Henrik Spang-Hanssen

The Future of International Law: CyberCrime
From presentation at: Regional Meeting of ASIL Golden Gate University School of Law Seventeen Annual Fulbright Symposium on The Future of International Law San Francisco, 6 April 2007 Abstract: This Article first deals with the question of to what extent the Convention on CyberCrime have unreasonable implications for the individual Cybernauts, specially the convention’s basic principle of “aut dedere aut judicare” – the duty of each party to extradite or to prosecute. Next, it deals with the problem that the convention pursuant to article 22(4) does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law. It then describe when a state under public international law has jurisdiction over public international computer networks (‘the Internet”), including the problem of where the offence is committed and who is the offender. In addition it deals with the problem of a “minor” being the offender and mention some Internet related cases involving juveniles. Finally, it deals with what public international law should embrace in relation to public international computer networks.

Not printed in: Annual Survey of International and Comparative Law Volume XIV, Golden Gate University, School of Law Citation: Henrik Spang-Hanssen, The Future of International Law: CyberCrime (2008). Available at SSRN: http://ssrn.com/abstract=1090876
This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection: http://ssrn.com/abstract=1090876 © 2007 Henrik Spang-Hanssen e-mail: hssph@yahoo.com Research website: www.geocities.com/hssph

The Future of International Law: CyberCrime

The Future of International Law: CyberCrime Henrik Spang-Hanssen*
1. Convention on CyberCrime.............................................................................................................................3 1.1 Parties to the Convention.............................................................................................................................3 1.2 Outline of the Convention ............................................................................................................................4 1.3 The United States of America.......................................................................................................................4 1.3.1. Reservations.........................................................................................................................................5 1.3.2. Declarations .........................................................................................................................................6 2. Some Problems for Cybernauts related to the Convention...........................................................................6 2.1. Article 22 – 2.2. Article 24 – Jurisdiction..........................................................................................................................6 Extradition...........................................................................................................................7

2.3. Global jurisdiction to be considered by the individual Cybernaut..............................................................8 2.4. Other Aspects to be considered by the individual Cybernaut......................................................................8 3.1. When is a State allowed to govern pursuant to Public International Law ...............................................8 3.2. When is the Offence-place “in” or “on” the State’s Sphere ?.................................................................13 3.3. Who is the Offender ? .................................................................................................................................15 3.4. Intent ............................................................................................................................................................15 3.5. Extradition ...................................................................................................................................................16 4. Some US Computer Crime Cases after 1998................................................................................................18 4.1. Juveniles....................................................................................................................................................18 4.1.1. U.S. v. An Unnamed Juvenile (D. Mass., March 18, 1998)...............................................................18 4.1.2. U.S. v. "Comrade" (S.D. FL., September 21, 2000) ..........................................................................20 4.1.3. U.S. v. Sanford (N.D. TX, December 6, 2000).................................................................................20 4.1.4. U.S. v. An Unnamed Juvenile (W.D. Wash., February 11, 2005) .....................................................21 5. The Future of (Public) International Law on CyberCrime ........................................................................21 * Henrik Spang-Hanssen is by several person involved in public international law regarded as an extraordinary scientist and the one or one of very few that is an expert on the issue of public international law and public international computer network (the “Internet”). He has primarily done research from Stanford University in California, Oxford University in England, and the Norwegian Research Center for Computer and Law, Oslo University, Norway. He first time used a computer back in 1971 at the Niels Bohr Institute in Copenhagen. He has Master’s degrees in Law from Denmark and California (US High Tech Law). He is a licensed Supreme Court attorney-at-law in Denmark and has previously worked as prosecutor in Danish Appeal Courts. He is a previous student at the Technical University of Denmark.

He is the author of the books: Cyberspace Jurisdiction in the U.S. (2001), Cyberspace & International Law on Jurisdiction (2004) and Public International Computer Network Law Issues (2006).

© Henrik Spang-Hanssen – Page 2/22

The Future of International Law: CyberCrime

1. CONVENTION ON CYBERCRIME
The Convention on CyberCrime of 23 Nov. 20011 – by some called the Budapest Convention – went into to force on 1 July 2004. In addition, there exists an “Additional protocol2 to the Convention on Cybercrime, concerning the criminalization of acts of a racist and xenophobic3 nature committed through computer systems”. To both the convention and the protocol exists explanatory reports.4 The Convention and its Explanatory Report have been adopted by the Committee of Ministers of the Council of Europe at its 109th Session (8 November 2001) and the Convention was opened for signature in Budapest on 23 November 2001. It is the only existing multilateral treaty to specifically address computer-related crime and the gathering of electronic evidence.

1.1 Parties to the Convention
As of April 1, 2007, the Convention itself has:5 24 signatures not followed by ratifications 19 parties of the Treaty (Albania, Armenia, Bosnia & Herzegovina, Bulgaria, Croatia, Cyprus, Denmark,6 Estonia, France, Hungary, Iceland, Lithuania, Netherlands, Norway, Romania, Slovenia, the former Yugoslav Republic of Macedonia and Ukraine & United States of America). The Protocol has as of April 1, 2007: 21 signatures not followed by ratifications
ETS no. 185 of 23 November 2003 (into force 1. July 2004), at <http://conventions.coe.int/treaty/en/treaties/html/185.htm> [hereinafter Cybercrime Convention]. 2 [hereinafter Additional Protocol], at <http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm>. 3 “racist and xenophobic material” means any written material, any image or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin, as well as religion if used as a pretext for any of these factors, article 2 of the Protocol. See also paras 1 and 10-22 in Explanatory Report to the protocol, at <http://convention.coe.int/Treaty/en/Reports/Html/189.htm>. 4 EXPLANATORY REPORT OF 8 NOVEMBER 2001 to the convention adopted by the Committee of Ministers of the at Council of Europe [hereinafter CONVENTION-REPORT], <http://conventions.coe.int/Treaty/en/Reports/Html/185.htm> (visited December 2005. The Report make reference to: (1) Implementation of Recommendation N° R (89) 9 on computer-related crime, Report prepared by Professor Dr. H.W.K. Kaspersen; (2) Report on Computer-related crime by the European Committee on Crime Problems (CDPC); (3) Problems of criminal procedural law connected with information technology, Recommendation N° R (95) 13, principle n° 17; (4) Recommendation (89) 9 PC-CY from the European Committee on Crime Problems. 5 Chart of signatures and ratifications, Council of Europe at <http://conventions.coe.int/Treaty/Commun/ ChercheSig.asp?NT=185&CM=11&DF=22/08/2005&CL=ENG> (visited 1 April 2007). 6 Denmark has made the following reservation (deposited on 21 June 2005) to article 9: The criminal area according to Article 9 shall not comprehend the possession of obscene pictures of a person attained the age of fifteen, if the person concerned has given his or her consent to the possession, cf. Article 9, paragraph 1, letter e. Furthermore, the criminal area according to Article 9 shall not comprehend visual representations of a person appearing to be a minor engaged in sexually explicit conduct, cf. Article 9, paragraph 2, letter b, at <http://conventions.coe.int/Treaty/Commun/ListeDeclarations.asp?NT=185&CM=11&DF=7/25/2006&CL=EN G&VL=1> (visited 24 July 2006). See further, HENRIK SPANG-HANSSEN, PUBLIC INTERNATIONAL COMPUTER NETWORK LAW ISSUES 459-461, Appendix 9 (DJØF Publishing Copenhagen 2006 - ISBN 87-574-14866)[hereinafter SPANG-HANSSEN-3]. This book include two chapters on Danish criminal and jurisdictional statutes related to cyberspace issues.
1

© 2008 Henrik Spang-Hanssen - Page 3 of 22

The Future of International Law: CyberCrime
10 Parties of the Protocol (Albania, Armenia, Bosnia & Herzegovina, Cyprus, Denmark, France,7 Lithuania, Slovenia, the former Yugoslav Republic of Macedonia and Ukraine).

1.2 Outline of the Convention
A broad outline of the Convention is as follows: Chapter 1 – Use of terms (art. 1) Chapter 2 – Measures to be taken at the national level Section 1 – Substantive criminal law8 (art. 2-13)9 Section 2 – Procedural law (art 14-21) Section 3 – Jurisdiction (art. 22)10 Chapter 3 - International co-operation Section 1 – General principles (art. 23 – 28) • Art 23 – General principles relating to international co-operation • Art 24 – Extradition • Art. 25-28 – General principles relating to mutual assistance Section 2 – Specific provisions (art. 29 – 35) Chapter 4 – Final provisions (art. 36 – 48) including: • Art 40 – Declarations (a party can when ratifying declare requiring additional elements as provided for under art. 2, 3, 6 para 1b, 7, 9 para 3, and 27 para 9e) • Art. 41 – Federal Clause • Art. 42 – Reservations (a party can when ratifying declare reservations provided in art. 4 para 2, 6 para 3, 9 para 4, 10 para 3, 11 para 3, 14 para 3, 22 para 2, 29 para 4, and 41 para 1.

1.3 The United States of America
By letter transmittal of November 17, 2007 the President of the United States of America sent the Convention – signed by the United States on November 23, 2001 - for advice and consent to the US Senate. The letter was attached a letter of submittal of September 11, 2003 from the Department of State.11

France has declared to article 6 when ratifying that “France interprets the terms “international court established by relevant international instruments and whose jurisdiction is recognised by that Party” (Article 6, paragraph 1) as being any international criminal jurisdiction explicitely recognised as such by the French authorities and established under its domestic law, <http://conventions.coe.int/Treaty/Commun/ListeDeclarations.asp?NT=189&CM=11&DF=7/25/2006&CL=EN G&VL=1> (visited 24 July 2006). 8 A Global Survey of Cybercrime Laws with translation into English is available at Cybercrimelaw.net (a global information clearinghouse on cybercrime law, edited by Council of Europe expert on cybercrime & Chief Judge Stein Schjølberg, Norway) at <http://www.cybercrimelaw.net/laws/survey.html >. See also WORLD FACTBOOK OF CRIMINAL JUSTICE SYSTEMS (covering 45 countries), at <http://www.ojp.usdoj.gov/bjs/abstract/wfcj.htm> (visited May 2006). 9 The conventions Article 10 on offences related to infringements of copyright and related rights should be compared with Article 14 of the U.N. convention on Jurisdictional Immunities of states and Their Property of 2 December 2004 (Not yet in force), GA Resolution 59/78, Doc. A/59/49, also at <http://untreaty.un.org/ils/texts/instruments/english/conventions/4_1_2004.pdf> (visited April 2007). 10 This article is thoroughly dealt with in SPANG-HANSSEN-3 supra note 6, Chapter 7. 11 <http://www.usdoj.gov/criminal/cybercrime/senateMemo.pdf> (visited May 2006).

7

© 2008 Henrik Spang-Hanssen - Page 4 of 22

The Future of International Law: CyberCrime
The Senate’s Committee on Foreign Relations held a hearing on June 17 2004.12 On November 8, 2005, the US Senate Committee on Foreign Relations submitted report 109-6 (to accompany Treaty Doc. 108-11). The report has the below mentioned reservations and declarations to ratification.13 The United States has not ratified the Additional Protocol as it would be contrary to the U.S. Constitution’s First Amendment’s guarantee of freedom of expression.14 On 3 August 2006, the US Senate agreed (by Division Vote) to a Resolution of advice and consent to ratification (US Senate Treaty number: 108-11). The ratification was done on September 29, 2006 (and the treaty went into force for the US on January 1, 2007).

1.3.1. Reservations
The advice and consent of the Senate under section 1 is subject to the following reservations, which shall be included in the United States instrument of ratification: 1) The United States of America, pursuant to Articles 4 and 42, reserves the right to require that the conduct result in serious harm, which shall be determined in accordance with applicable United States federal law. 2) The United States of America, pursuant to Articles 6 and 42, reserves the right not to apply paragraphs (1)(a)(i) and (1)(b) of Article 6 (‘‘Misuse of devices’’) with respect to devices designed or adapted primarily for the purpose of committing the offenses established in Article 4 (‘‘Data interference’’) and Article 5 (‘‘System interference’’). 3) The United States of America, pursuant to Articles 9 and 42, reserves the right to apply paragraphs (2)(b) and (c) of Article 9 only to the extent consistent with the Constitution of the United States as interpreted by the United States and as provided for under its federal law, which includes, for example, crimes of distribution of material considered to be obscene under applicable United States standards. 4) The United States of America, pursuant to Articles 10 and 42, reserves the right to impose other effective remedies in lieu of criminal liability under paragraphs 1 and 2 of Article 10 (‘‘Offenses related to infringement of copyright and related rights’’) with respect to infringements of certain rental rights to the extent the criminalization of such infringements is not required pursuant to the obligations the United States has undertaken under the agreements referenced in paragraphs 1 and 2. 5) The United States of America, pursuant to Articles 22 and 42, reserves the right not to apply in part paragraphs (1)(b), (c) and (d) of Article 22 (‘‘Jurisdiction’’). The United States does not provide for plenary jurisdiction over offenses that are committed outside its territory by its citizens or on board ships flying its flag or aircraft registered under its laws. However, United States law does provide for jurisdiction over a number of offenses to be established under the Convention that are committed abroad by United States nationals in circumstances implicating particular federal interests, as well as over a number of such offenses committed on board United States-flagged ships or aircraft registered under United States law.
12

Hearing agenda can be found at <http://foreign.senate.gov/hearings/2004/hrg040617a.html>. Hearings report at <http://www.washingtonwatchdog.org/rtk/documents/cong_hearings/senate/108/ senatehearing108_97299.html> and witness’ papers at <http://foreign.senate.gov/testimony/2004/SchmitzTestimony040617.pdf>, <http://foreign.senate.gov/testimony/2004/SwartzTestimony040617.pdf>, and <http://foreign.senate.gov/testimony/2004/WittenTestimony040617.pdf>. 13 <http://www.washingtonwatchdog.org/rtk/documents/cong_reports/executive/109/executivereport109_ 006.html> (visited November 2005). 14 <http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm#QE1> (visited April 2007) and Declan McCullagh, First ‘cybercrime’ treaty advances in Senate, CNET News.Com 26 July 2005 at <http://news.com.com/2100-7348_3-5805561.html> and (visited April 2007).

© 2008 Henrik Spang-Hanssen - Page 5 of 22

The Future of International Law: CyberCrime
Accordingly, the United States will implement paragraphs (1)(b), (c) and (d) to the extent provided for under its federal law. 6) The United States of America, pursuant to Articles 41 and 42, reserves the right to assume obligations under Chapter II of the Convention in a manner consistent with its fundamental principles of federalism.

1.3.2. Declarations
1) The advice and consent of the Senate under section 1 is subject to the following declarations, which shall be included in the United States instrument of ratification: a) The United States of America declares, pursuant to Articles 2 and 40, that under United States law, the offense set forth in Article 2 (‘‘Illegal access’’) includes an additional requirement of intent to obtain computer data. b) The United States of America declares, pursuant to Articles 6 and 40, that under United States law, the offense set forth in paragraph (1)(b) of Article 6 (‘‘Misuse of devices’’) includes a requirement that a minimum number of items be possessed. The minimum number shall be the same as that provided for by applicable United States federal law. c) The United States of America declares, pursuant to Articles 7 and 40, that under United States law, the offense set forth in Article 7 (‘‘Computer-related forgery’’) includes a requirement of intent to defraud. d) The United States of America declares, pursuant to Articles 27 and 40, that requests made to the United States of America under paragraph 9(e) of Article 27 (‘‘Procedures pertaining to mutual assistance requests in the absence of applicable international agreements’’) are to be addressed to its central authority for mutual assistance. 2) The advice and consent of the Senate under section 1 is also subject to the following declaration: The United States of America declares that, in view of its reservation pursuant to Article 41 of the Convention, current United States federal law fulfills the obligations of Chapter II of the Convention for the United States. Accordingly, the United States does not intend to enact new legislation to fulfill its obligations under Chapter II.

2. SOME PROBLEMS FOR CYBERNAUTS RELATED TO THE CONVENTION
The convention is designed to enhance the investigation and prosecution of cross-border computerrelated crimes by eliminating or reducing procedural and jurisdictional obstacles to international cooperation. Most legislators have had their interest on the convention’s part on law-enforcement, that is the international co-operation. Only a little group of people have dealt with the question of to what extent the convention have unreasonable implications for the individual cybernaut for whom the most scary part is the convention’s basic principle of “aut dedere aut judicare” – the duty of each party to extradite or to prosecute. These issues are dealt with in the convention’s articles 22 and 24.

2.1. Article 22 – Jurisdiction
1. Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed: a) in its territory; or b) on board a ship flying the flag of that Party; or

© 2008 Henrik Spang-Hanssen - Page 6 of 22

The Future of International Law: CyberCrime
c) on board an aircraft registered under the laws of that Party; or d) by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State. 2. Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof. 3. Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition. 4. This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law. 5. When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

2.2. Article 24 – Extradition
1. a. This article applies to extradition between Parties for the criminal offences established in accordance with Articles 2 through 11 of this Convention, provided that they are punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year, or by a more severe penalty. b. Where a different minimum penalty is to be applied under an arrangement agreed on the basis of uniform or reciprocal legislation or an extradition treaty, including the European Convention on Extradition,15 applicable between two or more parties, the minimum penalty provided for under such arrangement or treaty shall apply. 2. The criminal offences described in paragraph 1 of this article shall be deemed to be included as extraditable offences in any extradition treaty existing between or among the Parties. The Parties undertake to include such offences as extraditable offences in any extradition treaty to be concluded between or among them. 3. If a Party that makes extradition conditional on the existence of a treaty receives a request for extradition from another Party with which it does not have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offence referred to in paragraph 1 of this article. 4. Parties that do not make extradition conditional on the existence of a treaty shall recognise the criminal offences referred to in paragraph 1 of this article as extraditable offences between themselves. 5. Extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition. 6. If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offence, the requested Party shall submit the case at the request of the requesting Party to its competent authorities for the purpose of prosecution and shall report the final outcome to the requesting Party in due course. Those authorities shall take their decision and conduct their investigations and proceedings in the same manner as for any other offence of a comparable nature under the law of that Party.
15

European Convention on Extradition of 13. December 1957 (into force 18 April 1960), ETS No. 24 at <http://conventions.coe.int/Treaty/en/Treaties/Html/024.htm> (47 ratifications as of 13 April 2007).

© 2008 Henrik Spang-Hanssen - Page 7 of 22

The Future of International Law: CyberCrime
7. a. Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the name and address of each authority responsible for making or receiving requests for extradition or provisional arrest in the absence of a treaty. b. The Secretary General of the Council of Europe shall set up and keep updated a register of authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.

2.3. Global jurisdiction to be considered by the individual Cybernaut
In addition, it is a problem that the convention pursuant to article 22(4) does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law. Quite opposite, the convention require each party to respect other parties criminal jurisdiction under their domestic law. This is a carte blanche to allow what I have termed “Global Jurisdiction,” see further below under 3.1. It is hard to imagine how a party to the convention later can protest against other parties’ court decisions when having given such a carte blanche. In addition, it seems hard to oppose against the validity of another party’s court’s determination of dealing with a cybercrime case or offender. Thus, another nation’s court can hardly censor but only reject to enforce another party’s court decision.

2.4. Other Aspects to be considered by the individual Cybernaut
The just above mentioned does not give a cybernaut any security when traveling to other parties countries. Thus, a cybernaut can no longer only rely on his local law as foreign law of Treaty’s parties also has to be accepted and followed. Therefore, any cybernaut is under the law of the least acceptable country’s laws – chaos will come because previous public international law system does not work as there is no borders in Cyberspace and thus for Cybercrimes. Especially, this regime provides no protection for military, FBI’s and CIA’s hacker-personnel on such personals holydays in other parties territories. This was precise the reason for the United States to reject to ratify the Treaty for the International Criminal Court.16 This imply for example that a cybernaut no longer can rely on his owns laws rules of the right to a jury trial. Another aspect to be notices is that the convention does not contain any limitation – opposite the Treaty for the International Criminal Court.

3.1. WHEN IS A STATE INTERNATIONAL LAW

ALLOWED TO GOVERN PURSUANT TO

PUBLIC

Jurisdiction is a vital and indeed central feature of state sovereignty, for it is an exercise of authority, which may alter, create, or terminate legal relationships and obligations.17 It follows from the nature of the sovereignty of states that a state must not intervene in the domestic affairs of another state.18 As the public international computer networks (Internet or Cyberspace) cross the national borders, public international law is the ruling regime.
16

<http://www.icc-cpi.int/home.html&l=en>. See also (Rome) Statute of the ICC 17 July 1998 at <http://www.un.org/law/icc/> (into force 1 July 2002. As of January 2007 ratified by 104 countries) [hereinafter the ICC-Statute]. 17 MALCOLM N. SHAW, INTERNATIONAL LAW (4th Edition, Cambridge University Press) page 452 [hereinafter SHAW] 18 SHAW supra note 17, page 454, and Justice Story in The Apollon, 22 U.S. 362, 370 (U.S. 1824).

© 2008 Henrik Spang-Hanssen - Page 8 of 22

The Future of International Law: CyberCrime
The innovation of the Internet and Cyberspace has made the question of personal jurisdiction much more important than at any time before, since the use of the Internet nearly always involve international aspects. The starting point in every case involving the Internet should be that the case is international rather than national. Traditional, public international law on jurisdiction has used the following division:19 Nationality principle - confers jurisdiction over nationals of the State concerned. Can be divided into • Active personality principle - based on the nationality of the suspect. International law accepts jurisdiction over a state’s owns citizens based on nationally, or the links between the individual and the state • Passive personality principle or Passive nationality principle - based on nationality of the victim, not the nationality of the offender (controversial) Territoriality principle confers jurisdiction on the State in which the person or the goods in question are situated or the event in question took place. Can be divided into • Subjective territoriality principle - permits a State to deal with acts which originated within its territory, but was completed or consummated abroad • Objective territoriality principle – permits a State to deal with acts which originated abroad but which, at least in part, were o the “effect doctrine” - consummated or completed within their territory –; or o the protective theory - producing gravely harmful consequences to the social or economic order inside their territory. The protective theory covers a variety of political offences and is not necessarily confined to political acts. The principle is well established and seems justifiable because it protect a state’s vital interests. However, it can easily be abused. The decisive is the importance of the offence, which standard is supplied solely by international law. However, in Cyberspace there is no “transportation” in form of tangible effects, but only “transmission” of electronic bits (and that transmission route is fortuitous and unpredictable), thus in Cyberspace there only exists what I have termed pure online incidents, which is characterized by no physical shipment or tangible things are involved, and at least one user is an alien, that is, a nonresident or a non-national.20 This term differs from definitions in article 1 of the Cybercrime Convention as my term requires an alien involved – not only two residents of the same state. As acts or incidents suddenly appears to be everywhere and at the same time for anyone, from the perspective of any court or any State these could argue being a proper court or jurisdiction. The later approach I have given the term Global Jurisdiction,21 which is characterized by a State’s jurisdictional rules taken on its “wording” reaches all alien cybernauts, thus making a Worldwide jurisdiction involving aliens whom can be anywhere in the world (outside the forum state). This term has to be distinguished from Universal Jurisdiction. However, Global jurisdiction22 is prohibited by public international law, which requires closeness (a close link) and reasonableness between the jurisdiction and the alien in question.

HENRIK SPANG-HANSSEN, CYBERSPACE & INTERNATIONAL LAW ON JURISDICTION 243-258 (DJØF Publishing, Copenhagen 2004 – 87-547-0890-1 – US Congress Library 2004441311) [hereinafter SPANGHANSSEN-2]. 20 “Henrik’s First Base”, see SPANG-HANSSEN-3 supra note 6, at 1. 21 SPANG-HANSSEN-3 supra note 6, at page v, Foreword. 22 Global jurisdiction under public international law does not evidently mean that a narrow community view is acceptable. The content of for example the UN Declaration on human rights and the Covenant point in the opposite direction. On the other hand, Global jurisdiction does not seem to have special relevance outside “pure

19

© 2008 Henrik Spang-Hanssen - Page 9 of 22

The Future of International Law: CyberCrime
Furthermore, under public international law any jurisdiction has to respect the sovereignty of other States and their right to self-determination of rules for and over its citizen. Thus, in public International Law the requirement for a State being allowed to prescribe, adjudicate & enforce is that there exists a Close Link and that it from an international society point of view is Reasonable the State in question deal with the issue. States (with physical borders) are the backbone of Public International Law. Sofar public international law can be said to have been a “grenz law”, but Cyberspace is borderless and does not “respect” geographic drawn borders. Thus, when dealing with Cyberspace one should turn the view upside down and begin with the view – not from the perspective of a State and its borders – but from the fact that Cyberspace is global reaching and that there has to be made some division of this “global space”. This has let me to introduce the following new division of public international law on jurisdiction:23 Universal jurisdiction – a court of a nation acts on behalf of the international society pursuant to public international law.24 National jurisdiction – a court of a nation acts on behalf of its sovereign. It involve two terms: International jurisdiction and Exterritorial jurisdiction, which is formulated by the particular nation it-self, wherefore it can be in violation with public international law. It can be divided into the following sub-categories: • Global jurisdiction - (Worldwide) jurisdiction involving aliens whom can be anywhere in the world (outside the fo-rum state). This kind of jurisdiction can be exercised on basis of: - General jurisdiction - even if the cause of action is unrelated to the activities at issue, if only the alien defendant’s activities in the forum state are “substantial, continuous, and systematic” (and the particular long-arm statute’s requirement is fulfilled) - Specific jurisdiction - cause of action arise from defendant’s minimum contacts with the forum state • Transnational jurisdiction – which exists pursuant to the Treaty against Transnational Organized Crime25 is present when: - The offence is committed in more than one State - It is committed in one State but a substantial part of its preparation, planning, direction or control takes place in an-other State - It is committed in one State but involves an organized criminal group that engages in criminal activities in more than one State; or - It is committed in one State but has substantial effects in another State. • Restricted jurisdiction – Jurisdiction that a State through statute or caselaw has limited to cases where the defendant at the time of the act is a residents or national of the forum state, or visitor in the forum state.
online” incidents, that is, in what is usually characterized the brick and mortar world where a State or court always can pinpoint a physical connection to the alien defendant. 23 SPANG-HANSSEN-3 supra note 6, at 117-121 & 146-169. 24 It can only be exercised when the international society has accepted this – and if so it will only be for a very limited and specific issue, for example War-crime or Piracy on the sea. SPANG-HANSSEN-2 supra note 19, at 252-254, IAN BROWNLIE, PRINCIPLES OF PUBLIC INTERNATIONAL LAW 303 (6th Edition, Clarendon Press, Oxford – ISBN 0199260710), OPPENHEIM’S INTERNATIONAL LAW 469-470 (London and New York: Longman 9th Ed., paperback edition 1996 – ISBN 0582302455). 25 “Palermo Treaty” or United Nations Convention Against Transnational Organized Crime”, Doc. A/55/383 (Adopted by UN GA resolution A/RES/55/25 of 15 November 2000 - Into force 29 September 2003) at <http://www.unodc.org/unodc/en/crime_cicp_resolutions.html>. As of April 1, 2007: 147 signatories and 132 parties at <http://www.unodc.org/unodc/en/crime_cicp_signatures_convention.html>.

© 2008 Henrik Spang-Hanssen - Page 10 of 22

The Future of International Law: CyberCrime
The latter is equal to a combination of the active personality principle and the subjective territorial principle. As restricted jurisdiction cannot in the sense of public international law be said to deal with “aliens”, which latter is the subject of the rest of this article, this kind of jurisdiction will not be further dealt with. On public international network every State could be said to have concurrent jurisdiction, since the online experience in every State will be the same for everybody, thus, the “effect” would be everywhere. Therefore, in the perspective of Cyberspace it seems more appropriate to use the term “closeness” rather than “effect” or “target”. Thus, the real problem of international law is to define the circumstances in which the relevant points of contact (the legal relationships) are sufficiently close. Or otherwise stated, the problem is where do Internet transactions take place? International public law on jurisdiction to prescribe - and adjudicate - in relation to international computer network can be summoned up as in the following table as for Pure Online cross-border:26
Made online from Made online from State D by national State D by national of of State C, but State B citizen of A Global Jurisdiction is an issue State E regarded as sender or receiver state? Global Jurisdiction is an issue State E regarded as sender or receiver state? Global Jurisdiction is an issue

Made online from State D by national of state A Global Jurisdiction is an issue State E regarded as sender or receiver state?

Uploaded in State E

Global Jurisdiction is Global Jurisdiction is an issue an issue Objective and Passive Objective and Passive Received in State personality personality B (controversial) (controversial) principles allow State principles allow State B to prescribe? B to prescribe?

Initially should be remarked, that Universal Jurisdiction is not by the international society – and the International Court of Justice (ICJ) – allowed to be used on Cyberspace incidents. In relation to Cyberspace, I find hard to find incidents that fulfill the tough criterias for use of Universal Jurisdiction27 - except using the Internet for Human Trafficking (a modern way of slavery). Further should to the table be noted: the Subjective Territoriality Principle allows State D to prescribe in all fields the Active Personality Principle allows the State of nationality or residency of the suspect to prescribe in all fields This implies for online communication that it has to meet the requirements of the legislation in: The State from where the original electronic communication (“bits-transfer”) was prepared The State where the communication is uploaded The State of the communicator’s “nationality,” that is, for a private owned communication firm where the owner is born, or a corporate is incorporated The State where the communicator is a “citizen,” that is, for a private owned communication firm where the owner living or a corporate is having headquarter

26 27

SPANG-HANSSEN-2, supra note 19, page 299-300 SPANG-HANSSEN-2, supra note 19, page 121-128.

© 2008 Henrik Spang-Hanssen - Page 11 of 22

The Future of International Law: CyberCrime
From the online communicator’s perspective, it should initially be noted that the Passive personality principle generally is rejected by the international society, thus, the communicator out of this principle does not have to follow the legislation (statutes or case law) in the state of which the receiver is a nationality. This has to be kept in mind with regard to the text of article 22(4) of the Cybercrime Convention. However, the online communicator might have to meet the requirement pursuant to the Objective territoriality principle that permits a State to deal with acts which originated abroad but which, at least in part, were consummated or completed within their territory (the “effect doctrine”); or producing gravely harmful consequences to the social or economic order inside their territory (the protective theory). As for the first prong it should be noted, that among the public international society there is discrepancy of the reach of the “effect doctrine” – which internationally is interpretated somewhat otherwise than the US “effect test”. The above mean that a State cannot interfere with what is going on, on the Internet or on the international network’s “pipe-lines” through which the electronic bits of the telecommunication is transmitted. In addition, it implies that each State’s legislators and enforcement has to take great consideration to other States interests. However, this is somewhat undermined by the text of article 22(4) of the Cybercrime Convention. As for foreign parties and jurisdictional rules, the latter will only have any real value, if courts decisions later can be executed in another state. Thus, it has no real value for a plaintiff, if a sovereign or its court decide an issue of a case, but all other nations holds that the issue or case belongs to or are much more related to another nation. If any given nations jurisdictional rules in practice does not have any limits, then the rules will have no real value and should in stead just state it will catch any nonresident (“Global Jurisdiction”). Then it will be for the court that is to execute the decision to decide the “real” jurisdictional question determining whether the first court’s decision can be acknowledged. Thus, if the different nations or jurisdictions do not consider the implications of their decisions on the worldwide network of computers - and thus over users outside the particular jurisdiction - the result can very easy become an extremely inefficient and cribbed network,28 where only material allowed by every nation can be accessed. Such a regime will probably conflict with the UN rules on free speech and respect of other nations’ people. At this point should be mentioned that in May 1992, the United States suggested to the Hague Conference on Private International Law to make a draft to Convention on Jurisdiction and Enforcement of foreign Judgments. In a Summary of discussions in March 2000 was amongst others discussed the question of identification and location of the parties. In a paper of February 2002, it was pointed out that the ongoing globalization and the exponential growth of the use of the Internet continue to add to the need for a global framework for jurisdiction and the recognition and enforcement of judgments. The Internet environment adds to the complexity of the issues to be resolved in specific provisions; on the other hand, it reinforces the common need for a global framework on jurisdiction and recognition and enforcement (in civil and commercial matters).29

“if every jurisdiction in the world insisted on some form of filtering for its particular geographic territory, the World Wide Web would stop functioning.” From e-mail of Vinton Cerf, Chairman of Internet Corporation for Assigned Names and Numbers (ICANN) and previous Stanford University professor, 24/11 2000 to Agence France-Presse in connection to his expert statement to a French court about Yahoo-US’s web site, Agence France Pres 24. November 2000, 2000 WL 24767154 (Westlaw database AGFRP) and Putting it in its place, THE ECONOMIST, August 9th 2001 at <http://www.yale.edu/lawweb/jbalkin/telecom /puttingitinitsplace.html> (visited 14 October 2003). 29 See SPANG-HANSSEN-2 supra note 19, at 453-460.

28

© 2008 Henrik Spang-Hanssen - Page 12 of 22

The Future of International Law: CyberCrime
However, due to realized disagreements between the conferences member states presented at an informal working group in March 2003, it was decided to limit a drafts to a Convention and in reality leaving the whole issue of the Internet unsolved.

3.2. WHEN IS THE OFFENCE-PLACE “IN” OR “ON”

THE STATE’S SPHERE ?

This question of where an offence is committed is without doubt the toughest and most difficult question to answer when dealing with Cyberspace. As the computer technology is new, public international law has not developed any practice on when a Cyberspace-act is occurring “in” or “on” a territory. The main problem with Cybercrime Conventions article 22 litra a-c is that the convention does not determine when something related to Cyberspace is occurring “in” or “on” the territory. This is a most controversial issue in Cyberspace law, which should have been solved by the drafting committee as the steppingstone before drafting any other articles. The drafting committee have neglected a specified given task no. v (the question of jurisdiction in relation to information technology offences), namely “determine the place where the offence was committed (locus delicti)”.30 The same task also included the question of which law should accordingly apply, including the problem of ne bis idem31 in the case of multiple jurisdictions and the question how to solve positive jurisdiction conflicts and how to avoid negative jurisdiction conflicts. From a human point of view, it is of cause obvious to choose the line of least resistance as for the problem - as the drafters of the Convention has done. However, such a choice does not seem appropriate when drafting the text for an international Treaty. The overall principles in public international law to answer the question is whether these “places” has a close link and are reasonable, see on this subject Spang-Hanssen supra note 19, at 296462, chapters 31-33. When considering a place where an offence could be regarded to be committed in Cyberspace what immediately comes into mind is the following “places” in the public international computer networks:32 the place of a server the place of a proxy33 servers the place where the work on the computer was done (prepared) before uploading it to the Internet the place where a laptop was hooked up when connected to the Net, or should it be the uploaded content that decides ? Many court decisions has decided that the place of the server is not the determine fact.34 However, the court in U.S. v. Kammersell could not have reached its decision if it had not relied on the place of a service providers’ server.35 The EU issued a declaration when it passed Regulation 44/2001 on jurisdiction and enforcement36 which “stress that the mere fact that an Internet site is accessible is not sufficient for Article 15 [about jurisdiction over consumer contracts] to be applicable,…In this respect, the
CONVENTION-REPORT supra note 4, para 11 subsection v. Ne bis in idem (ne bis idem) - no person should be proceeded against twice over the same matter. 32 SPANG-HANSSEN, CYBERSPACE JURISDICTION IN THE U.S. 97-122, (Norwegian Research Center for Computers and Law, Oslo University 2001 – ISBN 82-7226-046-8 – US Congress Library 2003450386), also free downloading from research website <www.geocities.com/hssph> [hereinafter SPANG-HANSSEN-1] and SPANG-HANSSEN-2 supra note 19, at 359-365 33 A server that sits between a client application, such as a web browser, and a real server. 34 On US court decisions on this issue, see SPANG-HANSSEN-1 supra note 33, at 107-111 and SPANG-HANSSEN2 supra note 19, at 359-361. 35 United States v. Kammersell, 196 F.3d 1137 (10th Circuit 1999). 36 Council Regulation 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, O.J. 16/01/2001 p. 0001-0023, also at <www.geocities.com/hssph/CouncilRegulationNo44.pdf>.
31 30

© 2008 Henrik Spang-Hanssen - Page 13 of 22

The Future of International Law: CyberCrime
language or currency which a website uses does not constitute a relevant factor.”37 If such factors are not found relevant in civil matters, then they should neither be determining in criminal matters. The Report to the Convention points out that article 22 establishes a series of criteria under which Contracting Parties are obliged to establish jurisdiction over the criminal offences enumerated in Articles 2-11 of the Convention.38 It noted that article 22, paragraph 1 littera a is based upon the principle of territoriality, see above section 3.1, and that each Party is required to punish the commission of crimes established in this Convention that are committed in its territory. The report gives as examples that a Party would assert territorial jurisdiction if (A) both the person attacking a computer system and the victim system are located within its territory, and (B) where the computer system attacked is within its territory, even if the attacker is not.39 The first example is dealing with a totally internal national matter and the court should of cause use its national law. As for the latter example “B”, where the “offender” is an alien, public international law must be used rather than national law. Article 22 paragraph 1, littera b and c require each Party to establish criminal jurisdiction over offences committed upon ships flying its flag or aircraft registered under its laws. The Report notes that if the crime is committed on a ship or aircraft that is beyond the territory of the flag Party, there may be no other State that would be able to exercise jurisdiction barring this requirement. In addition, if a crime is committed aboard a ship or aircraft, which is merely passing through the waters or airspace of another State, the latter State may face significant practical impediments to the exercise of its jurisdiction, and it is therefore useful for the State of registry to also have jurisdiction.40 This does not seem to be in conflict with the customary law that is codified in the 1958 High Sea Convention41 (and the Convention on the Law of the Sea42). The paragraph does not distinguish between the Subjective territoriality principle and the Objective territoriality principle. Thus, it is left for each party to decide whether the paragraph cover acts which originated within its territory, but was completed or consummated abroad and/or acts which originated abroad, but which, at least, in part were consummated or completed within their territory (the effect doctrine) or producing gravely harmful consequences to the social or economic order inside their territory (the protective theory). Paragraph 1, littera d is based upon the principle of nationality. The report states out the obvious from a public international law point of view, that nationals of a State are obliged to comply with the domestic law even when they are outside its territory.43 The wording of the paragraph leaves out the use of the passive personality/nationality principle. The report points out that parties can only make reservations to the jurisdiction grounds laid down in paragraph 1, litterae b, c, and d. No reservation is permitted with respect to the territorial jurisdiction under littera a. Furthermore, no reservation can be made with respect to the obligation to establish jurisdiction in cases falling under the principle of "aut dedere aut judicare" (extradite or prosecute) under paragraph
37

Joined declaration issued by the European Parliament and Commission at the time the Regulation was passed – Statement on Articles 15 and 73, reprinted in SPANG-HANSSEN-2, supra note 19, at 564-566, also at <www.geocities.com/hssph/Joineddeclaration.pdf>. 38 CONVENTION-REPORT supra note 4, para 232. 39 CONVENTION-REPORT supra note 4, para 233. 40 CONVENTION-REPORT supra note 4, para 235. 41 Convention on the High Seas of 1958 (into force 30 September 1962), 13 U.S.T. 2312, T.I.A.S. 5200, 450 U.N.T.S. 82, also at <http://www.univie.ac.at/RI/KONTERM/intlaw/konterm/vrkon_en/html/doku/highsea.htm> (visited April 2007). 42 United Nations Convention on the Law of the Sea of 10 December 1982, U.N.Doc. A/CONF.62/122. Convention on the Law of the Sea of 1982 (also called the Montego Bay Convention)(into force 16 November 1994 – 153 states have ratified as of 4 April 2007) [hereinafter “Law of the Sea”], also at <http://www.un.org/Depts/los/convention_agreements/texts/unclos/unclos_e.pdf> (visited April 2007). 43 CONVENTION-REPORT supra note 4, para 236.

© 2008 Henrik Spang-Hanssen - Page 14 of 22

The Future of International Law: CyberCrime
3, for example where that Party has refused to extradite the alleged offender on the basis of his nationality and the offender is present on its territory. The report remarks that the jurisdiction established on the basis of paragraph 3 in article 22 is necessary to ensure that those Parties that refuse to extradite a national have the legal ability to undertake investigations and proceedings domestically instead, if sought by the Party that requested extradition pursuant to the requirements of "Extradition", Article 24, paragraph 6 of the Convention.44 Finally, the report remarks that the bases of jurisdiction set forth in paragraph 1 are not exclusive and that paragraph 4 of Article 22 permits the Parties to establish, in conformity with their domestic law, other types of criminal jurisdiction as well.45 This is nothing but a carte blanch from one party of the Convention to another. Taken together with the just mentioned comment 237 of the Report, this paragraph can give extreme consequences for a cybernaut as he has no longer any protection under his own laws.

3.3. WHO IS THE OFFENDER ?
An important question that the Convention does not deal with is, who is the offender? Is it for example the grandparent that allows a grandchild to use a computer during a visit or is it (only) the grandchild? In this respect should be noted that the International Criminal Court in the Hague only has jurisdiction in cases which involve a person that at the time of the alleged commission of the crime was of the age of 18 or over.46 The Cybercrime Convention only deals with the term “minor” in relation with Article 9(3) on child pornography: “For the purpose of paragraph 2 above, the term “minor” shall include all persons under 18 years of age. A Party may, however, require a lower agelimit, which shall be not less than 16 years.” Thus, under the Cybercrime Convention a child in diapers using a computer can be an offender and be sentenced – even by a foreign country as party to the convention)! However, this regime might be against the Convention for Protection of Children.47 Furthermore, to what extent does it matter that a person is careless with a password and let others use their access? Another problem is one especially for the prosecutors. Computers connected to the Internet have an IP address but this does not reveal where the laptop is located and who used it. The latter is also of special significance as for computers offered to the public in libraries or at CyberCafees. A further problem for prosecutors is wireless connections for which some are available without any password but only requiring the laptop being in a certain distance to a hotspot.48 Most of the latter are unsecured.

3.4. INTENT
Another aspect not to forget when dealing with crime and computer networks, is to which extent the offender had intent to do a crime and where to do it. Should it be allowed in public international law just because the offender knows that he is using Cyberspace and have the intent to hit one particular forum state, that this anyhow allows all other states also to have jurisdiction over that crime?
CONVENTION-REPORT supra note 4, para 237. CONVENTION-REPORT supra note 4, para 238. 46 Articles 26 of the ICC-Statute supra note 16, which further only involves “the most serious crimes of concern to the international community as a whole.” See THE ROME STATUTE OF THE INTERNATIONAL CRIMINAL COURT: A COMMENTARY 533-35 (Ed. Antonio Cassese, Oxford University Press 2002 – ISBN 0-19-829862-5) [hereinafter CASSESE] and SPANG-HANSSEN-3, supra note 6, at 300. 47 Convention on Jurisdiction, Applicable law, Recognition, Enforcement and Co-operation in Respect of Parental Responsibility and Measures for the Protection of Children of 19 October 1996 (Into force 1 January 2002 – As of January 2007 14 states has ratified), at <www.hcch.net/index_en.pho?act=conventions.pdf&cid=70> (visited April 2007). 48 Hotspots are venues that offer wireless Internet access points..
45 44

© 2008 Henrik Spang-Hanssen - Page 15 of 22

The Future of International Law: CyberCrime
Criminal jurisdiction is designed to promote security and certainty in international life to prevent friction among nations. To be entitled to assume legislative jurisdiction there must exist a close connection in an international sense between the person, fact or event and the State imposing criminal liability in regard to them. The real problem of international law is to define the circumstances. The limits of a State’s criminal jurisdiction should be found in the doctrine of the abuse of rights.49 When the intent to commit the proscribed act is clear and demonstrated by some activity, and the effect to be produced by the activity is substantial and foreseeable, the fact that a plan or conspiracy was thwarted does not deprive the target state of jurisdiction to make its law applicable.50 Pursuant to article 30 of the ICC Statute51 a person is only criminally responsible or liable for punishment for a crime if the person had “intent”, that is (1) the offender meant to engage in the conduct (prohibited act or omission)(actus reus) and (2) the offender meant to cause that consequence or was aware that it would occur in the ordinary course of events (mens rea). Furthermore is required that the crime was committed with knowledge, that is, awareness that a circumstance existed or a consequence would occur in the ordinary course of events.52 The ICC Court only has jurisdiction in cases that involve “the most serious crimes of concern to the international community as a whole” (and where the person at the time of the alleged commission of the crime was of the age of 18 or over).53 Hacking can be regarded as a crime, as a military weapon or as a mean for supporting human rights. For the latter should be mentioned, that at the latest many people have realized that a most important weapon in the struggle for human rights is computer code. Thus, “hacktivism” has turned up in shape of elite computer experts – the “original” hackers, not crackers - who have set their sights on ways to help human-rights causes and are trying to give activists electronic ways to circumvent government surveillance and information management. Such humanitarian help can probably not qualify being a crime – at least there is a lack of the necessary criminal intent.54

3.5. EXTRADITION
Article 24 on extradition has to be hold together with article 22(3), which later states that [e]ach Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition. The explanatory Report states that no reservation is permitted with respect to the establishment of territorial jurisdiction under article 22(1) littera a, or with respect to the obligation to establish jurisdiction in cases falling under the principle of “aut dedere aut judicare” (extradite or prosecute) under paragraph 3, for example where that Party has refused to extradite the alleged offender on the basis of his nationality and the offender is present on its territory.55

F.A. MANN, The Doctrine of Jurisdiction in International Law, 111 RECUEIL DES COURS 1, 82-83 (1964I) and SPANG-HANSSEN-2, supra note 19, at 239-240. 50 Comment d to § 402 to Restatement (Third) of Foreign Relation Law. 51 ICC-Statute supra note 16. 52 Herman von Hebel, Elements of Crimes in THE INTERNATIONAL CRIMINAL COURT: ELE-MENTS OF CRIMES AND RULES OF PROCEDURE AND EVIDENCE 14-15 (Ed. Roy S. Lee, Transnational Publishers 2001 – ISBN 157105-209-7). 53 Articles 26 of the ICC-statute supra note 16, and CASSESE supra note 46, at 533-35, and SPANG-HANSSEN-3 supra note 6, at 300. 54 SPANG-HANSSEN-3 supra note 6, at 285-286. 55 CONVENTION-REPORT supra note 4, para 237.

49

© 2008 Henrik Spang-Hanssen - Page 16 of 22

The Future of International Law: CyberCrime
Article 24(5) states that extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties,56 including the grounds on which the requested Party may refuse extradition. The requested party need not extradite if it is not satisfied that all of the terms and conditions provided for by the applicable treaty or law have been fulfilled. Furthermore, each of the offences established in Articles 2-11 are not to be considered per se extraditable. It is required that the maximum punishment that could be imposed for the offence for which extradition is sought is at least one-year’s imprisonment. The determination of whether an offence is extraditable does not hinge on the actual penalty imposed in the particular case at hand, but instead on the maximum period that may legally be imposed for a violation of the offence for which extradition is sought.57 However, this paragraph is not to be used if a different threshold for extradition is described in another treaty or arrangement between the parties in question.58 For example, under the European Convention on Extradition59, reservations may specify a different minimum penalty for extradition. Among Parties to that Convention, when extradition is sought from a Party that has entered such a reservation, the penalty provided for in the reservation shall be applied in determining whether the offence is extraditable. Where a Party, instead of relying on extradition treaties, utilises a general statutory scheme to carry out extradition, paragraph 4 requires it to include the offences described in Paragraph 1 among those for which extradition is available.60 The requested Party need not extradite if it is not satisfied that all of the terms and conditions provided for by the applicable treaty or law have been fulfilled. It is thus another example of the principle that co-operation shall be carried out pursuant to the terms of applicable international instruments in force between the Parties, reciprocal arrangements, or domestic law. For example, conditions and restrictions set forth in the European Convention on Extradition (ETS N° 24) and its Additional Protocols61 (ETS N°s 86 and 98) will apply to Parties to those agreements, and extradition may be refused on such bases (e.g., Article 3 of the European Convention on Extradition62 provides that extradition shall be refused if the offence is considered political in nature, or if the request is considered to have been made for the purpose of prosecuting or punishing a person on account of, inter alia, race, religion, nationality or political opinion).63 Paragraph 6 of article 24 is build over the principle of “aut dedere aut judicare” (extradite or prosecute) and provides that a party must prosecute if the offender is a national of the requested party and extradition is denied solely on nationality. The latter is included in the Convention since many states refuse extradition of their nations. However, this paragraph is too easy to circumvent, as the requested party just has to make up another excuse than nationality. This more or less makes article 24 worthless. The Report points out that if the Party whose extradition request has been refused does not request submission of the case for local investigation and prosecution, there is no obligation on the requested Party to take action. Paragraph 6 requires the local investigation and prosecution to be
56

The US does require existence of a Treaty for extradition, see Senate Report & Letter of Submittal from Department of State, see above footnote 12. 57 CONVENTION-REPORT supra note 4, para 245. Confer Article 2 of the European Convention on Extradition, supra note 16. 58 CONVENTION-REPORT supra note 4, para 246. 59 See above note 16. 60 CONVENTION-REPORT supra note 4, para 249. 61 Additional Protocol to the European Convention on Extradition of 15 October 1975 (into force 20 August 1979), ETS No. 86 at <http://conventions.coe.int/Treaty/en/Treaties/Html/086.htm> (37 ratifications as of 13 April 2007). 62 Second Additional Protocol to the European Convention on Extradition of 17 March 1978 (into force 5 June 1983), ETS. No. 98 at <http://conventions.coe.int/Treaty/en/Treaties/Html/098.htm> (40 ratifications as of 13 April 2007). 63 CONVENTION-REPORT supra note 4, para 250.

© 2008 Henrik Spang-Hanssen - Page 17 of 22

The Future of International Law: CyberCrime
carried out with diligence. It must be treated as seriously “as in the case of any other offence of a comparable nature” in the Party submitting the case. That Party shall report the outcome of its investigation and proceedings to the Party that had made the request.64 However, if no extradition request has been made, or if extradition has been denied on grounds other than nationality, does paragraph 6 establish no obligation on the requested Party to submit the case for domestic prosecution. Also, should be noted that the Cybercrime Convention does not distinguish between civil and military persons, thus persons working for the U.S. military is embraced by the Cybercrime conventions jurisdictional rules. As many people in the different countries military is involved with what by the convention is regarded as hacking, these military persons should not go on holyday to other countries that are parties of the convention, as U.S. will not have any right to protect them if indicted by another party to the convention and arrested there during their stay there. The U.S. is actually obliged to either extradite or prosecute such persons if another party to the convention makes the claim.

4. SOME US COMPUTER CRIME CASES AFTER 1998
A summary of some prosecuted US computer cases from 1998 can be found on the US Department of Justice’s website,65 including cases involving juvenile and international perpetrators, with press releases on the each case. Criminal cases from around the world can be found at Cybercrime Net,66 which offers a comprehensive survey of current legislations from around the world including the laws of 78 countries. It also has a link to information on Supreme Court decisions from around the World and offers access to decisions in 129 countries, or a way of finding them.67 The sites are managed by Chief Judge Stein Schjølberg, Norway, who also is Council of Europe expert on cybercrime.

4.1. Juveniles
As it between teenagers has become some kind of a game or a sport to hack into other persons’ computers, many cases deal with juveniles, some of which did not have any intent to gain economically, but only wanted to show off to their friends. Furthermore, should be mentioned that juveniles as such68 only know little of the law of their own nation, other nation’s and international law. Of U.S. cases involving juveniles can be mentioned:

4.1.1. U.S. v. An Unnamed Juvenile (D. Mass., March 18, 1998)69
This case was the first U.S. case were federal charges were brought against a juvenile for computercrime. On March 10, 1997, the juvenile computer hacker temporarily disabled Next Generation Digital Loop Carrier systems (“loop carrier systems”70) operated by telephone company NYNEX (later
64 65

CONVENTION-REPORT supra note 4, para 251. Computer Crime & Intellectual Property Section at <www.usdoj.gov/criminal/cybercrime/ccases.html> (visited 10 February 2007). 66 <http://www.globalcourts.com> (visited 4 April 2007). 67 <http://www.cybercrimelaw.net/> (visited 4 April 2007). 68 The Convention on Jurisdiction, Applicable law, Recognition, Enforcement and Co-operation in Respect of Parental Responsibility and Measures for the Protection of Children of 19 October 1996 sets an age limit at 18 (Into force 1 January 2002 – As of January 2007 14 states has ratified), at <www.hcch.net/index_en.pho?act=conventions.pdf&cid=70> (visited April 2007). 69 < http://www.usdoj.gov/criminal/cybercrime/juvenilepld.htm> (visited 4 April 2007). 70 The loop carrier systems are used by telephone companies to integrate service provided over hundreds of telephone lines for digital transmission over a single, high capacity fiber-optic cable to a central office. By

© 2008 Henrik Spang-Hanssen - Page 18 of 22

The Future of International Law: CyberCrime
purchased by Bell Atlantic Telephone Company) at the Worcester Airport and in the community of Rutland, Massachusetts. The loop carrier systems operated by the telephone company were accessible from a personal computer’s modem. This accessibility was maintained so that telephone company technicians could change and repair the service provided to customers by these loop carrier systems quickly and efficiently from remote computers. The juvenile computer hacker identified the telephone numbers of the modems connected to the loop carrier systems operated by the telephone company providing service to the Worcester Airport and the community of Rutland, Massachusetts. At approximately 9:00 a.m., the juvenile computer hacker intentionally, and without authorization, accessed the loop carrier system servicing the Worcester Airport. He then sent a series of computer commands so that it altered and impaired the integrity of data on which the system relied, thereby disabling it. Public health and safety were threatened by the outage, which resulted in the loss of telephone service, until approximately 3:30 p.m., to the Federal Aviation Administration Tower at the Worcester Airport, to the Worcester Airport Fire Department and to other related concerns such as airport security, the weather service, and various private airfreight companies. Further, as a result of the outage, both the main radio transmitter, which is connected to the tower by the loop carrier system, and a circuit which enables aircraft to send an electric signal to activate the runway lights on approach were not operational for this same period of time. Later on the same day, at approximately 3:30 p.m., the juvenile computer hacker intentionally, and without authorization, accessed the loop carrier system servicing customers in and around Rutland, Massachusetts. Once again, he sent a series of computer commands to the digital loop carrier that altered and impaired the integrity of data on which the system relied, thereby disabling it. This second outage disrupted telephone service throughout the Rutland area, causing financial damage as well as threatening public health and safety as a result of the loss of telephone service. During this attack, the juvenile computer hacker changed the system identification to “Jester.” In a separate computer intrusion, the juvenile computer hacker identified the telephone number associated with the modem servicing a Worcester area branch of a major pharmacy chain’s computer in the Worcester pharmacy. On four occasions in January, February and March of 1997, the juvenile computer hacker used his personal computer modem to break into the Worcester pharmacy computer. On each of these days he instructed the Worcester pharmacy computer to transmit to his personal computer files containing all of the prescriptions filled by the pharmacy during the previous week, detailing them by customer name, address, telephone number and prescription medicine supplied. The pharmacist's computer was accessible by modem after hours when the pharmacy was closed. This accessibility was maintained so that the pharmacy chain could periodically transfer information from the pharmacist's local computer to a centralized computer operated by the chain in the course of its business. The juvenile could not alter the prescriptions and there was found no evidence that he disseminated the information, but the hacking constituted a serious invasion of privacy. Pursuant to a plea agreement, the juvenile received a two years’ probation, during which he may not possess or use a modem or other means of remotely accessing a computer or computer network directly or indirectly. He had to pay restitution to the telephone company and complete 250 hours of
disabling a loop carrier system all communications with the telephone lines it services are cuts off. Loop carrier systems are programmable remote computers used to integrate voice and data communications originating on a large number of standard, copper-wire telephone lines for efficient transmission over a single, sophisticated fiber-optic cable. In many respects, a loop carrier system serves the same function as a circuit breaker box in a home or an apartment. Individual electric wires do not run from each plug or light in a home or apartment to the electric company. Rather, the myriad of plugs and lights are connected to a circuit breaker box in a corner of the home or apartment, to which the electric company attaches a single, efficient cable. If the circuit breaker box is disabled, however, none of the lights and outlets in the house can function.

© 2008 Henrik Spang-Hanssen - Page 19 of 22

The Future of International Law: CyberCrime
community service. In addition, he was required to forfeit all of the computer equipment used during his criminal activity.

4.1.2. U.S. v. "Comrade" (S.D. FL., September 21, 2000)71
This is the first U.S. case where a juvenile hacker received a prison sentence (and to serve time in a Detention Facility). A 16-year-old from Miami pleaded guilty and was sentenced to six months in a detention facility for two acts of juvenile delinquency. Under adult statutes, those acts would have been violations of federal wiretap and computer abuse laws for intercepting electronic communications on military computer networks and for illegally obtaining information from NASA computer networks. The juvenile, known on the Internet as “c0mrade,” admitted that he was responsible for computer intrusions from August 23, 1999, to October 27, 1999, into a military computer network used by the Defense Threat Reduction Agency (DTRA). DTRA is an agency of the Department of Defense charged with reducing the threat to the U.S. and its allies from nuclear, biological, chemical, conventional and special weapons. “c0mrade” also admitted that he gained unauthorized access to a computer server, known as a “router,” located in Dulles, Va., and installed a concealed means of access or “backdoor” on the server. The program intercepted more than 3,300 electronic messages to and from DTRA staff. It also intercepted at least 19 user names and passwords of computer accounts of DTRA employees, including at least 10 user names and passwords on military computers. In addition, on June 29 and 30, 1999, “c0mrade” illegally accessed a total of 13 NASA computers located at the Marshall Space Flight Center, Huntsville, Ala., using two different ISPs to originate the attacks. As part of his unauthorized access, he obtained and downloaded proprietary software from NASA valued at approximately $1.7 million. The software supported the International Space Station’s (ISS) physical environment, including control of the temperature and humidity within the living space. As a result of the intrusions and data theft, the NASA computer systems were shut down for 21 days in July 1999. This shutdown resulted in a delivery delay of program software costing NASA approximately $41,000 in contractor labor and computer equipment replacement costs. As conditions of his guilty plea and serving six months in a detention facility, “c0mrade” had to write letters of apology to the Department of Defense and NASA and agreeded to the public disclosure of information about the case.

4.1.3. U.S. v. Sanford (N.D. TX, December 6, 2000)72
The hacker-group “HV2K” obtained unlawfully access to computers belonging to the U.S. Postal Service, the State of Texas, the Canadian Department of Defence and Glinn Publishing Company of Milwaukee, WI, between November 1999 and January 2000 and depriving owners and users from their use of these systems. A Canadian juvenile entered a pre-trial diversion program in Halifax, Nova Scotia, for computer activity related to these offenses. Another member of the hacker-group, Sanford, was a 18-year old resident of Irving, Texas. He was sentenced to two years in prison, on each of six charges for breach of computer security, and 10 years on the theft charge. The prison sentences were suspended and Sanford was placed on five years supervised probation. He was also ordered to pay $45,856.46 in restitution to the victims of his hacking. As a condition of his probation, Sanford was also required to obtain a high school diploma or graduate equivalency degree, submit to random urinalysis, and participate in community service. Sanford was also restricted in his future use of computers. The case was the result of a joint investigation involving the Texas Department of Public Safety, the Royal Canadian Mounted Police, the Canadian Forces National Investigative Service, and the USPS Office of the Inspector General.
71 72

<http://www.usdoj.gov/criminal/cybercrime/comrade.htm> (visited 4 April 2007). <http://www.usdoj.gov/criminal/cybercrime/VAhacker2.htm> (visited 4 April 2007).

© 2008 Henrik Spang-Hanssen - Page 20 of 22

The Future of International Law: CyberCrime
4.1.4. U.S. v. An Unnamed Juvenile (W.D. Wash., February 11, 2005)73
The worm - referred to as the "RPCSDBOT worm" - directed infected computers to log in on a computer (i.e., an Internet Relay Chat channel) that the juvenile controlled. On August 14, 2003, the juvenile directed the infected computers to launch a distributed denial of service attack against Microsoft's main web site causing the site to shutdown and thus became inaccessible to the public for approximately four hours. The juvenile was 14 years old when the activity occurred. The juvenile pleaded guilty in November 2004, because he intentionally caused damage and attempted to cause damage to protected computers. The juvenile was sentenced to three years of probation with a number of restrictions including mental health counseling, and computer monitoring. The Judge also ordered that the juvenile to perform three hundred hours of community service that involved work with the homeless or other less fortunate members of the community. The juvenile told the Judge, “Seventeen months ago, I made the worst mistake I ever made in my life. I did it out of curiosity and did not think I would cause any damage. I am sorry I created problems for people I did not even know.”

5. THE FUTURE OF (PUBLIC) INTERNATIONAL LAW ON CYBERCRIME
As Cyberspace being a vital part for an still explosive number of the citizens on Earth and their daily life, the time has gone far beyond where the American Society of International Law and the International Law Association should have begun thoroughly to deal with the issues that Cyberspace has raised. This implies public international law scholars must learn about the technicalities of the public international computer network – an educational task for the International Law Association and the American Society of International Law. The basic structure of the Internet challenge the international law on jurisdiction since the Net has no respect for sovereignty and territorial, which is the basic for public international law. Therefore, it is necessarily to examine to what extent the creation of the international computer networks causes previous rules to be modified.74 As the European Union, with the highest percentage of citizens using the Internet, and the United States have fundamentally different approaches to Cyberspace - EU, the consumer’s point of view and the US, the business view – it is not surprising that there has not been established any general public international law in relation to Cyberspace – if there ever will be. Thus, therefore is vital the scholars of the above mentioned associations begin to spend some attention to these matters, so a reasonable international scheme or practice can be established, including for cybercrime issues. Only by such an approach can cybernauts – each of us - around the world become protected and feel safe in our daily life and each of us live without fear for fortuitous arrests and criminal charges in different countries. There must be made rules of public international law governing cyberspace and the limits of national jurisdiction over Cyberspace, including: What a cybernaut does on the Internet is most likely an international case – thus, not national law alone. Public international law must solve the problem of where “the place” is. Public international law must solve the problem with minors making offences on the Internet – including a minimum age. Let it be stated by the international society that what is done legally in the cybernaut’s own country, he should not be charged or indicted for in foreign countries. That the Convention allowing “Global jurisdiction” is in violation with public international law.
73 74

<http://www.usdoj.gov/criminal/cybercrime/juvenileSent.htm> (visited 4 April 2007). SPANG-HANSSEN-2, supra note 19, at 295 (and Chapters 31-33 pp. 296-436).

© 2008 Henrik Spang-Hanssen - Page 21 of 22

The Future of International Law: CyberCrime
The drafters of the Princeton Principles75 holds that it would be inappropriate to invoke universal jurisdiction for the prosecution of minor transgressions of the 1949 Geneva Conventions and Protocol I. Such a regime should also cover cross-border cybercrimes. Every single individual has to a certain extent unreasonable been deprived normal rights as far as Cyberspace is concerned, because in practice “Global Jurisdiction”76 is exercised by most nations and their courts. Vinton Cerf, one of the fathers of the Internet, has stated on the technicality of the Internet that “if every country [to fulfill their legislations] requires filters, then the net will stop working.”77 Thus, if every country claim they can legislate and make their courts decide on every issue then the net will stop working because cybernauts will then not know what rules to follow, and when and where to be arrested and sentenced The Cybercrime Convention should immediately be re-written or parties should retreat from the treaty. However, this latter is not easily done pursuant to the Law of Treaties.78

75 76

THE PRINCETON PRINCIPLES page 46, at <www.princeton.edu/~lapa/unive_jur.pdf> (visited November 2005). See above footnote 22. 77 See above footnote 29. 78 Confer the principle of Pacta sunt servanda in the preamble and part IV of The Vienna Conventions on the Law of Treaties of May 23, 1969 (into force 27 January 1980. As of April 2007, 108 ratifications), 1155 U.N.T.S. 331, also at <http://untreaty.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf> (visited April 2007).

© 2008 Henrik Spang-Hanssen - Page 22 of 22

Sign up to vote on this title
UsefulNot useful