Cybercrime convention: a positive beginning to a long road ahead.

• Author: Hopkins, Shannon L.

1. INTRODUCTION

   Information technology has developed rapidly throughout the past decade. (1) Such rapid progress has achieved significant advances in processing and transmitting data through use of computers and computer networks. (2) Some refer to this era as the "Information Revolution," in effect a second "Industrial Revolution." (3) Today, computers affect all aspects of our lives, from medical treatment to air traffic control, online banking and electronic messages ("email"). (4) The Internet (5) provides substantial benefits to society, including the ability to communicate with others real-time, access a library of information and transmit data instantly without leaving home. (6) In addition to these benefits, Internet expansion has fostered new kinds of crimes, additional means to commit existing crimes and increased complexities of prosecuting crimes. (7)

   It seems that today, computer crimes affect everyone. (8) A common example is credit card theft whereby a perpetrator illegally obtains the victim's personal information by "hacking" (9) into a website where the victim maintains an account or makes purchases. (10) The perpetrator may steal or charge thousands of dollars to the victim's credit card before he is apprehended, if ever. (11) The problem persists because a perpetrator can easily remain anonymous by instantaneously manipulating or deleting data. (12)

   The consequences of crimes committed over the Internet reach farther than traditional methods of committing crimes because there are no geographical border restrictions. (13) Current criminal laws are unable to respond quickly to the rapid changes in Internet technology. (14) When Congress enacts a statute, perpetrators of cyber crimes find new technology to bypass an essential element of the crime or impede investigations. (15) For example, prior to enacting the No Electronic Theft Act of 1997 (NET), (16) the United States could not prosecute an individual who hosted a computer bulletin board that enabled anyone to download software at no cost. (17) Authorities were unable to show that the perpetrator received a financial gain from illegal copying, which the law required for criminal wire fraud liability. (18) Similarly, the Philippines Department of Justice dropped charges against the creator of the "ILOVEYOU" virus because existing criminal laws in the Philippines did not apply to computer hacking. (19)

   Internet investigations are inherently difficult to conduct because a maze of interconnected computer networks can transmit information instantaneously. (20) Criminals can delete or alter data as quickly as they create it. (21) The ability to destroy or alter data quickly makes it difficult to obtain evidence and perform investigative procedures. (22) For example, perpetrators of crimes can easily change the sender of an e-mail so the receiver cannot identify the e-mail's origin. (23) Likewise, a criminal could use a computer system to erase data subject to criminal investigations, thus, destroying valuable evidence. (24)

   These factors make it difficult to prosecute cyber criminals and create an exigent need for international cooperation. (25) The Council of Europe (CoE) (26) attempted to address these concerns in the Cybercrime Convention. (27) The Cybercrime Convention is an international treaty designed to police cyber crime through international cooperation. (28)

   Section II of this note will discuss the purpose and history of the Convention. It will then address why we need a Convention and lastly, where cyber crime is currently most prevalent. Section III will discuss the detailed provisions of the Convention. Finally, the last section of this note will argue that the Convention presents a good starting point for addressing international cyber crime issues, but in reality, is merely aspirational.

   The Convention requires additional substantive guidance because it requires parties to prohibit the crimes contained therein, but does not explain how to do so. (29) This note argues that it would be more beneficial if the Convention itself contained the crime elements instead of requiring the parties to create their own. This approach would also be consistent with traditional criminal law principles, which define crime elements at the outset and would also provide consistent application of substantive law principles across nations. (30)

2. BACKGROUND

   1. Purpose of the Convention

      The primary purpose of the Convention is to harmonize domestic substantive criminal law offenses and investigative procedures. (31) The Convention drafters' principal concerns were two-fold. (32) First, they wanted to ensure crime definitions were flexible enough to adapt to new crimes and methods of committing existing crimes as they evolve. (33) Second, the drafters wanted the Convention to remain sensitive to the legal regimes of domestic states. (34)

      These concerns were especially challenging in the human rights area because states have different moral and cultural values. (35) For example, European nations have a much higher degree of privacy protection than the United States. (36) The United States, on the other hand, has stronger speech protection than other nations. (37) To further its purpose, the Convention also empowers parties to restrict or eliminate criminalization of certain offenses and limit investigative procedures by reservation. (38) The Convention's drafters, thus, attempted to balance crime definitions and the investigative needs of law enforcement with individual rights. (39)

   2. Evolution of the Cybercrime Convention

      There are three multilateral organizations40 that focused on international cyber crime policy: the CoE, (41) the European Union (EU) (42) and the G-8. (43) The Organization for Economic Cooperation and Development (OECD) (44) and the United Nations (UN) (45) also participated, but to a lesser extent. (46)

      In response to the increase in cyber crime the CoE's Committee of Ministers (47) adopted Recommendation No. R. (89) 9 ("R89") (48) in 1989, which required that member states consider computer crimes when reviewing old and enacting new legislation. (49) In 1995, the CoE adopted Recommendation No. (95) 13 ("R95") (50) establishing procedures for applying R89. (51) Investigations were still slow and difficult to coordinate, resulting in the untimely information retrieval necessary to combat cyber attacks. (52) Moreover, many countries lacked criminal cyber law statutes. (53) Countries with such laws found their laws were outdated. (54)

      In 1997, the CoE formed a Committee of Experts on Crime in Cyber-space ("PC-CY") in response to prior failed efforts to prevent and deter cyber attacks or address the damaging consequences of such acts. (55) The United States Department of Justice (DOJ) also significantly participated in this effort. (56) The CoE finalized the Convention on November 8, 2001 and opened it for signature on November 23, 2001. (57) Twenty-six of the forty-three European member states signed the Convention, along with four non-members states, Canada, Japan, South Africa and the United States. (58) The Convention will become effective when at least five states ratify it, three of which must be European member states. (59)

   3. Why the Need for a Cybercrime Convention?

      Financial gain motivates many cyber criminals. (60) Financial experts agree that cybercrime is most prevalent in the United States because of its financial wealth and the volume of commercial transactions occurring within its borders. (61) Criminals also target the U.S. because of its strong First Amendment protections. (62) Indeed, the U.S. is known amongst the western world as a "haven" for racial and hate speech. (63)

      Globally, cyber crimes constitute more than $15 billion in damages every year. (64) Most organizations do not report cyber crimes because they fear exposure would make them vulnerable to future attacks by copycats or cause a loss of public confidence. (65) The cost and difficulty associated with investigations also hinders a company's willingness to report crimes. (66) Experts predict that developing nations will need to experience significant technological growth over the next decade to be "self-sufficient and more competitive" in an international economy. (67) Developing countries could thus eventually direct more cyber crimes to the United States, although financial constraints will most likely hinder such growth. (68)

      Cyber criminals range in both age and skill level. (69) Studies show, however, that employees are the largest threat. (70) Ostensibly, ex-employees, as corporate insiders, can easily exploit their knowledge of a company's computer network. (71) For example, an employee may steal a company's source code by entering the corporate network remotely through unauthorized access using confidential passwords. (72) Companies could prevent or at least mitigate computer fraud if they focus more on security through password controls, employee training and background checks. (73)

      Many states have enacted cyber crime laws. (74) Those laws, however, were confined to a specific territory and were frequently outdated. (75) Perpetrators of crimes have thus gone unpunished. (76) Until we are able to cope with the fast-paced changes of the Internet, new kinds of crimes may continue to go unpunished. (77) Those countries that actually have computer crime legislation will continue to operate under a conglomeration of varied and often disjointed laws. (78) The CoE adopted the Convention in response to the need for harmonization. (79) The Convention is a welcome and necessary advance to international criminal laws. It is, however, largely "aspirational" and fails to provide substantive guidance for defining precisely what conduct constitutes a cyber crime. The Convention also does not identify what specific legal procedures states should apply when investigating and prosecuting cyber crimes.

3. THE CYBERCRIME CONVENTION PROVISIONS

   The...