Cybercrime Treaty Reference Site

The Convention on Cybercrime: What Is It?

Over the past several years, Cybercrime has risen dramatically on a global scale. Country borders do not exist on the Internet. The effective inability to apply any country's laws to transborder cybercriminals has resulted in an open season for countless perpetrators of fraud, identify theft, exploitation of children, network attacks, massive SPAM, terrorist activities - essentially every scam and crime that can be re-invented in cyberspace.

In 1998, critical infrastructure studies led to the recommendation of a Cybercrime treaty.  See, e.g., Stephen J. Lukasik, Lawrence T. Greenberg, Seymour E. Goodman, Protecting an invaluable and ever-widening infrastructure, 41 Communications of the ACM 6 (June 1998); Abraham D. Sofaer, Seymour E. Goodman, Stephen J. Lukasik, et al, A Proposal for an International Convention on Cyber Crime and Terrorism, The Hoover Institution, The Consortium for Research on Information Security and Policy (CRISP), The Center for International Security and Cooperation (CISAC), Stanford University, August 2000; Lukasik et al, in The Transnational Dimension of Cyber Crime and Terrorism, Abraham D. Sofaer and Seymour E. Goodman, editors, Hoover Institution, 2001; Stephen Lukasik , Seymour Goodman , David Longhurst, National Strategies for the Protection of Critical Infrastructures Against Cyber Attack, Oxford University Press (October, 2003).

After several years of careful planning and drafting, the Convention on Cybercrime was signed by representatives of 30 countries at Budapest on 23 November 2001. This treaty is narrowly tailored to dealing with Cybercrime occurring across borders, and has been signed by 35 countries - largely European, plus Canada, Japan, South Africa, and the United States. The treaty will enter into force on 1 July 2004. Many countries are at various stages of ratification.

The repository body of the treaty is the Council of Europe, which has a Treaty Office website on the Cybercrime Convention (Convention sur la cybercriminalité) containing the treaty, explanatory report, and other relevant information. 

In February 2003, the U.S. industry led National Security Telecommunications Advisory Committee adopted a Legislative and Regulatory Task Force Report strongly recommending the treaty.  This was followed by the Secretary of State on 11 Sept preparing a Letter of Submittal (extracted text) to the President containing additional U.S. declarations and understandings.  This was followed on 17 November by the President transmitting the treaty to the U.S. Senate (extracted text) to "give its advice and consent to ratification, subject to the reservations, declarations, and understanding described in the accompanying report of the Department of State.  This was read in the U.S. Senate the first time on 17 November, referred to the Committee on Foreign Relations , printed as  Treaty Doc. 108-11 (complete scanned document less Convention and Explanatory Report which is available on the Council of Europe website).  The Committee held a hearing on 17 June 2004.

The Cybercrime Convention does three major things:

  1. Prohibited Conduct. It includes descriptions of conduct that each member country should "as necessary" proscribe: laws against intentional and serious computer hacking, illegal interception, forgery, fraud, child pornography, intellectual property infringement, and aiding and abetting these offenses. (Articles 2-11).

  2. National Legal Process. It includes descriptions of basic national legal procedures, investigatory tools, and human rights safeguards that most nations, including the U.S., already have as part of their legal systems. (Articles 16-22).

  3. International Cooperation. It includes several areas where international cooperation in investigating cybercrime is appropriate, subject to confidentiality and conditions of use. This includes access to information about apparent perpetrators, the basis for providing mutual investigatory assistance, availability of criminal evidence, safeguards, and points of contact. (Articles 23-35).

Eight reasons why this treaty should be ratified

This is a well crafted treaty whose need has become ever more apparent over the past several years. Signatory countries should rapidly ratify it. In the United States, this includes the Senate providing its affirmative advice and consent to the President's recent transmittal for ratification. There are 8 main attributes of the agreement:

Reason #1: The treaty provides critical arrangements needed by law enforcement to stem transborder cybercrime. Most Internet activities involve the simultaneous interactions of many connected computers dispersed all over the world. Across multiple countries, cybercrime operations can be set up, then reconfigured in milliseconds. It is not possible for any one country to deal with these international developments. Close continuing cooperation is essential to discover the activity, gather evidence, and prosecute the perpetuators. There is no alternative to the Convention on Cybercrime other than every country effecting bilateral agreements with every other concerning the same matters. There are no other multilateral means of accomplishing what is provided in the treaty.

Reason #2: The treaty provides for substantial privacy and civil liberties protections. The treaty in its preamble and throughout its provisions gives due recognition to the importance of human rights protections found in international covenants and most national constitutions. It explicitly includes the ability for any signatory nation to avoid cooperation for activities viewed by the cooperating country as "political."

Reason #3: The treaty is narrowly tailored to accomplish its purpose. The treaty does only what is required to deal with transnational cybercrime, and nothing more. This includes the basics of prohibited criminal conduct, discovery, and evidentiary forensics necessary for prosecution.

Reason #4: The treaty significantly mirrors existing Federal and State law and process in the U.S. While the treaty is generic and intended to over the legal regimes of all signatory countries, it significantly reflects the lawful access regime and protections existing in the U.S. This includes not only substantive and procedural provisions, but also Constitutional protections relating to expression, due process, and equal protection.

Reason #5: The treaty contains numerous mechanisms to avoid conflicts with foreign law and process. Throughout the Convention, multiple provisions are included that indicate where nations may have divergent treatment of the procedural or substantive legal provisions. These were included on matters that were known by the Convention's authors to constitute conflicts among nations. Additionally, four Articles in the Convention allow for any nation at the time of signing or at ratification or accession, to submit declarations or reservations with respect to obligations under any provision of the Convention. These reservations may include those arising under Federal-state relationships.

Reason #6: The treaty only minimally deals with intellectual property law. The Convention calls for countries which have assumed intellectual property protection obligations under other longstanding treaties to adopt domestic law that enforces those protections "...where those acts are committed willfully, on a commercial scale and by means of a computer system." This provision is one of ten kinds of crimes identified by the Convention. See Art. 10.

Reason #7: The treaty provides no new invasive capabilities. The Convention describes the same kinds of basic investigative capabilities that been used for law enforcement since the beginning of electronic communications. These include the preservation of subscriber data records, collection of traffic data, and the access to content - all subject to increasing due process safeguards as the actions affect individual privacy.

Reason #8: The treaty was appropriately prepared among justice experts worldwide, working with industry and academic communities, and based on growing cybercrime experience. That work began in 1996, and continued for more than five years. Some of this history is found in the extensive Explanatory Report accompanying the Convention, and publicly available on the Council of Europe Treaty Office website. Typically in every country, this work has received the strong support of multiple administrations and parties in office.