A2. Cyber legislation
For law enforcement, observing developments in the field of law is as important as monitoring trends in the commission of crimes and the latest investigation techniques. Without criminalisation the hands of law enforcement agencies are bound – and without adequate procedural law, the prosecution of high-tech offenders can be close to impossible.
Trend 1: Legislation related to cybercrime is moving beyond substantive criminal law and procedural law
25 years ago the focus of legislation was on substantive criminal law. When the Council of Europe adopted the ‘Expert Report on Computer-Related Crime’ in 1989, it was dealing with substantive criminal law (criminalisation of offences). 20 years ago the discussions started to include elements of procedural law (enforcement of law). The 1995 recommendations of the Council of Europe are an example of this development. 15 years ago the focus widened again and international cooperation became part of the discussion. This is for example underlined by Chapter III of the 2001 Council of Europe Convention on Cybercrime that addresses aspects of international cooperation.
This development has not stopped. In the last 15 years the way legislation and regional standards are drafted has developed further. The variety of areas of law covered under the umbrella of cybercrime legislation has increased and includes the following:
- Definitions: The 2001 Council of Europe Convention on Cybercrime only includes four main definitions. The list of definitions in other regional instruments, such as the 2013 SADC Model Law, is significantly more complex. A second trend is to move towards more up-to-date definitions. The 2013 EU Directive on attacks against information systems for example refers to ‘information systems’ instead of computer systems to avoid confusion when it comes to devices such as mobile phones or wearable technology.
- Substantive criminal law: Although the 2013 EU Directive on attacks against information systems does not go beyond the 2001 Council of Europe Convention on Cybercrime, when it comes to criminalisation there is a global trend towards more inclusive approaches. Recent approaches like the 2013 SADC Model Law for example already include the recommendations from the UNODC Expert Group on Identity-related Crime related to the criminalisation of identity theft – a growing concern also in the European Union. The 2010 Stockholm Programme Action Plan included the aim to develop a legislative proposal for the criminalisation of identity theft. This has however not yet been finished.
- Procedural law: While in the past the focus was on search and seizure and the interception of communication, the use of advanced technologies such as VoIP, encryption, anti-forensics and anonymous communication services goes along with the challenges of using such traditional instruments. Instruments like the 2012 HIPCAR Model Law on Cybercrime/e-Crimes, which was developed with funding from the EU, include instruments like the application of remote forensic tools (such as keyloggers). As such, it is not only in line with European standards but goes beyond them in terms of criminalisation as well as procedural law and investigation instruments.
- Electronic evidence: In 2002 the Commonwealth adopted two model laws: one on computer and computer-related crime and one on electronic evidence. From a practitioner’s point of view this is a logical development as the most efficient investigation does not help if the collected evidence is not admissible in court. Unlike other regions, the EU has not yet developed a harmonised approach to addressing issues such as admissibility of electronic evidence collected abroad. Other instruments such as the above-mentioned Commonwealth Model Law and the SADC Model Law contain such regulations.
- Liability of ISPs: It is almost impossible to commit a cybercrime without the involvement of ISPs. But is an ISP criminally responsible for offences committed by its users, and is the ISP authorised to report crimes, for example when the ISP detects illegal content? The 2000 EU E-Commerce Directive contains a set of general liability regulations that have been picked up by other regions of the world.
Trend 2: Slower international harmonisation but more regional approaches
Given the inherently borderless nature of cybercrime, investigations must be facilitated by harmonised legal systems and international cooperation measures.
Speed remains a key requirement in investigations. If law enforcement in two or more countries need to cooperate outside existing legal frameworks, their abilities are limited by the general Mutual Legal Assistance Treaty (MLAT) regime. In the best case other international (but not cybercrime-specific) instruments for expedited cooperation – such as the United Nations Convention against Transnational Organized Crime (UNTOC) – or bilateral agreements are applicable. The very basic rules of international courtesy, based on reciprocity, apply. The related procedures are strict, are based on a complex workflow and are consequently, in general, lengthy. Although partly generalised, it is possible to say that from the perspective of law enforcement, when investigating cybercrime, less time-critical procedures do not reflect the high speed at which cybercrimes are committed and at which important evidence (such as traffic data/meta data) is automatically deleted.
Current trends in the law enforcement community foster more flexible arrangements for cross-border data exchange – such as information sharing for police use only. However, Europol believes that it is desirable to have a legal framework for international cooperation in place that:
- allows expedited cooperation,
- maximises the protection of fundamental rights of the data subject, even and especially in cross-border investigations, for instance by means of pseudonymisation for de-confliction and identification of links,
- has reach beyond the EU and the trustful (usually Western) partnerships, including for instance the US, non-EU Schengen partners, Canada and Australia, and
- eventually leads to the receipt of evidence that can be used in court.
Current legal developments
- United Nations: In 2010 the UN Crime Congress examined the need for a global legal instrument in the fight against cybercrime. It requested UNODC to conduct a comprehensive study. This study was published in 2013. Since then the results of the study have been discussed but no substantive action has been taken.
- European Union: Following the ratification of the Lisbon Treaty, renewed efforts towards the harmonisation of laws in relation to computer crime have occurred. The 2011 EU Directive on child pornography and the 2013 EU Directive on attacks against information systems are examples.
- Council of Europe: As of August 2014, 42 countries had gone through the process of ratification/accession to the Convention on Cybercrime. This includes non-European countries such as Australia, Dominican Republic, Japan, Mauritius, Panama and the United States. The EU Member States enjoy good cooperation with those countries that have signed and ratified the Convention. However, from the list of the top 10 countries from where criminal activities originate, only three have ratified the Convention on Cybercrime. Important countries like Russia, China, India and Brazil have not signed or ratified the Convention. Developments, such as the recent discussion within the Council of Europe about another possible additional protocol to the Convention on Cybercrime that deals with trans-border access, are not relevant to those cases.
- Africa: The Economic Community of West African States (ECOWAS) Directive on Fighting Cyber Crime within ECOWAS, the Common Market for Eastern and Southern Africa (COMESA) Cybersecurity Model Bill, the SADC Model Law on Computer Crime and Cybercrime and the Draft African Union Convention on the Establishment of a Legal Framework Conducive to Cybersecurity in Africa all contain provisions related to the fight against cybercrime. This shows the dynamics of regional harmonisation in the African region.
- Caribbean: The aforementioned HIPCAR Model Legislative Text on Cybercrime as well as the OECS Electronic Crimes Bill, which were developed in 2012 and 2011.