The Council of Europe Convention on Cybercrime - Essay Example

This will examine the European Council’s Convention on Cybercrime. Section will examine what the Convention on Cybercrime is. In particular, this section will examine all the provisions of this treaty. This treaty deals with substantive law, procedural law and jurisdiction of cybercrime. Part of this section will also deal with the drawbacks and weaknesses of the treaty. The next section will deal with the impact that cybercrime has on the economy of the UK, which is a signer of the treaty. As the numbers suggest, cybercrime is still very much a problem, therefore it is debatable how much good the treaty did. The final section is the conclusion and recommendations, in which the issues are wrapped up and the recommendations are put forth. The recommendations are basically that more countries need to be a part of the treaty, the countries that are a part of the treaty need to have their law harmonized, and businesses need to take security measures more seriously. Introduction The advent of the Internet has brought a variety of threats, and the biggest threat is that of cybercrime. Cybercrime can be anything from hacking to copyright infringement to possession of child pornography. The European Council has attempted to address the threats by implementing a treaty that was signed by some 22 countries and ratified by 23 more. Known as the Convention on Cybercrime, this treaty sought to harmonize domestic laws for the member states, while making prosecution of cybercriminals ostensibly easier, as the offenses became extraditable and the nations agreed to work together to help one another fight these crimes. While this treaty has done some good, in that it has served as a model for other countries that were not signatories to the treaty, it has its flaws as well. One of the major flaws is that it does not encompass countries that have the most problems with cybercrime. Another flaw is that the countries that have signed the treaty or ratified it have not implemented the provisions in a uniform fashion, or at all. What this means is that cybercrime is still a problem. How much of a problem it is will be examined by looking into the UK, and assessing the damage that cybercrime has done to its economy. As the UK is a developed country that should be able to combat cybercrime better than most countries, it is a good bellwether as to how serious cybercrime still is. And the numbers are not good. 1.0 The Council of Europe Convention on Cybercrime – What it is, what it does, and its limitations 1.1 What it is The Council of Europe Convention on Cybercrime (hereinafter “treaty”) was a treaty that was signed in 2001 that essentially internationalized cybercrime law.1 The treaty was necessitated by the fact that computer crime was not pursued vigorously by many countries, and this treaty attempted to address this problem by harmonizing criminal law regarding cyber crimes and commits the signatories to use their domestic laws to more vigorously pursue these crimes. 2 The provisions of the treaty were enacted in 2004, with 22 countries signing the treaty and another 23 countries ratifying it.3 While it was prepared by the Council of Europe, it was prepared with the participation of the United States, Japan, Canada and South Africa.4 It has also served as a model law for countries that are not signatories to the treaty, as these countries are using the provisions of the treaty as a guidelines for their own legislation.5 Title I of the Act essentially forces the member states to use their domestic laws to make certain actions criminal. It required the parties to the convention to use their domestic laws to criminalize an individual accessing a computer without having the right to do so. It also stated that a member may require that the individual accesses the computer by breaching security with the intent to steal data or another dishonest intent.6 Hence, the treaty left it open to the signing countries – if they wanted to make their laws state that any kind of unauthorized access is criminalized, they are free to do so; they may also make the laws slightly more lenient, and require that there be a security breach with an intent to steal data or other illegal intent. The treaty also requires member states to use their domestic laws to penalize the unauthorized interception of data.7 Again, the treaty specifically states that the members states may make their laws more lenient with this regard, in that member states may, in their laws, require that that the transmission occur with a “dishonest intent.”8 Further, the treaty requires that member states use their domestic laws to criminalize the alteration or destruction of computer data without right.9 As with the other provisions, a country may make their law regarding this more lenient, in that the country may require that the unauthorized alteration or destruction of data result in serious harm.10 Another provision of the treaty is that the member countries must criminalize the act of interfering with a computer system by altering, deleting, transmitting, inputting, altering or suppressing data.11 Interestingly, the treaty did not give the countries an option to make this particular law more lenient by adding addendums to the law. The law also attacks the makers of software that makes security breaches possible. Member states must make laws criminalizing the distribution of such software.12 Possession of such software also must be criminalized. However, a member state may require that a certain amount of the software or a certain number of the software programs are in possession before it becomes a criminal offense.13 Title II also deals with particular offenses that the members states must criminalize. The offense in question is with regards to computer forgery. Member states must criminalize the act of altering, suppressing or deleting computer data, which results in inauthentic data.14 Related to this is the provision regarding computer related fraud. All member countries must criminalize any forgery that is committed with the intent of procuring economic benefit.15 Title III deals with special offenses which are committed. Specifically, Title III deals with the accessing and distribution of child pornography. Every member state must agree to use their domestic laws to criminalize this.16 Title IV also deals with a specific offense, that of accessing copyrighted material on-line. Every member state agrees to use their domestic laws to make such illegal access to copyrighted material illegal.17 Further, the treaty states that member states must make provisions regarding people who aid and abet others who commit computer crimes, and provisions for corporations whose individuals commit computer crimes with the corporation’s blessing.18 Further, and perhaps most important, the treaty states that any kind of infringement of criminal law, as defined in the substantive criminal law portions, are extraditable offenses. If an attack happens in a country, then the country shall extradite the person if the person is in another country from where the attack occurred.19 Also, the signatories must assist one another in pursuing these criminals.20 1.2Possible Drawbacks and Limitations When the treaty came into being, there were immediate concerns about its provisions. Civil libertarians worldwide worried that the treaty would infringe upon personal liberties. For instance, in the United States, there are certain laws regarding surveillance. However, the treaty expands surveillance, so the United States might use the treaty to conduct surveillance that would be illegal under current domestic law.21 Meanwhile, some European countries worried that the treaty allows for data to be transferred to the United States, where the laws regarding the protection of this information are not as stringent as in the EU.22 Another concern was in regards to the increased costs to service providers and the like, and also that it would have a chilling effect upon the development of new technologies, along with negatively impacting consumers who want to purchase on-line.23 Perhaps more of a concern at the time of the signing of the treaty was that many of the signatories were countries where there is less of a concern about cybercrime than other countries. For instance, Yemen and North Korea were not signatories, and these were countries in which hackers frequently routed attacks. Likewise, the “I Love You” virus that caused millions of dollars in damage in 2000 was a virus that originated in the Philippines, and the Philippines also was not a signatory.24 While this was a concern at this time, it remains a concern today. At present, Russia and Turkey have not joined as signatories.25 China is another large country that was not a signatory, and, because China was left out of the treaty negotiations, it may never sign. This presents a problem, as China and Russia both have been implicated in politically motivated cyber attacks, thus they have even less motivation to sign such a treaty, as these attacks would be punishable offenses.26 In fact, the treaty did not contemplate the rise of the Internet in Asian countries. Broadhurst (2010) states that this is the treaty’s fundamental flaw, and that the treaty must be expanded to include Asian countries. While only 20% of Asians have Internet access, the total number of Asians with Internet access represents 42% of global on-line users. 27 Moreover, there is room for the Asian countries to grow with respect to on-line usage, and these countries are indeed growing rapidly in this regard.28 Therefore, it is not inconceivable that Asian countries may soon make up a great majority of global on-line users, and the treaty does not address these countries, nor are these countries signatories. It is not difficult to imagine that the cybercriminals, being the opportunists that they are, will simply avoid countries that are signatories to the treaty and, instead, operate out of China, or Russia, or North Korea, etc., effectively neutering the treaty. The harmonization of laws also will only apply to the signatories, which further limits the effectiveness of the treaty.29 Furthermore, the countries that have either ratified or signed the treaty have had problems with implementing the provisions. According to a study by Picotti & Salvadori (2008), the particulars of the treaty that have not been implemented by many of the countries are the sections on data interference, system interference, misuse of devices, computer-related forgery and computer-related fraud.30 In particular, Picotti & Salvadori found that most of the nations did not adequately distinguish between system interference and data interference, criminalizing both with the same sanction without regards to the fact that these are separate offenses. Further, countries have been reluctant to implement the provisions regarding the misuse of devices, even though this provision is one that prevents more serious crimes from occurring.31 Picotti & Salvatori considered these areas to be crucial for the treaty to be effective, and, since countries have not adequately addressed these areas, they suggest that this is an area of weakness that should be worked on.32 Moreover, Picotti & Salvatori note that social engineering techniques are prominent ways of committing cybercrime, therefore there should be a provision that it is illegal to sell or transfer identity information that was illegally obtained.33 Picotti & Salvatori go on to state that the biggest weakness so far in the implementation of the treaty is that the countries have yet to harmonize their procedural laws. Some countries obstruct law enforcement when they attempt to investigate cyber crime. Picotti & Salvatori state that there needs to be more harmonization in this area, so that each country has the same search and seizure laws in place.34 2.0Has it worked? The Impact of Digital Fraud, Cybercrime and Data Breaches on the UK Economy In this section, the impact of the treaty will be examined by reviewing the impact of cybercrime on one European country – the UK. As the statistics reveal below, the U.K. still suffers a great deal from cybercrime of every sort. The impact is felt throughout the private and public sector, as well as to individuals. Therefore, it seems that treaty may not have the impact that it would have hoped for. 2.1 Overall Costs for Cybercrime According to information compiled by the Office of Cyber Security, the costs of cybercrime to the UK economy are ?27 billion annually.35 For the purposes of this study, cybercrime included the costs of identity theft and on-line scams; IP theft, industrial espionage and extortion; and fiscal fraud that is committed against the Government.36 Of the ?27 billion that is lost annually to cybercrime, the businesses suffer the most, as they have lost ?21 billion of the ?27 billion figure. Of the types of cybercrime that were profiled, which includes on-line scams, scareware, IP theft, espionage, customer data loss, online theft from businesses, extortion and fiscal fraud, the most prominent types of cybercrime are the IP theft, which costs ?9 billion annually, and espionage, which costs around ?7.5 billion annually.37 IP theft may be accomplished by reverse-engineering or copying an IP address that is legitimately bought; by carrying out a cyber attack; by carrying out an insider attack, by hiring someone to go inside the organization, legitimately get the information and give the information to the criminal; and stealing it, by breaking into the organization to get it.38 This report also detailed the types of cyber criminals and the impact that they have on the UK economy. At the top level are the foreign intelligence services, which has an impact on the economy by engaging in high-level industrial espionage. The best way that these criminals work is to steal IP addresses, as this leads to the greatest damage at the least cost for these criminals. Directly below the foreign intelligence services are the large organized crime networks, which are focusing their attention on cybercrime, because it offers good rewards for a low investment and low level of risk. These criminals may combine social engineering theft by stealing insider information, and may combine this with targeted stock market deals. The next level is disreputable but legitimate organisations, that may engage in industrial espionage in an attempt to steal rivals’ information, with the help of foreign intelligence services. At the lowest level is your common hacker, which is characterized as an “opportunistic cyber criminal.”39 This level of criminal concentrates on identity theft, scareware, customer-data theft, small online scams, fiscal fraud and extortion.40 The overall effects on the UK economy are borne because citizens and corporations pay a large price for these crimes. Moreover, on a macroeconomic level, these crimes have a negative impact on the economy because it lessens consumer confidence in the banking industry, and because consumers will spend less, which has an overall negative effect on the economy.41 The reason why citizens will spend less is because they have less money in their pockets, due to the costs of identity theft. Businesses may suffer from cyber crime, not only because of the costs, as outlined below, but also because cyber crime may lead to increased competition from overseas firms. Also, there is the problem that talented individuals will be lured by the cybercriminals, which means that legitimate business essentially suffer a “brain drain” due to these individuals working for the criminals instead of legitimate businesses. 42 2.2Costs for Organizations The information that was compiled for the costs to the UK for data breaches was compiled by the Symantec Corporation and the Ponemon Institute and was presented in their 2010 Annual Study: UK Cost of a Data Breach.43 The study was conducted by researching 38 different UK companies from 13 different industries, and the findings can be extrapolated to any organization that suffers from large data breaches, which is defined by having 1,000 to 100,000 records compromised.44 The economic impact was measured both by using the business costs that were expended in defending against these attacks, as well as intangible costs, such as the loss of trust from the public due to these data breaches. Not surprisingly, this study found that the companies who were better prepared to defend against breaches fared better overall in terms of costs. The costs were driven by the need to defend against criminal data breaches and by companies who were not prepared for such breaches. Moreover, the report is divided into three different types of data breaches – those caused by malicious attacks; those caused by negligence, which would be under the category of social engineering, above; and those caused by system failures. They found that malicious breaches accounted for the most cost out of any of the three other types of breaches, and that malicious attacks, along with system failures, became more prevalent than ever before, while other types of attacks are becoming less prevalent.45 Also not surprisingly, the firms that spent the least on security spent the most on data breaches. They also found that the majority of the costs borne by businesses that suffer data breaches were from lost business and the costs of cleaning up the mess left by these breaches.46 In terms of costs, the authors found that that average organizational cost of a data breach rose to ?1.9 million, which is up 13% from 2009 and 10% from 2010, and the .7 cost of data breaches cost ?7 per every compromised record.47 The most expensive data breach cost ?6.2 million to resolve, which is up by 60% from the previous year. The dominant cost came from lost business due to churn or turnover, and regulatory compliance assists in churn rates, as customers become more secure in a company after they show that they can be trusted not to have security breaches that lead to the theft of personal information. 2.3 Costs for Individuals The Office of Cyber Security has also compiled information on how individuals suffer from cybercrime. Per annum, individuals suffer ?1.7 billion for the costs related to identity theft, ?1.4 billion for costs related to online scams, and ?30 million for scareware and fake anti-virus software.48 The costs to citizens come because of the money that is lost through identity theft, including loans that are taken out by the criminals, and credit cards that are used by the criminals; the money that is spent guarding against identity theft; the costs of buying scareware, which is where a company compels an individual to buy fake software protection ware because of inadvertently downloading scareware; and revealing sensitive information, such as bank account information, due to phishing scams.49 Conclusion and Recommendations As the experience of the UK attests, cybercrime is still very prevalent. The UK’s economy has been hit by cybercrime to the tune of billions of dollars, and there does not seem to be an abatement to this. Cybercrime touches every aspect of the economy, from the private sector to the public sector to individuals. There are many different ways that cybercrime is accomplished, and it does not seem that the treaty signed is effective in preventing any of it. While this is the experience of just one country, it can be used as a bellwether, as it is one of most developed and sophisticated countries in the European Union. If the UK continues to be adversely affected in such a way, it is safe to say that all other countries are affected in a similar way. The problem with the treaty is that is outdated. It was implemented before the Asian countries, such as China, really had Internet access in a widespread way. Now Asia is quickly growing, and, considering that, as of 2010, there is, in Asia, only 20% access to the Internet, yet Asia makes up almost 50% of worldwide on-line access, there is plenty of room to grow. If Asia’s numbers increase to where there is, say, 50% access, then it is not inconceivable that Asia will have the majority of on-line users in the near future. Therefore, there must be a concentrated effort to bring Asian countries into the fold. To do otherwise would be ineffective, as cybercriminals could just operate out of Asia or any number of other countries that have not signed or ratified the treaty, because these countries will be safe harbor for these criminals. Further, it seems that, even with countries that have signed on to the treaty, these countries may not be implementing the provisions of the treaty correctly or at all. One of the problems is that the treaty gives “wiggle room” to countries that sign on by specifically stating that certain countries may be more lenient with some of the provisions than other countries. Therefore, these laws are not really harmonized, as different countries have implemented the treaty provisions in different ways. Part of the reason is, no doubt, that countries are confused by some of the provisions; other countries may not see the need to implement other procedures, such as the one regarding the misuse of devices, even though this provision is necessary to prevent more serious crimes. This needs to end. There should be a model code that is put into place, and the countries who are signers of the treaty or have ratified the treaty must follow the model code as a condition of being a part of the treaty. This is the only way for the laws to be truly harmonized. Finally, it is important for individual businesses to take the threat of cybercrime more seriously. If there is one positive aspect of the UK study, it is that the businesses that take cybercrime threats seriously are the businesses which are affected the least by cybercrime. Businesses cannot rely upon the legislature and law enforcement to police cybercrime – it is simply too pervasive and out of control. There is only so much that can be done at the governmental level, which necessarily limits the effectiveness of the treaty. However, if more businesses took cybercrime seriously, and implemented heightened security measures to head the cyber-attacks at the pass, then cyberattacks will be lessened. Not eliminated entirely, for this would take a miracle, but lessened considerably. Sources Used Archick, K (2002) “Cybercrime: The Council of Europe Convention.” Available at: http://www.iwar.org.uk/news-archive/crs/10088.pdf Broadhurst, R. (2010) “A New Global Convention on Cybercrime.” Pakistan Journal of Criminology 2.4, p. 3. Convention on Cybercrime “The Cost of Cybercrime,” Available at: http://www.cabinetoffice.gov.uk/sites/default/files/resources/the-cost-of-cyber-crime-full-report.pdf Keyser, M. (2002) “The Council of Europe Convention on Cybercrime.” Journal of Transnational Law & Policy 12.1, p. 296. Picotti, L. & Salvadori, I. (2008) “National Legislation Implementing the Council on Cybercrime – Comparative Analysis & Good Practices.” Available at: http://www.coe.int/t/dg1/legalcooperation/economiccrime/cybercrime/Documents/Reports-Presentations/567%20study2-d-version8%20_28%20august%2008.pdf “2010 Annual Report: U.K. Cost of a Data Breach,” Available at: http://www.symantec.com/content/en/us/about/media/pdfs/UK_Ponemon_CODB_2010_031611.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach Table of Contents Abstract………………………………………………………….1 Introduction…………………………………………………….1 The Council of Europe Convention on Cybercrime – What it is, what it does, and its limitations………………………………………………………..2 What it is…………………………………………………2 Possible Drawbacks and Limitations………………….5 Has it worked? The Impact of Digital Fraud, Cybercrime and Data Breaches on the UK Economy………………………………………………………….9 Overall Costs for Cybercrime…………………………..9 Costs for Organizations…………………………………11 Costs for Individuals…………………………………….13 Conclusions and Recommendations…………………………….13 Read More