Gestión Administrativa

Cyber-specificity

Legal measures play a key role in the prevention and combating of cybercrime. Law is dynamic tool that enables the state to respond to new societal and security challenges, such as the appropriate balance between privacy and crime control, or the extent of liability of corporations that provide services. In addition to national laws, at the international level, the law of nations – international law – covers relations between states in all their myriad forms. Provisions in both national laws and international law are relevant to cybercrime.

The technological developments associated with cybercrime mean that – while traditional laws can be applied to some extent – legislation must also grapple with new concepts and objects, not traditionally addressed by law. In many states, laws on technical developments date back to the 19th _{century. These laws were, and to a great extent, still are, focused on physical objects – around}

which the daily life of industrial society revolved. For this reason, many traditional general laws do not take into account the particularities of information and information technology that are associated with cybercrime and crimes generating electronic evidence. These acts are largely characterized by new intangible objects, such as data or information.

Key results:

 The technological developments associated with cybercrime mean that – while traditional laws can be applied to some extent – legislation must also grapple with new concepts and objects, such as intangible ‘computer data,’ not traditionally addressed by law

 Legal measures are crucial to the prevention and combating of cybercrime, and are required in all areas, covering criminalization, procedural powers, jurisdiction, international cooperation, and internet service provider responsibility and liability

 At the national level, cybercrime laws most often concern criminalization – establishing specialized offences for core cybercrime acts. Countries increasingly recognize the need, however, for legislation in other areas

 Compared to existing laws, new or planned cybercrime laws more frequently address investigative measures, jurisdiction, electronic evidence and international cooperation

This Chapter examines the role of national, international and regional legislation and frameworks in the prevention and combating of cybercrime. It finds that legislation is required in all areas, including criminalization, procedural powers, jurisdiction, and international cooperation. While the last decade has seen significant developments in the promulgation of multilateral instruments aimed at countering cybercrime, the Chapter highlights a growing legal fragmentation at international and national level.

52   

While physical objects can usually be attributed exclusively to certain owners, attribution of

information ownership can be significantly more challenging. This difference is relevant, for example,

to the legal concept of ‘theft’, applied in the traditional laws of many countries. A ‘theft’ of computer data, for instance – even given the extension of the concept of objects to include data or information – may not fall within the scope of the constituent elements of traditional theft. The data would still remain in the possession of the original bearer, thus (depending upon national law approaches) possibly not meeting required legal elements, such as ‘expropriation’ or ‘taking’ of the object. Similarly, legal references to a public or private ‘place’ in harassment or stalking laws may, or may not (again, depending upon national

approaches) extend to online ‘places.’ Such examples illustrate a potential need – in some areas – for the adaptation of legal doctrines to new information technologies.1

This raises the question of whether cybercrime should be covered by general, existing criminal law provisions, or whether new, computer- specific offences are required. The question cannot be answered generally, but rather depends upon the nature of individual acts, and the scope and interpretation of national laws. Chapter Four (Criminalization) of this Study examines the use of specialized, and general, laws in the criminalization of cybercrime acts. Country responses show that

some ‘core’ cybercrime offences are covered by cyber-specific offences, while others are covered by general offences.2 _{Chapters Five (Law enforcement and investigations) and Eight (Prevention)}

consider the use of information-specific or cyber-specific laws that may be required in areas such as law enforcement investigative powers3 _{and the liability of internet service providers.}4

Relevant categories of law

While criminal law is often perceived as being most relevant when it comes to cybercrime, possible legal responses also include the use of civil law (which addresses the legal relationship between persons), and administrative law (which addresses the legal relationship between persons and the state). Further divisions within these legal regimes include substantive and procedural law, as well as

regulatory and constitutional, or rights-based, laws. In many legal systems, each of these regimes are

characterized by specific aims, institutions, and safeguards. Cybercrime laws are most usually found within the areas of substantive and procedural criminal law. However, a number of other areas of law are also important.

In particular, the range of computer-related acts that the state may wish to regulate will not always require the use of intrusive criminal law measures. Computer-related acts that are considered minor infringements, for example, may be addressed by civil and administrative regulations, rather       

1 _{Sieber, U., 2012. Straftaten und Strafverfolgung im Internet. In: Gutachten des Deutschen Juristentags, Munich: C.H. Beck, pp.C 14-15.} 2 _{See Chapter Four (Criminalization), Section 4.1 Criminalization overview, Cyber-specific and general offences.}

3 _{Existing studies propose that computer-specific provisions are required in investigative powers in order to permit actions such as}

expedited preservation of data and the use of remote forensics tools; see Sieber, U., 2012. Straftaten und Strafverfolgung im Internet, In: Gutachten des Deutschen Juristentags. Munich: C.H. Beck, pp.C 62-72, 103-128.

4 _{The transmission or hosting of large volumes of third-party content by internet service providers, for example, renders}

impracticable the application of traditional liability rules applicable to the press and media – who are often obliged to control content prior to publication. Rather, general liability is replaced by specific conditions, including ‘notice’ and ‘take-down’ procedures. See Chapter Eight (Prevention), Section 8.3 Cybercrime prevention, the private sector, and academia, Cybercrime prevention by internet service and hosting providers.

Functions of cybercrime legislation  Setting clear standards of behaviour for the

use of computer devices

 Deterring perpetrators and protecting citizens

 Enabling law enforcement investigations while protecting individual privacy

 Providing fair and effective criminal justice procedures

 Requiring minimum protection standards in areas such as data handling and retention  Enabling cooperation between countries in

criminal matters involving cybercrime and electronic evidence

CHAPTER THREE:LEGISLATION AND FRAMEWORKS

than by criminal legislation. In addition, criminal statutes often refer to underlying civil and administrative law standards, such as in the areas of copyright law or data protection law. Combined provisions can also provide for criminal, administrative and civil liability at the same time. Thus, legislation relevant to cybercrime may address a wide range of issues, including: criminalization of particular conduct; police investigative powers; issues of criminal jurisdiction; admissibility of electronic evidence; data protection responsibilities of electronic service providers; and mechanisms of international cooperation in criminal matters involving cybercrime.

This breadth of areas was reflected by responding countries. When asked to report legislation relevant to cybercrime, countries referred to a number of laws, including: criminal codes; laws on high-tech crime; criminal procedural codes; laws on wiretapping; evidence acts; laws on electronic communications; laws on security of information technologies; laws on personal data and information protection; laws on electronic transactions; cybersecurity acts; and laws on international cooperation.5

Figure 3.1 shows the areas covered by legislation reported by countries through the Study questionnaire. The data represents the distribution of over 250 reported existing, and over 100 new or planned pieces of legislation.6 _{Criminalization is the predominant area of focus for both existing,}

and new or planned legislation. As discussed in Chapter Four (Criminalization), this includes both cyber-specific and general criminal provisions. The fact that criminalization represents the most frequent area for new

or planned legislation indicates a continued focus of countries on the development of new cyber-specific offences, and/or the

adaptation or amendment of existing general offences. A clear pattern, however, is a reduction in the relative proportion of new or planned legislation (compared

to existing legislation) that concerns criminalization, and an increase in relative attention to other areas, such as investigative measures, jurisdiction, electronic evidence, and, notably, international cooperation. This may indicate a trend – at least amongst responding countries – towards increasing recognition of the need for cybercrime legislation across a spectrum of legislative areas.

By way of introduction to these legislative areas, this section briefly introduces relevant legal considerations for each.

Criminalization - The principle of nullum crimen sine lege (no crime without law) requires that

the conduct constituting any criminal offence must be described clearly by law.7 _{As discussed above,}

5 _{Study cybercrime questionnaire. Q12.}

6 _{Legislation reported in response to Study cybercrime questionnaire. Q12 and 14.}

7 _{While, in common law countries, judicial competencies for developing and extending criminal law have traditionally been greater,}

modern approaches to criminalization require statute-based law even in core common law systems. See U.S. v. Hudson and Goodwin, 38% 15% 11% 9% 6% 9% 5% 6% 27% 17% 14% 13% 12% 6% 5% 5% Criminalization Investigative measures Jurisdiction Electronic evidence International cooperation Prevention Public‐private cooperation Other Figure 3.1: Cybercrime legislation areas Existing legislation New or planned legislation

54   

in order to unambiguously describe cybercrime conduct, criminal laws may require the introduction of new ‘information-related’ legal objects, as well as extended protection of traditional legal interests against new forms of computer-related acts. New objects required may include definitions such as ‘computer data’ or ‘computer information’, and legal interests such as the ‘integrity’ of computer systems.

Through such concepts, the criminal law has the tools to protect against violation of the ‘cyber’-interests that persons have – for example, in controlling access to a computer system that they own. Different legal systems have different basic criteria for identifying conduct that may legitimately be the object of criminal law.8 _{The systematic application of these criteria to cyber-}

related conduct can be challenging. Nonetheless, in many national systems, and in some international or regional initiatives, there is evidence of theoretical work that aims to underpin the criminalization of cyber-conduct. The Explanatory Report to the Council of Europe Cybercrime Convention, for example, refers extensively to ‘legal interests’ and the ‘harms’ at stake.9 _{Where a}

strong justification for the criminalization of a particular conduct does not exist, a risk of over- criminalization arises. In this respect, international human rights law represents one important tool for the assessment of criminal laws against an external, international standard. Chapter Four (Criminalization) of this Study examines further a number of common cybercrime offences and their construction both in national and international law.

In addition to the specific conduct criminalized, any study of cybercrime offences must take into account the general part of criminal law. This is the part that deals with issues applicable to all offences, such as complicity, attempt, omission, state of mind (intent), defences, and criminal liability of legal persons. Cybercrime offences are, in general, subject to the general part of criminal law in the same way as for any other specific offence. Many responding countries indicated, for example, that ‘generally’ criminal offences are limited to intentional acts.10 _{Nonetheless, such general}

positions can be amended for particular acts – such as where a ‘specific intent’ is required. Chapter Four (Criminalization) examines this issue in greater depth.

Procedural powers – An effective investigation of crime is not possible without adequate

investigative powers. Due to their often intrusive nature, such measures must be regulated by law and accompanied by adequate safeguards. While some investigative actions can be achieved with traditional powers, many procedural provisions do not translate well from a spatial, object-oriented approach to one involving electronic data storage and real-time data flows. Specialized powers are therefore required, such as for the gathering of electronically stored and communicated computer content, for the identification and localisation of computer devices and communications, for the quick ‘freeze’ of volatile computer data, and for ‘undercover’ online investigations.11 _{Such powers}

are not only required for the investigation of ‘cybercrime’ itself¸ but also for the investigation of any crime generating electronic evidence. Chapter Five (Law enforcement and investigations) examines a number of specialized investigatory powers found in national and international laws.

Gathering and using evidence – Traditional criminal procedural law typically contains provisions

on the gathering and admissibility of evidence. When it comes to evidence in electronic form,       

11 U.S. 32 (1812); Dubber, M., 1999. Reforming American Penal Law. Journal of American Criminal Law and Criminology, 90(1)49-114; and Simester, A.P., Spencer, J.R., Sullivan, G.R., Virgo, G.J., 2010. Criminal Law. 4th ed. Oxford/Portland: Hart Publishing, p.46.

8 _{Including concepts such as harm, offense, wrongfulness, morality, paternalism, legal goods and deterrence. See Ashworth, A., 2006.}

Principles of Criminal Law. 6th ed. Oxford: Oxford University Press, p.27; Dubber, H., 2005. Positive Generalprävention und Rechtsgutstheorie. Zeitschrift für die gesamte Strafrechtswissenschaft, pp. 485-518, pp.504 et seq.; Hassemer, W., 1980. Theorie und Soziologie des Verbrechens. Frankfurt a.M.; Feinberg, J. 1984. Harm to Others. Oxford: Oxford University Press.

9 _{Council of Europe. 2001. Explanatory Report to the Convention on Cybercrime.} 10 _{Study cybercrime questionnaire. Q40.}

CHAPTER THREE:LEGISLATION AND FRAMEWORKS

computer data can be altered easily. Thus, the gathering and handling of electronic evidence must guarantee the integrity, authenticity and continuity of evidence during the entire time period between its seizure and its use in trial – a process often known as the ‘chain of custody.’ Country responses to the study questionnaire highlight that while some countries create special evidential rules for electronic evidence, others prefer to treat it in the same way as all other forms of evidence. In jury- based common law countries, laws may deal more extensively with evidence and admissibility rules, whereas continental law countries often rely on the principle of free judicial evaluation of evidence.12

Chapter Six (Electronic evidence and criminal justice) examines the issue of electronic evidence in greater depth.

Regulation and risk – Criminal law focuses on bringing offenders responsible for past acts to

justice. Regulatory and risk reduction or anticipation laws, on the other hand, aim at reducing the risk that future acts will occur, or at making it easier for law enforcement authorities to carry out law enforcement investigations and criminal justice actions should acts occur.13 _{With respect to}

cybercrime, a number of approaches, including internet filtering, data protection, data retention, and pro-active actions against criminal infrastructure fall within this category. The ‘anticipatory’ nature of laws authorizing many of these actions requires that they be accompanied by particular safeguards, in order to ensure that they do not represent disproportionate infringements of individual rights, or unnecessarily involve the use of coercive powers.14 _{Chapter Eight (Prevention) examines, amongst}

other prevention aspects, a number of such regulatory frameworks.

Jurisdiction and international cooperation – More than half of responding countries reported that

between 50 and 100 per cent of cybercrime acts encountered by police involved a ‘transnational element.’15 _{The prosecution of transnational acts requires states to assert two types of ‘jurisdiction’ –}

both substantive and investigative. Firstly, states must be able to assert that their national criminal law applies to an act that takes place only partly, or even not at all, within its national territory. Secondly, states need to be able to carry out investigative actions that concern the territory of other states. In so far as investigations may involve infringements on the sovereignty of states, formal and informal processes of consent and international cooperation are required. Many of these are at the level of international treaty law, both multilateral and bilateral. National laws, however, can also specify procedures to be applied, or create bases for cooperation in their own right. Chapter Seven (International cooperation) examines this area in detail.

12 _{Damaska, M.R., 1973. Evidentiary Barriers to Conviction and Two Models of Criminal Procedure: A Comparative Study. University}

of Pennsylvania Law Review 121(3):506-589 (1972-73).

13 _{Sieber, U., 2012. Straftaten und Strafverfolgung im Internet. In: Gutachten des Deutschen Juristentags. Munich: C.H. Beck, note 1, pp.C}

69-74.

14 _{See European Commission. 2012. Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century,}

COM(2012) 9 final. Available at: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_9_en.pdf

56