Background
History
Aims
Key Points
Ireland has ratified a new international treaty aimed at helping prevent criminal activity over computer networks, including the Internet. The minister for justice, equity and law reform signed the Council of Europe’s Convention on Cybercrime on February 28 2002. This update explains the background to this new international agreement and explores its effects.
The e-commerce revolution is fundamentally altering society. While both economic and social changes are being wrought, there are also negative aspects associated with the new technologies. Foremost among these is the emergence of cybercrime – that is, the materialization of new types of crime as well as the committal of traditional crimes by means of new technologies. The effects and impact of such cybercriminal activities can be more far-reaching than traditional crimes, because they are not restricted by geographical or national boundaries. Practical examples include the spread of computer viruses throughout the globe, and attempts to defraud or steal money from financial institutions by accessing their computer networks from distant locations.
Legislation and legal systems need to prevent and deter such criminal activity in an effective manner. However, the new technologies pose a huge challenge to both existing legal concepts and systems, and they require international solutions to be effectively dealt with. The Cybercrime Convention aims to meet this challenge while continuing to protect and respect human rights, such as the right to privacy.
The European Committee on Crime Problems (CDPC) decided to establish a committee of experts to deal with cybercrime in November 1996. It was felt that there was a need for an international treaty, primarily due to the character of these types of offence, which frequently involve more than one state.
Therefore, the Committee of Ministers decided to set up a new expert committee, the Committee of Experts on Crime in Cyberspace, in February 1997. The committee began work in April 1997 and, after protracted negotiations, an early version of the draft convention was released in April 2000 to facilitate consultation with interested parties. The revised and finalized draft convention and its explanatory memorandum were submitted for approval to the CDPC at its 50th plenary session in June 2001. The convention was opened for signature in Budapest on November 23 2001, following adoption of both the convention and its accompanying explanatory report by the Committee of Ministers of the Council of Europe at its 109th Session (November 8 2001). Ireland ratified the convention on February 28 2002.
The convention is primarily aimed at:
- harmonizing substantive criminal law related to cybercrime among states which are signatories to the convention;
- ensuring that effective procedural law powers necessary for the investigation and prosecution of such criminal offences exist in these states; and
- setting up a fast and effective system of international cooperation.
The need for uniform recognition of offences, appropriate definitions and international cooperation in this area was well illustrated by the facts surrounding the Lovebug virus. In that case huge damage was caused to networks on a global basis by a virus emanating from the Philippines. However, although the originator was apprehended, it subsequently transpired that there was no legislation under which he could be prosecuted in that jurisdiction. This treaty should eliminate the potential for such events occurring among convention states and the convention is divided into four chapters related to these aims. These are:
- use of terms;
- measures to be taken at domestic level;
- international cooperation; and
- final clauses.
The inclusion of definitions in Chapter 1 was viewed as necessary to ensure a uniform approach among parties to the convention. The convention therefore includes definitions for the following key terms: 'computer systems', 'computer data', service provider' and 'traffic data'. States are not obliged to copy the concepts defined in Article 1 into their domestic laws verbatim, provided that their laws cover such concepts in a manner consistent with the principles of the convention and contain equivalents. The definition of 'computer data' given in the convention is slightly broader than the definition of 'data' contained in Irish legislation relating to cybercrime (ie, the Criminal Damage Act 1991). However, both include 'information' and 'computer programs' within their scope.
Chapter 2 of the convention is divided into two parts. Section 1 deals with substantive law issues relating to criminal offences connected to computer-related crime, while the second section deals with procedural matters. The primary purpose of this section is to establish a common minimum standard relating to relevant offences. As such, it will facilitate international cooperation between convention states and thereby assist in preventing and suppressing computer-related crime. Nine offences, grouped into the following four different categories, are defined in Section 1 of Chapter 2:
- offences against the confidentiality, integrity and availability of computer data and systems;
- computer-related fraud and forgery;
- content-related offences (including child pornography); and
- infringements of copyright and related rights.
The offences stemming from these broad titles or categories include illegal access (hacking), illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography, and offences related to copyright and similar rights. The convention goes on to deal with a fifth category- ancillary liability, as well as sanctions for offences.
Irish legislation already deals with these areas in a general manner not confined to computer-based offences or cybercrime. Examples of legislation applicable to such activities include the Criminal Damage Act 1991, the Child Trafficking and Pornography Act 1998, the Copyright and Related Rights Act 2000 and the Data Protection Act 1988. At the same time, however, the specific terms of this treaty include slightly broader definitions of what constitutes criminal activity in certain areas than are currently provided for under Irish law.
The convention gives national legislatures an element of flexibility in determining their criminal policy in relation to certain of these areas. In particular, it allows states to make use of qualifying defences in relation to certain acts. This allows them to decide whether to take a hardline or restrictive approach towards activities which potentially fall within the scope of cybercrime definitions, or on the other hand whether to take a less severe approach. However, this must be done within the scope of the convention's boundaries, so that a broadly uniform position will be achieved among convention signatories.
For example, in relation to 'hacking' - that is, unauthorized access to third-party computer systems, an activity which falls within Title 1 - states can take a wide approach to the definition of the offence and criminalize all hacking; or alternatively they can narrow the scope of the offence and require a number of qualifying elements (listed in the convention), such as dishonest intent, infringing security measures or special intent, before criminal sanctions will apply.
In addition to granting states the right to include such safeguards against 'innocent' or technical breaches of cyberlaw, the convention also requires states to ensure that the establishment, application and implementation of the powers and procedures contained in the convention are done in such a manner as to protect human rights. In particular, these must be achieved in compliance with domestic law and international agreements such as the Council of Europe’s Convention for the Protection of Human Rights and Fundamental Freedoms, and the United Nation’s International Covenant on Civil and Political Rights.
Some of the offences under this convention stem from obligations assumed under other international agreements and build on these. For example, in relation to the offence of copyright infringement, the convention requires states to make it a criminal offence to use a computer to breach any copyright recognized under obligations which the state has undertaken through other agreements. These include:
- the Berne Convention for the Protection of Literary and Artistic Works;
- the Trade-Related Aspects of Intellectual Property Rights agreement;
- the World Intellectual Property Organization Copyright and Performances and Phonograms Treaties; and
- the International Convention for the Protection of Performers and the Producers of Phonograms and Broadcasting Organizations (Rome Convention).
Hence, this convention not only introduces new arrangements, but also strengthens the existing position in a range of areas.
Section 2 of Chapter 2 applies to any offence committed by means of a computer system or where the evidence of such an offence is in electronic form. It sets out procedural powers including:
- search and seizure of computer data;
- accelerated preservation of stored data;
- accelerated preservation and disclosure of traffic data;
- evidence production order;
- real-time collection of traffic data; and
- interception of content data.
The basic approach followed by the convention is to adapt traditional procedural measures, such as search and seizure, to the new technological environment. In addition, new measures have been created in order to ensure that these traditional measures remain effective in the contemporary technological environment.
In Ireland, the Criminal Evidence Act 1992 already contains provisions relating to the admissibility of computer-generated evidence in criminal trials under Irish law, and the Electronic Commerce Act 2000 further adds to this body of legislation, particularly in relation to contractual and civil matters. However, these may not be sufficient to comply with the convention. For example, there are no provisions in Irish law which specifically allow the authorities to compel individuals to reveal access codes, personal identification numbers or encryption keys, unlike in the United Kingdom, where the Regulation of Investigatory Powers Act 2001 has granted the authorities sweeping investigatory powers. As the convention requires states to enact legislation that allows the authorities to 'search or similarly access' computer systems and storage mediums located in their jurisdiction in which data may be stored, it may be that this will be interpreted as requiring that such powers be granted to the authorities.
This section of the convention also deals with provisions relating to jurisdiction, one of the most problematic areas in cybercrime cases from a practical viewpoint. It stipulates that states are to adopt measures to ensure that they can exercise jurisdiction over offences committed in their territory, on board a vessel or aircraft, or even by one of its nationals outside the state, in certain circumstances.
Following on from the jurisdiction issues, Chapter 3 of the convention contains provisions concerning mutual assistance between contracting states as well as extradition rules in relation to computer-related crime. It covers mutual assistance in situations where no legal basis (eg, a treaty or reciprocal legislation) exists between the parties, in which case its provisions apply, and also situations where such a basis does exist, in which case the existing arrangements apply. The convention requires states to afford each other assistance to “the widest extent possible”. To facilitate this, it includes provisions which necessitate the creation of a point of contact in each member state which is available 24 hours a day, seven days a week, and which can provide or facilitate the provision of technical advice, data preservation and evidence collection.
Chapter 4 contains general provisions on the convention. It provides that disputes between the parties to the convention must be resolved through submission of the dispute to the CDPC, the International Court of Justice or a binding arbitration tribunal. It also contains provisions relating to proposals for amendments to the treaty, and makes arrangements for parties to engage in consultation on the implementation and effectiveness of the treaty with a view to exchanging information on significant related developments and potential improvements to the treaty. Therefore, this treaty both represents a significant milestone in international cooperation in countering the menace of cybercrime, and will also serve as a legal base on an ongoing basis from which future initiatives may be launched in response to emerging issues.
For further information on this topic please contact David Sanfey at A & L Goodbody by telephone (+353 1 649 2000) or by fax (+353 1 649 2649) or by email ([email protected]). The A & L Goodbody website can be accessed at www.algoodbody.ie.