Budapest Convention on Cybercrime
I. The Convention and its Explanatory Report have been adopted by the Committee of Ministers of the Council of Europe at its 109th Session (8 November 2001) and the Convention has been opened for signature in Budapest, on 23 November 2001, on the issue of the International Conference on Cyber-crime.
II. The text of this explanatory report does not constitute an instrument providing an authoritative interpretation of the Convention, although it might be of such a nature as to facilitate the application of the provisions contained therein.
I. Introduction
1. The revolution in information technologies has changed society fundamentally and will probably continue to do so in the foreseeable future. Many tasks have become easier to handle. Where originally only some specific sectors of society had rationalised their working procedures with the help of information technology, now hardly any sector of society has remained unaffected. Information technology has in one way or the other pervaded almost every aspect of human activities.
2. A conspicuous feature of information technology is the impact it has had and will have on the evolution of telecommunications technology. Classical telephony, involving the transmission of human voice, has been overtaken by the exchange of vast amounts of data, comprising voice, text, music and static and moving pictures. This exchange no longer occurs only between human beings, but also between human beings and computers, and between computers themselves. Circuit-switched connections have been replaced by packet-switched networks. It is no longer relevant whether a direct connection can be established; it suffices that data is entered into a network with a destination address or made available for anyone who wants to access it.
3. The pervasive use of electronic mail and the accessing through the Internet of numerous web sites are examples of these developments. They have changed our society profoundly.
4. The ease of accessibility and searchability of information contained in computer systems, combined with the practically unlimited possibilities for its exchange and dissemination, regardless of geographical distances, has lead to an explosive growth in the amount of information available and the knowledge that can be drawn there from.
5. These developments have given rise to an unprecedented economic and social changes, but they also have a dark side: the emergence of new types of crime as well as the commission of traditional crimes by means of new technologies. Moreover, the consequences of criminal behaviour can be more far-reaching than before because they are not restricted by geographical limitations or national boundaries. The recent spread of detrimental computer viruses all over the world has provided proof of this reality. Technical measures to protect computer systems need to be implemented concomitantly with legal measures to prevent and deter criminal behaviour.
6. The new technologies challenge existing legal concepts. Information and communications flow more easily around the world. Borders are no longer boundaries to this flow. Criminals are increasingly located in places other than where their acts produce their effects. However, domestic laws are generally confined to a specific territory. Thus solutions to the problems posed must be addressed by international law, necessitating the adoption of adequate international legal instruments. The present Convention aims to meet this challenge, with due respect to human rights in the new Information Society.
II. The preparatory work
7. By decision CDPC/103/211196, the European Committee on Crime Problems (CDPC) decided in November 1996 to set up a committee of experts to deal with cyber-crime. The CDPC based its decision on the following rationale:
8. “The fast developments in the field of information technology have a direct bearing on all sections of modern society. The integration of telecommunication and information systems, enabling the storage and transmission, regardless of distance, of all kinds of communication opens a whole range of new possibilities. These developments were boosted by the emergence of information super-highways and networks, including the Internet, through which virtually anybody will be able to have access to any electronic information service irrespective of where in the world he is located. By connecting to communication and information services users create a kind of common space, called “cyber-space”, which is used for legitimate purposes but may also be the subject of misuse. These “cyber-space offences” are either committed against the integrity, availability, and confidentiality of computer systems and telecommunication networks or they consist of the use of such networks of their services to commit traditional offences. The transborder character of such offences, e.g. when committed through the Internet, is in conflict with the territoriality of national law enforcement authorities.
9. The criminal law must therefore keep abreast of these technological developments which offer highly sophisticated opportunities for misusing facilities of the cyber-space and causing damage to legitimate interests. Given the cross-border nature of information networks, a concerted international effort is needed to deal with such misuse. Whilst Recommendation No. (89) 9 resulted in the approximation of national concepts regarding certain forms of computer misuse, only a binding international instrument can ensure the necessary efficiency in the fight against these new phenomena. In the framework of such an instrument, in addition to measures of international co-operation, questions of substantive and procedural law, as well as matters that are closely connected with the use of information technology, should be addressed.”
10. In addition, the CDPC took into account the Report, prepared – at its request – by Professor H.W.K. Kaspersen, which concluded that ” … it should be looked to another legal instrument with more engagement than a Recommendation, such as a Convention. Such a Convention should not only deal with criminal substantive law matters, but also with criminal procedural questions as well as with international criminal law procedures and agreements.” (1) A similar conclusion emerged already from the Report attached to Recommendation N° R (89) 9 (2) concerning substantive law and from Recommendation N° R (95) 13 (3) concerning problems of procedural law connected with information technology.
11. The new committee’s specific terms of reference were as follows:
i. “Examine, in the light of Recommendations No R (89) 9 on computer-related crime and No R (95) 13 concerning problems of criminal procedural law connected with information technology, in particular the following subjects:
ii. cyber-space offences, in particular those committed through the use of telecommunication networks, e.g. the Internet, such as illegal money transactions, offering illegal services, violation of copyright, as well as those which violate human dignity and the protection of minors;
iii. other substantive criminal law issues where a common approach may be necessary for the purposes of international co-operation such as definitions, sanctions and responsibility of the actors in cyber-space, including Internet service providers;
iv. the use, including the possibility of transborder use, and the applicability of coercive powers in a technological environment, e.g. interception of telecommunications and electronic surveillance of information networks, e.g. via the Internet, search and seizure in information-processing systems (including Internet sites), rendering illegal material inaccessible and requiring service providers to comply with special obligations, taking into account the problems caused by particular measures of information security, e.g. encryption;
v. the question of jurisdiction in relation to information technology offences, e.g. to determine the place where the offence was committed (locus delicti) and which law should accordingly apply, including the problem of ne bis idem in the case of multiple jurisdictions and the question how to solve positive jurisdiction conflicts and how to avoid negative jurisdiction conflicts;
vi. questions of international co-operation in the investigation of cyber-space offences, in close co-operation with the Committee of Experts on the Operation of European Conventions in the Penal Field (PC-OC).
The Committee should draft a binding legal instrument, as far as possible, on the items i) – v), with particular emphasis on international questions and, if appropriate, accessory recommendations regarding specific issues. The Committee may make suggestions on other issues in the light of technological developments.”
12. Further to the CDPC’s decision, the Committee of Ministers set up the new committee, called “the Committee of Experts on Crime in Cyber-space (PC-CY)” by decision n° CM/Del/Dec(97)583, taken at the 583rd meeting of the Ministers’ Deputies (held on 4 February 1997). The Committee PC-CY started its work in April 1997 and undertook negotiations on a draft international convention on cyber-crime. Under its original terms of reference, the Committee was due to finish its work by 31 December 1999. Since by that time the Committee was not yet in a position to fully conclude its negotiations on certain issues in the draft Convention, its terms of reference were extended by decision n° CM/Del/Dec(99)679 of the Ministers’ Deputies until 31 December 2000. The European Ministers of Justice expressed their support twice concerning the negotiations: by Resolution No. 1, adopted at their 21st Conference (Prague, June 1997), which recommended the Committee of Ministers to support the work carried out by the CDPC on cyber-crime in order to bring domestic criminal law provisions closer to each other and enable the use of effective means of investigation concerning such offences, as well as by Resolution N° 3, adopted at the 23rd Conference of the European Ministers of Justice (London, June 2000), which encouraged the negotiating parties to pursue their efforts with a view to finding appropriate solutions so as to enable the largest possible number of States to become parties to the Convention and acknowledged the need for a swift and efficient system of international co-operation, which duly takes into account the specific requirements of the fight against cyber-crime. The member States of the European Union expressed their support to the work of the PC-CY through a Joint Position, adopted in May 1999.
13. Between April 1997 and December 2000, the Committee PC-CY held 10 meetings in plenary and 15 meetings of its open-ended Drafting Group. Following the expiry of its extended terms of reference, the experts held, under the aegis of the CDPC, three more meetings to finalise the draft Explanatory Memorandum and review the draft Convention in the light of the opinion of the Parliamentary Assembly. The Assembly was requested by the Committee of Ministers in October 2000 to give an opinion on the draft Convention, which it adopted at the 2nd part of its plenary session in April 2001.
14. Following a decision taken by the Committee PC-CY, an early version of the draft Convention was declassified and released in April 2000, followed by subsequent drafts released after each plenary meeting, in order to enable the negotiating States to consult with all interested parties. This consultation process proved useful.
15. The revised and finalised draft Convention and its Explanatory Memorandum were submitted for approval to the CDPC at its 50th plenary session in June 2001, following which the text of the draft Convention was submitted to the Committee of Ministers for adoption and opening for signature.
III. The Convention
16. The Convention aims principally at (1) harmonising the domestic criminal substantive law elements of offences and connected provisions in the area of cyber-crime (2) providing for domestic criminal procedural law powers necessary for the investigation and prosecution of such offences as well as other offences committed by means of a computer system or evidence in relation to which is in electronic form (3) setting up a fast and effective regime of international co-operation.
17. The Convention, accordingly, contains four chapters: (I) Use of terms; (II) Measures to be taken at domestic level – substantive law and procedural law; (III) International co-operation; (IV) Final clauses.
18. Section 1 of Chapter II (substantive law issues) covers both criminalisation provisions and other connected provisions in the area of computer- or computer-related crime: it first defines 9 offences grouped in 4 different categories, then deals with ancillary liability and sanctions. The following offences are defined by the Convention: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright and neighbouring rights.
19. Section 2 of Chapter II (procedural law issues) – the scope of which goes beyond the offences defined in Section 1 in that it applies to any offence committed by means of a computer system or the evidence of which is in electronic form – determines first the common conditions and safeguards, applicable to all procedural powers in this Chapter. It then sets out the following procedural powers: expedited preservation of stored data; expedited preservation and partial disclosure of traffic data; production order; search and seizure of computer data; real-time collection of traffic data; interception of content data. Chapter II ends with the jurisdiction provisions.
20. Chapter III contains the provisions concerning traditional and computer crime-related mutual assistance as well as extradition rules. It covers traditional mutual assistance in two situations: where no legal basis (treaty, reciprocal legislation, etc.) exists between parties – in which case its provisions apply – and where such a basis exists – in which case the existing arrangements also apply to assistance under this Convention. Computer- or computer-related crime specific assistance applies to both situations and covers, subject to extra-conditions, the same range of procedural powers as defined in Chapter II. In addition, Chapter III contains a provision on a specific type of transborder access to stored computer data which does not require mutual assistance (with consent or where publicly available) and provides for the setting up of a 24/7 network for ensuring speedy assistance among the Parties.
21. Finally, Chapter IV contains the final clauses, which – with certain exceptions – repeat the standard provisions in Council of Europe treaties.
Commentary on the articles of the Convention
Chapter I – Use of terms
Introduction to the definitions at Article 1
22. It was understood by the drafters that under this Convention Parties would not be obliged to copy verbatim into their domestic laws the four concepts defined in Article 1, provided that these laws cover such concepts in a manner consistent with the principles of the Convention and offer an equivalent framework for its implementation.
Article 1 (a) – Computer system
23. A computer system under the Convention is a device consisting of hardware and software developed for automatic processing of digital data. It may include input, output, and storage facilities. It may stand alone or be connected in a network with other similar devices “Automatic” means without direct human intervention, “processing of data” means that data in the computer system is operated by executing a computer program. A “computer program” is a set of instructions that can be executed by the computer to achieve the intended result. A computer can run different programs. A computer system usually consists of different devices, to be distinguished as the processor or central processing unit, and peripherals. A “peripheral” is a device that performs certain specific functions in interaction with the processing unit, such as a printer, video screen, CD reader/writer or other storage device.
24. A network is an interconnection between two or more computer systems. The connections may be earthbound (e.g., wire or cable), wireless (e.g., radio, infrared, or satellite), or both. A network may be geographically limited to a small area (local area networks) or may span a large area (wide area networks), and such networks may themselves be interconnected. The Internet is a global network consisting of many interconnected networks, all using the same protocols. Other types of networks exist, whether or not connected to the Internet, able to communicate computer data among computer systems. Computer systems may be connected to the network as endpoints or as a means to assist in communication on the network. What is essential is that data is exchanged over the network.
Article 1 (b) – Computer data
25. The definition of computer data builds upon the ISO-definition of data. This definition contains the terms “suitable for processing”. This means that data is put in such a form that it can be directly processed by the computer system. In order to make clear that data in this Convention has to be understood as data in electronic or other directly processable form, the notion ” computer data” is introduced. Computer data that is automatically processed may be the target of one of the criminal offences defined in this Convention as well as the object of the application of one of the investigative measures defined by this Convention.
Article 1 (c) – Service provider
26. The term “service provider” encompasses a broad category of persons that play a particular role with regard to communication or processing of data on computer systems (cf. also comments on Section 2). Under (i) of the definition, it is made clear that both public and private entities which provide users the ability to communicate with one another are covered. Therefore, it is irrelevant whether the users form a closed group or whether the provider offers its services to the public, whether free of charge or for a fee. The closed group can be e.g. the employees of a private enterprise to whom the service is offered by a corporate network.
27. Under (ii) of the definition, it is made clear that the term “service provider” also extends to those entities that store or otherwise process data on behalf of the persons mentioned under (i). Further, the term includes those entities that store or otherwise process data on behalf of the users of the services of those mentioned under (i). For example, under this definition, a service provider includes both services that provide hosting and caching services as well as services that provide a connection to a network. However, a mere provider of content (such as a person who contracts with a web hosting company to host his web site) is not intended to be covered by this definition if such content provider does not also offer communication or related data processing services.
Article 1 (d) – Traffic data
28. For the purposes of this Convention traffic data as defined in article 1, under subparagraph d., is a category of computer data that is subject to a specific legal regime. This data is generated by computers in the chain of communication in order to route a communication from its origin to its destination. It is therefore auxiliary to the communication itself.
29. In case of an investigation of a criminal offence committed in relation to a computer system, traffic data is needed to trace the source of a communication as a starting point for collecting further evidence or as part of the evidence of the offence. Traffic data might last only ephemerally, which makes it necessary to order its expeditious preservation. Consequently, its rapid disclosure may be necessary to discern the communication’s route in order to collect further evidence before it is deleted or to identify a suspect. The ordinary procedure for the collection and disclosure of computer data might therefore be insufficient. Moreover, the collection of this data is regarded in principle to be less intrusive since as such it doesn’t reveal the content of the communication which is regarded to be more sensitive.
30. The definition lists exhaustively the categories of traffic data that are treated by a specific regime in this Convention: the origin of a communication, its destination, route, time (GMT), date, size, duration and type of underlying service. Not all of these categories will always be technically available, capable of being produced by a service provider, or necessary for a particular criminal investigation. The “origin” refers to a telephone number, Internet Protocol (IP) address, or similar identification of a communications facility to which a service provider renders services. The “destination” refers to a comparable indication of a communications facility to which communications are transmitted. The term “type of underlying service” refers to the type of service that is being used within the network, e.g., file transfer, electronic mail, or instant messaging.
31. The definition leaves to national legislatures the ability to introduce differentiation in the legal protection of traffic data in accordance with its sensitivity. In this context, Article 15 obliges the Parties to provide for conditions and safeguards that are adequate for protection of human rights and liberties. This implies, inter alia, that the substantive criteria and the procedure to apply an investigative power may vary according to the sensitivity of the data.
Chapter II – Measures to be taken at the national level
32. Chapter II (Articles 2 – 22) contains three sections: substantive criminal law (Articles 2 – 13), procedural law (Articles 14 – 21) and jurisdiction (Article 22).
Section 1 – Substantive criminal law
33. The purpose of Section 1 of the Convention (Articles 2 – 13) is to improve the means to prevent and suppress computer- or computer – related crime by establishing a common minimum standard of relevant offences. This kind of harmonisation alleviates the fight against such crimes on the national and on the international level as well. Correspondence in domestic law may prevent abuses from being shifted to a Party with a previous lower standard. As a consequence, the exchange of useful common experiences in the practical handling of cases may be enhanced, too. International co-operation (esp. extradition and mutual legal assistance) is facilitated e.g. regarding requirements of double criminality.
34. The list of offences included represents a minimum consensus not excluding extensions in domestic law. To a great extent it is based on the guidelines developed in connection with Recommendation No. R (89) 9 of the Council of Europe on computer-related crime and on the work of other public and private international organisations (OECD, UN, AIDP), but taking into account more modern experiences with abuses of expanding telecommunication networks.
35. The section is divided into five titles. Title 1 includes the core of computer-related offences, offences against the confidentiality, integrity and availability of computer data and systems, representing the basic threats, as identified in the discussions on computer and data security to which electronic data processing and communicating systems are exposed. The heading describes the type of crimes which are covered, that is the unauthorised access to and illicit tampering with systems, programmes or data. Titles 2 – 4 include other types of ‘computer-related offences’, which play a greater role in practice and where computer and telecommunication systems are used as a means to attack certain legal interests which mostly are protected already by criminal law against attacks using traditional means. The Title 2 offences (computer-related fraud and forgery) have been added by following suggestions in the guidelines of the Council of Europe Recommendation No. R (89) 9. Title 3 covers the ‘content-related offences of unlawful production or distribution of child pornography by use of computer systems as one of the most dangerous modi operandi in recent times. The committee drafting the Convention discussed the possibility of including other content-related offences, such as the distribution of racist propaganda through computer systems. However, the committee was not in a position to reach consensus on the criminalisation of such conduct. While there was significant support in favour of including this as a criminal offence, some delegations expressed strong concern about including such a provision on freedom of expression grounds. Noting the complexity of the issue, it was decided that the committee would refer to the European Committee on Crime Problems (CDPC) the issue of drawing up an additional Protocol to the present Convention.
Title 4 sets out ‘offences related to infringements of copyright and related rights’. This was included in the Convention because copyright infringements are one of the most widespread forms of computer- or computer-related crime and its escalation is causing international concern. Finally, Title 5 includes additional provisions on attempt, aiding and abetting and sanctions and measures, and, in compliance with recent international instruments, on corporate liability.
36. Although the substantive law provisions relate to offences using information technology, the Convention uses technology-neutral language so that the substantive criminal law offences may be applied to both current and future technologies involved.
37. The drafters of the Convention understood that Parties may exclude petty or insignificant misconduct from implementation of the offences defined in Articles 2-10.
38. A specificity of the offences included is the express requirement that the conduct involved is done “without right”. It reflects the insight that the conduct described is not always punishable per se, but may be legal or justified not only in cases where classical legal defences are applicable, like consent, self defence or necessity, but where other principles or interests lead to the exclusion of criminal liability. The expression ‘without right’ derives its meaning from the context in which it is used. Thus, without restricting how Parties may implement the concept in their domestic law, it may refer to conduct undertaken without authority (whether legislative, executive, administrative, judicial, contractual or consensual) or conduct that is otherwise not covered by established legal defences, excuses, justifications or relevant principles under domestic law. The Convention, therefore, leaves unaffected conduct undertaken pursuant to lawful government authority (for example, where the Party’s government acts to maintain public order, protect national security or investigate criminal offences). Furthermore, legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices should not be criminalised. Specific examples of such exceptions from criminalisation are provided in relation to specific offences in the corresponding text of the Explanatory Memorandum below. It is left to the Parties to determine how such exemptions are implemented within their domestic legal systems (under criminal law or otherwise).
39. All the offences contained in the Convention must be committed “intentionally” for criminal liability to apply. In certain cases an additional specific intentional element forms part of the offence. For instance, in Article 8 on computer-related fraud, the intent to procure an economic benefit is a constituent element of the offence. The drafters of the Convention agreed that the exact meaning of ‘intentionally’ should be left to national interpretation.
40. Certain articles in the section allow the addition of qualifying circumstances when implementing the Convention in domestic law. In other instances even the possibility of a reservation is granted (cf. Articles 40 and 42). These different ways of a more restrictive approach in criminalisation reflect different assessments of the dangerousness of the behaviour involved or of the need to use criminal law as a countermeasure. This approach provides flexibility to governments and parliaments in determining their criminal policy in this area.
41. Laws establishing these offences should be drafted with as much clarity and specificity as possible, in order to provide adequate foreseeability of the type of conduct that will result in a criminal sanction.
42. In the course of the drafting process, the drafters considered the advisability of criminalising conduct other than those defined at Articles 2 – 11, including the so-called cyber-squatting, i.e. the fact of registering a domain-name which is identical either to the name of an entity that already exists and is usually well-known or to the trade-name or trademark of a product or company. Cyber-squatters have no intent to make an active use of the domain-name and seek to obtain a financial advantage by forcing the entity concerned, even though indirectly, to pay for the transfer of the ownership over the domain-name. At present this conduct is considered as a trademark-related issue. As trademark violations are not governed by this Convention, the drafters did not consider it appropriate to deal with the issue of criminalisation of such conduct.
Title 1 – Offences against the confidentiality, integrity and availability
of computer data and systems
43. The criminal offences defined under (Articles 2-6) are intended to protect the confidentiality, integrity and availability of computer systems or data and not to criminalise legitimate and common activities inherent in the design of networks, or legitimate and common operating or commercial practices.
Illegal access (Article 2)
44. “Illegal access” covers the basic offence of dangerous threats to and attacks against the security (i.e. the confidentiality, integrity and availability) of computer systems and data. The need for protection reflects the interests of organisations and individuals to manage, operate and control their systems in an undisturbed and uninhibited manner. The mere unauthorised intrusion, i.e. “hacking”, “cracking” or “computer trespass” should in principle be illegal in itself. It may lead to impediments to legitimate users of systems and data and may cause alteration or destruction with high costs for reconstruction. Such intrusions may give access to confidential data (including passwords, information about the targeted system) and secrets, to the use of the system without payment or even encourage hackers to commit more dangerous forms of computer-related offences, like computer-related fraud or forgery.
45. The most effective means of preventing unauthorised access is, of course, the introduction and development of effective security measures. However, a comprehensive response has to include also the threat and use of criminal law measures. A criminal prohibition of unauthorised access is able to give additional protection to the system and the data as such and at an early stage against the dangers described above.
46. “Access” comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). However, it does not include the mere sending of an e-mail message or file to that system. “Access” includes the entering of another computer system, where it is connected via public telecommunication networks, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication (e.g. from a distance, including via wireless links or at a close range) does not matter.
47. The act must also be committed ‘without right’. In addition to the explanation given above on this expression, it means that there is no criminalisation of the access authorised by the owner or other right holder of the system or part of it (such as for the purpose of authorised testing or protection of the computer system concerned). Moreover, there is no criminalisation for accessing a computer system that permits free and open access by the public, as such access is “with right.”
48. The application of specific technical tools may result in an access under Article 2, such as the access of a web page, directly or through hypertext links, including deep-links or the application of ‘cookies’ or ‘bots’ to locate and retrieve information on behalf of communication. The application of such tools per se is not ‘without right’. The maintenance of a public web site implies consent by the web site-owner that it can be accessed by any other web-user. The application of standard tools provided for in the commonly applied communication protocols and programs, is not in itself ‘without right’, in particular where the rightholder of the accessed system can be considered to have accepted its application, e.g. in the case of ‘cookies’ by not rejecting the initial instalment or not removing it.
49. Many national legislations already contain provisions on “hacking” offences, but the scope and constituent elements vary considerably. The broad approach of criminalisation in the first sentence of Article 2 is not undisputed. Opposition stems from situations where no dangers were created by the mere intrusion or where even acts of hacking have led to the detection of loopholes and weaknesses of the security of systems. This has led in a range of countries to a narrower approach requiring additional qualifying circumstances which is also the approach adopted by Recommendation N° (89) 9 and the proposal of the OECD Working Party in 1985.
50. Parties can take the wide approach and criminalise mere hacking in accordance with the first sentence of Article 2. Alternatively, Parties can attach any or all of the qualifying elements listed in the second sentence: infringing security measures, special intent to obtain computer data, other dishonest intent that justifies criminal culpability, or the requirement that the offence is committed in relation to a computer system that is connected remotely to another computer system. The last option allows Parties to exclude the situation where a person physically accesses a stand-alone computer without any use of another computer system. They may restrict the offence to illegal access to networked computer systems (including public networks provided by telecommunication services and private networks, such as Intranets or Extranets).
Illegal interception (Article 3)
51. This provision aims to protect the right of privacy of data communication. The offence represents the same violation of the privacy of communications as traditional tapping and recording of oral telephone conversations between persons. The right to privacy of correspondence is enshrined in Article 8 of the European Convention on Human Rights. The offence established under Article 3 applies this principle to all forms of electronic data transfer, whether by telephone, fax, e-mail or file transfer.
52. The text of the provision has been mainly taken from the offence of ‘unauthorised interception’ contained in Recommendation (89) 9. In the present Convention it has been made clear that the communications involved concern “transmissions of computer data” as well as electromagnetic radiation, under the circumstances as explained below.
53. Interception by ‘technical means’ relates to listening to, monitoring or surveillance of the content of communications, to the procuring of the content of data either directly, through access and use of the computer system, or indirectly, through the use of electronic eavesdropping or tapping devices. Interception may also involve recording. Technical means includes technical devices fixed to transmission lines as well as devices to collect and record wireless communications. They may include the use of software, passwords and codes. The requirement of using technical means is a restrictive qualification to avoid over-criminalisation.
54. The offence applies to ‘non-public’ transmissions of computer data. The term ‘non-public’ qualifies the nature of the transmission (communication) process and not the nature of the data transmitted. The data communicated may be publicly available information, but the parties wish to communicate confidentially. Or data may be kept secret for commercial purposes until the service is paid, as in Pay-TV. Therefore, the term ‘non-public’ does not per se exclude communications via public networks. Communications of employees, whether or not for business purposes, which constitute “non-public transmissions of computer data” are also protected against interception without right under Article 3 (see e.g. ECHR Judgement in Halford v. UK case, 25 June 1997, 20605/92).
55. The communication in the form of transmission of computer data can take place inside a single computer system (flowing from CPU to screen or printer, for example), between two computer systems belonging to the same person, two computers communicating with one another, or a computer and a person (e.g. through the keyboard). Nonetheless, Parties may require as an additional element that the communication be transmitted between computer systems remotely connected.
56. It should be noted that the fact that the notion of ‘computer system’ may also encompass radio connections does not mean that a Party is under an obligation to criminalise the interception of any radio transmission which, even though ‘non-public’, takes place in a relatively open and easily accessible manner and therefore can be intercepted, for example by radio amateurs.
57. The creation of an offence in relation to ‘electromagnetic emissions’ will ensure a more comprehensive scope. Electromagnetic emissions may be emitted by a computer during its operation. Such emissions are not considered as ‘data’ according to the definition provided in Article 1. However, data can be reconstructed from such emissions. Therefore, the interception of data from electromagnetic emissions from a computer system is included as an offence under this provision.
58. For criminal liability to attach, the illegal interception must be committed “intentionally”, and “without right”. The act is justified, for example, if the intercepting person has the right to do so, if he acts on the instructions or by authorisation of the participants of the transmission (including authorised testing or protection activities agreed to by the participants), or if surveillance is lawfully authorised in the interests of national security or the detection of offences by investigating authorities. It was also understood that the use of common commercial practices, such as employing ‘cookies’, is not intended to be criminalised as such, as not being an interception “without right”. With respect to non-public communications of employees protected under Article 3 (see above paragraph 54), domestic law may provide a ground for legitimate interception of such communications. Under Article 3, interception in such circumstances would be considered as undertaken “with right”.
59. In some countries, interception may be closely related to the offence of unauthorised access to a computer system. In order to ensure consistency of the prohibition and application of the law, countries that require dishonest intent, or that the offence be committed in relation to a computer system that is connected to another computer system in accordance with Article 2, may also require similar qualifying elements to attach criminal liability in this article. These elements should be interpreted and applied in conjunction with the other elements of the offence, such as “intentionally” and “without right”.
Data interference (Article 4)
60. The aim of this provision is to provide computer data and computer programs with protection similar to that enjoyed by corporeal objects against intentional infliction of damage. The protected legal interest here is the integrity and the proper functioning or use of stored computer data or computer programs.
61. In paragraph 1, ‘damaging’ and ‘deteriorating’ as overlapping acts relate in particular to a negative alteration of the integrity or of information content of data and programmes. ‘Deletion’ of data is the equivalent of the destruction of a corporeal thing. It destroys them and makes them unrecognisable. Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored. The term ‘alteration’ means the modification of existing data. The input of malicious codes, such as viruses and Trojan horses is, therefore, covered under this paragraph, as is the resulting modification of the data.
62. The above acts are only punishable if committed “without right”. Common activities inherent in the design of networks or common operating or commercial practices, such as, for example, for the testing or protection of the security of a computer system authorised by the owner or operator, or the reconfiguration of a computer’s operating system that takes place when the operator of a system acquires new software (e.g., software permitting access to the Internet that disables similar, previously installed programs), are with right and therefore are not criminalised by this article. The modification of traffic data for the purpose of facilitating anonymous communications (e.g., the activities of anonymous remailer systems), or the modification of data for the purpose of secure communications (e.g. encryption), should in principle be considered a legitimate protection of privacy and, therefore, be considered as being undertaken with right. However, Parties may wish to criminalise certain abuses related to anonymous communications, such as where the packet header information is altered in order to conceal the identity of the perpetrator in committing a crime.
63. In addition, the offender must have acted “intentionally”.
64. Paragraph 2 allows Parties to enter a reservation concerning the offence in that they may require that the conduct result in serious harm. The interpretation of what constitutes such serious harm is left to domestic legislation, but Parties should notify the Secretary General of the Council of Europe of their interpretation if use is made of this reservation possibility.
System interference (Article 5)
65. This is referred to in Recommendation No. (89) 9 as computer sabotage. The provision aims at criminalising the intentional hindering of the lawful use of computer systems including telecommunications facilities by using or influencing computer data. The protected legal interest is the interest of operators and users of computer or telecommunication systems being able to have them function properly. The text is formulated in a neutral way so that all kinds of functions can be protected by it.
66. The term “hindering” refers to actions that interfere with the proper functioning of the computer system. Such hindering must take place by inputting, transmitting, damaging, deleting, altering or suppressing computer data.
67. The hindering must furthermore be “serious” in order to give rise to criminal sanction. Each Party shall determine for itself what criteria must be fulfilled in order for the hindering to be considered “serious.” For example, a Party may require a minimum amount of damage to be caused in order for the hindering to be considered serious. The drafters considered as “serious” the sending of data to a particular system in such a form, size or frequency that it has a significant detrimental effect on the ability of the owner or operator to use the system, or to communicate with other systems (e.g., by means of programs that generate “denial of service” attacks, malicious codes such as viruses that prevent or substantially slow the operation of the system, or programs that send huge quantities of electronic mail to a recipient in order to block the communications functions of the system).
68. The hindering must be “without right”. Common activities inherent in the design of networks, or common operational or commercial practices are with right. These include, for example, the testing of the security of a computer system, or its protection, authorised by its owner or operator, or the reconfiguration of a computer’s operating system that takes place when the operator of a system installs new software that disables similar, previously installed programs. Therefore, such conduct is not criminalised by this article, even if it causes serious hindering.
69. The sending of unsolicited e-mail, for commercial or other purposes, may cause nuisance to its recipient, in particular when such messages are sent in large quantities or with a high frequency (”spamming”). In the opinion of the drafters, such conduct should only be criminalised where the communication is intentionally and seriously hindered. Nevertheless, Parties may have a different approach to hindrance under their law, e.g. by making particular acts of interference administrative offences or otherwise subject to sanction. The text leaves it to the Parties to determine the extent to which the functioning of the system should be hindered – partially or totally, temporarily or permanently – to reach the threshold of harm that justifies sanction, administrative or criminal, under their law.
70. The offence must be committed intentionally, that is the perpetrator must have the intent to seriously hinder.
Misuse of devices (Article 6)
71. This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing the above-described offences against the confidentiality, the integrity and availability of computer systems or data. As the commission of these offences often requires the possession of means of access (”hacker tools”) or other tools, there is a strong incentive to acquire them for criminal purposes which may then lead to the creation of a kind of black market in their production and distribution. To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences under Articles 2 – 5. In this respect the provision builds upon recent developments inside the Council of Europe (European Convention on the legal protection of services based on, or consisting of, conditional access – ETS N° 178) and the European Union (Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access) and relevant provisions in some countries. A similar approach has already been taken in the 1929 Geneva Convention on currency counterfeiting.
72. Paragraph 1(a)1 criminalises the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer programme, designed or adapted primarily for the purpose of committing any of the offences established in Articles 2-5 of the present Convention. ‘Distribution’ refers to the active act of forwarding data to others, while ‘making available’ refers to the placing online devices for the use of others. This term also intends to cover the creation or compilation of hyperlinks in order to facilitate access to such devices. The inclusion of a ‘computer program’ refers to programs that are for example designed to alter or even destroy data or interfere with the operation of systems, such as virus programs, or programs designed or adapted to gain access to computer systems.
73. The drafters debated at length whether the devices should be restricted to those which are designed exclusively or specifically for committing offences, thereby excluding dual-use devices. This was considered to be too narrow. It could lead to insurmountable difficulties of proof in criminal proceedings, rendering the provision practically inapplicable or only applicable in rare instances. The alternative to include all devices even if they are legally produced and distributed, was also rejected. Only the subjective element of the intent of committing a computer offence would then be decisive for imposing a punishment, an approach which in the area of money counterfeiting also has not been adopted. As a reasonable compromise the Convention restricts its scope to cases where the devices are objectively designed, or adapted, primarily for the purpose of committing an offence. This alone will usually exclude dual-use devices.
74. Paragraph 1(a)2 criminalises the production, sale, procurement for use, import, distribution or otherwise making available of a computer password, access code or similar data by which the whole or any part of a computer system is capable of being accessed.
75. Paragraph 1(b) creates the offence of possessing the items set out in paragraph 1(a)1 or 1(a)2. Parties are permitted, by the last phrase of paragraph 1(b), to require by law that a number of such items be possessed. The number of items possessed goes directly to proving criminal intent. It is up to each Party to decide the number of items required before criminal liability attaches.
76. The offence requires that it be committed intentionally and without right. In order to avoid the danger of overcriminalisation where devices are produced and put on the market for legitimate purposes, e.g. to counter-attacks against computer systems, further elements are added to restrict the offence. Apart from the general intent requirement, there must be the specific (i.e. direct) intent that the device is used for the purpose of committing any of the offences established in Articles 2-5 of the Convention.
77. Paragraph 2 sets out clearly that those tools created for the authorised testing or the protection of a computer system are not covered by the provision. This concept is already contained in the expression ‘without right’. For example, test-devices (‘cracking-devices’) and network analysis devices designed by industry to control the reliability of their information technology products or to test system security are produced for legitimate purposes, and would be considered to be ‘with right’.
78. Due to different assessments of the need to apply the offence of “Misuse of Devices” to all of the different kinds of computer offences in Articles 2 – 5, paragraph 3 allows, on the basis of a reservation (cf. Article 42), to restrict the offence in domestic law. Each Party is, however, obliged to criminalise at least the sale, distribution or making available of a computer password or access data as described in paragraph 1 (a) 2.
Title 2 – Computer-related offences
79. Articles 7 – 10 relate to ordinary crimes that are frequently committed through the use of a computer system. Most States already have criminalised these ordinary crimes, and their existing laws may or may not be sufficiently broad to extend to situations involving computer networks (for example, existing child pornography laws of some States may not extend to electronic images). Therefore, in the course of implementing these articles, States must examine their existing laws to determine whether they apply to situations in which computer systems or networks are involved. If existing offences already cover such conduct, there is no requirement to amend existing offences or enact new ones.
80. “Computer-related forgery” and “Computer-related fraud” deal with certain computer-related offences, i.e. computer-related forgery and computer-related fraud as two specific kinds of manipulation of computer systems or computer data. Their inclusion acknowledges the fact that in many countries certain traditional legal interests are not sufficiently protected against new forms of interference and attacks.
Computer-related forgery (Article 7)
81. The purpose of this article is to create a parallel offence to the forgery of tangible documents. It aims at filling gaps in criminal law related to traditional forgery, which requires visual readability of statements, or declarations embodied in a document and which does not apply to electronically stored data. Manipulations of such data with evidentiary value may have the same serious consequences as traditional acts of forgery if a third party is thereby misled. Computer-related forgery involves unauthorised creating or altering stored data so that they acquire a different evidentiary value in the course of legal transactions, which relies on the authenticity of information contained in the data, is subject to a deception. The protected legal interest is the security and reliability of electronic data which may have consequences for legal relations.
82. It should be noted that national concepts of forgery vary greatly. One concept is based on the authenticity as to the author of the document, and others are based on the truthfulness of the statement contained in the document. However, it was agreed that the deception as to authenticity refers at minimum to the issuer of the data, regardless of the correctness or veracity of the contents of the data. Parties may go further and include under the term “authentic” the genuineness of the data.
83. This provision covers data which is the equivalent of a public or private document, which has legal effects. The unauthorised “input” of correct or incorrect data brings about a situation that corresponds to the making of a false document. Subsequent alterations (modifications, variations, partial changes), deletions (removal of data from a data medium) and suppression (holding back, concealment of data) correspond in general to the falsification of a genuine document.
84. The term “for legal purposes” refers also to legal transactions and documents which are legally relevant.
85. The final sentence of the provision allows Parties, when implementing the offence in domestic law, to require in addition an intent to defraud, or similar dishonest intent, before criminal liability attaches.
Computer-related fraud (Article 8)
86. With the arrival of the technological revolution the opportunities for committing economic crimes such as fraud, including credit card fraud, have multiplied. Assets represented or administered in computer systems (electronic funds, deposit money) have become the target of manipulations like traditional forms of property. These crimes consist mainly of input manipulations, where incorrect data is fed into the computer, or by programme manipulations and other interferences with the course of data processing. The aim of this article is to criminalise any undue manipulation in the course of data processing with the intention to effect an illegal transfer of property.
87. To ensure that all possible relevant manipulations are covered, the constituent elements of ‘input’, ‘alteration’, ‘deletion’ or ’suppression’ in Article 8(a) are supplemented by the general act of ‘interference with the functioning of a computer programme or system’ in Article 8(b). The elements of ‘input, alteration, deletion or suppression’ have the same meaning as in the previous articles. Article 8(b) covers acts such as hardware manipulations, acts suppressing printouts and acts affecting recording or flow of data, or the sequence in which programs are run.
88. The computer fraud manipulations are criminalised if they produce a direct economic or possessory loss of another person’s property and the perpetrator acted with the intent of procuring an unlawful economic gain for himself or for another person. The term ‘loss of property’, being a broad notion, includes loss of money, tangibles and intangibles with an economic value.
89. The offence must be committed “without right”, and the economic benefit must be obtained without right. Of course, legitimate common commercial practices, which are intended to procure an economic benefit, are not meant to be included in the offence established by this article because they are conducted with right. For example, activities carried out pursuant to a valid contract between the affected persons are with right (e.g. disabling a web site as entitled pursuant to the terms of the contract).
90. The offence has to be committed “intentionally”. The general intent element refers to the computer manipulation or interference causing loss of property to another. The offence also requires a specific fraudulent or other dishonest intent to gain an economic or other benefit for oneself or another. Thus, for example, commercial practices with respect to market competition that may cause an economic detriment to a person and benefit to another, but are not carried out with fraudulent or dishonest intent, are not meant to be included in the offence established by this article. For example, the use of information gathering programs to comparison shop on the Internet (”bots”), even if not authorised by a site visited by the “bot” is not intended to be criminalised.
Title 3 – Content-related offences
Offences related to child pornography (Article 9)
91. Article 9 on child pornography seeks to strengthen protective measures for children, including their protection against sexual exploitation, by modernising criminal law provisions to more effectively circumscribe the use of computer systems in the commission of sexual offences against children.
92. This provision responds to the preoccupation of Heads of State and Government of the Council of Europe, expressed at their 2nd summit (Strasbourg, 10 – 11 October 1997) in their Action Plan (item III.4) and corresponds to an international trend that seeks to ban child pornography, as evidenced by the recent adoption of the Optional Protocol to the UN Convention on the rights of the child, on the sale of children, child prostitution and child pornography and the recent European Commission initiative on combating sexual exploitation of children and child pornography (COM2000/854).
93. This provision criminalises various aspects of the electronic production, possession and distribution of child pornography. Most States already criminalise the traditional production and physical distribution of child pornography, but with the ever-increasing use of the Internet as the primary instrument for trading such material, it was strongly felt that specific provisions in an international legal instrument were essential to combat this new form of sexual exploitation and endangerment of children. It is widely believed that such material and on-line practices, such as the exchange of ideas, fantasies and advice among paedophiles, play a role in supporting, encouraging or facilitating sexual offences against children.
94. Paragraph 1(a) criminalises the production of child pornography for the purpose of distribution through a computer system. This provision was felt necessary to combat the dangers described above at their source.
95. Paragraph 1(b) criminalises the ‘offering’ of child pornography through a computer system. ‘Offering’ is intended to cover soliciting others to obtain child pornography. It implies that the person offering the material can actually provide it. ‘Making available’ is intended to cover the placing of child pornography on line for the use of others e.g. by means of creating child pornography sites. This paragraph also intends to cover the creation or compilation of hyperlinks to child pornography sites in order to facilitate access to child pornography.
96. Paragraph 1(c) criminalises the distribution or transmission of child pornography through a computer system. ‘Distribution’ is the active dissemination of the material. Sending child pornography through a computer system to another person would be addressed by the offence of ‘transmitting’ child pornography.
97. The term ‘procuring for oneself or for another’ in paragraph 1(d) means actively obtaining child pornography, e.g. by downloading it.
98. The possession of child pornography in a computer system or on a data carrier, such as a diskette or CD-Rom, is criminalised in paragraph 1(e). The possession of child pornography stimulates demand for such material. An effective way to curtail the production of child pornography is to attach criminal consequences to the conduct of each participant in the chain from production to possession.
99. The term ‘pornographic material’ in paragraph 2 is governed by national standards pertaining to the classification of materials as obscene, inconsistent with public morals or similarly corrupt. Therefore, material having an artistic, medical, scientific or similar merit may be considered not to be pornographic. The visual depiction includes data stored on computer diskette or on other electronic means of storage, which are capable of conversion into a visual image.
100. A ‘sexually explicit conduct’ covers at least real or simulated: a) sexual intercourse, including genital-genital, oral-genital, anal-genital or oral-anal, between minors, or between an adult and a minor, of the same or opposite sex; b) bestiality; c) masturbation; d) sadistic or masochistic abuse in a sexual context; or e) lascivious exhibition of the genitals or the pubic area of a minor. It is not relevant whether the conduct depicted is real or simulated.
101. The three types of material defined in paragraph 2 for the purposes of committing the offences contained in paragraph 1 cover depictions of sexual abuse of a real child (2a), pornographic images which depict a person appearing to be a minor engaged in sexually explicit conduct (2b), and finally images, which, although ‘realistic’, do not in fact involve a real child engaged in sexually explicit conduct (2c). This latter scenario includes pictures which are altered, such as morphed images of natural persons, or even generated entirely by the computer.
102. In the three cases covered by paragraph 2, the protected legal interests are slightly different. Paragraph 2(a) focuses more directly on the protection against child abuse. Paragraphs 2(b) and 2(c) aim at providing protection against behaviour that, while not necessarily creating harm to the ‘child’ depicted in the material, as there might not be a real child, might be used to encourage or seduce children into participating in such acts, and hence form part of a subculture favouring child abuse.
103. The term ‘without right’ does not exclude legal defences, excuses or similar relevant principles that relieve a person of responsibility under specific circumstances. Accordingly, the term ‘without right’ allows a Party to take into account fundamental rights, such as freedom of thought, expression and privacy. In addition, a Party may provide a defence in respect of conduct related to “pornographic material” having an artistic, medical, scientific or similar merit. In relation to paragraph 2(b), the reference to ‘without right’ could also allow, for example, that a Party may provide that a person is relieved of criminal responsibility if it is established that the person depicted is not a minor in the sense of this provision.
104. Paragraph 3 defines the term ‘minor’ in relation to child pornography in general as all persons under 18 years, in accordance with the definition of a ‘child’ in the UN Convention on the Rights of the Child (Article 1). It was considered an important policy matter to set a uniform international standard regarding age. It should be noted that the age refers to the use of (real or fictitious) children as sexual objects, and is separate from the age of consent for sexual relations.
Nevertheless, recognising that certain States require a lower age-limit in national legislation regard