitions given to offences in the Act also fell very short of meeting developing trends in cybercrime.

The CMA 1990 provided for 3 offences under Sections 1-3 respectively as follows:

  • Unauthorised access to computer material;
  • Unauthorised access with intent to commit or facilitate commission of further offences; and
  • Unauthorised modification of computer material.

These provisions are similar to some of the articles in the Convention on Cybercrime. However, due to some of its shortcomings, the Act was amended by the Police & Justice Act 2006. For instance, the CMA 1990 had no provision dealing with Misuse of Devices. But the Police & Justice Act 2006 introduced a new Section 3(a) to deal with misuse of devices. The amendments introduced by the Police & Justice Act clearly took account of the provisions of the Convention on Cybercrime.

Similarly, UK legislation dealing with computer forgery & fraud has been ‘significantly influenced' by the Council of Europe's Cybercrime Convention.

The USA being a Federation shares legislative powers between the Federal and State authorities. This applies to legislation on cybercrime. The states have their own separate legislations without being bound to any form of harmonization.

The American approach has been to bring up crime-specific legislation to deal with the various types of cybercrime. Thus, there are quite a number of US legislations dealing with cybercrime. The basic cybercrime legislation is the Computer Fraud & Abuse Act, 18 U.S. Code § 1030, which creates seven offences dealing with cybercrime. The offences border on unauthorised access & intentional damage to a computer. Initially, these offences only applied to conduct within the United States, but the Patriot Act in 2001 made it clear that the statute also applies to conduct outside the United States.

Other US legislations are:

18 US Code § 1028(a)(7), which deals with identity theft & identity fraud; and

18 US Code § 1029, which deals with fraud in connection with access devices.

The states also have a similar approach with each state having a separate law for each type of cybercrime e.g. laws for hacking & cracking, malware, computer forgery, fraud & theft. Statistics show that Anti-phishing bills have also been introduced in some states.

The American approach to legislating for Cybercrime has been agreeably criticised. Warren Chik had this to say:

‘The diversity in procedural augmentation has led to a confusing cacophony of state laws that exacerbates the jurisdictional problems of adjudication and enforcement… As one of the more technologically advanced countries in the world, the non-uniformity of treatment and lack of comprehensiveness of its substantive computer-related crime legislation is disappointing. The way the United States and many other jurisdictions have dealt with computer-related crime, that is, piecemeal and as it arises, can be analogized to how Microsoft continues to issue “patches” for its programs. It works to some extent, but not in a particularly satisfactory manner. Indeed, the United States has produced more than forty different federal statutes that contain criminal provisions for computer-related crimes.'

Conclusion

Several approaches or strategies have been suggested for use in the fight against cybercrime. However, the term that has appeared as a common denominator is ‘international cooperation'. Thus, whatever legislation might be adopted as a model for global legislation in the field of computer crime must be internationally acceptable as a minimum standard.

Bibliography

http://www.coe.int/aboutcoe/index.asp?page=nosObjectifs&l=en

http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.stm

http://mba.tuck.dartmouth.edu/digital/Programs/Seminars/WEIS/WEIS_media.pdf

Samuel C. McQuade, III, editor, Encyclopaedia of Cybercrime (Westport, London: Greenwood Press, 2009)

Ian J. Lloyd, Information Technology Law: (fifth edition, Oxford: Oxford University Press, 2008)

Margaret Killerby, The Convention on Cybercrime, Available at - http://www.itu.int/osg/csd/cybersecurity/2006/presentations/killerby-15-may-2006.pdf

COE Chart of Signatures & Ratifications: http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=23/12/2009&CL=ENG

Council of Europe & Cybercrime, Factsheet 11: https://wcd.coe.int//ViewDoc.jsp?Ref=FS+11&Language=lanEnglish&Ver=original&BackColorInternet=F5CA75&BackColorIntranet=F5CA75&BackColorLogged=A9BACE

Cybercrime: A threat to democracy, human rights and the rule of law - http://www.coe.int/t/dc/files/themes/cybercrime/default_en.asp

Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems CETS No: 189, Available at http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm

Summary of the Convention on Cybercrime: http://www.conventions.coe.int/Treaty/en/Summaries/Html/185.htm

Convention on Cybercrime: Explanatory Report http://www.conventions.coe.int/Treaty/en/Reports/Html/185.htm

First World Conference of Penal Law 2007 Conference proceedings: Penal Law in the XXIst Century. Guadalajara (Mexico), 18-23 November 2000 - Joachim Vogel: ‘Towards a Global Convention against Cybercrime'

Council of Europe, Committee of Experts on Crime in Cyber-Space, European Convention on Cybercrime, Nov. 23, 2001, Europe. T.S. No. 185, available at http://conventions/coe/int/Treaty/ENprojects/FinalCybercrim.htm.

Brown Ian, Edwards Lilian and Marsden Christopher, Information Security and Cybercrime (June 30, 2009); Law and the Internet 3rd Ed., L. Edwards, C. Waelde, eds., Oxford: Hart, 2009. Available at SSRN: http://ssrn.com/abstract=1427776

Stein Schjolberg, A Global Protocol on Cybersecurity and Cybercrime (June 2009) Available at http://www.cybercrimelaw.net/documents/The_Chairmans_model_law.pdf

McAfee 2008 Virtual Criminology Report: Cybercrime versus Cyberlaw

Mike Keyser, ‘The Council of Europe Convention on Cybercrime', Journal of Transnational Law & Policy Vol. 12 No. 2 (2003) p. 301. Available at http://www.law.fsu.edu/journals/transnational/vol12_2/keyser.pdf

A. Flannagan, ‘The Law and Computer Crime: reading the Script of Reform', International Journal of Law and Information Technology Vol. 13 No. 1 (2005) p. 114

Dejo Olowu, ‘Cyber-crimes and the Boundaries of Domestic Legal Responses: Case for an Inclusionary Framework for Africa', Journal of Information Law & Technology (2009) 1

Privacy International, ‘The Group of 8' (09/08/2004) available at http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-65438&als[theme]=Cyber%20Crime

Richard W. Downing, ‘G-8 Initiatives in High-Tech Crime' available at www.unescap.org/.../Cybercrime%20meeting/.../RDowning%20-%20G8%20initiatives%20and%20COE.ppt

G8 Ministerial Meeting of Justice & Home Affairs, ‘Final Declaration', Rome, 29th-30th May 2009, p.7 available at http://www.g8italia2009.it/static/G8_Allegato/declaration1giu2009,0.pdf

Communique of G8 Ministers of Justice and Interior Ministers meeting, Washington DC, 11th May, 2004 available at http://www.g7.utoronto.ca/justice/justice040511_comm.htm

http://www.oecd.org/dataoecd/23/11/31670189.pdf

http://en.wikipedia.org/wiki/Commonwealth_of_Nations

Model Law on Computer and Computer Related Crime available at http://www.thecommonwealth.org/shared_asp_files/uploadedfiles/{DA109CD2-5204-4FAB-AA77-86970A639B05}_Computer%20Crime.pdf

Alan S. Reid, ‘RFID Tags and the European Union: really free distribution?', Journal of International Trade Law & Policy, 2005, 4(1/2), 1-30

Commission of the European Communities, ‘Proposal for a Council Framework Decision on Attacks against Information Systems', COM (2002) 173 Final

Warren B. Chik, ‘Challenges to Criminal Law Making in the New Global Information Society: A Critical Comparative Study of the Adequacies of Computer-Related Criminal Legislation in the United States, the United Kingdom and Singapore.' Available at www.law.ed.ac.uk/ahrc/complaw/docs/chik.doc

Susan W. Brenner, ‘U.S. Cybercrime Law: defining Offenses', Information Systems Frontiers (2004) Vol. 6 No.2

http://www.ncsl.org/programs/lis/phishing06.htm