[Home] [E-Mail Services] [Internet Services] [Some Cloak and Dagger Links] [Research Index]
|Investigation Tool: Knowledge|
Computer Crime Page 7 of 7:
A. General aspects
239. As modern society is heavily information-dependent, computer-related crimes are easily committed on an international scale. International access to information and the mobility of data are fundamental to the working of our economic systems. Distance, time and space have ceased to be obstacles in commercial transactions. There is no longer any need for the physical presence of human agents. As the manipulation and storage of data take place within the dimension of international telecommunication networks, the usual border controls are bypassed. International instruments containing principles of the transborder flow of data, such as those by the United Nations or OECD, focus clearly on the principle of free flow of information, tempered by concerns to protect the confidentiality and integrity of the transmitted information, particularly in the case of sensitive data. Given the utility of paperless commercial transactions in international commerce and the rapidly improving sophistication of electronic communications, the volume of cross-boarder computer has increased significantly.
240. Currently, whole sectors of economy, such as banking and international aviation, rely heavily or even exclusively on international telecommunication networks. With the continuing development of standards and norms for electronic data interchange (EDI), such as that under the auspices of the United Nation Electronic Data Interchange for Administration, Commerce and Transportation (UN/EDIFACT), the use of EDI will increase substantially in the decade to come.
241. The international element in the commission of computer crime create new problems and challenges for the law. Systems may be accessed in one country, the date manipulate in another and the consequences felt in a third country. Hackers can operate physically operate in one country, move electronically across the world from one network to another and easily access databases on a different continent. The result of this ability is that different sovereignties, jurisdictions, laws and rules will come into play. More than in any other transnational crime, the speed, mobility, flexibility, significance and value of electronic transactions profoundly challenge the existing rules of international crime law.
242. There are a number of complex issues to confront, given the multiplicity of countries potentially involved in a crime. How can it be determined which country the crime was actually committed? Who should have jurisdiction to prescribe rules of conduct or of adjudication? In crimes involving multinational contacts, there will be frequently be conflicts of jurisdiction. Countering computer crimes committed from a distance and having and increasing range of international targets (such as country of commission of the crime, the number of actors and victims involved, and the range of potential consequences) will require a well-developed network of inter-State cooperation to attain effective investigation and prosecution. In the light of the technicalities of international interaction, cooperation between nations in criminal matters is crucial.
243. These issues have to be addressed by all countries, whether they be producers, users or consumers of the new information technologies, since these technologies ate becoming an integral part of economic, social and culture development.
244. In seeking solutions to the above problems, the international community should strive for the following:
Maximizing cooperation between nations in order to address, firstly, the potential for enormous economic losses and, secondly, the general threat to privacy and other fundamental values that near-instantaneous cross-border electronic transactions may create;
Worldwide protection so as to avoid "data paradises" or computer crimes havens where computer criminals can find refuge or launch there attacks;
A lawfully structured cooperation scheme, taking into account and balancing the necessities of international trade and relations on the one hand and the rights and freedoms of the individual on the other hand.
B. The jurisdiction issue 1. The territoriality principle
245. There are a number of problems related to the issue of jurisdiction. In every computer crime, the determination of the locus delicti (the location of the offence) will affect the ability of a particular country to sanction the crime. Will the sanction arise by virtue of territorial jurisdiction and domestic law, or must extraterritorial principles apply?
246. Today, it is technologically possible for an operator to punch a keyboard in country A so as to modify data tored in country B, even the operator does not know that the ata are stored there, to have the modified data transferred over telecommunications network through several other countries, and o cause an outcome in country C. On the basis of the physical ct, the technical modification, the transmission of the alsified data and the consequences, three or perhaps more ountries will have been involved and may have a claim to urisdictional competency.
247. Depending on which elements or stages of the crime are given priority, several countries in the above scenario could, within their full sovereignty, declare the incident as having occurred on their territory, thus invoking the principle of territorial jurisdiction in order to prosecute and sanction. This raises a potential jurisdictional conflict, as well as the question of the appropriate arbitration of these equal claim for jurisdiction, the applicability of the non bis in idem rule, and the impact of the lex mitior rule.
248. The recurring threat of computer viruses worms in another striking example of transnationality. If a virus infects the system in one location, the infection can spread with destructive rapidity and affect programmes throughout the international network. What criteria should apply in determining which country may act? Once again, several choices are available: the country in which the virus was introduced, all countries in which software or databases were affected and all countries in which results were felt. It is possible that it may not manifest itself far away from the country of origin. It is also possible that it may not manifest itself until considerable time has passed, when retracing the technological path of the of the original offender has become difficult, as, for example, in cases of the so-called time-bomb virus. What, then, determines the competency to prosecute and sanction? Can it be the best evidence rule or the first-come, first-served principle, or do the traditional solutions discussed below still stand firm?
249. The primacy of the principle of territoriality is generally accepted in sphere of criminal jurisdiction. The principle is based on mutual respect of sovereign equality between States and is linked with the principle of non-intervention in the affairs and exclusive domain of other States. Even in the exceptional event that a country might apply extraterritorial jurisdiction for a sake of protecting its own vital interests, the primacy of the extraterritorial principle is not altered.
250. The ubiquity doctrine is often referred to in determining the place of commission. The offence will be considered to have been committed in its entirety within a country's jurisdiction if one of the constitutive elements of the offence, or the ultimate result, occurred within that country's borders. Jurisdiction is equally applicable to co-perpetrators and accomplices.
251. Common law countries also use the effects doctrine in addition to focusing on the physical act. This doctrine locates crimes in the territory in which the crime is intended to produce, or actually does produce, its effects. Thus, where various elements or effects of a crime may occur in more than one country, the two doctrines of territorial jurisdiction may lead to concurrent, legitimate jurisdictional claims.
252. These positive conflicts of jurisdiction, while at first glance not very problematic in determining the appropriate judicial response, do contain some inherent risks. The most fundamental problem is the general refusal, particularly in civil law systems, to apply the double jeopardy rule. Thus, the accused is submitted to a multitude of prosecutions for the same act.
253. Equally important is the manner of classification of the multiple acts potentially involved in a pattern of computer crimes. In particular, in cases of repeated data manipulation, data espionage or unauthorized access, it is unclear whether the acts should be considered as separate crimes or as a single act by application of the principle of international connexity, by which a single prosecution for the whole transaction would be justified.
254. States should, therefore, endeavour to negotiate agreements on the positive conflicts issue. These agreements should address the following issues:
An explicit priority of jurisdictional criteria: for example, of location of act over location of effect, of the place of physical detainment of the suspect over in absentia proceedings or extradition;
A mechanism for consultation between the States concerned in order to agree upon either the priority of jurisdiction over the offence or the division of the offence into separate acts;
Cooperation in the investigation, prosecution and punishment of international computer offences, including the admissibility of evidence lawfully gathered in the other countries, and the recognition of punishment effectively served in other jurisdictions. This would prevent unreasonable hardship to the accused, otherwise possible by an inflexible interpretation of the territoriality principle.
2. Other base of jurisdiction 255. The issue of international computer crime also requires an analysis of the principles of extraterritorial jurisdiction. State practice discerns the following theoretical grounds:
The active nationality principle, which is based on the nationality of the accused. The principle, when applied in conjunction with the territoriality principle, may result in parallel concurrent jurisdictions, creating a situation of double jeopardy. The use of the active nationality principle is therefore generally confined to serious offences;
The passive personality principle, which is based on the nationality of the victims. This principle has been highly criticized, since it could subject a national of State A, although acting lawfully in State A, to punishment in State B for acts done in State A to a national of State B, if the acts were unlawful in State B and State B were to apply the principle. On practice, therefore, this principle is seldom used;
The protective principle, which is based on the protection of the vital interests of a State. By this principle, a State may exercise jurisdiction over foreigners who commit acts that are considered to be a threat to national security. Given the potential for abuse of this principle if security is interpreted too broadly, the protective principle is not highly favoured; in practice, therefore, it is often linked to other doctrines, such as the personality principle or the effects doctrine;
The universality principle, based on the protection of universal values. It is usually effected on the basis of express treaty provisions but is otherwise rarely used. It is generally held that this principle should apply only in cases where the crime is serious, where the State that would have jurisdiction over the offence, based on the usual jurisdictional principles, is unable or unwilling to prosecute.
256. Other than the basic policy considerations as to whether a State should apply one or more of these bases of jurisdiction, it is unlikely that application of these principles of extraterritorial jurisdiction to information technology offences will create specific problems. Nevertheless, the characteristics of transnational computer crime do have the potential to involve an increasing number of States, thereby creating a jurisdiction network in which the ordering of the subsequent priorities is required.
257. There are no rules of international law, other than the principles of comity and non-intervention, that impose express limitations on the freedom of sovereign States in establishing extraterritorial criminal jurisdiction. Where there is strong international solidarity by way of customary or conventional international law, jurisdiction over important offences may be decided by the principle of universality, in addition to the applicability of other grounds of jurisdiction. No such conventions exist yet in relation to computer crime. Eventually, however, as has been the case in other major international crimes, international conventions will regulate this area.
258. A spirit of moderation might be expected from States in exercising these jurisdictional principles, in order to encourage international cooperation and to avoid significant conflicts of jurisdiction with other States. In that spirit, the passive personality principle, although sometimes used to protect the economic interests of nationals (natural or legal persons), is highly disputed, while universality is best limited to express treaty provisions. The protective principle may be relevant for certain types of computer offences, because it grants jurisdiction to a State over offences committed outside its territory, in the defence of fundamental (vital) interests.
259. There exists very little consensus on what constitutes vital interests. No doubt a sovereign State might consider attacks on data or telecommunication infrastructures, when related to basic government activities (police data, military data, State security systems etc.), to fall within its purview. However, a tendency may arise to consider certain economic interests, naturally involving a significant amount of transborder data flow, as a vital concern of the State. Nevertheless, caution is needed in regard to such extensions, since they can affect adversely the legitimate flow of information and data, as well as other economic and social interests. Therefore, the State concerned should be expected to take due account of the principles of cooperation, comity and reasonableness, which should govern State action in exercising extraterritorial jurisdiction.
260. Even if very few specific computer-related concerns seem apparent, the general issues in extraterritorial jurisdiction remain valid: the need for harmonized legislation (see paragraphs 268-273), the settlement of concurrent jurisdictional claims, the international validity of the non bis idem principle and the development of agreements on mutual cooperation and the transfer of criminal proceedings (see paragraphs 279-280).
C. Transborder search of computer data banks
261. One very specific transborder situation in relation to computer-related offences deserves particular attention. Within the international economic environment, in particular within multinational corporate structures, data are often stored centrally in one country (e.g. where headquarters are located), with on-line access available to company partners (e.g. subsidiary corporations) operating in the territory of other countries.
262. Criminal investigations in such situations are presented with the problem of how to retrieve the data, as potential evidence, that are stored abroad, when investigating by means of on-line access to that data. The question arises whether the investigating authorities may penetrate the database by direct access, without the intervention, knowledge or agreement of the State in which the data are located. Urgent situations compelling the preservation of evidence may require that data be made readily available or, at least, that they be seized and blocked, thereby securing their evidential value. A suspect with sufficient speed and expertise in the access to and the functioning of the system could otherwise interfere with the data and make them unavailable by, for example, erasing them or transmitting them to another data bank.
263. Traditional means for cooperation between States in criminal cases do exist, in the form of conventional mutual assistance agreements, particularly the procedure of the letters rogatory. This procedure, however, by which a State is requested to undertake an investigation on its own territory on behalf of the investigating State, is highly time-consuming. The investigation of crime in the computer environment requires quicker, more efficient action. Another problem arises when a person, natural or legal, is compelled by the investigating State to produce data located in another State, whether or not they are available by on-line access, even though under the law of the State of storage that person is obliged to secrecy.
264. There is no unanimity today on the solution to these problems. However, the view that the deliberate investigation of on-line data constitutes a violation of the sovereignty of the other State is probably correct, whether it is done by the investigating authorities from the premises of the suspect or from their own terminals. In fact, such access might even be considered in the other State as a form of computer crime, such as unauthorized access.
265. The only explicit rule in international public law relevant to this situation seems to be the non-intervention principle, which historically has been applied only when foreign agents have operated physically on a State's territory. Nevertheless, the direct penetration of data banks appears very similar to acts of physical intervention by official foreign agents. The analogy is strengthened if the acts of penetration also constitute an offence in the other State. However, some people will probably resist the analogy and accept the legality of this penetration.
266. There is a definite need to address these questions, which are indeed not hypothetical ones, and to find solutions that balance the requirement of quick action with the appropriate respect for the sovereign rights of the other State in matters of police or investigatory action within its territory. States could, therefore, strive to conclude agreements that make direct penetration acceptable only as an exception. Any exception should, in addition, be subject to a number of stringent conditions, such as the following:
The freezing of data, by which any further operation on the data is rendered impossible, would be permissible only for preserving the data for evidentiary purposes;
The use of this evidence in the investigating State would be subject to the explicit consent of the State where the evidence was stored;
The right to penetrate data banks directly would be limited to serious offences only;
Sufficient indication must exist that the usual method of mutual assistance would, for lack of rapidity, compromise the search for evidence;
Upon commencement of the investigation, a duty would be imposed to immediately inform the authorities of the State being investigated.
267. The problem of on-line transborder searches of computerized data has not been adequately addressed so far. By virtue of not being cooperative acts, such actions do not fall within the traditional category of mutual assistance in criminal matters. However, the appropriate solution is not to view States as having a complete unilateral freedom to act, provided there is no violation of the non-intervention principle by physical interference. This potential area of conflict between States could be solved by a solution based on the principles mentioned above.
D. Mutual assistance in transborder computer-related crime
268. As discussed above, transnational computer crime can be efficiently addressed only if the countries involved agree to provide maximum cooperation in countering it. This cooperation is usually organized by multi- or bilateral conventions may given rise to a number of problems of which States should be aware.
269. First, as for other forms of international cooperation, the requirement of dual criminality may be an issue. Refusal of assistance could be based on the ground that the act in relation to which the request is made is not an offence in the territory of the requested State. Thus there is a clear need to make the substantive criminal law of computer crime correspond from State to State.
270. Even if the dual criminality rule is not an aspect of all incidents of mutual assistance, it is often a requirement in cases of search and seizure, which is a particularly important means of assistance where data are concerned. Double criminality, furthermore, is basic to other common cooperation modes, such as extradition, or other schemes for solving jurisdictional conflicts as discussed above. Unless domestic criminal legislation, as it develops, moves beyond xpressions of sovereignty to espousing common principles as greed among nations, conflicts will not be avoided. Efforts by tates to harmonize their domestic laws will prevent conflicts of urisdiction and, at minimum, will lay the basic groundwork for ooperation.
271. It is, therefore, imperative that States undertake action to achieve this aim. Such action may range from the undertaking of consultations among States prior to enacting domestic legislation; solutions for harmonization, such as recommended guidelines for national legislation; and the elaboration of a convention of substantive law that defines computer crime under international law, including the governing principles in jurisdiction and cooperation.
272. Secondly, a form of mutual assistance rendered to requesting States is the search and seizure of data banks or carriers that store or transmit information. The target of request is not the carrier itself but the intangible specific data. If seizure remains applicable only to physical objects, the carrier is still at issue. The technical storage capacity of such data banks and carriers often far exceeds the volume of content requested by the investigating State. Explicit rules should be elaborated in relation to the surplus of information a data bank or carrier might contain, which would allow the execution of letters rogatorys upon only the targeted data. Notions such as relevance, proportionality and defined purpose should necessarily be included.
273. A final concern relates to potential grounds of refusal, which almost uniformly include the protection of the essential interests of the requested party. Data that relate to the privacy of nationals, including, for example, financial or medical information, could be considered sufficiently sensitive by a State, in its role of protecting its citizens, to be an essential interest. Many computer-related investigations may concern tax fraud or violations of customs, import and export rules, equally subject to the essential public interest qualification. Again, it is to be expected that States interpret their treaty obligations in a practical manner, in a spirit of cooperation and international comity.
274. Given the potential for multiple territorial and extraterritorial jurisdictions, resolving the resulting jurisdictional conflicts will often require an agreement between States. It is therefore possible that the effective exercise of an agreed jurisdiction will involve extradition, since the State of physical location of the suspect may not necessarily be the appropriate forum for prosecuting the crime.
275. The terms of traditional extradition treaties will remain applicable. Computer crimes do not appear to raise any specific difficulties, provided the requirements of the extradition law and/or treaty are met. The most important issues are the requirement, again, of double criminality, i.e. the impugned conduct would be an offence punishable under the law of both the requesting and the requested State, and the fulfilling of any other conditions that would include computer crime within the category of extraditable offences. This could be accomplished either by setting sanctions for the open formula, e.g. a maximum punishment of a certain number of months, or by including computer crime in the enumerated list of extradition crimes appended to the extradition treaty in question.
276. Both conditions require careful attention in the computer crime area. The first condition highlights once again the absolute need to legislate the substantive law in each State as consistently as possible, thus avoiding loopholes or conflicting interpretations of the requirements of criminality. Currently, there is insufficient international discussion in the definition of computer crime, or at least on the constitutive elements of the most significant criminal behaviour. The efforts of OECD, the Council of Europe and the United Nations have not yet produced conclusive results. Nevertheless, the reports of these bodies contain sufficient indicators to allow States to formulate criminal laws that are consistent with the criminal laws of partner States.
277. The second condition, the extraditable character of the offence, requires an attentive legislative drafting policy. In particular, offences such as unauthorized access to computers or telecommunications facilities are often characterized as minor offences, and penalty scales may not meet the minimum threshold standards of extraditable crimes. Unfortunately, experience shows that transborder hacking cases are common, significantly affecting important transnational economic networks. It might be advisable to consider serious penalties, at least in cases where the hacking affects the international relations of the victim, whether the victim is a legal or physical person or a State. Disregarding the use of extradition or other cooperation methods could seriously hinder the efficiency of the cooperative response to this important and disturbing phenomenon.
278. Other important concerns, not specific to networking but potentially magnified by it, relate to grounds of refusal where the offence for which extradition is requested is, under the law of the requested State, viewed as having been committed in whole or in part within the territory of that State. A second problematic scenario is possible if the invoked ground for jurisdiction is an extraterritorial one but the law of the requested State does not provide such jurisdiction in similar cases. These situations might also create positive or negative conflicts of jurisdiction. The creation of channels of consultation or negotiation on order to solve such conflicts is highly recommended.
F. Transfer of proceedings in criminal matters
279. As mentioned above, the exercise of jurisdiction in transborder cases involves the possibility of competing claims, which may eventually lead to multiple prosecutions and bring about friction between States. The technique of transfer of proceedings offers a rather effective mechanism to solve this problem in a harmonious way. By creating agreements by which one State can waive its jurisdiction rights on favour of another State, conflicting claims can be resolved. The reason for such an initiative, beyond avoidance of jurisdictional conflicts, are the effective administration of penal justice, the interests of the victim and the reintegration of the offender into society. In case where multiple proceedings are pending in two or more States, a provision can be made for compulsory consultation to reach a settlement.
280. Few conventions of this type are force today. The European Convention for the Transfer of Proceedings in Criminal Matters (1972), for example received a limited number of ratifications. However, the United Nations Model Treaty on the Transfer of Proceedings in Criminal Matters (General Assembly resolution 45/118, annex) represents an excellent basis for more effective international cooperation and deserves greater attention. The basic issues, e.g. the issues of double criminality and non bis in idem, remain similar to those in the other cooperation techniques, but again, any problems can be overcome. In the interests of the administration of criminal justice, which includes effective truth-finding and locating the most important or best items of evidence, agreements in this field may very well solve recurring, conflicting claims of jurisdiction while serving the interests of efficiency.
G. Concluding remarks and suggestions
281. In coping with the increase in transborder computer-related transactions, it is clear that a set of solutions elaborated by the international community represents an effective response. The problems predictable in confrontations among different States, whether common to all transborder crime situations or specific to computer crimes, require well-regulated solutions. Whether the problems are related to multiple jurisdiction conflicts, of a positive or negative nature, or to the requirements of mutual cooperation agreements, it is suggested that States should elaborate explicit rules to solve them.
282. Problems of concurrent jurisdiction based on the principle of territoriality are likely to be the most difficult to solve. Criminal law and jurisdictional questions are still integrated in national policy, and the implementation of that policy remains exclusively in the hands of the sovereign State.
283. Rather than seeking a solution through a conventional classification of priorities, a more effective action might be to develop a mechanism for mutual consultation and for allocating responsibilities on a case-by-case basis. A procedure for settling jurisdictional disputes by a body of experts knowledgeable in both jurisdictional issues and computer crime could also by developed. This could provide a speedy and flexible alternative to existing dispute-resolution mechanism, such as the Council of Europe Convention on Peaceful Settlements of Disputes.
284. It appears to be generally accepted that claims of extraterritorial jurisdiction are subsidiary to primary territoriality claims. Conflicts of extraterritorial jurisdiction should preferably also be settled by cooperative mutual consultation.
285. In the administration of criminal justice in a multi-sovereign environment, different cooperation techniques can be of relevance. Traditional techniques such as extradition or mutual assistance are generally applicable, provided that the basic requirements of double criminality and conditions for extradition are met. States must, therefore, operate with criminal laws that are as consistent as possible. Laws will be consistent only if there has been cooperation with international institutions such as the United Nations, the Council of Europe, the Organization of American States, the British Commonwealth of Nations, OECD and similar groups. The imposition of penalties sufficient to classify international computer crimes as serious offences is also required.
286. In the search and seizure of data, the mass storage of information in data banks and its transmission through carriers may necessitate additional safeguards, with regard to the criteria for limiting acceptable purpose of search and seizure and for determining relevance in the selection of the data.
287. Many key issues could be properly addressed by the more extensive use of, and consequent greater confidence in, a mechanism for transferring criminal proceedings. It would be advisable to develop conventional agreements that offer cooperative avoidance of conflict, mutual assistance and effective administration of justice.
288. Finally, and more specifically, the legality of direct access to computerized data stored abroad, for evidentiary purposes, should be examined to determine the appropriate balance between, on the one hand, preservation of evidence and efficient prosecution, and on the other hand, respect of exclusive sovereign territorial rights. The basis for a valid solution could be found by combining the notion of a right to immediate access to information for the purpose of freezing and conservation, with the requirement that clearance be given by the other State before the frozen data could be used as evidence. Few if any transborder problems in computer crimes will resist solution by appropriate, balanced legal rules. What is fundamental is the political willingness, in a spirit of international cooperation, to tackle a crime that has no frontiers.
289. This paper has attempted to provide a broad overview of the newest forms of computer and computer-related crime. It has exposed the history, extent and complexities of this phenomenon. The complexities, intrinsic to the technology itself and to the vagaries of human nature, are exacerbated by the inadequacies of current law. The paper has canvassed the various solutions that have been suggested and proposed some reform initiatives in the legal area. Pertinent issues for security in the electronic environment have been explored. In addition, the use of non-penal methods to combat this problem has been noted.
290. Many groups of experts in the computer and crime-enforcement fields have discussed, and continue to discuss, these issues. The discussions suggest that the phenomenon of computer crime has existed for some time and will not go away. Computer technology today is where automotive technology was in 1905. Significant developments lie ahead. Equally, we have not yet seen the full extent of computer-related crime.
291. Countries must be cognizant of the problem and realize its implications for their own social and economic well being.
Simcoe County, York Region, Toronto GTA, Ontario, Canada