Global Fight Against Cybercrime Undoing the Paralysis Zahid Jamil As the Internet exploded across the globe in the mid-1990s, the Council of Europe was the only intergovernmental treaty organization to recognize that “only a binding international instrument can ensure the necessary efficiency in the fight against [cybercrime]”1 and began the work of drafting a convention as early as 1996 that would “not only deal with criminal substantive law matters, but also with criminal pro– cedural questions as well as with international criminal law procedures and agreements.”2 At the time, the developed countries from across the globe, which possessed the infrastructure and the majority of Internet users, came together out of a common interest to negotiate a draft convention. Four years of negotiations later, in 2001, they finalized the Treaty – the Budapest Convention on Cybercrime (“the Convention”).3 The Convention not only assisted in the convergence, consistency and compatibility of cybercrime legislation between infrastructure countries but also guided developing nations towards best practices in writing their own cybercrime legislation. For instance, in 2002, having drafted and assisted my country, Pakistan, in enacting its Electronic Transactions Ordinance, my government sought my advice

Zahid Jamil is a Senior Partner with the family law firm of Jamil and Jamil. He qualified as a Barrister from Gray’s Inn and is currently practicing law in Pakistan specializing in corporate and commercial law, technology, intellectual property rights, cybercrime and counterterrorism.

[ 1 0 9]

GLOBAL FIGHT AGAINST CYBERCRIME

on cybercrime legislation.4 The only model of effective legislation for international cooperation for combating cybercrime available then and now was the Convention; my advice was to promulgate legislation consistent with the Convention and consider accession. Today, even after ten years, the Convention represents the only international instrument and the best hope for countries to establish common minimum standards of relevant offenses, prevent criminals operating from jurisdictions with lower standards and enable speedy and 24/7 international cooperation between law enforcement. Nonetheless, the continued growing support for the Convention, particularly in developing nations, is by no means assured or inevitable. The Convention faces opposition from certain quarters that traditionally tend to promote a greater role for the regulation of the Internet by UN bodies.5 This article attempts to raise awareness about the challenges faced by those advocating in favor of the Convention in many developing countries, with the hope that a coalition of ‘friends of the convention’ can help reverse the permeating but weak narrative of its opponents, which seems to have embedded itself in the hearts and minds of some developing nation policymakers.

Internet frequently span jurisdictions. Law enforcement investigations and mutual legal assistance, however, are hampered by the inefficiencies underlying conventional international cooperation and mutual legal assistance treaties, not the least of which is the snail’s pace at which such cooperation proceeds, if at all. Consequently, any jurisdiction that does not have legislation equivalent to the Convention’s minimum standards for offences or procedural powers or is not a party to the Convention, may become a safe haven for cybercriminals committing crimes in other jurisdictions. Such jurisdictions connected to the Internet are a threat to the entire international community. Since this global problem cannot be tackled by a regional or fractured patchwork of laws, it requires an international solution and a multilateral approach, which only the Convention currently provides. It is essential that conduct on the Internet criminalized in one jurisdiction be similarly criminalized in other jurisdictions. In order to investigate cybercrime across jurisdictions, law enforcement needs to have the legal and procedural tools to do so; rules for the collection and securing of digital evidence need to be compatible across jurisdictions around an international standard.7 This has been successfully The Case for the Convention. achieved, to a great extent, in infraIn a globally interconnected world, a structure countries. However, in the threat emanating from one part of the developing world the necessary legislaInternet threatens the entire Internet. tion is either not sufficiently consistent It is not enough to rely upon firewalls with this international standard or simand blocking threats, since the Inter- ply does not exist. net’s very architecture is designed to In a sense, the Convention proves overcome obstructions to communi- more valuable in its utility to developing cation.6 Crimes committed over the countries than to infrastructure coun-

[ 1 1 0] Georgetown Journal of International Affairs

JAMIL

tries. Infrastructure countries tend to have trust mechanisms both established (mutual legal assistance) and ad hoc. Cooperation between infrastructure country law enforcement tends to be far more efficient and forthcoming. The most common grievances of developing country law enforcement tend to be that their requests for assistance from infrastructure countries, both law enforcement and the private sector, are rarely readily forthcoming due to the lack of established mutual legal assistance treaties between them and the reluctance on the part of infrastructure country law enforcement to trust developing country law enforcement requests.8

International Engagement on Cyber 2012

economies and infrastructure states. The Convention, therefore, provides the best hope for developing countries for an international mechanism for binding cooperation. Ratification of the Convention ensures that if a country were to “request help from another country, they can be certain that their request can be considered efficiently, and the recipient will have in place the appropriate laws and procedures to assist. This is a significant advantage over a country saying that it has the right legislation, because it means that a country has agreed that not only does it have the right legislation, but that it is equivalent to that for

One of the unique advantages of the Convention is its ability to enable cooperation across borders. This is particularly problematic for developing countries since cooperation in terms of information and evidence for investigation and prosecution from several key cyberspace infrastructure and resources9 is vital. Most developing countries seem to be unanimous in their desire to have law enforcement of other countries and foreign private sector entities such as Google, Yahoo and Facebook provide information and evidence on an expedited basis. One of the unique advantages of the Convention is its ability to enable cooperation across borders. It is the only effective international mechanism in force for ensuring this expeditious exchange of critical information that legally binds members to cooperate, which is in use by a substantial number of major

the requesting country,” as James Brokenshire, the United Kingdom’s Parliamentary Under-Secretary for Crime and Security has explained; this enables law enforcement agencies to efficiently “cooperate with each other to prevent, detect and investigate crime.”10 Although most developed nations have become signatories – just in the last year (2011-2012) Belgium, Austria, Japan, Georgia, Malta, Switzerland and the U.K. have ratified bringing total ratifications to thirty-seven in addition to numerous nations having requested accession pending completion of internal procedures – this is not enough. The developed world remains exposed to threats from developing countries where the Convention is being lobbied against. Conversely, developing

[111]

GLOBAL FIGHT AGAINST CYBERCRIME

countries grow vulnerable as a result of recent economic (outsourcing, e-payments) and social (social networks) progress. The rest of the world needs to be brought on board.

The Problem: Opposition to the Convention. Most countries

and organizations are working towards genuine international cooperation in support of the Convention. However, a handful of nations11,12 are spearheading efforts to limit support for the Convention. Since these nations are active members of various international organizations,13 it is perhaps not surprising that these organizations may be seen lobbying their political views.14 These nations have intensively been promoting what may be described as myths about the Convention and diverting energies of many nations to support an alternative cybercrime treaty under the aegis of the UN.15 These efforts have consisted of well-organised and well-resourced opposition in partnership with ministries of certain develop-

As a result, many developing country governments find it an internal challenge to take a decision with respect to the Convention, giving cybercriminals more time to act with impunity while the developing world waits for the dust to settle on the divisive politics energized by the opposition. At regional workshops for developing countries and international forums organized by such international organizations, the narrative tends to focus on presenting arguments largely based on myths against the Convention,18 as opposed to its benefits to cybersecurity, global trade and prosperity. These forums tend to be weak on substance or solutions and strong on the promotion of political arguments for an alternative UN treaty or the development of new regionally focused model legislations inconsistent with the Convention. The forums thus promote divergence, inconsistency and incompatibility between regions and across the globe. Developing countries and small developing states across the Pacific19 in

Many developing countries find it an internal

challenge to take a decision with respect to the Convention, giving cybercriminals more time to act. ing countries responsible for Foreign Affairs, Information Technology and Telecommunications (interestingly not Ministries of Interior or Justice16). The opposition to the Convention argues that developing countries should wait until a new UN Treaty on Cybercrime/ Cybersecurity.17 Any such agreement is likely to take years and will likely be a less effective version of the Convention.

[ 1 1 2 ] Georgetown Journal of International Affairs

regional workshops20 appear to have been discouraged from acceding to the Convention or using it as model legislation and have instead been motivated towards a UN Treaty or new regional model laws. Similarly, various representatives of IT and Foreign Ministries of my country were dissuaded from the Convention by myth-building at a regional workshop organized by an

JAMIL

international organization21 and subsequently at the UN 12th Crime Congress in 2010.22 This is just one of several examples where efforts towards the Convention were thwarted by the opposition. Such developing countries often walk away opposed to the Convention, overwhelmed by the politics, and thinking it best to avoid entirely; they leave with confusing and mixed messages and a general aversion to the Convention that then translates into a lack of momentum towards converged legislation and accession, slowing the development of an effective global response to cybercrime. An example of mixed messages is the ITU Project,23 which spearheads most of the aforementioned lobbying efforts away from the Convention, contrary to its donors’ (EU) policy. The project promotes regionally based cybercrime model laws24 with differing provisions and definitions. This patchwork approach of regional cybercrime models mandates into law technology specific, frequently unclear, or technically incorrect definitions and overreaching provisions related to “search engines,” “hyperlink providers” and “caching providers,” “access provider,” “hosting provider.” It notably fails to provide either adequate or any provisions for mutual legal assistance or international cooperation25 and also criminalizes “religious acts” which may include blasphemy.26 These programs have done much to dispel developing countries’ interest in the Convention. The Project incorrectly projects a perception that the European Commission looks favorably upon this divergence from the Convention, driving recipient

International Engagement on Cyber 2012

developing countries further away from the Convention. Similarly, the Commonwealth Cybercrime Initiative, initiated by donors27 favoring convergence, compatibility and consistency around the Convention,28 has witnessed ITU (for the moment) take a lead role in projects; the Initiative has diluted its literature and redefined itself as calling itself “neutral” and “agnostic” towards the Convention. Even some countries, such as Singapore, that traditionally may have been expected to partner with infrastructure countries appear reluctant to demonstrate all out support. This is despite Singapore’s cybercrime legislation being consistent with the Convention and its hosting of the Interpol cybercrime and digital security complex in 2014.29

Myth Busting. A key challenge to

advocates of the Convention are the myths spread about the Convention by opponents and proxy international organizations. These arguments span three broad categories: labeling the Convention as a regional instrument; developing countries’ non-participation during its drafting; and the allegation of it being out-datedness, technology non-specific, and non-prescriptive. With respect to labeling the Convention as regional,30 the fact is that members of the Convention include nations from North America, the majority of Europe including the U.K., France and Germany, Japan, and South Africa,31 with numerous others requesting accession.32 To refer to a Convention that includes the whole of North Amer-

[ 1 1 3]

GLOBAL FIGHT AGAINST CYBERCRIME

ica, Europe, soon Australia33 and parts of Africa, South America and Asia with thirty-seven nations having ratified and eighteen others signed on or having been invited to accede as regional is factually incorrect. Moreover, it detracts from the central benefit of the treaty, namely that developed ‘infrastructure nations’ are members, i.e, that it binds developed nations to cooperate with developing nations. This falsity directly undermines the Convention. Opponents also criticize the fact that developing nations did not participate in the drafting process.34 This is meant to create an ‘us against them’ dynamic between developing and developed nations. However, the Internet and its

more beneficial as opposed to the politics, prejudice, and strategic interests of others. Another criticism is that the convention is outdated and does not take into account new threats.37 It is argued that the Convention does not specifically mention interception of VoIP (voice over Internet protocol, i.e., Skype). This argument fails to take into account Article 21 on the “Interception of content data”38 which enables real-time collection and recording of any type of content data, which includes VoIP data. The argument turns an advantage of the Convention on its head and favors technology specific and prescriptive provisions such as VoIP. Such a detailed

The Convention also only establishes a

minimum standard of crimalized behavior internationally. threats are identical for users in developed and developing countries. The tools, both technical and legal, required to investigate and prosecute cybercrime are the same for a developed as well as a developing nation. Unlike today, in 2001 most developing countries did not view Cyber as a priority. Moreover, many treaties, including ones dealing with technical issues, led and drafted by mostly developed nations were acceded to later by others: The Paris Convention of 1919 which established the International Commission for Air Navigation35 or the Hague Rules 1924 and Hague-Visby Rules 1968 for Carriage of Goods by Sea.36 For developing countries, an analysis on merits, utility and their own national interest proves

[ 1 1 4 ] Georgetown Journal of International Affairs

prescriptive approach would limit the ability of nations to adapt to changing technologies in the future; limit their flexibility in drafting their own laws for implementation; and demonstrate a lack of respect for the sovereignty and jurisprudence of nations that might join in the future.39 The Convention also only establishes a minimum standard of criminalized behavior internationally. It in no way impedes the ability of nations to establish offences that go beyond this threshold. Another criticism is that the Convention does not address botnets or phishing.40 Botnet attacks consist of illegally accessing a computer through the use of malware, usually for the purposes of interception, data interference and

JAMIL

International Engagement on Cyber 2012

system interference. The Convention criminalizes and establishes offences against illegal access (Article 2), illegal interception (Article 3), data interference (Article 4), system interference (Article 5) and the misuse of programs (Article 6). Phishing is generally the sending of an email with a false reply-address and false header information, impersonating another person or organization to fraudulently obtain personal information from a victim followed by the theft of the funds and causing of economic loss. The Convention’s provisions on computer-related forgery (Article 7) and computer-related fraud (Article 8) apply to phishing. That most subsequent attempts to draft legislations, model laws, regional treaties or legislative guides have used the Convention as a base document41 along with the technology non-specific definitions of its offences, speaks volumes about the enduring value of the Convention.

it the “world’s leading international legal tool to combat cybercrime”, referring to it as “effective” and attributing “foresight” to its drafter and even stating that “any suggestion that [the Convention] is out of date” as “totally without foundation”45 and has recently passed legislation designed to enable accession to the Convention.46 Several developing countries have been helpful in speaking out in support of the Convention, such as Costa Rica, when it passed its recent cybercrime law consistent with the Convention47 and Sri Lanka, when it declared it “would soon become a signatory,”48 and that their “legislation provides adequate checks and balances, consistent with the Budapest Convention,” whilst thanking “the Council of Europe for getting us on these international lines.”49 More of such efforts with and statements from developing countries would be useful. These views are unfortunately rarely communicated effectively enough to developing countries. It is therefore imperative that ‘friends of the convenSolutions. First and foremost, the tion’ expand and improve their mythConvention’s supporters should make busting efforts and conduct greater its adoption a policy priority, ensur- outreach with developing countries ing that all funded projects and policy through unambiguous and vigorous statements unambiguously support and support of developed country governadvocate for ratification in the public ments and international donor agendiscourse. Recent steps in this direc- cies with the assistance of partners and tion include the United States’ Inter- friends of the Convention through a national Strategy for Cyberspace42, large body of experts enlisted in the the United Kingdom’s Cyber Secu- advocacy efforts ranging from practirity Strategy43, and various statements tioners, academics, the technical comby member states of the Convention munity and the private sector from the upon its tenth anniversary in 2011. In developed as well as developing world. response to criticism, the British govCountries can support these efforts ernment has said “there was no appetite by taking their international cyber for an alternative Convention”44, whilst security strategies and implementing the Australian Government, has called them through various policy directives.

[ 1 1 5]

GLOBAL FIGHT AGAINST CYBERCRIME

Possible ways of doing this include: tasking economic officers at embassies with the advocacy of accession to the Convention as part of foreign policy, having Ministries of Interior or Justice more engaged in international processes by having their representatives, rather than representatives from IT or Foreign Affairs, participate in international cybercrime forums, workshops and negotiations, as they are the ones with the responsibility for handling cybercrime; or treating the accession to the Convention as a metric when measuring a country’s status and progress towards cybersecurity.50 In the case of the United States, this could be treated

as criterion in the United States Trade Representative’s Annual Special 301 Report on Intellectual Property.51 The debate about cybercrime needs to consist of practical cooperation in areas where the Convention can be of greatest value, not of political posturing. Only a collaborative effort can provide an effective international strategy towards combating cybercrime. This will not just be of benefit to the developing countries but will benefit the developed world and the global economy, rooting out cybercrime havens and securing the Internet.

NOTES

1 Council of Europe, “Convention on Cybercrime,” Internet, http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm, paragraph 9 (date accessed: 30 September 2012). 2 Ibid, paragraph 10. 3 Council of Europe, “Convention on Cybercrime – What Do You Want to Know?” Internet, http:// conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG (date accessed: 30 September 2012). 4 Based upon the UN Commission on International Trade Law (UNCITRAL) model law, http:// unpan1.un.org/intradoc/groups/public/documents/ apcity/unpan010245.pdf (date accessed: 30 September 2012). The Electronic Transactions Ordinance is the bedrock of everything cyber in Pakistan and overnight it gave recognition to electronic documents, signatures and records and provided the principles of evidential admissibility both in civil as well as criminal cases. 5 International Telecommunications Union (ITU) and UN Treaties, promoted by Russia, China, Iran, see L. Gordon Crovitz, “The U.N.’s Internet Power Grab,” Wall Street Journal, 17 June 2012 and Nina Easton, “Where’s the outcry on the U.N. push to regulate the Internet?” CNNMoney.com, 30 May 2012, http://tech.fortune.cnn.com/2012/05/30/unitednations-internet-regulation/ (date accessed: 30 September 2012). 6 A globally interconnected network without a single point of failure where data packets would find a route to their destination even if they came across an obstruction or had to use alternative routes to reach their destination.

[ 1 1 6 ] Georgetown Journal of International Affairs

7 Currently, the Convention is the only binding international treaty and therefore serves as the standard agreed upon by sovereign states under international law. 8 Law enforcement of developed countries hesitates to comply with these requests because of issues such as the authenticity of the requests from developing country law enforcement, their compliance with human rights and civil liberty requirements, and their susceptibility to corrupt practices and abuse of process due to weak governance. 9 Evidence from vital platforms such as social networks, search engines, Web mail services, ISPs, etc. tends to concentrate in infrastructure countries. 10 James Brokenshire, “Speech delivered at the 10th anniversary of the Budapest Convention, Council of Europe, Strasbourg,” Internet, http://ukcoe. fco.gov.uk/resources/en/22792210/pdf-brokenshire (date accessed: 30 September 2012) 11 Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cooperation against Cybercrime,” (presentation at Octopus Conference, June 6-8 2012), Internet, http://www.coe.int/t/DGHL/ cooperation/economiccrime/cybercrime/cy_Octopus2012/presentations/Conclusions_E_Chernukhinpresentation-2012%20Octopus.pdf (date accessed: 30 September 2012). 12 “Is Convention enough to respond effectively to the new dynamic challenges in the computer sphere? NO” [slide 19] “Convention on Cybercrime does not provide any systematic response to the new trends of cybercrime” [slide 20] “….encourage the international community to establish a comprehen-

JAMIL

sive international legal instrument …..” [slide 22] “possible structure of the UN Convention on cybercrime..” [slide 23-28], from Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cybercrime: New Threat and Global Response,” presentation at Octopus Conference, 6-8 June 2012, Internet, http://www.unodc.org/documents/treaties/ organized_crime/EGM_cybercrime_2011/Presentations/Russia_1_Cybercrime_EGMJan2011.pdf (date accessed: 30 September 2012); see also, Sixth Annual Meeting of the Internet Governance Forum, “Main Session - Security, Openness and Privacy,” transcript, 29 September 2011, Nairobi, Kenya, Internet, http://www.intgovforum.org/cms/component/ content/article/108-transcripts/862-main-sessionsecuirt-openness-and-privacy (date accessed: 1 October 2012), especially: “I am from Ministry of Foreign Affairs of China.... In September 12, China, Russia, Tajikistan and Uzbekistan sponsored a code of behavior on the cybersecurity to the General Assembly as an official document to be circulated among the General Assembly....We call upon countries to discuss this question under the framework of United Nations.... China and Russia, in response to this kind of call, have tabled this motion to the General Assembly to provide business to take this kind of action. However, United Nations as a universal organization is the best forum to come to consensus on these kind of code of behavior. Including ITU and other international organizations, we have already reached some consensus which has already been reflected in these documents....This is a formal document that doesn’t have any binding effect on any country. We call upon all countries to join this motion voluntarily.”; see also especially response of Zahid Jamil in transcript further below; see also, Internet Governance Forum 2, “Security Session,” transcript, 14 November 2007, Rio de Janeiro, Brazil, Internet, http://intgovforum.org/cms/Rio_Meeting/IGF2-Security-14NOV07.txt (date accessed: 1 October 2012), especially: “I am Elena Batueva from the Ministry of External Relations of the Russian Federation...The importance of this international security was confirmed in the 62nd session of the general assembly when there was a unanimous vote on a proposal by Russia as to how to have security for information at international level. And this confirms that international security and Internet security, which is a very important part of it, they have a technical aspect and a political and military aspect. The whole thing has to be considered en bloc...The preparation of an international approach in the field of security for information will allow us to simplify the work of international organisms that don’t exist right now and should exist. And there should be international agreements on the subject…”; see also, “Conflict over proposed United Nations cybercrime treaty,” ComputerWeekly.com, 15 April 2010, Internet, http://www. computerweekly.com/news/1280092581/Conflictover-proposed-United-Nations-cybercrime-treaty

International Engagement on Cyber 2012 (date accessed: 1 October 2012). 13 In particular the ITU and the UNODC, supra notes 10 and 11. 14 Marco Gercke, International Telecommunication Union, “Understanding Cybercrime: A Guide for Developing Countries,” Internet, http://www. itu.int/ITU-D/cyb/cybersecurity/docs/ITU_Guide_ A5_14092011_rev.pdf (date accessed: 30 September 2012). 15 Twelfth United Nations Congress on Crime Prevention and Criminal Justice, “Cyberspace Treaty – A United Nations Treaty or Protocol on Cybersecurity and Cybercrime,” Internet, http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress. pdf (date accessed: 30 September 2012); “….examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime.”; Twelfth United Nations Congress on Crime Prevention and Criminal Justice, Salvador, Brazil, 12-19 April 2010, “Salvador Declaration,” esp. paragraph 42, http://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/Salvador_Declaration/Salvador_Declaration_E. pdf (date accessed: 30 September 2012); the UNDOC study as a precursor for “development of an international instrument” see: United Nations Office on Drugs and Crime, Organized Crime & Illicit Trafficking Branch, Division of Treaty Affairs, “UNODC & the Global Response to Cybercrime,” esp. Slide 12, PowerPoint Presentation, Internet, http://www.itu. int/ITU-D/arb/ARO/2011/CyberSecurityForum-Eg/ Docs/Doc2-UNODC.ppt (date accessed: 1 October 2012). 16 This is despite Interior and Justice Ministries being the ones with the relevant expertise and responsibility for investigation and prosecution with established cross border cooperation mechanisms, mutual legal assistance and extradition. 17 Ministry of Foreign Affairs of the People’s Republic of China, “China, Russia and Other Countries Submit the Document of International Code of Conduct for Information Security to the United Nations,” 13 September 2011, Internet, http://www. fmprc.gov.cn/eng/zxxx/t858978.htm (date accessed: 1 October 2012). 18 UN Office on Drugs and Crime (UNODC), “An International Treaty on Cybercrime?”, PowerPoint presentation, September 2011, http://www. itu.int/ITU-D/asp/CMS/Events/2011/CyberCrime/ S5_UNODC.pdf (date accessed: 1 October 2012); a UNODC presentation from May 2012 stated as a goal of the UNODC Cybercrime study that it “will examine options for strengthening existing and proposing new national and international legal or other responses to cybercrime: UNODC, Organized Crime & Illicit Trafficking Branch, “Comprehensive Study on Cybercrime,” PowerPoint presentation, May 2012, http://www.unodc.org/documents/eastasiaandpacific//2012/05/cyber-crime/Bangkok_intro_presentation.pdf (date accessed: 1 October 2012); for infor-

[117]

GLOBAL FIGHT AGAINST CYBERCRIME

mation on UNODC Cybercrime study, see: UNODC, “Regional experts meet to support UNODC global cybercrime study,” 17 May 2012, Internet, http:// www.unodc.org/eastasiaandpacific/en/2012/05/cybercrime-workshop/story.html (date accessed: 1 October 2012); for information on an Asia-Pacific regional workshop, see UNODC East Asia and Pacific, “AsiaPacific acts to counter cybercrime,” 29 September 2011, Internet, http://www.itu.int/ITU-D/asp/CMS/ Events/2011/CyberCrime/index.asp (date accessed: 1 October 2012), esp. “The UN-sponsored conference of prosecutors and information communications technology (ICT) experts called for a strengthened international response to security threats from cyberspace.”; “THE BAD NEWS – Non[sic] of the above listed offences is covered by the “old” regional approaches such as the Budapest Convention on Cybercrime (2001)”, “An Overview of Cybercrime Offences,” PowerPoint presentation at ITU AsiaPacific Regional Workshop on Fighting Cybercrime, 21-23 September 2011, Seoul, South Korea, Internet, http://www.itu.int/ITU-D/asp/CMS/Events/2011/ CyberCrime/S2_Marco_Gercke.pdf (date accessed: 1 October 2012). 19 ITU event for Pacific Islands, ITU, ICB4PAC, 3 March 2011, Vanuatu. “Regional and International Approaches,” esp. slides 16-19, PowerPoint presentation at ITU ICB4PAC 3 March 2011, Internet, http:// www.trr.vu/attachments/article/14/Presentation_3%20 ICB4PAC%20workshop_Vanuatu.pdf (date accessed: 1 October 2012), Presentation concludes with a scathing criticism of the Convention. 20 “THE BAD NEWS – Non[sic] of the above listed offences is covered by the “old” regional approaches such as the Budapest Convention on Cybercrime (2001)”, “An Overview of Cybercrime Offences,” PowerPoint presentation at ITU Asia-Pacific Regional Workshop on Fighting Cybercrime, 21-23 September 2011, Seoul, South Korea, Internet, http://www.itu. int/ITU-D/asp/CMS/Events/2011/CyberCrime/S2_ Marco_Gercke.pdf (date accessed: 1 October 2012). 21 Ibid. 22 Twelfth United Nations Congress on Crime Prevention and Criminal Justice, “Cyberspace Treaty – A United Nations Treaty or Protocol on Cybersecurity and Cybercrime,” Internet, http://www.cybercrimelaw.net/documents/UN_12th_Crime_Congress. pdf (date accessed: 1 October 2012). 23 International Telecommunications Union, “Support for the Establishment of Harmonized Policies for the ICT Market in the ACP,” Internet, http:// www.itu.int/ITU-D/projects/ITU_EC_ACP/index. html (date accessed: 1 October 2012). 24 For examples of regional cybercrime model laws, see: Caribbean - HIPCAR (http://www.itu.int/ ITU-D/projects/ITU_EC_ACP/hipcar/index.html), Sub-Saharan Africa - HIPSSA (http://www.itu.int/ ITU-D/projects/ITU_EC_ACP/hipssa/index.html), Asia Pacific- ICB4PAC (http://www.itu.int/ITUD/projects/ITU_EC_ACP/icb4pis/index.html) (all

[ 1 1 8 ] Georgetown Journal of International Affairs

accessed: 1 October 2012). 25 ITU Telecommunication Development Bureau, “Establishment of Harmonized Policies for the ICT Market in the ACP: Countries Cybercrime/e-Crimes: Model Policy Guidelines and Legislative Texts,” PowerPoint presentation, 2012, Internet, http://www.itu. int/ITU-D/projects/ITU_EC_ACP/hipcar/reports/ wg2/docs/HIPCAR_1-5-B_Model-Policy-Guidelinesand-Legislative-Text_Cybercrime.pdf (date accessed: 1 October 2012). 26 Part II Article 21 simply stating without any definition, explanation or guidance that: “A country may criminalize racial and religious acts committed by using means of electronic systems.” “Pacific Island Regional Model Cybercrime Legislation: Prepared as part of the ITU-EC project on “Capacity Building and ICT policies, Regulations and Legislative Frameworks” for Pacific Islands Countries (ICB4PAC)”. The project is for ACP member countries in the Pacific Islands, with the Assistance of the Pacific ICT Regional Regulatory Center (PIRRC). April 2012 27 UK and Malta, both having ratified and supported the Convention. 28 Note changes in versions of Commonwealth Cybercrime Initiative from 2011, Commonwealth Secretariat, “Commonwealth Cybercrime Initiative Proposal,” Internet, http://www.comnet.org.mt/wpcontent/uploads/2011/07/Cyber-Crime-ProposalVer-6-.pdf (date accessed: 1 October 2012), 10; and from 2012: Lara Pace, Commonwealth Secretariat, “Commonwealth Cybercrime Initiative: Project Description,” August 2012, Internet, http://www. commonwealthigf.org/wp-content/uploads/2012/08/ CCI-Project-Description-August-2012.pdf. 29 Daniella Cheslow, “Interpol Ups the War Against Cyber Crime,” 8 May 2012, Huffington Post, http://www.huffingtonpost.com/2012/05/08/interpol-cyber-crime_n_1499734.html (date accessed: 1 October 2012). 30 “…….regional initiatives, including the Council of Europe Convention on Cybercrime.” in UN General Assembly Resolution 64/211, 17 March 2010, http://daccess-dds-ny.un.org/doc/UNDOC/GEN/ N09/474/49/PDF/N0947449.pdf?OpenElement (date accessed: 1 October 2012), paragraph 13. 31 South Africa participated in the negotiations and signed it. Ratification is still pending. 32 Argentina, Australia, Chile, Costa Rica, Dominican Republic, Mexico, Philippines, and Senegal. 33 Attorney-General for Australia, “New laws in the fight against cyber crime,” 22 August 2012, Internet, http://www.attorneygeneral.gov.au/Media-releases/ Pages/2012/Third%20Quarter/22August2012-Newlawsinthefightagainstcybercrime.aspx (date accessed: 1 October 2012). 34 It is interesting to note that at the time when the negotiations started, about one third of the member states of the Council of Europe member states participating found themselves in the bottom half of UNDP’s

JAMIL

Human Development Index. The member states from Eastern Europe were considered “States in Transition”. For more information, see UN Development Programme, “Human Development Report 1998,” Internet, http://hdr.undp.org/en/media/hdr_1998_ en_indicators1.pdf (date accessed: 1 October 2012). 35 The US invited fifty-five states to attend the International Civil Aviation Conference in November 1944, in Chicago. 54 States attended this Conference. The conference organizer and depository was the US with the seat of ICAO being in Montreal, Canada. For the full treaty text, see: “Convention on International Civil Aviation,” Internet, http://www.icao.int/publications/Documents/7300_orig.pdf (date accessed: 1 October 2012); Russia joined this Convention as late as 1970 and China recognized it in 1974. For a full list of countries and their date of ascension, see: http://www.icao.int/publications/Documents/chicago. pdf (date accessed: 1 October 2012). 36 Notwithstanding its negotiation largely by the UK as a colonial power, developing countries, including those achieving independence from colonial rule, continue to adhere to these Rules now applied by all ocean carriers. The Belgian Government serves to this day as its depository. Russia still does not recognize the Hague nor the Hague-Visby Rules whilst China recognizes both the Hague Rules and Hague Visby Rules. 37 The Chair of the ITU’s High-level Experts Group (HLEG) stated at the UN’s Twelfth Crime Congress that the Convention “is based on cyber conducts in the late 1990s and do not necessary [sic] be suitable for the 2010s.” Stein Schjolberg, “A Cyberspace Treaty – A United Nations Convention on or Protocol on Cybersecurity and Cybercrime – A Background paper,” Twelfth United Nations Congress on Crime Prevention and Criminal Justice, http://www. cybercrimelaw.net/documents/UN_12th_Crime_Congress.pdf (date accessed: 1 October 2012), 3. 38 Convention on Cybercrime (Budapest Convention), Article 21 – Interception of content data 1 Each Party shall adopt such legislative and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, to empower its competent authorities to: a collect or record through the application of technical means on the territory of that Party, and b compel a service provider, within its existing technical capability: i to collect or record through the application of technical means on the territory of that Party, or ii to co-operate and assist the competent authorities in the collection or recording of, content data, in real-time, of specified communications in its territory transmitted by means of a computer system. 39 Ranging from common law, civil law, Nordic to

International Engagement on Cyber 2012 Asian, Islamic and indigenous legal traditions, 40 A mainstay of the Russian Federation’s argument against the Convention. For further information, see: Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cybercrime: New Threat and Global Response,” presentation at Octopus Conference, June 6-8 2012, Internet, http:// www.unodc.org/documents/treaties/organized_crime/ EGM_cybercrime_2011/Presentations/Russia_1_ Cybercrime_EGMJan2011.pdf (date accessed: 30 September 2012). Ernest Chernukhin, Department on New Challenges and Threats, Ministry of Foreign Affairs of the Russian Federation, “Cooperation against Cybercrime,” presentation at UNODC Expert Group on Cybercrime, 17-21 January 2011, Internet, http://www.coe.int/t/ DGHL/cooperation/economiccrime/cybercrime/ cy_Octopus2012/presentations/Conclusions_E_Chernukhinpresentation-2012%20Octopus.pdf (date accessed: 30 September 2012). 41 Commonwealth Secretariat, “Model Law on Computer and Computer Related Crime,” October 2002, Internet, http://www.thecommonwealth. org/shared_asp_files/uploadedfiles/%7BDA109CD25204-4FAB-AA77-86970A639B05%7D_Computer%20Crime.pdf (date accessed: 1 October 2012), 1: “Ministers asked that an expert group be convened to consider the content of a model law on the basis of the work of the Council of Europe on the Draft Convention on Cyber Crime (COE Draft Convention).”; Business Software Alliance, “BSA Global Cybersecurity Framework,” 2010, Internet, http:// www.bsa.org/~/media/Files/Policy/Security/CyberSecure/Cybersecurity_Framework.ashx (date accessed: 1 October 2012), 2: the BSA recommends ratifying the Budapest Convention or ratifying the BSA’s Model Law, which is based upon the Convention; see also, Zahid Jamil, “An International Solution to a Global Problem,” PowerPoint presentation, Internet, http:// www.comnet.org.mt/wp-content/uploads/2011/06/ The-Cybercrime-Convention-Zahid-Jamil.ppt (date accessed: 1 October 2012); 3: ITU’s HPCAR project Model text Articles 4, 6, 7, 9, 10, 11, 12, 13, 20, 22, 23, 24, 25, 26 based on the Convention; Information on this proposal is available at: ITU Telecommunication Development Bureau, “Establishment of Harmonized Policies for the ICT Market in the ACP: Countries Cybercrime/e-Crimes: Model Policy Guidelines and Legislative Texts,” PowerPoint presentation, 2012, Internet, http://www.itu. int/ITU-D/projects/ITU_EC_ACP/hipcar/reports/ wg2/docs/HIPCAR_1-5-B_Model-Policy-Guidelinesand-Legislative-Text_Cybercrime.pdf (date accessed: 1 October 2012); “HIPSSA Draft Computer Crime and Cybercrime Bill Version 1.0,” especially articles 2, 3, 4, 7, 8, 9, 10, 11, 27, 29, 30, 31, 32, based on the Convention January 2012, Internet, http://www. itu.int/ITU-D/projects/ITU_EC_ACP/hipssa/Activities/SA/SA_4%20docs/cybercrime.doc (date accessed:

[ 1 1 9]

GLOBAL FIGHT AGAINST CYBERCRIME

1 October 2012); ITU’s ICB4PAC Pacific Island Regional Model Cybercrime Legislation Articles 4, 6, 7, 9, 10, 12, 13, 14, 26 28, 29, 30, 31, 32 based on the Convention; Information on this proposal is available at: International Telecommunications Union, “Capacity Building and ICT Policy, Regulatory and Legislative Frameworks Support for Pacific Island Countries (ICB4PAC),” Internet, http://www.itu.int/ ITU-D/projects/ITU_EC_ACP/icb4pis/index.html (date accessed: 1 October 2012). 42 “International Strategy for Cyberspace: Prosperity, Security, and Openness,” May 2011, Internet, http://www.whitehouse.gov/sites/default/files/rss_ viewer/international_strategy_for_cyberspace.pdf (date accessed: 1 October 2012). 43 “The UK Cyber Security Strategy: Protecting and promoting the UK in the digital world,” November 2011, Internet, http://www.carlisle.army. mil/dime/documents/UK%20Cyber%20Security%20 Strategy.pdf (date accessed: 1 October 2012), 29. 44 “there was no appetite for an alternative Convention, and that is a view that the UK strongly supports….. encourage the work that the Council has done to reach out to countries across the globe and assist them in developing their legislative framework for tackling cyber crime. “James Brokenshire, “Speech delivered at the 10th anniversary of the Budapest Convention, Council of Europe, Strasbourg,” Internet, http://ukcoe.fco.gov.uk/resources/en/22792210/pdfbrokenshire (date accessed: 30 September 2012). 45 “In retrospect, the foresight of the drafters of this Convention has proven to be quite remarkable. And any suggestion that it is out of date is totally without foundation. A reading of the Convention shows that it is about practical co-operation.While technology has unquestionably developed exponentially in the decade since the Convention came into operation, its framework and practical mechanism are still relevant.……Through its practical approach the Convention remains the world’s leading international legal tool to combat cybercrime. The Convention has been effective, it continues to be effective and will become more so with an increasing number of countries becoming a party to the Convention.”. The Honourable Robert McClelland MP, “Cyberspace:

[ 1 20] Georgetown Journal of International Affairs

The new international legal frontier,” Keynote address to the Council of Europe Convention on Cybercrime, 23 November 2011, Internet, http://www.coe. int/t/dghl/cooperation/economiccrime/cybercrime/ cy_octopus_interface_2011/Presentations/R_McLelland_Keynote_address_10th_anniversary_B_Convention.pdf (date accessed: 1 October 2012), 5. 46 Attorney-General for Australia, “New laws in the fight against cyber crime,” 22 August 2012, Internet, http://www.attorneygeneral.gov.au/Media-releases/ Pages/2012/Third%20Quarter/22August2012-Newlawsinthefightagainstcybercrime.aspx (date accessed: 1 October 2012). 47 Marcel Evans, “What you need to know about Costa Rican Cybercrime Offence Law 9048,” Costa Rica Star, 18 July 2012, http://news.co.cr/what-you-needto-know-about-costa-rican-cybercrime-offencelaw-9048/10702/ (date accessed: 1 October 2012). 48 “Sri Lanka to sign international cybercrime prevention convention,” Sri Lanka Guardian, 9 November 2008, http://www.srilankaguardian.org/2008/11/ sri-lanka-to-sign-international.html (date accessed: 1 October 2012). 49 Information and Communication Technology Agency of Sri Lanka, “Sri Lanka to be signatory to global Cybercrime Prevention Convention - Prof. Tissa Vitharana,” press release, 2 November 2008, Internet, http://www.icta.lk/en/component/content/ article/45-press-releases/338-sri-lanka-to-be-signatory-to-global-cybercrimeprevention-conventionprof-tissa-vitharana-.html (date accessed: 1 October 2012). 50 See for example, Business Software Alliance (BSA), “BSA Global Cloud Computing Scorecard: A Blueprint for Economic Opportunity,” Internet, http://portal.bsa.org/cloudscorecard2012/assets/ PDFs/BSA_GlobalCloudScorecard.pdf (date accessed: 1 October 2012). 51 Office of the United State Trade Representative, “USTR Releases Annual Special 301 Report on Intellectual Property Rights,” press release, May 2011, Internet, http://www.ustr.gov/about-us/press-office/ press-releases/2011/may/ustr-releases-annual-special301-report-intellectual-p (date accessed: 1 October 2012).