International Statutes


Each country has its own statutes covering computer crime. These can vary widely and might range from extremely draconian (such as China's execution of persons convicted of hacking into banks) to virtually none at all. The accused author of the Love Bug worm was released when it was determined that the Philippines had no statute prohibiting the authoring and release of a computer virus.

A major challenge in investigating and prosecuting computer crimes is the issue of multiple laws in multiple jurisdictions. It is difficult enough to get a warrant for records in one country; when the incident involves multiple countries, it can be almost impossible. Resolving (or at least reducing) this problem has been a major initiative in recent years.

The COE Treaty

One of the most recent and promising proposals to improve international cooperation is the Council of Europe draft Convention on Cybercrime. The council approved the treaty in June of 2001, but it still must be ratified by individual European states. The Council of Europe was founded in 1949 and represents 43 individual European countries. Other countries, including the United States, Japan, Canada, Mexico, and the Vatican, have observer status. If the convention is ratified by the members, these observer countries will be allowed to ratify it as well.

The U.S. Department of Justice was active as an advisor during the negotiations. Officially, the department has made no comment as to whether the United States is expected to ratify the treaty if and when it comes up for review.

The full text of the draft treaty is available at the Council of Europe web site (http://conventions.coe.int). The treaty is too large to include here, but several of the items in the document bear discussion. The convention requires signatories to adopt legislation or regulations to comply with each of the titles in the document.

Title 1: Offenses Against the Confidentiality, Integrity, and Availability of Computer Data and Systems

This section of the convention addresses crimes that could typically be described as crimes against computers. Specifically, the section prohibits the illegal access of systems, illegal interception of communications (computer data only; presumably voice is addressed under other rules), modification or deletion of data, and interference with systems (denial of service).

In addition, the title also prohibits the sale, use, distribution, import, or possession of any device (including software) designed to commit any of the preceding offenses. Unauthorized possession of passwords is specifically prohibited. This item has been criticized by many in the security community as prohibiting legitimate research into system security. For example, some people have argued that the research that went into a tool such as L0phtcrack and the possession of such a tool would be impeded by this regulation. The convention, however, only prohibits these items when they are intended to be used to commit the preceding offenses. Research and the legitimate use of such tools by security professionals appear to be excluded. [3]

[3] As always, legal disclaimers apply. Consult with a legal professional when in doubt.

Title 2: Computer-Related Offenses

This section addresses crimes that could best be described as crimes involving computers. It expands the definitions of fraud and forgery to include the modification or deletion of computer data with the intent to defraud.

Title 3: Content-Related Offenses

Content-related offenses, in the context of the convention, are essentially a euphemism for child pornography. Laws against child pornography vary widely, even within Europe. The age of consent ranges from 16 to 18. The convention states that each signatory must implement laws or regulations against measures that are illegal under its domestic laws. A minor is defined as a person under the age of 18, but countries have the option to choose the lower age of 16.

Specifically, if a given image or item is judged to be illegal under one country's laws, then the production, distribution, offering, and possession of that item on a computer system are also illegal. This section essentially ensures that existing child pornography laws are modified to accommodate computer-related issues.

Virtual Pornography

The convention specifically prohibits three actions in the definitions section. It defines child pornography as the depiction of the following:

  1. A minor engaged in sexually explicit conduct

  2. A person appearing to be a minor engaged in sexually explicit conduct

  3. Realistic images representing a minor engaged in sexually explicit conduct

All three items are also illegal under U.S. law. However, the third item has been challenged in appeals court and the outcome is uncertain. Countries have the option of not applying the second and third items.

Title 4: Offenses Related to Infringements of Copyright and Related Rights

This section addresses the problem of digital copyrighted material. It specifically refers to earlier agreements, including World Intellectual Property Organization (WIPO) treaties. Signatories are required to uphold the obligations in these treaties through either criminal or administrative sanctions.

The WIPO copyright treaty received a lot of publicity and discussion when it was adopted. The critical measure in this treaty is a general prohibition against any measure or device designed to circumvent copyright protection. Under this treaty, for example, it is illegal to reverse-engineer the encryption algorithm used to prevent illegal copying or distribution of DVD movies.

Intellectual Property

Intellectual property rights and protections have received a lot of attention in recent years. Content publishers (including book publishers, musicians, and movie studios) are increasingly concerned about digital piracy. As more content moves into the digital arena, it becomes easier to make and distribute illegal copies.

A number of high-profile legal cases are still defining the laws. Napster was finally prohibited from sharing music files unless it could prevent the downloading of copyrighted material. In this case, the legal opinion stated that Napster was, in effect, condoning and supporting the illegal copying of copyrighted material by providing the forum. 2600 (www.2600.com, publishers of a hacker magazine) was prevented from publishing the source code used to copy-protect DVD movies. Most recently, a person was arrested at the 2001 DefCon conference after giving a presentation about defeating the encryption protection in electronic books.

The implication to major corporations with large intellectual property concerns is obvious. However, even smaller organizations might have risks. It is not inconceivable for a company to be held liable if its employees are trafficking in copyrighted material. Acceptable-use policies (defined later in this chapter) should specifically address this issue and make it clear that the company has the right to search for such information and punish any offenders.

Title 5: Ancillary Liability and Sanctions

This last section states that aiding any organization or individual in the commission of any of the preceding offenses is itself an offense. Corporations are also held liable under the provisions of the treaty. Signatories are explicitly warned that they must, when appropriate, be able to hold individuals within a corporation accountable for the actions of the organization.

The remainder of the treaty is concerned with procedures, but part of these procedures includes search and seizure and the interception of data. The convention requires signatories, within the context of their own laws and constitutions, to adopt policies for the search and seizure of computers and computer-related equipment. Agencies must be able to intercept communications data, including compelling a service provider to collect that data.

The treaty ends with a long section about international cooperation, arguably the major impact of this agreement. The convention binds its members to extradition in the event of computer-related crimes. The convention requires each member to set up a contact network, available on a 24x7 basis, to facilitate cooperation. It also acts as a multilateral agreement for cooperation for those states that do not have an agreement in place already. So, for example, if the United States and France did not already have an agreement in place to facilitate law enforcement cooperation, this treaty would act as one.

The EU Privacy Act

The European Union has adopted a number of strict privacy regulations dating from 1995 to 2001. [4] These regulations require EU members to set up a privacy commission to oversee the collection, storage, and dissemination of personal data (that is, data on any individual). Members are prohibited from sharing this data with any country that does not have similar protections in place.

[4] The specific text of these regulations is available on the EU web site at www.europa.eu.int.

This has been a major point of contention with the United States. The United States has no overarching privacy regulation. Although some data is protected (for example, it is illegal to share information about the videos an individual rents), other information can be freely exchanged.

The U.S. proposed a "Safe Harbor" provision to the EU. This is a provision in which organizations can either join or create privacy programs designed to protect personal data. At the time of this writing, however, the EU had rejected the Safe Harbor provision, alleging that organizations cannot successfully self-regulate.

Under the EU rules, a multinational company could be prohibited from transferring customer data from one of its organizations within the EU to another organization outside. This has extremely grave consequences to large corporations, which might process data in several countries. It will be all but impossible to ensure that no personal information about customers or employees is transferred inadvertently to a noncomplying country.

The impact of these regulations is still unknown at this time. The privacy regulations adopted in 1995 are to be phased in over time. They are scheduled to go into full effect this year. No one has been punished for noncompliance yet, although many European companies (and international companies with a European presence) are concerned that the privacy commissioners might look for a test case.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103