Cybercrime clash as too many bodies tackle the problem

The United Nations (UN), the Organisation for Economic Co-operation and Development, the Council of Europe (CoE) and the European...

The United Nations (UN), the Organisation for Economic Co-operation and Development, the Council of Europe (CoE) and the European Commission have all been tackling the subject of cybercrime recently. However, there are signs that, with so many bodies involved, they are stepping on each others' toes.

Keith Nuthall

The UN Commission on International Trade Law is finalising a convention on digital signatures and the European Commission has issued a green paper on Internet offences. But the EC's move has been attacked by the UK employers body the CBI for potentially clashing with a proposed Convention on Cybercrime, from the Council of Europe (CoE).

The CoE is entirely independent of the EU, having contrasting aims and membership. Whereas the EU's focus has been mostly economic - the creation of a single market - the CoE is a political body, concerned with matters such as human rights and foreign affairs. Importantly for cybercrime, its membership goes beyond the EU and also includes former communist countries in eastern Europe, including Russia.

The CoE's Convention on Cybercrime calls on all council members to outlaw a number of illicit Internet activities - many of which are still legal in countries where the statute book has failed to keep pace with technical progress in IT.

Data interference, hacking, unauthorised eavesdropping, system interference, misuse of devices, computer-related forgery and fraud, posting child pornography and digital copyright infringement would all be illegal under the convention. It also provides for corporate liability and the prosecution of those found to be aiding and abetting cyber criminals.

The importance of international co-operation on cybercrime law was emphasised last year when a hacker, suspected to be operating in Russia, gained entry to Microsoft's internal systems and viewed future product source code.

Jake Saunders, European director of IT analyst firm Strategis, cited the fact that the perpetrators of the Love Bug virus have been able to escape serious punishment because of the failure of the Philippines to ban Internet offences, as an example of how similar conventions are needed worldwide.

"If there is no legal instrument set up in the first place, police can raid a home or business and shut it down or arrest these people, but then they do not have any process to punish them and encourage other people not to do the same thing," he said.

Despite the fact that the CoE's convention is likely to be officially sanctioned this summer, it could be overtaken by the EC initiative, which also proposes the harmonisation of national laws on cybercrime. This would be possible because Brussels has the power to force EU member states to comply with its regulations, while the CoE does not.

Describing the CoE green paper as "premature" the CBI said Brussels should not consider legislation when the CoE is already drafting wider international laws on the same area. Nigel Hickson, the CBI's head of e-business, said, "There is no point in coming up with proposals that are already being looked at by other bodies or that exist in other countries."

However, the EC claimed that it is building on the work carried out by the CoE, rather than conflicting with it. In its paper, the EC said, "EU approximation could go further than the CoE convention, which will represent a minimum of international approximation. It could be operational within a shorter period of time than the entry into force of the CoE convention. It would bring computer crime within the realms of EU law and introduce EU enforcement mechanisms."

Whatever its merits, the fact remains that the EC initiative will not affect former communist countries until they join the EU, and for companies which have suffered hack-and-grab raids of sensitive data by Russian cyber criminals, it is eastern, not western, Europe that matters.

Nonetheless, the framing of the convention will be far from the final solution. Saunders pointed out that laws have to be policed, and the convention does not have a budget.

"There is a need for pan-European and international crime bodies to assist eastern European countries to get the right processes set up and give them the training skills for their own personnel. And then they need the budget to maintain these people," he said.

Jack Wraith, chief executive of the Telecommunications UK Fraud Forum, agreed, "Primarily my organisation would support any move to address cybercrime on a cross-border basis. We do not underestimate the problems in doing that, however. From our experience of getting cross-border co-operation going, there are clearly immense problems," he said.

Read more on IT legislation and regulation