So far, foreign policy considerations may have prevented India’s accession to the Budapest Convention.
Worldwide, governments are struggling not only with the increasing levels of cybercrime but also with the complexities of securing electronic evidence (e-evidence) of any type of crime or economic offence.
If only a minuscule portion of cybercrimes and other offences entailing e-evidence is brought to justice, it risks failure of governments in their obligation to protect the rights of individuals and society against crimes and loss of faith in the rule of law.
Securing e-evidence for criminal justice purposes is particularly challenging in the context of cloud computing where data is distributed over different services, providers, locations and often jurisdictions, and where mutual legal assistance is often not feasible.
These challenges are currently being addressed by the Council of Europe’s Cybercrime Convention Committee, which represent the parties to the Budapest Convention on Cybercrime. Solutions to enable criminal justice access to evidence in the cloud are a priority of the committee.
While India is confronted with the same challenges, it is not participating in this work, nor sharing its experience and shaping future international solutions as it has not yet decided to join this treaty.
International agreements form an important node in a web of solutions needed to address security and the rule of law in cyberspace. The more cyber issues affect core national interests, the more difficult it becomes to reach international consensus. However, all-inclusive solutions covering cyber warfare, terrorism and crime does not seem feasible.
With regard to "cyber" as a matter of state-to-state relations and international security, the work of the UN Group of Governmental Experts seems to be the most promising avenue at present. On cybercrime and electronic evidence as a matter of criminal justice, the Budapest Convention on Cybercrime is functioning.
So far, foreign policy considerations may have prevented India’s accession to the Budapest Convention. Given the surge in cybercrime and the vision of a Digital India, it may be time for the government of India to reconsider its position.
Cybercrime — that is, offences against and by means of computer systems — has been around for some 45 years and can hardly be called a new phenomenon. However, with the evolution of the information society and its dependence on information and communications technologies (ICT), the vulnerability of societies worldwide to cybercrime has increased considerably.
The current scale, nature and impact of cybercrime are such that it not only undermines confidence and trust in ICT but also represents a serious threat to the fundamental rights of individuals, rule of law in cyberspace and democratic societies.
This is reflected, for example, in the large-scale theft of personal data that affects the right to privacy; attacks against the dignity and integrity of individuals, in particular children; denial of service and other attacks against media or civil society organisations affecting the freedom of expression; attacks against governments, parliaments and other democratic institutions as well as public infrastructure; or the misuse of ICT for xenophobia and racism or radicalisation and terrorist purposes. Cybercrime causes economic cost and risks to societies and undermines human development opportunities and threatens international peace and stability.
Trillions of security incidents are reported each year and millions of attacks against computer systems and data are recorded every day. However, a tiny portion of such attacks is actually reported to criminal justice authorities.
India is no exception. According to the National Crime Records Bureau, 9,622 incidents of cybercrime were recorded in 2014 under the IT Act, Indian Penal Code and state and local laws. Even if this represents an increase of 69 percent from 2013, cybercrime accounted for only 0.13 percent of all crimes recorded in 2014.
There is, however, another dimension often neglected in discussions on cyber security and in policies and strategies on cyberspace: electronic evidence. Again, India is no exception. The National Cyber Security Policy of 2013 refers to effective law-enforcement capabilities for investigation and prosecution of cybercrime, but not to the broader issue of electronic evidence.
Criminal justice authorities need access to data for use as evidence in criminal proceedings; without data, there will be no evidence, no justice and no rule of law. Increasingly, evidence in relation to any crime is stored in the electronic form on computer systems. This includes serious and violent crime, such as location data in cases of murder or rape, subscriber information related to ransom e-mails sent during kidnappings, data to identify and locate victims of child abuse or data on communications between terrorists.
It can be assumed that this is increasingly a reality in India and that a growing proportion of the more than seven million crimes recorded entails e-evidence.
The more real-world crime involves e-evidence, the greater the need for law-enforcement officers, prosecutors or judges to have the skills to deal with e-evidence. Major capacity-building within the criminal justice system is required and clear rules for access to e-evidence and its admissibility in court need to be established.
Securing e-evidence is an increasingly complex undertaking. The sheer volume of cases involving e-evidence, the number of devices, users and victims involved, and technical complications such as encryption or anonymisers present major challenges.
The transnational nature of e-evidence — it may be stored in foreign jurisdictions even in cases that are otherwise fully domestic — combined with the transversal scope of e-evidence — in that any crime may entail such evidence — has implications on international cooperation in criminal matters. Most mutual legal assistance (MLA) requests for e-evidence are not related to cybercrime but to fraud and financial crimes followed by violent and serious crimes.
Given the volatility of e-evidence, the mutual legal assistance process is rather inefficient. Response times of six to 24 months to MLA requests appear to be the norm. Many requests and thus investigations are abandoned. This adversely affects the obligation of governments to protect society and individuals against cybercrime and other crime.
Cloud computing further complicates the matter. MLA requests are about cooperation between competent authorities. But if evidence is less held on a specific device or in closed networks but is distributed over different services, providers, locations and often jurisdictions, it is difficult to identify to which authorities to send a request.
Furthermore, law-enforcement powers are tied to the principle of territoriality, meaning that a criminal justice authority can only enforce its laws — such as ordering a service provider to produce data, or searching and seizing a computer system — on its own territory. But what principles govern the jurisdiction to enforce in a cloud context: the location of data, nationality or location of the data owner, location of the data controller, headquarters of a cloud provider, location of a subsidiary of a cloud provider or the territory where a service is offered?
The Cybercrime Convention Committee has been analysing these challenges for some time. In 2014, it adopted a set of recommendations to render MLA requests more efficient. However, it also recognised that the feasibility of MLA may be limited, given cloud computing. In 2015, therefore, it established a Cloud Evidence Working Group to identify additional solutions by the end of 2016.
These questions and solutions to them are not only relevant to the parties to the Budapest Convention but also to India. Other parties would also benefit from the experience of India.
Security challenges in cyberspace require a web of responses by public and private sector stakeholders at all levels down to the individual. International agreements are an important part of the response but — with exceptions — they have been difficult to reach.
International efforts to address cybercrime and e-evidence as a matter of criminal justice have been pursued since the 1980s, initially by the Council of Europe and the Organisation for Economic Cooperation Development (OECD), and from the mid-1990s also by G8. At the Council of Europe, this led to the adoption of soft-law recommendations providing guidance on the criminalisation of computer-related offences (1989) and on law enforcement powers regarding cybercrime and electronic evidence six years later (1995). These were precursors to the Budapest Convention which was opened for signature in 2001.
By 2001 the problems of cybercrime and e-evidence were sufficiently important to warrant an international treaty but cybercrime and information technologies were not yet considered too relevant on national interests and security of states to prevent consensus. Therefore, the Budapest Convention was forged by the member-states of the Council of Europe as well as Canada, Japan, South Africa and the US. By August 2016, all of these countries, with the exception of two members of the Council of Europe, (the Russian Federation and San Marino) had signed the treaty.
At the United Nations, it has not been possible to reach a consensus so far as to whether an international treaty on cybercrime was necessary and feasible and what it would possibly comprise. The matter of "combating the criminal misuse of information technologies" was the subject of a resolution at the UN Congress on Crime Prevention and Criminal Justice in Havana in 1990. It referred to the work of the OECD and the Council of Europe, but no follow-up was given by the UN. In 2001 and 2002, it was taken up again in UN General Assembly Resolutions but at that point, the Budapest Convention had been opened for signature.
Subsequently, the question was on the agendas of UN Crime Congresses (in 2005, 2010 and 2015) and annual UN Crime Commissions but not much progress had been made. The Intergovernmental Group of Experts on Cybercrime, established at the Salvador Crime Congress in 2010, "in view of examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime," noted in its most recent meeting in 2013 "broad support for capacity-building and technical assistance" and "diverse views" on options of new international instruments.
It would seem that from around 2001, the focus within the UN had shifted from cybercrime as a matter of criminal justice to the protection of critical information infrastructure and cyber or information security as a matter of international security. From 2004, Groups of Governmental Experts (GGEs) have been meeting to examine "existing and potential threats from the cyber-sphere and possible cooperative measures to address them." Though progress is slow at the UN towards norms, rules or principles of “responsible state behaviour” in cyberspace, it is considered the most relevant forum on state-to-state relations concerning cybersecurity.
These observations are meant to illustrate the following:
The Budapest Convention provides for (i) the criminalisation of conduct, ranging from illegal access, data and systems interference to computer-related fraud and child pornography; (ii) procedural law tools to make the investigation of cybercrime and the securing of e-evidence in relation to any crime more effective and (iii) international police and judicial cooperation on cybercrime and e-evidence.
States which participated in the negotiation of the Convention (members of the Council of Europe, Canada, Japan, South Africa and the US) can sign and ratify the treaty. Under Article 37, any other state can become a party by ratification or accession if it is prepared to implement the convention.
By August 2016, 49 States were parties (those already mentioned as well as Australia, Dominican Republic, Israel, Mauritius, Panama and Sri Lanka). Another six had signed it (including South Africa) and 12 had been invited to accede (most recently Ghana; from the Asia/Pacific region these include the Philippines and Tonga).
These 67 states — together with 10 international organisations (such as the Commonwealth Secretariat, INTERPOL, International Telecommunication Union and the UN Office on Drugs and Crime) participate as members or observers in the Cybercrime Convention Committee. The Committee, among other things, assesses implementation of the Convention by the parties, adopts guidance notes or prepares additional legal instruments such as draft protocols to the Convention.
The Budapest Convention is backed up by capacity-building programmes. In 2014, the Council of Europe established a dedicated Programme Office on Cybercrime (C-PROC) in Bucharest, Romania. In the Asia/Pacific region, the Philippines, Sri Lanka and Tonga are priority countries for technical assistance given their commitment to implement the Convention. They benefit from law-enforcement and judicial training and strengthening of legislation, including rule of law and human rights safeguards, of specialised institutions, public-private partnerships and international cooperation. By August 2016, C-PROC managed a portfolio of projects worth some €23 million, many being joint projects with the European Union.
This triangle of common standards (Budapest Convention), follow-up and assessments (Cybercrime Convention Committee) and capacity building (C-PROC) represents a dynamic framework. It helps ensure that states joining the Convention are actually able to keep improving the quality of implementation of its provisions and cooperation with other parties.. And it allows parties to keep the Budapest Convention up-to-date and negotiate additional solutions if necessary.
Obviously, defining the conduct that constitutes cybercrime in criminal law is essential. In the Budapest Convention, this is reflected in Articles 2 (illegal access to a computer system) to 12 (corporate liability). In recent years, the Cybercrime Convention Committee has adopted a series of guidance notes to show how these provisions cover the phenomena such as botnets, distributed denial of service attacks and identity theft that did not exist when the Convention was adopted. The Committee is currently assessing to what extent parties have adopted sanctions and other measures that are effective, proportionate and dissuasive as foreseen in Article 13. On substantive criminal law, the Convention remains up-to-date.
The question of procedural law powers to secure e-evidence and, by extension, efficient access to evidence in a transnational and cloud context is a complicated challenge, given the limitations of the MLA process which is normally designed to protect the rights of individuals as well as the interests of states in which evidence is located.
The Cybercrime Convention Committee has, therefore, been focusing on the following questions:
A number of options have been proposed by the Cloud Evidence Group of the Cybercrime Convention Committee and are currently under discussion:
The Cybercrime Convention Committee — with its 67 parties and observer states – will consider these proposals in November 2016 and decide a further course of action.
These issues are of relevance to India as reflected, for example, in questions 15 and 17 of the Consultation Paper on Cloud Computing circulated by the Telecommunication Regulatory Authority of India in June 2016.
So far, however, India has not taken part in Cybercrime Convention Committee deliberations.
In 2007 and 2008, India and the Council of Europe cooperated in the reform of India’s Information Technology Act. These reforms brought the legislation of India broadly in line with the Budapest Convention.
While membership in the Budapest Convention more than doubled since then, India is yet to join this treaty. The reasons are not entirely clear. Concerns voiced by different stakeholders include:
Overall, it would seem that India joining the Budapest Convention has so far been primarily hostage to diplomatic and foreign policy considerations and less to concerns of actual criminal justice cooperation on cybercrime and e-evidence. From the latter perspective,
Given Prime Minister Narendra Modi’s vision of a Digital India and considering the surge in cybercrime, it would be beneficial for India to join this treaty
This essay originally appeared in the third volume of Digital Debates: The CyFy Journal.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.