Technological advancements in computer science have made it possible for a wider range of criminal activities particularly with the new and innovative means of online communications. Cybercrime is described by the Council of Europe’s Cybercrime Treaty as criminal conduct against data to infringement of copyright laws. Other experts have provided wider definitions of cybercrime to include cyber-stalking, fraud and child pornography. Symantec provides a more concise definition and describes cybercrime in the following terms: “…any crime that is committed using a computer or network, or hardware device.
” Along with the introduction and evolution of cybercrimes jurisdictional and investigative challenges have complicated the detection and control of this new class of criminal activity. The discussion that follows focuses on the ongoing difficulties with solving cross-border cybercrimes and the international efforts made so far to stifle those difficulties. By and large the discussion focuses on how those efforts are beneficial to law enforcement agents and what can be done to improve upon the current international efforts.
While multinational cooperation appears to be the most productive method of fighting cybercrime, a joint effort by national governments to actively investigate and prosecute cybercrime is necessary if multinational cooperation is going to function effectively. Legal Complexities with respect to cybercrime In an article published in the New York Times on January 27, 2003 it was revealed that in a survey of 500 companies, conducted by the Federal Bureau of Investigations and the Computer Security Group the previous year computer fraud cost losses in excess of US$4 million and theft of company information cost losses in excess of US$6 million.
According to Nir Kshetri of Bryan School of Business and Economics, these losses reflect the tenacity of cybercriminals and the ease with which they are permitted to operate. Kshetri goes on to explain that while cybercrime involves essentially the same conduct, the lack of comity of nations which lends itself to different legal consequences for that conduct permits the success of cybercrime. Therefore the most obvious difficulty in respect of cybercrime is its multi-national dimensions.
Patricia Bellia, Assistant Professor at Notre Dame University noted that law enforcement agencies have to overcome difficult challenges in their pursuit of cyber criminals co-existing in several jurisdictions. These challenges are fairly “common in internet crime. ” Professor Suzan Brenner provides an excellent example of the complications surrounding the investigation and prosecution of cybercrime in her synopsis of a cybercrime referred to as the “love bug”. The love bug was the name given to a computer virus that surfaced sometime in May of 2000 and spread rapidly on an international level.
It was calculated to destroy many different types of files and within its opening hours it had affected more than 279,000 computers worldwide. The love bug had infected the computers of large companies including the House of Lords, Dow Chemical Company and Ford Motor Company. Once it had been determined that the love bug had originated in the Philippines, law enforcement officials from both the United States and the Philippines set about tracing the person or persons responsible for the creation and deployment of the love bug.
From the onset, there were legal difficulties of mammoth proportions. To start with the Philippines were sorely lacking in definitions of and provisions in respect of cybercrimes. Moreover, it was difficult to justify grounds for the issuing of a search warrant for a suspect on the basis of some undefined cybercrime. Making matters worse the Philippine law had not specific crime capable of applying to conduct encompassing the breaking into of a computer system or for deploying a virus and/or using a computer for the purpose of committing the offence of theft.
In order to compensate for the shortfall in Philippine law the prosecutor charged the suspect with theft and fraud under credit card legislation since there was no specific common law or statutory offence reflective of the actual cyber misconduct. Eventually the Department of Justice withdrew the case claiming that: “…the credit card law [did] not apply to computer hacking and that investigators did not present adequate evidence to support the theft charge. ” As a result of this fiasco the Philippines enacted legislation defining specific cybercrimes and penalties for offenders.
Brenner maintains that the love bug case identifies with reasonable clarity the difficulties for law enforcement in respect of the investigation and prosecution of cybercrimes. Brenner identified four key areas of concern. They are: 1. A legislative failure in identifying and making provision for cyber specific criminal conduct. 2. A lack of international treaty agreements in respect of cybercrimes. 3. Difficulties identifying the country with jurisdiction over the cybercrime complaint. 4.
Difficulties identifying the number of persons and the specific crimes committed and the breadth of the resulting damages. International Cooperation The Council of Europe Cybercrime Convention 2001 The Council of Europe Cybercrime Convention 2001 is the first international treaty of its kind. It is specifically designed to regulate and control criminal activity via the internet and over computer networks on a global level. In a summary of its Cybercrime Convention the Council of Europe explains its purpose as follows:
“Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. ” In 1997 the European Council organized a committee of experts with a view to design and draft a Cybercrime Convention specifically for the purpose of controlling criminal conduct via the internet. Non member states to the European Community such as Japan, the United States, Canada and South Africa also contributed to this organization.
Several drafts were completed and the final version received approval from the European Council on Crime Problems in 2001 and was published. By November 2001 the Convention was open for ratification by Member States and third parties such as Japan, the United States, Canada, Mexico, South Africa and the Vatican. On August 3rd last year the United States ratified the Convention 2001. The Parliamentary Assembly to the European Council recommended the addition of a protocol on the control and regulation of published racism via the internet by criminalizing such activities.
The recommendation appeared in Opinion No. 226 (2001) and specifically provides as follows: “Finally, the Assembly recommends immediately drawing up a protocol to the new convention under the title “Broadening the scope of the convention to include new forms of offence”, with the purpose of defining and criminalising the dissemination of racist propaganda, abusive storage of hateful messages, use of the Internet for trafficking in human beings, and the obstruction of the functioning of computer systems by spamming (sending junk e-mail).
” The protocol on racism was available for signatures in January of 2003 and while thirty member states signed it only a handful of members ratified it. The ratifying states are Cyprus, Albania, France, Slovenia, Denmark and the former Yugoslav Republic of Macedonia. The protocol became binding in March 2006. The Council of Europe Cybercrime Convention 2001 has as its primary goal the harmonizing of cybercrime substantive and procedural laws on a global level.
Specifically, Section 1 requires that members to the Council of Europe Cybercrime Convention 2001 implement domestic legislation that criminalizes a broad range of improper and intentional computer related activities. These activities are entitled “Offences against the confidentiality, integrity and availability of computer data and systems” as “illegal access” , “illegal interception” , “data interference” , “system interference” and “misuse of devices”.
Title 2 of The Council of Europe Cybercrime Convention 2001 goes on to make provision of the implementation by member states of domestic laws criminalizing “computer-related offences” such as “computer-related forgery” and “computer-related fraud. ” Title 3 of The Council of Europe Cybercrime Convention 2001 requires that member states criminalize the publication of child pornographic material via a computer system. It further dictates a common definition of child pornography.
Title 4, Article 10 makes provision for harmonizing of criminal offences relating to copyright infringement and Title 5, Article 11 requires that member states make provision for criminalizing complicity in all cybercrime activities. Article 12 of Title 5 establishes a cohesive means of enforcing corporate liability in respect of cybercrime on an international level among its member states. Article 13 of the Council of Europe Cybercrime Convention 2001requires that member states establish cohesive sanctions in respect of the criminal offences created by domestic legislative provision.
Article 13(1) and (2) provide as follows: “1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that the criminal offences established in accordance with Articles 2 through 11 are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty. 2 Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions or measures, including monetary sanctions.
” Section 2, Title 1 of the Council of Europe Cybercrime Convention 2001 makes provision for common procedural laws among member states. Article 14 states simply that: “Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings. ” Title 3 of Section 2 requires that member states make common provisions for production orders of a “computer system or a computer-data storage medium”.
Title 4, Article 19 makes similar provisions in respect of search and seizure procedures. These specific provisions are necessary for cross-border considerations as they permit authorities in each member state to have consistent search and seizure laws and will facilitate and eliminate jurisdictional complications. A cybercrime offence committed in one member state will be exactly the same as an offence committed in another member state. It will therefore make little difference which member state assumes jurisdiction over the matter.
Article 25 of Title 3, Chapter III provides perhaps the most enlightening provision by stating that: “The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. ” Although a number of countries did not indorse the Council of Europe Cybercrime Convention 2001 they did take steps to bring their countries legislation in respect of cybercrime into harmony with the Council of Europe Cybercrime Convention 2001.
For instance the Parliament of Australia enacted the Cybercrime Act 2001 which was assented to on October 1st, 2001. Author Jody Westby explains that with or without the Council of Europe Cybercrime Convention, many nations responded to the widespread potential of cybercrime following the September, 11th terror attacks on US soil. The response was to introduce or modify existing criminal legislation and codes so as to permit jurisdiction by one nation over another in instances where it was necessary to prosecute a party or parties of one nation who committed a crime against a computer in another nation.
The Council of Europe Cybercrime Convention is the only international treaty in place at the moment. It is encouraging that industrialized countries that have not ratified the Convention have at least legislated laws consistent with the Convention because one of the biggest challenges to the prosecution and investigation of cybercrime arises out of conflicting laws of the nations affected by misconduct over the internet. Even when both the victim and the offender originate out of the same jurisdiction the evidence may exist in another jurisdiction.
Moreover the offence complained of could encompass several jurisdictions, for instance a “telemarketing scam. ” The challenges and difficulties with the dynamics of cybercrime are endless and resolving these issues will depend on the co-operation of the countries impacted. In the spirit of the Council of Europe Cybercrime Convention, harmony of laws and mutual assistance goals is the only realistic means of controlling and deterring cybercrime globally. As Westby maintains, any resolution first requires co-operation between national borders at the investigative process all the way to the prosecutorial process.
This might involve an initial consensus as to which jurisdiction is to have the lead charge over the matter. But none of these options would be remotely possible without some international treaty such as the Council of Europe Cybercrime Convention. Mark M. Richard, Counselor for Justice Affairs to the US Mission to European Union in an address to the EU’s meeting on the 29th Article at Brussels on April 14, 2005 made the following observation: “With the globalization of communications networks, public safety is increasingly dependent on effective law enforcement cooperation across borders. ”
As there is no conceivable way to draft and implement a single codified law capable of application in every country without compromising the sovereignty of nations, the Council of Europe Cybercrime Convention is by far perhaps the best method of accomplishing goals calculated to close the gap between the conflicting laws of different nations. The United Nations On December, 4, 2000 the United Nations’ General Assembly passed resolution 55/63 which provides as follows: “(a) States should ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies.
(b) Law enforcement cooperation in the investigation and prosecution of international cases of criminal misuse of information technologies should be coordinated among all concerned States; (c) Information should be exchanged between States regarding the problems that they face in combating the criminal misuse of information technologies; (d) Legal systems should protect the confidentiality, integrity, and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized. “
At the 11th UN Workshop on Crime Prevention and Criminal Justice held in Bangkok from April 18th to April 25th, 2005, Ambassador Henning Wegener emphasized that the global nature of cybercrime required more than mere international co-operation on a voluntary basis for the successful control of cybercrime. He maintained that it was necessary to construct a single international code providing for mandatory compliance on the part of all UN member states. He stressed that it was imperative that anti-cybercrime laws operate in a “global culture of cyber security.
” Despite the ongoing talks and the suggestions put forth by the United Nations there are no uniform codes regulating anti-cyber crime laws on an international level. The closest instrument to date is found in the Council of Europe Cybercrime Convention which sets out guidelines for harmonizing anti-cybercrime laws among member states. The Organization of American States At a meeting in Peru in 1999 the Organization of American States recommended that a group of experts on the issue of cybercrime be established.
In 2002 the group of experts were established at a meeting in Trinidad and Tobago and they were given the following instructions: “To consider the preparation of pertinent inter-American legal instruments and model legislation for the purpose of strengthening hemispheric cooperation in combating cybercrime, considering standards relating to privacy, the protection of information, procedural aspects, and crime prevention. ” The experts met with the Ministers of Justice of the Organization of American States in Washington D. C. in April of 2003 and recommended as follows:
“That Member States evaluate the advisability of implementing the principles of the Council of Europe Convention on Cybercrime (2001), and consider the possibility of acceding to that convention. ” As a result of this recommendation the Organization of American States under the auspice of the European Council and Spain met in Madrid in 2005 with the Group of Governmental Experts on Cybercrime. At this meeting it was acknowledged that the Council of Europe Convention on Cybercrime was the only international treaty on anti-cybercrime measures and stated that they:
“Strongly encourage States to consider the possibility of becoming Parties to this Convention in order to make use of effective and compatible laws and tools to fight cybercrime, at domestic level and on behalf of international cooperation…” Three meetings followed the Madrid meeting and at a final meeting held in 2006 and essentially concluded that member states of the Organization of American States would adapt the Council of Europe Convention on Cybercrime, Moreover, they would be required to accede to the UN Resolution 55.
63/2000 particularly in respect of information sharing among nations. The Asia Pacific Economic Cooperation Like the Organization of American States, the Asia Pacific Economic Cooperation met in 2002 for the express purpose of engaging in a campaign for the enactment of anti-crime laws that were consistent with the UN’s Resolution 55/63/2000 mandate and the guidelines set forth by the Europe Convention on Cybercrime.
Several meetings followed and by November 2005 the Organization of American States made a final commitment which reads in part as follows: “Encourage all economies to study the Convention on Cybercrime (2001) and endeavour to enact a comprehensive set of laws relating to cybersecurity and cybercrime that are consistent with international legal instruments, including United Nations General Assembly Resolution 55/63 (2000) and the Convention on Cybercrime (2001). ” The Association of Southeast Asian Nations
The Association of Southeast Asian Nations set up a Ministerial Meeting on Transnational Crime and in a statement made by that Ministerial group in Bangkok on January 8, 2004 cybercrime was acknowledged together with a need to come together on some common ground with a view to regulating and controlling it. Previously in 2003 a treaty with China and the Association of Southeast Asian Nations entitled “A Plan of Action to Implement the Joint Declaration on ASEAN-China Strategic Partnership for Peace and Prosperity” was signed in Bali, Indonesia. The ASEAN-China treaty pledged the following:
“Formulate cooperative and emergency response procedures for purposes of maintaining and enhancing cybersecurity, and preventing and combating cybercrime. ” In July 2006, the Association of Southeast Asian Nations Regional Forum noted that anti-cybercrime legislation needed immediate attention as a result of a rapidly growing global fear of terrorism and cyber attacks in general. As a result member states were urged to implement anti-cyber laws consistent with existing “international instruments” and they were also required to adapt the recommendations set forth in the UN’s Resolution 55/63/2000.
Interpol Interpol has been actively fighting all levels of information technology crime including cybercrime for a number of years by organizing groups of experts in the field called “regional working parties. ” The regional working parties consist of computer crime unit experts and are deployed in the Americas, Europe, Asia and Africa. The European Working Party branch of Interpol was formed in 1990 and consists of representatives from a number of European states. The party meets three times a year and reviews information about information technology and related crimes.
There are several projects under this party that are ongoing among them are current and potential criminal activity and the means for investigating and detecting those crimes. Interpol also uses the information gathered for the purpose of preparing effective manuals on investigative techniques. The African Regional Working Party is currently headed by a member of the South African Police Services’ Cybercrime Unit. The chairman is assisted by a representative from Kenya and a representative from Tanzania and a technical advisor from the University of South Africa.
They have generally agreed to work closely with other Interpol groups in the sharing of information and the investigation of cybercrime. Regional Working Parties in the remaining areas are broadly similar to those found in Africa and Europe with a singular goal of enhancing cross-border co-operation between law enforcement officials. Recommendations As it is the Europe Convention on Cybercrime 2001 is the only international treaty of its kind on anti-cybercrime laws.
Advocates in favor of the convention argue that it is an effective means of deterrence since it obviously sends message to cybercriminals that they do not enjoy impunity. They also argue that the convention significantly increased the number of countries in which offenders can be detected and prosecuted. It is certainly true that while many countries have not adapted the convention they have implemented national laws similar to it and therefore it is fair to state that international co-operation has had the consequence of improving anti-cyber crime laws globally.
However, it goes without saying that if there is going to be optimal cooperation more nations are going to have to indorse either directly or indirectly the substantive and procedural legal guidelines set forth in the convention. It appears that those states subscribing to the convention are not in and of themselves problem states since: “Hackers frequently route cyber attacks through portals in Yemen or North Korea, neither of which are part of the convention. ”
The best way to combat cybercrime on an international level with a view to capturing offenders in non convention or non complying nations is by the passage of an international law that binds all sovereign nations. In order to maintain public trust and confidence in such a powerful instrument it would be necessary to limit this international instrument to serious cybercrimes such as acts of terrorism which could have the potential for prosecution under the International Criminal Court. In order for treaties like the Europe Convention on Cybercrime 2001work at an optimal level of effectiveness the private sector should become involved.
As Jody Westby notes: “When private and public sectors share and coordinate information relating to such crimes, they can each better understand how to respond and mitigate their impact. ” This method of information sharing is a means of broadening security measures. Moreover, private organizations will serve as a deterrent principle once cybercriminals are aware that they are at risk of being exposed by private members as well as public authorities. Westby explains that: “Neither government nor the private sector can address these problems standing alone.
Governments cannot solve the complex and multilayered problem of cyber security and critical infrastructure protection without the assistance of private organizations. ” Private organizations do play a vital role in the detection and stifling of cybercrime activity. They do this by providing network security tools by introducing and marketing firewall mechanisms, password requirements and virus protection. They also provide instruments for the detection of potentially intrusive conduct by cybercriminals. By using these monitoring devices private organizations and individual users have the advantage of heightening security.
The difficulty with private sector and individual monitoring is that there is very little effort to report these security breaches to the authorities. In order for the private sector to assist public enforcement reporting these suspicious security breaches will necessarily have to be reported. This is where information sharing will achieve its optimal goal of detecting, investigating and prosecuting cybercriminals. Richard Stiennon, Chief Research Analyst at Harvest’s IT said in Network World suggests that the individual can play a part in controlling cybercrime as well.
He notes that there are far too many persons subscribing to fake messages and “tricky URL obfuscation, and elaborately crafted Web sites. ” If the individual used more caution this kind of cybercrime would not be as successful and as a result would taper off. Stiennon submits that individual caution will go a long way provided private organizations improve and increase efforts and funding to study and research effective means of securing data and computers against the risk of cybercrime contamination.
This kind of effort would assist the individual by improving means by which tricky electronic messages and web pages can be identified. Apart from encouraging private sector participation by way of information sharing and self protective awareness the harmonizing of national laws as encouraged by the United Nations and the European Convention are the best means of regulating and controlling cybercrimes on an international level. It might not be possible to obtain the cooperation of all countries but it will serve to notify cybercriminals that the chances of escaping detection and prosecution are growing slimmer.
The effectiveness of wide scale international cooperation was manifested in the recent arrest of a Ukrainian national in Turkey who was suspected of a cybercrime in respect of an American business. Maksym Yastremskiy, a Ukrainian national was suspected of theft of customer records from TJX, a US retailer. John Dunn reports that: “The TJX breach compromised the customer records of 45. 7 million people, and is believed to have happened through the hacking of open wireless routers at subsidiaries of the company. ”
This particular case indicates that the net is widening under the auspices of co-operation among authorities on an international level. In another case, the US Department of Justice reported success in a joint investigation between Chinese and US law enforcement authorities in both countries. In an operation knows as “summer solstice” which commenced in 2005 ended in the arrest of at least twenty-five persons and “the search of multiple businesses and residential locations” in China. In the United States, the FBI executed at least 24 search and seizure warrants.
The summer solstice was described by the FBI as an operation which: “…encompasses multiple investigations currently being conducted by the FBI in Los Angeles and the MPS, Economic Crime Investigation Department (ECID), in which criminal organizations responsible for manufacturing and distributing counterfeit software have been identified in both Shanghai and Shenzhen; as were distributors located in the United States. ” The facts reveal that one of the groups was an organization doing business as Ma Ke Pei, a Shanghai based company was distributing counterfeit Microsoft software to US customers.
In 2003 Ma Ke Pei was indicted in New York for this conduct and fled the jurisdiction. Ma Ke Pei later materialized in China where its counterfeit sales continued on an international level. When the Chinese Ministry of Public Security commenced investigations they received information and assistance from the US FBI. As a result of this cooperative investigation the counterfeit material was seized and the suspects arrested notwithstanding the global implications and jurisdictional disparities.
Margaret Killerby, Head of Department of Crime of Problems, DGI, Council of Europe pointed out the combined efforts necessary for the control and regulation of cybercrime as a means of improving the current global efforts. Her suggestions point to global participation beginning with the individual and ending with government involvement and cooperation at all levels. Killerby notes that prevention is ideal but cannot be successful without some means of promoting individual awareness of the scope and means of cybercrime.
In other words a knowledgeable individual is an armed individual. With the requisite knowledge, individuals should be encouraged to work closer with law enforcement. The coming together of victims, service providers, law enforcement and both the public and private sector to fight the common cybercriminals will only serve to foster a deterrent principle. The Internet Corporation for Assigned Names and Numbers (ICANN) which coordinates global internet connections can only go so far with the identification of online criminal conduct.
In an effort to heighten security stakeholders of ICANN meet annually. However, with users cooperation, ICANN can work more effectively to provide security and anti-cybercrime policies. Quite obviously ensuring minimum standards of law on an international level together with national cooperation is the only method that will work to contain cybercrime. The knowledge that there are very few safe havens in a legal and social sense is an ideal means of detecting, investigating and prosecuting cybercrime.
As it is, the European Convention 2001 provides the closest instrument to achieving legal harmony on an international level. All that is left is for national governments to educate the public and encourage individual and private sector participation. Conclusion In an age of information technology the risk of cybercrime is heightened with the increase of globalization. Cybercrime is a criminal activity that crosses borders. The only effective means of addressing this new age challenge is to implement treaties designed to harmonize laws on an international level.
This is exactly what the European Convention on Cybercrime attempts to do. While it compromises some measure of sovereignty and individual privacy, these losses are offset by the huge financial losses incurred on wide scale levels as a result of cybercrime. Cybercriminals function primarily because they have safe havens from which to escape liability. It therefore makes sense that a legal framework for the harmonizing of anti-cybercrime laws is the best method for the reduction and control of cybercrime on a global level.
Moreover, coordinated efforts such as those manifested in the joint investigation between Chinese and American officials would not have been possible if both sides of the border did not have similar laws which both define the substantive and procedural laws for the investigation and prosecution of suspected cybercrime. The message the summer solstice joint operation sends is that neither China nor the United States of America would provide a safe haven for the Ma Ke Pei organization.
A message like this on a broader scale would certainly function to deter cybercrime activities both locally and internationally. Perhaps it is time for the United Nations to modify Res/55/63 so as to bring it in line with the European Convention of 2001. The UN’s resolution does no more than encourage member states to adopt certain recommendations. In order to be effective the UN should set out clear guidelines for the enactment of procedural and substantive anti-cybercrime laws in as much detail as the European Convention of 2001.
Moreover it should be mandatory for all Member States to ratify the new and improved resolution. This kind of binding resolution has the capacity to encapsulated problem states that are not members of the European Council and have no duty to subscribe to its convention. Works Cited Web Resources Akdeniz, Yaman, Dr. (2006) An Advocacy Handbook For Non Governmental Organizations: The Council of Europe’s Cyber-crime Convention 2001. http://www. shadowmonkey. net/images/stori