Approaches to cybercrime jurisdiction.

• Author: Brenner, Susan W.
• Position: Report

CONTENTS I. INTRODUCTION 3 II. JURISDICTION 5 III. TERRITORIAL CLAIMS 10 A. LOCATION OF ACTS 10 B. LOCATION OF COMPUTERS 16 C. LOCATION OF PERSONS 16 D. LOCATION OF EFFECT 19 E. LOCATION OF ANYTHING 20 F. NOTE ON JURISDICTION TO ENFORCE 21 IV. PERSONALITY CLAIMS 24 A. NATIONALITY OF THE PERPETRATOR 24 B. NATIONALITY OF THE VICTIM 25 V. OTHER CLAIMS 26 A. PROTECTION 26 B. UNIVERSALITY 28 VI. REASONABLENESS STANDARD 29 VII. JURISDICTION CONFLICTS 40 A. NEGATIVE CONFLICTS 40 B. POSITIVE CONFLICTS 41 VIII. CONCLUSIONS 44 I. INTRODUCTION

A Web site in Germany caters to the adult market, and has done so happily for three years. Then, out of the blue, it finds itself indicted in Singapore because of spreading pornographic material in Singapore, even though the company has never done business with someone from Singapore. To make things worse, the Web site owners are ordered to appear in court in Belgium, because some of the adult pictures are considered to be of 17-year old minors, constituting the crime of child pornography (which, in Belgium, entails persons under 18 years of age; in Germany, the age limit is 14). The business is perfectly legal in Germany, but since it uses the Internet to conduct its business, it finds itself confronted with the criminal laws of all countries connected to the Internet--that is, all countries of the world.

A script kiddie concocts a new worm and, without really thinking of the potential consequences, launches it on the Internet. To his amazement (and somewhat to his fear), he finds that he has blocked large portions of the Internet, causing significant damage in numerous countries around the world. Many countries have laws criminalizing the spreading of worms, and so, in theory, he can be prosecuted by many countries, perhaps consecutively. In practice, however, perhaps no country will claim jurisdiction, thinking that surely other countries will have suffered more damage and hence will have priority in prosecuting.

These examples show that jurisdiction in cybercrimes is a tricky issue. Acts on the Internet that are legal in the state where they are initiated may be illegal in other states, even though the act is not particularly targeted at that single state. Jurisdiction conflicts abound, both negative (no state claims jurisdiction) and positive (several states claim jurisdiction at the same time). Above all, it is unclear just what constitutes jurisdiction: is it the place of the act, the country of residence of the perpetrator, the location of the effect, or the nationality of the owner of the computer that is under attack? Or all of these at once?

It appears that countries think differently on this issue. The cybercrime statutes that have been enacted over the past decades in numerous countries show varying and diverging jurisdiction clauses. In this article, we want to outline these varying approaches in cybercrime jurisdiction, by indicating when states claim jurisdiction and which factors influence that claim. This outline is aimed at answering the questions, what kinds of approaches do states have in claiming jurisdiction over cybercrime, and what are the potential consequences if these approaches significantly diverge globally?

In this article, we focus on jurisdiction in substantive criminal law by analyzing the cybercrime statutes of numerous countries and states. When the cybercrime statute at issue lacks a jurisdiction clause, we focus on the existing principles of jurisdiction in that country, which by implication also apply to the cybercrime laws. We have restricted ourselves mainly to statutory law, since so far there is little case law available on cross-border cybercrime jurisdiction.

It is not our intention to be comprehensive. Rather, we want to raise awareness that cybercrime jurisdiction clauses differ significantly, and, to do so, it is sufficient to analyze a sample of states and countries around the world. In North America, we analyze several U.S. states and the federal U.S. law; in Europe, we study the Netherlands, (3) Belgium, (4) and Germany; (5) in Australasia, we focus on Singapore, (6) Malaysia, (7) and the Australian state of Tasmania. (8) We also include the jurisdiction clause in the Council of Europe's Cybercrime Convention. (9) The selection of these states and countries is rather eclectic: we have simply chosen those states that have interesting jurisdiction clauses with respect to cybercrime. Other countries may have comparable clauses, but the present sample in any case serves the purpose of showing the diversity of approaches in cybercrime jurisdiction.

We start with a general description of jurisdiction ([section] 2). Then, we survey jurisdiction clauses in cybercrime statues that establish jurisdiction, either based on territorial claims, e.g., because the act itself, an affected computer, or an affected person is located in the country ([section] 3), based on personality claims ([section] 4), or based on other claims, such as the protection principle and universality ([section] 5). Jurisdiction does not only require a connection with the crime; it also demands that this connection be sufficiently close to warrant the exercise of jurisdiction--the reasonableness standard ([section] 6). Particularly with cybercrimes that are connected with many countries, the various jurisdiction clauses described will clash, resulting in positive jurisdiction conflicts, or even in negative conflicts when no state claims jurisdiction on the presumption that some other state is more closely affected ([section] 7). We end with summarizing the various approaches in cybercrime jurisdiction, the problems that this variation poses, and we indicate resulting issues that merit further study ([section] 8).

2. JURISDICTION

   "Jurisdiction" encompasses several discrete concepts, including jurisdiction to prescribe, jurisdiction to adjudicate, and jurisdiction to enforce. (10) Jurisdiction to prescribe is a sovereign entity's authority "to make its law applicable to the activities, relations, or status of persons, or the interests of persons in things ... by legislation, by executive act or order, by administrative rule ... or by determination of a court." (11) Jurisdiction to adjudicate is a sovereign entity's authority "to subject persons or entities to the process of its courts or administrative tribunals" for the purpose of determining whether prescriptive law has been violated. (12) Jurisdiction to enforce is a sovereign entity's authority "to induce or compel compliance or to punish noncompliance with its laws or regulations, whether through the courts or by use of executive, administrative, police, or other nonjudicial action." (13)

   Traditionally, all three types of jurisdiction have been based primarily upon the concept of territory. A nation (or a state) had jurisdiction to prescribe what was and was not proper conduct within its physical territory and had jurisdiction to enforce those prescriptions against actors whose unlawful conduct had occurred within its territory. This concept of jurisdiction followed from the basic principle that a sovereign entity had the lawful authority to exert control within "its territory generally to the exclusion of other states, authority to govern in that territory, and authority to apply law there." (14) As the U.S. Supreme Court said in American Banana Company v. United Fruit Company, 213 U.S. 347, 356 (1909), "the character of an act as lawful or unlawful must be determined wholly by the law of the country where the act is done." From this, it followed that no nation could apply its criminal laws to conduct occurring within the physical territory of another nation. (15)

   The twentieth and twenty-first centuries' increased geographical mobility and use of telecommunications technology undermined certain of the assumptions that gave rise to the traditional model of jurisdiction. (16) It became much easier for someone to commit a criminal act in one country and quickly flee the country, thereby frustrating its ability to apply its criminal laws to the perpetrator; it also became possible for someone in Nation A to commit a criminal act against a victim physically situated within the territory of Nation B without the perpetrator's ever leaving his own country. (17) This latter type of activity created new and unique challenges for criminal jurisdiction, as illustrated by the saga of the "Love Bug" virus.

   In May of 2000, the "Love Bug" virus appeared on the Internet and spread around the world in two hours. (18) It is estimated to have affected over forty-five million users in over twenty countries, and to have caused between two and ten billion dollars in damage. (19) Virus experts quickly traced the "Love Bug" virus to the Philippines, where agents from the Federal Bureau of Investigation and the Philippines Bureau of Investigation focused on Onel de Guzman, who had been identified as the likely creator of the virus. (20) The agents' investigation was, however, hampered by the fact that virus dissemination was not at the time a criminal offense in the Philippines; because virus dissemination was not an offense, they had difficulty obtaining a warrant to search de Guzman's apartment for evidence pertaining to the creation and dissemination of the virus. (21) And once they obtained and executed the warrant and arrested de Guzman they faced another problem: How could he be prosecuted when virus dissemination was not a crime in the Philippines? Philippine authorities charged him with fraud and credit card theft--on the premise that the virus was meant to harvest user passwords that would be used to obtain Internet service and other things of value--but the charges were dismissed as legally insufficient. (22) Ultimately, it was determined that the Philippines could not prosecute de Guzman, and because he could not be prosecuted there he could not be extradited for prosecution in the United States or in any of the...