The Council of Europe’s Cybercrime Treaty

Introduction

            The Council of Europe’s Cybercrime Treaty defines cybercrime as criminal activity involving conduct against data protection to copyright infringement.[1] Others have expanded upon this definition to cover a range of criminal activities that cover cyber-stalking, fraud and child pornography.[2] In general cybercrime is the term used to describe criminal conduct committed via the internet or via the use of a computer or computer hardware.[3] The dynamics of computer technology have opened up unique means by which cyber criminals can commit computer fraud so that regulating cybercrime invariably involves multi-jurisdictional concerns.  This is particularly so in Australia and the United States where even on a national level there are various state laws and the potential for cross-border cybercrime is even greater. tIt is against this background that this paper discusses the effectiveness of efforts taken by the Federal Governments of the US and Australia to combat cybercrime with the emphasis on cyber fraud.

            Cyber fraud, invariably involves identity theft, accessing data, sending e-mail from someone else’s email address, hacking into another’s computer to access data or transmitting false messages to another.[4]  Cyber fraud is of particular interest to US and Australian legislators.  In Australia, legislators have taken steps to safeguard against computer hacking in particular while the United States have taken steps to tighten its laws against the incidents of identity theft.

Background Information

In 2003, Bob Tedeschi reported that in a FBI and Computer Security Group survey of over 500 businesses, computer fraud accounted for losses in excess of US$4 million with theft of information accounting for losses over US$6 million.[5] Nir Kshetri of Bryan School of Business and Economics, explains that these kinds of damages indicate the commitment of those who perpetuate cyber fraud and the ease with which cyber fraud can now be conducted. Obviously when consumers shop online they impart personal information with respect to credit and debit card or bank account information with the result that cyber criminals can fraudulently obtain that information by hacking into another’s computer. By the same methods, criminal can obtain personal information to commit identity theft.

According to Kshetri the different jurisdictional laws also contribute to the propensity for cyber crime activities since fraud in one country may not be fraud in another.[6] Moreover, criminal penalties and procedural laws vary from one nation to another with the result that cyber criminals are at liberty to go forum shopping.[7]  In other words the cyber criminal may choose to limit is activity to a jurisdiction where he either can escape prosecution or conviction.

            The Federal Government of Australia

            The Federal Criminal Code Act of 1995 initially created electronic criminal offences for all Australian territories.[8] In January of 2001 a report which resulted in various amendments to the Federal Criminal Code Act of 1995 was issued by the Federal Government of Australia and titled the Commonwealth, State and Territory Model Criminal Code and Computer Offences.[9] The resulting amendments are provided for in the Cybercrime Act 2001.[10] Another Act arising out of the report was the Spam Act 2003 which regulates and controls the ambit of unsolicited electronic transmissions.[11]

Under the Cyber Crime Act 2001 the government starts out by addressing cyber fraud in the ambit of unauthorized access to a computer and sets “serious computer crimes” apart from others by providing for its definition as follows:

“…unauthorized access, modification or impairment with intent to commit a serious offence.”[12]

A serious offence in turn is any offence that is liable to a term of  imprisonment for at least five years.[13]  Division 447 of the 2001 Act creates two separate offences namely; “unauthorized access,” and/or “modification or impairment.”[14]  In each of these instances it is obvious that legislators are contemplating fraud, particularly the use of the term “unauthorized access”.  Unauthorized access implies dishonest use of a computer.  Moreover, it is the primary means by which criminals obtain data for fraudulent purposes.  For example, the cyber criminal will fraudulently gain access to another’s computer to obtain bank or credit card information for unauthorized use.  This kind of access can also be used to obtain passport or divers’ licence information for the purpose of committing identity theft.

            These offences are characterized by conventional ideology of altering or modifying data as the Act goes on to provide that:

“…such access, modification and impairment caused by the person is not unauthorized merely because he or she has an ulterior purpose for causing it.”[15]

This section contemplates circumstances where an individual has authorization to access a computer data base and uses it for an unauthorized purpose. For example, gaining access to a computer for the purpose of copying credit card information from another without their knowledge or consent would amount to a crime of fraud committed via the internet.  This is especially so in cases where a bank employee has authority to access bank accounts but uses that access to make unauthorized withdrawals from the various bank accounts.  This kind of conduct would be fraudulent notwithstanding the authorized access to the computer accounts.

            Unauthorized modification with the intention of causing impairment is a criminal offence by virtue of Division 477.2. Impairment could relate to data stored in the computer as well as impairment to the computer’s function, both of which would constitute fraud if the access for these purposes is not authorized. This places upon the  prosecution the burden of  proving that the modification is unauthorized.[16]  While requiring that the prosecution prove that the accused person knows that the modification is unauthorized it is only necessary to prove that the accused was reckless.[17]

Division 478.3 criminalizes “possession or control of data with intent to commit a computer offence.”[18] Possession of data with the intention of committing a computer offence will not incur strict liability because it requires proof of intention to commit a computer offence either by the person found to be in possession or control of the data of another.[19] Division 476.4 is similarly construed since it criminalizes as a separate offence “producing, supplying or obtaining data with intent to commit a computer offence”.[20]The mere unauthorized possession of this data is fraudulent and one can only anticipate that the information will be used for fraudulent purposes.

The Spam Act 2003 distinguishes between legitimate and illegitimate email.[21] Section 16 attaches criminal liability to the act of transmitting unsolicited electronic commercial messages to another without that person’s consent either explicitly or tacitly.[22] Moreover, it is a criminal offence to facilitate, procure, aid and abet so-called spammers by virtue of Section 16(9)[23].   This method of spamming involves a measure of fraud since it is used to trick the recipient into divulging personal information.

There are exemptions/defences under Section 16(2) which demonstrate the Federal Government’s commitment to distinguish between legitimate business activities and genuine spammers by providing that inferred or explicit consent will not incur liability.[24]  Moreover, if spammers provide recipients with an unsubscribe option they will avoid prosecution and criminal fines.[25] Likewise if spammers provide a means of identifying themselves they will escape successful prosecution.[26] Ivan Trundle explains that the Spam Act 2003 effectively distinguishes between spammers and legitimate businesses.[27] The underlying goal of the Australian legislators is to guard against the incidents of computer fraud so as to preserve the commercial value of computer commerce.

The Federal Government of the US

            The Federal Computer Fraud and Abuse Statue Chapter 18 USC 1030 criminalizes conduct that is abusive and destructive to computer systems in the United States.  In general the Statue is designed to protect Federal Computers, bank Computers and all computers that are connected to the internet.[28] Obviously the US considers all unauthorized intrusions into computers as fraudulent conduct as evidenced by the title to the code.  Moreover, bank computers can be used for fraudulent purposes whereas internet computers can be hacked into to obtain personal data for identity theft.

            The following crimes which are fraudulent in nature are provided for under Section 1030 of the  Federal Computer Fraud and Abuse Statue Chapter 18 USC:

Trespassing (which is generally attributed to hacking) on a government computer.[29]Computer trespassing that exposes any governmental information as well as commercial information generally.[30]Activity that causes damages to either a computer used in interstate or foreign commercial transactions, a bank computer, a government computer.[31]These kinds of damages generally include worms, viruses, Trojans, “time bombs” and “other forms of cyber attack, cyber crime, or cyber terrorism”.[32]Any act of fraud which give rise to unauthorized passage to a government computer, bank computer or a computer which is accessed for foreign or interstate commercial transactions.[33]Threatening damage to a bank computer, government computer or a computer which is used for interstate or foreign commercial transactions.[34]Password interference with a bank, government computer or computers used for interstate and foreign commercial activities.[35]Gaining access to a computer solely for the purpose of committing espionage.[36]Unlike Australian law where attempts to commit cyber crimes are not criminal offences, Section 1030(b) makes any attempt to commit an offence under Section 1030(a) a crime.[37] Charles Doyle explains the ambit and intent of the Federal Computer Fraud and Abuse Statute, Chapter 18 USC as follows:

“18 USC 1030, protects computers in which there is a federal interest…It shields them from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud.”[38]

United States Code 18 Section 1028 (a) creates the offence of identity theft which is a crime involving fraudulent conduct by imposing criminal liability in instances where an individual “knowingly transfers or uses” without lawful excuse or authority, the identification of another “with the intent to commit” or procure “any unlawful activity” contrary to Federal or  State law.[39]

            By virtue of Section 1028(d) fraudulent documents are prohibited by providing that producing an “identification document” which originates from the government or any state authority, foreign government is an offence.[40] A:

 “document-making implement means any implement, impression, electronic device, or computer hardware or software, that is specifically configured or primarily used for making an identification document, a false identification document, or another document-making implement…”[41]

            The Cyber-Security Enhancement and Computer Protection Act 2007, a current Bill seeks to amend USC Title 18 to outlaw the remote control of a “protected computer” for the purpose of obtaining identification information.[42] A protected computer under the propose act would also include any computer used for interstate communication, racketeering would also include computer fraud, computer extortion would also include threats to access a computer without consent.[43] The Act would also provide for stiffer criminal penalties which could include a combination of both fines and imprisonment ranging from five to thirty years.[44]

            The Cyber-Security Enhancement Act 2007, another Bill also attempts to redefine the ambit of protected computer to include computers used for the purpose of interstate communication. It is not materially different from Cyber-Security Enhancement and Computer Protection Act 2007.  Its main purpose is to act as a deterrent by increasing criminal penalties and fines in respect of computer fraud.[45] It goes out of its way to extend authorization to the US Secret Service, the Department of Justice and the Federal Bureau of Investigations to investigate and prosecute cybercrime.

Conclusion

            There is a concerted effort on the parts of both the US and the Australian Federal Governments to increase the jurisdiction of law enforcement in both countries by establishing a number or cyber offences that are essentially the same in each of its territories. The emphasis, particularly in the US is on variations of computer fraud.  In Australia, fraud is implied in the unauthorized use of computers and the provision for impairment as both require fraudulent conduct.  Anti-spam laws in Australia also encourage open and honest transmission of emails which implies that a failure to do so is fraudulent. By isolating a means of curtailing fraudulent use of computers, cyber-fruad at the very least becomes identifiable and subject to uniform application.

Bibliography

Brenner, Suzan. (June 2001)  “Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law.” Murdoch University Electronic Journal of Law Vol. 8 No. 2 http://www.murdoch.edu.au/elaw/issues/v8n2/brenner82.html Viewed May 3, 2008

Commonwealth, State and Territory Model Criminal Code and Computer Offences Report

Cybercrime Act 2001

Cyber-Security Enhancement and Computer Protection Act 2007

Cyber-Security Enhancement Act 2007

Davidson, Alan.“The Spam Bill 2003.” Cyber Law, 2003

Doyle, Charles. “Cyber Crime: An Overview of the Federal Computer Fraud and Abuse Stature and Related Federal Criminal Laws.” CRS Report, Order Code 97-1025, Feb. 2008

Federal Computer Fraud and Abuse Statue Chapter 18 USC

Federal Criminal Code Act 1995

Identity Theft Enforcement and Restitution Act 2007

Kshetri, Nir. “Pattern of global cyber war and crime: A conceptual framework.”Journal of International Management Dec. 2005  vol. 11 Issue 4 pp 541-562

Krone, THigh Tech Crime Brief. Australian Institute of Criminology. Canberra, Australia.(2005)

Lebihan, Rachael. (2001) “Australian Cyber Criminals Facing Stiffer Penalties.” ZDNet Australia. http://www.zdnet.com.au/news/soa/Australian-cybercriminals-facing-stiffer-penalties/0,139023165,120221959,00.htm Accessed May 3, 2008

McCullagh, Adrian and Smith, Richard. “Identity Theft: A Crime Waiting to Happen.” Internet Industry Electronic Commerce Update. August 1999. Available online at: http://72.30.186.56/search/cache?ei=UTF-8&p=cyber+fraud&y=Search&rd=r2&fr=yfp-t-501&u=www.iia.net.au/index2.php%3Foption%3Dcom_content%26do_pdf%3D1%26id%3D435&w=cyber+fraud&d=c51IkjWxQw_R&icp=1&.intl=au Retrieved May 12, 2008

Spam Act 2003

Tedeschi, Bob. “E-Commerce Report; Crime is soaring in cyberspace, but many companies keep it quiet.” New York Times, January 27, 2003

Trundle, Ivan. (2004) “What the Spam Act Means for Australian Businesses.” Incite, p.24

Wahlert, Glenn. (1998) “Crime in Cyberspace: Trends in Computer Crime in Australia.” http://www.aic.gov.au/conferences/internet/wahlert.pdf Viewed May 3, 2008

Washingtonwatch.com. (n.d.) http://www.washingtonwatch.com/bills/show/110_SN_2213.html#toc1 Retrieved May 5, 2008

Yar, M. “The Novelty of ‘Cyber Crime’: An Assessment in Light of Routine Activity Theory.” Europen Journal of Criminology Vol. 2 No. 4, 407-427, 2005.

Zeviar-Geese, G. “The State of the Law on Cyberjurisdiction and Cybercrime on the Internet.” California Pacific School of Law. Gonzaga Journal of International Law. Volume 1 1997-98

[1] Krone, THigh Tech Crime Brief. Australian Institute of Criminology. Canberra, Australia.(2005)[2] Zeviar-Geese, G. “The State of the Law on Cyberjurisdiction and Cybercrime on the Internet.” California Pacific School of Law. Gonzaga Journal of International Law. Volume 1 1997-98[3] Yar, M.  “The Novelty of ‘Cyber Crime’: An Assessment in Light of Routine Activity Theory.” Europen Journal of Criminology Vol. 2 No. 4, 407-427, 2005.[4] McCullagh, Adrian and Smith, Richard. “Identity Theft: A Crime Waiting to Happen.” Internet Industry Electronic Commerce Update. August 1999. Available online at: http://72.30.186.56/search/cache?ei=UTF-8&p=cyber+fraud&y=Search&rd=r2&fr=yfp-t-501&u=www.iia.net.au/index2.php%3Foption%3Dcom_content%26do_pdf%3D1%26id%3D435&w=cyber+fraud&d=c51IkjWxQw_R&icp=1&.intl=au Retrieved May 12, 2008[5] Tedeschi, Bob. “E-Commerce Report; Crime is soaring in cyberspace, but many companies keep it quiet.” New York Times, January 27, 2003[6] Kshetri, Nir. “Pattern of global cyber war and crime: A conceptual framework.”Journal of International Management Dec. 2005  vol. 11 Issue 4 pp 541-562[7] Kshetri, Nir. “Pattern of global cyber war and crime: A conceptual framework.”Journal of International Management Dec. 2005  vol. 11 Issue 4 pp 541-562[8] Federal Criminal Code Act 1995[9] Commonwealth, State and Territory Model Criminal Code and Computer Offences Report[10] Cybercrime Act 2001[11] Spam Act 2003[12] Cybercrime Act 2001 Division 477.1[13] Cyber Crime Act 2001,  Division 4771.1(9)[14] Ibid Division 477[15] Ibid Division 476.2(2)[16] Cybercrime Act 2001 Division 477.2[17] Ibid Division 477.2(1)©[18] Ibid Division 478.3[19] Cybercrime Act 2001 Division 478.3[20] Ibid Division 478.4[21] Ibid[22] Spam Act 2003 Section 16[23] Ibid Section 16(9)[24] Davidson, Alan.(2003) “The Spam Bill 2003.” Cyber Law[25] Spam Act 2003[26] Spam Act 2003[27] Trundle, Ivan. (2004) “What the Spam Act Means for Australian Businesses.” Incite, p.24[28] Doyle, Charles. “Cyber Crime: An Overview of the Federal Computer Fraud and Abuse Stature and Related Federal Criminal Laws.” CRS Report, Order Code 97-1025, Feb. 2008[29] Federal Computer Fraud and Abuse Statue Chapter 18 USC, Section 1030(a)(3)[30] Ibid Section 1030(a)(2)[31] Ibid Section 1030(a)(5)[32] Doyle, Charles. “Cyber Crime: An Overview of the Federal Computer Fraud and Abuse Stature and Related Federal Criminal Laws.” CRS Report, Order Code 97-1025, Feb. 2008[33] Federal Computer Fraud and Abuse Statue Chapter 18 USC, Section 1030(a)(4)[34] Ibid Section 1030(a)(7)[35] Federal Computer Fraud and Abuse Statue Chapter 18 USC, Section 1030(a)(6)[36] Ibid Section 1030(a)(1)[37] Ibid[38] Doyle, Charles. “Cyber Crime: An Overview of the Federal Computer Fraud and Abuse Stature and Related Federal Criminal Laws.” CRS Report, Order Code 97-1025, Feb. 2008[39] Federal Computer Fraud and Abuse Statue Chapter 18 USC, Section 1028(a)(7)[40] Ibid Section 1028(d)(2)[41] Federal Computer Fraud and Abuse Statue Chapter 18 USC, Section 1028(d)(1)[42] Cyber-Security Enhancement and Computer Protection Act 2007[43] Cyber-Security Enhancement and Computer Protection Act 2007[44] Ibid[45] Cyber-Security Enhancement Act 2007