Cybercrime – offences against and by means of computer systems – is a fundamental threat to core values of societies.
The large-scale theft of personal data, computer intrusions, bullying, harassment and other forms of cyber violence, or sexual violence against children online, are attacks against human rights. Hate speech, xenophobia and racism may contribute to radicalisation leading to violent extremism. Attacks against computers used in elections and election campaigns – such as compromising voter databases, tampering with voting machines, denial of service attacks on voting day, the theft of data during election campaigns and related information operations – are attacks against democracy. Daily attacks against critical information infrastructure affect national security and economic and other national interests as well as international peace and stability.
Moreover, evidence in relation to fraud, corruption, murder, rape, terrorism, the sexual abuse of children and, in fact, any type of crime may take the form of electronic evidence stored on servers "somewhere in the cloud". Securing such evidence is necessary to ensure the rule of law and protect society and individuals. But accessing such evidence also has implications for human rights and the rule of law.
Threats are likely to increase with the Internet of Everything, the use of artificial intelligence for scanning of vulnerabilities and automating targeted attacks, and within a tense international context where cyberattacks and information operations – hybrid warfare – are means to pursue political interests.
If only a minuscule share of offenders is brought to justice and if governments fail in their obligation to protect the rights of individuals and society against crime, public trust in the rule of law and democratic systems will further erode.
In short, cybercrime and the challenges of electronic evidence affect everything; they are matters of human rights, democracy and the rule of law, of national interests and of national and international security.
The response of the Budapest Convention on Cybercrime
The Budapest Convention on Cybercrime of the Council of Europe is a binding international treaty that provides a framework to States regarding (a) the criminalisation of conduct (that is, offences against and by means of computers), (b) procedural powers for criminal justice authorities to secure electronic evidence in relation to any crime, subject to rule of law safeguards, and (c) international cooperation on cybercrime and electronic evidence.
Opened for signature in Budapest in 2001, this treaty has become the global standard in this field. By the end of June 2018, 60 States had become Parties (the latest being Argentina, Cabo Verde, Morocco and the Philippines) and a further 11 States had signed it or been invited to accede. In addition to these 71 States, another seventy or so had used it as a guideline for domestic legislation. More than 160 States had cooperated with the Council of Europe in capacity building activities on the basis of the Budapest Convention, and many of them are likely to join this treaty sooner or later.
The Convention is backed up by the Cybercrime Convention Committee, which (a) assesses implementation by the Parties, (b) develops Guidance Notes on how existing provisions of the treaty can be applied to phenomena that were not relevant (or less so) in 2001, such as botnets, denial of service attacks, identity theft and others, and (c) negotiates additions to the Budapest Convention.
And finally, a dedicated Cybercrime Programme Office was set up in 2014 in Bucharest, Romania, for worldwide capacity building to help States implement the Budapest Convention and apply it in practice.
In short, with regard to cybercrime as a matter of criminal justice a functioning agreement is in place with increasing membership and use in actual law enforcement operations.
This is remarkable given conflicting interests and thus the difficulty of reaching international agreement on all things cyberspace. The Convention was negotiated some twenty years ago, that is, at a time when cybercrime was sufficiently important to warrant an international treaty, but information and communication technologies were not yet so crucial that other (national) interests stood in the way of agreement.
Towards a Protocol to the Budapest Convention
Additional solutions are nevertheless required to address the problem of electronic evidence. Securing e-evidence for criminal justice purposes is particularly challenging in the context of cloud computing where data is distributed over multiple services, providers, locations and jurisdictions. With powers of law enforcement limited by territorial boundaries and mutual legal assistance often not feasible, the investigation and prosecution of cybercrime risks becoming ineffective.
In June 2017, the Parties to the Budapest Convention therefore decided to prepare an additional protocol on enhanced international cooperation and access to evidence in the cloud. Negotiations are foreseen to last until the end of 2019. Options under consideration, such as direct cooperation by law enforcement with a service provider in another jurisdiction or extending a search to a computer located in another jurisdiction, will need to be reconciled with concerns over national sovereignty, data protection rules and other human rights and rule of law safeguards.
And coherence needs to be ensured between this future protocol, proposals on e-evidence currently under discussion within the European Union and the CLOUD Act adopted by the Congress of the United States in March 2018.
Protecting the rule of law and unintended consequences
Obviously, the complex challenges of cybercrime and cybersecurity require a multi-faceted set of tools and solutions. Criminal justice is one of them.
Protecting and defending systems, setting up incident response mechanisms and educating users already mean that the largest share of the hundreds of millions of daily attacks is repelled.
National security and intelligence bodies may have prevented numerous terrorist and other attacks. At the same time, there are concerns about mass surveillance and the bulk collection of data, and that the activities of such bodies comprise measures beyond national security requirements, such as espionage, political control and the pursuit of other national interests.
With cyberspace considered the "fifth domain of warfare", States allocate considerable resources to defensive and offensive military capabilities and information operations, with the obvious risk of a further militarisation of cyberspace.
Criminal justice obviously offers a higher level of protection of the rights of individuals than national security or defence solutions.
However, the very need to protect the rights of individuals and to meet data protection and other rule of law requirements may very well lead to a dilemma: if criminal justice authorities are no longer able to investigate cybercrime and secure electronic evidence in an effective manner, competencies and resources may further shift to national security and intelligence bodies without the same level of safeguards.
Current trends suggest that while the powers of law enforcement to investigate cybercrime and secure electronic evidence become more restricted (in particular following the Snowden revelations in June 2013 and reports on mass surveillance and bulk interceptions), greater margins continue to be granted to national security and intelligence bodies.
There are good reasons to bring public WHOIS databases in line with data protection requirements. But the recent failure to adopt on time a system permitting access to data of domain registrants for legitimate reasons of public interest – such as public safety – while meeting data protection requirements means that as from May 2018 law enforcement authorities will often no longer be able to identify the owners of criminal domains and thus to investigate and prosecute cybercrime. Incidentally, within the same week that a German court decided that a registrar was no longer required to collect registrant data for WHOIS purposes, another court in Germany decided that the German external intelligence service BND is entitled to extract data flowing through one of the world's largest Internet exchanges, DE-CIX, in Frankfurt.
Law enforcement access to traffic data should be subject to safeguards, but it is arguable whether information on a dynamic IP address needed solely for the identification of a subscriber indeed qualifies as traffic data rather than subscriber information, and thus whether obtaining such data should require a higher threshold (see the arguments in Benedik v. Slovenia of the European Court of Human Rights).
General data retention requirements are problematic, as the data retained "may allow very precise conclusions to be drawn concerning the private lives" of individuals, as stated by the Court of Justice of the European Union in December 2016. However, removal of data retention requirements also means that crucial electronic evidence is often no longer available for criminal investigations. The result may well be an expansion of targeted interception of communications or mass surveillance by national security and intelligence bodies.
Clearly, law enforcement powers that interfere with the rights of individuals must only be exercised as prescribed by law and to the extent strictly necessary and proportionate.
However, increasing restrictions on the effectiveness of criminal justice authorities may have the unintended consequence of favouring a further shift of powers to national security and intelligence bodies that are subject to lesser restrictions and can operate within broader margins.
Governments have the obligation to protect individuals against crime, including through criminal law, as stated by the European Court of Human Rights in K.U. v. Finland ten years ago.
Solutions for more effective criminal justice access to electronic evidence – such as those foreseen under the future Protocol to the Budapest Convention – are essential. Criminal justice authorities need to have the powers to secure such evidence in specific criminal investigations, even as technologies evolve.
Data protection, civil society and industry organisations should contribute to ensuring that solutions are both effective and meet human rights and rule of law requirements at the same time.
*The views expressed here are those of the author and do not necessarily reflect official positions of the Council of Europe.