The potential ideal of cyberspace has always been a free-flowing, borderless utopia. In this vision, information and ideas travel freely from user to user, with technology overcoming language barriers and common standards ensuring compatibility all around. However, the digital domain is a reflection of the offline world. To keep it running and to maintain security, territory and responsibility have to be demarcated somehow. When an infraction or a dispute takes place, it is natural to turn to the international legal system.
There is no universally accepted international cyber treaty. However, the Council of Europe’s Budapest Convention on Cybercrime, which has been in force for a decade and has been ratified by 44 countries, is the closest there is to one. Part of the success of the Budapest Convention can be attributed to its relative flexibility, allowing signatories to choose how they will implement the requirements of the treaty. It seeks to build on existing international cooperation mechanisms, including Mutual Legal Assistance Treaties (MLATs) and extradition agreements.
The Budapest Convention seeks to make international cyber cooperation more efficient by harmonising two different legislative strands. The first is determining what conduct is criminalised – such as illegal access of computer systems, fraud, child pornography, copyright infringement, etc. – and the second is the investigative procedures used thereafter. The investigative procedures include seizing, storing and sharing computer data, both traffic and content related. The convention also requires that adequate measures, like judicial oversight, are taken to safeguard human rights and that the principle of proportionality is followed.
For countries which are not signatories, the Budapest Convention provides an informal guide to cooperation, suggesting useful measures. The informal adoption of provisions in the convention could lead to it becoming a de facto global cybercrime treaty. As mentioned earlier, the Budapest Convention relies and builds upon other international cooperation mechanisms. One of the common complaints about the existing mechanisms, particularly MLATs, is that they are not well suited to time-sensitive cyber cases. The premier investigative body in India, the Central Bureau of Investigation (CBI), reports that getting a response through the MLAT system takes on average 3 years and 4 months. The Budapest Convention attempted to address this by establishing a 24/7 ‘points of contact network’, which would allow requests for assistance to be made at any time with the aim of getting quicker results.
The efforts to harmonise substantive criminal laws will make mutual legal assistance easier, as many provisions rely on a ‘dual criminality’ clause to operate. Under dual criminality, a request – say for extradition – can depend on the offender’s actions being classified a crime in both the country requesting extradition and the country fulfilling it.
Growing numbers of requests for data have meant that both governments and private entities must adapt and formulate strategies to categorise the information they have and respond appropriately to requests. Particularly for multinational companies which may store large amounts of data around the world, this would require at least two separate investments. The first would be the creation of databases, to organise the information being requested, the parties doing the requesting, and the users who would be affected. The second would be an authentication procedure of some kind, to ensure that data protection – mandated by law in several jurisdictions – was upheld. The Googles of this world might well be able to accomplish such a feat, but for smaller companies, it is a monumental task. This would involve each party, public or private, having its own method for requesting data and for responding to those requests – a hugely time-consuming and cost-intensive approach. It would also doubtless lead to dispute and confusion when differing methods clashed. The lack of a standard procedure means that, unlike case law which forms precedent, the individual decisions taken under this method cannot be taken together to form a coherent body of reference. The system would be missing three key factors: predictability, transparency and accountability. A standardised procedure for information requests and authentication, such as the one proposed by the Internet & Jurisdiction Project based out of France, would help to ensure due process.
If the digital domain is a reflection of the offline world, then it is plausible that the dynamics of jurisdiction would be the same both on- and off-line. Nevertheless, the perennial problem is the uniqueness of data. It may be simple to determine jurisdiction depending on where a data packet originates and where it ends up, but what about when it is in transit? Carrying forward principles from the laws of the sea, tagging data packets with a nationality, like a flag on a ship, could be one way to resolve such issues.
The challenges involved in managing cross-border jurisdiction may lend further support to the data localisation movement. Mandating that data pertaining to citizens of a particular country is stored on domestic servers or otherwise made automatically accessible would greatly aid law enforcement agencies.
The author is a Junior Fellow at the Observer Research Foundation
This article originally appeared in the ORF Cyber Monitor, Volume III Issue 3, March 2015
The views expressed above belong to the author(s).