Published on Oct 20, 2016
India and the Budapest Convention: Why not?

Worldwide, governments are struggling not only with the increasing levels of cybercrime but also with the complexities of securing electronic evidence (e-evidence) of any type of crime or economic offence.

If only a minuscule portion of cybercrimes and other offences entailing e-evidence is brought to justice, governments risk failing in their obligation to protect the rights of individuals and society against crimes, and faith in the rule of law risks being lost.

Securing e-evidence for criminal justice purposes is particularly challenging in the context of cloud computing where data is distributed over different services, providers, locations and often jurisdictions, and where mutual legal assistance is often not feasible.

These challenges are currently being addressed by the Council of Europe’s Cybercrime Convention Committee, which represents the parties to the Budapest Convention on Cybercrime. Solutions to enable criminal justice access to evidence in the cloud are a priority of the committee.

While India is confronted with the same challenges, it is not participating in this work, nor sharing its experience and shaping future international solutions as it has not yet decided to join this treaty.

International agreements form an important node in a web of solutions needed to address security and the rule of law in cyberspace. The more cyber issues affect core national interests, the more difficult it becomes to reach international consensus. However, all-inclusive solutions covering cyber warfare, terrorism and crime do not seem feasible.

With regard to "cyber" as a matter of state-to-state relations and international security, the work of the UN Group of Governmental Experts seems to be the most promising avenue at present. On cybercrime and electronic evidence as a matter of criminal justice, the Budapest Convention on Cybercrime is functioning.

So far, foreign policy considerations may have prevented India’s accession to the Budapest Convention. Given the surge in cybercrime and the vision of a Digital India, it may be time for the government of India to reconsider its position.

Challenges

Cybercrime — that is, offences against and by means of computer systems — has been around for some 45 years and can hardly be called a new phenomenon. However, with the evolution of the information society and its dependence on information and communications technologies (ICT), the vulnerability of societies worldwide to cybercrime has increased considerably.

The current scale, nature and impact of cybercrime are such that it not only undermines confidence and trust in ICT but also represents a serious threat to the fundamental rights of individuals, rule of law in cyberspace and democratic societies.

This is reflected, for example, in the large-scale theft of personal data that affects the right to privacy; attacks against the dignity and integrity of individuals, in particular children; denial of service and other attacks against media or civil society organisations affecting the freedom of expression; attacks against governments, parliaments and other democratic institutions as well as public infrastructure; or the misuse of ICT for xenophobia and racism or radicalisation and terrorist purposes. Cybercrime causes economic cost and risks to societies and undermines human development opportunities and threatens international peace and stability.

Trillions of security incidents are reported each year and millions of attacks against computer systems and data are recorded every day. However, only a tiny portion of such attacks is actually reported to criminal justice authorities.

India is no exception. According to the National Crime Records Bureau, 9,622 incidents of cybercrime were recorded in 2014 under the IT Act, Indian Penal Code and state and local laws. Even if this represents an increase of 69 percent from 2013, cybercrime accounted for only 0.13 percent of all crimes recorded in 2014.

There is, however, another dimension often neglected in discussions on cyber security and in policies and strategies on cyberspace: electronic evidence. Again, India is no exception. The National Cyber Security Policy of 2013 refers to effective law-enforcement capabilities for investigation and prosecution of cybercrime, but not to the broader issue of electronic evidence.

Criminal justice authorities need access to data for use as evidence in criminal proceedings; without data, there will be no evidence, no justice and no rule of law. Increasingly, evidence in relation to any crime is stored in electronic form on computer systems. This includes serious and violent crime, such as location data in cases of murder or rape, subscriber information related to ransom e-mails sent during kidnappings, data to identify and locate victims of child abuse or data on communications between terrorists.

It can be assumed that this is increasingly a reality in India and that a growing proportion of the more than seven million crimes recorded entails e-evidence.

The more real-world crime involves e-evidence, the greater the need for law-enforcement officers, prosecutors or judges to have the skills to deal with e-evidence. Major capacity-building within the criminal justice system is required and clear rules for access to e-evidence and its admissibility in court need to be established.

Securing e-evidence is an increasingly complex undertaking. The sheer volume of cases involving e-evidence, the number of devices, users and victims involved, and technical complications such as encryption or anonymisers present major challenges.

The transnational nature of e-evidence — it may be stored in foreign jurisdictions even in cases that are otherwise fully domestic — combined with the transversal scope of e-evidence — in that any crime may entail such evidence — has implications for international cooperation in criminal matters. Most mutual legal assistance (MLA) requests for e-evidence are not related to cybercrime but to fraud and financial crimes followed by violent and serious crimes.

Given the volatility of e-evidence, the mutual legal assistance process is rather inefficient. Response times of six to 24 months to MLA requests appear to be the norm. Many requests and thus investigations are abandoned. This adversely affects the obligation of governments to protect society and individuals against cybercrime and other crime.

Cloud computing further complicates the matter. MLA requests are about cooperation between competent authorities. But if evidence is held less on a specific device or in closed networks and is instead distributed over different services, providers, locations and often jurisdictions, it is difficult to identify the authorities to which a request should be sent.

Furthermore, law-enforcement powers are tied to the principle of territoriality, meaning that a criminal justice authority can only enforce its laws — such as ordering a service provider to produce data, or searching and seizing a computer system — on its own territory. But what principles govern the jurisdiction to enforce in a cloud context: the location of data, nationality or location of the data owner, location of the data controller, headquarters of a cloud provider, location of a subsidiary of a cloud provider or the territory where a service is offered?

The Cybercrime Convention Committee has been analysing these challenges for some time. In 2014, it adopted a set of recommendations to render MLA requests more efficient. However, it also recognised that the feasibility of MLA may be limited, given cloud computing. In 2015, therefore, it established a Cloud Evidence Working Group to identify additional solutions by the end of 2016.

These questions and solutions to them are not only relevant to the parties to the Budapest Convention but also to India. Other parties would also benefit from the experience of India.

International agreements

Security challenges in cyberspace require a web of responses by public and private sector stakeholders at all levels down to the individual. International agreements are an important part of the response but — with exceptions — they have been difficult to reach.

Quest for international treaties

International efforts to address cybercrime and e-evidence as a matter of criminal justice have been pursued since the 1980s, initially by the Council of Europe and the Organisation for Economic Cooperation and Development (OECD), and from the mid-1990s also by the G8. At the Council of Europe, this led to the adoption of soft-law recommendations providing guidance on the criminalisation of computer-related offences (1989) and on law enforcement powers regarding cybercrime and electronic evidence six years later (1995). These were precursors to the Budapest Convention, which was opened for signature in 2001.

By 2001, the problems of cybercrime and e-evidence were sufficiently important to warrant an international treaty, but cybercrime and information technologies were not yet considered so relevant to the national interests and security of states as to prevent consensus. Therefore, the Budapest Convention was forged by the member-states of the Council of Europe as well as Canada, Japan, South Africa and the US. By August 2016, all of these countries, with the exception of two members of the Council of Europe (the Russian Federation and San Marino), had signed the treaty.

At the United Nations, it has not been possible to reach a consensus so far as to whether an international treaty on cybercrime was necessary and feasible and what it would possibly comprise. The matter of "combating the criminal misuse of information technologies" was the subject of a resolution at the UN Congress on Crime Prevention and Criminal Justice in Havana in 1990. It referred to the work of the OECD and the Council of Europe, but no follow-up was given by the UN. In 2001 and 2002, it was taken up again in UN General Assembly Resolutions but at that point, the Budapest Convention had been opened for signature.

Subsequently, the question was on the agendas of UN Crime Congresses (in 2005, 2010 and 2015) and annual UN Crime Commissions but not much progress had been made. The Intergovernmental Group of Experts on Cybercrime, established at the Salvador Crime Congress in 2010, "in view of examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime," noted in its most recent meeting in 2013 "broad support for capacity-building and technical assistance" and "diverse views" on options of new international instruments.

It would seem that from around 2001, the focus within the UN had shifted from cybercrime as a matter of criminal justice to the protection of critical information infrastructure and cyber or information security as a matter of international security. From 2004, Groups of Governmental Experts (GGEs) have been meeting to examine "existing and potential threats from the cyber-sphere and possible cooperative measures to address them." Though progress is slow at the UN towards norms, rules or principles of “responsible state behaviour” in cyberspace, it is considered the most relevant forum on state-to-state relations concerning cybersecurity.

These observations are meant to illustrate the following:

  • International consensus on rules for cyberspace will remain difficult to achieve given strong and often diverging (national) interests.
  • An all-inclusive international agreement encompassing cyber (or information) warfare, terrorism and crime as proposed by some states would hardly be feasible.
  • Separating the issues into more manageable portions would seem a wiser approach. Concerning "cyber" as a matter of state-to-state relations and international security, the work of the UN GGE seems to be the most promising avenue at present, complemented, for example, by confidence-building measures agreed on by the Organisation for Security and Cooperation in Europe, bilateral “cyber diplomacy” or initiatives such as the London process.
  • On cybercrime as a matter of criminal justice, not much progress has been achieved by the UN since 1990, while the Budapest Convention is in place and functioning.

Budapest Convention on cybercrime

The Budapest Convention provides for (i) the criminalisation of conduct, ranging from illegal access, data and systems interference to computer-related fraud and child pornography; (ii) procedural law tools to make the investigation of cybercrime and the securing of e-evidence in relation to any crime more effective and (iii) international police and judicial cooperation on cybercrime and e-evidence.

States which participated in the negotiation of the Convention (members of the Council of Europe, Canada, Japan, South Africa and the US) can sign and ratify the treaty. Under Article 37, any other state can become a party by ratification or accession if it is prepared to implement the convention.

By August 2016, 49 States were parties (those already mentioned as well as Australia, Dominican Republic, Israel, Mauritius, Panama and Sri Lanka). Another six had signed it (including South Africa) and 12 had been invited to accede (most recently Ghana; from the Asia/Pacific region these include the Philippines and Tonga).

These 67 states, together with 10 international organisations (such as the Commonwealth Secretariat, INTERPOL, International Telecommunication Union and the UN Office on Drugs and Crime), participate as members or observers in the Cybercrime Convention Committee. The Committee, among other things, assesses implementation of the Convention by the parties, adopts guidance notes or prepares additional legal instruments such as draft protocols to the Convention.

The Budapest Convention is backed up by capacity-building programmes. In 2014, the Council of Europe established a dedicated Programme Office on Cybercrime (C-PROC) in Bucharest, Romania. In the Asia/Pacific region, the Philippines, Sri Lanka and Tonga are priority countries for technical assistance given their commitment to implement the Convention. They benefit from law-enforcement and judicial training and strengthening of legislation, including rule of law and human rights safeguards, of specialised institutions, public-private partnerships and international cooperation. By August 2016, C-PROC managed a portfolio of projects worth some €23 million, many being joint projects with the European Union.

This triangle of common standards (Budapest Convention), follow-up and assessments (Cybercrime Convention Committee) and capacity building (C-PROC) represents a dynamic framework. It helps ensure that states joining the Convention are actually able to keep improving the quality of implementation of its provisions and cooperation with other parties. And it allows parties to keep the Budapest Convention up-to-date and negotiate additional solutions if necessary.

Access to evidence in cloud

Obviously, defining the conduct that constitutes cybercrime in criminal law is essential. In the Budapest Convention, this is reflected in Articles 2 (illegal access to a computer system) to 12 (corporate liability). In recent years, the Cybercrime Convention Committee has adopted a series of guidance notes to show how these provisions cover phenomena such as botnets, distributed denial of service attacks and identity theft that did not exist when the Convention was adopted. The Committee is currently assessing to what extent parties have adopted sanctions and other measures that are effective, proportionate and dissuasive as foreseen in Article 13. On substantive criminal law, the Convention remains up-to-date.

The question of procedural law powers to secure e-evidence and, by extension, efficient access to evidence in a transnational and cloud context is a complicated challenge, given the limitations of the MLA process which is normally designed to protect the rights of individuals as well as the interests of states in which evidence is located.

The Cybercrime Convention Committee has, therefore, been focusing on the following questions:

  • How to ensure effective access to evidence stored on, or distributed or moving between, servers in foreign, multiple or unknown jurisdictions; and
  • How to reconcile the need for efficient law-enforcement access to data with the need to respect rule of law and human-rights requirements, and thus how to avoid the trap of undermining the rule of law through actions meant to protect it.

A number of options have been proposed by the Cloud Evidence Group of the Cybercrime Convention Committee and are currently under discussion:

  • Rendering the MLA process more efficient. Specific recommendations to this effect have already been adopted by the committee and relate, for example, to resource allocation in parties, the role of 24/7 points of contact for urgent cooperation and streamlining of MLA procedures.
  • Specific and lighter domestic rules and procedures for production orders for subscriber information in line with Article 18 of the Convention, given that subscriber information is the most sought-after information in domestic and international criminal investigations. Subscriber information is less privacy sensitive than traffic or content data and production orders are less intrusive than search, seizure or interception powers. A lower threshold for the disclosure of such information would thus be justified.
  • A Guidance Note on Article 18 on production orders for subscriber information to clarify the scope of this provision. It would require service providers located in or "offering a service in the territory" of a party — under certain conditions — to disclose subscriber information irrespective of the actual location of such data.
  • A clearer (legal) and more predictable basis for the current practice of voluntary disclosure of subscriber information by service providers directly to foreign criminal justice authorities. For example, in 2015, parties to the Budapest Convention other than the US sent about 140,000 requests to six major American providers and received data in 60 percent of the cases on average. (Incidentally, India sent about 20,000 to the same providers — of which more than half to Facebook — with a response rate of 48 percent in 2015.) It is yet to be confirmed whether Article 18 can serve as the legal basis for such direct cooperation or whether a protocol to the Convention would be needed.
  • An additional protocol to the Budapest Convention to cover, for example, a simplified regime for MLA requests for subscriber information and/or international production orders; direct cooperation between judicial authorities; joint investigations; emergency procedures; direct cooperation with providers in foreign jurisdictions; a clearer framework and safeguards for transborder access to data; and data protection rules and other safeguards.

The Cybercrime Convention Committee, with its 67 parties and observer states, will consider these proposals in November 2016 and decide on a further course of action.

These issues are of relevance to India as reflected, for example, in questions 15 and 17 of the Consultation Paper on Cloud Computing circulated by the Telecommunication Regulatory Authority of India in June 2016.

So far, however, India has not taken part in Cybercrime Convention Committee deliberations.

India and the Budapest Convention: Why not?

In 2007 and 2008, India and the Council of Europe cooperated in the reform of India’s Information Technology Act. These reforms brought the legislation of India broadly in line with the Budapest Convention.

While membership in the Budapest Convention more than doubled since then, India is yet to join this treaty. The reasons are not entirely clear. Concerns voiced by different stakeholders include:

  • That India did not participate in the negotiation of the Convention and thus should not sign it. Obviously, participation by India in the negotiation of the original treaty would have been preferable. This concern is not unique to India. Yet, other states recognised that the benefits of joining it outweigh this concern. They can now fully participate in the further evolution of the treaty, including the possible negotiation of additional protocols. India has come to a similar conclusion on two other Council of Europe treaties which it did not negotiate, namely on international cooperation in tax matters (to which it became a party in 2012) and on the transfer of sentenced persons (it requested accession and was invited to accede in 2016).
  • That the Budapest Convention — through its Article 32b — allows for transborder access to data and thus infringes on national sovereignty. After thorough scrutiny, the Cybercrime Convention Committee confirmed the limited scope of Article 32b in a Guidance Note in 2014. This then led some quarters in the government of India to criticise that Article 32 was too limited and that additional options would be needed.
  • That the MLA regime of the Convention is not effective, "the promise of cooperation not firm enough," or that there are grounds for refusal to cooperate. It is true that the Cybercrime Convention Committee has come to the conclusion that while the level of MLA keeps increasing among parties, the process needs to be made more efficient overall. This matter is being addressed through follow-up to a set of recommendations adopted in 2014 and the proposals made by the Cloud Evidence Group. The 'algorithm' of the Convention — the triangle of standards, follow-up and capacity-building — allows it to address possible shortcomings. Nevertheless, one should remain realistic and not expect one treaty to resolve all possible problems. India would certainly not expect this from other international treaties to which it is a party.
  • That it is a criminal justice treaty and thus does not cover state actors or that some of the states from which most attacks affecting India emanate have not signed the Convention. Indeed, it is a criminal justice treaty and the question of state-to-state relations needs to be addressed in other fora such as the UN GGE.
  • That India should promote a treaty at the UN level. This proposal seems to be favoured in the context of BRICS but the intended scope remains unclear — is it meant to be a criminal justice treaty, to focus on terrorism, or to address state-to-state relations and matters of international security or all of these? Taking into account the experience since 1990, it is unlikely that a binding UN treaty will be available any time soon. Meanwhile, cybercrime keeps growing day by day.

Overall, it would seem that India joining the Budapest Convention has so far been primarily hostage to diplomatic and foreign policy considerations and less to concerns of actual criminal justice cooperation on cybercrime and e-evidence. From the latter perspective:

  • The challenges currently being addressed by the parties to the Convention through the Cybercrime Convention Committee are highly relevant also for India;
  • The Convention offers a legal basis and practical framework for police-to-police and judicial cooperation on cybercrime and e-evidence with an increasing number of other parties. This framework is constantly under review to make it more effective;
  • As the Convention evolves, India would be able to contribute to shaping future solutions if it were a party;
  • India would become a priority country for capacity-building.

Given Prime Minister Narendra Modi’s vision of a Digital India and considering the surge in cybercrime, it would be beneficial for India to join this treaty.

This essay originally appeared in the third volume of Digital Debates: The CyFy Journal.

The views expressed above belong to the author(s).