Strategies and Statutes for Prevention of Cybercrime
© Springer International Publishing Switzerland 2015
Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan and Sapna Tyagi
Cybercrime, Digital Forensics and Jurisdiction
Studies in Computational Intelligence 593
10.1007/978-3-319-15150-2_8
(1) International Association of Cybercrime Prevention (AILCC), Paris, France
(2) Department of Computer Science, Faculty of Science, Helwan University, Cairo, Egypt
(3) Department of Computer Science and Engineering, School of Engineering and Technology, Sharda University, Greater Noida, India
(4) College of Computer Science and Engineering, Yanbu Branch, Taibah University, Medina, Kingdom of Saudi Arabia
(5) Institute of Management Studies, Ghaziabad, India
8.1 Introduction
Cybercrime is a global phenomenon, and countering it requires global legal strategies. Only by harmonizing national laws and by formalizing countries’ mutual cooperation can legal enforcement agencies properly respond to the sophisticated, agile methods used by cybercriminals (de Almendia 2011). The rapidly increasing number and volume of cybercrime incidents and losses indicate an urgent need for convergence by the international community towards a common set of substantive and procedural legal rules.
However, some issues seem to make it difficult to reach a consensus on the contents of such legal rules. For instance, many countries have not yet struck a balance between security and privacy concerns, thus delaying the process of approving procedural rules. Some other countries resist joining any international convention which they have not negotiated since its inception, or where they do not have equal opportunity for voicing views or claims.
The outcome has been that a large number of countries still lack adequate cybercrime legislation and/or have not yet acceded to the existing, relevant Budapest Convention.
Given such a picture, regulation should be improved in order to facilitate more responsive action by the international community in joining forces against cybercrime. Perhaps the combined use of legal rules and improved information security standards might be an interesting, potentially effective way to address the above referenced issues.
8.2 National and Regional Strategies: The European Approach
Computer crime dates from the origination of computers (Shinder 2002). The first empirical computer crime studies applying scientific research methods were conducted in the 1970s (Parker 1998). These studies verified a limited number of cases and suggested that many more have gone undetected or unreported (Goodman and Brenner 2002). In the United States, Senator Abraham Ribicoff introduced the first proposed federal computer crime legislation in 1977: the Federal Computer Systems Protection Act. The bill was revised and reintroduced 2 years later (Ibid). It then died in committee (Griffith 1990). However, it was influential in promoting the subsequent enactment of federal computer crime legislation and in encouraging the adoption of such legislation in Florida and Arizona (Hogge et al. 2001).
Since then, many new crimoids have emerged. Some crimoids, such as eavesdropping on the radio waves that emanate from computers, have never been proven (Parker 1998). Reports of computer codes, including the Michelangelo and fictitious Good Times viruses, have added to the folklore of computer crimoids (Ibid). The vulnerabilities of the information society and the limitations of the existing computer security approach, as well as of legislation and law enforcement efforts, became apparent and widely publicized in the 1990s. Sieber argues that the scope of demonstrated and expected computer crimes today and in the future has also expanded far beyond economic crime, to cover attacks against national infrastructure and social wellbeing (Goodman and Brenner 2002).
In Europe, legal reforms have taken place in many countries since the 1970s, reflecting a change in the legal paradigm. The criminal codes of most of these countries have focused on the protection of tangible objects. However, the revolution of ICTs in the latter part of the twentieth century, which greatly depends on incorporeal values and information, has predicated the development of new legislation which seeks to protect these incorporeal values. The first step of this development in most European countries started in 1973 and addressed the protection of privacy, as a response to emerging vast capabilities for collecting, storing and transmitting data by computer (Siber et al. 1998). “Data protection legislations” were enacted and have been constantly revised and updated, protecting the citizens’ right to privacy with administrative, civil, and penal regulations.
The second step involved the repression of computer-related economic crimes and started at the beginning of the 1980s (Ibid). It was precipitated by the inadequacy, with the advent of cybercrime, of existing traditional criminal provisions, which protected visible, tangible, and physical objects against traditional crimes. These new laws addressed the new capabilities of cybercrimes to violate traditional objects through new media, and sought to protect intangible objects such as computer software (Ibid). Many European countries enacted new laws fighting computer-related economic crime (including unauthorized access to computer systems). Whilst some countries operate under the legal provisions enacted since the early 1980s, other countries are currently amending these provisions again to reflect new challenges to computer-related criminal law posed by fast-developing computer technology (Ibid).
In the 1980s, a third series of additions to national laws was enacted. This wave was directed toward protecting intellectual property in the realm of ICTs. The new legislation included copyright protection for computer software, penal copyright law and legal protection of topographies.
A fourth wave of reform legislation with respect to illegal and harmful contents began in a few countries in the 1980s, but has been expanding rapidly since the triumphant rise of the internet in the mid-1990s. Legal amendments adapting traditional provisions on the dissemination of pornography, hate speech or defamation to computer-stored data were passed in the United Kingdom in 1994 and in Germany in 1997. Special provisions clarifying the responsibility of service and access providers on the internet were enacted in the United States of America in 1996. A final group of issues, discussed in particular in the 1990s, concerns the creation of requirements for and prohibitions of security measures. This field of law includes minimum obligations for security measures in the interest of privacy rights or in the general public interest. It also covers prohibitions of specific security measures in the interest of privacy rights or the effective prosecution of crimes, such as limitations of cryptography.
8.2.1 The Council of Europe Convention on Cybercrime
The 2001 Convention on Cybercrime (‘Cybercrime Convention’) of the Council of Europe is the most comprehensive international legislative effort to combat cybercrime to date (Koops 2011). It was signed in Budapest on November 23, 2001 by member states of the Council of Europe and by several non-member states, including Canada, Japan, South Africa, and the United States, that participated in its development. As of 5th June 2011 there were 16 signatory states not followed by ratifications and 31 countries which had ratified it and entered it into force, including the United States.1 A further protocol on racist and xenophobic acts in cyberspace was signed on 28 January 2003, and entered into force on 1 March 2006.2 Both the convention and the protocol are accompanied by explanatory reports. The Convention and its Explanatory Report were adopted by the Committee of Ministers of the Council of Europe at its 109th Session (8 November 2001).
8.2.1.1 Effectiveness and Impact of the Convention
A major premise of the treaty is that by fostering international cooperation, nations can tackle the problem of the borderless nature of cybercrime by enabling pursuit beyond the borders of a single nation. However, one needs to examine which countries fall under the auspices of the Cybercrime Treaty and which do not. This should be compared against the known sources of cybercrime to see how many nations have or have not been addressed. 27 EC nations have joined to date but only 12 have ratified. Outside the EU, the Convention is seen as Western dominated, both during its development and at the current time. Of the few non-EC nations that have acceded, only the US has ratified. On the other hand, the Convention is often held up as a model law, even for countries unwilling to accede because the treaty is seen as too Western, or too demanding of resources. While the United States is still the country from which the most cybercrime attacks have originated, according to the most recent Internet Crime Complaint Center (IC3) report, other nations not covered by the treaty are: in second place, Canada; in fifth place, India; and in tenth place, the Philippines.
The key question for the success of the Cybercrime Convention is perhaps whether it can entice into membership those countries known to harbor the ringleaders of organized cybercrime. In Europe, for example, Russia has neither signed nor ratified the treaty. Russia, however, is the largest and most populous nation in all of Europe (Robel 2006). Russia has close to an estimated 24 million people with internet access. According to the Russian Interior Ministry’s Bureau for Counteracting High-Tech Crimes, internet crime in Russia has increased tenfold in the past 5 years (Ibid). This is partly attributed to the large expansion of the internet throughout Russia. Indeed, Russian hackers have been blamed for everything from a number of computer viruses to orchestrated extortion schemes, and online trading protection money for averting the loss of websites (Ibid).
In relation to the United States, there are also neighbors in the Western Hemisphere that are not a part of the Cybercrime Treaty. The Treaty does claim Canada, as a major source of cyber-attacks.
Even where developing world and Eastern European countries have the political will to take a stance against cybercrime, it is often difficult to justify allocating resources for it, when the beneficiaries will not be that state’s own citizens but those of other countries (Brown et al. 2009). Despite this, the ongoing success of the Cybercrime Convention can be seen at a micro, as well as macro level. Many countries are in the process of harmonizing their laws to meet Cybercrime Convention standards whether or not they plan to join (Ibid). In other regions such as the Arab states, there may be a preference to put together their own regional instruments rather than accede—but in most cases these are very similar to the Convention. It is thus arguably a very successful instrument for international harmonization (Ibid).
8.2.1.2 United States Ratification Serving as a Precedent
One aspect of US ratification that needs to be examined here is whether or not it may have an effect on the global community as a whole.
One must take into account the differing focus on legal and social values in different nations. One major issue is that the European Union is known for much stricter privacy laws than those of the United States. It is especially concerned about dealing with the United States’ Department of Homeland Security. To illustrate just how strict the EU privacy laws are, they specify that an individual must be provided with information regarding who is processing their data, the purpose of its processing, who has received the data, a clear means to access and correct the data, and the source of the data (Roble 2006). This difference in approach to privacy can be seen in many instances. An example is when the US Administration required that the EU provide access to Passenger Name Records data (PNR) on Europeans flying to the United States.