Challenge and Enforcement of Cyber-crimes
Dip. In Telecommunications and Internet Law
E-Government Laboratory of the University of Athens
Address: 74 Eleutheriou Venizelou Str. 15561, Holargos, Athens, Greece.
Tel: 0030 210 6528652
Mobile: 0030 6945 348663
Regulatory challenge and enforcement of cyber-crimes
The mobile and borderless nature of the Internet makes it difficult for the regulator to establish the location and the identity of the actors, since goods and services can be delivered from everywhere to anywhere. The same challenge applies to computer crimes.
Generally, adopting regulations especially public law is a very slow process so that regulators often cannot cope with the speed of technological development. In addition, the borderless nature of the Internet conflicts with different national rules and regulations. Last but not least enforcement of regulation is often difficult or impossible.
Computer Crime Legislation has a 20-year history
The first computer crime law does not go back to 1990 when the United Kingdom Computer Misuse Act was passed, but about 20 years ago to 1978, when the state of Florida made history to become the first to enact a computer crimes law – just as in 1995, the state of Utah made history in enacting the first digital signature law in the world.
At present, 48 of the 51 states in the United States have laws against computer crimes.
The United States has concurrent federal and state jurisdictions over computer crimes. The US federal law against computer crimes was enacted in 1984 and several times amended.
Canada was the first common-law country to enact laws specifically against computer crimes in 1983.
Many other countries have computer crime laws. These countries include UK, Singapore, Australia, New Zealand, Norway, Sweden, Denmark, Finland, France, Germany, Netherlands and Switzerland.
Computer misuse offences
The challenge of computer crime is immense: it is hard to prove, and even harder to detect. There are four steps in committing a computer crime:
1. Obtain access to the computer system.
2. Extend access until the criminal intent can be realized.
3. Scrutinize, modify, defraud or destroy information.
4. Remove evidence of unauthorised entry
The most important step is gaining access. Access control by use of an automatic fingerprint reader was thought to be invincible until a terrorist group kidnapped a bank manager and cut off his right thumb to activate a critical access control system. Actually the password is still by far the most used means of authentication.
As long as weaknesses exist in the security posture of computers, attribution of computer crime to any but the most unsophisticated offenders is all but impossible.
Three reasons for the stiff penalties: firstly, to deter offenders; secondly, to help investors and users feel confident with computer use; and thirdly, create a conducive atmosphere for the development of IT.
However, we should be prudent since it has been estimated that acts of God or the acts of incompetent or careless employees may be expected to cause 84 per cent of the losses in a computer centre; the actions of dishonest employees may be expected to cause 13 per cent; and the actions of intruders 3 per cent.
Criminal activity over the Internet:
Advertising Financial Services
Financial promotions in the UK must be approved by a person authorised under the Financial Services and Markets Act 2000
Material on the internet could be defined as a financial promotion if it invites people to enter into investment activities or if it is likely to lead people directly or indirectly into doing so.
The criminal offence is punishable by 2 years imprisonment, a fine or both and potential civil liability. Agreements are also rendered voidable
Medicines & the Internet, UK Legal Framework
Unlicensed medicines: sale prohibited (s. 7 Medicines Act 1968); maximum two-year prison sentence or fine
Licensed medicines are divided into three categories: General Sales List, Pharmacy Medicines and Prescription Only Medicines (POM)
Exception: Herbal Remedies
Trade Descriptions Act 1968
For goods and services sold online particular care is needed
Criminal offence: false description or statements
General regulatory options:
The regional approach/regional harmonisation
– regional clusters of nation states form supranational organisations with political authority to draw up policy binding instruments and enforce them, e.g. the EU
Directives & International co-operation
– bilateral treaties & conventions
– e.g. Cybercrime Convention (Council of Europe 2002)
Global approach to regulation
– Global bodies to formulate policy for all nation states, e.g. ICANN and UDRP, UNCITRAL Model Law on E-commerce (1996), OECD Cybercrime Convention
Among the general regulatory options: self-regulation, technological regulation and co-regulation.
Criminal law examples:
The Council of Europe, Convention on Cybercrime, art. 10 “Offences related to infringements of copyright and related rights”
In the UK, Marks & Spencer v Craig Cottrell & ors (2001) LawTel, where the defendant had copied M&S’s website onto domains he controlled and owned, for the purpose of fraudulently obtaining customers credit card details. Finding the defendant in contempt of court for breach of previous court orders, the judge imposed a 12-month prison sentence on the defendant.
Also Copyright and Trade Marks (Offences and Enforcement) Act 2002 – increased maximum sentence from 2 to 10 years.
– United States v LaMaccia 871 F. Supp. 535 (D.Mass. 1994) – student operated a bulletin board for the free exchange of commercial software. Prosecution for copyright infringement was not possible because he made no personal gain.
– No Electronic Theft Act of 1997
– 17 U.S.C. § 506(a)
– 18 U.S.C § 2319: 5 years imprisonment, $250,000
EU Distance Selling Directive: Criminal sanctions for inertia selling.
By nation states because there is no “international police” and only a very limited international criminal court
– Only possible if assets, property or local presence
– Political aspect!
Extraterritorial enforcement requires co-operation of national authorities: ad-hoc or Convention (e.g. extradition treaty)
– Extraterritorial effect: non-territory actors are obliged to comply to continue to act in the territory
e.g. EU competition law, data protection law
– Spillover effects: non-territory actors are affected by enforcement in territory
e.g. Yahoo (France)
Enforcing extraterritorial regulation:
Yahoo! v. LICRA (Paris May 2000, San Jose November 2001, Paris 2003)
– Nazi material posted on Yahoo! Inc.’s auction site
– Yahoo! Inc. is a US corporation with material hosted on server in California but still accessible in France
– TGI de Paris issues order requiring Yahoo! to prevent such material being accessible in France
– San Jose District Court grants declaration that this judgment will not be recognised or enforced in the US
– Criminal trial in Paris of former Yahoo! CEO.
If direct regulation of illegal content by the state is difficult or impossible, how else could the problem be addressed? ISPs act as gatekeepers regulating access to Internet content. Brief description of ISP liability provision in relation to all kinds of illegal content.
Concluding Remarks: Cyber-zoning and Digital IDs?
I will present law-based and architecture-based approaches to creating governance systems, and emphasizing the importance of norms and markets in governing behavior and form, but any of these systems are expected to be effective in isolation from each other. However, it is likely that traditional jurisdiction structures will continue to impose the principles of real-world justice on activities.