Cybercrime has been much in the news lately, from phishing, to botnets, ATM hacking, stock price manipulation and hacking cars, to mention but a few of the many forms online crime can take. Though it is difficult to quantify just how much cybercrime is going on, one FBI source put the annual losses to businesses in the United States alone at $67 billion in 2005. In all likelihood, this figure has grown since. Mirroring the international openness of the internet, cybercrime is to a significant extent a transnational phenomenon. The perpetrator and the victim will frequently be located in different jurisdictions, which poses acute difficulties for law enforcement agencies in investigating and prosecuting online crimes. Despite the clear need for international cooperation on cybercrime, there is as yet no genuinely global multilateral treaty (convention) dealing with the issue.
The issue of international cooperation in the fight against cybercrime will be on the table at the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, due to take place in Salvador, Brazil, from April 12-19, 2010 (see introduction and draft agenda here). The main theme of the Congress will be “comprehensive strategies for global challenges: crime prevention and criminal justice systems and their development in a changing world.” The Secretariat of the United Nations Office on Drugs and Crime (UNODC), in a working paper prepared in anticipation of the Congress, has suggested that “the development of a global convention against cybercrime should be given careful and favourable consideration” (see report by heise.de (in German), Google translation here). Four regional preparatory meetings were held in advance of the Congress and, as the UNODC’s working paper notes, calls were made at all four for the development of an international convention to tackle cybercrime. The Latin American and Caribbean countries were strongly in favor, noting “the imperative need to develop an international convention on cybercrime” (see Latin American and Caribbean Regional Meeting Report, at para. 41). Will 2010 see the launch of negotiations for a UN Convention on Cybercrime?
A Transnational Problem
In its working paper, the UNODC notes that cybercrime is to a large degree transnational in nature. Issues of national sovereignty can impede criminal investigations in the absence of active cooperation between law enforcement agencies of the jurisdictions involved. The speed at which cybercriminals can inflict harm and move on to evade detection also puts enforcement agencies under heavy time pressures, making the need for international cooperation all the more pressing. The UNODC identifies legislative convergence as crucial to effective cooperation. This is because many countries base mutual legal assistance on the principle of dual criminality, which requires that the offense in question be punishable in both jurisdictions. Divergence in legislation can therefore undermine effective enforcement. Where a particular jurisdiction lacks comprehensive cybercrime legislation or enforces it poorly, it may turn into a safe haven for cybercriminals. This kind of divergence can only be tackled by concerted efforts to harmonize legal standards and enhance cooperation between jurisdictions.
Already On the Job: the Council of Europe’s Convention on Cybercrime
Currently, the leading international convention on cybercrime is the Council of Europe‘s Convention on Cybercrime, which was signed in Budapest in 2001 and entered into force in 2004. The Council of Europe, which is not an organ of the European Union, was founded in 1949 to promote human rights, democracy and the rule of law in Europe (see Wikipedia entry here). It current has forty-seven members, including the twenty-seven members of the European Union and Russia. As at December 2009, the Convention on Cybercrime had been signed by forty-six states and ratified by twenty-six (i.e. approved in accordance with domestic constitutional requirements and thus rendered enforceable). Though the Convention was drafted under the aegis of the Council of Europe, it is open to signature by non-members. Four non-members participated in the negotiations of the treaty and signed it (the United States, Canada, Japan and South Africa), and one non-member has ratified it (the United States). The Convention is not, therefore, strictly a regional agreement. Yet the fact that it has only been ratified by one non-European state suggests that it cannot at present be described as a global convention.
The Convention lists a number of crimes which signatories are required to implement in their domestic law, including hacking, child pornography offenses, and certain offenses related to intellectual property violations. It also sets out a number of procedural mechanisms which signatories must put in place, including granting the power to law enforcement authorities to compel Internet Service Providers to monitor a person’s online activities. Chapter III calls upon signatories to cooperate to the widest extent possible in the investigation and prosecution of cybercrime offenses (see the Electronic Privacy Information Center’s summary of the Convention and other resources here).
The Convention on Cybercrime: Can it Become a Global Standard?
The Council of Europe’s Convention on Cybercrime has now been in force for more than five years and has the widest coverage of any international agreement dealing with cybercrime (estimated to cover one third of current internet users). As we have seen, signature is open to countries which are not members of the Council of Europe, and four non-European countries have signed it already. Could the existing Convention on Cybercrime provide a global standard? If so, should the upcoming conference focus on generating the momentum for wider signature and ratification of the Council of Europe Convention?
In his Contribution to the upcoming Congress, the Secretary General of the Council of Europe, Thorbjørn Jagland, notes that the Convention on Cybercrime provides a “clear and comprehensive solution” and has received strong support from the Asia-Pacific Economic Cooperation, the European Union, Interpol and the Organization of American States, among others. Mr. Jagland concedes that it is understandable that, for political reasons, countries may be reluctant to accede to a treaty which they have not participated in drafting. He notes, however, that accession to the Convention guarantees a signatory membership of the Cybercrime Convention Committee and thus involvement in any further development of the treaty. Another downside of launching negotiations on a new, global convention is that it could have the effect of suspending the implementation of legislative reform already underway. Mr. Jagland further questions whether consensus could be reached within the framework of the UN on the kind of procedural law and cooperation measures which the current Convention provides.
The Secretary General of the International Telecommunication Union (a branch of the UN), Hamadoun Touré, is reported to be critical of proposals to adopt the Convention as a global standard. The Convention was drafted mostly by and for European states, and is also now somewhat outdated (see heise.de report here (in German), and Google translation here). Russia, which is a member of the Council of Europe but has not signed the Convention, reportedly backs Mr. Touré’s position. Brazil considered signing the Convention, but then declined to do so, voicing reservations about certain aspects of the Convention, including the provisions relating to the criminalization of intellectual property infringements (see here).
These reservations about the Convention on Cybercrime suggest that negotiating a new UN Convention could prove difficult: globally, there is clearly a divergence of views regarding the appropriate global standards. Furthermore, the procedural and cooperation commitments under the Convention could be difficult to scale up to a global level. The issues these commitments can give rise to are illustrated by the domestic criticisms directed at the government of the United States when it adopted the Convention. For example, it was alleged that the Convention could have the effect of requiring the United States to enforce foreign laws curbing free speech or to monitor the communications of political dissidents on behalf of foreign governments (see Ars Technica report here). Spurious as some of the criticisms may have been, it can be anticipated that attempting to reach a consensus on these matters in a global forum would be fraught with difficulty. Can crucial players such as the Russian Federation or the People’s Republic of China, which are widely suspected of sponsoring various forms of cyberattack for political purposes, be expected to agree to high standards of international cooperation in investigating and prosecution cybercrime? (See, e.g., the 2007 distributed denial of service attacks on Estonia, or the China-based attacks on Google). The UN has a long history of divisions between developed and developing countries, and the Brazilian reservations regarding intellectual property offenses suggest that these divisions could play out once again in negotiations on cybercrime.
A Global Solution Is Needed
Cybercrime does not only affect developed economies: there are now more internet users in developing countries than in developing countries, and one study suggests that emerging economies may be particularly at risk from cybercrime (see here). It is clear that effectively combating cybercrime will require global cooperation, involving a much broader group of countries than the current signatories of the Council of Europe’s Convention on Cybercrime. This will undoubtedly prove a challenge: going back to the drawing board to draft a global convention from scratch could involve years of diplomatic wrangling that may never bear fruit. Given that the existing Convention has proven reasonably effective and that signatories have gained valuable experience in implementing it, it seems wasteful to ignore it. Yet seeking to make the Council of Europe Convention a global standard in its current form is likely to prove no less controversial, as it would likely be seen as being thrust upon countries which have had no say in drafting it. But the Council of Europe has recognized that the nearly ten-year-old treaty could do with being updated, and it is already open to signature to non-members. Perhaps the upcoming Congress could provide an opportunity to suggest updating the Convention on Cybercrime with a view to extending its membership, building on what it has already achieved while addressing the concerns of non-members.Scridb filter