Veera Si. Annan
The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or just the Budapest Convention, is the first international treaty seeking to address Computer crime and Internet crimes by harmonizing national laws, improving investigative techniques and increasing cooperation among nations. It was drawn up by the Council of Europe in Strasbourg with the active participation of the Council of Europe’s observer states Canada, Japan and China.
The Convention and its Explanatory Report was adopted by the Committee of Ministers of the Council of Europe at its 109th Session on 8 November 2001. It was opened for signature in Budapest, on 23 November 2001 and it entered into force on 1 July 2004. As of 28 October 2010, 30 states had signed, ratified and acceded to the convention, while a further 16 states had signed the convention but not ratified it.
On 1 March 2006 the Additional Protocol to the Convention on Cybercrime came into force. Those States that have ratified the additional protocol are requited to criminalize the dissemination of racist and xenophobic material through computer systems, as well as of racist and xenophobic-motivated threats and insults.
The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and Lawful interception.
Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.
The Convention aims principally at:
- harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime
- providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form
- setting up a fast and effective regime of international co-operation.
The following offences are defined by the Convention: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights.
It also sets out such procedural law issues as expedited preservation of stored data, expedited preservation and partial disclosure of traffic data, production order, search and seizure of computer data, real-time collection of traffic data, and interception of content data. In addition, the Convention contains a provision on a specific type of transborder access to stored computer data which does not require mutual assistance (with consent or where publicly available) and provides for the setting up of a 24/7 network for ensuring speedy assistance among the Signatory Parties.
The Convention is the product of four years of work by European and international experts. It has been supplemented by an Additional Protocol making any publication of racist and xenophobic propaganda via computer networks a criminal offence. Currently, cyber terrorism is also studied in the framework of the Convention.
Accession by the USA
Its ratification by the United States Senate in August 2006 was both praised and condemned. The U.S. became the 16th nation to ratify the convention. Forty-three nations have signed the treaty. The Convention entered into force in the USA on January 1, 2007.
“While balancing civil liberty and privacy concerns, this treaty encourages the sharing of critical electronic evidence among foreign countries so that law enforcement can more effectively investigate and combat these crimes,” said Senate Majority Leader Bill Frist.
“The Convention includes a list of crimes that each signatory state must transpose into their own law. It requires the criminalization of such activities as hacking (including the production, sale, or distribution of hacking tools) and offenses relating to child pornography, and expands criminal liability for intellectual property violations. It also requires each signatory state to implement certain procedural mechanisms within their laws. For example, law enforcement authorities must be granted the power to compel an Internet Service Provider to monitor a person’s activities online in real time. Finally, the Convention requires signatory states to provide international cooperation to the widest extent possible for investigations and proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense. Law enforcement agencies will have to assist police from other participating countries to cooperate with their mutual assistance requests.”
Although a common legal framework would eliminate jurisdictional hurdles to facilitate the law enforcement of borderless cyber crimes, a complete realization of a common legal framework may not be possible. Transposing Convention provisions into domestic law is difficult especially if it requires the incorporation of substantive expansions that run counter to constitutional principles. For instance, the U.S. may not be able to criminalize all the offenses relating to child pornography that are stated in the Convention, specifically the ban on virtual child pornography, because of its First Amendment free speech principles. Under Article 9(2)(c) of the Convention, a ban on child pornography includes any “realistic images representing a minor engaged in sexually explicit conduct.” According to the Convention, the U.S. would have to adopt this ban on virtual child pornography as well, however, the U.S. Supreme Court, in Ashcroft v. Free Speech Coalition, struck down as unconstitutional a provision of the CPPA that prohibited “any visual depiction” that “is, or appears to be, of a minor engaging in sexually explicit conduct.” In response to the rejection, the U.S. Congress enacted the PROTECT Act to amend the provision, limiting the ban to any visual depiction “that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct.” 18 U.S.C
The United States will not become a Party to the Additional Protocol to the Convention on Cybercrime.
Ten Years On: The Budapest Convention – A Common Force against Cybercrime
The 10th anniversary of the Budapest Convention received special attention last week at the Octopus Conference (21 – 23 November), part of the Council of Europe’s Global Project on Cybercrime.
After ten years the Budapest Convention remains the only accepted international text on how to “protect against and control online crime while at the same time respecting human rights”, the Secretary General, Thorbjørn Jagland emphasized in his concluding speech at the close of the Strasbourg held three-day Octopus Conference.
The overall consensus of the conference was that despite some criticism of the Convention it provides the only effective and practical tool to fight global on-line crime.
In its new role as Chair of the Council of Europe, the UK representative, Parliamentary Under-Secretary for Crime and Security, James Brokenshire, took the opportunity to outline the continued support that the UK intends to give to the Budapest Convention as “the most important international agreement on cyber crime.” UK support is evidenced in the UK Cyber Security Strategy, released on Friday, where it commits to using its chairmanship to encourage a wider adoption of the Budapest Convention. A key element of the UK plan will be to enable ‘compatible frameworks of law and effective cross-border law enforcement to deny safe havens to cybercriminals.’ The UK plans to achieve this by: promoting greater levels of international cooperation; by sharing understanding on cyber crime as begun ‘by the London Conference on Cyberspace’; by promoting the Council of Europe’s Convention on Cyber crime (the Budapest Convention); and by building on the new EU Directive on attacks on information systems. There is also a further commitment to contributing to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security.
At the close of the Conference, Mr Brokenshire admitted that the London conference had raised questions about some parts of the Convention’s articles, although he repeated the view of William Hague, UK Foreign Secretary, that there was ‘no appetite’ for an alternative Convention. Brokenshire paid tribute to the Convention’s “great achievement” and to those who developed it. As well he emphasized the effectiveness of the Convention during an era of great technical change and of the need to ensure that it stays relevant which will require all parties to “develop additional protocols and other changes as the need arises.”
Ahead of Australia joining the other 32 parties of the Convention, Australian Attorney General, Robert McClelland, spoke of the ‘duality of modernity’ that Internet connectivity has brought where the positives are tempered by the darker side of the human condition, as evidenced in crimes and exploitation. Major cyber intrusions, McClelland said, is costing Australian organizations “an average of $2 million per incident” and more than a billion dollars a year to the Australian economy. This requires a global response, McCelland emphasized.
The Attorney General praised too the drafters of the Convention and their ‘remarkable’ foresight adding that any suggestion that it (the Convention) is ‘out of date’ was unfounded. McClelland gave examples of the practical approach offered by the Convention and the reason why it remains the world’s leading international legal tool in combating cybercrime. For example; Article 24 requires parties to provide real time assistance to one another; Article 35 requires that assistance be made available on a 24 hour 7 day a week basis facilitated through a central contact point; that parties ensure that their law enforcement responders are properly trained and equipped and that parties have an obligation to provide appropriate technical assistance to others.
McCelland noted that a further two dozen countries will soon be joining the Convention and called for all to “rise to the challenge to ensure that Governments, businesses and individuals realize the full benefits of cyberspace” whilst also ensuring that current and emerging risks are managed.
The Deputy Secretary General of the Council of Europe, Maud de Boer-Buquicchio, acknowledged that there were challenges ahead for all members, although there was reason for optimism, and summed up the magic formula in one word: CO-OPERATE. Challenges include the need for:
- More engagement from political decision-makers in the co-operation against cybercrime.
- More co-operation with and between countries from all regions of the world.
- A stronger public-private co-operation against cybercrime.
- A stronger co-operation between international organizations.
- More technical co-operation to assist countries worldwide in the implementation of the Budapest Convention and related tools and good practices.
Ms de Boer-Buquicchio further emphasized that the Budapest Convention is not a static treaty and allows for an effective response to new challenges, for example, the problems of jurisdiction and law enforcement as posed by cloud computing. One thing is certain, The Deputy Secretary General stated, the Budapest Convention is the “best tool that exists to effectively fight crime on-line.”
In summing up Secretary General, Thorbjørn Jagland, used recent events in his home country, Norway, to highlight the threat that online criminality poses. Norwegian key defense and energy companies have found themselves the target of recent and ongoing attacks illustrating that the need for global cooperation has never been greater. The Secretary General iterated the commitment of the Council of Europe to enhancing cooperation and in furthering the Budapest Convention as a “treaty with global impact.”
“Together, we can take pride in the results,” Jagland said:
“The convention has proven to work. Thanks to it, there has been a broad harmonization of cybercrime legislation. Not only in Europe but worldwide. In addition, offences such as illegal access to computer data or illegal interception of computer data or computer-related forgery or fraud, have been criminalized.”
By way of caution, Jagland reminded delagates that technology and, with it, the techniques used by cybercriminals evolve much faster than legal responses and although the Budapest Convention is certainly not a static treaty no one can claim to have “all the answers to all the emerging challenges.” The multistakeholder approach has its part to play as does the need to look for “complementarity rather than duplication.”
Jagland concluded, “The Budapest Convention is the international community’s most forceful and agreed upon response. It serves as a common ground for international co-operation and partnerships and has the interest of you and me in mind: to protect our rights in cyberspace!”
Dream Dare Win