Application of the relevant provisions of the
Convention on Cybercrime against computer viruses
- Task Force on European Cybercrime Initiative
The new Task Force of EICAR was set up to deal with the Convention
on Cybercrime, signed by 26 Member States of the Council of Europe
and four other non-member countries (Canada, Japan, South Africa and
the USA) on 23 November 2001 in Budapest. The activity of the Task
Force focuses in particular on the question of whether Article 6 on "Misuse
of devices" and other relevant provisions of the Convention, as measures
to be taken at the national level, are adequate means of providing
appropriate protection against computer viruses and other malicious
computer code. Within the framework of its activity the Task Force
intends to draft three different versions ("lightweight", "middleweight"
and "heavyweight") of legal norms criminalising the commission of
specific illegal acts in connection with computer viruses in accordance
with the provisions of the Convention.
- Convention on Cybercrime
According to the Explanatory Report the Convention aims principally at
- harmonising the domestic criminal substantive
law elements of offences and connected provisions in
the area of cyber-crime
- providing for domestic criminal procedural law powers
necessary for the investigation and prosecution of such offences
as well as other offences committed by means of a computer system
or evidence in relation to which is in electronic form
- setting up a fast and effective regime of international
co-operation.
The subject of the examination here is the first goal mentioned above
(1), which is also a significant precondition for a successful and
effective fight against computer crime.
Chapter I (substantive law issues) covers both criminalisation provisions
and other connected provisions in the area of computer- or computer-related
crime: it first defines 9 offences grouped in 4 different categories,
then deals with ancillary liability and sanctions.
The following offences are defined by the Convention: illegal access,
illegal interception, data interference, system interference, misuse
of devices, computer-related forgery, computer-related fraud, offences
related to child pornography and offences related to copyright and
neighbouring rights.
- Substantive criminal law of the Convention on
Cybercrime
The purpose of Section 1 of the Convention (Articles 2 - 13) is to
improve the means to prevent and suppress computer- or computer-related
crime by establishing a common minimum standard of relevant
offences.
To a great extent it is based on the guidelines developed in connection
with Recommendation No. R (89) 9 of the Council of Europe on computer-related
crime and on the work of other public and private international organisations
(OECD, UN, AIDP), but taking into account more modern experiences
with abuses of expanding telecommunication networks.
Main provisions of this Section:
- the list of offences included represents a minimum
consensus not excluding extensions in domestic law
- offences must be committed "without right"
and "intentionally"
- certain articles in the section allow the addition
of qualifying circumstances when implementing the Convention in
domestic law
- in other instances even the possibility of a reservation
is granted (cf. Articles 40 and 42).
Laws establishing these offences should be drafted with as much clarity
and specificity as possible, in order to provide adequate foreseeability
of the type of conduct that will result in a criminal sanction.
- Criminal offences: "without right" and "intentionally"
A specificity of the offences included is the express requirement
that the conduct involved is done "without right". It reflects the
insight that the conduct described is not always punishable per se,
but may be legal or justified not only in cases where classical legal
defences are applicable, like consent, self defence or necessity,
but where other principles or interests lead to the exclusion of criminal
liability. The expression 'without right' derives its meaning from
the context in which it is used. Thus, without restricting how Parties
may implement the concept in their domestic law, it may refer to conduct
undertaken without authority (whether legislative, executive, administrative,
judicial, contractual or consensual) or conduct that is otherwise
not covered by established legal defences, excuses, justifications
or relevant principles under domestic law. The Convention, therefore,
leaves unaffected conduct undertaken pursuant to lawful government
authority (for example, where the Party's government acts to maintain
public order, protect national security or investigate criminal offences).
Furthermore, legitimate and common activities inherent in the design
of networks, or legitimate and common operating or commercial practices
should not be criminalised. It is left to the Parties to determine
how such exemptions are implemented within their domestic legal systems
(under criminal law or otherwise).
All the offences contained in the Convention must be committed "intentionally"
for criminal liability to apply. In certain cases an additional specific
intentional element forms part of the offence. The drafters of the
Convention agreed that the exact meaning of 'intentionally' should
be left to national interpretation.
- Criminal offences in connection with computer
viruses
Articles 4-6 of the Convention include several illegal acts in connection
with computer viruses that shall be criminalised under domestic
law, provided that the Party does not avail itself of the reservation
granted by Article 42.
Article 4 - Data interference
- Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic
law, when committed intentionally, the damaging, deletion,
deterioration, alteration or suppression of computer data without
right.
- A Party may reserve the right to require that the conduct described
in paragraph 1 result in serious harm.
In paragraph 1, 'damaging' and 'deteriorating' as overlapping acts
relate in particular to a negative alteration of the integrity or
of information content of data and programmes. 'Deletion' of data
is the equivalent of the destruction of a corporeal thing. It destroys
them and makes them unrecognisable. Suppressing of computer data means
any action that prevents or terminates the availability of the data
to the person who has access to the computer or the data carrier on
which it was stored. The term 'alteration' means the modification
of existing data. The input of malicious codes, such as viruses and
Trojan horses, is, therefore, covered under this paragraph, as is the
resulting modification of the data.
Article 5 - System interference
- Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic
law, when committed intentionally, the serious hindering
without right of the functioning of a computer system by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing
computer data.
This is referred to in Recommendation No. R (89) 9 as computer
sabotage. The provision aims at criminalising the intentional
hindering of the lawful use of computer systems including telecommunications
facilities by using or influencing computer data. The protected legal
interest is the interest of operators and users of computer or telecommunication
systems being able to have them function properly. The text is formulated
in a neutral way so that all kinds of functions can be protected by
it.
The term "hindering" refers to actions that interfere with the proper
functioning of the computer system. Such hindering must take place
by inputting, transmitting, damaging, deleting, altering or suppressing
computer data.
The hindering must furthermore be "serious" in order to give rise
to criminal sanction. Each Party shall determine for itself what criteria
must be fulfilled in order for the hindering to be considered "serious".
For example, a Party may require a minimum amount of damage to be
caused in order for the hindering to be considered serious. The drafters
considered as "serious" the sending of data to a particular system
in such a form, size or frequency that it has a significant detrimental
effect on the ability of the owner or operator to use the system,
or to communicate with other systems (e.g., by means of programs that
generate "denial of service" attacks, malicious codes such as viruses
that prevent or substantially slow the operation of the system, or
programs that send huge quantities of electronic mail to a recipient
in order to block the communications functions of the system).
Article 6 - Misuse of devices
- Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic
law, when committed intentionally and without right:
  - the production, sale, procurement for use, import, distribution
  or otherwise making available of:
    - a device, including a computer program, designed or adapted
    primarily for the purpose of committing any of the offences
    established in accordance with the above Articles 2 through 5;
    - a computer password, access code, or similar data by which
    the whole or any part of a computer system is capable
    of being accessed, with intent that it be used for the
    purpose of committing any of the offences established
    in Articles 2 through 5; and
  - the possession of an item referred to in paragraphs a.i or ii
  above, with intent that it be used for the purpose of committing
  any of the offences established in Articles 2 through 5. A
  Party may require by law that a number of such items be possessed
  before criminal liability attaches.
- This article shall not be interpreted as imposing criminal liability
where the production, sale, procurement for use, import, distribution
or otherwise making available or possession referred to in paragraph
1 of this article is not for the purpose of committing
an offence established in accordance with Articles 2
through 5 of this Convention, such as for the authorised testing
or protection of a computer system.
- Each Party may reserve the right not to apply paragraph 1 of
this article, provided that the reservation does not
concern the sale, distribution or otherwise making available of
the items referred to in paragraph 1 a.ii of this article.
This provision establishes as a separate and independent criminal
offence the intentional commission of specific illegal acts regarding
certain devices or access data to be misused for the purpose of committing
the above-described offences against the confidentiality, the integrity
and availability of computer systems or data. As the commission of
these offences often requires the possession of means of access ("hacker
tools") or other tools, there is a strong incentive to acquire them
for criminal purposes which may then lead to the creation of a kind
of black market in their production and distribution. To combat such
dangers more effectively, the criminal law should prohibit specific
potentially dangerous acts at the source, preceding the commission
of offences under Articles 2 - 5. In this respect the provision builds
upon recent developments inside the Council of Europe (European Convention
on the legal protection of services based on, or consisting of, conditional
access - ETS N° 178) and the European Union (Directive 98/84/EC of
the European Parliament and of the Council of 20 November 1998 on
the legal protection of services based on, or consisting of, conditional
access) and relevant provisions in some countries.
Paragraph 1(a)1 criminalises the production, sale, procurement for
use, import, distribution or otherwise making available of a device,
including a computer programme, designed or adapted primarily for
the purpose of committing any of the offences established in Articles
2-5 of the present Convention. 'Distribution' refers to the active
act of forwarding data to others, while 'making available' refers
to the placing of devices online for the use of others. This term also
intends to cover the creation or compilation of hyperlinks in order
to facilitate access to such devices. The inclusion of a 'computer
program' refers to programs that are for example designed to alter
or even destroy data or interfere with the operation of systems, such
as virus programs, or programs designed or adapted to gain access
to computer systems. Paragraph 1(b) creates the offence of possessing
the items set out in paragraph 1(a)1 or 1(a)2. Parties are permitted,
by the last phrase of paragraph 1(b), to require by law that a number
of such items be possessed. The number of items possessed goes directly
to proving criminal intent. It is up to each Party to decide the number
of items required before criminal liability attaches.
- Establishing criminal offences under the national
laws: draft versions of EICAR
Some criminal offences in connection with computer viruses, e.g. data
interference or system interference, have already been established
and covered by most of the national laws of the Parties signing the
Convention.
EICAR primarily intends to draft legal norms for acts that have not yet
been established as criminal offences under (most of) the domestic laws
of the Parties. The (illegal) acts in regard to computer viruses
contained in Article 6 require no damage to be caused as a result of
the act; they are potentially dangerous acts which should be
criminalised by the national laws in order to prevent the
commission/occurrence of other criminal offences causing
considerable damage, e.g. data/system interference.
Possible legal norms drafted by EICAR:
- Reservation
Article 6 does not oblige the Parties to criminalise the commission
of specific acts in connection with computer viruses. The Parties
may reserve the right not to apply paragraph 1 of Article 6, provided
that the reservation does not concern the sale, distribution or otherwise
making available of the items referred to in paragraph 1 a.ii of this
Article (Hacking; hacking tools: "a computer password, access code,
or similar data by which the whole or any part of a computer system
is capable of being accessed").
- "Lightweight version"
Misuse of devices
Any person who intentionally and without right
sells, procures for use, imports, distributes or otherwise makes available
a device, including a computer program, designed or adapted primarily
for the purpose of committing any of the offences (relevant criminal
offences laid down by national laws/Criminal Code!) contained in.....,
OR
[instead of listing each offence/citing the relevant Articles, the
provision may be worded as a general characterisation of criminal
offences in connection with computer viruses:]
sells, procures for use, imports, distributes or otherwise makes
available a device, including a computer program, designed or adapted
primarily for the purpose of spying out, damaging, deleting,
deteriorating, altering or suppressing data or computer programmes
with the intent that it be used for the purpose of committing any
of the above-mentioned offences
shall be guilty of an offence and shall be liable on conviction to
a fine not exceeding € ..... or to imprisonment for a term not
exceeding ...... years.
(Spying out: e.g. a possible extension allowed by the Explanatory
Report of the Convention. It concerns Trojan horses and Spoofs.)
- "Middleweight version"
Misuse of devices
Any person who intentionally and without right
produces, advertises, offers for sale, sells, procures
for use, imports, distributes or otherwise makes available a device,
including a computer program, designed or adapted primarily for the
purpose of committing any of the offences (relevant criminal
offences laid down by national laws/Criminal Code!) contained
in.....,
with the intent that it be used for the purpose of committing any
of the above-mentioned offences
shall be guilty of an offence and shall be liable on conviction to
a fine not exceeding €..... or to imprisonment for a term not exceeding
...... years.
- "Heavyweight version"
Misuse of devices
Any person who intentionally and without right
produces, provides instructions for the production of, distributes
or makes available tools enabling the production of
OR
possesses, advertises, offers for sale, sells, procures for use,
imports, distributes or otherwise makes available a device, including
a computer program or any component thereof, designed or adapted
primarily for the purpose of committing any of the offences (relevant
criminal offences laid down by national laws/Criminal Code!)
contained in.....,
with the intent that it be used for the purpose of committing any
of the above-mentioned offences
shall be guilty of an offence and shall be liable on conviction to
a fine not exceeding € .... or to imprisonment for a term not exceeding
...... years.
Qualifying circumstance to offences in connection with computer viruses:
If any damage is caused as a result of an offence under this section,
a person convicted of the offence shall be liable to a fine not exceeding
€ .... or to imprisonment for a term not exceeding ...... years
or to both.