12 JTransnatl LPoly 287
12 JTransnatl LPoly 287
12 JTransnatl LPoly 287
Citations:
Please note: citations are provided as a general guideline. Users should consult their preferred
citation format's style manual for proper citation formatting.
-- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and
Conditions of the license agreement available at
https://heinonline.org/HOL/License
-- The search text of this PDF is generated from uncorrected OCR text.
-- To obtain permission to use this article beyond the scope of your license, please use:
Copyright Information
THE COUNCIL OF EUROPE CONVENTION ON
CYBERCRIME
MIKE KEYSER*
Table of Contents
I. INTRODUCTION
The Internet is often referred to as the new "Wild West."' This
maxim holds true, because the Internet is so similar to the turn of
the century Western Frontier.2 Like the Wild West, the Internet
has brought with it opportunity and millions of new jobs.3 The
Internet also brings with it very real dangers. Although the specific
dangers may be different from those faced on the American
Frontier, a web surfer's exposure to dangers which are new, difficult
to police, and difficult to prevent, is very similar.4 The only
significant difference may be that the Internet is a virtual society
* J.D. candidate, Seattle University School of Law (May 2003); B.A., Washington State
University (May 2000). The author would like to thank Bob Menanteaux, reference librarian
at Seattle University School of Law, for all of his help and guidance.
1. Henry E. Crawford, Internet Calling: FCC Jurisdiction over Internet Telephony, 5
COMM. L. CONSPECTUS 43, 43 (1997) (discussing the Internet and analogizing it to the Wild
West).
2. Id.
3. Mohit Gogna, The World Wide Web Versus the Wild Wild West, at httpJ/
home.utm.utoronto.ca/-mohit/ (last visited Dec. 4, 2002). For example, in 1996, 1.1 million
jobs were created. Id.
4. Id.
288 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
9. John Galvin, Meet the World's Baddest Cyber Cops, ZIFF DAVIS SMART Bus. FOR THE
NEW ECON. (Oct. 1, 2001), at 78 (on file with the Journal of Transnational Law & Policy).
10. Id.
11. Id.
12. Id.
13. Dhillon & Smith, supranote 5, at 140 (discussing the reluctance of companies to report
intrusions on its systems).
14. Id.
15. Id.
16. Id. at 139.
17. Jay Lyman, ID Theft and Web Scams Top Consumer Complaints, NEWSFACTOR
NETWORK (Jan. 24, 2002), at http://www.newsfactor.con/perl/story/15965.html.
18. Id.
290 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
B. GreaterDependency on Technology
As our lives become more advanced, we depend on computers
and technology to even greater degrees. For example, one should
consider the increasing trend of Internet sales. The convenience
and privacy of online consumer spending is leading towards a
growing use of the Internet as a consumer's primary purchasing
location. In the year 2000, online retail sales totaled $5 billion,
while total sales were $42.4 billion. 20 "Total U.S. spending on online
sales increased from $4.9 billion in November to $5.7 billion in
December" of 2001.21 Consumer online sales for the third quarter
of 2002 reached $17.9 billion, a 35 percent increase over the third
quarter of 2001.22 Online sales through the third quarter of 2002
totaled $52.5 billion.23 As online sales continue to increase, and
personal and credit card information is transferred over the
Internet, the American public also increases its chances that it will
become the victim of a "cybercrime."
physical site of the crime, or the source of, or reason for, unique
forms of asset loss. "2 Examples of this type of crime are viruses,
logic bombs, and sniffers.29 Finally, "a computer may be [the]
'instrument' used to commit traditional crimes."" For example, a
computer might be used to commit the most common type of
cybercrime to date-identity theft.31
D. Identity Theft
Identity theft is now being called "the signature crime of the
digital era."32 "Identity theft is the illegal use of another's personal
identification numbers."3 3 Examples include a person using a stolen
"credit card, or social security number to purchase goods,"34
withdraw money, apply for loans, or rent apartments.3 5 While these
types of crimes have existed for a long time in the form of pick
36
pocketing, the Internet facilitates their frequency and ease.
Without faces or signatures, the only thing preventing a person from
posing as another is a password, which can be intercepted without
much difficulty by an experienced criminal.3"
28. Id.
29. Id.
30. Id.
31. See Lyman, supra note 17.
32. Michael McCutcheon, Identity Theft, Computer Fraud and 18 U.S.C. § 1030(G): A
Guide to Obtaining Jurisdiction in the United States for a Civil Suit Against a Foreign
National Defendant, 13 Loy. CONSUMER L. REV. 48, 48 (2001) (discussing identity theft).
33. Id.
34. Id.
35. Id.
36. Id.
37. Id. at 49.
38. See, e.g., 18 U.S.C. § 875 (2000) (originally enacted as Act of June 25, 1948, ch. 645, 62
Stat. 741) (interstate communications: including threats, kidnapping, ransom, and extortion);
18 U.S.C. § 1029 (2000) (possession of access device); 18 U.S.C. § 1030 (2000) (fraud and
related activity in connection with computers); 18 U.S.C. § 1343 (2000) (originally enacted as
Act of July 16, 1952, ch. 879, § 18(a), 66 Stat. 722, and amended by Act of July 11, 1956, ch.
561, 70 Stat. 523) (fraud by wire, radio, or television); 18 U.S.C. § 1361 (2000) (based on Act
of Mar. 4, 1909, ch. 321, § 35, 35 Stat. 1095; Act of Oct. 23, 1918, ch. 194, 40 Stat. 1015; Act
of June 18, 1934, ch. 587, 48 Stat. 996; Act of Apr. 4, 1938, ch. 69, 52 Stat. 197) (injury to
government property or contracts); 18 U.S.C. § 1362 (2000) (based on Act of Mar. 4, 1909, ch.
321, § 60,35 Stat. 1099) (communication lines, stations, or systems); Economic Espionage Act
of 1996, 18 U.S.C. § 1831, et seq. (2000).
292 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
39. Pub. L. No. 99-474, § 2, 100 Stat. 1213 (1986) (amending 18 U.S.C. § 1030).
40. Pub. L. No. 104-294, tit. 2, § 201, 110 Stat. 3488, 3491-94 (1996) (amending 18 U.S.C.
§ 1030). For a discussion of laws currently in place, see Dillon et al., supra note 24, at 508.
41. Press Release, United States Dep't of Justice, Hacker Sentenced in New York City for
Hacking into Two NASA Jet Propulsion Lab Computers Located in Pasadena,California
(Sept. 5, 2001), availableat http'//www.usdoj.gov/criminal/cybercrime torricellisent.htm.
42. Id.
43. Id.
44. Id.
45. Id.
46. Id.
47. Id.
48. Id.
49. Id.
50. Id.
51. Id.
Spring, 2003] CYBERCRIME 293
52. Id.
53. Id.
54. Id.
55. Id.
294 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
56. Press Release, United States Dep't of Justice, U.S. Indicts 17 in Alleged International
Software Piracy Conspiracy (May 4, 2000), available at httpJ/www.cybercrime.gov
/pirates.htm.
57. Id.
58. Id.
59. Id. (quoting Scott R. Lassar, United States Attorney for the Northern District of
Illinois).
60. Id.
61. Id.
Spring, 2003] CYBERCRIME 295
62. Id.
63. Id.
64. Id.
65. Id.
66. Id.
67. Id.
68. Id.
69. Id.
70. Dillon et al., supra note 24, at 539 (discussing computer systems and ease of access).
71. Id.
296 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
1. Importance
The COE's Convention on Cybercrime is important international
legislation because it binds countries in the same way as a treaty.
"An international convention, or treaty, is a legal agreement
between governments that spells out a code of conduct."7 Once a
large number of states have ratified a treaty, then it becomes
acceptable to treat it as general law. ° Treaties are the only
machinery that exist for adapting international law to new
conditions and strengthening the force of a rule of law between
states.8 ' Thus, it seems very important for an international regime
to be set up to combat these types of crimes in a growing and
2. Objectives
The Convention is intended to be the "first international treaty
on crimes committed via the Internet and other computer
networks." 2 Its provisions particularly deal with infringements of
copyrights, computer-related fraud, child pornography, and
violations of network security.83 Its main objective, set out in the
preamble, is to "pursue ... a common criminal policy aimed at the
protection of society against cybercrime... especially by adopting
appropriate legislation and fostering international co-operation."84
3. PartiesInvolved
5
The Convention is open to worldwide membership.
Instrumental in its drafting were the forty-one COE "countries,
which cover most of Central and Western Europe."8" In addition,
the United States, Canada, Japan, and South Africa also aided in its
drafting.87 As stated earlier, as of the date of this publication,
thirty-five countries have signed the treaty.8
4. Scope
The Convention is broken up into four main segments, with each
segment consisting of several articles. The first section outlines the
substantive criminal laws and the common legislation all ratifying
countries must adopt to prevent these offenses.89 The second section
delineates the prosecutorial and procedural requirements to which
individual countries must adhere.' The third section sets out
guidelines for international cooperation that most commonly involve
joint investigations of the criminal offenses set out in section one.9'
Finally, the fourth section contains the articles pertaining to the
signing of the Convention, territorial application of the Convention,
92. Id.
93. Id. art. 1.
94. ExplanatoryReport of the Comm. of Ministers[of the Convention on Cybercrime], 109th
Sess. (adopted on Nov. 8, 2001), art. l(a), 23 [hereinafter ExplanatoryReport] (on file with
the Journal of Transnational Law & Policy).
95. Id. art. 1(b), 25.
96. Id.
97. Id.
98. Id. art. 1(c), IT 26, 27.
99. Id.
100. Id. art. l(d), 28-31.
101. Id.
102. Id.
103. Id.
Spring, 2003] CYBERCRIME 299
115. Id.
116. Convention, supra note 6, art. 2.
117. ExplanatoryReport, supra note 94, art. 2, 47.
118. Id. art. 2, 46.
119. Id. art. 2, 9149.
120. Id. art. 2, 9150.
121. 18 U.S.C. § 1030 (2000).
122. 18 U.S.C. § 1030(a)(1).
123. 175 F. Supp. 2d 367 (D. Conn. 2001).
124. Id. at 368.
125. Id.
126. Id.
Spring, 2003] CYBERCRIME 301
c. Article 4 - DataInterference
Article 4, criminalizing the destruction of data, aims "to provide
computer data and computer programs with protection similar to
that enjoyed by" tangible objects against the intentional infliction
of damage.'3 7 The input of malicious codes, viruses, and Trojan
horses is thus covered under this criminal code. 13 Convention
parties are granted the freedom to require that "serious harm" be
committed when legislating this crime, in which the interpretation
of what constitutes
39
"serious harm" is left to the respective
government. 1
The United States' statutory equivalent is the Computer Fraud
and Abuse Act of 1986.140 This section prohibits a person from
knowingly transmitting"a program, information, code, or command,
and as a result of such conduct, intentionally" causing "damage
without authorization, to a protected computer."14 ' A "protected
computer" is defined as a computer "which is used in interstate or
foreign commerce or communication."' 42 Damage must also occur to
"one or more persons,"14 but courts have held that "one or more
persons" includes corporations. 4 4 In United States v. Middleton, a
disgruntled former employee obtained illegal access to his former
company's computer system, changed all the administrative
passwords, altered the computer's registry, deleted the entire billing
system (including programs that ran the billing software), and
deleted two internal databases. 4 5 In response, company employees
spent a considerable amount of time repairing the damage and
buying new software. 4 6 The former employee, arrested under
section 1030(a)(5)(A), moved to dismiss by alleging that the
company was not an "individual" for purposes of the statute.' 4 ' The
136. United States Dep't of Justice, Frequently Asked Questions and Answers About the
Council of Europe Convention on Cybercrime, at httpJ/www.usdoj.gov/criminal/cybercrime/
COEFAQs.htm (last visited Feb. 13, 2003) [hereinafter Frequently Asked Questions].
137. ExplanatoryReport, supra note 94, art. 4, 60.
138. Id. art. 4, 61.
139. Id. art. 4, [ 64.
140. Pub. L. No. 99-474, § 2, 100 Stat. 1213 (1986) (amending 18 U.S.C. § 1030).
141. 18 U.S.C. §1030(a)(5)(A).
142. Id. §1030(g)(e)(2)(B).
143. 18 U.S.C. § 1030(e)(8)(A).
144. United States v. Middleton, 231 F.3d 1207, 1210-1211 (9th Cir. 2000).
145. Id. at 1209.
146. Id.
147. Id.
Spring, 2003] CYBERCRIME 303
f. Article 7- Computer-RelatedForgery
Article 7 outlaws computer-related forgery, or the intentional
"input, alteration, deletion, or suppression of computer data
resulting in inauthentic data with the intent that it be considered
or acted upon for legal purposes as if it were authentic .... The
purpose of this Article is to create a parallel offense to the forgery
157. Kelly Cesare, Prosecuting Computer Virus Authors: the Need for an Adequate and
Immediate InternationalSolution, 14 TRANSNAT'L LAw. 135,143 (2001) (discussing the impact
of the Melissa virus).
158. Id.
159. ExplanatoryReport, supra note 94, art. 6, 71.
160. Id.
161. Id. art. 6, [ 72.
162. Id.
163. Id. art. 6, [73.
164. Id.
165. Id. art. 6, 9176.
166. Convention, supra note 6, art. 7.
Spring, 2003] CYBERCRIME
g. Article 8 - Computer-RelatedFraud
Article 8 makes computer-related fraud illegal.'7 2 Computer-
related fraud is the intentional causing of a loss of property by
deletion or alteration of computer data, "interference with the
functioning of a computer system, with fraudulent or dishonest
intent of procuring without right, an economic benefit for oneself or
for another person."'7 3 Assets such as electronic funds, deposit
money, and credit card numbers have become the target of hackers,
who feed incorrect data into the computer with the intention of an
illegal transfer of property.'7 4 This Article is specifically intended
to criminalize a direct economic or possessory loss of property if the
"perpetrator acted with the intent of procuring an unlawful
economic gain.... ""' In addition to the general intent requirement,
this Article also "requires a specific fraudulent or other dishonest
intent to gain an economic or other benefit .. ,176 This specific
intent requirement is another effort by the drafters to filter serious
misconduct from minor crimes.
This Article is an international tool of legislation that is greatly
needed. Computer-related fraud in online auction houses, such as
eBay, is a growing business for many criminals. The Internet Fraud
Complaint Center ("IFCC"), a partnership between the Federal
Bureau of Investigation ("FBI") and the National White Collar
Crime Center ("NW3C"), reported that 1.3 million transactions per
day take place on Internet auction sites.' Auction fraud through
188. United States v. Hocking, 129 F.3d 1069, 1070 (9th Cir. 199 '7).
189. Convention, supra note 6, art. 9.
190. United States v. Lacy, 119 F.3d 742, 747 (9th Cir. 1997).
191. Id.
192. Ashcroft v. Free Speech Coalition, 535 U.S. 234, 239 (2002).
193. Id. at 242.
194. Id.
195. Id. at 258 (holding 18 U.S.C. §§ 2256(8)(B), 2256(8)(D) uncor astitutional as overbroad).
196. Id. at 256-58.
197. ExplanatoryReport, supra note 94, art. 9, 93.
198. Ashcroft, 535 U.S. at 251.
199. Id. at 252-54.
308 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
200. Id.
201. Id. at 253.
202. Id. (quoting Stanley v. Georgia, 394 U.S. 557, 566 (1969)).
203. Ashcroft, 535 U.S. at 253.
204. Id. at 254.
205. Id.
206. Id.
207. Id.
208. Id.
Spring, 2003] CYBERCRIME 309
k. Article 12 - CorporateLiability
This Article "deals with the liability of legal persons."2 1 6 Four
conditions must be met in order to establish liability.1 7 First, a
described offense must have been committed.2 18 Second, it must
have been committed to benefit a legal person.2 19 Third, a person
who is in a "leading position" must be the one who committed the
offense, which could include a director. 220 Finally, "the person who
has a leading position must have acted.. . within the scope of his or
her authority to engage the liability of the legal person."22 ' In the
case of an offense committed by an agent or employee of the
corporation, the offense must have been made possible by the
leading person's "failure to take appropriate and reasonable
measures to prevent employees or agents from committing criminal
activities on behalf of the [corporation].... 222 Appropriate and
reasonable measures are determined by examining the type of
business, its size, the standards or established business practices,
and other like factors.22' However,
224
liability of a corporation does not
exclude individual liability.
220. Id.
221. Id.
222. Id. art. 12, 125.
223. Id.
224. Id. art. 12, 127.
225. Id. art. 13, 128.
226. Id. art. 13, 130.
227. Id. art. 13, § 2, 131.
228. Id. art. 13, § 2, 132.
229. Id. art. 13, § 2, 133.
Spring, 2003] CYBERCRIME 311
230. Id.
231. Id. art. 13, § 2, 91134.
232. Id.
233. Id.
234. Id. art. 15, 91145.
235. Id.
236. Convention, supra note 6, art. 15.
237. Id.
238. Id. art. 16.
239. Explanatory Report, supra note 94, tit. 2, J 149.
240. Id. art. 15, tit. 2, %151.
312 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
form.2 4 ' On the other hand, data retention, or the process of storing
and compiling data, does not apply under this Article.2 42 The
concept of "data preservation" is a new legal power in many
domestic laws, brought about by because of the ability for computer
data to be destroyed or lost through careless handling and storage
processes.24 3 The statute operates in one of two ways: (1) the
competent authorities in the Convention party country simply
access, seize and secure the relevant data, or (2) where a reputable
business is involved, competent authorities can issue an order to
preserve the relevant data.244 Convention parties are thus required
to introduce a power that would enable law enforcement authorities
to order the preservation of data for a particular period of time not
exceeding 90 days. 245 Data such as this is frequently stored only for
short periods of time, since these laws are designated to protect
privacy and because the costs are high when preserving this type of
data. 4 6
241. Id.
242. Id. art. 15, tit. 2, 1I 151, 152.
243. Id. art. 15, tit. 2, 155.
244. Id.
245. Id. tit. 2, 156.
246. Id. art. 17, $ 166.
247. Id. art. 17, 9191165, 166.
248. Id. art. 1(d), 191 28-31.
Spring, 2003] CYBERCRIME 313
257. Id.
258. Id.
259. Id. art. 19, 186.
260. Id. art. 19, 187.
261. Id.
262. Id.
263. Id. art. 20, 216.
264. Id. art. 20, 225.
265. Id.
Spring, 2003] CYBERCRIME 315
h. Article 22 - Jurisdiction
Article 22 simply establishes that member countries must enact
laws enabling them to have jurisdiction over all the previous crimes
described above should they occur in any one of four places: (1) in
the member country's territory, (2) on board a ship flying the flag of
that country, (3) on board an aircraft registered under the laws of
that country, or (4) outside the territory of the country but
committed by one of its nationals. 27 0 A party would establish
territorial jurisdiction if the person attacking the computer system
and the victim were located within the country, or where the victim
was inside the territory but the attacker was not.2 7 ' The remaining
jurisdictional sections are rather self-explanatory.
stems from the fact that although it may not be such a big deal to
have the United States government wield greater power, the same
new powers will also be given to member countries that may not
"have a strong tradition of checks and balances on police power."27 4
United States companies do not want foreign investigators
searching through domestic computer systems based on a warrant
issued under the Convention. 5
The following example illustrates why United States companies
should have cause for concern. Suppose a Seattle University law
student, while researching a potential research topic, corresponds
by e-mail with an Al-Qaeda member in Italy. A few days later the
unknowing student finds federal agents examining the files on his
home computer. The agents also visit the student's ISP, Seattle
University, to retrieve records of the student's computer usage. The
agents are basing their authority on a warrant that was issued by
Italian authorities, which allows them to search for Al Qaeda
locations and documents. Italian officials framed their warrant in
terms of "suspected terrorist activity." Maybe the student should
have anticipated this scenario, given the vigor with which the world
is cracking down on Al-Qaeda members. Even if the law student is
willing to run the risk, and bear the burden, of this kind of search,
should Seattle University?
Larger ISPs, such as America Online, get dozens of search
warrants and subpoenas every month. This treaty would change
everything by not only requiring them to respond to those submitted
by United States law enforcement officials, they would also have to
respond to warrants and court orders from dozens of nations. All
ISPs, phone companies, and other businesses would be forced into
cooperating with investigations. This equates to higher storage,
investigative and retrieval costs for this extra data. These higher
costs would likely be passed down to the consumer in the form of
higher monthly service rates.
The opposing argument is plausible, however; ISPs should
expect this sort of intrusion as a cost of doing business in the
Internet era. The problem again lies in the fact that these added
costs will be passed down to the consumer. Additionally, if two
companies have cabled together two computers, the second company
could be forced to comply with investigations of other ISPs, which
would cause even more problems.
b. Article 24 - Extradition
Article 24 deals with extradition of criminals between member
countries. "The obligation to extradite applies only to" those crimes
committed in Articles 2 thru 11.2 7 A threshold penalty also exists
to minimize the massive extradition of criminals.2 78 Under certain
offenses, like illegal access (Article 2) and data interference (Article
4), member countries are permitted to impose short periods of
incarceration. 279 Accordingly, extradition can only be sought where
the maximum penalty is at least one year in jail.2 8 °
Important policy considerations are furthered by adding an
extradition provision. By all the countries prosecuting the same
crimes and sending criminals from one jurisdiction to another,
criminals effectively cannot hide from the law when committing a
crime within the Convention's jurisdiction. Because the deterrence
of crime is an important policy goal of any criminal law statute, as
well as this Convention, the extradition provision strengthens the
entire Convention. In fact, extradition laws governing computer
crimes are "hopelessly outdated and therefore, lagging behind the
forces they are trying to regulate." 281' This lack of uniformity results
in lax treatment of cybercriminals, allowing them to escape law
enforcement officials by fleeing to countries unwilling to extradite
a suspected criminal. This Convention provision is an important
step in harmonizing extradition laws between member countries
and bringing reluctant countries up to date.
m. Article 35 - 24 / 7 Network
Article 35 is a very interesting provision. The "24/7 network" is
a way to effectively combat crimes committed through the use of
computer systems when those crimes require a rapid response. This
Article obligates each country to designate a point of contact that is
available 24 hours per day, 7 days a week.30 6 This Article was
considered by the drafters to be one of the most important means of
effectively responding
37
to law enforcement challenges posed by
cybercrimes.
c. Article 38 - TerritorialApplication
Article 38, "territorial application," simply provides that a
member country must express to which territories it intends the
Convention to apply upon signature and ratification.3 2
305. Id.
306. Id. art. 35, 1298.
307. Id.
308. Id. art. 36, 304.
309. Id. art. 36, 305.
310. Id. art. 37, 306.
311. Id.
312. Convention, supra note 6, art. 38(1).
322 J. TRANSNATIONAL LAW & POLICY [Vol. 12:2
e. Article 40 -- Declarations
Article 40, "[d]eclarations," refers to certain articles contained
within the Convention that permit parties to include specific
" 31
"additional elements which modify the scope of the provisions. 1
Also, these elements were added to accommodate certain legal
differences between member countries. 31 6 These "should be
distinguished from 'reservations,' which permit a party to exclude
or modify the legal effect of certain obligations set forth in the
Convention."3 17
h. Article 44 -- Amendments
Article 44 allows for amendments to be made to the
Convention. 2 Any amendments adopted would come into force only
when all of the member countries "have informed the Secretary
General of their acceptance."3 23
k. Article 47 -- Denunciation
Article 47 permits a member country to denounce the
Convention. 3 v A country's denunciation would "become effective on
the first day of the month following the expiration of a period of
three months after the date of receipt" and notification by the
Secretary General.328
1. Article 48 - Notification
Article 48 requires notification to member countries of
signatories and ratifications when they occur.3 29
V. CONCLUSION
Cybercrimes are not confined within national borders. A
criminal armed with a computer and a connection has the capability
to victimize people, businesses, and governments anywhere in the
world. The criminal can commit violent crimes, participate in
international terrorism, sell drugs, commit identity theft, send
viruses, distribute child pornography, steal intellectual property and
trade secrets, and illegally access private and commercial computer
systems. These criminals can hide their tracks by weaving their
communications through numerous ISPs.