First Draft of International Convention Released for Public Discussion
COMMITTEE ON CRIME PROBLEMS
COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE
Convention on Cyber-crime
(Draft N° 19)
by the Secretariat
Directorate General I (Legal Affairs)
CONVENTION ON CYBER-CRIME
(Draft N° 19)
The member States of the Council of Europe and the other States signatory hereto,
Considering that the aim of the Council of Europe is to achieve a greater unity between its members;
Recognising the value of fostering co-operation with the other States signatories to this Convention;
Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cyber-crime, inter alia by adopting appropriate legislation and fostering international co-operation;
Conscious of the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks;
Concerned at the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks;
Believing that an effective fight against cyber-crime requires increased, rapid and well-functioning international co-operation in criminal matters;
Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international co-operation, while ensuring a proper balance between the interests of law enforcement and respect for fundamental human rights.
Welcoming recent developments which further advance international understanding and co-operation in combating cyber-crimes, including actions of the United Nations, the OECD, the European Union and the G8;
Recalling Recommendation N° R (89) 9 on computer-related crime providing guidelines for national legislatures concerning the definition of certain computer crimes and Recommendation N° R (95) 13 concerning problems of criminal procedural law connected with Information Technology, calling for, inter alia, the negotiation of an international agreement to regulate trans-border search and seizure;
Having regard to Resolution No. 1 adopted by the European Ministers of Justice at their 21st Conference (Prague, June 1997), which recommended the Committee of Ministers to support the work carried out by the European Committee on Crime Problems (CDPC) on cyber-crime in order to bring domestic criminal law provisions closer to each other and enable the use of effective means of investigation concerning such offences;
Having also regard to the Action Plan adopted by the Heads of State and Government of the Council of Europe, on the occasion of their Second Summit (Strasbourg, 10 - 11 October 1997), to seek common responses to the development of the new information technologies, based on the standards and values of the Council of Europe;
Have agreed as follows:
Chapter I - Use of terms
Article 1 - Definitions
For the purposes of this Convention:
- any representation of facts, information or concepts in a form suitable for processing in a computer system, or
- set of instructions suitable to cause a computer system to perform a function;
- any information possessed by the service provider necessary to identify and determine the physical address of a subscriber, user, or account-payer of a service provider's communications services, and
- any information associated with such subscriber, user, or account-payer possessed by the service provider relating to a network, equipment or individual number or account or similar identifying designators, services, fees; the physical location of equipment, if known and if different from the location information provided under the definition of traffic data;
Chapter II - Measures to be taken at the national level
Section 1 - Substantive criminal law
Title 1 - Offences against the confidentiality, integrity and availability of computer data and systems
Article 2 - Illegal Access
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the access to the whole or any part of a computer system without right. A Party may require that the offence be committed either by infringing security measures or with the intent of obtaining computer data or other dishonest intent.
Article 3 - Illegal Interception
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, as well as electromagnetic emissions from a computer system carrying such computer data.
Article 4 - Data Interference
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the damaging, deletion, deterioration, alteration or suppression of computer data without right.
Article 5 - System Interference
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the serious hindering without right of the functioning of a computer system by inputting, [transmitting,] damaging, deleting, deteriorating, altering or suppressing computer data.
Article 6 – Illegal Devices
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:
with intent that it be used for the purpose of committing the offences established in Articles 2 - 5;
Title 2 - Computer-related offences
Article 7 – Computer-related Forgery
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require by law an intent to defraud, or similar dishonest intent, before criminal liability attaches.
Article 8 – Computer-related Fraud
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing, without right, of a loss of property to another by:
with the intent of procuring, without right, an economic benefit for himself or for another.
Title 3 - Content-related offences
Article 9 – Offences related to child pornography
1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed without right and intentionally the following conduct:
- a minor engaged in a sexually explicit conduct;
- a person appearing to be a minor engaged in a sexually explicit conduct;
- realistic images representing a minor engaged in a sexually explicit conduct.
Title 4 – Copyright and related offences
Article 10 - Copyright and related offences
Title 5 – Ancillary liability and sanctions
Article 11 - Attempt and aiding and abetting
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally:
Article 12 – Corporate liability
1 Each Party shall adopt such legislative and other measures as may be necessary to ensure that legal persons can be held liable for the criminal offences established in accordance with this Convention, committed for their benefit by any natural person, acting either individually or as part of an organ of the legal person, who has a leading position within the legal person, based on:
- a power of representation of the legal person; or
- an authority to take decisions on behalf of the legal person; or
- an authority to exercise control within the legal person;
- as well as for involvement of such a natural person as aidor or abettor, under Article 11, in the above-mentioned offences.
2 Apart from the cases already provided for in paragraph 1, each Party shall take the necessary measures to ensure that a legal person can be held liable where the lack of supervision or control by a natural person referred to in paragraph 1 has made possible the commission of the criminal offences mentioned in paragraph 1 for the benefit of that legal person by a natural person under its authority.
3 Liability of a legal person under paragraphs 1 and 2 shall not exclude criminal proceedings against natural persons who are perpetrators, aidors or abettors of the criminal offences mentioned in paragraph 1.
Article 13 – Sanctions and measures
Section 2 – Procedural law
Article 14 - Search and Seizure of Stored Computer Data
[in its territory or other place over which it exercises its sovereign powers] for the purposes of criminal investigations or proceedings.
Article 15 - Production Order
1. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order a person in its territory or other place over which it exercises its sovereign powers to submit specified computer data under this person’s control stored in a computer system or a medium in which data may be stored in the form required by these authorities for the purposes of criminal investigations and proceedings.
2. The power referred to in paragraph 1 of the present Article shall be subject to conditions and safeguards as provided for under national law.
Article 16 – Expedited preservation of data stored in a computer system
Article 17 – Expedited preservation and disclosure of traffic data
Article 18 – Interception
Section 3 - Jurisdiction
Article 19 - Jurisdiction
1. Each Party shall take such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 – 11 of this Convention, when the offence is committed
2. Each State may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, by a declaration addressed to the Secretary General of the Council of Europe, declare that it reserves the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraph 1 b of this article or any part thereof.
3. If a Party has made use of the reservation possibility provided for in paragraph 2 of this article, it shall adopt such measures as may be necessary to establish jurisdiction over a criminal offence referred to in Article 21, paragraph 1 of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him to another Party, solely on the basis of his nationality, after a request for extradition.
4. This Convention does not exclude any criminal jurisdiction exercised in accordance with national law.
5. When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.
Chapter III – International Co-operation
Article 20 - General principles relating to international co-operation
The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and national laws, to the widest extent possible for the purposes of investigations and proceedings concerning criminal offences related to computer systems and data, or for the collection of electronic evidence of a criminal offence.
Article 21 - Extradition
2. If a Party that makes extradition conditional on the existence of a treaty receives a request for extradition from another Party with which it does not have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offence referred to in paragraph 1 of this Article.
3. Parties that do not make extradition conditional on the existence of a treaty shall recognise the criminal offences referred to in paragraph 1 of this Article as extraditable offences between themselves.
4. Extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.
5. If extradition for a criminal offence referred to in paragraph 1 of this Article is refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offence, the requested Party shall submit the case to its competent authorities for the purpose of prosecution unless otherwise agreed with the requesting Party, and shall report the final outcome to the requesting Party in due course. Those authorities shall take their decision in the same manner as in the case of any other offence of a comparable nature under the law of that State.
6. (a) Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the name and addresses of each authority responsible for the making to or receipt of a request for extradition or provisional arrest in the absence of a treaty. [Designation of an authority shall not exclude the possibility of using the diplomatic channel.]
(b) The Secretary General of the Council of Europe shall set up and keep updated a register of authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.
Article 22 - Mutual Assistance
Article 23 - Procedures pertaining to mutual assistance requests
1. Where there is no mutual assistance treaty or arrangement on the basis of uniform or reciprocal legislation in force between the requesting and requested Parties, or the Parties concerned do not have national laws under which to provide mutual assistance to one another, the provisions of paragraphs 2 through 10 of this article shall apply. The provisions of this article shall not apply where such agreement, arrangement or legislation is available, unless the Parties concerned agree to apply any or all of the remainder of this Article in lieu thereof.
2. (a) Each Party shall designate a central authority or authorities that shall be responsible for sending and answering requests for mutual assistance, the execution of such requests, or the transmission of them to the authorities competent for their execution.
(b) The central authorities shall communicate directly with each other.
(c) Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the names and addresses of the authorities designated in pursuance of this paragraph.
(d) The Secretary General of the Council of Europe shall set up and keep updated a register of central authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.
3. Mutual assistance requests under this Article shall be executed in accordance with the procedures specified by the requesting Party except where incompatible with the law of the requested Party.
4. The requested Party may, in addition to conditions or grounds for refusal available under Article 22 (4), refuse assistance if it believes that compliance with the request would prejudice its sovereignty, security, ordre public or other essential interests.
5. The requested Party may postpone action on a request if such action would prejudice investigations, prosecutions or related proceedings by its authorities.
6. Before refusing or postponing assistance, the requested Party shall, where appropriate after having consulted with the requesting Party, consider whether the request may be granted partially or subject to such conditions as it deems necessary.
7. The requested Party shall promptly inform the requesting Party of the outcome of the execution of a request for assistance. If the request is refused or postponed, reasons shall be given for the refusal or postponement. The requested Party shall also inform the requesting Party of any reasons that render impossible the execution of the request or are likely to delay it significantly.
8. (a) Without prejudice to its own investigations or proceedings, a Party may, within the limits of its domestic law, without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offences established in accordance with this Convention or might lead to a request for cooperation by that Party under this chapter.
(b) Prior to providing such information, the providing Party may request that it be kept confidential or used subject to conditions. If the receiving Party cannot comply with such request, it shall notify the providing Party, which shall then determine whether the information should nevertheless be provided. If the receiving Party accepts the information subject to the conditions, it shall be bound by them.
9. (a) The requesting Party may request that the requested Party keep confidential the fact and substance of any request made under this Chapter except to the extent necessary to execute the request. If the requested Party cannot comply with the request for confidentiality, it shall promptly inform the requesting Party, which shall then determine whether the request should nevertheless be executed.
(b) The requesting Party may request that the requested Party not, without the prior consent of the requesting Party, make use of the substance of the request, nor of the information obtained pursuant to having executed the request, for purposes other than those for which it was obtained or for criminal investigations and related proceedings. If the requested Party cannot comply with the request, it shall promptly inform the requesting Party, which shall then determine whether the request should nevertheless be executed.
(c) The requested Party may request that the requesting Party not, without the prior consent of the requested Party, transmit or use the materials furnished for investigations or proceedings other than those stated in the request. If the requested Party accepts the materials subject to the conditions, it shall be bound by them. If the requesting Party cannot comply with the conditions, it shall promptly inform the requesting Party, which shall then determine whether the materials should nevertheless be provided.
10. (a) In the event of urgency, requests for mutual assistance or communications related thereto may be sent directly by judicial authorities, including public prosecutors, of the requesting Party to such authorities of the requested Party. In any such cases a copy shall be sent at the same time to the central authority of the requested Party through the central authority of the requesting Party.
(b) Any request or communication under this paragraph may be made through the International Criminal Police Organisation (Interpol).
(c) Where a request is made pursuant to subparagraph (a) and the authority is not competent to deal with the request, it shall refer the request to the competent national authority and inform directly the requesting Party that it has done so.
(d) Requests or communications made under this paragraph that do not involve coercive action may be directly transmitted by the competent authorities of the requesting Party to the competent authorities of the requested Party.
(e) Each Party may, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession inform the Secretary General of the Council of Europe that, for reasons of efficiency, requests made under this paragraph are to be addressed to its central authority.
Article 24 - Provisional measures: Expedited preservation of stored computer data
Article 25 – Expedited disclosure of preserved traffic data
Article 26 – Mutual Assistance Regarding Accessing of Stored Data
[1. A Party may request another Party to search or similarly access, seize or similarly secure, or disclose data, stored by means of a computer system, which is located within the territory of that other Party [or other place over which it exercises its sovereign powers], including data that has been preserved pursuant to article 24.
2. Upon receipt of a request referred to in paragraph 1, the requested Party shall execute the request as expeditiously as possible, by:
a) Where permitted by its domestic law, ratifying or endorsing any judicial or other legal authorisation that was granted in the requesting Party to search or seizure the data, thereupon executing the search or seizure and, pursuant to its mutual assistance treaties or laws, as applicable, disclosing any data seized to the requesting Party; or
b) Responding to the request and disclosing any data seized, pursuant to its mutual assistance treaties or laws, as applicable; or
c) Using any other method of assistance permitted by its domestic law.]
Article 27 - Transborder Access to Stored Data Not Requiring Mutual Legal Assistance
[Notwithstanding anything in this Chapter, a Party may, when acting in accordance with its domestic law [and without obtaining the authorisation of another State or providing notice to another State]:
a) access publicly available [open source] data, regardless of where the data is geographically located;
b) access or receive stored data located in another State, if the Party [has been in contact with a person located within its territory and] acts in accordance with the lawful and voluntary consent of a person who has the lawful authority to permit the Party access to, or to disclose to the Party, that data.]
Article 28 – Interception
Article 29 - 24/7 Network
2. (a) A Party’s point of contact shall have the capacity to carry out communications with the point of contact of another Party on an expedited basis.
(b) If the point of contact designated by a Party is not part of that Party’s authority or authorities responsible for international mutual assistance or extradition, the point of contact shall ensure that it is able to coordinate with such authority or authorities on an expedited basis.
3. Each Party shall ensure that trained and equipped personnel are available in order to facilitate the operation of the network.
Chapter IV – Follow-up
Chapter V – Final Provisions
(1) The Drafting Group agreed at its 10th meeting (February 2000) that most definitions under Article 1 should be placed either in relevant parts of the Convention or in the Explanatory report and accordingly deleted from this Article definitions 1/e to 1/n. The remaining definitions (1/a – 1/e) need to revised by the DG.
(2) The explanatory report should specify that "computer system" refers to the function of data processing and therefore may include any system that is based on such a function, e.g. telecom systems, and that the "inter-connection" referred to in the definition encompasses radio and logical connections. The Chairman noted that in the jurisdiction provision(s), the PC-CY will have to determine to what extent States will be able to claim jurisdiction over acts occurring in the whole or part of such a "computer system".
(3) The concept of computer data includes computer programs. The Drafting Group agreed that the Explanatory Report should specify, either under Article 1 or another provision, that a "program" is understood as "data suitable for further processing".
(4) The explanatory report should clarify that subscriber data does not include traffic data nor the content of any communication.
(5) The explanatory report should clearly exclude electronic surveillance, this being a separate legal issue.
(6) In the understanding of certain members of the Drafting Group, "intent" may also cover "dolus eventualis". For common law countries, this notion would be similar to "recklessness", i.e. that a person is aware of the high risk that a certain result may occur and knowingly accepts it. The Drafting Group agreed that the interpretation of "intent" should be left to national laws, but it should not, where possible, exclude "dolus eventualis".
(7) The Drafting Group agreed, at its 9th meeting (January 2000) on the principle that the terms "non-public" relate to the transmission (communication) process and not necessarily to the data transmitted. It agreed to keep the term in the text temporarily and to try to find some alternative language.
(8) The Drafting Group agreed at its 8th meeting (November 1999) that the Explanatory Report should specify that ‘Alteration’ also includes tempering with traffic data (spoofing).
(9) "Suppression of data" has two commonly agreed meanings for the Drafting Group: 1) delete data so that it does not physically exist any longer; 2) "render inaccessible", i.e. prevent someone from gaining access to it while maintaining it. As the latter, second meaning covers "rendering inaccessible", which appeared separately in previous versions of this Article, this element was deleted on the understanding that an explanation will be included on this in the Explanatory Report.
(10) One delegation noted that it would need some extra-qualifyer (serious damage or harm) to make this offence extraditable.
(11) The Explanatory Report shall specify that the term "authentic" refers to the issuer of the data, regardless whether the content of the data is true or not.
(12) The Explanatory Report should clarify that the terms "without right" include legal defenses, excuses or similar relevant principles that relieve a person of responsibility under specific circumstances. For example, with respect to paragraph (2)b, a State may provide that a person is relieved of criminal responsibility if the accused proves that the person depicted is not a minor.
(13) The Drafting Group agreed at its 8th meeting (November 1999) that the Explanatory Report should specify that ‘offering’ also includes giving information about hyperlinks to child-pornography sites.
(14) The Explanatory Report should clarify that this provision by no means is intended to restrict the criminalisation of the distribution, etc, of child pornography to cases making use of a computer system, but the Convention establishes this only as a minimum standard and States are free to go beyond it.
(15) Some delegations wished to further consider their position on this paragraph and hold further consultations with domestic authorities. However, a number of delegations viewed it as a provision necessary to prevent the sexual abuse of children when such material is created.
(16) The Explanatory Report should clarify that that the term "pornographic material" is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt.
(17) The Explanatory Report should specify that a "sexually explicit conduct" covers at least actual or simulated: a) sexual intercourse, including genital-genital, oral-genital, anal-genital or oral-anal, between minors, or between an adult and a minor, of the same or opposite sex; b) bestiality; c) masturbation; d) sadistic or masochistic abuse; or e) lascivious exhibition of the genitals or the pubic area of a minor.
(18) Several alternatives were discussed at the 7th Plenary (March 2000), i.e. 14, 16 or 18 years.
(19) The Plenary agreed that once the list of criminal offences will be finalised in the draft convention, it will return to this provision on "attempt" to determine to which offences it will apply. Delegations have already expressed concern about applying a provision on "attempt" to illegal access under article 2(1) and copyright and related offences under article 4 (since attempt is not covered by the TRIPS agreement).
(20) The Plenary agreed to that Explanatory Report should clarify the double-intent requirement for establishing as criminal offences aiding and abetting, i.e. that the intent has to cover both aiding and abetting and the underlying offence. The Explanatory Report will specify that "aiding and abetting" is to be interpreted in a large sense, also covering, notably, instigators and accessories.
(21) Further consideration will have to given to the offences to be included under this provision once the list of criminal offences is finalised. At present, many States do not consider illegal access to be an extraditable offence, nor will attempt always be an extraditable offence.
(22) At its 7th meeting (March 2000), the Plenary requested the Drafting Group to find some alternative language to describe the concept of "territory".
(23) The Drafting Group did not discuss this provision at its 10th meeting (February 2000) as it is closely related to the provision on trans-border search.
(24) The Drafting Group agreed at its 10th meeting (February 2000) to use this term and clarify in the Explanatory Report that it referred to persons having an actual (physical) control over the computer (system). This would normally include the owner of the premises where the computer is located or the owner/user of the computer itself.
(25) At its 7th meeting (March 2000), the Plenary requested the Drafting Group to find some alternative language that could replace this term.
(26) Further clarification is required with regard to the inclusion of satellites, in particular as to whether this provision would require a State that has responsibility for a satellite (or shares such responsibility with other States) to establish jurisdiction over an offence where the only nexus with that State is that data related to the offence has been transmitted through that satellite. Other international instruments should be examined to determine how they affect the jurisdiction of States with respect to satellites.
(27) This provision has been limited to situations in which there is no extradition treaty in force between the Parties concerned. Where a bilateral or multilateral extradition treaty is in force between the Parties concerned (such as the 1957 European Convention on Extradition), the Parties will know to whom extradition and provisional arrest requests are to be directed without the necessity of a burdensome registration requirement. The language between brackets governing use of diplomatic channels is modeled after article 5 of the second additional protocol to the European Convention on Extradition.
(28) The Drafting Group was, for the moment, unable to reach an agreement on this provision.
(29) The explanatory text should specify that the mere fact that its legal system knows no such procedure is not sufficient grounds to refuse to apply the procedure requested by the requesting State.
(30) The Plenary agreed at its 7th meeting (March 2000) that further consideration was necessary on this matter, given that certain delegations expressed their reservation as to the possibility of giving up the requirement of dual criminality.
This paragraph assumes that the accessing State will limit its own contact
to persons within its territory (though such persons may themselves need
to contact people in other territories in order to obtain such consent or
authority). This could be explicitly added by the insertion of the bracketed
text or be explained in the explanatory memorandum.
Written From Exerts of Garland D. By Evan Sycamnias