The Budapest Cybercrime Convention and its impacts
On September 1, 2015, the Council of Europe Convention on Cybercrime (ETS 185 of 2001), often referred to as the “Budapest Cybercrime Convention”, or “Cybercrime Convention” in short, entered into force in Sri Lanka. This is a historic achievement, because Sri Lanka becomes the first country in South Asia (and only the second Asian country, after Japan) to become a state party to this Convention. Philippines and Singapore are yet to complete the accession procedure, although they attend the Convention Committee as observer and ad-hoc observers, respectively.
The Budapest Cybercrime Convention is the only available global treaty which addresses Internet and computer crime, harmonises national laws, adopts improved investigative techniques based on international standards and enhances criminal justice cooperation among nation states to effectively combat the threat from cybercrime. To understand its significance and impact, it is worth considering two recent cases (one from Sri Lanka and the other from UK).
Sri Lanka
In a sextortion case reported last week to the Sri Lanka Police “High Tech Crime Unit”, a suspect used a fake facebook account to add many women as “friends”. The suspect then altered the “friends” photos and sought to extort money from these victims, threatening to post the photos of victims on the fake account if monies were not paid. Investigators eventually managed to uncover the genuine facebook account of the suspect and arrested him when he came to a hotel to collect a ransom. The case is now pending formal prosecution.
A recent data breach case, reported in the UK, saw personal and banking details of up to four million customers of the UK based phone/broadband services provider “Talk Talk” being accessed unlawfully by hackers. In some cases, alleged hackers had directly contacted customers, who eventually reported a loss of money. This prompted policy makers to call for stronger cybercrime measures stating that cybercrime is the “biggest threat to UK’s economy”. Many countries have estimated that the global economic loss from cybercrime has reached a staggering US$ 70 billion per year.
In both of the above-mentioned cases, investigators require information pertaining to Internet Protocol addresses (IP addresses), details of networks and communication systems in other countries. Such information and access to data would enhance the ability of such investigators to identify perpetrators of cybercrime and ensure safer internet environment for bona fide users. Cybercrime offences are transnational and multi-jurisdictional in nature. Therefore, the effective fight against cybercrime requires any country to obtain evidence stored on computer systems and networks in other countries.
In this context, the Budapest Cybercrime Convention is the only International Treaty that facilitates international cooperation and gives countries the ability to obtain electronic evidence stored on computer systems and networks in another country. The Convention greatly enhances the gathering of electronic evidence, as well as the investigation of cyber laundering and other serious crimes. Accession to this Convention significantly enhances the ability of Sri Lanka to carry out successful investigations of cybercrime offences, by gathering electronic evidence from state parties to the Convention. It will also help in law enforcement and judicial cooperation at international level, while ensuring adherence to human rights safeguards in the investigation process, a hallmark of this convention, made applicable amongst all parties to this Treaty.
Sri Lanka’s accession to this Convention was the fastest in the Council of Europe. This was possible due to the provisions contained in the Computer Crimes Act No. 24 of 2007 and several policies adopted in recent times, aligned with the Convention. Prior to Sri Lanka’s accession, there was an assessment of our country’s cybercrime legislative framework. The assessments carried out by the Council of Europe focused on the manner in which Computer Crimes offences were investigated (especially under the Computer Crimes Act and applicable procedural law). One key assessment was the adequacy of safeguards to match the Council of Europe standards. Sri Lanka was found to have safeguards consistent with the Convention standards and the “unanimous approval” of all state parties was obtained before Sri Lanka could be invited to Accede to the Convention.
Warrantless wiretapping
The Budapest Cybercrime Convention is a Criminal Justice Convention and therefore is a criminal justice response to cybercrime offences. The Convention does not deal with Internal Security and Intelligence matters, which in most countries (including Sri Lanka) are dealt with under other laws. Internal Security and Intelligence laws deal with prevention, etc whereas cybercrime laws deal with investigations after an offence is committed and a complaint is formally lodged.
Some concerns have been raised whether “warrantless wiretapping” would be legitimised or enhanced. However, a close review of the Computer Crimes Act of Sri Lanka shows that it is the exception rather than the rule. Under the provisions of the Computer Crimes Act, a Magistrate’s Court order is a “sine quo non” for such interceptions, thus, meeting the standards prescribed by the Budapest Cybercrime Convention.Finally, an advantage of Sri Lanka joining this Convention is that it would be under regular review, both in terms of compliance with the Convention and use of its provisions, through the work of the Cybercrime Convention Committee.
Accession to the Convention has created a paradigm shift in the manner in which investigation of Cybercrime offences are carried out and also set the stage for Data Protection and Privacy legislation, drawing on European best practices thus, enabling Sri Lanka to meet the “adequacy standards” for smooth cross border flow of data. (The writer is an Attorney with a specialised LLM degree in IT and Telecommunications Law from the University of London. He spearheaded ICT legal reforms, including Sri Lanka’s recent accession to the Budapest Cybercrime Convention and the UN Electronic Communications Convention. He is Programme Director/ Legal Advisor at the ICTA and can be contacted via jfdo@icta.lk).