|
|
Home
| Databases
| WorldLII
| Search
| Feedback
University of New South Wales Law Journal Student Series |
STATE DISTRUST AND MISALIGNING VALUES: THE POISONS OF INTERNATIONAL TREATY-BASED REGULATION OF CYBERCRIME
AMAN MOHAMED[1]*
Let me drink of such a poison,
That I would be deaf and dumb,
And my unglorious glory
Wash away to the final crumb.[1]
I INTRODUCTION
The world has moved into the digital space.[2] The glitz of worldwide connectivity, speed, and information has made us, in our personal, consumer, and working capacities, reliant on technology.[3] With the advent of the physical distancing restrictions of COVID-19, cyber-space has become unprecedentedly interwoven into our social, economic, and political fabric.[4] Cyber-access has become so tantamount that digital rights movements have actively spread into regions which have struggled to access the online. The benefits of cyberspace are clear. Nnenna Ifeanyi-Ajufo[5] notes, for example, that ‘digital transformation offers Africa tremendous opportunities, such as economic empowerment of citizens, transparent governance and less corruption.[6] She poses a clear caveat, however: ‘digital transformation can only happen on the continent if its digital spaces are trusted, secure and resilient.’[7]
Unfortunately, yet unexpectedly, crime has followed the world into cyber-space. Analysts estimate the global cost of cybercrime in 2021 to exceed $6 trillion annually.[8] This is a 100% increase from the 2015 estimate of $3 trillion.[9] Cybercrimes, such as hacking, phishing, doxing, or virus-spreading can now have effects severe enough to constitute attacks on our private rights, and social functions. Yet, there is an enforcement gap.[10] The United States will only see three in 1,000 cyber incidents end in an arrest of a suspect.[11] Some available global data suggests this enforcement gap trend exists in many other countries.[12] Cyberspace does not contour around country lines; it is international and borderless. Enforcement measures against cybercrime therefore must operate internationally. It thus becomes imperative to scrutinise the international regulatory regimes used to steward cyberspace and enforce against cybercrime.
Accordingly, this essay will deconstruct how the internationality of cybercrime complicates its effective treaty-based regulation. This essay makes three arguments. First, international collaboration is necessary to combat cybercrime. Secondly, insufficient trust, or insufficient cohesion between the value systems of states poison the capacity of states to optimally collaborate to regulate cybercrime via treaties. Thirdly, this mistrust and incompatibility produces a fragmented, and imperfect regime for treaty-based regulation of cybercrime. This fragmentation will likely expand once states are confronted with regulating more contentious cybercrime issues.
II CLARIFICATIONS
To properly interrogate cyber-regulatory treaties, one must first understand what a cybercrime is. Cybercrime is notoriously hard to define,[13] its conception in ‘cybercrime legislation across jurisdictions [being] neither systematic nor uniform’.[14] Phillips et al explain that the likely reason for this disclarity is due to there being a ‘diverse set of behaviours’, continuously evolving and expanding due to technological advancements, that we may want to consider to be cybercrimes.[15] Because of this diversity of behaviours, it is difficult to draw the line between what are, and are not cybercrimes, as Part III of this essay describes through the perspective of nation-states. A key clash is whether to restrict the definition of cybercrime to include only cyber-dependant[16] crimes (eg, hacking, which can only occur online), or to also include cyber-enabled crimes (eg, online hate speech and incitement, an activity which can occur in the physical world).[17] This distinction also leads to consequent issues, like whether states should conceive of regulate cyber-enabled offences differently to their non-cyber counterparts, and to what degree. How different is stalking someone online to doing so in-person? Are the dynamics of online stalking less or more insidious, to warrant less or more punishment? Assuming there is a point where we can delineate what is or is not a cybercrime, it is even more cumbersome to find a definition that perfectly articulates commonalities between these diverse sets of cyber-behaviours so as to put into words and operation that delineation.[18]
This essay does not seek to add to the literature of defining cybercrime. Indeed, the exploration of how states, due to their mistrusts and ideological precepts, clash over defining cybercrime is tantamount to its thesis. For the purposes of some starting point, this essay will rely on Thomas and Loader’s popular definition, which defines cybercrime as ‘computer-mediated activities which are either illegal or considered illicit by certain parties and which can be conducted through global electronic networks’.[19]
III COLLABORATIVE TREATIES BETWEEN STATES ARE NECESSARY TO COMBAT CYBERCRIME.
A Why Cybercrime Regulation By Treaty?
Regulation itself is necessary, as defence against cybercrime is important, but insufficient. First, defence is always fallible.[20] New threats emerging from new technology will threaten security systems which have not caught up and are unaware of new threats. Secondly, not all private actors can sufficiently defend themselves against cybercrime. Many individuals do not know, or cannot be expected to know or afford the best protections against cybercrime. States must then proactively incapacitate cyber-criminals from committing cybercrimes on behalf of the private actors who do not have the cyber-competence to sufficiently defend themselves.
Thirdly, in many ways, regulation is defence. Regulation not only potentially deters cybercrime. It also assists in intercepting and incapacitating crime. Cybercrime operates beyond the scope of what private actors can control. Alphabet can block websites with criminal content on Google. Meta can deactivate accounts and content on Facebook. Users can delete and report hacking attempts on their email addresses. However, no one actor can wield sufficient control on the dark web – a decentralised, peer-to-peer network designed to skirt regulation. The United States Government funds the dark web, and therefore has some control over its strength.[21] However, it is only states’ intelligence or law enforcement agencies which have sufficient competence, and incentive to take on the risks of the dark web intercept the crime conducted within that space. States must also provide enforcement agencies with requisite powers and resources to conduct such investigations successfully – which can chiefly be done through regulation. Regulating and enforcing duties on private actors to implement competent defence measures against cybercrime via a multistakeholder approach is another way regulation produces defence. As ASIC v RI Advice Group demonstrates, private actors do not always defend themselves against cyber-threats until regulation or regulators prompt them. [22]
Finally, cybercrime, as with all crime, is an infringement on the community, and requires accountability. This is especially so when cybercriminals contravene public morals or goods by, for example targeting valuable public institutions like hospitals. Acknowledging the law’s desire for accountability, only through regulation can the state classify and punish those acts as crimes, to satisfy cries of retribution, and uphold accountability. Therefore, state regulation of cybercrime is necessary.
Regulation must be international and collaborative to effectively investigate and enforce punishment against cybercrime, thereby necessitating the use of treaties. Cybercrime is uniquely international in scope. It cannot be dealt with merely domestically. A cybercrime can be committed against a state’s jurisdiction without any physical interaction with that state. ‘Normal’ transnational crimes, such as money-laundering, may have some sort of physical presence outside affected jurisdictions that regulators can trace, but cannot follow. Shell companies used to launder money are incorporated somewhere, and are often required to have registered addresses, even if that is merely a mailbox.[23] Transnational criminals may sit in junkets and bet on millions of money-laundered dollars.[24] However, with ‘cybercrimes’, the cloud service provider which stores an email with a phishing link may be well outside the jurisdiction of the phishing victim.[25] Regulation of cybercrime requires the crime to be investigated, and for penalty to be enforced onto the criminal. But neither regulatory investigation nor enforcement of penalty against cyber-criminals residing in foreign jurisdictions can occur without cooperation from the foreign state. The victim state must have permission to operate within the foreign jurisdiction, or must receive intelligence from those jurisdictions about the crime. The foreign state must punish or extradite cyber-criminals for the crimes they commit to other jurisdictions. Treaties are the only international, legal instruments which facilitate this cooperation.
Importantly, cybercrime is too quick for domestic regulators to conduct independent, international investigations to pre-empt and control the attack when it hits domestically. Human trafficking across borders is as fast as planes or boats. States also have significant information, control, and check-points over airports and harbours. By contrast, a phishing link is sent within seconds. At the Sixth Annual Meeting of the Internet Governance Forum, Zahid Jamil[26] concluded that information had to be shared across borders. Jamil affirms that, ‘[states] can’t wait months or years [to send over information]. [States] have to do it within minutes or days.’[27] He concludes, ‘there needs to be an obligation [emphasis added] within countries and law enforcement that if a law enforcement of one country asks for information, the law enforcement of the country will be under an obligation legally to provide it. That can only be provided by an international treaty’.[28]
Every state has an interest in investigating and enforcing punishment against cybercrime. If the only way to adequately regulate cybercrime is via international collaboration, states must therefore have a mutual interest to collaborate, via treaty.
This essay notes that many organisations, whose operation rely on state collaboration, are pushing to achieve the same outcomes as treaties. The Internet Telecommunication Union (‘ITU’)[29] has membership of 193 United Nations member states, and a plethora of other private actors (including regulators, businesses, and experts).[30] The ITU published a guide on cybercrime.[31] The guide seeks to help develop ‘cybercrime legislation that is globally applicable and interoperable with existing national and regional legislative measures’, particularly focussing on harmonising the cyber-laws of developing nations with other states, and building the capacity of developing nations to deal with cybercrime.[32] The Internet Governance Forum also meets to share best practices between different nations and discuss the best way to govern the internet.[33] Similarly, inter-governmental organisations not specifically focussing on cyber-space may also deal with cybercrime. Within the international commercial domain, the World Economic Forum (‘WEF’) issued the Second Joint Statement at the 2019 WEF Annual Meeting in Davos. This statement encouraged negotiations between states about e-commerce, including data flows, localisation, data protection, cybersecurity, and spam issues.[34] Nevertheless, treaties surpass these institutions. Treaties are the most binding, if at all, of these instruments, requiring states to build defensive and regulatory schemes.[35] Treaties also decrease the discretion of states, being able to potentially legally require that information about cybercrime, for example, be yielded to aggrieved states.
B How Does the International Community Currently Regulate Cybercrime?
The international community uses many mechanisms to regulate cybercrime. First, as cyber-enabled crimes are merely traditional crimes committed through the cyber-platform, states can use traditional crime-regulating treaties to respond. These treaties can be global in nature. The United Nations Convention against Transnational Organized Crime is primarily focussed on combatting transnational organised crime.[36] However, its provisions can facilitate cooperation between the 192 state parties in cybercrime cases.[37] Similar regional treaties can be of use. The Inter-American Convention on Mutual Legal Assistance by the Organization of American States have provisions where states can request and provide legal assistance to others party to the convention.[38] States can use these provisions to enhance their cybercrime regulatory responses.
Additionally, states have acceded to numerous cybercrime-related treaties. These treaties range from small to large. Some states have made bilateral agreements with other states to cooperate to prevent cybercrime. In 2018, the United States passed the Clarifying Lawful Overseas Use of Data Act (‘CLOUD Act’).[39] The CLOUD Act facilitates agreements between United States’ companies and certain other governments (which meet privacy and civil liberties standards) to share data across jurisdictions.22 The United States is currently negotiating an agreement with Australia, and has agreements in force with other states, like the United Kingdom.[40]
There are also conventions of varying scopes, most of which coalesce around authoritative regional inter-governmental bodies. For example, the African Union’s convention is the Convention on Cyber Security and Personal Data Protection of 2014 (‘Malabo Convention’).[41] Arab States have their Arab Convention on Combating Information Technology Offences of 2010 (‘Arab Convention’).[42] However, the largest and most influential convention[43] by far has been the Council of Europe’s Convention on Cybercrime (‘Budapest Convention’).[44] Although of European origin, any country can accede to the Budapest Convention. The Budapest Convention has the largest membership of any cybercrime treaty, with 68 state signatories.[45] The states are predominantly European, but there is slight representation of the Americas, Africa and the Asia-Pacific.[46]
With a particular focus on the Budapest Convention, this essay will dissect how mistrust between countries, and differing state attitudes disrupt the effectiveness of treaties.
IV MISTRUST AND DIFFERING STATE ATTITUDES DISRUPT THE EFFECTIVENESS OF TREATIES.
It is amiss to argue that treaties have been entirely ineffective in regulating cybercrime. The Budapest Convention has led to the harmonisation of laws, deterring crimes being committed across jurisdictions, and improving their investigations.[47] Harmonisation is necessary to prevent cyber-criminal activity from occurring. States may individually criminalise cybercrimes, blocking child pornography websites, for example. However, Virtual Private Networks (‘VPNs’) allow users to jump to a different jurisdiction who may not have taken such responsive measures against this crime to view the content. As the ITU states, ‘in terms of illegal content, Internet users can access information from around the world, enabling them to access information available legally abroad that could be illegal in their own country’.[48] Standardising national criminal laws via treaty obligations makes it harder for users to commit these acts.[49] If multiple jurisdictions have passed regulations obliging content, access, and service providers to block content,[50] it is harder for users to access that content.[51] In a similar vein, as Clough argues, harmonising laws means there are no safe havens to which criminals can escape for their crimes.[52]
Moreover, harmonising offences improves cross-border investigations, by harmonising expertise. The IGF guide articulates that “if, for instance, in a country in the Caribbean and a country in Africa the definition of illegal acts differs, there will be great difficulty in prosecutors, investigators to basically go after the bad actors and try to bring them to task.”[53] Where offences are construed in the same way, law enforcement (investigators, and prosecutors) know the types of evidence for which to search, and provide to the victim state.[54]
Finally, the Budapest Convention has led to significant capacity-building for less cyber-resilient states.[55] Ratified members of the Budapest Convention are entitled to attend numerous workshops on capacity-building, and the sharing of best practices for cyber-resilience.[56] The expertise of these workshops often also trickles into domestic corporate practices. Due to the multi-stakeholder approach of the Budapest Convention, the Council of Europe’s Octopus Project, which facilitates the implementation of the Budapest Convention, invites private organisations to learn from best practice workshops.[57] Treaties such as the Budapest Convention do improve cybercrime resistance, even if not for cyber-regulation.
However, this essay identifies the following features which breed mistrust and ideological incongruence between states: first, mistrust over whether states will adequately uphold human rights when granted treaty privileges; secondly, an unacceptable loss of sovereignty from the obligations the treaties impose on states; and thirdly, general political, cultural and realist mistrust and tension between states.
This essay will demonstrate how these sources of mistrust and ideological incongruence disrupt the effectiveness of treaties through analysing: information-sharing obligations; extradition; and the drafting of treaties in the first place.
A Information-Sharing Obligations
Currently, the Budapest Convention is the strongest treaty that facilitates quick sharing of information between states. Article 35 of the Budapest Convention establishes a 24/7 network of information sharing.[58] It requires states to:
“designate a point of contact available on a twenty-four hour, seven-day-a-week basis, in order to ensure the provision of immediate assistance for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence. Such assistance shall include facilitating, or, if permitted by its domestic law and practice, directly carrying out the following measures:
a. the provision of technical advice;
b. the preservation of data pursuant to Articles 29 and 30;
c. the collection of evidence, the provision of legal information, and locating of suspects.”[59]
The Budapest Convention allows states to request other states party to the Convention to preserve data to prosecute crimes, even if the other state preserving the data does not classify the investigated actions as a crime.[60] Article 29(3) does not require dual criminality for the “expedited preservation of stored computer data” “by means of a computer system, located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data” for the substantive offences of the Budapest Convention.[61]
Notably, the Budapest Convention does not oblige parties to cooperate. Clough sums it as that ‘unless specifically stated to the contrary, mutual assistance is subject to the domestic laws of the requested party or applicable mutual assistance treaties, including the grounds on which the requested party may refuse cooperation.’[62] However, the Budapest Convention may ‘specifically [provide]’,[63] for example, that states cannot refuse to assist solely on the ground that the request concerns an offence under arts 2–11 that the requested party considers to be a ‘fiscal offence’.[64] This proscriptive duty therefore enlivens, to some extent, positive obligations to cooperate, at least for some offences.[65]
Mistrust and ideological incongruence against these information-sharing obligations have caused many states to reject the Budapest Convention, or refuse to share information.
For example, Russia opposes the Budapest Convention because it believes that cross-border investigations, including quasi-obligations to support those investigations, infringe Russian sovereignty.[66] Clough notes that various enforcement agencies, like the United States’ Federal Bureau of Investigations (‘FBI’) have known histories of conducting covert transborder investigations in Russia.[67] Clough describes how the FBI’s search for Russian material (eg, computers) when investigating Russian nationals[68] likely contributed to Russia’s opposition to the Convention.[69] Russia, being the political enemy of the United States, would not trust American enforcement agencies with Russian information.
The Budapest Convention being a fundamentally European instrument by its conception has led to non-Western nations to be ideological resistant and sceptical of it. The Explanatory Report clearly details that predominantly European experts and states were consulted over the specific cyber-issues they faced.[70] Accordingly, many countries perceive the Budapest Convention as a ‘Western’ project. For example, India has not joined the Budapest Convention because they were not party to its initial negotiations; the information-sharing obligations allegedly represent a Western agenda imposed on India, without India’s consultation.[71] This ideological resistance was also a major reason why numerous countries, now signatories, did not initially join. Brazil acceded to the Budapest Convention only in late 2022. Brazil’s view that the Budapest Convention was a ‘Western project formulated without the involvement of the Global South’ was the key basis of its reluctance to sign the Convention.[72] Moreover, many states from developing nations simply do not have the capacity to reach the high level of information-sharing the Budapest Convention requires.[73]
As such, many states have opted into treaties with only trusted, or regional allies. These regional treaties, such as the Malabo Convention, have very few state parties.[74] However, the states opting into regional treaties are almost all not party to the Budapest Convention. Of the 15 African states ratifying the Malabo Convention, only 2 have observer/signatory status with the Budapest Convention.
These regional treaties therefore do represent the meaningful treaty alternatives to the Budapest Convention between which states choose to articulate their cybercrime regulatory mechanisms.
Articles 32 and 34 of the Arab Convention enliven clear obligations on states to facilitate mutual assistance, with practical procedures for cooperation, and mutual assistance requests.[75] The Arab Convention does not establish a 24/7 network. However, it obliges states to assist ‘to the fullest extent possible’,[76] even if there is not perfect dual criminality,[77] and for states to ‘designate a central responsible for sending and responding to mutual assistance requests and for their implementation and referral to the relevant authorities for implementation.’[78]
In this respect, the Arab Convention is not dissimilarly onerous to the Budapest Convention. The lack of Arab state participation within the Budapest Convention does not seem to arise from a lack of capacity to implement the provisions, nor from disagreement with the sorts of regulatory procedures states should use. In fact, Jordan considered partially basing its reform of its domestic framework on cybercrime and electronic evidence on the Budapest Convention.[79]
Instead, it has been argued that the lack of participation of Arab states arises for two reasons. First, Arab states harbour an anti-Western mistrust of how their data will be used by the predominantly-European powers that make up the ratifying parties of the Budapest Convention.[80] Secondly, the national ideologies of Arab states favour policing ‘morality’ which requires criminalising certain content-related cyber-acts that would ‘contravene the protection safeguards’ in the Budapest Convention.[81] As Clough argues, ‘the goal of harmonisation, particularly across such a broad spectrum of laws, will inevitably come into conflict with differences in national principles, whether legal or cultural.’[82]
It is problematic when the treaties alternative to the Budapest Convention into which states opt contain much weaker and more unspecific provisions regarding sharing information. Article 28(1) of the Malabo Convention urges states to ‘strengthen the possibility [emphasis added] of regional harmonization’.[83] Article 28(2) states that states ‘shall undertake to encourage the signing of agreements on mutual legal assistance’.[84] Article 28(4) requires states to ‘make use of existing means for international cooperation with a view to responding to cyber threats’.[85]
The Council of Europe appropriately described the treaty as a reflection of ‘a strong commitment by Member States of the African Union to establish a secure and trusted foundation for the information society’.[86] The treaty demonstrates a cognisance of cybercrime harms. However, it does not proffer clear, discrete obligations on states to mutually assist each other by sharing information and collaborating on investigations.
Ironically, African states not party to the Malabo Convention have been commended as being the only states substantially harmonising cyber-laws and implementing information-sharing protocol,[87] although of course, the Malabo Convention only came into force in 2023. On net, Africa’s insufficient continental response to cybercrime has been widely-criticised.[88] The failure of African states to harmonise their laws via a treaty that confers discrete regulatory and tactical obligations onto states, such as the Budapest Convention, is largely why African continues to be an unprotected victim against cybercrime.[89]
Importantly, there are practically no clear or direct consequences for parties who breach either their information-sharing or extraditing obligations under the Budapest Convention. Albeit not impossible, it is practically complex for other countries to call out certain states who, for example, possessed but did not provide that information in the 24/7 flashpoint system. The requesting state would not know whether that necessarily information existed (hence the request), let alone whether that information was within the possession of the requested state. Even if breaches were clear, the dispute resolution process would be arduous. Some treaties specify dispute resolution procedures, requiring states to arbitrate.[90] However, both the text of the Budapest Convention, and its Explanatory Report are silent on the dispute resolution procedure. States would either have to negotiate, organise an arbitration between them, or apply to have the International Court of Justice (‘ICJ’) adjudicate the dispute (depending on whether the disputing states have consented to the ICJ’s jurisdiction over a dispute of this kind) – all of which take significant time. Given the infamous lack of enforceability of ICJ or arbitral decisions, and the fact that the information would likely have become staunchly outdated at this point, it is unlikely that instituting proceedings would have been worth it.[91] Breaching states may off course be politically criticised, and lose some political goodwill with other nations. However, whether this has ever really been an adequate sanction in the cybercrime realm is unclear. The information-sharing articles also do not expressly prohibit state reservation from their specific obligations. This means that states may have the right to theoretically reject the information-sharing obligations, but accede to the rest of the treaty – although reservation may contravene the overall purpose of the treaty, and therefore be impermissible on that basis.[92] In any case, the relative non-enforceability of the information-sharing obligations then suggests that state resistance to acceding to these treaties therefore is perhaps far more ideological than it is practical.
B Extradition (and Punishment)
Countries suffer from cyber-attacks from criminals outside their jurisdictions. However, given the crime is still committed against those within the jurisdiction, the cyber-criminal has breached the laws of that jurisdiction, despite not being inside it.[93] As such, authorities of the infringed-upon jurisdiction may request that the cybercriminal be extradited to be tried in their own courts.
The Budapest Convention promotes enforcement by improving and streamlining the extradition process.[94] First, the Budapest Convention ensures dual criminality between ratifying states.[95] In 2000, Onel de Guzman created the Love Bug virus to steal internet passwords. Emails would be sent with attachments which, when opened, would cause the bug to install itself into the local disk of computers, rewriting files. It would then send more emails via the compromised email address. The bug required between USD 10–15 billion dollars to fix.[96] The Philippines was unable to extradite de Guzman to the United States for prosecution of this crime.[97] Although the United States did, the Philippines did not have a criminal offence for malware acts of this kind. As both countries needed to consider the act a crime (dual criminality), extradition was impossible. De Guzman was left unpunished for the Love Bug. In response, numerous affected states called for international treaties that harmonised laws (to ensure dual criminality) and streamlined extradition processes.[98]
The Budapest Convention obliges ratifying states to harmonise their laws, making certain actions criminal offences within their national criminal legislation.[99] With dual criminality, countries can extradite easily, because the offence symmetrically exists within both jurisdictions.
Secondly, as art 24(3) authorises, the Budapest Convention can act as a legal basis for extradition between parties for offences in the Convention, even where those parties have not themselves negotiated bilateral extradition agreements.[100] Article 24(3) cuts the time and diplomatic capital states need to expend to negotiate extradition treaties with all other parties to the Convention to facilitate punishment and regulation of certain cyber-offences.[101] Thirdly, art 24(4) requires parties to recognise all the offences in the Budapest Convention as extraditable offences.[102] Therefore, even if the decision to extradite is still ultimately subject to national law of the requested, or extradited party, per art 24(5),[103] the Budapest Convention makes national laws more pliant towards extradition.[104]
If states used these provisions to extradite cybercriminals to the jurisdictions harmed, the victim jurisdiction could exact retributive justice against the cybercriminal, optimising enforcement and accountability. Cybercriminals could also be prosecuted within courts that have greater competence and expertise to deal with cybercrimes, if the victim jurisdiction had courts better equipped to deal with cybercrime cases.
The Budapest Convention obliges punishment, where extradition falters. A requested party may deny an extradition request, either because it believes that it has jurisdiction to prosecute, or on the grounds of the offender’s nationality. If the requested party declares either of those reasons to justify rejecting the extradition request, arts 24(6) and (7) require that the requested party prosecute, and report the outcome of the prosecution to the requesting party.[105] The extradition provisions under art 24 of the Budapest Convention therefore give effect to the extradition principle of aut dedere aut judicare.[106] They ensure regulation, punishment, and deterrence of some sort, in some jurisdiction.
However, mistrust and ideological incongruence deters states from engaging with these provisions. One of the key reasons why Russia did not want to become party to the Budapest Convention is that Russia does not trust the other state parties who may request extradition. Russia has historically opposed extradition requests. Article 61(1) of Russia’s Constitution prohibits Russia from extraditing its citizens.[107] Article 61(2) guarantees its citizens living abroad protection and patronage.[108] Article 63(2) places certain restrictions on extraditing non-citizens within Russia’s borders.[109] Russia has viewed extradition as legally and narratively incongruent to its national views on sovereignty, civil rights, and its role as a state to its citizens. This is even when it alleges that its cybercriminals were not acting with state support. The United States demanded that the Russian cybercriminals who hacked into the 2016 Presidential Election, with whom Russia claimed it had no state involvement, be extradited. When asked about whether Russia would extradite, Vladimir Putin replied, “Never. Never. Russia does not extradite its citizens to anyone”.[110] By contrast, experts have claimed Russia to be a ‘safe-haven’ for cybercriminals – especially those whose crimes align with Russian realist and political (often anti-Western) interests.[111] Not only do cybercriminals who do not attack the Russian state not get prosecuted. Moscow allegedy ‘alerts [cybercriminals] when U.S. authorities file arrest warrants with international police agencies’.[112] Russia’s general ideologies, and its mistrust towards the United States and other such countries, which inform its reluctance to joining a treaty which would curtail its discretion to refuse extradition.
Russia is not alone. India has been accused of failing to regulate an allegedly growing ‘hacking industry’, or taking sufficient regulatory measures against companies exposed for their hacking-for-hire services.[113] Being party to a treaty that requires punishment or extradition would be incongruent with their demonstrated policy of non-enforcement.
Differing ideologies, especially over fundamental rights, also preclude states party to the Budapest Convention from extraditing.[114] Gary McKinnon, a British national, hacked the United States military. The United States issued an extradition request. After a 10-year-long legal dispute over that request, Theresa May (then-Home Secretary) blocked the extradition on the grounds of human rights. There were fears that McKinnon, who had Asperger’s syndrome and other health risks, would commit suicide if extradited.[115] The preference of the United States is to prosecute all US-related cybercriminals themselves.[116] The United States relies on domestic jurisdiction and extradition requests rather than foreign punishment in almost all circumstances.[117] If this preference is maximised, the United States has pre-eminent claim over all exercises of justice in relation to US-relevant cybercrime. This attitude, informed by sovereignty-related persuasions, excludes other affected states from dispensing their own justice. This stance inherently contravenes the idea that extradition should be fair, and that states grant extradition in similar cases where they request it – at highest, the ‘principle of reciprocity’ in extradition law; at lowest, a reasonable political expectation.[118] There is ideological clash over who deserves the right to prosecute, and underlying mistrust between states over whether the prosecution of another state will suffice. These tensions complicate and stifle the operation of the extradition procedures the Budapest Convention establishes.
C Drafting Treaties
Partially in response to the mistrust certain states had to the Budapest Convention, UN Resolution 74/247[119] proposed to draft a United Nations Convention on Cybercrime.[120] However, mistrust and ideological incongruence are at the core of this proposed treaty, and has impeded the global community from passing effective regulation.
First, Russia and China proposing the resolution itself was in response to their mistrust of the Western Budapest agenda.[121] This call for a resolution itself was then criticised as fragmenting and confuddling the global cyber-regulation regime, as the Budapest Convention already existed.[122] Secondly, the co-proposed draft resolution enflamed mistrust towards Russia and China – or at least, ideological differences about procedural safeguards (or lack thereof, considering there was only one mention of privacy – within a preambulatory clause) against infringements on privacy and freedom rights.[123] The draft promised states a wide scope of control over the internet within their domain, and proposed a number of content-related cyber-offences. The draft accords with Russian and Chinese political ideologies, being to exercise digital sovereignty over the cyber-space that users access from within their borders.[124] Predictably, any European nations perceived the co-proposed draft to represent China and Russia’s intention to control and suppress freedom of online expression.[125] They perceived the draft’s absolutist desire for cyberspace sovereignty as merely a legal cloak for repressive state practices that often counter the core European values of a global, open, private, and free Internet.[126]
Thirdly, negotiations, bringing together international and clashing ideologies, and a myriad of states with differing levels of suspicion and mistrust, have inhibited the efficient production of the treaty. States have had profound difficulty agreeing to terms. In the 5th of 6 planned negotiation sessions, and after three informal sessions, the chair of the negotiations brought back all proposed amendments (compounding to 77 pages of text).[127] Representatives of regional contingents like Nnenna Ifeanyi-Ajufo stated that there was still no clarity after the 5th session.[128] States have had ‘polarising debates’ defining crimes.[129] States have proposed merely cyber-dependant crimes, whereas others have advocated to include normal crimes carried out online (like inducement into suicide).[130] Eswatini was inclined to include cyber-human trafficking, cyber-genocide, and cyber-stalking, for example. Notably, it is not only Russia or China who want to criminalise content-related crimes, or exercise high degrees of cyber-sovereignty. Other countries like Nigeria who have ‘insult offences’ which apply to cyber-expressions support protecting state institutions at the costs of privacy, freedom of expression, freedom from arbitrary deprivation of other rights.[131] Senegal,[132] Burkina Faso,[133] and Ethiopia recently conducted internet shut downs and restrictions.[134] By contradistinction, more Western or liberal attitudes posit that ‘content creation should respect human rights and fundamental freedoms of others, including personal privacy, and the right to freedom of thought, conscience, and religion in conformity with relevant international instruments.’[135] This is even after the ‘storm of criticism’ over how the twin priorities of effective enforcement, and privacy protections in the Budapest Convention are ‘fundamentally imbalanced’.[136] States like Canada do not want to assist in the potential prosecution of activists. They do not trust certain regimes to refrain from such prosecutions. This distrust, and their clashing ideology for what constitutes a crime, restricts states from wanting to collaborate, or even being able to agree.
Negotiations of what safeguards are necessary have been equally tumultuous. It is predominantly Western states who distrust whether other states will adhere to concepts like due process, and uphold suspect protections against the coercive powers of the state in cyber-investigations. Sajfert[137] notes that due process is a serious requirement within physical investigation processes.[138] Enforcement agencies are cautious about informing the suspect of their rights, and collecting only necessary physical evidence. Sajfert observes that, by contrast, due process and procedural rights are scant in cyber-investigations.[139] Enforcers peer into, and store, data of suspects (and often collateral citizens) without notifying anyone, unnecessarily infringing the well-established the right to privacy within international law.[140] The clash between states preferencing enforcement, and those preferencing the preservation of civil rights stems from different priorities.
States clearly have mutual incentives to profit from collaboratively tackling cybercrime. However, these forms of mistrust and ideological clashes have so far generated a zero-sum game.[141] States who do not trust others to uphold trust are incentivised to water down treaty powers, information-sharing obligations, and other features of collaboration. Other states who feel like their cyber-sovereignty is not respected are incentivised to water down human rights.[142] Mistrust and ideological differences between states here may either create treaty without substantive powers to regulate cybercrime, or drafts so unsatisfactory that they never become a treaty at all. Numerous parties do want there to be UN Convention on Cybercrime, even as a ‘first level of cyber-participation’.[143] Whether negotiations will eventuate in such an agreement is unclear.
V MISTRUST AND INCOMPABILITY BETWEEN STATES PRODUCES A FRAGMENTED, AND IMPERFECT REGIME OF TREATY-BASED REGULATION OF CYBERCRIME.
A General Fragmentation and its Harms
Already, the selective accession of states to different regional treaties stunts their capacity to regulate cybercrime. These regional treaties seem, on their face, positive. However, it is unclear how effective these treaties are. First, the smaller the number of state parties to the treaty, the smaller the scope of information being exchanged. The Arab Convention may provide Jordan information procured about a Saudi Arabian hacker by the Saudi Arabian Government. However, if the hacker is from the Ukraine, the Arab Convention does not compel or oblige Ukrainian law enforcement agencies to send information or assistance to Jordan.
Secondly, regional treaties are also not sufficiently representative of their region, meaning the scope of who benefits from the treaties is limited. Only 15 African nations are party to the Malabo Convention. This means that most of Africa is not assisted by its provisions. It is also worth noting here that while the Arab Convention has rather rigid provisions for cooperation, cybercrime coordination between the Gulf states[144] largely occurs through ‘bilateral relationships and informal channels, such as police-to-police or agency-to-agency cooperation’.[145] Thus, even if these smaller treaties are representative of a region of nation-states, whether they themselves confers any benefits is worth questioning.
Thirdly, the states most often not party to the Budapest Convention (the most impactful treaty) empirically are nations in the Global South, which can be explained by factoring in anti-Western and anticolonial sentiment, distrust, and ideological incongruence. The countries comprising these smaller regional treaties being developing means, in many ways, that they have low capacity to obtain information about, and intercept cyber-attacks. Coalitions of states with low cyber-resilience working together is therefore still ineffective at defending against harmful cybercrimes. The value of expertise and information being exchanged is likely not high enough to meaningfully combat sophisticated cyber-attacks.[146] Having multiple small regional treaties, while better than nothing, is insufficient for states to effectively combat cybercrime.
B Solutions Poisoned by Fragmentation
The way states have tried to assuage mistrust and ideological differences has led to treaty compromises which fragment the regime of treaty-based regulation of cybercrime.
The key way states have compromised their viewpoints is to create optional protocols for all the cyber-issues and provisions which were too contentious. The parties negotiating the Budapest Convention disagreed on a common position on the criminalization of the dissemination of xenophobic material. The most popular proposals were the condensed into the Optional Protocol Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (‘First Protocol’).[147]
Treaty drafters should of course convert the collective will for, and alignment of state positions on certain policies into treaties, even if the treaties are not all-encompassing. It is better to have a Budapest Convention with an optional protocol on certain cyber issues, rather than no Budapest Convention at all. However, fragmenting cyber-obligations of states into optional protocols only stymies treaty-based regulation. Countries not signed onto the First Protocol (concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems) are not obliged to cooperate with other countries in accordance with the First Protocol’s provisions. Countries that do want to proactively curtail xenophobic cybercrimes can no longer do so as effectively. Further, if the states who have not adopted the First Protocol are those from where many xenophobic cybercrimes occur, the First Protocol ultimately fails to regulate the genre of cybercrime it is purposed to combat. The First Protocol does not bind the states with high degrees of active xenophobic cybercriminals to regulate, or assist in the regulation, of those criminals.
Moreover, proposing new solutions may exacerbate ideological incongruence, distrust, and fragmentation, as proposed solutions are often made by persons ideologically biased towards their own conception of how to regulate cybercrime. States feeling distrust and ideological incongruence would likely thwart otherwise sensible proposals to moderate some concerns. Sajfert suggested that the infringements to privacy and other civil rights that law enforcement agencies make should be justified in accordance with the structured proportionality approach.[148] The European Court of Human Rights assesses the permissibility of contraventions of the right to privacy under Article 8 of the European Convention on Human Rights via structured proportionality.[149] It asks: first, whether the interference further a legitimate aim;[150] if so, whether the interference is necessary in a democratic society;[151] and if necessary, whether what was done was proportionate to the aim it sought to fulfill.[152]
Sajfert suggested that law enforcement agencies should be made to go through these inquiries, by writing records to justify why their infringements were legitimate, necessary and proportionate. Agencies would need to explain that the purpose of their use of data was for legitimate, and that their infringements on privacy were not arbitrary, but rather deliberate and selective. However, ensuring that domestic law enforcement agencies adhere to these procedures requires other states to oversee how those agencies conduct investigations, and for states to disclose core parts of their investigation.[153] Those suggestions make enforcement agencies accountable to other states – which directly allows Western states to monitor non-Western states, infringing on sovereignty. These measures, while sensible, become unpalatable to certain non-Western states, and cause more distrust, and fragmentation between states within negotiations.
Already, disagreements arising from distrust and ideological inconsistency have caused the fragmentation of international treaty regulation. This fragmentation bodes badly. States are disagreeing over the correct response to enforce regulation over private actors, pursuing private agendas. There are mutual incentives to cooperate. Regulation does not impair a state function per se, and yet states cannot agree.
However, the future of cyber-regulation likely requires states to make agreements over cyber-attacks much more intrinsically linked to state interests, which may be see states becoming even more disagreeable. Regulation over the Cloud is intrinsically linked to the comparative advantage states over others with information. In a post-COVID-19 world, the Cloud has now become integral to digital business, and state economies, and so may become more contentious. Similarly, how we regulate state-sanctioned cyber-attacks will become much more contentious – enlivening questions of, for example, what constitutes a cyber-war crime.
States are already divided about whether these forms of attack, purely facilitated through the digital space, contravenes the prohibition on the use of force.[154] For example, Brazil maintains that cyber operations amount to a prohibited use of force “if their impact is similar to the impact of a kinetic attack.”[155] But Denmark, by contrast, has the position that, if ‘the cyber operation causes results in injury, death, or significant physical damage, this prima facie qualifies as use of force’.[156] The categorisation is therefore on the basis of sheer class of outcome, rather than comparisons on a scale of kinetic force. This issue is more important to states than the regulation of private cybercriminals. It goes to what the state perceives is necessary for its existential defence. Whether states will collaborate in regulating these forms of cyber-harms, which could be even more damaging than private criminal acts, is unclear.
Finally, the slow march to regulation, and the distrust and ideological incongruences which stifle it, only jeopardise cybercrime victims. The law already lags behind what cybercriminals can do.[157] The more time states take to develop a cohesive, responsive treaty, the more that newer types of cybercrime go unregulated. State mistrust and ideological differences, as demonstrated in Part V, elongate the drafting or updating of treaty process, which only furthers law lag, and leaves victims exposed.
VI CONCLUSION
It is clear that states must collaborate to deal with the internationality of cybercrime. However, states’ mistrust, and ideological clashes, disrupt this collaboration, poisoning treaties from functioning to regulate cybercrime – as demonstrated within information-sharing obligations, extradition, and the drafting of new treaties. As such, we are left with a fragmented regime of response to cybercrime.
The difficulty of how to proceed is the difficulty arising from the inherent tensions and resistances between states with competing interests, experiences, and past dealings. The context of cybercrime, being so deeply attached to state data and private actors, only worsens these tensions. Crime will increase in the digital space. States need to seriously consider what may cause them to trust other states, and what parts of their ideological agendas can be compromised to protect private actors, and soon themselves, from harm.
* z53[1]2531. Content Warning: This article makes reference to laws relating to suicide, child sexual abuse, ethnic cleansing, and genocide.
[1] Anna Akhmatova, White Flock: Poetry of Anna Akhmatova, tr Andrey Kneller (Andrey Kneller, 2014).
[2] Kirsty Phillips et al, ‘Conceptualizing Cybercrime: Definitions, Typologies and Taxonomies’ (2022) 2(2) Forensic Sciences 379, 379.
[3] Ibid.
[4] See, with regards to cybercrime, ethical hacking and hacker ethics as political acts and values.
[5] Professor Ifeanyi-Ajufo serves as the Vice-Chairperson of the African Union Cyber Security Experts Group where she advises the African Union Commission and African Member States on legal frameworks related to cybersecurity. She also represents African States at the UN Convention on Cybercrime treaty negotiations.
[6] Nnenna Ifeanyi-Ajufo, ‘Cyber Governance in Africa Is Weak. Taking the Malabo Convention Seriously Would Be a Good Start’, The Conversation (online, 23 July 2023) <https://theconversation.com/cyber-governance-in-africa-is-weak-taking-the-malabo-convention-seriously-would-be-a-good-start-209384>.
[7] Ibid.
[8] Allison Peters and Amy Jordan, ‘Countering the Cyber Enforcement Gap: Strengthening Global Capacity on Cybercrime.’ (2020) 10 Journal of National Security Law and Policy 487, 490–500; Mieke Eoyang et al, To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Cyber Actors (Report, 29 October 2018).
[9] Peters and Jordan (n 8) 490–500.
[10] Ibid 490–500; Allison Peters, ‘Closing the Global Cyber Enforcement Gap’, Lawfare (Web Page, 18 December 2018) <https://www.lawfaremedia.org/article/closing-global-cyber-enforcement-gap>.
[11] Ibid.
[12] Ibid
[13] Brian K Payne, ‘Defining Cybercrime’ The Palgrave Handbook of International Cybercrime and Cyberdeviance 3, 3–20.
[14] Phillips et al (n 2) 379. Phillips et al note that experts have used various terms (eg, cyberspace crime, computer crime, computer-related crime, electronic crime, e-crime, technology-enabled crime, high-tech crime, digital crime, virtual crime) to describe the same act: Phillips et al (n 2) 380. The plethora of different terms conveys how complicated defining cybercrime is.
[15] Phillips et al (n 2) 381, 382.
[16] Cyber-dependent crimes, as distinguished from cyber-enabled crimes (‘real-world crimes migrating to cyberspace’) are those which could not happen without the use of a computer: Phillips et al (n 2) 381, 383.
[17] Ibid.
[18] Gordon and Ford popularly defined cybercrime as ‘any crime that is facilitated or committed using a computer, network, or hardware device’: Sarah Gordon and Richard Ford, ‘On the Definition and Classification of Cybercrime’ (2006) 2 Journal of Computer Virology 13, 14. The issue with this definition is that hitting someone with a computer hard-drive, which would ordinarily constitute physical assault (under Crimes Act 1900 (NSW) s 61) is now a cybercrime.
[19] Douglas Thomas and Brian D. Loader (eds), Cybercrime: Law Enforcement, Security and Surveillance in the Information Age (Routledge, 2000) 14.
[20] George Finney, ‘The Illusion of Perfect Cybersecurity’ Forbes, (Web Page, 27 March 2018) <https://www.forbes.com/sites/forbestechcouncil/2018/03/27/the-illusion-of-perfect-cybersecurity/?sh=7dbc315511f9>.
[21] Clive Williams, ‘A Walk on the Dark Side of the Internet’ Sydney Morning Herald (Web Page, 11 March 2016) <https://www.smh.com.au/opinion/a-walk-on-the-dark-side-20160311-gngcis.html>; Ty McCormick, ‘The Darknet: A Short History’ Sydney Morning Herald (Web Page, 23 December 2013) <https://www.smh.com.au/technology/the-darknet-a-short-history-20131220-2zpk6.html>.
[22] See generally how ASIC used directors’ duties from corporate regulation to require RI Advice Group to improve its cyber-defence practices: Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2020] FCA 1277.
[23] For an in-depth characterisation of the elusiveness of shell companies, see Delphine Nougayrède, ‘After the Panama Papers: A Private Law Critique of Shell Companies’ (2019) 52(2) International Lawyer 327, 333–4.
[24] See for example: AUSTRAC v Crown Casinos [2023] FCA 782.
[25] Andrew D Mitchell and Theodore Samlidis, ‘Cloud Services and Digital Sovereignty in Australia and beyond’ (2021) 29(4) International Journal of Law and Information Technology 364, 365–6. For an example of Australia exercising ‘data sovereignty’, where they restrict service providers from storing data overseas, see My Health Records Act 2012 (Cth) s 77.
[26] Policy Consultant and speaker at the Sixth Annual Meeting of the Internet Governance Forum in Nairobi, Kenya, 2011.
[27] ‘Commonwealth IGF: The Cybercrime Initiative’, Internet Governance Forum (Web Page, 29 September 2011) <https://www.intgovforum.org/en/content/commonwealth-igf-the-cybercrime-initiative> (‘The Cybercrime Initiative’).
[28] Ibid.
[29] The ITU is a specialized agency of the United Nations which advises on issues regarding information and communication technologies.
[30] ‘List of Sector Members’, Internet Telecommunication Union (Web Page) <https://www.itu.int/online/mm/scripts/gensel11>.
[31] Internet Telecommunication Union, ‘Understanding Cybercrime: A Guide for Developing Countries’ (Guide, Internet Telecommunication Union, March 2011) 5 (‘Understanding Cybercrime’).
[32] Ibid. See also the Global Forum on Cyber Expertise (‘GFCE’), which focusses on building capacity for states to improve their defences against cybercrime. GFCE shares research and expertise, and serves a final checker or ‘clearing house’ for projects.
[33] The Internet Governance Forum is a ‘multistakeholder’ governance group in charge of discussing policy issues, and sometimes making recommendations. Cf Konstantinos Komaitis, ‘The Importance of the Internet Governance Forum’ Council of Foreign Relations (Blog Post, 23 October 2023) <https://www.cfr.org/blog/importance-internet-governance-forum>.
[34] Joint Statement on Electronic Commerce, WTO Doc WT/MIN(17)/60 (13 December 2017) (Ministerial Conference).
[35] For example, the Internet Governance Forum explicitly has no decision-making authority, and cannot bind states to implement any policies. World Summit on the Information Society, Tunis Agenda for the Information Society, WSIS-05/TUNIS/DOC/6(Rev. 1)-E, 10 June 2013 [72].
[36] United Nations Convention against Transnational Organized Crime and the Protocols Thereto, opened for signature 12-15 December 2000 (entered into force 29 September 2023).
[37] Allison Peters and Anisha Hindocha, ‘US Global Cybercrime Cooperation: A Brief Explainer’ (Memo, Third Way, 26 June 2019) https://www.thirdway.org/memo/us-global-cybercrime-cooperation-a-brief-explainer.
[38] Inter-American Convention on Mutual Legal Assistance, opened for signature 23 May 1992 (entered into force 1 January 1993).
[39] CLOUD Act, P.L. 115-141.
[40] Peters and Hindocha (n 37).
[41] Convention on Cyber Security and Personal Data Protection opened for signature 16-18 October (entered into force 8 June 2023) (‘Malabo Convention’); Nnenna Ifeanyi-Ajufo, ‘Africa’s Cybersecurity Treaty Enters into Force’, Directions: Cyber Digital Europe (online, 21 September 2023) <https://directionsblog.eu/africas-cybersecurity-treaty-enters-into-force/>.
[42] Arab Convention on Combating Information Technology Offences, opened for signature 21 December 2010 (entered into force 7 February 2014) (‘Arab Convention’).
[43] Convention on Cybercrime, opened for signature 23 November 2001 ETS No 185 (entered into force 1 July 2004) (‘Budapest Convention’).
[44] Asian-African Legal Consultative Organization, Kennedy Gastorn, Relevance of International Law in Combating Cybercrimes: Current Issues and AALCO’s Approach, 4th World Internet Conference, Session on ‘International Cooperation in Countering the Use of Cyberspace for Criminal and Terrorist Purposes’, 4 December 2017, 5 (‘Gastorn’).
[45] Ibid.
[46] Council of Europe, ‘Parties/Observers to the Budapest Convention and Observer Organisations to the T-CY’ Council of Europe (Web Page) <https://www.coe.int/en/web/cybercrime/parties-observers>.
[47] Jonathan Clough, ‘A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation’ (2014) 40(3) Monash Law Review, 698, 700–2.
[48] Understanding Cybercrime (n 31) 15.
[49] For an interesting discussion on imposing internet restrictions to prevent ‘geo-piracy’ (which is where internet users skirt to access what would otherwise be pirated, or illegal content due to intellectual property protections), see M’Bia Hortense De-Yolande, ‘The Circumvention of Geo-Blocking and Copyrights Infringement’, (2022) 10(12) Open Journal of Social Sciences 88 (‘De-Yolande’).
[50] Understanding Cybercrime (n 31) 15.
[51] Cf De-Yolande (n 49).
[52] Clough (n 47) 701.
[53] The Cybercrime Initiative (n 27).
[54] See also Clough (n 47) 701.
[55] Alexander Seger, ‘The Budapest Convention on Cybercrime: A Framework for Capacity Building’, GFCE (online, 7 December 2016) <https://thegfce.org/the-budapest-convention-on-cybercrime-a-framework-for-capacity-building/#:~:text=Capacity%20building,-The%20value%20of&text=Following%20adoption%20of%20the%20Budapest,cooperation%20with%20the%20European%20Union>.
[56] Ibid.
[57] ‘Octopus Project’, Council of Europe (Web Page) <https://www.coe.int/en/web/cybercrime/octopus-project>.
[58] Budapest Convention (n 43) art 35.
[59] Ibid.
[60] Ibid art 29(3); Clough (n 47) 716; ‘Formal International Cooperation Mechanisms’, United Nations Office on Drugs and Crime (Web Page) <https://www.unodc.org/e4j/en/cybercrime/module-7/key-issues/formal-international-cooperation-mechanisms.html>.
[61] Budapest Convention (n 43) art 29(3). ‘Substantive offences’ refer to those within Articles 2–11 of the Budapest Convention.
[62] Clough (n 47) 714.
[63] Budapest Convention (n 43) art 25(4).
[64] Ibid. The meaning of ‘fiscal offence’ is given by European Convention on Extradition art 5. Art 5 defines ‘Fiscal offence’ as ‘offences in connection with taxes, duties, customs and exchange’. This has included transnational crimes like money-laundering, for example.
[65] Note: There exists a Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence. This Protocol enables enforcement agencies to request of service providers ‘subscriber information, effective means to obtain subscriber information and traffic data, immediate co-operation in emergencies, mutual assistance tools’.
[66] Mercedes Page, ‘The hypocrisy of Russia’s push for a new global cybercrime treaty’ Lowy Institute (online, 7 March 2022) <https://www.lowyinstitute.org/the-interpreter/hypocrisy-russia-s-push-new-global-cybercrime-treaty> (‘Page’).
[67] Clough (n 47) 719.
[68] See generally the investigation and trial of Alexey Ivanov and Vasily Gorshkov in United States v Gorshkov (WD Wash, No CR00-550C, 23 May 2001); United States v Ivanov, 175 F Supp 2d 367 (D Conn, 2001).
[69] Clough (n 47) 719.
[70] Explanatory Note, Convention on Cybercrime (2001) [7]-[15]; Alexander Seger, ‘India and the Budapest Convention: why not?’ Observer Research Foundation, (online, 20 October 2016) <https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/> (‘Seger’).
[71] Seger (n 70).
[72] Joe Devanny and Russell Buchan, ‘Brazil’s Cyber Strategy Under Lula: Not a Priority, but Progress Is Possible’, Carnegie Endowment for International Peace (Paper, 8 August 2021) <https://carnegieendowment.org/2023/08/08/brazil-s-cyber-strategy-under-lula-not-priority-but-progress-is-possible-pub-90339>; Hannes Ebert and Laura Groenendaal, ‘Brazil’s Cyber Resilience and Diplomacy: The Place for Europe’, EU Cyber Direct (Web Page, 6 February 2020) <https://eucyberdirect.eu/research/brazils-cyber-resilience-and-diplomacy-the-place-for-europe#>.
[73] See Felix E Eboibi ‘Concerns of Cyber Criminality in South Africa, Ghana, Ethiopia and Nigeria: Rethinking Cybercrime Policy Implementation and Institutional Accountability’ (2020) 46(1) Commonwealth Law Bulletin 78, 80–82.
[74] The Malabo Convention only has 15 acceding states, and has been described as remaining ‘largely a document with little action’: Robinson Sibe, ‘Africa’s Chaotic Legal and Regulatory Cybersecurity Landscape Requires Harmonization’, Forbes (Web Page, 2 August 2022) <https://www.forbes.com/sites/forbestechcouncil/2022/08/02/africas-chaotic-legal-and-regulatory-cybersecurity-landscape-requires-harmonization/?sh=2dbfc39e1a9a.>.
[75] Arab Convention (n 42) arts 32, 34.
[76] Budapest Convention (n 43) art 32(1).
[77] Ibid art 32(5). Art 32(5) authorises that ‘dual criminality’ requirements are considered fulfilled so long as both states consider the ‘act leading to the offence [for] which assistance is requested’ as offences. Note: ‘Dual criminality’ (or ‘double criminality’) is a requirement in extradition law. It requires that a person may only be extradited from one country to be prosecuted for an offence in another if both the extraditing and receiving states categorise the activity being prosecuted as a criminal offence. Often there are further qualifications as to the degree to which both countries consider the activity offensive (i.e., that both countries punish the offence by 2 years imprisonment, at minimum). Art 24(1)(a) of the Budapest Convention states that a person may be extradited so long as both the extraditing and receiving states classify the activity being prosecuted as offence carrying at the least a maximum period of 1 year imprisonment.
[78] Ibid art 34(2a).
[79] See the workshops the Council of Europe hosted in Amman, Jordan about this reform here: ‘Global Project Cybercrime@Octopus’, Council of Europe, (Web Page) <https://www.coe.int/en/web/cybercrime/cybercrime-octopus/-/asset_publisher/BEv62ODXhRCA/content/cooperation-with-jordan>. Note however that Jordan is a more liberal, Westernised Arab nation, with greater ties to Western inter-governmental organisations (eg, the United Nations Human Rights Council).
[80] Joyce Hakmeh, ‘Cybercrime and the Digital Economy in the GCC Countries’, Chatham House, (Research Paper, July, 2018) <https://www.chathamhouse.org/sites/default/files/publications/research/2018-07-04-cybercrime-legislation-gcc-hakmeh.pdf> (‘Hakmeh’).
[81] Ibid.
[82] Clough (n 47) 708; Note the differences in civil law, common law and Islamic legal traditions: United Nations Office on Drugs and Crime, ‘Manual on Mutual Legal Assistance and Extradition’ (United Nations, September 2012).
[83] Malabo Convention (n 41) art 28(1).
[84] Ibid art 28(2).
[85] Ibid art 28(4).
[86] See also: ‘Cyber Diplomacy with Africa: Lessons From the African Cybersecurity Convention’ Council of Foreign Relations (online, 7 July 2016) < https://www.cfr.org/blog/cyber-diplomacy-africa-lessons-african-cybersecurity-convention>.
[87] ‘Harmonising Cyberlaws and Regulations: The Experience of the East African Community’, United Nations Conference on Trade and Development UNCTAD/DTL/STICT/2012/4 (Conference paper, 2012) <https://au.int/sites/default/files/newsevents/workingdocuments/27223-wd-harmonizing_cyberlaws_regulations_the_experience_of_eac1.pdf>.
[88] Ifeanyi-Ajufo (n 6).
[89] Ibid.
[90] See U.S.-Australia Air Transport Agreement, United States of America-Australia, signed 23 March 1989 (entered into force 23 March 1989). See also: C. Staker, ‘Introduction to International Law’, International Law, Attorney-General's Department, October 1994, 8.
[91] For completeness, art 94(2) of the United Nations Charter stipulates that where states breach ICJ judgments, the other party may seek the assistance of the United Nations Security Council to enforce the Court's judgment. However, that is an even more complicating procedure, that many states may not meaningfully undertake.
[92] Vienna Convention of the Law of Treaties 1969, opened for signature 23 May 1969, 1155 UNTS 331 (entered into force 27 January 1980), arts 2(1)(d) and 19–23.
[93] See, eg, Criminal Code Act 1995 (Cth) ss 476.3 and 15.1 state that all computer offences under Part 10.7 have “extended geographical jurisdiction”.
[94] Extradition treaties already exist between countries. Extradition treaties, such as the 1957 European Convention on Extradition and the 1981 OAS Inter-American Convention on Extradition, are agreements to arrest and/or extradite individuals to the requesting country if punishment thresholds are met. Article 3 of the ECOWAS Convention on Extradition of 1994 requires the offence to be punishable by a ‘minimum period of two years.’ States also negotiate their own treaties with other states. However, the Budapest Convention fast-forwards the process by having an overarching, international regime that governs extradition.
[95] See footnote 78 for a definition of ‘dual criminality’.
[96] Davey Winder, ‘This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020’ Forbes (online, 4 May 2020) <https://www.forbes.com/sites/daveywinder/2020/05/04/this-20-year-old-virus-infected-50-million-windows-computers-in-10-days-why-the-iloveyou-pandemic-matters-in-2020/.>.
[97] Formal International Cooperation Mechanisms’, United Nations Office on Drugs and Crime (Web Page) <https://www.unodc.org/e4j/en/cybercrime/module-7/key-issues/formal-international-cooperation-mechanisms.html>.
[98] Lynn Burke, ‘Love Bug Case Dead in Manila’, Wired (Web Page, 21 August 2000) https://www.wired.com/2000/08/love-bug-case-dead-in-manila/.
[99] Budapest Convention (n 43) arts 2–11.
[100] Ibid art 24(3).
[101] Ibid art 24(3).
[102] Ibid art 24(4).
[103] Ibid art 24(5).
[104] See generally: ibid art 24.
[105] Ibid art 24(6) and (7).
[106] The principle to ‘extradite or prosecute’.
[107] The Constitution of the Russian Federation 1993 art 61(1).
[108] Ibid art 61(2).
[109] Ibid art 63(2).
[110] See clip of translated interview: Interview with Vladimir Putin, President of Russia (Megyn Kelly, NBC News, 5 March 2018) < https://www.nbcnews.com/meet-the-press/video/putin-tells-megyn-kelly-russia-will-never-never-extradite-accused-hackers-to-the-united-states-1176423491584>.
[111] Del Quentin Wilber, ‘Ransomware Hackers Remain Largely Out of Reach behind Russia’s Cybercurtain’ Los Angeles Times (online, 10 June 2021) <https://www.latimes.com/politics/story/2021-06-10/ransomware-hackers-remain-largely-out-of-reach-behind-russias-cyber-curtain>.
[112] Ibid.
[113] Jack Stubbs, Raphael Satter, and Christopher Bing, ‘Exclusive: Obscure Indian Cyber Firm Spied on Politicians, Investors Worldwide’ Reuters (online, 9 June 2020) <https://www.reuters.com/article/us-india-cyber-mercenaries-exclusive/exclusive-obscure-indian-cyber-firm-spied-on-politicians-investors-worldwide-idUSKBN23G1GQ>;
[114] See in general Clough (n 47) 707.
[115] Nichlola Daunton, ‘Extradition: Why Is the US Determined to Extradite European Hackers?’ Euronews (online, 5 June 2023) <https://www.euronews.com/next/2023/06/05/extradition-why-is-the-us-determined-to-extradite-european-hackers>. Another case concerning a US extradition request of a neurodivergent offender is of Diogo Santos Coelho. Coelho committed the offences at age 14, and risks being prosecuted retroactively, and by adult standards.
[116] Ibid.
[117] Andrea Vittorio, ‘U.S. Efforts to Catch Criminals Abroad Hinge on Extradition’, Bloomberg Law, (online, 7 December 2021) <https://news.bloomberglaw.com/privacy-and-data-security/u-s-efforts-to-catch-cybercriminals-abroad-hinge-on-extradition> (‘Vittorio’).
[118] Jose Francisco Rezek, ‘Reciprocity as a Basis for Extradition’ (1982) 52(1) British Yearbook of International Law, 173, 174–5.
[119] Countering the use of information and communications technologies for criminal purposes, GA Res 74/247, 74th sess, 57th plen mtg, Agenda Item 107 (20 January 2020) [2].
[120] Vittorio (n 117); Page (n 66).
[121] Ibid.
[122] Ibid.
[123] Ibid.
[124] Similarly, see Liliya Khasanova and Katharin Tai, ‘An Authoritarian Approach to Digital Sovereignty? Russian and Chinese Data Localisation Models’ (2023) <https://dx.doi.org/10.2139/ssrn.4527052>.
[125] Vittorio (n 117); Page (n 66).
[126] Ibid.
[127] Interview with Joyce Hakmeh and Nnenna Ifeanyi-Ajufo (Allison Pytlak, Stimson Center, 26 September 2023) <https://www.stimson.org/event/the-un-cybercrime-treaty-is-it-a-crime/> (‘Interview with Hakmeh and Ifeanyi-Ajufo’).
[128] Ibid.
[129] Ibid.
[130] Ibid.
[131] Ibid. See: Cybercrime (Prohibition, Prevention, Etc) Act 2015 s 24(1).
[132] Jeff Conroy-Krutz, “Senegal’s Internet Shutdowns Are Another Sign of a Democracy in Peril’ The Conversation (online, 14 June 2023) <https://theconversation.com/senegals-internet-shutdowns-are-another-sign-of-a-democracy-in-peril-207443>.
[133] Digital Rights, ‘Network Disruptions: How Govt’s in West Africa Violated Internet Rights in 2022’ Media Foundation for West Africa (online, 10 February, 2023) <https://www.mfwa.org/network-disruptions-how-govts-in-west-africa-violated-internet-rights-in-2022/>.
[134] ‘Ethiopia: One Month on, Authorities Must Immediately Lift Blockade on Selected Social Media Access in the Country’ Amnesty International (Web page, 9 March 2023) <https://www.amnesty.org/en/latest/news/2023/03/ethiopians-in-social-media-blackout-for-second-month/>.
[135] Clough (n 47).
[136] Greg Taylor, ‘The Council of Europe Cybercrime Convention: a Civil Liberties Perspective (2001) 8(4) Privacy Law and Policy Reporter 69, 69–70.
[137] Research Fellow at Vrije Universiteit Brussel (VUB).
[138] Interview with Moritz Körner, Emmanuel Kessler, Juraj Sajfert (Suzane McNamara, InCyber, 26 September 2023) <https://www.youtube.com/watch?v=0ONs3DYtz5M> (‘InCyber Interview’).
[139] Ibid.
[140] See, eg, the International Covenant on Civil and Political Rights, opened for signature 19 December 1966, 999 UNTS 171 (entered into force 23 March 1976).
[141] For completeness, there are, of course, other sources of dissatisfaction. States have also tousled over whose needs will be prioritised. African states have asked for the UN Convention to explicitly mention developing countries, and their need for assistance in building their capacity for cyber-resilience and enforcement. They also want more clarity as to what sort of assistance they will receive – for example, whether the assistance will be financial, or more expertise-based. It is also important for African states that they are insulated from repercussion if they do not have the capacity to fulfil the treaty obligations: Interview with Hakmeh and Ifeanyi-Ajufo (n 127).
[142] See Moritz Körner’s comments, in their capacity as Member of the European parliament, about explicitly distrusting certain African countries to comply with procedural safeguards: InCyber Interview (n 138).
[143] Ibid.
[144] Note: those in the Gulf Cooperation Council.
[145] Gastorn (n 44); Hakmeh (n 80) 12.
[146] See Understanding Cybercrime (n 31).
[147] Additional Protocol to the Convention on Cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems, opened for signature on 28 January 2003 (entered into force 1 March 2006).
[148] InCyber Interview (n 138).
[149] European Convention of Human Rights, opened for signature 4 November 1950 (entered into force 3 September 1953) art 8 (‘European Convention’).
[150] See ibid art 8(2), which defines what is a legitimate aim.
[151] Art 8(2) articulates what are legitimate aims. See also Vavřička and Others v. the Czech Republic (European Court of Human Rights, Grand Chamber, Application Nos 47621/13, 3867/14, 73094/14, 19306/15, 19298/15, and 43883/15, 8 April 2021) [272] (‘Vavřička’).
[152] Vavřička (n 151) [273]–[275].
[153] The purpose of an investigation is sensitive, and is entangled with the interests of a state.
[154] See generally Marco Roscini, ‘Cyber Operations as a Use of Force,’ in Nicholas Tsagourias and Russell Buchan (eds) ‘Research Handbook on International Law and Cyberspace’ (2021) Edward Elgar.
[155] Official Compendium, 2021 UN GGE Report, 19.
[156] ‘Use of Force’, Interactive Cyber Law in Practice, Interactive Toolkit (Web Page) <https://cyberlaw.ccdcoe.org/wiki/Use_of_force#Australia_(2020>.
[157] Understanding Cybercrime (n 31) 10.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2024/21.html