
The No Man's Land

Amrita Goel


The world isn't run by weapons, money or energy anymore. Ones and zeros, little bits of data, run it. There's a war out there, a world war. It's not about who has the most bullets, it's about who controls information: what we see and hear, how we work, what we think. It's all about the information.

I. Introduction:

The advent of the computer has been a boon to students, lawyers, businessmen, doctors, teachers, etc., who have propelled their quest for knowledge to uncharted levels on the back of the information technology wave. However, the computer has also mutated into a potent weapon for criminals to hatch increasingly sinister plots. Unauthorized access and damage to property, theft and the distribution of obscene and indecent material are all familiar crimes, and they have assumed new dimensions with the emergence of the Internet. The Internet has become a preferred way of life for millions of people around the world and has also been transformed into a haven for criminals. In fact, the growth of Internet-related crime is directly proportional to the growth of the Internet itself, and so is the variety of crimes being committed or attempted. The following selection of statistics reflects the aforementioned threat:

The total number of complaints pertaining to cyber crimes filed in 1993 was 640 (1.7 per day). It went up to 971 (2.6 per day) in 1994, to 1,494 in 1995, to 4,322 in 1996, to 12,775 in 1997, to 47,000 in 1998, to almost 100,000 in 1999 and to almost 280,000 in 2000. It is projected that by the year 2001 almost 775 complaints will be filed per day. The crime rate on the Internet is increasing at 4.2% every week.

In this article the author seeks to mirror the looming threat posed by cyber criminals and the paucity of adequate consensus on questions relating to jurisdiction in their prosecution.

II. What is Cyber Crime?

The founding fathers of the Internet would never have envisaged the menacing crimes that are being carried out in cyberspace. Cyber crime refers to all activities done with criminal intent in cyberspace. These could be either criminal activities in the conventional sense or activities newly evolved with the growth of the new medium. The anonymous nature of the Internet has made it possible to engage in a variety of criminal activities with impunity, and people with intelligence have been grossly misusing this aspect of the Internet to perpetrate criminal activities in cyberspace.

At the outset, cyber crimes may be classified under three general heads. However, multiple crimes, concurrent criminality or lesser offences can occur during any given criminal transaction, resulting in an overlap between the classifications, which, nevertheless, are as follows:

1. Computer as the target.
2. Computer incidental to other crimes.
3. Crimes associated with the prevalence of computers.

III. Cyber Crimes and Questions of Jurisdiction.

Cyber space is increasingly transforming into a veritable no man's land. Questions relating to the prosecution of cyber criminals and to jurisdiction assume paramount significance in the trial of cyber criminals. Universal jurisdiction justifies the exercise of jurisdiction by any state over certain crimes agreed by the community of nations to be universal, such as crimes against humanity. The customary bases of jurisdiction can be expanded or contracted by treaty. This rule is applicable to solve jurisdiction issues when a particular act committed in one country is also regarded as a crime in the country affected by that act. To be prosecuted across a border, an act must be a crime in each jurisdiction. What happens when an act that is not defined as a crime in one jurisdiction causes damage in other jurisdictions where the act is a crime, or vice versa?

There is obviously no controversy if the act is legal under the law of both the sending and the receiving jurisdiction. But if the act is legal in one country and illegal in the other then the problem of jurisdiction arises.

For example, in New Zealand there are at present no general computer crime offences. However, the country is currently drafting a Crimes Amendment Bill (No. 6). Suppose that, while the bill is still in the process of becoming law, a citizen of New Zealand creates a virus or hacks into the computer of an American citizen: New Zealand will not have any means of taking action against him, irrespective of whether it has knowledge of his acts or not.

There are various instances where this issue has arisen, such as when Dmitry Sklyarov, a Russian software programmer who provided software used to crack e-books, was jailed after he entered the United States. His action is not a crime in his homeland but violated US copyright laws, and therefore he could not be penalized in his hometown.

The potential of this issue of jurisdiction was not realized by countries across the globe; its full impact, and the need for consolidated action, was felt only when Onel de Guzman released the I Love You virus into the no man's land.

IV. The "ILOVEYOU" Virus

Onel de Guzman failed to graduate after Amable Mendoza Aguiluz (AMA) Computer College professors rejected his computer thesis, a program essentially designed to steal Internet passwords. Aggrieved by this, he launched his program himself and released the ILOVEYOU virus.

1. The virus cloaked itself with an e-mail message entitled "ILOVEYOU" and spread rapidly worldwide once opened, causing billions of dollars in damage and halting corporate networks worldwide.

2. The virus operated in a series of stages within each victim's computer.

First, the virus searched the hard drive of the personal computer (PC) for MP3 music files and pictures carrying the ".jpg" suffix. Once found, the virus destroyed each file and replaced it with a copy of itself.

Second, the virus redirected Microsoft Internet Explorer surfers to a predetermined website where a separate program scanned the victim's PC for passwords and log-in names.

Finally, the virus sent a copy of itself to every name in the user's address book if the computer ran Microsoft's Outlook program, overloading computer systems worldwide.

De Guzman became a primary suspect after AMA professors noticed remarkable similarities between his proposal and the "ILOVEYOU" virus. Internet Service Providers (ISPs) traced the virus to a telephone line in his apartment. The Philippine National Bureau of Investigation filed charges against de Guzman under the Access Device Act, which covers the illegal use of passwords, specifically in credit card and bank transactions. The Philippine Department of Justice, however, dropped all charges on August 21, 2000, because crimes such as credit card fraud did not apply to computer hacking and the country had no cyber-crime law with which to hold him accountable.

Six weeks after the Love Bug attack, the Philippines outlawed most computer crimes as part of a comprehensive e-commerce statute. However, these laws could not be applied retrospectively, and hence de Guzman could not be prosecuted in spite of billions of dollars' worth of damage resulting directly from the "ILOVEYOU" virus. The Philippines' inability to prosecute de Guzman led international bodies around the world to take up the issue of jurisdiction in cyber space and to understand its seriousness.

Professor McConnell was the first person to undertake an international survey to determine the state of cyber security laws around the world. Countries were asked to provide the laws that would be used to prosecute criminal acts involving both private and public sector computers, and over fifty national governments responded. The report showed that around thirty-three of these countries had not updated their laws to address any type of cyber crime. Of the remaining countries, only nine had enacted legislation to address five or fewer types of cyber crime, and ten had updated their laws to prosecute six or more of the ten types of cyber crime.

Thereafter, international as well as regional organizations such as the European Union (EU), the "Group of Eight" (G-8), the Organization for Economic Cooperation and Development (OECD) and the Council of Europe (COE) came together to arrive at a consensus on issues relating to cyber crimes and on the means and methods of tackling them, keeping in mind at all times the uniformity of laws that would enable them to combat the issue of jurisdiction at the time of enforcement.

V. The Cyber Crime Convention.

These organizations, however, failed to achieve the desired results, and a separate COE Committee of Experts on Crime in Cyber-space (PC-CY Committee) was formed in 1997 by the Council of Europe (COE), comprising 41 countries, to draft a legally binding instrument to be known as the Cybercrime Convention (the Treaty), defining cyber-crime offenses and addressing issues of jurisdiction, international cooperation, search and seizure, data protection, and ISP liability. The Treaty's goals include harmonizing laws against hacking, fraud, computer viruses, and destroying data or hardware. The Treaty seeks to cover other Internet crimes, including child pornography, and facilitates common criminal prosecution methods. In addition to criminal sanctions, the Treaty also provides for civil sanctions, including monetary penalties for corporate liability. Finally, it promotes cooperation among law enforcement officials across national borders. The Cybercrime Convention is an international treaty designed to police cyber crime through international cooperation. Both COE Member States and non-member States are invited to participate in the Treaty once it is finalized.

V(a). Purpose of the Convention:

The primary purpose of the Convention is to harmonize domestic substantive criminal law offenses and investigative procedures. The Convention drafters' principal concerns were two-fold. First, they wanted to ensure crime definitions were flexible enough to adapt to new crimes and methods of committing existing crimes as they evolve. Second, the drafters wanted the Convention to remain sensitive to the legal regimes of domestic states.

Unlike the treaties entered into by the other regional organizations, which protect only their member countries, the Cybercrime Convention is open to non-member countries as well once it is formalized, creating a multinational cyber law. Its success will be achieved only if a majority of the countries in the world ratify this convention, bringing uniformity to their laws relating to cyber crimes. If the Treaty had been applied in the Philippines at the time the "ILOVEYOU" virus was unleashed, the love story would have ended quite differently.

V(b). Loopholes in the Convention:

The Convention presents a good starting point for addressing international cyber crime issues but, in reality, is merely aspirational.

1. The Convention requires additional substantive guidance because it requires parties to prohibit the crimes contained therein, but does not explain how to do so.

2. The Convention does not lay down the essential ingredients which constitute a particular crime. It leaves it open for the countries to determine them. For example, the U.S. may want to prosecute a citizen from France for the crime of illegal access. France's criminal cyber statute may not include access to a computer system connected to another computer system within the definition of illegal access. Thus, the U.S. may not be able to prosecute a French citizen who accessed a computer connected to another computer. In contrast, if the U.S. and France were both signatories to a Convention codifying the elements of the crime, the U.S. could prosecute a French citizen because both countries would recognize the requisite criminal elements.

3. The Convention's key definitions are too broad, which leaves great scope for interpretation and a clear route of escape for criminals. It is essential for the crimes to be clearly defined for effective application to substantive law.

VI. Conclusion:

Though courts and lawmakers have constantly echoed that there is a global revolution looming on the horizon, the development of the law in dealing with cross-border jurisdiction is still in its infancy. The infant law must be further nurtured and developed to become a full-fledged set of cyber laws that lucidly defines a country's jurisdiction whenever a cyber crime is committed.

International consensus is necessary because problems such as safe havens, sovereignty, and inadequate bilateral treaties of extradition arise when one country criminalizes conduct and another country does not. As evidenced by the "ILOVEYOU" computer virus incident, inadequate laws may allow criminals to go unpunished in one country, while simultaneously impeding the efforts of other countries to vindicate their state's rights and protect their citizens.

Therefore, within the law enforcement agencies, a set of rules must be developed to address the various categories of computer crime. These rules should lay down exhaustive and universally acceptable definitions of the various crimes, keeping in mind the rapid speed at which technology is advancing today and the rate at which cyber crimes are multiplying. They should also devise a scheme for national governments to examine their current statutes to determine whether they are sufficient to combat the kinds of crimes which are taking control of the world at an enormous speed. Lastly, where gaps exist, governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes. One of the most promising solutions to address cyber crime is creating model legislation, defining the most obvious forms of criminal and tort behavior and setting forth the appropriate punishment, because what may constitute a crime in India may not necessarily constitute a crime in the USA.

Due to technical difficulties the endnotes for this article have not been published; however, the same can be obtained by contacting the author at amritagoel@gmail.com



