DOMESTICATION OF EUROPEAN CONVENTION ON CYBERCRIME INTO NIGERIAN LAW

December 20, 2014

The OECD’s study, Computer-Related Crime: Analysis of Legal Policy, was published in 1986. The report, having surveyed the existing laws and reform proposals in member states, recommended a list of computer crimes which countries should consider codifying as penal laws: for example, computer fraud and forgery, the alteration of computer programs and data, copyright, and interception of communications or other functions of a computer or telecommunications system. Further to the OECD’s report, the Council of Europe launched its own study on computer-related crime, focused on developing guidelines to assist parliaments in determining the nature of computer-related crime which should be prohibited by law. The Convention on Cybercrime 2001 is the outcome of that study. This convention has just entered into force following its ratification by Lithuania, in accordance with its Article 36. It is stating the obvious to say that the convention is now a protocol for legislating against cybercrime, even amongst non-EU States. Under Article 37, the Committee of Ministers of the Council of Europe, with the consent of the contracting states, “may invite any state which is not a member of the council and which has not participated in its elaboration to accede to this convention.” This article merely seeks to lay a roadmap for countries such as Nigeria to accede to this convention, Nigeria not being an EU State and not having participated in the convention’s elaboration. The Convention only required ratification by five countries to come into force. Croatia, Albania, Estonia, Hungary and Lithuania have already fulfilled this function and, consequently, the convention came into effect on the 1st of July 2005. According to Walter Schwimmer, the Secretary General of the Council of Europe:

“The Convention on Cybercrime is a ground-breaking agreement which will play a key role in fighting computer-related crime. Cybercrime is a major global challenge which requires a co-ordinated international response – I therefore urge all of those Council of Europe member states which have not yet signed or ratified the convention to do so as a matter of priority.”

The former President of the United States, George W. Bush, has also spoken of the Convention in an equally admirable context, calling it “an effective tool in the global effort to combat computer-related crime” and “the only multilateral treaty to address the problems of computer-related crime and electronic evidence gathering.” Despite the aforementioned words of praise for the Convention and the risks associated with cybercrime, the Convention is not without its critics. For example, many opponents have cited privacy issues, while others have highlighted the forced cooperation clause. Notably vociferous opponents of the Convention include civil libertarians who have objected to the Convention since it became public in early 2000. They argue that it would endanger privacy rights, as well as allocate too much power to government investigators.

THE BINDINGNESS OF TREATIES IN NIGERIA

Nigeria, as a sovereign state, can enter into treaties or conventions as a contracting party. Such powers to contract on behalf of the state are vested in the President of Nigeria, who can exercise them personally or by delegation of authority. The tenor of the Constitution of the Federal Republic of Nigeria 1999 is such that mere ratification of or accession to a convention does not in itself confer on the treaty the binding force of law in Nigeria unless and until it is domesticated by the National Assembly. In the celebrated case of ABACHA v. FAWEHINMI (2000) 4 F.W.L.R 533 @ 546, the Supreme Court of Nigeria, per Ogundare JSC, had this to say:

“Suffice it to say that an international treaty entered into by the Government of Nigeria does not become binding until enacted into law by the National Assembly. See S. 12 (1) of the 1999 Constitution which provides: ‘No treaty between the Federation and any other country shall have the force of law except to the extent to which any such treaty has been enacted into law by the National Assembly.’ Before its enactment into law by the National Assembly an international treaty had no such force of law as to make its provisions justiciable in our courts. See the recent decision of the Privy Council in HIGGS & Anor. vs. Minister of National Security & Ors. The Times of December 23, 1999, where it was held that: ‘In the law of England and Bahamas, the right to enter into treaties was one of the surviving prerogative powers of the crown. Treaties formed no part of domestic law unless enacted by the legislature. Domestic courts had no jurisdiction to construe or apply a treaty, nor could unincorporated treaties change the law of the land. They had no effect upon citizen’s right and duties in common or statute law. They might have an indirect effect upon the construction of statutes or might give rise to a legitimate expectation by citizens that the government, in its acts affecting them, would observe the terms of the treaty’. In my respectful view, I think the above passage represents the correct position of the law, not only in England, but in Nigeria as well.”

A hard look at the provisions of S. 12 (1) of the 1999 Constitution throws up an irresistible submission that the provision envisages only bilateral, not multilateral, treaties, so that in the case of a multilateral treaty like the cybercrime convention, accession to it by the government makes it binding without further confirmation by the National Assembly. This submission is yet to be pronounced upon by the Nigerian courts, thus leaving the position of the law as propounded in the ABACHA case. However, because of the historical ties between Nigeria and the UK, even without acceding to the cybercrime convention, the framework of the convention will always play a pivotal part in Nigeria’s starting blocks in the fight against cybercrime. Where the legislature is awfully slow to make changes in the existing laws that will align the statute books with the technological realities of our time, judicial activism has, as much as practicable, filled the gap in the statutes. During his administration, President Olusegun Obasanjo set up a presidential committee on cybercrime. Following the completion of its study, the committee was converted into the Nigeria Cybercrime Working Group. Essentially, the report of this committee could be modestly termed Nigeria’s accession to the cybercrime convention, without solicitation. The report replicates, in material particulars, the Council of Europe Cybercrime Convention. It is therefore not surprising that the recent Cybercrime Bill now before the National Assembly contains, inter alia, a dubbed version of the UK’s Computer Misuse Act 1990.

“Under a new act being forwarded to the National Assembly for enactment, all crimes carried out with the use of computers, electronic and/or ancillary devices will be punished accordingly. The crimes are categorized into three. The first group includes unauthorized access to computer systems, access exceeding authorization, computer and system interference, data interception, denial of service, computer trespass and ‘e-mail bombing’. The second category of crimes includes computer contamination, illegal communications, computer vandalism, cyber squatting, cyber terrorism, cyber pornography and intellectual theft. Also included in this category are the use of computers to corrupt a minor, soliciting to compel prostitution, sending obscene materials to minors over the internet, indecent exposure and tampering with computer evidence. The third category includes crimes targeted against critical infrastructure in Nigeria. This aspect protects infrastructure that are critical to the nation’s security, economic and social interests.”

This bill thus, in one fell swoop, seeks to enact Nigeria’s version of the UK’s Computer Misuse Act 1990, Terrorism Act 2001, Copyright, Designs and Patents Act 1988 (with its amendments), Protection of Children Act 1978 (as amended) and Obscene Publications Act (as amended), to mention but a few.

COMMENTS ON SOME EXISTING SUBSTANTIVE, PROCEDURAL AND FORENSIC RULES

Nigeria’s statute books are a compendium of colonial relics which, in most ex-British colonies, have long been consigned to the archives and are referred to only for historical purposes. In 1990, a “reform” was made to these laws by the Law Reform Commission. Alas, rather than being reformed, these laws were merely jacketed in year 1990 book covers. In the face of technological advance, with its seamless nature, the otiosity of these laws has become embarrassingly obvious. For all the excitement which the proposed cybercrime bill will generate, investigation and prosecution of such crimes will founder if Nigeria’s Evidence Act is not amended so as to render computer-generated evidence admissible. “It must be clearly understood that our Evidence Act is now more than 50 years old and is completely out of touch and out of tune with the realities of the present scientific and technological achievements. Most of its sections are archaic and anachronistic and need thorough overhaul to meet the needs of our time.”

The problem of admissibility of evidence generated through the computer stems from the evidential status of storage devices such as disks, tapes and similar materials, since by virtue of section 2 of the Evidence Act they do not come within the definition of a document. Computer output or printouts are viewed as being in violation of the best evidence rule and may infringe the rule against hearsay evidence. Many of the printouts being admitted in evidence in the law courts are admitted as a result of judicial activism in its attempt to force technology into an otherwise pristine statute. It is submitted that prosecution of cybercrime in Nigeria involving content-related offences, requiring admissibility of electronic data, will be frustrated by the present Evidence Act, and judicial activism arguably will be hard put to confront such evidence. A complete overhaul of the Evidence Act is therefore a sine qua non for fighting cybercrime in Nigeria. In 1998 a proposed “Evidence Decree 1998” was produced which defined computer as “any device for storing and processing information, and any reference to information being derived from other information is a reference to its being derived from it by calculation, comparison or any other process”. “Document” was defined to include “any disc tape, soundtrack or other devices in which sound or other data (not being visual images) are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced from it”. Sadly, this proposed law was never signed into law. It is needful that this law be pulled up, revisited and enacted to align with the intendments of the cybercrime convention. Recently, a bill titled “A bill for an Act to amend the Evidence Act” went through first reading on the floor of the National Assembly. The amendment is going to be to the effect that the Evidence Act will permit admissibility of electronic and computer-generated evidence in courts.
As for any Nigerian law designed to deal with “search and seizure of stored computer data”, none exists. S. 25 (b) of the Economic and Financial Crimes Commission (Establishment) Act 2004 mentions “data used or intended to be used in violation of” the Act. It is obvious that this piece of legislation never intended “data”, as used there, to include stored computer data. The Act focuses more on the property (real or personal) used to commit or gained from committing the crime. In the all-inclusive proposed cybercrime bill, it will be worthwhile introducing the relevant provisions of the UK’s Regulation of Investigatory Powers Act (RIPA) 2000, to deal with interception of data in the course of transmission. Confronted recently by paternity testing in Nigeria, along with the issue of police initiating a D.N.A. test in that regard, the court lamented “the constraints they must have faced being confronted with a totally strange terrain in police investigation” and then stated, “I could not lay my hands on any law promulgated in Nigeria on this issue so . . . my only recourse is to the law in England. It is therefore time for our legislative houses to start considering the promulgation of similar legislation here in Nigeria . . . it is imperative that the proper statute are put in place to assist the populace, the lawyers, the Doctors, the forensic scientists and of course the judges that will have to adjudicate on such matters”. To accede to Article 7 of the convention, dealing with computer-related forgery, section 465 of the Criminal Code will have to be tinkered with by the Nigerian legislature, as well as S. 463. S. 463 defines document as including “a register or register-book . . . any book, paper, parchment or other material whatever, used for writing or printing . . . capable of conveying a definite meaning to persons conversant with them . . .”. This definition of document does not include computer data.
It follows that where information contained in computer data has been criminally altered, no offence is committed under the Criminal Code, as forgery will be deemed to have taken place only if the alteration occurred after the information has been processed and printed out, “with other signs capable of conveying a definite meaning”. It is only then that it becomes a document, which can be made false by altering it or writing in any material part, either by erasure, obliteration, removal or otherwise. In Odu vs. State, where an accused endorsed a cheque which was not meant for him in the name of a fictitious person, opened an account in that fake name, and signed the signature card and pay-in slip, on a charge of forgery the Supreme Court held: as the accused presented the two documents as having been made by himself, the fact that he did so under a false name did not mean that the documents purported to be made by some person who did not exist. Again, S. 421 of the Criminal Code creates a lacuna where a computer is involved. The section provides that “Any person who by means of any fraudulent trick or device obtains from any other person anything capable of being stolen or induces any other person to deliver to any person anything capable of being stolen or to pay or deliver to any person money or goods . . . is guilty of cheating”. Thus where a person fraudulently uses another person’s PIN to withdraw cash from a bank ATM, no offence is committed, because the machine “induced” is not a person. This section of the law needs urgent amendment to include inducement by any electronic means. The closest a Nigerian statute has got to Article 9 of the cybercrime convention, in respect of offences related to child pornography, is the Children and Young Persons (Harmful Publications) Law.
Its section 2 states that: “This Law applies to any book or magazine which is of a kind likely to fall into the hands of children or young persons and consists wholly or mainly of stories told in pictures (with or without the addition of written matter)”. This Law is, to say the least, anachronistic and will require immediate amendment to adapt it to the provision of Article 9 of the convention dealing with the conduct of producing, distributing or transmitting child pornography through a computer system. There is of course Section 233 d (1) of the Criminal Code, which provides that any person who, whether for gain or not, distributes or projects any article deemed to be obscene . . . commits an offence. “Article” means anything capable of being or likely to be looked at and read and includes any film or record of a picture or pictures and any sound records. “Distributes” includes circulates, tends, sells, let or hire or offer for sale or on hire; “projects”, in relation to an article to be looked at or heard, includes shows or plays. These provisions are based on the UK’s Obscene Publications Act 1959, which has been found wanting where such “articles” are transferred electronically from one computer to another using telephone lines or modems. This section of the Criminal Code should thus be amended to include electronic transmission of such obscene material. The issue of pseudo-photography as captured by Article 9 (2) of the convention will also need a look-in by criminalizing such. Article 10 of the cybercrime convention deals with offences related to infringement of copyright and related rights. Nigeria’s COPYRIGHT ACT 1988, S. 18 provides, “Any person who … (a) Imports or causes to be imported into Nigeria . . . infringing copies . . . (b) Makes, causes to be made, or has in his possession any plate, master tape, machine, equipment or contrivance for the purpose of making any infringing copy . . . shall unless he proves . . . that he did not know or had no reason to believe that any such copy was not an infringing copy . . . or that such . . . machine equipment or contrivance was not for purpose of making infringing copies . . .” This provision, which is generously inquisitorial in nature, will certainly render everyone criminally liable, from the ISP to an innocent browser who accessed infringing copies inadvertently. The fact is that the law never envisaged computer technology. The provision on importation actually had in mind the traditional means of physically bringing goods into the country by modal means. The provisions as to machine, equipment or contrivance did not contemplate electronic devices, yet they could be subsumed therein. It is submitted that this provision, if subjected to constitutional scrutiny, may fail. Under the Nigerian Constitution, “Every person who is charged with a criminal offence shall be presumed to be innocent until he is proved guilty”. This law on copyright more or less declares an accused guilty until he proves his innocence. Nigeria is party to a number of copyright-related treaties, including the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention 1886); the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIP 1994), concluded within the framework of GATT; and the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organization (Rome Convention 1961). In addition, Nigeria played a prominent role in the birth of the WIPO Copyright Treaty 1996 and the WIPO Performance and Phonogram Treaty 1996. The WIPO Treaties are the response of the international community to the concerns thrust upon copyright by emerging technologies. With Nigeria’s accession to these Treaties, the next step forward is to amend its existing Copyright Act, to bring it in tandem with the recommendation of the cybercrime convention under Article 10.
In the light of the fact that the fight against cybercrime is preponderantly commerce-driven, Nigeria’s accession to and/or implementation of the cybercrime convention is a welcome move and a firm step out of the economic doldrums.

THE QUEST FOR HARMONISATION OF CYBERCRIME LAW IN NIGERIA

Generally, cybercrime criminal jurisdictions cover transnational dimensions. A 419 email letter that originates from Nigeria, and claims a victim elsewhere in the world, might not only violate the territorial laws of Nigeria, but also those of the victim. If it does not violate international jurisdictional regions, evidence trails, for this example, might be found on the electronic pathway of several international States. Thus, to be effective, there is clear indication from cybercrime experts around the world that the harmonization of laws, and the harmonization of law enforcement practices, provides a clearer framework for any effective State-sponsored anti-cybercrime effort. In an article titled “Organised Crime and Cybercrime: Synergies, Trends, and Responses”, Phil Williams writes:

“Harmonization is necessary for both substantive and procedural laws. All countries have to reappraise and revise rules of evidence, search and seizure, electronic eavesdropping, and the like to cover digitized information, modern computer and communication systems, and the global nature of the Internet. Greater coordination of procedural laws, therefore, would facilitate cooperation in investigations that cover multiple jurisdictions.”

In short, there is a need for the cybercrime laws of one nation to be reciprocal with those of others. To yield criminal prosecution, a 419 email that finds its victim on the other side of the Atlantic must not only be criminal in Nigeria, but also in the jurisdictional State of the victim. Furthermore, the framework for investigating these criminal activities must be a coordinated effort of international law enforcement activities. In the same paper, Phil Williams went further to note that,

“In addition to appropriate laws, it is also important that governments and law enforcement agencies develop the capacity for implementation of these laws. This requires the development of expertise in the area of cybercrime as well as effective information sharing across agencies within a country and across national borders. Moreover, this sharing has to go beyond traditional law enforcement bodies to include national security and intelligence agencies. It is also essential to create specialized law enforcement units to deal with cybercrime issues at the national level. Such units can also provide a basis for both formal international cooperation and informal cooperation based on transnational networks of trust among law enforcement agents. Ad hoc cooperation and multinational task forces can both prove particularly useful — and there are already cases where international cooperation has been very effective. Indeed, successful cooperation can breed emulation and further success.”

Hence, as the National Assembly deliberates on cybercrime law, due care must be taken to address the issues of embedding the Nigerian cybercrime framework with the rest of the international community. Thus, in crafting a Nigerian cybercrime law, the following areas must be given consideration:

A) Adapting Internet Laws with domestic laws.

B) Harmonization with foreign and regional laws.

C) Harmonization with International Law enforcement practice.

D) Involvement of private sector.

E) Investigative and Law Enforcement collaboration.

In a September 19, 2000 speech, Kevin DiGregory, a Deputy Assistant Attorney General in the Criminal Division at the U.S. Department of Justice in Washington, D.C., noted, “Harmonization of the laws defining criminal behaviour is not enough. To enforce substantive computer crime laws, law enforcement authorities also need appropriate tools for detecting and investigating such unlawful activities. Many criminal cases today are investigated and solved through electronic evidence, which is highly perishable, and can be easily deleted or modified from half-a-world away”. There is therefore a need for Nigeria, in the construction of its cybercrime law, to adopt a model that incorporates not only harmonization issues of law, but also a framework for an effective law enforcement programme that reflects harmonization of law enforcement methods. Eoghan Casey suggests, in Chapter 4 of his book (Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet), that digital evidence processing can be accomplished within the efforts of the following groups:

A) Digital Crime Scene Technicians: Individuals responsible for gathering data at a crime scene should have basic training in evidence handling and documentation as well as in basic crime reconstruction to help them locate all available sources of evidence on a network.

B) Digital Evidence Examiners: Individuals responsible for analysis of particular kinds of digital evidence require specialized training and certification in their area.

C) Digital Investigators: Individuals responsible for the overall investigation should receive a general training but do not need very specialized training or certification. Investigators are also responsible for reconstructing the actions relating to a crime using information from first responders and forensic examiners to create a more complete picture for investigators and attorneys.

Finally, an effective Nigerian cybercrime programme must include the harmonization of law, law enforcement technique and methods, and an adaptive technological research programme.

5.4. THE SHORTCOMINGS OF NIGERIAN CRIMINAL CODE AND EVIDENCE ACT

In order to be ingenious, the application of the Criminal Code and the Evidence Act in Nigeria to cybercrimes is legally vulnerable. Both laws are alien to cybercrime because it is a recent phenomenon, committed via the use of the newly discovered technology called cyber technology. They have a lot of weaknesses that can allow a suspect to escape justice by hiding under the technicalities of the laws. In order to show the vulnerability of these laws, the following questions will be asked as regards the application of the laws. The Criminal Code, for instance, cannot be applied to cases that involve hacking, cyber-stalking, e-mail spoofing and other related cases. These crimes need a legal framework to penalize the offences. Even the old crimes which are committed using the internet and computers, such as advance fee fraud and other financial crimes, also need a new legal framework, because it would be very difficult to penalise the offenders when those crimes are not specifically mentioned in the Criminal Code. The EFCC Act itself does not define cybercrime, neither does it cover all cybercrime-related crimes. It was established mainly to address financial and economic crimes.
However, section 5 (b) of the EFCC Act provides for: “the investigation of all financial crimes including advance fee fraud, money laundering, counterfeiting, illegal charge transfers, futures market fraud, fraudulent encashment of negotiable instruments, computer credit card fraud, contract scam, etc.” The above provision of the EFCC Act does not address cybercrime cases; it only mentions a few cybercrime offences. There are further questions to be asked in the application of these procedural laws (i.e. the Criminal Code and the Evidence Act): Can a person voluntarily provide law enforcement agents with electronic data that may afford evidence of crime? Can a person voluntarily permit law enforcement agents to undertake a search for such data, rather than provide it to them? Could continuing cooperation of this nature by a person with law enforcement have a legal effect on the ability of law enforcement to obtain or use the data? Do our laws distinguish between the search and seizure of stored data in a computer, and the interception of data that is being communicated from one computer to another or within a computer system? Do our laws provide for the seizure of intangible data without seizure of the physical medium in which it is found? In some cases, the precise location of the electronic data within a computer system may not be apparent. How specific must the description in the judicial authority (e.g. search warrant) be of the place to be searched or the data to be seized? Seizure of an entire computer system, or shutting it down during the course of a search, may be extremely intrusive, and particularly burdensome to an ongoing business. What practical circumstances would justify seizing or shutting down a complete system rather than merely taking a copy of the data? Would the law permit the seizure of the entire database for the purpose of subsequently identifying the relevant data? What practical means can be used to copy large volumes of data?
These are questions, amongst others, to which no answer can be given on examining our existing laws as regards cybercrime. On the heels of the foregoing problems is the inadequacy of the existing procedural laws for the prosecution of offenders. Quite a number of economic and financial crimes are carried out these days through the use of computers/internet, word processors, telex machines, fax machines, etc. The problem that has arisen from the use of the above-stated gadgets is the evidential value and admissibility of the materials generated by them vis-a-vis the law of evidence and proof of the guilt of a culprit of economic or financial crime. The evidential status and admissibility of computer and other electronically generated statements of account or printouts, e-mails, telegraphic transfers, telefaxes, etc., have been issues of controversy in the courts, law institutions, workshops, bar conferences and seminars. As Professor Yemi Osinbajo (SAN) observed: “One of the specific problems that have arisen from the use of electronic financial transactions is the manner and procedure for providing the forms of evidence generated by these means or simply proof of such transactions themselves”. Our procedural laws, particularly the Evidence Act, which were enacted in the light of an agrarian and pedestrian society, have become grossly inadequate to cover the present advancement in technology, with the concomitant sophistication employed in the commission of economic and financial crimes. The issue as to whether entries in “Books of Account”, as contemplated by section 38 of the Evidence Act, included computer-generated statements or printouts came up in YESUFU v. ACB. The Supreme Court only expressed, by way of obiter dictum, a willingness to interpret the section more liberally in view of contemporary business practice and methods when it noted inter alia: “The law cannot be and is not ignorant of modern business methods and must not shut its eyes to the mysteries of computer. In modern times, reproductions or inscriptions or ledgers or other documents by mechanical processes are commonplace and section 38 cannot therefore only apply to books of account so bound and the pages not easily replaced.” In the absence of any positive judicial interpretation of this section, or amendment of the sections of the Evidence Act relevant to the admissibility of electronically generated evidence, the well-intended provisions of the Criminal Code and EFCC Act, vis-a-vis detection, investigation and proof of organised internet crimes, may continue to be a mirage.

KEY CRITICISMS OF THE CONVENTION

The substantive criminal law measures of the Cybercrime Convention include offences on intentional illegal access of computer systems, intentional illegal interception of non-public transmissions of computer data, any intentional interference with computer data including deletion or alteration, any intentional interference with a computer system, misuse of certain devices designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 – 5 of the Convention, and the possession of such devices with intent to commit such offences. Moreover, the Convention includes computer-related crimes such as computer-related forgery and fraud, and content-related offences such as child pornography. Offences related to infringements of copyright and related rights are also included within the Convention. The procedural law measures of the Convention include conditions and safeguards, expedited preservation of stored computer data, expedited preservation and partial disclosure of traffic data, production orders for law enforcement agencies for accessing data, the search and seizure of stored computer data, real-time collection of traffic data, interception of content data, extradition, principles relating to mutual assistance, and the creation of a 24/7 network of law enforcement points of contact. According to Walter Schwimmer, the Secretary General of the Council of Europe: “The Convention on Cybercrime is a ground-breaking agreement which will play a key role in fighting computer related crime. Cybercrime is a major global challenge which requires a coordinated international response – I therefore urge all of those Council of Europe Member States which have not yet signed the convention to do so as a matter of policy.” The former President of the United States, George W.
Bush, has also spoken of the Treaty in an equally admirable context, calling it -an effective tool in the global effort to combat computer-related crime- and -the only multilateral treaty to address the problems of computer-related crime and electronic evidence gathering.- Despite the aforementioned words of praise for the treaty and the risks associated with cybercrime, the Convention is not without its critics. The following are the key criticisms raised against the Council of Europe Convention on Cybercrime: I. The treaty was drafted in a closed and secretive manner The Council of Europe Committee of Experts on Crime in Cyberspace drawn from 16 member states was working on the Cyber-Crime Convention since September 1997 before the first public release of draft version 19 in April 2000. Although its existence was no secret through references to the draft Convention within publicly available documents at both national and European Union level, the content of the draft Convention was only distributed publicly after April 2000. Although the draft convention has been published in April 2000, some important parts of the draft convention, namely those related to interception of communications, have not been made publicly available until October 2000, two months before the deadline issued for public comments by the Council of Europe. These important sections were certainly not part of the April 2000 version (No 19) of the draft convention. Universally accepted process conditions such as openness, and transparency have not been respected at the Council of Europe level during the development of the Convention. An open and transparent policy making would generally lead into easy to understand regulation and legislation with clear aims and objectives. 
There was limited transparency during the Council of Europe process, and the policy making process would have benefited from greater openness especially in the light of co-operation between member or supporting States and the private industry being encouraged within the Convention. Hence the Council of Europe process has not been accessible and open and a “dialogue” with all interested parties especially with the representatives of the civil society has not been established at all despite the claims by the Council of Europe that “consultation process proved useful” since the release of the declassified versions of the draft Convention. Submissions made by non-governmental organisations were largely ignored by the Council of Europe.

II. The text of the Convention remains unclear

The draft versions of the Convention often referred to the explanatory report that would be published in addition to the Convention. However, the explanatory report was not published in its draft format for public review until 14 February, 2001. The consultation process in relation to the draft versions of the Convention was completed by then. Although the final version of the explanatory memorandum is useful for better understanding of the Cybercrime Convention, it should be noted that, as the Council of Europe document “Introduction to Conventions and Agreements in the European Treaty Series (ETS)” states:

“Following the practice instituted by the Committee of Ministers of the Council of Europe in 1965, explanatory reports have been published on some of the treaties. These reports, prepared by the committee of experts instructed to elaborate the European Convention or Agreement in question and published with the authorisation of the Committee of Ministers, might facilitate the application of the provisions of the respective treaties, although they do not constitute instruments providing an authoritative interpretation of them.”

As the subject matter of this Convention is pretty complex, the drafters could be criticised for not producing a clear and understandable stand-alone text. The wording of various sections should have been clarified in the main text of the Convention rather than the interpretation being left to instruments and/or reports that will not provide “an authoritative interpretation” of the Convention itself. This view was supported by the Working Party on the protection of individuals with regard to the processing of personal data of the European Commission which concluded that “explanations in the explanatory memorandum cannot replace legal clarity of the text itself.” Precision in wording is crucial considering the civil liberties implications of the Cybercrime Convention.

III. Problems associated with the scope of the procedural provisions

Article 14(1) provides that “each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this Section for the purpose of specific criminal investigations or proceedings.” Each Party shall apply the powers and procedures referred to in Article 14(1) to:

a. the criminal offences established in accordance with articles 2-11 of this Convention;
b. other criminal offences committed by means of a computer system; and
c. the collection of evidence in electronic form of a criminal offence.

It is however maintained that the scope of the above provisions should have been limited to the offences established in articles 2-11 of this Convention (article 14(1)(a)) and should not have extended to “other criminal offences” (article 14(1)(b)) committed by means of a computer system. It is not at all clear what “other criminal offences” means under article 14(1)(b) and there is no explanation whatsoever why the procedural provisions of the Cyber-Crime Convention should be extended to cover other criminal offences. Although the scope of this section is limited by means of article 21 which “provides that the power to intercept content data shall be limited to a range of serious offences to be determined by domestic law”, it still remains unclear why the scope should be extended to criminal offences that are not defined by this Convention. As a result of the widening of the scope of procedural provisions, search and seizure of computer data measures, interception of communications and traffic data, expedited preservation of stored computer data, expedited preservation and partial disclosure of traffic data, and production orders (articles 16-21) could be applied to the offences under article 14(1) established not only in accordance with articles 2-11 of this Convention; but also to other criminal offences established by means of a computer system; and to evidence gathering in electronic form of any criminal offence. It is advised that during the implementation process of the Cyber-Crime Convention, procedural powers and provisions should be limited to the offences included in the Convention only. In any case reservations provided in article 14(3)(a) should be noted:

“each Party may reserve the right to apply the measures referred to in Article 20 (Real-time collection of traffic data) only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21 (Interception of content data). Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20 (Real-time collection of traffic data).”

IV. Conditions and Safeguards and Judicial Warrants

Article 15(2) of the 2001 Convention states that conditions and safeguards shall, “as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.” One would have expected to see some of the provisions (if not all) such as the production orders (article 18), search and seizure of stored computer data (article 19), real-time collection of traffic data (article 20) and interception of content data (article 21) to be subject to “judicial warrants” as consistent with the jurisprudence of the Strasbourg court. The European Court of Human Rights has clearly laid down in its case law the “requirement of supervision by the judicial authorities in a democratic society, which is characterised by the rule of law, with the attendant guarantees of independence and impartiality.” It has also been stated that “this is all the more important in order to meet the threat posed by new technologies.” Furthermore, as regards search and seizure issues in particular, “the relevant legislation and practice must afford individuals ‘adequate and effective safeguards against abuse’; notwithstanding the margin of appreciation which the Court recognises the Contracting States have in this sphere, it must be particularly vigilant where, the authorities are empowered under national law to order and effect searches without a judicial warrant. If individuals are to be protected from arbitrary interference by the authorities with the rights guaranteed under Article 8, a legal framework and very strict limits on such powers are called for.” Therefore, nothing less than judicial supervision as a safeguard for such procedural powers is acceptable during the implementation process by the parties to the convention, especially in the absence of a clear definition for what constitutes “independent supervision”.

V. Production Orders and Private Encryption Keys

Under article 18(1) each Party shall “adopt such legislative and other measures as may be necessary to empower its competent authorities to order:

(a) a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium . . .”

When read together and if implemented into national legislation, articles 18 (production order) and 19 (search and seizure of stored computer data) could be used by law enforcement agencies to request private encryption keys that have been used to secure/encrypt data in a computer system.

But there are serious security concerns associated with the seizure of private encryption keys or government access to keys (“GAK”) and such an access could seriously undermine the security of computers and computer data, e-commerce and the integrity of service providers, as well as causing huge potential costs in global key revocation and change. But this serious concern has not been acknowledged or discussed either within the Convention or within the Explanatory memorandum of the Convention. But clearly the wording of article 18(1)(a) may be used to request “a person to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium.” Although this may not specifically relate to encryption keys, article 19(4) which requires parties to adopt measures as may be necessary “to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures related” to search and seizure of stored computer data could clearly be used for the purposes of law enforcement access to encryption keys. Such an access to encryption keys could also infringe important human rights such as privacy of communications and a suspect’s right not to incriminate himself. The requests for private encryption keys with a production order under article 18 could lead to those holding the private encryption keys incriminating themselves.
The right to a fair trial under article 6 of the European Convention on Human Rights includes “the right of anyone charged with a criminal offence … to remain silent and not to contribute to incriminating himself.” The forced disclosure of documentation may not be considered as serious as the demand for personal testimony, but it can be personally incriminating as implying the admission of the existence and possession of encryption keys. Furthermore, as it stands the empowering of competent authorities at the national level to order a “person to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium” would be without any clearly defined conditions and safeguards. Of course article 18(2) refers to the powers and procedures referred to in article 18 to be subject to articles 14 and 15. But there is no explicit and specific protection offered to government (law enforcement) access to encryption keys within those provisions.

As it stands the law enforcement agencies would not be required to protect and keep secure any data or private encryption keys obtained from the suspect computers. In those circumstances, the law enforcement agencies should only be in a capacity to request “plain text” but not encryption keys. Paragraph 176 of the Explanatory memorandum, with respect to the modalities of production, states that “parties could establish obligations that the specified computer data or subscriber information must be produced in the manner specified in the order.” This could include the data or information to be provided in “plain text”. But that explanation falls short of addressing the government access to encryption keys issue.

VI. Problems related to interception of communications

Article 20 deals with real-time collection of traffic data and this section requires competent authorities to “compel service providers” to collect or record through application of technical means (article 20(b)(i)) or to co-operate and assist the competent authorities in the collection or recording (article 20(b)(ii)) of “traffic data in real time” associated with specific communications on its territory transmitted by means of a computer system. Article 21 deals with interception of content data and this provision was kept secret until October 2000 (two months before the deadline provided by the Council of Europe for public comments). Surveillance powers are by far the most important provisions of the Convention and the interested parties should have been given more time to consider these provisions at the time. Article 21(1)(b) requires the empowerment of competent authorities to compel a service provider to (i) collect or record through application of technical means and to (ii) co-operate and assist the competent authorities in the collection or recording of content data in real-time of specified communications transmitted by means of a computer system. In technical terms, articles 20(1)(b)(ii), and 21(1)(b)(ii) could require Internet Service Providers to install black boxes (US Carnivore-like) for directly assisting the law enforcement agencies in the collection or recording of traffic data, and content data. Such a mechanism could result in secret surveillance and interception of all forms of communications including Internet communications and data. Such interference by a public authority should be subject to extremely strict conditions and safeguards. Also, the scope of such interception needs to be clearly defined by law and should be particularly precise.
The Strasbourg Court has repeatedly stressed “the risk that a system of secret surveillance for the protection of national security poses of undermining or even destroying democracy on the ground of defending it”. This is why the Court must be satisfied that the “secret surveillance of citizens is strictly necessary for safeguarding democratic institutions and that there exist adequate and effective safeguards against its abuse.” Furthermore, there is no mention of how much such capability for real time surveillance could cost the service provider industry. The cost of such interception and monitoring capabilities for service providers is extremely important and the 2001 Convention is partially silent on this issue though it is mentioned that service providers can only be compelled within their existing technical capability under articles 20(1)(b), and 21(1)(b). Reliance on the “existing technical capabilities” may for the moment satisfy industry concerns in relation to the cost issue but in reality and practice this may not satisfy law enforcement agencies. So discussions in relation to the implementation of this requirement into national legislation will undoubtedly be problematic as was witnessed with the enactment of the Regulation of Investigatory Powers Act 2000 in the United Kingdom. With regard to secret surveillance measures, the European Court of Human Rights has underlined the importance of that concept in the following terms in the Malone v. the United Kingdom judgment: “The Court would reiterate its opinion that the phrase ‘in accordance with the law’ does not merely refer back to domestic law but also relates to the quality of the ‘law’, requiring it to be compatible with the rule of law, which is expressly mentioned in the preamble to the Convention – The phrase thus implies – and this follows from the object and purpose of Article 8 – that there must be a measure of legal protection in domestic law against arbitrary interferences by public authorities with the rights safeguarded by paragraph 1 – Especially where a power of the executive is exercised in secret, the risks of arbitrariness are evident – – Since the implementation in practice of measures of secret surveillance of communications is not open to scrutiny by the individuals concerned or the public at large, it would be contrary to the rule of law for the legal discretion granted to the executive to be expressed in terms of an unfettered power. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, to give the individual adequate protection against arbitrary interference.”

Furthermore, the decision in the case of Amann v. Switzerland should also be recalled. The Court stated that:

“tapping and other forms of interception of telephone conversations constitute a serious interference with private life and correspondence and must accordingly be based on a ‘law’ that is particularly precise. It is essential to have clear, detailed rules on the subject, especially as the technology available for use is continually becoming more sophisticated.”

The jurisprudence of the European Court of Human Rights should be observed while parties to the Cybercrime Convention ratify and implement the Convention at the national level as the monitoring of communications can constitute an interference with the right to respect for private life and correspondence in breach of article 8(2) of ECHR, unless it is carried out in accordance with a legal provision capable of protecting against arbitrary interference by the state with the rights guaranteed. As mentioned by paragraph 215 of the explanatory report, “in the area of interception, the present Convention itself does not set out specific safeguards other than limiting authorisation of interception of content data to investigations into serious criminal offences as defined in domestic law.” So the exceptions provided for in article 8(2) are to be interpreted narrowly, and the need for them in a given case must be convincingly established. The relevant provisions of domestic law must be both accessible and their consequences foreseeable, in that the conditions and circumstances in which the state was empowered to take secret measures such as telephone monitoring are to be clearly indicated as the European Court of Human Rights held. In particular, the avoidance of abuse demands certain minimum safeguards, including the conditions regarding the definition of categories of persons liable to have their telephones tapped, and the nature of offences that could give rise to such an order. It should also be noted that “states do not enjoy unlimited discretion to subject individuals to secret surveillance or a system of secret files. The interest of a State in protecting its national security must be balanced against the seriousness of the interference with an applicant’s right to respect for his or her private life.” The signing states need to carefully consider and take into account the work and jurisprudence of the European Court of Human Rights in relation to article 8 while developing the conditions and safeguards in relation to the implementation of the Cyber-Crime Convention.

VII. Obligation of confidentiality

Articles 20(3) and 21(3) require signing states to adopt such legislative and other measures as may be necessary to “oblige a service provider to keep confidential the fact of and any information about the execution of any power provided for in” articles 20 (real-time collection of traffic data) and 21 (interception of content data). In the Valenzuela Contreras v Spain judgment, the Strasbourg Court recognised that “where a power of the executive is exercised in secret the risks of arbitrariness are evident. In the context of secret measures of surveillance or interception by public authorities, the requirement of foreseeability implies that the domestic law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances in and conditions on which public authorities are empowered to take any such secret measures. It is essential to have clear, detailed rules on the subject, especially as the technology available for use is constantly becoming more sophisticated.” Moreover, such requirements for confidentiality may only be justified for matters to do with national security. So far as the activities of intelligence services are concerned, the Strasbourg court reiterates that “powers of secret surveillance of citizens are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions.” However, even concerns for national security do not provide a blanket right for secret surveillance of citizens by the state and “in respect of national security as in respect of other purposes, there has to be at least a reasonable and genuine link between the aim invoked and the measures interfering with private life for the aim to be regarded as legitimate.” In order for systems of secret surveillance to be compatible with Article 8 of the Convention, they must contain safeguards established by law which apply to the supervision of the relevant services’ activities.
Supervision procedures must follow the values of a democratic society as faithfully as possible, in particular the rule of law, which is expressly referred to in the Preamble to the Convention. The rule of law implies, inter alia, that interference by the executive authorities with an individual’s rights should be subject to effective supervision, which should normally be carried out by the judiciary, since judicial control affords the best guarantees of independence, impartiality and a proper procedure.

VIII. Preservation Orders

The Cyber-Crime Convention does not include data retention provisions and instead opted for measures involving data preservation within article 16 (Expedited preservation of stored computer data), and article 17 (Expedited preservation and partial disclosure of traffic data) having not reached a consensus on the retention of traffic data issue. Under a data preservation regime, upon the request of appropriate authorities, data relating to named suspects could be ordered to be preserved for possible later access following a further disclosure order. Such a case by case basis approach is better than a blanket data retention regime. However, it should be noted that post September 11, policy initiatives within the European Union encourage “data retention” policies rather than “data preservation” as a tool for law enforcement. Though data preservation itself represents an ‘entirely new legal power or procedure in domestic law’ for most European countries, nevertheless, data preservation measures ‘do not mandate the collection and retention of all, or even some, data collected by a service provider or other entity in the course of its activities.’ They are also limited ‘for the purpose of specific criminal investigations or proceedings’. Such data would be preserved for a period of time as long as necessary, up to a maximum of 90 days. The Convention furthermore enables through article 20 real-time collection of traffic data ‘associated with specified communications’ as mentioned above. But these powers do not intrude as far as general data retention policies would:

“the Convention does not require or authorise the general or indiscriminate surveillance and collection of large amounts of traffic data. It does not authorise the situation of ‘fishing expeditions’ where criminal activities are hopefully sought to be discovered, as opposed to specific instances of criminality being investigated. The judicial or other order authorising the collection must specify the communications to which the collection of traffic data relates.”

Furthermore, while the Explanatory Report of the Cyber-Crime Convention claims the privacy interests arising from the collection of traffic data are diminished compared to the interception of content data, it nevertheless acknowledges that

“…a stronger privacy issue may exist in regard to data about the source or destination of a communication (e.g. the visited websites). The collection of this data may, in some situations, permit the compilation of a profile of a person’s interests, associates and social context.”

IX. Mutual Assistance and Dual-Criminality

Article 25(1) requires parties to the Convention to “afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.” This will be subject to the “conditions provided for by the law of the requested Party or by applicable mutual assistance treaties, including the grounds on which the requested Party may refuse co-operation” under subsection (4). The crucial issue in relation to mutual legal assistance is “dual criminality” as a safeguard: that the legal systems of the parties to a mutual assistance request (both the country requesting information and the requested party) have equivalent offences within their national legal systems in relation to the alleged offences that are part of the investigation. It is not acceptable for a law enforcement body of one nation to respond to a request of another without the need for dual criminality safeguards. In the absence of dual criminality, the implementation of this section could lead to the investigation of one nation’s law abiding citizens by another nation’s law enforcement bodies. Article 25 is vague and such wording as “the parties shall afford one another mutual assistance to the widest extent possible” could have been clearer and the extent of such assistance should have been defined within this section and should be consequently defined by law.
Furthermore, such provisions need to be in accordance with the Council of Europe Convention on Mutual Assistance in Criminal Matters, as well as with the First Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, and the Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, which broadens the range of situations in which mutual assistance may be requested and makes the provision of assistance easier, quicker and more flexible. The second additional protocol also takes account of the need to protect individual rights in the processing of personal data. On the other hand, article 29 dealing with the expedited preservation of stored computer data states in subsection (1) that:

“a Party may request another Party to order or otherwise obtain the expeditious preservation of data stored by means of a computer system, which is located within the territory of that other Party and in respect of which the requesting Party intends to submit a request for mutual assistance for the search or similar access, seizure or similar securing, or disclosure of the data.”

But subsection 3 of the same section explicitly states that for the purposes of responding to a request, dual criminality shall not be required as a condition to providing such preservation. The only safeguard provided for such requests is under subsection (4) which states that a party can only reserve the right to refuse the request for preservation in respect of offences other than those established in accordance with Articles 2 – 11 of this Convention under this article in cases where it has reason to believe that at the time of disclosure the condition of dual criminality cannot be fulfilled. Mutual assistance can also be refused in relation to political offences or offences which are connected with a political offence as well as in cases in which the execution of the request is likely to prejudice the sovereignty, security, public order or other essential interests of the requested state.

X. Provision of Spontaneous information

Article 26(1) states that “A Party may, within the limits of its domestic law, without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offences established in accordance with this Convention or might lead to a request for co-operation by that Party under this chapter”.

But this provision should not be read as a requirement to conduct policing duty for the benefit of foreign law enforcement agencies. Such a policing activity and disclosure of data (information) by the law enforcement agencies of one State should not be conducted for the benefit of another State in the absence of dual criminality requirements for the offences in question. If no offence is committed in one State, no information should be collected, processed and disclosed to the law enforcement agencies of another State. The confidentiality requirement within Article 26(2) should be subject to data protection principles and laws as the current requirement for confidentiality only intends to protect the interests of the disclosing state rather than the interests of the persons about whom information has been disclosed to another country. In any case such information should not be disclosed spontaneously to any state which has no comprehensive data protection legislation in place if and when they sign and ra