The Council of Europe (CoE) not to be confused with the more powerful European Union (EU) is leading the rest of the world in a push to have more countries ratify the Convention on Cybercrime. CoE's former Directorate General of Human Rights and Legal affairs, Head of Economic Crime Division, Alexander Seger, was recently in Nairobi for the sixth Internet Governance Forum (IGF). Seger now heads CoE's new cybercrime division as the organisation reorganised itself to put more structure on cybercrime.
Seger clarified that while EU rules apply only to its 27 members, CoE's convention are open to any country in the world. CoE's Budapest Convention was opened for signature in Budapest, on 23 November 2001.
The Budapest convention covers three things. Seger says it asks all countries to criminalise conduct of cybercrimes, including attacks against computer systems such as hacking.
The second item covered by the Convention is asking countries that ratify it to criminalise attacks using computer systems. This include pornography. Countries should put in place measures that deal with seizure of electronic evidence and securing of the same. Seger says that is is very important that this measure be clearly defined in law and that there are safe-guards. "A warrant, for example, must only allow for searching of certain parts of a computer only," he says.
Third, the Budapest Convention seeks to promote International Co-operation on cybercrime. Any country can take up the convention and develop legislation in line with it. Doing this makes sure countries have compatible and harmonised but not identical cybercrime legislation. "A country is able to come up with fairly complete cybercrime legislation by using the convention when coming up with its own law," says Seger as he explains the convention covers most legal gaps.
Using the treaty though does not qualify a country for co-operation from other countries. A country has to sign and ratify the treaty.
Thirty-two countries including the United States have ratified the convention with Switzerland being the latest. No African country has ratified the treaty, though South Africa has signed it while Senegal has already recieved its invitation to accede the convention. Notable non-signatories include Russia and China. Russia has its own cybercrime laws which according to Seger, have a few gaps. China has even more gaps in its own laws. Seger says that it is important for countries to implement the treaty in their own laws in order to have the treaty in effect.
Benefits for countries that ratify the treaty include better means to protect their citizens. "If there is better trust and safety online , the economy grows. It is difficult to conduct business amidst uncertainty on electronic crimes," says Seger.
"By ratifying the treaty, African countries would not be doing European nations a favour, but doing a benefit to the society at large, " he clarifies. As an example, Seger points out that for someone committing a criminal offence using a Google or Hotmail webmail account, in a country that has ratified the convention can request for the evidence from another country.
For the third element, Seger clarifies that even when a country has laws, there is need for capacity to implement them. This include prosecutors, investigators and judges. "In countries that have become a signatory or party to the treaty, we have been able to mobilise technical assistance," he says.
According to Seger, African countries on the path to implementing the treaty will have much better opportunities to receive support from the private sector. On the contrary, in a country where no objectives exist, it is hard to get support in cybercrime matters. The private sector has expressed great interest in supporting the Convention through firms such as Microsoft and Paypal. Users have to trust these companies systems hence the need of such objectives.
Seger says that it is also important for international corporations, especially US industry players to be seen operating in countries with clear legal frameworks in order to receive support from Congress. He points to Yahoo and Microsoft as such examples. "Microsoft and Google have interest in clear legal basis and on that , they are able to provide information based on that basis, " he says.
Dual criminality is however needed for countries to exchange cybercrime information. "What is defined as a crime in one country has to be a crime in another country," explains Seger. Examples include Wikileaks and pornography which are considered crimes in some states and none in others. All countries that ratify the convention are mandated to implement Articles 2 through 10 in their laws. The convention has 48 articles.
Countries can also reject requests for cooperation, though this will have no basis and will attract deliberation by members. Being members of the treaty also enhances trust between signatories. Seger was however on the defence of accusations that some members had not responded to requests for information. He says that the United States authority was unable to act on several request due to incomplete information, such as requests that covered a wide range of dates.
On 1 March 2006 an additional protocol on Xenophobia and Racism was added to the Budapest Convention. The protocol requires countries that have ratified the protocol are also required to criminalise dissemination of xenophobic and racist material through computer systems, including threats and insults.