Crime and Security in Cyberspace

As cyberspace has become pervasive in and between modern societies, the vulnerability of this transnational networked resource to criminality has become an important issue of international policy for Governments.

Ian Walden

As Gibson’s notional ‘cyberspace’[1] has materialised as the ‘network of networks’ that constitutes the internet and the communication and content services made available over it, so there has been an inevitable growth in the criminality associated with this environment. Cyberspace spawns cybercrime: ‘Since crime tends to follow opportunity and the internet provides many new opportunities, then new crimes will certainly emerge.’[2] Cybercriminals will be driven by a range of motivations, from intellectual joy riding to political protest.[3] Post-September 11th, cybercrime has inevitably become one element of the developed nation’s fascination with terrorism. Attention has focused on the possibilities for ‘cyber-terrorism’, cybercrime with a premeditated political motivation,[4] as well as for ‘cyberwar’, State-based activity, with the image of a future ‘electronic pearl harbour’ haunting policy-makers.[5]

As cyberspace has become pervasive in and between modern societies, the vulnerability of this transnational networked resource to criminality has become an important issue of international policy for Governments: ‘the healthy functioning of cyberspace is essential to our economy and our national security.’[6] However, as with other areas of internet-based activities, addressing cybercrime raises complex issues in international relations, challenging traditional conceptions of sovereignty, jurisdiction and territoriality, though not inevitably or necessarily to their detriment.[7] For the purposes of this paper, such complexities are recast as three core questions: regulate what, regulate when and regulate how?

In terms of the ‘regulate what’, there is a need to identify those activities that threaten the security of cyberspace without over-criminalising

[1] Gibson, W., Neuromancer, Harper Collins, 1984

[2] Wall, D.S., Cyberspace Crime, Dartmouth, 2003, p.xv

[3] Jordan, T., Taylor, P., “A sociology of hackers”, Sociological Review, November 1998, pp. 757 – 780

[4] Denning, D., “Cyber-terrorism: The Logic Bomb versus the Truck Bomb”, Global Dialogue, Autumn 2000, pp. 29-37

[5] Smith, G., “An Electronic Pearl Harbor? Not likely”, Issues on Science and Technology, 15, pp. 68 – 73

[6] United States Government, The National Strategy to Secure Cyberspace, February 2003

[7] Perritt, H. H., “The internet as a threat to sovereignty? Thoughts on the internet’s role in strengthening national and global governance”, 5 Ind. J. Global Legal Stud. 2, 1998, pp. 475 – 491; Krasner, S.D., Sovereignty: Organised Hypocrisy, Princeton University Press, 1999; Addis, A., “The Thin State in Thick Globalisation Sovereignty in the Information Age”, Vanderbilt Journal of Transnational Law, January 2004, pp. 3-107

enforcement activities to safeguard the rights of others, whether sovereign rights or privacy rights. In terms of ‘when’ to regulate, the problem has been succinctly stated in the following terms: ‘That in a networked world, where all points are equidistant from all others and all are accessible from anywhere, the principles of the international legal system cannot impose obligations on everyone to comply with all law.’[8] If this is considered a self-evident truth, what criteria render a nation’s criminal law and procedure applicable? Is it one of mere accessibility from the territory or actual effect or harm on those in the territory? The ‘how’ of regulation involves issues of legal treatment and law enforcement. To minimise regulatory arbitrage, the exploitation of differential laws by cybercriminals, Governments have both extended the application of national law as well as promoted harmonisation between legal systems.

This paper examines recent legislative initiatives designed to harmonise the response of nations to cybercrime and facilitate the pursuit of cybercriminals, defining the acts constituting criminal behaviour and the procedural rules governing their investigation and prosecution by law enforcement agencies. However, as with other aspects of the ‘war on terrorism’, concerns can be raised about whether such laws are appropriate and balance the differing interests present in cyberspace, the public interest in preventing cybercrime, the rights of users and the commercial interests of suppliers of cyberspace-related services.

1. Cybercrime Vulnerabilities

Cybercrime can be distinguished into three broad categories of activity. First, computer-related cybercrime, such as fraud and theft, where computers are simply the tools for the crime, manipulating data to commit traditional criminal activities. Second, content-based cybercrimes, such as criminal copyright infringement and child pornography, where computer and communications technologies facilitate the distribution of illegal data. The third category of cybercrime comprises those activities where the intention is to compromise the integrity, availability and confidentiality of the computers and systems connected to the internet and the data being processed on them, such as hacking and the distribution of viruses.[9]

In terms of numbers, while few reliable statistics exist, the first two categories would seem to currently represent the bulk of cybercrime. As traditional crimes simply utilising a new medium, described as ‘old wine in new bottles’[10], it is inevitable that

[8] Post, D., text of slide presented at ‘The Internet and the Law: A Global Conversation’ Symposium, University of Ottawa, 1st – 2nd October 2004 (available at <http

[9] Walden, I., “Computer Crime”, Chapter 8, Computer Law, 5th Edition, Edited by Reed, and Angel, Oxford University Press, 2003, pp. 295 – 329 at p. 295

[10] Grabosky, P., Smith, R.G., Dempsey, G., Electronic Theft: Unlawful Acquisition in Cyberspace, Cambridge University Press, 2001

criminal networks are quick to recognise the potential of cyberspace and seize the opportunity. However, it is the latter category, computer integrity offences, which are sui generis in raising broader security and vulnerability concerns for both users and Governments alike, and are the focus of this paper.

For perpetrators of computer integrity crimes, cyberspace offers individuals and criminal networks possibilities unparalleled in other environments, in terms of anonymity, mobility, geographical reach and the scope of damage that can be inflicted. The range and scale of potential loss that may flow from attacks against computers and data is substantial and well reported,[11] from individual inconvenience when a virus infects and corrupts a system, to billions of dollars in lost revenue resulting from business interruption, or the loss of life when medical systems malfunction. Where such attacks are targeted at, or inadvertently impact on, a nation’s critical national infrastructure, such as power systems or transportation networks, the consequences of such attacks are obviously of great significance and concern. In 2003, for example, the Port of Houston in the United States (US) was brought to a standstill after a denial-of-service attack crippled the computer system on which the Port’s operations were dependent.[12]

To address the threat of cybercrime and to enhance the security of cyberspace, Governments have been keen to establish an appropriate legal framework that deters such attacks. Such a framework must not only appropriately criminalise the different forms of cybercrime, but also enable law enforcement agencies to adequately investigate and prosecute such activities. The transnational nature of cybercrime activities, as well as concerns to avoid the proliferation of jurisdictional havens, has driven harmonisation initiatives within a number of international fora, such as the G8 and the Council of Europe.

1.1 Lies, Damn Lies and Statistics

Reliable statistics about the scale of cybercrime are notoriously difficult to come by.[13] A lack of consensus about what constitutes cybercrime is clearly one obstacle to the collection of data. However, a range of factors contribute to this absence of data. First, there is a lack of reporting by victims as commercial organisations avoid adverse publicity to protect their reputation and share price. In a survey in the United States, it was reported that only 30 percent of respondents who suffered an intrusion had

[11] Computer Security Institute and Federal Bureau of Investigations, Computer Crime and Security Survey, 2003 (available at <:> )

[12] “Blunkett plans to lift court ban on covert evidence”, Guardian Newspaper, September 23 2004

[13] Smith, R., Grabosky, P., Urbas, G., Cyber Criminals on Trial, Cambridge University Press, 2004

reported it to law enforcement agencies.[14] One approach to this problem is to impose a legal obligation to report incidents of security breach, as adopted in the state of California in respect of public authorities.[15] However, as well as deliberate non-reporting, it may also be the case that many victims are unaware that they have suffered an incident of cybercrime.

Second, a lack of experience and resources among law enforcement and prosecuting authorities has often meant that investigations and prosecutions are not considered a priority area, particularly when competing for attention with other public concerns, such as violent crime. This second factor obviously contributes to the first, underreporting, since where victims perceive that they will receive a poor response from law enforcement agencies, they will be less likely to make the effort to report.

A third factor is the recording of relevant statistics. Law enforcement agencies often fail to specifically collate data in relation to cybercrime. This may be due to a lack of resources, but is more likely due to the complexities of recording such events, since a fraud committed over the internet can be recorded as both fraud and cybercrime, which may artificially inflate the crime statistics through double counting.

A fourth factor is the transnational nature of cybercrime and the associated jurisdictional problems that contribute to the complexity of investigating and prosecuting offenders. All law enforcement agencies are under pressure to perform and are short of resources. Tackling transnational crime is resource intensive, yet has low clear-up rates, in terms of successful prosecutions.

Finally, computers, particularly when networked, create significant forensic challenges to law enforcement agencies when obtaining evidence and subsequently presenting it before the courts.[16]

Where figures are published, it is often from commercial entities operating in the data security sector, including those linked to the defence establishment, which clearly have an incentive to overstate the problem, extrapolating the economic costs or security threat of cybercrime on the basis of scant real data.[17] The absence of strong empirical data to support the publicity given to, and public perception of, cybercrime is a problem for policy makers. Adopting legislative measures against a phenomenon that is insufficiently understood may result in an inappropriate set of rules, either failing to

[14] National Criminal Intelligence Service (NCIS), Project Trawler

[15] California Senate Bill 1386 (available at < bill 20020926_chaptered.html>)

[16] Sommer, P., “Evidence from Cyberspace: Downloads, Logs and Captures”, Computer and Telecommunications Law Review, 2002, Vol.8, No.2, pp.33 – 42

[17] Kabay, M., Studies and Surveys of Computer Crime, 2001 (available at < Surveys_of_Computer_Crime.pdf> )

adequately address the mischief or over extending criminal law to activities that should not be criminalised.

1.2 Enforcing Laws

Despite continuing public ignorance, it is now widely recognised that the internet does not suffer from a lack of law, but an excess of law coupled with an enforcement problem.[18] As noted above, one central issue in tackling cybercrime is the availability of law enforcement resources. Law enforcement can be seen as a two-stage process: the investigation of illegal activities and the prosecution of offenders. Both stages are traditionally perceived as tasks to be carried out by the police, with the intelligence services operating where issues of national security are involved. However, the reality is that the ‘policing’ of cybercrime will involve a diverse range of public and private sector entities.

In most developed nation jurisdictions, a wide range of regulatory authorities are granted powers to investigate and prosecute persons for offences within their regulatory jurisdiction. These authorities have functions to investigate specific types of conduct, such as the Financial Services Authority (e.g. in an internet securities fraud) or local authority trading standards bodies (e.g. preventing the sale of illegal signal decoders).

For certain offences, a private person as well as a public authority may be able to pursue a prosecution. In the area of criminal copyright infringement, for example, rights holders may lead the investigation and prosecution of perpetrators, such as the Business Software Alliance and the International Federation of Phonographic Industries. Most notably, in France, the League Against Racism and Anti-Semitism and the French Union of Jewish Students brought a successful action against Yahoo! for the sale of Nazi memorabilia available via its auction service in breach of the French Penal Code.[19]

In terms of criminal investigations, the private sector is needed to assist public law enforcement and may, through self-regulatory initiatives, establish entities with a specific remit to receive complaints, investigate and report on illegal activities. In the United Kingdom (UK), for example, the Internet Watch Foundation (IWF) was established in 1996 by Internet Service Providers (ISP) to monitor and report on the distribution of child abuse images. Whether such initiatives are actively encouraged by public agencies or are a self-defence response, the development of an ‘unholy alliance’[20] between States and the private sector to enhance enforcement is an inevitable feature of cyberspace, although raising concerns in terms of vigilantism, infringement of rights and a blurring of accountability.

[18] Reed, C., Internet Law: Text and Material, Cambridge University Press, 2004

[19] Reidenberg, 2001

[20] Birnhack, 2003

2. Securing Data and Systems

Prevention being better than cure, policy-makers have recognised that criminalising specific activities is not a complete or sufficient response to the threat of hackers, virus writers and cyber-terrorists. The targets or potential victims of such attacks are usually best placed to implement the appropriate physical, logical and organisational security measures that will prevent, deter or limit the consequences of such attacks. However, while the virtuous link between data security and cybercrime should clearly be in the interests of users, there is much evidence that data security measures are not given adequate attention or are not properly understood within many organisations.[21] However, since an interconnected and interdependent environment means significant negative externalities and collateral vulnerabilities from a failure to take measures, policy-makers have recognised the need to facilitate data security through a variety of mechanisms, including the imposition of legal obligations.

In terms of express obligations, for example, European data protection law requires the implementation of ‘appropriate security measures’ by those processing personal data, ‘in particular where the processing involves the transmission of data over a network.’[22] In terms of providing implicit incentives for organisations to implement security measures, the criminal code in some countries provides that illegal access to a computer system only occurs where it involves the infringement of security measures, which places the onus upon the victim to have such measures in place.

As concern about cybercrime as cyber-terrorism has increased, Governments have expressly addressed the vulnerabilities created by cyberspace for so-called ‘critical infrastructures’, those ‘facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of Governments.’[23] While the specific scope of what constitutes ‘critical infrastructure’ may vary between countries, computer and communications networks including the internet are always explicitly identified. In South Africa, for example, requirements exist for the identification and management of ‘critical data’, defined as that which the Minister of Communications considers ‘of importance to the protection of the national security of the Republic or the economic and social well-being of its citizens.’[24] Obligations are placed upon ‘critical database administrators’ to implement measures to protect such databases and a failure to comply may itself be the commission of an offence. At a G8 level, member States have

[21] Schneier, B., Secrets and Lies: Digital Security in a Networked World, Wiley, 2000

[22] Article 17

[23] Commission Communication to the Council and the European Parliament on ‘Critical Infrastructure Protection in the fight against terrorism’, Brussels, October 20th 2004, COM(2004) 702 final

[24] Article 52(1)(a), Electronic Communications and Transactions Act 2002 (South Africa)

adopted a set of principles specifically addressed at the protection of ‘critical information infrastructures.’[25]

In the United States, the Government has published a ‘National Strategy to Secure Cyberspace’, which is a component of its broader national strategy for homeland security. The phraseology used in the document makes clear the potential or perceived scale of vulnerability, by stating that cyberspace is ‘the control system of our country’ and that ‘the healthy functioning of cyberspace is essential to our economy and our national security.’[26] Five national priorities are then outlined, including a ‘threat and vulnerability reduction program’, and recognising the need for ‘international cyberspace security cooperation.’

While Governments are keen to promote security and trust in cyberspace, as a mechanism for facilitating its development, security technologies themselves present a source of vulnerability. Cryptographic products, in particular, as the dominant technological solution to the need for authentication, integrity and confidentiality in cyberspace, are categorised as ‘dual-use’, having military as well as civil applications. As a consequence, cryptographic technologies are subject to export control regimes designed to limit the proliferation and use of products and services that can threaten us.[27] Governments need to achieve a balance, encouraging the implementation of security technologies of sufficient strength to provide ‘appropriate’ protection for cyberspace users, while preventing such security becoming a weapon in the hands of cybercriminals, cyber-terrorists and for cyber-warfare.

We can therefore see a duality in the nature of the vulnerability created by cyberspace; as a source of vulnerability, the conduit for those that wish to attack State infrastructure, such as ports and power stations, as well as a vulnerable entity in its own right, as an essential infrastructure. Our vulnerability to the loss of the internet as a critical information infrastructure is particularly ironic given the origins of the internet as a US Defence Department initiative designed to provide a robust communications network against attack.[29]

[25] G8 Principles for Protecting Critical Information Infrastructure, adopted May 2003 (available at < events/g82004/g8_CIIP Principles.pdf > )

[26] US Government, The National Strategy to Secure Cyberspace, February 2003

[27] Andrews, S., “Who Holds the Key? – A Comparative Study of US and European Encryption Policies”, The Journal of Information, Law and Technology (JILT), 2000 (2) (available at <> )

[28] OECD, Guidelines for Cryptography Policy, adopted March 27th 1997

[29] Grewlich, K., Governance in Cyberspace, Kluwer Law International, 1999, p.34

3. The Transnational Dimension

Cybercrime has an obvious transnational dimension. However, the limitations of territorial sovereignty mean that cybercriminals may not have much to fear from laws in jurisdictions where their activities have effects and cause harm.[30] To address this enforcement problem, Governments have made attempts within various international organisations and fora to achieve a harmonised approach to outlawing cybercrime activities and thereby try to prevent the appearance of ‘cybercrime havens.’ The most significant inter-governmental institution in the area has been the Council of Europe, although initiatives have been pursued at various levels, including the United Nations (UN) and the G8[31] group of nations.

3.1 Inter-governmental Harmonisation

The Council of Europe first examined the issue of computer crime in 1985, with the establishment of a committee of experts. The Committee produced guidelines for national legislatures on a ‘Minimum List of Offences Necessary for a Uniform Criminal Policy’, which outlined eight offences seen as critical areas of computer misuse requiring criminalisation, including damage to computer data and programmes. In addition, the report put forward an ‘optional list’ of four offences that failed to achieve consensus among member States, but were thought worthy of consideration, including unauthorised use of a computer. The report was endorsed in a Council of Ministers Recommendation urging Governments to review and legislate accordingly.[32] A similar instrument was adopted in 1995 addressing procedural issues.[33]

The Council of Europe Recommendations are not binding legal instruments and, inevitably, such measures had limited effect. However, as cyberspace emerged as a new environment for the commission of crime, the attention of policy-makers was refocused on the need for a harmonised response. In April 1997, the Council of Europe embarked on the adoption of a Convention, which Member States would have a legal obligation to implement. In November 2001, the Council of Ministers adopted the ‘Convention on Cybercrime’[34], which was opened for signature in Budapest on November 23rd 2001, and has since been signed by 34 of the 46 members of the Council of Europe. However, of particular significance to the status of the Convention is that four non-members also were involved in the drafting process, the United States,

[30] Goldsmith, 1998

[31] Communique Annex: Principles and Action Plan to Combat High-Tech Crime, adopted in Washington D.C. in December 1997 (available at <> )

[32] Recommendation No. R(89) 9

[33] Recommendation No. R(95)13

[34] Council of Europe Convention on Cybercrime, European Treaty Series No. 185. Hereinafter, “Cybercrime Convention” or in the alternative “the Convention.” See also, Explanatory Report.

Japan, South Africa and Canada, and became signatories. The Convention also contains a mechanism whereby other non-members can sign and ratify the Convention. The Convention entered into force on March 18 2004, when Lithuania became the fifth ratifying State.

The comprehensive nature of the Convention, as well as the geographical spread of its signatories, means it is likely to remain the most significant international legal instrument in the field for the foreseeable future. The success of the Cybercrime Convention as a spur to harmonisation can be measured not only on the basis of the number of signatories, including non-European countries, but also as the source of other harmonisation initiatives, such as the Commonwealth ‘Model Computer and Computer-related Crimes Bill’ of October 2002 and within the European Union.

At a European Union level, many aspects of criminal law have historically been outside the competence of the European Union. However, under Title VI of the Treaty on European Union issues of ‘police and judicial co-operation in criminal matters’ were brought within the EU’s sphere of activities, including the ‘approximation… of rules on criminal matters in the Member States.’[35] In April 2002, the Commission published a proposal for a Council Framework Decision on ‘attacks against information systems.’[36] Whilst the Framework Decision is intended to be consistent with the Cybercrime Convention, the nature of the European Union permits more comprehensive harmonisation between Member States than that achievable within the Council of Europe, such as the applicable sanctions. Although not yet adopted in its final form, the Framework Decision was one of the ‘necessary’ measures identified in the ‘Declaration on Combating Terrorism’ agreed between European ministers in March 2004, following the Madrid train bombing.

The Cybercrime Convention addresses the objective of harmonisation on various levels, representing different aspects of a response to the security threat that criminal or terrorist networks pose in cyberspace. First, harmonising the criminal code treatment of certain activities, as well as extending the jurisdictional reach of such offences. Secondly, the forensic and evidential challenges of obtaining data in a networked environment. Finally, improving international cooperation between law enforcement agencies.

3.2 Harmonising the Criminal Code

The Cybercrime Convention harmonises certain offences in respect of computer-related, content-based and computer integrity activities, while the Commonwealth Model Law and the Framework Decision focus on computer integrity offences. The computer integrity activities addressed in these instruments can be broadly distinguished into four categories:

[35] Article 29

[36] Hereinafter, “Framework Decision”

Offences concerning access to data and systems,

Offences relating to interference with data and systems,

Offences concerning the interception of data in the course of its transmission,

Offences concerning the use of tools or ‘devices’ to carry out any of the above acts.

The two key elements of all these offences are intention, the traditional criminal law requirement for the necessary mental element or mens rea, and that the person must be acting ‘without right’, ‘authorisation’ or ‘lawful excuse’.

Interference is generally considered of greater seriousness than the ‘mere’ access offence, since the main mischief being addressed is threats against the integrity of data being processed and the operation of systems. Obviously, access may be obtained to commit any number of further offences, whether fraud, pornography or terrorism. In the UK, for example, a terrorist act is defined as including actions ‘designed seriously to interfere with or seriously disrupt an electronic system.’[37] In such cases, the access offence may be viewed as primarily ‘facilitative’, in terms of the investigation and prosecution of cybercrime activities, since it will rarely be the main charge laid against the accused.[38] However, by criminalising all forms of computer ‘trespass’, such as access sought simply as an intellectual challenge or from curiosity, an anomaly can be created with the legal treatment of analogous situations in the physical world.[39]

In terms of interference, whether with data or systems, the concept is elaborated to cover all forms of modification, including deletion and suppression, as well as rendering such data or systems inaccessible or inoperable. The latter would be applicable to activities known as ‘denial-of-service’ attacks, where a person or persons bombard a system with data requests thereby overloading the system and leading to its eventual shut-down. Such techniques have been used against electronic commerce sites and as a political gesture, for example, by anti-capitalist demonstrators against the World Trade Organisation’s web site. In April 2001, denial of service attacks were reportedly launched against US web sites by Chinese hackers, following the collision of a US Navy spy plane and a Chinese fighter.[40] In the Framework Decision, interference which has ‘affected essential interests’, a term presumably designed to encompass

[37] Section 1 (2)(e), Terrorism Act 2000 (UK)

[38] Smith, R., Grabosky, P., Urbas, G., Cyber Criminals on Trial, Cambridge University Press, 2004

[39] Wasik, M., Crime and the Computer, Clarendon Press, Oxford, 1991, p. 74 – 75

[40] Council on Foreign Relations, “Cyber-terrorism”, 2004 (available at < cyberterrorism.httml#Ql> )

‘critical infrastructure’, is considered an ‘aggravating circumstance’ which should be subject to more substantial penalties.[41]

The interception of data in transmission is carried out in order to compromise the confidentiality of communications. Such espionage or surveillance will generally be for reasons of political or economic gain. Indeed, the political overtones behind interception activities have meant that communications privacy is given statutory or even constitutional protection in most jurisdictions. Historically, legal controls in respect of interception have been more directed against the manifestations of the State, particularly law enforcement agencies, than individuals or networks of cybercriminals or cyber-terrorists.

The provisions in respect of ‘devices’ are intended to address those that supply or possess the tools that are used to access or interfere with data or systems, or intercept communications, such as password ‘cracking’ software and other ‘hacker tools’.[42] These provisions have been controversial, since such tools will often encompass both legitimate and illegitimate purposes. In relation to supply, such offences could also be categorised as ‘facilitative’, to the extent that they address the availability of the tools needed to commit cybercrimes. The possession offence, meanwhile, may be categorised as a ‘preparatory’ offence, criminalising the steps taken prior to the commission of an integrity offence, similar in kind to the recent spate of ‘internet grooming’ offences, designed to address the steps taken in preparation for the commission of sexual abuse.[43]

Harmonisation of substantive offences is a pre-requisite inter-governmental response to network-based crime. Identifying and criminalising specified activities places a common legal framework upon decentralised, informal and mobile transnational criminal and terrorist networks. However, concerns about over criminalisation may also be raised in respect of the sui generis computer integrity offences, particularly concerning access and devices.

3.2.1 Locating Cybercrime

The transnational nature of most cybercrime can give rise to complex jurisdictional issues, involving persons and systems located in many different countries. Even where the perpetrator and the accused are located in the same jurisdiction, relevant evidence may reside on a server located in another jurisdiction, such as a ‘Hotmail’ account. In terms of locating cybercrime, the transnational dimension encompasses both the commission of offences and the obtaining and collation of evidence used in the prosecution of such offences. As with many aspects of cyberspace, traditional concepts and principles are sometimes challenged by the nature of the technologies involved.

[41] Article 7(2), Framework Decision

[42] Explanatory Report, para. 71 et seq

[43] e.g. Section 15, Sexual Offences Act, 2003 (UK)

The general principle of international criminal law is that a crime committed within a State’s territory may be tried there, although the territoriality of criminal law does not coincide with territorial sovereignty.[44] Under English law, the general principle for determining jurisdiction is either whether ‘the last act took place in England or a substantial part of the crime was committed here and there was no reason in comity why it should not be tried here.’[45] The ‘last act’ rule echoes the civil law principle lex loci delicti commissi, whereby torts are governed by the law of the place where the act was committed. However, an act may be initiated in one jurisdiction and completed or terminated, i.e. the effect or harm felt, in another jurisdiction. While with physical crimes the initiatory and terminatory elements of a crime are generally concurrent, such as murder, where criminal activity is information-based, such as cybercrime, a jurisdictional distinction between the initiation and termination of an act becomes the norm.

One consequence of this jurisdictional dissonance, especially in a cyberspace environment, is that criminal law has had to be amended to extend the territorial reach of certain offences. Indeed, due to widespread concerns about the growth and societal impact of such crime, Governments have also looked to apply extra-territorial principles to cybercrime activities, i.e. apply national law to acts initiated and terminated outside the territory. While the jurisdictional norm of criminal law is the territorial principle, there are four broadly recognised principles under which extra-territorial jurisdiction may be claimed or exercised in cases of transnational criminal activity:

the ‘active nationality principle’, which is based on the nationality of the perpetrator

the ‘passive personality principle’, which is based on the nationality of the victim

the ‘universality principle’, for crimes broadly recognised as being crimes against humanity, such as genocide or piracy

the ‘protective principle’, to safeguard a jurisdiction’s national interest, such as the planning of an act of cyber-terrorism.

The territorial principle has also expanded over the years, extending the locus of the crime to include acts committed abroad which have an effect in the jurisdiction.[46]

In terms of ensuring legal certainty, general principles of international criminal law are made concrete through express jurisdictional provisions in the criminal code. Such rules generally claim jurisdiction if one of the elements of the offence occurs within the State’s territory. Under the UK’s Computer Misuse Act 1990, for example, jurisdiction is asserted through the concept of a ‘significant link’ being present in the domestic jurisdiction. Where an unauthorised access offence has been committed, a ‘significant link’ exists if either the accused or the target computer is in the UK.[47] In the US, the USA Patriot Act of 2001 amended the Computer Fraud and Abuse Act to extend the concept of a ‘protected computer’ to include ‘a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States’.[48] This effectively extends the territorial scope to the global arena, since any computer connected to the internet would potentially be encompassed.

[44] Cassese, A., International Criminal Law, Oxford University Press, 2003, p.277

[45] Smith (Wallace Duncan)(No.4), (2004) Q.B. 1418

[46] Bantekas, I., Nash, S., Mackarel, M., International Criminal Law, Cavendish Press, London, 2001, p.151 et seq

The Cybercrime Convention, the Framework Decision and the Commonwealth Model Law all address the question of establishing jurisdiction, adopting a similar approach containing both territorial and extraterritorial elements. The Convention states that jurisdiction should exist when an offence is committed:

1. in its territory

2. on board a ship flying the flag of that party

3. on board an aircraft registered under the laws of that party

4. by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.[49]

The fourth scenario, based on the nationality of the offender, is an example of the extra-territorial ‘active personality’ principle.

Extending jurisdictional reach in response to cybercrime can be viewed as an inevitable consequence of the transnational nature of such activities. While generally perceived as an issue of substantive criminal law, questions of jurisdiction also have important implications for criminal procedure and in the investigation of cybercrime.

3.3 Addressing the Data Problem

Cybercrime investigations and the gathering of appropriate evidence for a prosecution, the science of forensics,[50] can be an extremely difficult and complex issue. Steps will obviously be taken by perpetrators to hide or disguise their activities, such as ‘communications laundering’, routing transmissions through a series of jurisdictions to frustrate attempts to trace the source, or the extensive use of cryptographic techniques to render data unintelligible. However, the environment itself also raises significant challenges due, in part, to the intangible and often transient nature of data involved. The nature of the technologies bestows upon data the duality of being notoriously vulnerable to loss and modification, as well as being surprisingly ‘sticky’, at one and the same time. The ‘stickiness’ of data is attributable, in part, to the multiple copies generated by the communications process, as well as the manner in which data is stored on electronic media. Such technology renders the process of investigation and recording of evidence extremely vulnerable to defence claims of errors, technical malfunction, prejudicial interference or fabrication, which may lead to such evidence being ruled inadmissible.[51] A lack of adequate training of law enforcement officers, prosecutors and, indeed, the judiciary, will often exacerbate these difficulties.

[47] Section 5, Computer Misuse Act 1990 (UK)

[48] 1030(e)(2)(B)

[49] Article 22

Relevant evidential data may be found on the systems of the victim, the suspect and, or, some third party, such as a communications service provider. Alternatively, evidence may be obtained from data in the process of being transmitted across a network, generally referred to as intercepted data. Specific rules of criminal procedure address law enforcement access to both sources of evidence, data at rest or data in transmission, although cyberspace raises a range of issues in relation to the operation of such rules.

3.3.1 Remote Data

One aspect of the use of search and seizure warrants in a cyberspace environment concerns the geographical scope of a warrant, issued by a court, authorising such acts. The Cybercrime Convention, for example, states that the right to search and access should extend to any other computer system on a Party’s territory which ‘is lawfully accessible from or available to the initial system’.[52] Thus, an authorised search at a single site can potentially be extended to interconnected systems located anywhere within the jurisdiction.

However, where the remote computer is based in another jurisdiction, important issues of sovereignty and territoriality may arise. In 2000, for example, as part of an investigation into the activities of two Russian hackers, Vasiliy Gorschkov and Alexey Ivanov, the Federal Bureau of Investigation (FBI) accessed computers in Russia via the internet, using surreptitiously obtained passwords to download data from computers operated by the accused already under arrest in the US. In retaliation for this breach of sovereignty, the Russian authorities charged the FBI agent responsible for the intrusion.[53]

[50] Casey, E., Digital Evidence and Computer Crime, Academic Press, 2004.

[51] Sommer, P., “Evidence from Cyberspace: Downloads, Logs and Captures”, Computer and Telecommunications Law Review, 2002, Vol.8, No.2

[52] Article 19(2)

To address these potential conflicts, member States under the Cybercrime Convention accepted that access to data stored in another jurisdiction might be obtained without authorisation of the State in which the data resides in two situations:

1. access publicly available (open source) stored computer data, regardless of where the data is located geographically; or

2. access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.[54]

The former situation would presumably be applicable where information was contained on a public web-site. The latter would extend, for example, to a person’s email stored in another country by a service provider.

Article 32 details two circumstances all parties to the Convention could accept, but does not preclude other situations being authorised under national law. An example of a more aggressive stance to accessing remote data is Australia, where a specific warrant-based procedural mechanism was adopted to enable the Australian Security Intelligence Organisation to access remotely held data. These provisions not only authorise the seizure of data, but also permit the modification of any obstructive access control and, or, encryption systems to obtain access to the data. Such proactive policing, utilising the techniques and tools of the cybercriminal in the course of an investigation, or even potentially to launch an attack against a foreign perpetrator, raises serious issues of legitimacy, due process and the potential for sovereignty disputes.[55]

While the Convention provision could be viewed as eroding traditional sovereign rights, it also represents an extra-territorial extension of criminal procedure jurisdiction, which may strengthen sovereignty in a transnational cyberspace environment. From an instrumentalist perspective, the threat of cybercrime makes such compromises palatable to Governments.

3.3.2 Intercepting Content and Traffic Data

As well as stored data, evidence may be obtained during its transmission between computers across communication networks. Such evidence may comprise the content of a communication, such as a list of passwords, or the attributes of a communication session, such as the duration of a call or the location of the caller, referred to as ‘traffic data’ in the Cybercrime Convention.

[53] Brenner S., and Koops B-J., “Approaches to Cybercrime Jurisdiction”, 4 Journal of High Technology Law 1, 2004

[54] Article 32

[55] Reidenberg, 2004

As noted previously, the interception of the content of a communication is usually subject to relatively strict procedural controls, designed more to protect against privacy infringements from law enforcement agencies than to deter cybercrime. Interception in the course of a criminal investigation will generally require authorisation from a third party, usually in the form of a judicial or executive warrant. The Cybercrime Convention provides that authorisation should only be available for ‘serious offences’, which would obviously include cyber-terrorist activities, but not necessarily all forms of computer integrity offences, such as mere unauthorised access.

A feature of some interception regimes is that they do not permit information obtained through an interception being adduced as evidence in legal proceedings. Such evidence is garnered for the purpose of further investigation, and not for any subsequent prosecution. The primary justification given for such a stance is to protect from disclosure information about the investigative activities of law enforcement agencies, as such activities would enter the public domain if intercept evidence was used in court and became subject to challenge by a defendant’s counsel. Rendering the product of interception inadmissible also effectively operates as a disincentive to interception activity. However, the UK Government has recently suggested that this position may need to be altered in respect of certain offences, specifically terrorism.[56]

Historically, national legal systems have distinguished between the interception of the content of a communication and the traffic data related to the communication session itself, such as the number called. Access to the latter has generally been subject to less stringent procedural hurdles, such as the need for a warrant. Such a distinction would seem to be based on a commonly held perception that access to the content of a communication represents a greater threat to personal privacy than access to the related traffic data.

However, developments in communications would seem to have led to a qualitative and quantitative shift in the nature of traffic data, from the generation of location data in mobile telephony to the ever expanding range of daily activities carried out online. As a consequence, the volume of traffic data potentially available to law enforcement agencies and its value as an investigative tool has increased considerably.[57] It would therefore seem arguable that the threats to individual privacy from accessing traffic data, compared with communications content, are of a similar nature in terms of revealing a person’s private life and activities and should therefore be subject to comparable access regimes.

[56] “Blunkett plans to lift court ban on covert evidence”, Guardian Newspaper, September 23 2004.

[57] Home Office Consultation Paper, Access to communications data: respecting privacy and protecting the public from crime. May 2003

One procedural issue raised by differential legal treatment is that in a cyberspace environment the distinction between traffic data and content is becoming increasingly blurred. A web-based Uniform Resource Locator (URL), for example, may not only contain details of the IP address of the web site being accessed, akin to a traditional telephone number, but further information in relation to the content of the requested communication, such as a particular item held on the site or a search string containing the embedded parameters of the search


While touch-tone technology enables individuals to communicate their credit card details and text messages using the same keypad that dials the number to establish the communications session.

In the URL example above, how should the ‘traffic data’ be separated from the associated content? Reliance on the law enforcement agencies to distinguish such data would seem unacceptable, which requires us to consider the role of the communications service provider, over whose network the data is being sent during the interception process. The relevant service provider would need to be able to identify the relevant data and then automatically separate traffic data for forwarding to the appropriate requesting authority.
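The separation a service provider would have to automate can be sketched as follows. This is an added example, not part of the paper: the log format, the function names and the choice to treat scheme, host and port as ‘traffic data’ and everything else in the URL as content are assumptions that follow the paper's telephone-number analogy.

```python
from __future__ import annotations

from dataclasses import asdict, dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed proxy log lines (not from the paper):
# timestamp, client address, method, URL, status, bytes sent.
SAMPLE_LOG = [
    "2004-09-23T10:15:02Z 192.0.2.10 GET http://www.example.org/search?q=extradition+lawyer 200 5120",
    "2004-09-23T10:15:07Z 192.0.2.10 GET https://alice:s3cret@mail.example.net:8443/inbox/42#top 200 901",
    "2004-09-23T10:15:09Z 192.0.2.11 GET /orders?ref=constructed 200 310",  # relative URL
]


@dataclass(frozen=True)
class TrafficData:
    """Addressing only: the analogue of the dialled telephone number."""
    scheme: str
    host: str
    port: int


@dataclass(frozen=True)
class ContentData:
    """Everything that reveals what was requested from the site."""
    userinfo: str
    path: str
    query: str
    fragment: str


def split_url(url: str) -> tuple[TrafficData, ContentData]:
    """Split an absolute http(s) URL into its addressing part and its content part."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # Credentials embedded before '@' are content, never addressing.
    userinfo = parts.netloc.rpartition("@")[0]
    return (
        TrafficData(scheme, parts.hostname, port),
        ContentData(userinfo, parts.path, parts.query, parts.fragment),
    )


def traffic_record(line: str) -> dict:
    """Build the record forwarded to the requesting authority for one log line."""
    timestamp, client, _method, url, _status, size = line.split()
    traffic, _content = split_url(url)  # the content half is deliberately dropped
    return {"time": timestamp, "client": client, **asdict(traffic), "bytes": int(size)}


def filter_log(lines: list[str]) -> tuple[list[dict], int]:
    """Return traffic-only records plus a count of lines withheld.

    Fails closed: a line that cannot be parsed is withheld, never forwarded raw,
    because an unparsed line may still carry content.
    """
    records, withheld = [], 0
    for line in lines:
        try:
            records.append(traffic_record(line))
        except ValueError:
            withheld += 1
    return records, withheld


if __name__ == "__main__":
    forwarded, held_back = filter_log(SAMPLE_LOG)
    for record in forwarded:
        print(record)
    print("withheld:", held_back)
```

Even the retained host name can reveal something about the user's activity, which is the blurring the paragraph describes; the split only removes the parts that are unambiguously content.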

The consequences of the blurring between traffic data and content in a cyberspace context and their differential legal treatment are potentially significant in terms of eroding an individual’s traditional privacy rights. In addition, communication service providers face legal, procedural and operational uncertainties with regard to the obligations to obtain and deliver-up data that has been requested by an investigating agency.

3.3.3 Preserved or Retained Data

The patterns created by the communications attributes of criminal and terrorist networks in cyberspace are increasingly valuable to law enforcement agencies for discerning the operational nature of such networks; forming, dissolving and reforming according to the logic of the opportunities being pursued. Such evidential data will be generated by the networks that comprise the internet, as traffic passes into, across and out of each network, and will often be as transient as the communication session itself. To address such transience, Governments have looked to the imposition of express preservation and retention obligations upon the providers of communication services.

The Cybercrime Convention addresses the right of law enforcement agencies to request that stored or transmission data is preserved upon notice for certain periods of time, the so-called ‘fast freeze-quick thaw’ model. Such an order will normally be made against an Internet Service Provider (ISP). However, in the normal course of business traffic data is generally retained for relatively short periods of time, due to the cost to the ISP as well as compliance with data protection rules, designed to protect the privacy interests of subscribers and users.

[58] Article 29

Concerns about security threats from cyberspace led to calls for the imposition of a general data retention obligation on ISPs to enable law enforcement access to historic as well as real-time traffic data.[59] Prior to September 11th, most Governments rejected such calls, recognising that such wholesale retention obligations were a threat to privacy as well as an unnecessary cost burden for ISPs. Only expedited data preservation rules made it into the Cybercrime Convention, not general retention obligations, primarily due to trenchant opposition from the US.

In the rush to legislate post-September 11th, a number of Governments have committed a volte-face on the issue. In the UK, for example, provisions were incorporated in the Anti-Terrorism Crime and Security Act 2001, establishing a voluntary regime for the retention of communications data, with the possibility of imposing mandatory directions. In April 2004, the Governments of the UK, Ireland, France and Sweden proposed a Council Framework Decision to harmonise traffic data retention among EU Member States.

However, large scale data retention must itself be seen as vulnerable to abuse, a new security risk, and considerable concern has been voiced that such provisions breach European data protection and Human Rights laws, as a disproportionate response to an unmeasured threat.[60]

3.4 International Co-operation

A third aspect of the Governmental response to cyberspace crime is to improve co-operation between national law enforcement agencies. At one level, co-operation will involve mutual assistance in the obtaining and exchange of information, whether as intelligence or evidence. In this regard, agencies have established ‘network’ structures, in an attempt to mimic the responsiveness and flexibility of other networks.[61] However, such an approach would not seem appropriate where the co-operation involves the movement of suspected perpetrators, further up the enforcement chain, although initiatives have been adopted to enhance enforcement and reduce the formalities involved.

[59] National Criminal Intelligence Service (NCIS), Looking to the Future, Clarity on Communications Data Retention Law: Submission to the Home Office for Legislation on Data Retention, 2000

[60] It Article 29

[61] Slaughter, 2000

3.4.1 Moving information

The investigation and prosecution of transnational cybercrime will usually require mutual assistance between national law enforcement agencies, prosecuting authorities and private sector entities, such as ISPs. Obtaining such assistance in a timely and efficient manner will often be critical to the success of a cybercrime investigation. Historically, however, such mutual legal assistance procedures have been notoriously slow and bureaucratic.

A request for evidence from another jurisdiction is known as a ‘letter rogatory’, and will generally only be issued where it appears that an offence has been committed and that proceedings have been instituted or an investigation is underway. The request may be sent to a court in the relevant jurisdiction, to a designated authority or, in cases of urgency, through the International Criminal Police Organisation (INTERPOL). The evidence, once received by the requesting State, should then only be used for the purpose specified in the request, known as the ‘specialty principle’, a principle also present in extradition treaties, requiring the requesting State only to prosecute the accused for the crimes detailed in the extradition request.

Despite the existence of mutual legal assistance procedures, there is always a time lag created by the need to channel a request through the appropriate authorities. As a consequence, law enforcement agencies have adopted alternative informal approaches to the need for a rapid and flexible exchange of information. In the US, for example, the extension of the concept of a ‘protected computer’ to include non-US based computers, as noted above, means that when a foreign (and friendly) law enforcement agency contacts the US authorities, they can provide assistance informally on the basis that the perpetrator’s activities also constitute an offence under US law, rather than comply with mutual legal assistance procedures.[62] Such an approach may be seen as an alternative version of the ‘double criminality’ principle, discussed below, where the act is in actuality an offence in both jurisdictions, rather than theoretically. While the US authorities may have no intention to pursue a domestic prosecution, the possibility provides an informal alternative to the mutual legal assistance route.

Many of the international harmonisation initiatives have been designed to address the institutional and procedural obstacles to the investigation of a crime, as much as the substantive offences themselves. One key mechanism is the establishment of a network of designated law enforcement contacts, available 24 hours a day, 7 days a week.[63] Such networks are designed not only to facilitate a rapid response, but also to improve the quality of information supplied, by ensuring that each contact has the necessary training and expertise to appropriately assist, as well as engendering interpersonal trust.

[62] Sussman, M., Senior Counsel, US Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section, presentation made at an Academy of European Law conference in Trier, Germany, February 20 2003

[63] Article 35, Cybercrime Convention; Article 11, Framework Decision; Point 1, G8 Communiqué Annex: Principles and Action Plan to Combat High-Tech Crime, 1997

As well as reacting to requests, such networks offer a channel for the proactive exchange of intelligence. The Cybercrime Convention, for example, envisages the provision of ‘spontaneous information’, i.e. intelligence, where agencies in one State disclose information uncovered during their investigations to another State for the purpose of initiating or assisting an investigation.[64] However, such disclosures should be subject to the domestic law of the disclosing State, such as data protection rules, which may impose restrictions on the transfer of personal data.

3.4.2 Moving People

Clearly when a system is attacked, the perpetrator may be located anywhere in the world. Therefore, if a prosecution is to be mounted, the accused has to be brought to the prosecuting State. The formal procedure under which persons are transferred between States for prosecution is known as ‘extradition’. Either bilateral or multilateral Treaties or agreements between States generally govern extradition. In the absence of such a Treaty, the State where the perpetrator resides is not required under any rule of public international law to surrender the person. In such situations, informal mechanisms may be used to bring the perpetrator to justice. In the case of Vladimir Levin, for example, a hacker who broke into Citibank’s US-based funds transfer system, the accused was enticed to leave Russia, with whom the US did not have an extradition treaty. As soon as he landed in the UK, a country with which the US did have an extradition arrangement, he was arrested and subsequently extradited.[65]

In an action for extradition, the applicant State is generally required to show that the actions of the accused constitute a criminal offence exceeding a minimum level of seriousness in both jurisdictions, the country from which the accused is to be extradited and the country to which the extradition will be made. This is referred to as the ‘double criminality’ principle and is generally a threshold of a minimum 12-months imprisonment in both States.[66] Meeting the ‘double criminality’ standard is clearly an objective of harmonisation initiatives in respect of substantive offences discussed above.

In some jurisdictions, such as France, a distinction is made between nationals and foreign persons, extradition being only available in respect of non-nationals. To address this potential lacuna, both the Cybercrime Convention and Framework Decision provide that member States shall establish jurisdiction over and prosecute offenders that they refuse to extradite.[67]

[64] Article 26

[65] Walden, I., “Computer Crime”, Chapter 8, Computer Law, 5th Edition, Edited by Reed and Angel, Oxford University Press, 2003, pp. 295-329

[66] Article 24

[67] Article 22 (3) and Article 11(4)

Extradition is a complex and often lengthy process, involving, at least in common law jurisdictions, both judicial and executive decision-taking. In order to simplify the process in the European Union, Member States have implemented the concept of a ‘European Arrest Warrant’.[68] The Decision abolishes the formal extradition procedure in favour of a simplified process in which a warrant issued by a Member State court will be granted mutual recognition by other Member States and will result in the arrest and surrender of the requested person. The surrender may be conditional upon the acts detailed in the warrant being an offence in the executing State. However, certain offences, including ‘computer related crime’, which are punishable in the issuing Member State by a custodial sentence of a maximum of at least 3 years, will be subject to automatic execution of the warrant, i.e. surrender, without consideration of the ‘dual criminality’ requirement.[69]

4. Concluding Remarks

Cyberspace can be viewed as the ultimate transnational communications network, offering an unrivalled capability to access data and computer systems on a global level. It also provides a unique source of vulnerability for the nation State, whether from political dissent, economic liberalism or cyber-terrorism. As economies and society become dependent on cyberspace, it becomes a critical information infrastructure over which nearly all Governments, with perhaps the exception of the US, have limited control.

Evidence of the scale of the threat from cybercrime and cyber-terrorism remains scant, though Governments and, indeed, the wider general public are convinced of the need for action. Cyberspace can be used to undermine State control and circumvent State laws

In response to threats to the integrity of computer systems and the data that they process, Governments have pursued the harmonisation of legal rules and greater law enforcement co-operation. Whereas public perception of cybercrime revolves around specific types of criminal behaviour, such as ‘hacking’, policy-makers have primarily been concerned with reforming the procedural aspects of investigating and pursuing cyber criminals. Since the events of September 11th 2001, we have seen law enforcement agencies being granted substantially enhanced powers of investigation.[70] However, significant trepidation exists that the desire to secure cyberspace may result in a concomitant erosion of individual privacy and other liberties that have been the bedrock, if comparatively briefly, of cyberspace.

[68] Council Framework Decision 2002/584/JHA

[69] Article 2(2)

[70] Walden, I., McCormack, E., “Retaining and accessing communications data”, Communications Law, Vol.8, No.2, 2003 pp. 220-224

As cybercrime has become an element of the ‘war on terrorism’, harmonisation and co-operation have gathered pace and re-engaged the attention of legislators. Such initiatives can be seen as extensions of State authority in the face of the erosion of State control, different faces of national sovereignty. Despite the early a-territorial assertions for cyberspace,[71] cybercrime activities take place and have effects in and between territories. As such, Governments may be prepared to trade a loss of some degree of de jure State control, in terms of criminal procedure, reflecting their loss of de facto control, in return for extended jurisdictional reach, enhancing State authority. The deal may not be viewed as good, but simply the best available!

[71] Barlow, John Perry, “A Declaration of the Independence of Cyberspace”, February 9th 1996 (available at ); Johnson, David, Post, David, “Law and Borders – The Rise of Law in Cyberspace”, 48 Stanford Law Review, 1996, 1367