11. The new committee’s specific terms of reference were
as follows:
i. "Examine, in the light of Recommendations No R (89)
9 on computer-related crime and No R (95) 13 concerning problems of
criminal procedural law connected with information technology, in
particular the following subjects:
ii. cyber-space offences, in particular those committed
through the use of telecommunication networks, e.g. the Internet, such
as illegal money transactions, offering illegal services, violation of
copyright, as well as those which violate human dignity and the
protection of minors;
iii. other substantive criminal law issues where a
common approach may be necessary for the purposes of international
co-operation such as definitions, sanctions and responsibility of the
actors in cyber-space, including Internet service providers;
iv. the use, including the possibility of transborder
use, and the applicability of coercive powers in a technological
environment, e.g. interception of telecommunications and electronic
surveillance of information networks, e.g. via the Internet, search and
seizure in information-processing systems (including Internet sites),
rendering illegal material inaccessible and requiring service providers
to comply with special obligations, taking into account the problems
caused by particular measures of information security, e.g. encryption;
v. the question of jurisdiction in relation to
information technology offences, e.g. to determine the place where the
offence was committed (locus delicti) and which law should accordingly
apply, including the problem of ne bis in idem in the case of multiple
jurisdictions and the question how to solve positive jurisdiction
conflicts and how to avoid negative jurisdiction conflicts;
vi. questions of international co-operation in the
investigation of cyber-space offences, in close co-operation with the
Committee of Experts on the Operation of European Conventions in the
Penal Field (PC-OC).
The Committee should draft a binding legal instrument,
as far as possible, on the items i) - v), with particular emphasis on
international questions and, if appropriate, accessory recommendations
regarding specific issues. The Committee may make suggestions on other
issues in the light of technological developments."
12. Further to the CDPC’s decision, the Committee of
Ministers set up the new committee, called "the Committee of Experts on
Crime in Cyber-space (PC-CY)" by decision n° CM/Del/Dec(97)583, taken at
the 583rd meeting of the Ministers’ Deputies (held on 4 February 1997).
The Committee PC-CY started its work in April 1997 and undertook
negotiations on a draft international convention on cyber-crime. Under its
original terms of reference, the Committee was due to finish its work by
31 December 1999. Since by that time the Committee was not yet in a
position to fully conclude its negotiations on certain issues in the draft
Convention, its terms of reference were extended by decision n°
CM/Del/Dec(99)679 of the Ministers’ Deputies until 31 December 2000. The
European Ministers of Justice expressed their support twice concerning the
negotiations: by Resolution No. 1, adopted at their 21st Conference
(Prague, June 1997), which recommended the Committee of Ministers to
support the work carried out by the CDPC on cyber-crime in order to bring
domestic criminal law provisions closer to each other and enable the use
of effective means of investigation concerning such offences, as well as
by Resolution N° 3, adopted at the 23rd Conference of the
European Ministers of Justice (London, June 2000), which encouraged the
negotiating parties to pursue their efforts with a view to finding
appropriate solutions so as to enable the largest possible number of
States to become parties to the Convention and acknowledged the need for a
swift and efficient system of international co-operation, which duly takes
into account the specific requirements of the fight against cyber-crime.
The member States of the European Union expressed their support to the
work of the PC-CY through a Joint Position, adopted in May 1999.
13. Between April 1997 and December 2000, the Committee
PC-CY held 10 meetings in plenary and 15 meetings of its open-ended
Drafting Group. Following the expiry of its extended terms of reference,
the experts held, under the aegis of the CDPC, three more meetings to
finalise the draft Explanatory Memorandum and review the draft Convention
in the light of the opinion of the Parliamentary Assembly. The Assembly
was requested by the Committee of Ministers in October 2000 to give an
opinion on the draft Convention, which it adopted at the 2nd
part of its plenary session in April 2001.
14. Following a decision taken by the Committee PC-CY, an
early version of the draft Convention was declassified and released in
April 2000, followed by subsequent drafts released after each plenary
meeting, in order to enable the negotiating States to consult with all
interested parties. This consultation process proved useful.
15. The revised and finalised draft Convention and its
Explanatory Memorandum were submitted for approval to the CDPC at its
50th plenary session in June 2001, following which the text of
the draft Convention was submitted to the Committee of Ministers for
adoption and opening for signature.
III. The Convention
16. The Convention aims principally at (1) harmonising
the domestic criminal substantive law elements of offences and connected
provisions in the area of cyber-crime; (2) providing for domestic criminal
procedural law powers necessary for the investigation and prosecution of
such offences as well as other offences committed by means of a computer
system or evidence in relation to which is in electronic form; and (3)
setting up a fast and effective regime of international co-operation.
17. The Convention, accordingly, contains four chapters:
(I) Use of terms; (II) Measures to be taken at domestic level -
substantive law and procedural law; (III) International co-operation; (IV)
Final clauses.
18. Section 1 of Chapter II (substantive law issues)
covers both criminalisation provisions and other connected provisions in
the area of computer- or computer-related crime: it first defines 9
offences grouped in 4 different categories, then deals with ancillary
liability and sanctions. The following offences are defined by the
Convention: illegal access, illegal interception, data interference,
system interference, misuse of devices, computer-related forgery,
computer-related fraud, offences related to child pornography and offences
related to copyright and neighbouring rights.
19. Section 2 of Chapter II (procedural law issues) - the
scope of which goes beyond the offences defined in Section 1 in that it
applies to any offence committed by means of a computer system or the
evidence of which is in electronic form – determines first the common
conditions and safeguards, applicable to all procedural powers in this
Chapter. It then sets out the following procedural powers: expedited
preservation of stored data; expedited preservation and partial disclosure
of traffic data; production order; search and seizure of computer data;
real-time collection of traffic data; interception of content data.
Chapter II ends with the jurisdiction provisions.
20. Chapter III contains the provisions concerning
traditional and computer crime-related mutual assistance as well as
extradition rules. It covers traditional mutual assistance in two
situations: where no legal basis (treaty, reciprocal legislation, etc.)
exists between parties – in which case its provisions apply – and where
such a basis exists – in which case the existing arrangements also apply
to assistance under this Convention. Computer- or computer-related crime
specific assistance applies to both situations and covers, subject to
extra-conditions, the same range of procedural powers as defined in
Chapter II. In addition, Chapter III contains a provision on a specific
type of transborder access to stored computer data which does not require
mutual assistance (with consent or where publicly available) and provides
for the setting up of a 24/7 network for ensuring speedy assistance among
the Parties.
21. Finally, Chapter IV contains the final clauses, which
- with certain exceptions - repeat the standard provisions in Council of
Europe treaties.
COMMENTARY ON THE ARTICLES OF THE CONVENTION
Chapter I – Use of terms
Introduction to the definitions at Article 1
22. It was understood by the drafters that under this
Convention Parties would not be obliged to copy verbatim into their
domestic laws the four concepts defined in Article 1, provided that these
laws cover such concepts in a manner consistent with the principles of the
Convention and offer an equivalent framework for its implementation.
Article 1 (a) - Computer system
23. A computer system under the Convention is a device
consisting of hardware and software developed for automatic processing of
digital data. It may include input, output, and storage facilities. It may
stand alone or be connected in a network with other similar devices.
"Automatic" means without direct human intervention, "processing of data"
means that data in the computer system is operated by executing a computer
program. A "computer program" is a set of instructions that can be
executed by the computer to achieve the intended result. A computer can
run different programs. A computer system usually consists of different
devices, to be distinguished as the processor or central processing unit,
and peripherals. A "peripheral" is a device that performs certain specific
functions in interaction with the processing unit, such as a printer,
video screen, CD reader/writer or other storage device.
24. A network is an interconnection between two or more
computer systems. The connections may be earthbound (e.g., wire or cable),
wireless (e.g., radio, infrared, or satellite), or both. A network may be
geographically limited to a small area (local area networks) or may span a
large area (wide area networks), and such networks may themselves be
interconnected. The Internet is a global network consisting of many
interconnected networks, all using the same protocols. Other types of
networks exist, whether or not connected to the Internet, able to
communicate computer data among computer systems. Computer systems may be
connected to the network as endpoints or as a means to assist in
communication on the network. What is essential is that data is exchanged
over the network.
Article 1 (b) - Computer data
25. The definition of computer data builds upon the
ISO-definition of data. This definition contains the terms "suitable for
processing". This means that data is put in such a form that it can be
directly processed by the computer system. In order to make clear that
data in this Convention has to be understood as data in electronic or
other directly processable form, the notion "computer data" is
introduced. Computer data that is automatically processed may be the
target of one of the criminal offences defined in this Convention as well
as the object of the application of one of the investigative measures
defined by this Convention.
Article 1 (c) - Service provider
26. The term "service provider" encompasses a broad
category of persons that play a particular role with regard to
communication or processing of data on computer systems (cf. also comments
on Section 2). Under (i) of the definition, it is made clear that both
public and private entities which provide users the ability to communicate
with one another are covered. Therefore, it is irrelevant whether the
users form a closed group or whether the provider offers its services to
the public, whether free of charge or for a fee. The closed group can be
e.g. the employees of a private enterprise to whom the service is offered
by a corporate network.
27. Under (ii) of the definition, it is made clear that
the term "service provider" also extends to those entities that store or
otherwise process data on behalf of the persons mentioned under (i).
Further, the term includes those entities that store or otherwise process
data on behalf of the users of the services of those mentioned under (i).
For example, under this definition, a service provider includes both
services that provide hosting and caching services as well as services
that provide a connection to a network. However, a mere provider of
content (such as a person who contracts with a web hosting company to host
his web site) is not intended to be covered by this definition if such
content provider does not also offer communication or related data
processing services.
Article 1 (d) - Traffic data
28. For the purposes of this Convention traffic data as
defined in article 1, under subparagraph d., is a category of computer
data that is subject to a specific legal regime. This data is generated by
computers in the chain of communication in order to route a communication
from its origin to its destination. It is therefore auxiliary to the
communication itself.
29. In case of an investigation of a criminal offence
committed in relation to a computer system, traffic data is needed to
trace the source of a communication as a starting point for collecting
further evidence or as part of the evidence of the offence. Traffic data
might last only ephemerally, which makes it necessary to order its
expeditious preservation. Consequently, its rapid disclosure may be
necessary to discern the communication's route in order to collect further
evidence before it is deleted or to identify a suspect. The ordinary
procedure for the collection and disclosure of computer data might
therefore be insufficient. Moreover, the collection of this data is
regarded in principle to be less intrusive since as such it doesn't reveal
the content of the communication which is regarded to be more sensitive.
30. The definition lists exhaustively the categories of
traffic data that are treated by a specific regime in this Convention: the
origin of a communication, its destination, route, time (GMT), date, size,
duration and type of underlying service. Not all of these categories will
always be technically available, capable of being produced by a service
provider, or necessary for a particular criminal investigation. The
"origin" refers to a telephone number, Internet Protocol (IP) address, or
similar identification of a communications facility to which a service
provider renders services. The "destination" refers to a comparable
indication of a communications facility to which communications are
transmitted. The term "type of underlying service" refers to the type of
service that is being used within the network, e.g., file transfer,
electronic mail, or instant messaging.
31. The definition leaves to national legislatures the
ability to introduce differentiation in the legal protection of traffic
data in accordance with its sensitivity. In this context, Article 15
obliges the Parties to provide for conditions and safeguards that are
adequate for protection of human rights and liberties. This implies, inter
alia, that the substantive criteria and the procedure to apply an
investigative power may vary according to the sensitivity of the data.
Chapter II – Measures to be taken at the national level
32. Chapter II (Articles 2 – 22) contains three sections:
substantive criminal law (Articles 2 – 13), procedural law (Articles 14 –
21) and jurisdiction (Article 22).
Section 1 – Substantive criminal law
33. The purpose of Section 1 of the Convention (Articles
2 – 13) is to improve the means to prevent and suppress computer- or
computer-related crime by establishing a common minimum standard of
relevant offences. This kind of harmonisation alleviates the fight against
such crimes on the national and on the international level as well.
Correspondence in domestic law may prevent abuses from being shifted to a
Party with a previous lower standard. As a consequence, the exchange of
useful common experiences in the practical handling of cases may be
enhanced, too. International co-operation (esp. extradition and mutual
legal assistance) is facilitated e.g. regarding requirements of double
criminality.
34. The list of offences included represents a minimum
consensus not excluding extensions in domestic law. To a great extent it
is based on the guidelines developed in connection with Recommendation No.
R (89) 9 of the Council of Europe on computer-related crime and on the
work of other public and private international organisations (OECD, UN,
AIDP), but taking into account more modern experiences with abuses of
expanding telecommunication networks.
35. The section is divided into five titles. Title 1
includes the core of computer-related offences, offences against the
confidentiality, integrity and availability of computer data and systems,
representing the basic threats, as identified in the discussions on
computer and data security to which electronic data processing and
communicating systems are exposed. The heading describes the type of
crimes which are covered, that is the unauthorised access to and illicit
tampering with systems, programmes or data. Titles 2 – 4 include other
types of ‘computer-related offences’, which play a greater role in
practice and where computer and telecommunication systems are used as a
means to attack certain legal interests which mostly are protected already
by criminal law against attacks using traditional means. The Title 2
offences (computer-related fraud and forgery) have been added by following
suggestions in the guidelines of the Council of Europe Recommendation No.
R (89) 9. Title 3 covers the ‘content-related offences’ of unlawful
production or distribution of child pornography by use of computer systems
as one of the most dangerous modi operandi in recent times. The committee
drafting the Convention discussed the possibility of including other
content-related offences, such as the distribution of racist propaganda
through computer systems. However, the committee was not in a position to
reach consensus on the criminalisation of such conduct. While there was
significant support in favour of including this as a criminal offence,
some delegations expressed strong concern about including such a provision
on freedom of expression grounds. Noting the complexity of the issue, it
was decided that the committee would refer to the European Committee on
Crime Problems (CDPC) the issue of drawing up an additional Protocol to
the present Convention.
Title 4 sets out ‘offences related to infringements of
copyright and related rights’. This was included in the Convention because
copyright infringements are one of the most widespread forms of computer-
or computer-related crime and its escalation is causing international
concern. Finally, Title 5 includes additional provisions on attempt,
aiding and abetting and sanctions and measures, and, in compliance with
recent international instruments, on corporate liability.
36. Although the substantive law provisions relate to
offences using information technology, the Convention uses
technology-neutral language so that the substantive criminal law offences
may be applied to both current and future technologies involved.
37. The drafters of the Convention understood that
Parties may exclude petty or insignificant misconduct from implementation
of the offences defined in Articles 2-10.
38. A specificity of the offences included is the express
requirement that the conduct involved is done "without right". It reflects
the insight that the conduct described is not always punishable per se,
but may be legal or justified not only in cases where classical legal
defences are applicable, like consent, self defence or necessity, but
where other principles or interests lead to the exclusion of criminal
liability. The expression ‘without right’ derives its meaning from the
context in which it is used. Thus, without restricting how Parties may
implement the concept in their domestic law, it may refer to conduct
undertaken without authority (whether legislative, executive,
administrative, judicial, contractual or consensual) or conduct that is
otherwise not covered by established legal defences, excuses,
justifications or relevant principles under domestic law. The Convention,
therefore, leaves unaffected conduct undertaken pursuant to lawful
government authority (for example, where the Party’s government acts to
maintain public order, protect national security or investigate criminal
offences). Furthermore, legitimate and common activities inherent in the
design of networks, or legitimate and common operating or commercial
practices should not be criminalised. Specific examples of such exceptions
from criminalisation are provided in relation to specific offences in the
corresponding text of the Explanatory Memorandum below. It is left to the
Parties to determine how such exemptions are implemented within their
domestic legal systems (under criminal law or otherwise).
39. All the offences contained in the Convention must be
committed "intentionally" for criminal liability to apply. In certain
cases an additional specific intentional element forms part of the
offence. For instance, in Article 8 on computer-related fraud, the intent
to procure an economic benefit is a constituent element of the offence.
The drafters of the Convention agreed that the exact meaning of
‘intentionally’ should be left to national interpretation.
40. Certain articles in the section allow the addition of
qualifying circumstances when implementing the Convention in domestic law.
In other instances even the possibility of a reservation is granted (cf.
Articles 40 and 42). These different ways of a more restrictive approach
in criminalisation reflect different assessments of the dangerousness of
the behaviour involved or of the need to use criminal law as a
countermeasure. This approach provides flexibility to governments and
parliaments in determining their criminal policy in this area.
41. Laws establishing these offences should be drafted
with as much clarity and specificity as possible, in order to provide
adequate foreseeability of the type of conduct that will result in a
criminal sanction.
42. In the course of the drafting process, the drafters considered the
advisability of criminalising conduct other than those defined at Articles
2 – 11, including the so-called cyber-squatting, i.e. the fact of
registering a domain-name which is identical either to the name of an
entity that already exists and is usually well-known or to the trade-name
or trademark of a product or company. Cyber-squatters have no intent to
make an active use of the domain-name and seek to obtain a financial
advantage by forcing the entity concerned, even though indirectly, to pay
for the transfer of the ownership over the domain-name. At present this
conduct is considered as a trademark-related issue. As trademark
violations are not governed by this Convention, the drafters did not
consider it appropriate to deal with the issue of criminalisation of such
conduct.
Title 1 - Offences against the confidentiality, integrity and availability of computer data and systems
43. The criminal offences defined under Articles 2-6
are intended to protect the confidentiality, integrity and availability of
computer systems or data and not to criminalise legitimate and common
activities inherent in the design of networks, or legitimate and common
operating or commercial practices.
Illegal access (Article 2)
44. "Illegal access" covers the basic offence of
dangerous threats to and attacks against the security (i.e. the
confidentiality, integrity and availability) of computer systems and data.
The need for protection reflects the interests of organisations and
individuals to manage, operate and control their systems in an undisturbed
and uninhibited manner. The mere unauthorised intrusion, i.e. "hacking",
"cracking" or "computer trespass" should in principle be illegal in
itself. It may lead to impediments to legitimate users of systems and data
and may cause alteration or destruction with high costs for
reconstruction. Such intrusions may give access to confidential data
(including passwords, information about the targeted system) and secrets,
to the use of the system without payment or even encourage hackers to
commit more dangerous forms of computer-related offences, like
computer-related fraud or forgery.
45. The most effective means of preventing unauthorised
access is, of course, the introduction and development of effective
security measures. However, a comprehensive response has to include also
the threat and use of criminal law measures. A criminal prohibition of
unauthorised access is able to give additional protection to the system
and the data as such and at an early stage against the dangers described
above.
46. "Access" comprises the entering of the whole or any
part of a computer system (hardware, components, stored data of the system
installed, directories, traffic and content-related data). However, it
does not include the mere sending of an e-mail message or file to that
system. "Access" includes the entering of another computer system, where
it is connected via public telecommunication networks, or to a computer
system on the same network, such as a LAN (local area network) or Intranet
within an organisation. The method of communication (e.g. from a distance,
including via wireless links or at a close range) does not matter.
47. The act must also be committed ‘without right’. In
addition to the explanation given above on this expression, it means that
there is no criminalisation of the access authorised by the owner or other
right holder of the system or part of it (such as for the purpose of
authorised testing or protection of the computer system concerned).
Moreover, there is no criminalisation for accessing a computer system that
permits free and open access by the public, as such access is "with
right."
48. The application of specific technical tools may
result in an access under Article 2, such as the access of a web page,
directly or through hypertext links, including deep-links or the
application of ‘cookies’ or ‘bots’ to locate and retrieve information on
behalf of communication. The application of such tools per se is not
‘without right’. The maintenance of a public web site implies consent by
the web site-owner that it can be accessed by any other web-user. The
application of standard tools provided for in the commonly applied
communication protocols and programs, is not in itself ‘without right’, in
particular where the rightholder of the accessed system can be considered
to have accepted its application, e.g. in the case of ‘cookies’ by not
rejecting the initial instalment or not removing it.
49. Many national legislations already contain provisions
on "hacking" offences, but the scope and constituent elements vary
considerably. The broad approach of criminalisation in the first sentence
of Article 2 is not undisputed. Opposition stems from situations where no
dangers were created by the mere intrusion or where even acts of hacking
have led to the detection of loopholes and weaknesses of the security of
systems. This has led in a range of countries to a narrower approach
requiring additional qualifying circumstances which is also the approach
adopted by Recommendation N° (89) 9 and the proposal of the OECD Working
Party in 1985.
50. Parties can take the wide approach and criminalise
mere hacking in accordance with the first sentence of Article 2.
Alternatively, Parties can attach any or all of the qualifying elements
listed in the second sentence: infringing security measures, special
intent to obtain computer data, other dishonest intent that justifies
criminal culpability, or the requirement that the offence is committed in
relation to a computer system that is connected remotely to another
computer system. The last option allows Parties to exclude the situation
where a person physically accesses a stand-alone computer without any use
of another computer system. They may restrict the offence to illegal
access to networked computer systems (including public networks provided
by telecommunication services and private networks, such as Intranets or
Extranets).
Illegal interception (Article 3)
51. This provision aims to protect the right of privacy
of data communication. The offence represents the same violation of the
privacy of communications as traditional tapping and recording of oral
telephone conversations between persons. The right to privacy of
correspondence is enshrined in Article 8 of the European Convention on
Human Rights. The offence established under Article 3 applies this
principle to all forms of electronic data transfer, whether by telephone,
fax, e-mail or file transfer.
52. The text of the provision has been mainly taken from
the offence of ‘unauthorised interception’ contained in Recommendation
(89) 9. In the present Convention it has been made clear that the
communications involved concern "transmissions of computer data" as well
as electromagnetic radiation, under the circumstances as explained below.
53. Interception by ‘technical means’ relates to
listening to, monitoring or surveillance of the content of communications,
to the procuring of the content of data either directly, through access
and use of the computer system, or indirectly, through the use of
electronic eavesdropping or tapping devices. Interception may also involve
recording. Technical means includes technical devices fixed to
transmission lines as well as devices to collect and record wireless
communications. They may include the use of software, passwords and codes.
The requirement of using technical means is a restrictive qualification to
avoid over-criminalisation.
54. The offence applies to ‘non-public’ transmissions of
computer data. The term ‘non-public’ qualifies the nature of the
transmission (communication) process and not the nature of the data
transmitted. The data communicated may be publicly available information,
but the parties wish to communicate confidentially. Or data may be kept
secret for commercial purposes until the service is paid, as in Pay-TV.
Therefore, the term ‘non-public’ does not per se exclude communications
via public networks. Communications of employees, whether or not for
business purposes, which constitute "non-public transmissions of computer
data" are also protected against interception without right under Article
3 (see e.g. ECHR Judgement in Halford v. UK case, 25 June 1997, 20605/92).
55. The communication in the form of transmission of
computer data can take place inside a single computer system (flowing from
CPU to screen or printer, for example), between two computer systems
belonging to the same person, two computers communicating with one
another, or a computer and a person (e.g. through the keyboard).
Nonetheless, Parties may require as an additional element that the
communication be transmitted between computer systems remotely connected.
56. It should be noted that the fact that the notion of
‘computer system’ may also encompass radio connections does not mean that
a Party is under an obligation to criminalise the interception of any
radio transmission which, even though ‘non-public’, takes place in a
relatively open and easily accessible manner and therefore can be
intercepted, for example by radio amateurs.
57. The creation of an offence in relation to
‘electromagnetic emissions’ will ensure a more comprehensive scope.
Electromagnetic emissions may be emitted by a computer during its
operation. Such emissions are not considered as ‘data’ according to the
definition provided in Article 1. However, data can be reconstructed from
such emissions. Therefore, the interception of data from electromagnetic
emissions from a computer system is included as an offence under this
provision.
58. For criminal liability to attach, the illegal
interception must be committed "intentionally", and "without right". The
act is justified, for example, if the intercepting person has the right to
do so, if he acts on the instructions or by authorisation of the
participants of the transmission (including authorised testing or
protection activities agreed to by the participants), or if surveillance
is lawfully authorised in the interests of national security or the
detection of offences by investigating authorities. It was also understood
that the use of common commercial practices, such as employing ‘cookies’,
is not intended to be criminalised as such, as not being an interception
"without right". With respect to non-public communications of employees
protected under Article 3 (see above paragraph 54), domestic law may
provide a ground for legitimate interception of such communications. Under
Article 3, interception in such circumstances would be considered as
undertaken "with right".
59. In some countries, interception may be closely
related to the offence of unauthorised access to a computer system. In
order to ensure consistency of the prohibition and application of the law,
countries that require dishonest intent, or that the offence be committed
in relation to a computer system that is connected to another computer
system in accordance with Article 2, may also require similar qualifying
elements to attach criminal liability in this article. These elements
should be interpreted and applied in conjunction with the other elements
of the offence, such as "intentionally" and "without right".
Data interference (Article 4)
60. The aim of this provision is to provide computer data
and computer programs with protection similar to that enjoyed by corporeal
objects against intentional infliction of damage. The protected legal
interest here is the integrity and the proper functioning or use of stored
computer data or computer programs.
61. In paragraph 1, ‘damaging’ and ‘deteriorating’ as
overlapping acts relate in particular to a negative alteration of the
integrity or of information content of data and programmes. ‘Deletion’ of
data is the equivalent of the destruction of a corporeal thing. It
destroys them and makes them unrecognisable. Suppressing of computer data
means any action that prevents or terminates the availability of the data
to the person who has access to the computer or the data carrier on which
it was stored. The term ‘alteration’ means the modification of existing
data. The input of malicious codes, such as viruses and Trojan horses is,
therefore, covered under this paragraph, as is the resulting modification
of the data.
62. The above acts are only punishable if committed
"without right". Common activities inherent in the design of networks or
common operating or commercial practices, such as, for example, for the
testing or protection of the security of a computer system authorised by
the owner or operator, or the reconfiguration of a computer’s operating
system that takes place when the operator of a system acquires new
software (e.g., software permitting access to the Internet that disables
similar, previously installed programs), are with right and therefore are
not criminalised by this article. The modification of traffic data for the
purpose of facilitating anonymous communications (e.g., the activities of
anonymous remailer systems), or the modification of data for the purpose
of secure communications (e.g. encryption), should in principle be
considered a legitimate protection of privacy and, therefore, be
considered as being undertaken with right. However, Parties may wish to
criminalise certain abuses related to anonymous communications, such as
where the packet header information is altered in order to conceal the
identity of the perpetrator in committing a crime.
63. In addition, the offender must have acted
"intentionally".
64. Paragraph 2 allows Parties to enter a reservation
concerning the offence in that they may require that the conduct result in
serious harm. The interpretation of what constitutes such serious harm is
left to domestic legislation, but Parties should notify the Secretary
General of the Council of Europe of their interpretation if use is made of
this reservation possibility.
System interference (Article 5)
65. This is referred to in Recommendation No. (89) 9 as
computer sabotage. The provision aims at criminalising the intentional
hindering of the lawful use of computer systems including
telecommunications facilities by using or influencing computer data. The
protected legal interest is the interest of operators and users of
computer or telecommunication systems being able to have them function
properly. The text is formulated in a neutral way so that all kinds of
functions can be protected by it.
66. The term "hindering" refers to actions that interfere
with the proper functioning of the computer system. Such hindering must
take place by inputting, transmitting, damaging, deleting, altering or
suppressing computer data.
67. The hindering must furthermore be "serious" in order
to give rise to criminal sanction. Each Party shall determine for itself
what criteria must be fulfilled in order for the hindering to be
considered "serious." For example, a Party may require a minimum amount of
damage to be caused in order for the hindering to be considered serious.
The drafters considered as "serious" the sending of data to a particular
system in such a form, size or frequency that it has a significant
detrimental effect on the ability of the owner or operator to use the
system, or to communicate with other systems (e.g., by means of programs
that generate "denial of service" attacks, malicious codes such as viruses
that prevent or substantially slow the operation of the system, or
programs that send huge quantities of electronic mail to a recipient in
order to block the communications functions of the system).
68. The hindering must be "without right". Common
activities inherent in the design of networks, or common operational or
commercial practices are with right. These include, for example, the
testing of the security of a computer system, or its protection,
authorised by its owner or operator, or the reconfiguration of a
computer’s operating system that takes place when the operator of a system
installs new software that disables similar, previously installed
programs. Therefore, such conduct is not criminalised by this article,
even if it causes serious hindering.
69. The sending of unsolicited e-mail, for commercial or
other purposes, may cause nuisance to its recipient, in particular when
such messages are sent in large quantities or with a high frequency
("spamming"). In the opinion of the drafters, such conduct should only be
criminalised where the communication is intentionally and seriously
hindered. Nevertheless, Parties may have a different approach to hindrance
under their law, e.g. by making particular acts of interference
administrative offences or otherwise subject to sanction. The text leaves
it to the Parties to determine the extent to which the functioning of the
system should be hindered – partially or totally, temporarily or
permanently – to reach the threshold of harm that justifies sanction,
administrative or criminal, under their law.
70. The offence must be committed intentionally, that is
the perpetrator must have the intent to seriously hinder.
Misuse of devices (Article 6)
71. This provision establishes as a separate and
independent criminal offence the intentional commission of specific
illegal acts regarding certain devices or access data to be misused for
the purpose of committing the above-described offences against the
confidentiality, the integrity and availability of computer systems or
data. As the commission of these offences often requires the possession of
means of access ("hacker tools") or other tools, there is a strong
incentive to acquire them for criminal purposes which may then lead to the
creation of a kind of black market in their production and distribution.
To combat such dangers more effectively, the criminal law should prohibit
specific potentially dangerous acts at the source, preceding the
commission of offences under Articles 2 – 5. In this respect the provision
builds upon recent developments inside the Council of Europe (European
Convention on the legal protection of services based on, or consisting of,
conditional access - ETS N° 178) and the European Union (Directive
98/84/EC of the European Parliament and of the Council of 20 November 1998
on the legal protection of services based on, or consisting of,
conditional access) and relevant provisions in some countries. A similar
approach has already been taken in the 1929 Geneva Convention on currency
counterfeiting.
72. Paragraph 1(a)1 criminalises the production, sale,
procurement for use, import, distribution or otherwise making available of
a device, including a computer programme, designed or adapted primarily
for the purpose of committing any of the offences established in Articles
2-5 of the present Convention. ‘Distribution’ refers to the active act of
forwarding data to others, while ‘making available’ refers to the placing
of devices online for the use of others. This term also intends to cover the
creation or compilation of hyperlinks in order to facilitate access to
such devices. The inclusion of a ‘computer program’ refers to programs
that are for example designed to alter or even destroy data or interfere
with the operation of systems, such as virus programs, or programs
designed or adapted to gain access to computer systems.
73. The drafters debated at length whether the devices
should be restricted to those which are designed exclusively or
specifically for committing offences, thereby excluding dual-use devices.
This was considered to be too narrow. It could lead to insurmountable
difficulties of proof in criminal proceedings, rendering the provision
practically inapplicable or only applicable in rare instances. The
alternative, to include all devices even if they are legally produced and
distributed, was also rejected. Only the subjective element of the intent
of committing a computer offence would then be decisive for imposing a
punishment, an approach which in the area of money counterfeiting also has
not been adopted. As a reasonable compromise the Convention restricts its
scope to cases where the devices are objectively designed, or adapted,
primarily for the purpose of committing an offence. This alone will
usually exclude dual-use devices.
74. Paragraph 1(a)2 criminalises the production, sale,
procurement for use, import, distribution or otherwise making available of
a computer password, access code or similar data by which the whole or any
part of a computer system is capable of being accessed.
75. Paragraph 1(b) creates the offence of possessing the
items set out in paragraph 1(a)1 or 1(a)2. Parties are permitted, by the
last phrase of paragraph 1(b), to require by law that a number of such
items be possessed. The number of items possessed goes directly to proving
criminal intent. It is up to each Party to decide the number of items
required before criminal liability attaches.
76. The offence requires that it be committed
intentionally and without right. In order to avoid the danger of
overcriminalisation where devices are produced and put on the market for
legitimate purposes, e.g. to counter attacks against computer systems,
further elements are added to restrict the offence. Apart from the general
intent requirement, there must be the specific (i.e. direct) intent that
the device is used for the purpose of committing any of the offences
established in Articles 2-5 of the Convention.
77. Paragraph 2 sets out clearly that those tools created
for the authorised testing or the protection of a computer system are not
covered by the provision. This concept is already contained in the
expression ‘without right’. For example, test-devices (‘cracking-devices’)
and network analysis devices designed by industry to control the
reliability of their information technology products or to test system
security are produced for legitimate purposes, and would be considered to
be ‘with right’.
78. Due to different assessments of the need to apply the offence of
"Misuse of Devices" to all of the different kinds of computer offences in
Articles 2 – 5, paragraph 3 allows Parties, on the basis of a reservation
(cf. Article 42), to restrict the offence in domestic law. Each Party is,
however, obliged to criminalise at least the sale, distribution or making
available of a computer password or access data as described in paragraph
1 (a) 2.
Title 2 - Computer-related offences
79. Articles 7 - 10 relate to ordinary crimes that are
frequently committed through the use of a computer system. Most States
already have criminalised these ordinary crimes, and their existing laws
may or may not be sufficiently broad to extend to situations involving
computer networks (for example, existing child pornography laws of some
States may not extend to electronic images). Therefore, in the course of
implementing these articles, States must examine their existing laws to
determine whether they apply to situations in which computer systems or
networks are involved. If existing offences already cover such conduct,
there is no requirement to amend existing offences or enact new ones.
80. "Computer-related forgery" and "Computer-related
fraud" deal with certain computer-related offences, i.e. computer-related
forgery and computer-related fraud as two specific kinds of manipulation
of computer systems or computer data. Their inclusion acknowledges the
fact that in many countries certain traditional legal interests are not
sufficiently protected against new forms of interference and attacks.
Computer-related forgery (Article 7)
81. The purpose of this article is to create a parallel
offence to the forgery of tangible documents. It aims at filling gaps in
criminal law related to traditional forgery, which requires visual
readability of statements, or declarations embodied in a document and
which does not apply to electronically stored data. Manipulations of such
data with evidentiary value may have the same serious consequences as
traditional acts of forgery if a third party is thereby misled.
Computer-related forgery involves the unauthorised creation or alteration of
stored data so that they acquire a different evidentiary value and the course
of legal transactions, which relies on the authenticity of the information
contained in the data, is subject to a deception. The protected legal
interest is the security and reliability of electronic data which may have
consequences for legal relations.
82. It should be noted that national concepts of forgery
vary greatly. One concept is based on the authenticity as to the author of
the document, and others are based on the truthfulness of the statement
contained in the document. However, it was agreed that the deception as to
authenticity refers at minimum to the issuer of the data, regardless of
the correctness or veracity of the contents of the data. Parties may go
further and include under the term "authentic" the genuineness of the
data.
83. This provision covers data which is the equivalent of
a public or private document, which has legal effects. The unauthorised
"input" of correct or incorrect data brings about a situation that
corresponds to the making of a false document. Subsequent alterations
(modifications, variations, partial changes), deletions (removal of data
from a data medium) and suppression (holding back, concealment of data)
correspond in general to the falsification of a genuine document.
84. The term "for legal purposes" refers also to legal
transactions and documents which are legally relevant.
85. The final sentence of the provision allows Parties,
when implementing the offence in domestic law, to require in addition an
intent to defraud, or similar dishonest intent, before criminal liability
attaches.
Computer-related fraud (Article 8)
86. With the arrival of the technological revolution the
opportunities for committing economic crimes such as fraud, including
credit card fraud, have multiplied. Assets represented or administered in
computer systems (electronic funds, deposit money) have become the target
of manipulations like traditional forms of property. These crimes consist
mainly of input manipulations, where incorrect data is fed into the
computer, or by programme manipulations and other interferences with the
course of data processing. The aim of this article is to criminalise any
undue manipulation in the course of data processing with the intention to
effect an illegal transfer of property.
87. To ensure that all possible relevant manipulations
are covered, the constituent elements of 'input', 'alteration', 'deletion'
or 'suppression' in Article 8(a) are supplemented by the general act of
'interference with the functioning of a computer programme or system' in
Article 8(b). The elements of 'input, alteration, deletion or suppression'
have the same meaning as in the previous articles. Article 8(b) covers
acts such as hardware manipulations, acts suppressing printouts and acts
affecting recording or flow of data, or the sequence in which programs are
run.
88. The computer fraud manipulations are criminalised if
they produce a direct economic or possessory loss of another person's
property and the perpetrator acted with the intent of procuring an
unlawful economic gain for himself or for another person. The term 'loss
of property', being a broad notion, includes loss of money, tangibles and
intangibles with an economic value.
89. The offence must be committed "without right", and
the economic benefit must be obtained without right. Of course, legitimate
common commercial practices, which are intended to procure an economic
benefit, are not meant to be included in the offence established by this
article because they are conducted with right. For example, activities
carried out pursuant to a valid contract between the affected persons are
with right (e.g. disabling a web site as entitled pursuant to the terms of
the contract).
90. The offence has to be committed "intentionally". The
general intent element refers to the computer manipulation or interference
causing loss of property to another. The offence also requires a specific
fraudulent or other dishonest intent to gain an economic or other benefit
for oneself or another. Thus, for example, commercial practices with
respect to market competition that may cause an economic detriment to a
person and benefit to another, but are not carried out with fraudulent or
dishonest intent, are not meant to be included in the offence established
by this article. For example, the use of information gathering programs to
comparison shop on the Internet ("bots"), even if not authorised by a site
visited by the "bot", is not intended to be criminalised.
Title 3 – Content-related offences
Offences related to child pornography (Article 9)
91. Article 9 on child pornography seeks to strengthen
protective measures for children, including their protection against
sexual exploitation, by modernising criminal law provisions to more
effectively circumscribe the use of computer systems in the commission of
sexual offences against children.
92. This provision responds to the preoccupation of Heads
of State and Government of the Council of Europe, expressed at their 2nd
summit (Strasbourg, 10 - 11 October 1997) in their Action Plan (item
III.4) and corresponds to an international trend that seeks to ban child
pornography, as evidenced by the recent adoption of the Optional Protocol
to the UN Convention on the rights of the child, on the sale of children,
child prostitution and child pornography and the recent European
Commission initiative on combating sexual exploitation of children and
child pornography (COM2000/854).
93. This provision criminalises various aspects of the
electronic production, possession and distribution of child pornography.
Most States already criminalise the traditional production and physical
distribution of child pornography, but with the ever-increasing use of the
Internet as the primary instrument for trading such material, it was
strongly felt that specific provisions in an international legal
instrument were essential to combat this new form of sexual exploitation
and endangerment of children. It is widely believed that such material and
on-line practices, such as the exchange of ideas, fantasies and advice
among paedophiles, play a role in supporting, encouraging or facilitating
sexual offences against children.
94. Paragraph 1(a) criminalises the production of child
pornography for the purpose of distribution through a computer system.
This provision was felt necessary to combat the dangers described above at
their source.
95. Paragraph 1(b) criminalises the ‘offering’ of child
pornography through a computer system. ‘Offering’ is intended to cover
soliciting others to obtain child pornography. It implies that the person
offering the material can actually provide it. ‘Making available’ is
intended to cover the placing of child pornography on line for the use of
others e.g. by means of creating child pornography sites. This paragraph
also intends to cover the creation or compilation of hyperlinks to child
pornography sites in order to facilitate access to child pornography.
96. Paragraph 1(c) criminalises the distribution or
transmission of child pornography through a computer system.
‘Distribution’ is the active dissemination of the material. Sending child
pornography through a computer system to another person would be addressed
by the offence of 'transmitting' child pornography.
97. The term ‘procuring for oneself or for another’ in
paragraph 1(d) means actively obtaining child pornography, e.g. by
downloading it.
98. The possession of child pornography in a computer
system or on a data carrier, such as a diskette or CD-Rom, is criminalised
in paragraph 1(e). The possession of child pornography stimulates demand
for such material. An effective way to curtail the production of child
pornography is to attach criminal consequences to the conduct of each
participant in the chain from production to possession.
99. The term ‘pornographic material’ in paragraph 2 is
governed by national standards pertaining to the classification of
materials as obscene, inconsistent with public morals or similarly
corrupt. Therefore, material having an artistic, medical, scientific or
similar merit may be considered not to be pornographic. The visual
depiction includes data stored on computer diskette or on other electronic
means of storage, which are capable of conversion into a visual image.
100. A ‘sexually explicit conduct’ covers at least real
or simulated: a) sexual intercourse, including genital-genital,
oral-genital, anal-genital or oral-anal, between minors, or between an
adult and a minor, of the same or opposite sex; b) bestiality; c)
masturbation; d) sadistic or masochistic abuse in a sexual context; or e)
lascivious exhibition of the genitals or the pubic area of a minor. It is
not relevant whether the conduct depicted is real or simulated.
101. The three types of material defined in paragraph 2
for the purposes of committing the offences contained in paragraph 1 cover
depictions of sexual abuse of a real child (2a), pornographic images which
depict a person appearing to be a minor engaged in sexually explicit
conduct (2b), and finally images, which, although ‘realistic’, do not in
fact involve a real child engaged in sexually explicit conduct (2c). This
latter scenario includes pictures which are altered, such as morphed
images of natural persons, or even generated entirely by the computer.
102. In the three cases covered by paragraph 2, the
protected legal interests are slightly different. Paragraph 2(a) focuses
more directly on the protection against child abuse. Paragraphs 2(b) and
2(c) aim at providing protection against behaviour that, while not
necessarily creating harm to the 'child' depicted in the material, as
there might not be a real child, might be used to encourage or seduce
children into participating in such acts, and hence form part of a
subculture favouring child abuse.
103. The term ‘without right’ does not exclude legal
defences, excuses or similar relevant principles that relieve a person of
responsibility under specific circumstances. Accordingly, the term
'without right' allows a Party to take into account fundamental rights,
such as freedom of thought, expression and privacy. In addition, a Party
may provide a defence in respect of conduct related to "pornographic
material" having an artistic, medical, scientific or similar merit. In
relation to paragraph 2(b), the reference to 'without right' could also
allow, for example, that a Party may provide that a person is relieved of
criminal responsibility if it is established that the person depicted is
not a minor in the sense of this provision.
104. Paragraph 3 defines the term ‘minor’ in relation to
child pornography in general as all persons under 18 years, in accordance
with the definition of a ‘child’ in the UN Convention on the Rights of the
Child (Article 1). It was considered an important policy matter to set a
uniform international standard regarding age. It should be noted that the
age refers to the use of (real or fictitious) children as sexual objects,
and is separate from the age of consent for sexual relations.
Nevertheless, recognising that certain States require a lower
age-limit in national legislation regarding child pornography, the last
phrase of paragraph 3 allows Parties to require a different age-limit,
provided it is not less than 16 years.
105. This article lists different types of illicit acts
related to child pornography which, as in articles 2 - 8, Parties are
obligated to criminalise if committed "intentionally." Under this
standard, a person is not liable unless he has an intent to offer, make
available, distribute, transmit, produce or possess child pornography.
Parties may adopt a more specific standard (see, for example, applicable
European Community law in relation to service provider liability), in
which case that standard would govern. For example, liability may be
imposed if there is "knowledge and control" over the information which is
transmitted or stored. It is not sufficient, for example, that a service
provider served as a conduit for, or hosted a website or newsroom
containing such material, without the required intent under domestic law
in the particular case. Moreover, a service provider is not required to
monitor conduct to avoid criminal liability.
106. Paragraph 4 permits Parties to make reservations regarding
paragraph 1(d) and (e), and paragraph 2(b) and (c). The right not to apply
these sections of the provision may be made in part or in whole. Any such
reservation should be declared to the Secretary General of the Council of
Europe at the time of signature or when depositing the Party’s instruments
of ratification, acceptance, approval or accession, in accordance with
Article 42.
Title 4 - Offences related to infringements of copyright and related rights
Offences related to infringements of copyright and
related rights (Article 10)
107. Infringements of intellectual property rights, in
particular of copyright, are among the most commonly committed offences on
the Internet, which cause concern both to copyright holders and those who
work professionally with computer networks. The reproduction and
dissemination on the Internet of protected works, without the approval of
the copyright holder, are extremely frequent. Such protected works include
literary, photographic, musical, audio-visual and other works. The ease
with which unauthorised copies may be made due to digital technology and
the scale of reproduction and dissemination in the context of electronic
networks made it necessary to include provisions on criminal law sanctions
and enhance international co-operation in this field.
108. Each Party is obliged to criminalise wilful
infringements of copyright and related rights, sometimes referred to as
neighbouring rights, arising from the agreements listed in the article,
when such infringements have been committed by means of a computer system
and "on a commercial scale". Paragraph 1 provides for criminal sanctions
against infringements of copyright by means of a computer system.
Infringement of copyright is already an offence in almost all States.
Paragraph 2 deals with the infringement of related rights by means of a
computer system.
109. Infringement of both copyright and related rights is
as defined under the law of each Party and pursuant to the obligations the
Party has undertaken in respect of certain international instruments.
While each Party is required to establish as criminal offences those
infringements, the precise manner in which such infringements are defined
under domestic law may vary from State to State. However, criminalisation
obligations under the Convention do not cover intellectual property
infringements other than those explicitly addressed in Article 10 and thus
exclude patent or trademark-related violations.
110. With regard to paragraph 1, the agreements referred
to are the Paris Act of 24 July 1971 of the Bern Convention for the
Protection of Literary and Artistic Works, the Agreement on Trade-Related
Aspects of Intellectual Property Rights (TRIPS), and the World
Intellectual Property Organisation (WIPO) Copyright Treaty. With regard to
paragraph 2, the international instruments cited are the International
Convention for the Protection of Performers, Producers of Phonograms and
Broadcasting Organisations (Rome Convention), the Agreement on
Trade-Related Aspects of Intellectual Property Rights (TRIPS) and the
World Intellectual Property Organisation (WIPO) Performances and
Phonograms Treaty. The use of the term "pursuant to the obligations it has
undertaken" in both paragraphs makes it clear that a Contracting Party to
the current Convention is not bound to apply agreements cited to which it
is not a Party; moreover, if a Party has made a reservation or declaration
permitted under one of the agreements, that reservation may limit the
extent of its obligation under the present Convention.
111. The WIPO Copyright Treaty and the WIPO Performances
and Phonograms Treaty had not entered into force at the time of concluding
the present Convention. These treaties are nevertheless important as they
significantly update the international protection for intellectual
property (especially with regard to the new right of 'making available' of
protected material 'on demand' over the Internet) and improve the means to
fight violations of intellectual property rights worldwide. However, it is
understood that the infringements of rights established by these treaties
need not be criminalised under the present Convention until these treaties
have entered into force with respect to a Party.
112. The obligation to criminalise infringements of
copyright and related rights pursuant to obligations undertaken in
international instruments does not extend to any moral rights conferred by
the named instruments (such as in Article 6bis of the Bern Convention and
in Article 5 of the WIPO Copyright Treaty).
113. Copyright and related rights offences must be
committed "wilfully" for criminal liability to apply. In contrast to all
the other substantive law provisions of this Convention, the term
"wilfully" is used instead of "intentionally" in both paragraphs 1 and 2,
as this is the term employed in the TRIPS Agreement (Article 61),
governing the obligation to criminalise copyright violations.
114. The provisions are intended to provide for criminal
sanctions against infringements 'on a commercial scale' and by means of a
computer system. This is in line with Article 61 of the TRIPS Agreement
which requires criminal sanctions in copyright matters only in the case of
"piracy on a commercial scale". However, Parties may wish to go beyond the
threshold of "commercial scale" and criminalise other types of copyright
infringement as well.
115. The term "without right" has been omitted from the
text of this article as redundant, since the term "infringement" already
denotes use of the copyrighted material without authorisation. The absence
of the term "without right" does not a contrario exclude application of
criminal law defences, justifications and principles governing the
exclusion of criminal liability associated with the term "without right"
elsewhere in the Convention.
116. Paragraph 3 allows Parties not to impose criminal
liability under paragraphs 1 and 2 in "limited circumstances" (e.g.
parallel imports, rental rights), as long as other effective remedies,
including civil and/or administrative measures, are available. This
provision essentially allows Parties a limited exemption from the
obligation to impose criminal liability, provided that they do not
derogate from obligations under Article 61 of the TRIPS Agreement, which
is the minimum pre-existing criminalisation requirement.
117. This article shall in no way be interpreted to extend the
protection granted to authors, film producers, performers, producers of
phonograms, broadcasting organisations or other right holders to persons
that do not meet the criteria for eligibility under domestic law or
international agreement.
Title 5 - Ancillary liability and sanctions
Attempt and aiding or abetting (Article 11)
118. The purpose of this article is to establish
additional offences related to attempt and aiding or abetting the
commission of the offences defined in the Convention. As discussed further
below, it is not required that a Party criminalise the attempt to commit
each offence established in the Convention.
119. Paragraph 1 requires Parties to establish
as criminal offences aiding or abetting the commission of any of the
offences under Articles 2-10. Liability arises for aiding or abetting
where the person who commits a crime established in the Convention is
aided by another person who also intends that the crime be committed.
For example, although the transmission of harmful content data or
malicious code through the Internet requires the assistance of service
providers as a conduit, a service provider that does not have the
criminal intent cannot incur liability under this section. Thus, there
is no duty on a service provider to actively monitor content to avoid
criminal liability under this provision.
120. With respect to paragraph 2 on
attempt, some offences defined in the Convention, or elements
of these offences, were considered to be conceptually
difficult to attempt (for example, the elements of offering or
making available of child pornography). Moreover, some legal
systems limit the offences for which the attempt is punished.
Accordingly, it is only required that the attempt be
criminalised with respect to offences established in
accordance with Articles 3, 4, 5, 7, 8, 9(1)(a) and 9(1)(c).
121. As with all the offences
established in accordance with the Convention, attempt and
aiding or abetting must be committed intentionally.
122. Paragraph 3 was added to address
the difficulties Parties may have with paragraph 2, given the
widely varying concepts in different legislations and despite
the effort in paragraph 2 to exempt certain aspects from the
provision on attempt. A Party may declare that it reserves the
right not to apply paragraph 2 in part or in whole. This means
that any Party making a reservation as to that provision will
have no obligation to criminalise attempt at all, or may
select the offences or parts of offences to which it will
attach criminal sanctions in relation to attempt. The
reservation aims at enabling the widest possible ratification
of the Convention while permitting Parties to preserve some of
their fundamental legal concepts.
Corporate liability (Article 12)
123. Article 12 deals with the
liability of legal persons. It is consistent with the current
legal trend to recognise corporate liability. It is intended
to impose liability on corporations, associations and similar
legal persons for the criminal actions undertaken by a person
in a leading position within such legal person, where
undertaken for the benefit of that legal person. Article 12
also contemplates liability where such a leading person fails
to supervise or control an employee or an agent of the legal
person, where such failure facilitates the commission by that
employee or agent of one of the offences established in the
Convention.
124. Under paragraph 1, four
conditions need to be met for liability to attach. First, one
of the offences described in the Convention must have been
committed. Second, the offence must have been committed for
the benefit of the legal person. Third, a person who has a
leading position must have committed the offence (including
aiding and abetting). The term "person who has a leading
position" refers to a natural person who has a high position
in the organisation, such as a director. Fourth, the person
who has a leading position must have acted on the basis of one
of these powers - a power of representation or an authority to
take decisions or to exercise control - which demonstrate that
such a physical person acted within the scope of his or her
authority to engage the liability of the legal person. In sum,
paragraph 1 obligates Parties to have the ability to impose
liability on the legal person only for offences committed by
such leading persons.
125. In addition, paragraph 2
obligates Parties to have the ability to impose liability upon
a legal person where the crime is committed not by the leading
person described in paragraph 1, but by another person acting
under the legal person’s authority, i.e., one of its employees
or agents acting within the scope of their authority. The
conditions that must be fulfilled before liability can attach
are that (1) an offence has been committed by such an employee
or agent of the legal person, (2) the offence has been
committed for the benefit of the legal person; and (3) the
commission of the offence has been made possible by the
leading person having failed to supervise the employee or
agent. In this context, failure to supervise should be
interpreted to include failure to take appropriate and
reasonable measures to prevent employees or agents from
committing criminal activities on behalf of the legal person.
Such appropriate and reasonable measures could be determined
by various factors, such as the type of the business, its
size, the standards or the established business best
practices, etc. This should not be interpreted as requiring a
general surveillance regime over employee communications (see
also paragraph 54). A service provider does not incur
liability by virtue of the fact that a crime was committed on
its system by a customer, user or other third person, because
the term "acting under its authority" applies exclusively to
employees and agents acting within the scope of their
authority.
126. Liability under this Article may
be criminal, civil or administrative. Each Party has the
flexibility to choose to provide for any or all of these forms
of liability, in accordance with the legal principles of each
Party, as long as it meets the criteria of Article 13,
paragraph 2, that the sanction or measure be "effective,
proportionate and dissuasive" and includes monetary sanctions.
127. Paragraph 4 clarifies that
corporate liability does not exclude individual liability.
Sanctions and measures (Article 13)
128. This article is closely related
to Articles 2-11, which define various computer- or
computer-related crimes that should be made punishable under
criminal law. In accordance with the obligations imposed by
those articles, this provision obliges the Contracting Parties
to draw consequences from the serious nature of these offences
by providing for criminal sanctions that are 'effective,
proportionate and dissuasive' and, in the case of natural
persons, include the possibility of imposing prison sentences.
129. Legal persons whose liability is
to be established in accordance with Article 12 shall also be
subject to sanctions that are 'effective, proportionate and
dissuasive', which can be criminal, administrative or civil in
nature. Contracting Parties are compelled, under paragraph 2,
to provide for the possibility of imposing monetary sanctions
on legal persons.
130. The article leaves open the
possibility of other sanctions or measures reflecting the
seriousness of the offences, for example, measures could
include injunction or forfeiture. It leaves to the Parties the
discretionary power to create a system of criminal offences
and sanctions that is compatible with their existing national
legal systems.
Section 2 - Procedural law
131. The articles in this Section
describe certain procedural measures to be taken at the
national level for the purpose of criminal investigation of
the offences established in Section 1, other criminal offences
committed by means of a computer system and the collection of
evidence in electronic form of a criminal offence. In
accordance with Article 39, paragraph 3, nothing in the
Convention requires or invites a Party to establish powers or
procedures other than those contained in this Convention, nor
precludes a Party from doing so.
132. The technological revolution,
which encompasses the "electronic highway" where numerous
forms of communication and services are interrelated and
interconnected through the sharing of common transmission
media and carriers, has altered the sphere of criminal law and
criminal procedure. The ever-expanding network of
communications opens new doors for criminal activity in
respect of both traditional offences and new technological
crimes. Not only must substantive criminal law keep abreast of
these new abuses, but so must criminal procedural law and
investigative techniques. Equally, safeguards should also be
adapted or developed to keep abreast of the new technological
environment and new procedural powers.
133. One of the major challenges in
combating crime in the networked environment is the difficulty
in identifying the perpetrator and assessing the extent and
impact of the criminal act. A further problem is caused by the
volatility of electronic data, which may be altered, moved or
deleted in seconds. For example, a user who is in control of
the data may use the computer system to erase the data that is
the subject of a criminal investigation, thereby destroying
the evidence. Speed and, sometimes, secrecy are often vital
for the success of an investigation.
134. The Convention adapts traditional
procedural measures, such as search and seizure, to the new
technological environment. Additionally, new measures have
been created, such as expedited preservation of data, in order
to ensure that traditional measures of collection, such as
search and seizure, remain effective in the volatile
technological environment. As data in the new technological
environment is not always static, but may be flowing in the
process of communication, other traditional collection
procedures relevant to telecommunications, such as real-time
collection of traffic data and interception of content data,
have also been adapted in order to permit the collection of
electronic data that is in the process of communication. Some
of these measures are set out in Council of Europe
Recommendation No. R (95) 13 on problems of criminal
procedural law connected with information technology.
135. All the provisions referred to in
this Section aim at permitting the obtaining or collection of
data for the purpose of specific criminal investigations or
proceedings. The drafters of the present Convention discussed
whether the Convention should impose an obligation for service
providers to routinely collect and retain traffic data for a
certain fixed period of time, but did not include any such
obligation due to lack of consensus.
136. The procedures in general refer
to all types of data, including three specific types of
computer data (traffic data, content data and subscriber
data), which may exist in two forms (stored or in the process
of communication). Definitions of some of these terms are
provided in Articles 1 and 18. The applicability of a
procedure to a particular type or form of electronic data
depends on the nature and form of the data and the nature of
the procedure, as specifically described in each article.
137. In adapting traditional
procedural laws to the new technological environment, the
question of appropriate terminology arises in the provisions
of this section. The options included maintaining traditional
language ('search' and 'seize'), using new and more
technologically oriented computer terms ('access' and 'copy'),
as adopted in texts of other international fora on the subject
(such as the G8 High Tech Crime Subgroup), or employing a
compromise of mixed language ('search or similarly access',
and 'seize or similarly secure'). As there is a need to
reflect the evolution of concepts in the electronic
environment, as well as identify and maintain their
traditional roots, the flexible approach of allowing States to
use either the old notions of "search and seizure" or the new
notions of "access and copying" is employed.
138. All the articles in the Section
refer to "competent authorities" and the powers they shall be
granted for the purposes of specific criminal investigations
or proceedings. In certain countries, only judges have the
power to order or authorise the collection or production of
evidence, while in other countries prosecutors or other law
enforcement officers are entrusted with the same or similar
powers. Therefore, 'competent authority' refers to a judicial,
administrative or other law enforcement authority that is
empowered by domestic law to order, authorise or undertake the
execution of procedural measures for the purpose of collection
or production of evidence with respect to specific criminal
investigations or proceedings.
Title 1 – Common provisions
139. The Section begins with two
provisions of a general nature that apply to all the articles
relating to procedural law.
Scope of procedural provisions (Article 14)
140. Each State Party is obligated to
adopt such legislative and other measures as may be necessary,
in accordance with its domestic law and legal framework, to
establish the powers and procedures described in this Section
for the purpose of "specific criminal investigations or
proceedings."
141. Subject to two exceptions, each
Party shall apply the powers and procedures established in
accordance with this Section to: (i) criminal offences
established in accordance with Section 1 of the Convention;
(ii) other criminal offences committed by means of a computer
system; and (iii) the collection of evidence in electronic
form of a criminal offence. Thus, for the purpose of specific
criminal investigations or proceedings, the powers and
procedures referred to in this Section shall be applied to
offences established in accordance with the Convention, to
other criminal offences committed by means of a computer
system, and to the collection of evidence in electronic form
of a criminal offence. This ensures that evidence in
electronic form of any criminal offence can be obtained or
collected by means of the powers and procedures set out in
this Section. It ensures an equivalent or parallel capability
for the obtaining or collection of computer data as exists
under traditional powers and procedures for non-electronic
data. The Convention makes it explicit that Parties should
incorporate into their laws the possibility that information
contained in digital or other electronic form can be used as
evidence before a court in criminal proceedings, irrespective
of the nature of the criminal offence that is prosecuted.
142. There are two exceptions to this
scope of application. First, Article 21 provides that the
power to intercept content data shall be limited to a range of
serious offences to be determined by domestic law. Many States
limit the power of interception of oral communications or
telecommunications to a range of serious offences, in
recognition of the privacy of oral communications and
telecommunications and the intrusiveness of this investigative
measure. Likewise, this Convention only requires Parties to
establish interception powers and procedures in relation to
content data of specified computer communications in respect
of a range of serious offences to be determined by domestic
law.
143. Second, a Party may reserve the
right to apply the measures in Article 20 (real-time
collection of traffic data) only to offences or categories of
offences specified in the reservation, provided that the range
of such offences or categories is not more restricted than the
range of offences to which it applies the interception
measures referred to in Article 21. Some States consider the
collection of traffic data as being equivalent to the
collection of content data in terms of privacy and
intrusiveness. The right of reservation would permit these
States to limit the application of the measures to collect
traffic data, in real-time, to the same range of offences to
which it applies the powers and procedures of real-time
interception of content data. Many States, however, do not
consider the interception of content data and the collection
of traffic data to be equivalent in terms of privacy interests
and degree of intrusiveness, as the collection of traffic data
alone does not collect or disclose the content of the
communication. As the real-time collection of traffic data can
be very important in tracing the source or destination of
computer communications (thus, assisting in identifying
criminals), the Convention invites Parties that exercise the
right of reservation to limit their reservation so as to
enable the broadest application of the powers and procedures
provided to collect, in real-time, traffic data.
144. Paragraph (b) provides a
reservation for countries which, due to existing limitations
in their domestic law at the time of the Convention’s
adoption, cannot intercept communications on computer systems
operated for the benefit of a closed group of users and which
do not use public communications networks nor are they
connected with other computer systems. The term "closed group
of users" refers, for example, to a set of users that is
limited by association to the service provider, such as the
employees of a company for which the company provides the
ability to communicate amongst themselves using a computer
network. The term "not connected with other computer systems"
means that, at the time an order under Articles 20 or 21 would
be issued, the system on which communications are being
transmitted does not have a physical or logical connection to
another computer network. The term "does not employ public
communications networks" excludes systems that use public
computer networks (including the Internet), public telephone
networks or other public telecommunications facilities in
transmitting communications, whether or not such use is
apparent to the users.
Conditions and safeguards (Article 15)
145. The establishment, implementation
and application of the powers and procedures provided for in
this Section of the Convention shall be subject to the
conditions and safeguards provided for under the domestic law
of each Party. Although Parties are obligated to introduce
certain procedural law provisions into their domestic law, the
modalities of establishing and implementing these powers and
procedures into their legal system, and the application of the
powers and procedures in specific cases, are left to the
domestic law and procedures of each Party. These domestic laws
and procedures, as more specifically described below, shall
include conditions or safeguards, which may be provided
constitutionally, legislatively, judicially or otherwise. The
modalities should include the addition of certain elements as
conditions or safeguards that balance the requirements of law
enforcement with the protection of human rights and liberties.
As the Convention applies to Parties of many different legal
systems and cultures, it is not possible to specify in detail
the applicable conditions and safeguards for each power or
procedure. Parties shall ensure that these conditions and
safeguards provide for the adequate protection of human rights
and liberties. There are some common standards or minimum
safeguards to which Parties to the Convention must adhere.
These include standards or minimum safeguards arising pursuant
to obligations that a Party has undertaken under applicable
international human rights instruments. These instruments
include the 1950 European Convention for the Protection of
Human Rights and Fundamental Freedoms and its additional
Protocols No. 1, 4, 6, 7 and 12 (ETS N°s 005 (4), 009, 046,
114, 117 and 177), in respect of European States that are
Parties to them. It also includes other applicable human
rights instruments in respect of States in other regions of
the world (e.g. the 1969 American Convention on Human Rights
and the 1981 African Charter on Human Rights and Peoples’
Rights) which are Parties to these instruments, as well as the
more universally ratified 1966 International Covenant on Civil
and Political Rights. In addition, there are similar
protections provided under the laws of most States.
146. Another safeguard in the
Convention is that the powers and procedures shall
"incorporate the principle of proportionality."
Proportionality shall be implemented by each Party in
accordance with relevant principles of its domestic law. For
European countries, this will be derived from the principles
of the 1950 Council of Europe Convention for the Protection of
Human Rights and Fundamental Freedoms, its applicable
jurisprudence and national legislation and jurisprudence, that
the power or procedure shall be proportional to the nature and
circumstances of the offence. Other States will apply related
principles of their law, such as limitations on overbreadth of
production orders and reasonableness requirements for searches
and seizures. Also, the explicit limitation in Article 21 that
the obligations regarding interception measures are with
respect to a range of serious offences, determined by domestic
law, is an explicit example of the application of the
proportionality principle.
147. Without limiting the types of
conditions and safeguards that could be applicable, the
Convention requires specifically that such conditions and
safeguards include, as appropriate in view of the nature of
the power or procedure, judicial or other independent
supervision, grounds justifying the application of the power
or procedure and the limitation on the scope or the duration
thereof. National legislatures will have to determine, in
applying binding international obligations and established
domestic principles, which of the powers and procedures are
sufficiently intrusive in nature to require implementation of
particular conditions and safeguards. As stated in paragraph
215, Parties should clearly apply conditions and safeguards
such as these with respect to interception, given its
intrusiveness. At the same time, for example, such safeguards
need not apply equally to preservation. Other safeguards that
should be addressed under domestic law include the right
against self-incrimination, and legal privileges and
specificity of individuals or places which are the object of
the application of the measure.
148. With respect to the matters
discussed in paragraph 3, of primary importance is
consideration of the "public interest", in particular the
interests of "the sound administration of justice". To the
extent consistent with the public interest, Parties should
consider other factors, such as the impact of the power or
procedure on "the rights, responsibilities and legitimate
interests" of third parties, including service providers,
incurred as a result of the enforcement measures, and whether
appropriate means can be taken to mitigate such impact. In
sum, initial consideration is given to the sound
administration of justice and other public interests (e.g.
public safety and public health and other interests, including
the interests of victims and the respect for private life). To
the extent consistent with the public interest, consideration
would ordinarily also be given to such issues as minimising
disruption of consumer services, protection from liability for
disclosure or facilitating disclosure under this Chapter, or
protection of proprietary interests.
Title 2 – Expedited preservation of stored computer data
149. The measures in Articles 16 and
17 apply to stored data that has already been collected and
retained by data-holders, such as service providers. They do
not apply to the real-time collection and retention of future
traffic data or to real-time access to the content of
communications. These issues are addressed in Title 5.
150. The measures described in the
articles operate only where computer data already exists and
is currently being stored. For many reasons, computer data
relevant for criminal investigations may not exist or no
longer be stored. For example, accurate data may not have been
collected and retained, or if collected was not maintained.
Data protection laws may have affirmatively required the
destruction of important data before anyone realised its
significance for criminal proceedings. Sometimes there may be
no business reason for the collection and retention of data,
such as where customers pay a flat rate for services or the
services are free. Articles 16 and 17 do not address these
problems.
151. "Data preservation" must be
distinguished from "data retention". While sharing similar
meanings in common language, they have distinctive meanings in
relation to computer usage. To preserve data means to keep
data, which already exists in a stored form, protected from
anything that would cause its current quality or condition to
change or deteriorate. To retain data means to keep data,
which is currently being generated, in one’s possession into
the future. Data retention connotes the accumulation of data
in the present and the keeping or possession of it into a
future time period. Data retention is the process of storing
data. Data preservation, on the other hand, is the activity
that keeps that stored data secure and safe.
152. Articles 16 and 17 refer only to
data preservation, and not data retention. They do not mandate
the collection and retention of all, or even some, data
collected by a service provider or other entity in the course
of its activities. The preservation measures apply to computer
data that "has been stored by means of a computer system",
which presupposes that the data already exists, has already
been collected and is stored. Furthermore, as indicated in
Article 14, all of the powers and procedures required to be
established in Section 2 of the Convention are ‘for the
purpose of specific criminal investigations or proceedings’,
which limits the application of the measures to an
investigation in a particular case. Additionally, where a
Party gives effect to preservation measures by means of an
order, this order is in relation to "specified stored computer
data in the person’s possession or control" (paragraph 2). The
articles, therefore, provide only for the power to require
preservation of existing stored data, pending subsequent
disclosure of the data pursuant to other legal powers, in
relation to specific criminal investigations or proceedings.
153. The obligation to ensure
preservation of data is not intended to require Parties to
restrict the offering or use of services that do not routinely
collect and retain certain types of data, such as traffic or
subscriber data, as part of their legitimate business
practices. Neither does it require them to implement new
technical capabilities in order to do so, e.g. to preserve
ephemeral data, which may be present on the system for such a
brief period that it could not be reasonably preserved in
response to a request or an order.
154. Some States have laws that
require that certain types of data, such as personal data,
held by particular types of holders must not be retained and
must be deleted if there is no longer a business purpose for
the retention of the data. In the European Union, the general
principle is implemented by Directive 95/46/EC and, in the
particular context of the telecommunications sector, Directive
97/66/EC. These directives establish the obligation to delete
data as soon as its storage is no longer necessary. However,
member States may adopt legislation to provide for exemptions
when necessary for the purpose of the prevention,
investigation or prosecution of criminal offences. These
directives do not prevent member States of the European Union
from establishing powers and procedures under their domestic
law to preserve specified data for specific investigations.
155. Data preservation is for most
countries an entirely new legal power or procedure in domestic
law. It is an important new investigative tool in addressing
computer and computer-related crime, especially crimes
committed through the Internet. First, because of the
volatility of computer data, the data is easily subject to
manipulation or change. Thus, valuable evidence of a crime can
be easily lost through careless handling and storage
practices, intentional manipulation or deletion designed to
destroy evidence or routine deletion of data that is no longer
required to be retained. One method of preserving its
integrity is for competent authorities to search or similarly
access and seize or similarly secure the data. However, where
the custodian of the data is trustworthy, such as a reputable
business, the integrity of the data can be secured more
quickly by means of an order to preserve the data. For
legitimate businesses, a preservation order may also be less
disruptive to its normal activities and reputation than the
execution of a search and seizure of its premises. Second,
computer and computer-related crimes are committed to a great
extent as a result of the transmission of communications
through the computer system. These communications may contain
illegal content, such as child pornography, computer viruses
or other instructions that cause interference with data or the
proper functioning of the computer system, or evidence of the
commission of other crimes, such as drug trafficking or fraud.
Determining the source or destination of these past
communications can assist in identifying the identity of the
perpetrators. In order to trace these communications so as to
determine their source or destination, traffic data regarding
these past communications is required (see further explanation
on the importance of traffic data below under Article 17).
Third, where these communications contain illegal content or
evidence of criminal activity and copies of such
communications are retained by service providers, such as
e-mail, the preservation of these communications is important
in order to ensure that critical evidence is not lost.
Obtaining copies of these past communications (e.g., stored
e-mail that has been sent or received) can reveal evidence of
criminality.
156. The power of expedited
preservation of computer data is intended to address these
problems. Parties are therefore required to introduce a power
to order the preservation of specified computer data as a
provisional measure, whereby data will be preserved for a
period of time as long as necessary, up to a maximum of 90
days. A Party may provide for subsequent renewal of the order.
This does not mean that the data is disclosed to law
enforcement authorities at the time of preservation. For this
to happen, an additional measure of disclosure or a search has
to be ordered. With respect to disclosure to law enforcement
of preserved data, see paragraphs 152 and 160.
157. It is also important that
preservation measures exist at the national level in order to
enable Parties to assist one another at the international
level with expedited preservation of stored data located in
their territory. This will help to ensure that critical data
is not lost during often time-consuming traditional mutual
legal assistance procedures that enable the requested Party to
actually obtain the data and disclose it to the requesting
Party.
Expedited preservation of stored computer data (Article 16)
158. Article 16 aims at ensuring that
national competent authorities are able to order or similarly
obtain the expedited preservation of specified stored
computer data in connection with a specific criminal
investigation or proceeding.
159. ‘Preservation’ requires that
data, which already exists in a stored form, be protected from
anything that would cause its current quality or condition to
change or deteriorate. It requires that it be kept safe from
modification, deterioration or deletion. Preservation does not
necessarily mean that the data be ‘frozen’ (i.e. rendered
inaccessible) and that it, or copies thereof, cannot be used
by legitimate users. The person to whom the order is addressed
may, depending on the exact specifications of the order, still
access the data. The article does not specify how data should
be preserved. It is left to each Party to determine the
appropriate manner of preservation and whether, in some
appropriate cases, preservation of the data should also entail
its ‘freezing’.
160. The reference to ‘order or
similarly obtain’ is intended to allow the use of other legal
methods of achieving preservation than merely by means of a
judicial or administrative order or directive (e.g. from
police or prosecutor). In some States, preservation orders do
not exist in their procedural law, and data can only be
preserved and obtained through search and seizure or
production order. Flexibility is intended by the use of the
phrase ‘or otherwise obtain’ to permit these States to
implement this article by the use of these means. However, it
is recommended that States consider the establishment of
powers and procedures to actually order the recipient of the
order to preserve the data, as quick action by this person can
result in the more expeditious implementation of the
preservation measures in particular cases.
161. The power to order or similarly
obtain the expeditious preservation of specified computer data
applies to any type of stored computer data. This can include
any type of data that is specified in the order to be
preserved. It can include, for example, business, health,
personal or other records. The measures are to be established
by Parties for use "in particular where there are grounds to
believe that the computer data is particularly vulnerable to
loss or modification." This can include situations where the
data is subject to a short period of retention, such as where
there is a business policy to delete the data after a certain
period of time or the data is ordinarily deleted when the
storage medium is used to record other data. It can also refer
to the nature of the custodian of the data or the insecure
manner in which the data is stored. However, if the custodian
were untrustworthy, it would be more secure to effect
preservation by means of search and seizure, rather than by
means of an order that could be disobeyed. A specific