Deciphering Cybercrime (2) – Global Prescription for a Global Problem

By: Sonny Zulhuda

UN Convention Against Transnational Organized Crime 2000

Even though criminal law is subject to the local criminalization of offences such as described in the earlier paragraph, there is a growing consensus that some types of crime is given a global recognition, due to two-fold factors: the cross-border implication of such crime and the fact that certain crimes are perpetrated by a cross-border organized crime. This global crime reputation is currently enjoyed by criminals involved in money-laundering, global terrorism, as well as in illegal trafficking of gun, drugs and human.

In 2000, cyber criminals have surfaced in the international crime scene albeit insufficiently elaborated. This is by virtue of the introduction of the UN Convention Against Transnational Organized Crime (the TOC Convention) in December 2000. A missed opportunity it may be, the TOC Convention unfortunately does not include any substantive cyber criminal offence in its scope. Article 3.1 mentions it applies on the criminal offences arising out of four offences, namely, participation in an organized criminal group, money laundering, corruption and the obstruction of justice. The TOC Convention however provided in article 3.2 that an offence is transnational in nature if it fulfills either following characteristics:

1. It is committed in more than one State;
2. It is committed in one State but a substantial part of its preparation, planning, direction or control takes place in another State;
3. It is committed in one State but involves an organized criminal group that engages in criminal activities in more than one State; or
4. It is committed in one State but has substantial effects in another State.

This characterization of a transnational crime can help at least the set up another framework for cyber crime which can aptly fit into the above nature. Indeed, cyber crime is a global problem, and therefore requires global effort to cure or prevent it.

Meanwhile, article 29(2) of the TOC Convention expressly refers to methods for combating the misuse of computers and telecommunications networks (Broadhurst & Grabosky, 2005).

Its Article 29(2), among other things, mentions:

“Each State Party shall, to the extent necessary, initiate, develop or improve specific training programmes for its law enforcement personnel, including prosecutors, investigating magistrates and customs personnel, and other personnel charged with the prevention, detection and control of the offences covered by this Convention. Such programmes may include secondments and exchanges of staff. Such programmes shall deal, in particular and to the extent permitted by domestic law, with the following:

(h) Methods used in combating transnational organized crime committed through the use of computers, telecommunications networks or other forms of modern technology…”

The TOC Convention is outstanding because it provides for future mindset and framework in dealing with transnational criminal offences. Nevertheless, due to the absence of criminalization of certain offences specific to cyberspace, this Convention may have done little except in terms of international cooperation and enforcement where it has laid down quite significant platform.

Council of Europe’s Convention of Cybercrime 2001

Barely one year later, there is a light of hope arising in the land of Europe for the future cyber crime law at international level. The member countries of the Council of Europe (COE) together with other governments from Canada, South Africa, Japan and the United States had drafted and signed a first multinational treaty on cybercrime called the Council of Europe’s Convention of Cybercrime 2001 (Csonka in Broadhurst & Grabosky, 2005). This convention set forth broadly four distinct substantive criminal offences, which are;

1. Offences against the confidentiality, integrity and availability of computer data or systems.
2. Computer-related offences
3. Content-related offences
4. Offences involving the infringement of intellectual property and related rights.

Offences against the confidentiality, integrity and availability of computer data or systems

The first category, i.e. offences against the confidentiality, integrity and availability of computer data or systems, covers almost typically all cybercrime that makes computers or computer systems (including data, network, software and hardware, and greater telecommunications infrastructure) as the target of the crime. The bottom line is this category of crimes put either of three pillars to information security at stake. Those three pillars are confidentiality, integrity and availability. This often-dubbed ‘CIA’ principle has been long known to the information security practitioners as adopted in the globally-accepted British Standards of Information Security Practices (BS7799) and later adopted to the ISO17799 on the similar title (Whitman & Mattord, 2003). The role of law towards these three principles can be summarized as follows.

1. Confidentiality – the law seeks to ensure that information is accessible only to those authorized to have access.
2. Integrity – the law is concerned with the maintenance of the accuracy and completeness of information and processing methods.
3. Availability – the law is also required to give assurance that authorized users have access to information and associated assets when required.

In this first category of substantive offense, the Convention specifically mentions certain types of criminal offences such as illegal access, illegal interception, data interference, system interference, and misuse of devices. It is worth noting here, that the above terms are very generic in nature. One should not confuse them with latest terms that sound more techie and sophisticated but actually refers to similar nature substantively. Furthermore these new words are coined from time to time in order to reflect different methods used by perpetrators. Hence for example the terms hacking, cracking, cyber intrusion and online trespass are all reflecting unauthorized or illegal access; while the terms cyber-stalking, cyber espionage and cyber voyeurism may involve illegal interception; and the terms web defacing, distributed denial of services (DDOS) attack and cyber sabotage may well fit the data or system interference. It is submitted here that these generic words should be used in the text of laws instead of the variant offences. This is to avoid the laws from being too technical and becoming quickly obsolete.

Computer-related offences

As opposed to the first group of offences, the second category refers to the group of criminal acts that involve the computers as medium of the crime. It specifically refers to two biggest problems, i.e. computer-related fraud and computer-related forgery. These two types of cyber crime are self-explaining, and may also cover variety of methods and variants that include online fraud, phising, email and sms scams, online banking scam, carding, etc. Nevertheless this provision seems to be too limited. In fact, there are a lot more offences which are computer-related than fraud and forgery. This gap has been addressed in some local cyber crime legislations with the criminalization of ‘unauthorized access to further criminal act’ like the one found in the laws of UK, Singapore and Malaysia.

Content-related offences

As the sub-title suggests, this group of offences concern with the online content. It is noteworthy here that when it comes to content, the global community as reflected in the Convention drafters and signatories can not approve more than the boundary of children pornography. That is why this category only touches various activities pertaining to the provision of online content that depicts children as sexual objects.

This restriction of content-related offences can be viewed with a strong demand to maintain freedom of speech in the cyberspace. The US Supreme Court in the case of American Civil Liberties v. Reno in 1996 commented, among other things, that ‘there is governmental interest in protecting children from harmful materials… but that interest does not justify an unnecessarily broad suppression of speech addressed to adult.’

Having said that, content-related offences are very much local in nature, thus can differ significantly from one jurisdiction to another. What is an approved content in one place can be greatly opposed in another. This explains why, for example, a global online clips portal ‘You-Tube’ had recently received complaints from Thai government for its video clip that is regarded insult to the monarchy’s King. Many Muslim countries do not tolerate online content that depicts the Prophet Muhammad. Meanwhile many European countries criminalize the content that suggests denial to the Holocaust. This is a continuous debate over a controversial idea of online content regulation, where the idea of ‘offensive content’ is not an easy task for globally-framed regulation (Deibert, 2006; Quimbo, 2003).

Offences involving the infringement of intellectual property and related rights.

This last category of the substantive offences under the Cybercrime Convention is strengthening the already existing global legal frameworks under the administration of WIPO that protect the family of works eligible under the boundaries of intellectual properties. These include works protected by copyright, patent, trademarks, industrial design and database right. This area of law is worth reminding due to the increasing ease caused by digital technology to inflict the infringement of copyright, for example, in the cyberspace. Due to this challenge, many countries worldwide had introduced either a new law of amendment to existing law that expands the coverage of copyright infringement to those that occurs electronically.

The European Union Initiatives to Combat Cyber Crime

In January 2001, the European Commission adopted a Communication on “Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime.” The Communication discussed the need for and possible forms of a comprehensive policy initiative in the context of the broader Information Society and Freedom, Security and Justice objectives for improving the security of information infrastructures and combating cyber-crime.

 

In the Communication, the Commission emphasized that a comprehensive policy program to fight against cyber-crime should presuppose at least the following four key conditions:

1. The adoption of adequate substantive and procedural legislative provisions to deal with both domestic and transnational criminal activities.
2. The availability of a sufficient number of well-trained and equipped law enforcement personnel.
3. The improvement of the co-operation between all the actors concerned, users and consumers, industry and law enforcement.
4. The need for ongoing industry and community-led initiatives.

The Commission has also presented a legislative package to approximate specific areas of substantive criminal law in the area of high-tech crime. Following the instructions give by Heads of State and Governments in Tampere, three proposals for Council Framework Decision have been presented for approximation of criminal law on child pornography on the Internet, racism and xenophobia and attacks against information systems (hacking, denial of service and viruses). Negotiations on these instruments are still going on at Council competent instances, while the European Parliament has already been consulted. A fourth proposal will come soon which will address mutual recognition of pre-trial orders to obtain evidence. The main focus of the proposal will be on general judicial co-operation in criminal matters, but the proposal will also address the specific issues associated with cyber-crime investigations.

 

It is worth noting here that the effort which has been seriously taken by the European Union is already based on a regional platform. This is one step closer to an international benchmarking and full cooperation. Similar initiatives should also be considered by other regional communities such as APEC and ASEAN. This is again because many cybercrime enforcement had failed due to the extra-territorial nature of the offense thus requires a close cooperation and mutual assistance.