The Council of Europe (CoE) offered an overview of its 2014 efforts in the domain of cybercrime with a productive 12th Plenary of the Cybercrime Convention Committee (T-CY) on 2-3 December 2014. The agenda reflected ongoing discussions in a number of significant issues pertaining to transborder access, spam, rules on obtaining subscriber information, and mutual legal assistance. T-CY is a platform for periodic consultation between the representatives of the State Parties to the CoE Conventionon of Cybercrime (hereafter the Convention).
Perhaps the most relevant development of the 12th Plenary was the adoption of the report ‘Transborder access to data and jurisdiction: Options for further action by the T-CY’1 prepared by the Ad-hoc Subgroup on Transborder Access and Jurisdiction, accompanied by the adoption of the Guidance Note #3 on Transborder access to data (Article 32).2
The report gives an overview of CoE’s work in pressing ahead with more clearer and more transparent regulation of transborder access, as put forward in one of the most controversial articles (32 (b)) of the Convention.
T-CY has long argued that there is a practical need for law enforcement to have timely access data stored extraterritorially, and that this should be regulated more clearly in an Additional Protocol to the Convention. These proposals have been reviewed by several European Union (EU) bodies such as the Committee on Civil Liberties, the Justice and Home Affairs Committee of the EU Parliament (LIBE Committee), the European Data Protection Supervisor and the Consultative Committee of Convention 108 and the Data Protection Working Party 29.3 Throughout these discussions, CoE has admitted a number of risks posed by agreeing on further transborder data access, such as the more general concerns of expanding extraterritorial jurisdiction, issues related to procedural safeguards of cybercrime investigations, implications for third parties such as Service Providers, personal data protection challenges related to the interpretation of such key terms as ‘consent’ and ‘lawful authority’, and the need to overcome impediments for law enforcement operations.4 Despite CoE having repeatedly addressed these issues through the guidance note on Article 32, numerous studies, meetings, working groups, and concrete proposals for an Additional Protocol to the Convention on access to electronic evidence, the 2014 report concluded that since ‘a reasonable consensus to commence work on a Protocol is lacking’, the ‘negotiation of a Protocol on transborder access to data would not be feasible’.5 T-CY believes that the identified problems will not disappear but rather will increase, and that T-CY should, therefore, follow developments and reconsider the feasibility of the Protocol in the future.3
Guidance Notes #8 on spam
A new guidance note was adopted on spam (T-CY Guidance Note #8).6 Even though the Convention does not specifically address spam, it ‘uses technology-neutral language so that the substantive criminal law offences may be applied to both current and future technologies involved’.7 Guidance Note #8 shows how different articles of the Convention apply to separate issues related to the multi-functional criminal use of spam and spam-related offences, and concludes that these aspects of spam are already covered by the Convention.3 Should the Parties be interested in specific provisions targeting spam, they should include these legal remedies in their national legislation.
Rules on obtaining subscriber information
Another report published by the T-CY aims to exchange experience and best practices between the Parties of the Convention regarding obtaining subscriber information such as Internet Protocol (IP) address for criminal justice purposes. According to the report, identifying the subscriber of an IP address is the most often sought information in domestic and international criminal investigations related to cybercrime and electronic evidence. In addition to confirming that conditions for obtaining subscriber information are rather diverse in the Convention’s current Parties’ domestic legislation, the report also concludes that in most Parties IP addresses are considered personal data in this context. In countries where there are different practices in differentiating traffic data and subscriber information, different rules should apply for obtaining such information. T-CY suggests that harmonized rules for obtaining subscriber information would facilitate international cooperation.8
The mutual legal assistance provisions of the Convention
Lastly, the T-CY conducted an extensive study of the Mutual Legal Assistance Provisions of the Convention. Within the domain of cybercrime, Mutual Legal Assistance (MLA) is one of the most important requirements for effective measures against transnational cybercrime as well as any other offence entailing electronic evidence. In order to outline the challenges associated with the use of MLA between the Parties to the Convention on Cybercrime, the report provided a detailed assessment of the functioning of MLAs. This was followed by conclusions drawn from the suggestions of the 36 Parties and three observer states that were involved in the study.9
The overall conclusion confirmed, not surprisingly, that the MLA process is inefficient in general and with respect to obtaining electronic evidence in particular. There are a number of reasons for this including the length of the MLA procedures and the possibility that the content of current MLAs does not adequately reflect the needs of modern investigations. At the same time, according to T-CY, the Parties to the Convention appear not to be making full use of the opportunities offered by the Convention and other specific agreements. Finally, it was concluded that since detailed data or statistics on MLA are not available, mechanisms for monitoring the MLA process related to cybercrime and electronic evidence should be established.3
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.
- Council of Europe Cybercrime Convention Committee (T-CY), Transborder Access to Data and Jurisdiction: Options for Further Action by the T-CY, December 3, 2014, https://goo.gl/3XpBH2
- Council of Europe Cybercrime Convention Committee (T-CY), T-CY Guidance Note # 3: Transborder Access to Data (Article 32), December 3, 2014, https://goo.gl/uOLaRn
- Council of Europe Cybercrime Convention Committee (T-CY), Transborder Access to Data and Jurisdiction: Options for Further Action by the T-CY.
- Ibid. pp 12-13.
- Council of Europe Cybercrime Convention Committee (T-CY), T-CY Guidance Note #8: Spam, December 3, 2014, https://goo.gl/EGpEMq
- Ibid. p 3.
- Council of Europe Cybercrime Convention Committee (T-CY), Rules on Obtaining Subscriber Information, December 3, 2014, https://goo.gl/5wPyGf
- Council of Europe Cybercrime Convention Committee (T-CY), The Mutual Legal Assistance Provisions of the Budapest Convention on Cybercrime, December 3, 2014, https://goo.gl/ONzGtl