Convention on Cybercrime
It is extremely difficult, if not impossible, to define 'cybercrime' as a special type or category of crime in the same way that other crimes are defined in penal codes. The fact that the perpetrator uses a computer system or makes use of other IT facilities in order to commit the crime is not always the only decisive element in defining an offence as a cybercrime. For this reason, no definition can be found in either legislation or accompanying literature; instead, a description of several types of conduct that may be regarded as cybercrime is offered. The following categories of behaviour can be regarded as cybercrime:
- obstructing the operation of an information system;
- fraud; and
- offences relating to expression.
Obstructing the Operation of an Information System
Information systems are only secure and reliable if they fulfil three requirements:
- confidentiality;
- integrity; and
- availability.
Pursuant to several statutory provisions, certain persons and legal entities are subject to a duty of confidentiality. A breach of any of these provisions by these persons and/or entities constitutes a criminal offence pursuant to the Penal Code. In addition, the Penal Code contains a separate provision punishing the disclosure of business secrets and the disclosure of data obtained by illegal means from a company's IT equipment.
Integrity of data
The integrity of information systems is protected by relatively new penal provisions. With regard to the protection of email, it is necessary to distinguish between the phase during which email is transmitted through a telecommunications network, and the phase during which an email is saved on a computer. During transmission email is protected, as is every other form of telecommunication, by the provisions prohibiting tapping.
Saved emails are protected because they can only be obtained from the relevant internet service provider (ISP) by means of a password. A breach of this security is punishable under the Penal Code provision prohibiting hacking. It is unclear whether an ISP would be guilty of this offence if it were to look into the mailboxes of subscribers without permission, given that it owns the IT equipment in which the mailbox is located.
Availability of data
The availability of data can be obstructed through the spreading of viruses. Such conduct is only punishable in the Netherlands in a limited number of cases, for example if it causes IT equipment, telecommunications equipment or data-processing systems - used in the service of the general public - to be destroyed, damaged or rendered unusable.
Instances of cybercrime-related fraud can, for example, include the use of equipment that makes it possible to receive coded pay-television signals without payment. Such behaviour is punishable under Article 326c of the Penal Code.
The Convention on Cybercrime is the result of four years' work by experts from both member states of the Council of Europe and non-member countries such as the United States, Canada and Japan. On November 23 2001, 30 countries signed the convention, including the Netherlands, the United Kingdom, Germany, France and the non-European countries mentioned above. However, the convention has not yet entered into force because it has yet to be ratified by the requisite number of signatory countries.
The convention's main objective is to pursue a common penal policy aimed at protecting society against cybercrime, in particular by adopting appropriate legislation and fostering international cooperation.
Although most of the convention's provisions are either already part of Dutch law or included in the Computer Crime 2 Bill, the convention also raises a number of new matters. The convention makes mere possession of devices that are suitable for breaching the integrity of computer networks a punishable offence. However, those in the possession of 'hacking' tools for the purpose of testing the security of computer systems have no cause for concern. The provision relates solely to devices (ie, objects, data and computer programs) that are only suitable for criminal use, for example:
- lists of passwords;
- viruses, with no evidence of use for legitimate research purposes; or
- computer programs that can only be used for large-scale disruption of computer systems (spamming).
An article relating to the obstruction of computer systems is only partly included in Netherlands law, in the Penal Code provisions applicable to data processing performed in the service of the general public. Therefore, additional provisions will need to be enacted when the convention takes effect in the Netherlands, covering similar acts in relation to the IT networks of businesses.
The annual survey of the Computer Security Institute and the Federal Bureau of Investigation has shown that businesses are increasingly affected by cybercrime, in particular the spreading of viruses and the theft of information. The 'I Love You' virus is said to have caused global losses of $15 billion and the 'Code Red' virus $8.7 billion. In order to combat cybercrime, the Dutch Corps of National Police Services has a separate department for the investigation of cybercrime, which steps in if local expertise is inadequate. In addition, a permanent study group within the Department of Public Prosecutions devotes itself to computer crime. The subject is also a fixed part of the training programme for judges.
However, it is expected that cybercrime will still be difficult to combat, since it can be committed remotely and the perpetrator can easily conceal his or her identity. For example, a hacker can launch his or her attacks from a number of innocent host computers. Even if the attack can be traced back to a single computer, there may still be a problem if more than one person has access to that computer (eg, in an open-plan office).
For further information on this topic please contact Rogier de Rijk or Ruprecht Hermans at NautaDutilh by telephone (+31 20 5414940) or by fax (+31 20 5414700).