April 2000's Press release :"Crime in Cyberspace - First Draft of International Convention Released for Public Discussion"

Commentaries are welcome on : daj@coe.int

Strasbourg, 25 April 2000

  Prepared by the Secretariat
Directorate General I (Legal Affairs)

The member States of the Council of Europe and the other States signatory hereto,

Considering that the aim of the Council of Europe is to achieve a greater unity between its members;

Recognising the value of fostering co-operation with the other States signatories to this Convention;

Convinced of the need to pursue, as a matter of priority, a common criminal policy aimed at the protection of society against cyber-crime, inter alia by adopting appropriate legislation and fostering international co-operation;

Conscious of the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks;

Concerned at the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks;

Believing that an effective fight against cyber-crime requires increased, rapid and well-functioning international co-operation in criminal matters;

Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international co-operation, while ensuring a proper balance between the interests of law enforcement and respect for fundamental human rights.

Welcoming recent developments which further advance international understanding and co-operation in combating cyber-crimes, including actions of the United Nations, the OECD, the European Union and the G8;

Recalling Recommendation N° R (89) 9 on computer-related crime providing guidelines for national legislatures concerning the definition of certain computer crimes and Recommendation N° R (95) 13 concerning problems of criminal procedural law connected with Information Technology, calling for, inter alia, the negotiation of an international agreement to regulate trans-border search and seizure;

Having regard to Resolution No. 1 adopted by the European Ministers of Justice at their 21st Conference (Prague, June 1997), which recommended the Committee of Ministers to support the work carried out by the European Committee on Crime Problems (CDPC) on cyber-crime in order to bring domestic criminal law provisions closer to each other and enable the use of effective means of investigation concerning such offences;

Having also regard to the Action Plan adopted by the Heads of State and Government of the Council of Europe, on the occasion of their Second Summit (Strasbourg, 10 - 11 October 1997), to seek common responses to the development of the new information technologies, based on the standards and values of the Council of Europe;

Have agreed as follows:

Article 1 - Definitions (1)

For the purposes of this Convention:

1. "computer system" means any device or a group of inter-connected devices, which pursuant to a program performs automatic processing of data [or any other function] (2);
2. "computer data" means:

   - any representation of facts, information or concepts in a form suitable for processing in a computer system, or

   - set of instructions suitable to cause a computer system to perform a function (3);

3. "service provider" means any public or private entity that provides to users of its services the ability to send or receive electronic communications;
4. "traffic data" means:

1. a code indicating a network, equipment or individual number or account, or similar identifying designator, transmitted to or from any designated point in the chain of communication;
2. the time, date, size, and duration of a communication;
3. as to any mode of transmission (including but not limited to mobile transmissions), any information indicating the physical location to or from which a communication is transmitted;

1. "subscriber data"(4) means:

Article 2 - Illegal Access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally (6) the access to the whole or any part of a computer system without right. A Party may require that the offence be committed either by infringing security measures or with the intent of obtaining computer data or other dishonest intent.

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the interception without right, made by technical means, of non-public (7) transmissions of computer data to, from or within a computer system, as well as electromagnetic emissions from a computer system carrying such computer data.

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the damaging, deletion, deterioration, alteration (8)or suppression (9) of computer data without right (10).

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the serious hindering without right of the functioning of a computer system by inputting, [transmitting,] damaging, deleting, deteriorating, altering or suppressing computer data.

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right:

1. the production, sale, procurement for use, import, distribution or otherwise making available of:

1. a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Article 2 – 5;
2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed

1. the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing the offenses established in Articles 2 – 5. A party may require by law that a number of such items be possessed before criminal liability attaches.

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic (11), regardless whether or not the data is directly readable and intelligible. A Party may require by law an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing, without right, of a loss of property to another by:

1. any input, alteration, deletion or suppression of computer data,
2. any interference with the functioning of a computer [program] or system,

with the intent of procuring, without right, an economic benefit for himself or for another.

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed without right (12) and intentionally the following conduct:

1. offering (13), distributing, transmitting or [otherwise] making available child pornography through a computer system;
2. producing child pornography for the purpose of its distribution through a computer system (14);
3. possessing child pornography in a computer system or on a data carrier (15);

2. For the purpose of paragraph 1 above "child pornography" shall include pornographic material (16) that visually depicts:

1. a minor engaged in a sexually explicit conduct (17);
2. a person appearing to be a minor engaged in a sexually explicit conduct;
3. realistic images representing a minor engaged in a sexually explicit conduct.

3. For the purpose of paragraph 2 above, the term "minor" is to be defined by each Party, but shall include in any case all persons under [14] (18) years of age.

1. Each Party shall adopt such necessary legislative and other measures as may be necessary to establish as criminal offences under its domestic law the reproduction and distribution, by means of a computer system, of works protected by copyright, as defined under the law of that Party, [in conformity with the Bern Convention for the Protection of Literary and Artistic Works, the TRIPS Agreement and the WIPO Copyright Treaty], where such acts are committed intentionally on a commercial scale, without right.
2. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the reproduction, distribution or similar acts, by means of a computer system, of works, items or equivalent creations protected by neighbouring rights, as defined under the law of that Party [in conformity with the WIPO Performances and Phonograms Treaty], where such acts are committed intentionally on a commercial scale, without right.

Article 11 - Attempt and aiding and abetting

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally:

1. attempt to commit any of the offences established in accordance with Articles […];(19)
2. aiding or abetting (20) the commission of any of the offences established in accordance with Articles 2 – 10 above.

• a power of representation of the legal person; or
• an authority to take decisions on behalf of the legal person; or
• an authority to exercise control within the legal person;
• as well as for involvement of such a natural person as aidor or abettor, under Article 11, in the above-mentioned offences.

1. Each Party shall take the necessary measures to ensure that the criminal offences established in accordance with Articles 2 – 11 are punishable by effective, proportionate and dissuasive sanctions and measures. In particular, each Party shall ensure that the offences established in accordance with Articles […](21) and those referred to in Article 21, paragraph 1, when committed by natural persons, are punishable by penalties involving deprivation of liberty which can give rise to extradition.
2. Each Party shall ensure that legal persons held liable in accordance with Article 12 shall be subject to effective, proportionate and dissuasive criminal or non-criminal sanctions, including monetary sanctions.

1. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access:

1. a computer system or part of it and computer data stored therein; or
2. a medium in which computer data may be stored

2. Each Party shall take such legislative and other measures as may be necessary to ensure that where its authorities search or similarly access a specific computer system or part of it, using the measures referred to in paragraph 1 (a), and have grounds to believe that the data sought is stored in another computer system or part of it in its territory or other place over which it exercises its sovereign powers, and such data is lawfully accessible from or available to the initial system, such authorities shall be able to expeditiously extend the search or similar accessing to the other system.
3. [If the computer system or a part thereof or computer data accessed according to paragraphs 1 or 2 are found out to be inadvertently accessed in the jurisdiction of another Party, the competent authorities of the Party conducting the investigation shall act as provided for in article [..] ] (23)
4. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2 in view of their possible use in criminal investigations and proceedings. These measures shall include the power to :

1. seize or similarly secure a computer system or part of it or a medium in which computer data may be stored;
2. make and retain a copy of those computer data;
3. maintain the integrity of the relevant stored computer data;
4. render inaccessible or remove those computer data in the accessed computer system.

5. Each Party shall take such legislative and other measures as may be necessary to empower its competent authorities to order for the purposes of criminal investigations and proceedings any person who has knowledge about the functioning of the computer system or measures applied to secure the computer data therein to provide all necessary information, as is reasonable, to enable the undertaking of the measures referred to in paragraphs 1 and 4.
6. Where measures referred to in paragraphs 1 and 2 have been taken in respect of a computer system or part of it, or computer data stored therein, the person in charge of (24) the computer system shall as soon as reasonably practicable be duly informed about the executed measures.
7. The powers and procedures referred to in the present Article shall be subject to conditions and safeguards as provided for under national law.

1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or otherwise obtain, for the purpose of criminal investigations or proceedings, the expeditious preservation of data that is stored by means of a computer system, at least where there are grounds to believe that the data is subject to a short period of retention or is otherwise particularly vulnerable to loss or modification.
2. Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that data for a period of time as may be ordered pursuant to national law.
3. Each Party shall adopt such legislative or other measures as may be necessary to oblige a person to whom the procedures of preservation referred to in this Article are directed, to keep confidential the undertaking of such procedures for a period of time as permitted by national law.
4. The powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.

1. Each Party shall, with respect to undertaking the procedures referred to under article 16 in respect of the preservation of traffic data concerning a specific communication, adopt such legislative or other measures as may be necessary to:

1. ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication; and
2. ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted.

2. The powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.

1. [in whole or in part] in its territory or on a ship, an aircraft, or a satellite(26) flying its flag or registered in that Party;
2. by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

1. The criminal offences established in accordance with Articles 3 - 5 and 7 - 11 of this Convention shall be deemed to be included as extraditable offences in any extradition treaty existing between or among the Parties. The Parties undertake to include such offences as extraditable offences in any extradition treaty to be concluded between or among them. With respect to the criminal offence established by Article 2, the following criteria may be required for qualifying that offence as extraditable:

• [the access without right must be made with the intent to breach the confidentiality of data or impair the integrity or availability of data or a computer system, or]
• [the access without right must impair the integrity or availability of data or a computer system.]

1. The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations and proceedings concerning criminal offences related to computer systems and data, or for the collection of electronic evidence of a criminal offence.
2. Each Party shall also adopt such legislative or other measures as may be necessary to carry out the obligations set forth in Articles 24 - 29.
3. For the purpose of providing cooperation under articles 24 - 29, each Party shall, in urgent circumstances, accept and respond to mutual assistance requests by expedited means of communications, including [voice], fax or e-mail, to the extent that such means provide appropriate levels of security and authentication, with formal confirmation to follow where required by the requested State.
4. Except as otherwise specifically provided in Articles articles 24 - 29, mutual assistance shall be subject to the conditions provided for by the law of the requested Party or by applicable mutual assistance treaties, including the grounds on which the requested Party may refuse cooperation.(28)
5. Where, in accordance with the provisions of this chapter, the requested Party is permitted to make mutual assistance conditional upon the existence of dual criminality, that condition shall be deemed fulfilled, irrespective of whether its laws place the offence within the same category of offence or denominates the offense by the same terminology as the requesting Party, if the conduct underlying the offense for which assistance is sought is a criminal offense under its laws.

1. A Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, which is located within the territory of that other Party [or other places over which it exercises its sovereign powers] and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.
2. A request for preservation made under paragraph 1 shall specify:

1. the authority that is seeking the preservation;
2. the offence under investigation and a brief summary of related facts;
3. the stored data to be preserved and its relationship to the offence;
4. the necessity of the preservation;
5. that the Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.

3. Upon receiving the request from another Party, the requested Party shall take all appropriate measures to preserve expeditiously the specified data in accordance with its domestic law . For the purposes of responding to a request, dual criminality shall not be required (30) as a condition to providing such preservation, but may be required as a condition for the disclosure of the data to the requesting Party.
4. A request for preservation as described in paragraph 2 may only be refused if the requested Party believes that compliance with the request would prejudice its sovereignty, security, ordre public or other essential interests.
5. Where the requested Party believes that preservation will not ensure the future availability of the data or will threaten the confidentiality of, or otherwise prejudice the requesting Party’s investigation, it shall promptly so inform the requesting Party, which shall then determine whether the request should nevertheless be executed.
6. Any preservation effected in response to the request referred to in paragraph 1 shall be for a period not less than 40 days in order to enable the requesting Party to submit a request for the search or similar access, seizure or similar securing, or disclosure of the data. Following the receipt of such request, the data shall continue to be preserved pending a decision on that request.

1. Where, in the course of the execution of a request made under Article 24 to preserve traffic data concerning a specific communication, the requested Party discovers that a service provider in a third State was involved in the transmission of the communication, the requested Party shall expeditiously disclose to the requesting Party a sufficient amount of traffic data in order to identify that service provider and the path through which the communication was transmitted.
2. Disclosure of traffic data under paragraph 1 may only be withheld if the requested Party believes that compliance with the request would prejudice its sovereignty, security, ordre public or other essential interests.

[Notwithstanding anything in this Chapter, a Party may, when acting in accordance with its domestic law [and without obtaining the authorisation of another State or providing notice to another State]:

a) access publicly available [open source] data, regardless of where the data is geographically located;

b) access or receive stored data located in another State, if the Party [has been in contact with a person located within its territory and] acts in accordance with the lawful and voluntary consent of a person who has the lawful authority to permit the Party access to, or to disclose to the Party, that data.] (31)

1. Each Party shall designate a point of contact available on a 24 hour, 7 day per week basis in order to ensure the provision of immediate assistance for the purpose of the investigation of criminal offenses related to the use of computer systems and data, or for the collection of electronic evidence of any criminal offense. Such assistance shall include facilitating, or, if permitted by its domestic law and practice, directly carrying out:
   1. providing technical advice;
   2. preservation of data pursuant to Articles 24 and 25; and
   3. the collection of evidence, giving of legal information, and locating of suspects.

   2. (a) A Party’s point of contact shall have the capacity to carry out communications with the point of contact of another Party on an expedited basis.

   (b) If the point of contact designated by a Party is not part of that Party’s authority or authorities responsible for international mutual assistance or extradition, the point of contact shall ensure that it is able to coordinate with such authority or authorities on an expedited basis.

   3. Each Party shall ensure that trained and equipped personnel are available in order to facilitate the operation of the network.

   Chapter IV – Follow-up

   Chapter V – Final Provisions

     

   Footnotes :

   (1) The Drafting Group agreed at its 10^th meeting (February 2000) that most definitions under Article 1 should be placed either in relevant parts of the Convention or in the Explanatory report and accordingly deleted from this Article definitions 1/e to 1/n. The remaining definitions (1/a – 1/e) need to revised by the DG.

   (2) The explanatory report should specify that "computer system" refers to the function of data processing and therefore may include any system that is based on such a function, e.g. telecom systems, and that the "inter-connection" referred to in the definition encompasses radio and logical connections. The Chairman noted that in the jurisdiction provision(s), the PC-CY will have to determine to what extent States will be able to claim jurisdiction over acts occurring in the whole or part of such a "computer system".

   (3) The concept of computer data includes computer programs. The Drafting Group agreed that the Explanatory Report should specify, either under Article 1 or another provision, that a "program" is understood as "data suitable for further processing".

   (4) The explanatory report should clarify that subscriber data does not include traffic data nor the content of any communication.

   (5) The explanatory report should clearly exclude electronic surveillance, this being a separate legal issue.

   (6) In the understanding of certain members of the Drafting Group, "intent" may also cover "dolus eventualis". For common law countries, this notion would be similar to "recklessness", i.e. that a person is aware of the high risk that a certain result may occur and knowingly accepts it. The Drafting Group agreed that the interpretation of "intent" should be left to national laws, but it should not, where possible, exclude "dolus eventualis".

   (7) The Drafting Group agreed, at its 9^th meeting (January 2000) on the principle that the terms "non-public" relate to the transmission (communication) process and not necessarily to the data transmitted. It agreed to keep the term in the text temporarily and to try to find some alternative language.

   (8) The Drafting Group agreed at its 8^th meeting (November 1999) that the Explanatory Report should specify that ‘Alteration’ also includes tempering with traffic data (spoofing).

   (9) "Suppression of data" has two commonly agreed meanings for the Drafting Group: 1) delete data so that it does not physically exist any longer; 2) "render inaccessible", i.e. prevent someone from gaining access to it while maintaining it. As the latter, second meaning covers "rendering inaccessible", which appeared separately in previous versions of this Article, this element was deleted on the understanding that an explanation will be included on this in the Explanatory Report.

   (10) One delegation noted that it would need some extra-qualifyer (serious damage or harm) to make this offence extraditable.

   (11) The Explanatory Report shall specify that the term "authentic" refers to the issuer of the data, regardless whether the content of the data is true or not.

   (12) The Explanatory Report should clarify that the terms "without right" include legal defenses, excuses or similar relevant principles that relieve a person of responsibility under specific circumstances. For example, with respect to paragraph (2)b, a State may provide that a person is relieved of criminal responsibility if the accused proves that the person depicted is not a minor.

   (13) The Drafting Group agreed at its 8^th meeting (November 1999) that the Explanatory Report should specify that ‘offering’ also includes giving information about hyperlinks to child-pornography sites.

   (14) The Explanatory Report should clarify that this provision by no means is intended to restrict the criminalisation of the distribution, etc, of child pornography to cases making use of a computer system, but the Convention establishes this only as a minimum standard and States are free to go beyond it.

   (15) Some delegations wished to further consider their position on this paragraph and hold further consultations with domestic authorities. However, a number of delegations viewed it as a provision necessary to prevent the sexual abuse of children when such material is created.

   (16) The Explanatory Report should clarify that that the term "pornographic material" is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt.

   (17) The Explanatory Report should specify that a "sexually explicit conduct" covers at least actual or simulated: a) sexual intercourse, including genital-genital, oral-genital, anal-genital or oral-anal, between minors, or between an adult and a minor, of the same or opposite sex; b) bestiality; c) masturbation; d) sadistic or masochistic abuse; or e) lascivious exhibition of the genitals or the pubic area of a minor.

   (18) Several alternatives were discussed at the 7^th Plenary (March 2000), i.e. 14, 16 or 18 years.

   (19) The Plenary agreed that once the list of criminal offences will be finalised in the draft convention, it will return to this provision on "attempt" to determine to which offences it will apply. Delegations have already expressed concern about applying a provision on "attempt" to illegal access under article 2(1) and copyright and related offences under article 4 (since attempt is not covered by the TRIPS agreement).

   (20) The Plenary agreed to that Explanatory Report should clarify the double-intent requirement for establishing as criminal offences aiding and abetting, i.e. that the intent has to cover both aiding and abetting and the underlying offence. The Explanatory Report will specify that "aiding and abetting" is to be interpreted in a large sense, also covering, notably, instigators and accessories.

   (21) Further consideration will have to given to the offences to be included under this provision once the list of criminal offences is finalised. At present, many States do not consider illegal access to be an extraditable offence, nor will attempt always be an extraditable offence.

   (22) At its 7^th meeting (March 2000), the Plenary requested the Drafting Group to find some alternative language to describe the concept of "territory".

   (23) The Drafting Group did not discuss this provision at its 10^th meeting (February 2000) as it is closely related to the provision on trans-border search.

   (24) The Drafting Group agreed at its 10^th meeting (February 2000) to use this term and clarify in the Explanatory Report that it referred to persons having an actual (physical) control over the computer (system). This would normally include the owner of the premises where the computer is located or the owner/user of the computer itself.

   (25) At its 7^th meeting (March 2000), the Plenary requested the Drafting Group to find some alternative language that could replace this term.

   (26) Further clarification is required with regard to the inclusion of satellites, in particular as to whether this provision would require a State that has responsibility for a satellite (or shares such responsibility with other States) to establish jurisdiction over an offence where the only nexus with that State is that data related to the offence has been transmitted through that satellite. Other international instruments should be examined to determine how they affect the jurisdiction of States with respect to satellites.

   (27) This provision has been limited to situations in which there is no extradition treaty in force between the Parties concerned. Where a bilateral or multilateral extradition treaty is in force between the Parties concerned (such as the 1957 European Convention on Extradition), the Parties will know to whom extradition and provisional arrest requests are to be directed without the necessity of a burdensome registration requirement. The language between brackets governing use of diplomatic channels is modeled after article 5 of the second additional protocol to the European Convention on Extradition.

   (28) The Drafting Group was, for the moment, unable to reach an agreement on this provision.

   (29) The explanatory text should specify that the mere fact that its legal system knows no such procedure is not sufficient grounds to refuse to apply the procedure requested by the requesting State.

   (30) The Plenary agreed at its 7^th meeting (March 2000) that further consideration was necessary on this matter, given that certain delegations expressed their reservation as to the possibility of giving up the requirement of dual criminality.

   (31) This paragraph assumes that the accessing State will limit its own contact to persons within its territory (though such persons may themselves need to contact people in other territories in order to obtain such consent or authority). This could be explicitly added by the insertion of the bracketed text or be explained in the explanatory memorandum.
   
   Source : http://conventions.coe.int/treaty/en/projets/cybercrime.htm