Skip to main content

Advertisement

SpringerLink
Log in

Cybercrime jurisdiction: past, present and future

  • Article
  • Published:
ERA Forum Aims and scope

Abstract

This article describes activities and policies which have been put into place to date in order to deal with aspects related to cross-border access to computer data and cybercrime jurisdiction. It includes an analysis of the European instruments that address the issue of cybercrime jurisdiction; a perspective on the role of Internet Service Providers in facilitating cooperation to law enforcement for the adjudication of jurisdiction to prosecute cases in national courts. The article addresses some of the current international discussions and possible future scenarios and ends with a personal view and assessment of alternative approaches for asserting jurisdiction for the prosecution of internet-related crime.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

Notes

  1. For a broad discussion and for views on internet law and jurisdiction, see: Goldsmith [4].

  2. See International Shoe Co. v. Washington, 326 U.S. 310, 66 S. Ct. 154, 90 L. Ed. 95 [1945], a landmark decision of the United States Supreme Court which had relevant consequences for corporations involved in intrastate commerce and that resolved that a corporation might be subject to the jurisdiction of a state court if it has “minimum contacts” with the State.

  3. See Calder v. Jones, 465 U.S. 783, 790 [1984]. Under this case, the United States Supreme Court resolved that a defendant must: (i) commit an intentional act that is (ii) expressly aimed at the forum state that (iii) causes harm that the defendant knows is likely to suffered in the forum state.

  4. See Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 [W.D. Pa. 1997]. The court resolved that a passive website was insufficient to establish personal jurisdiction but an interactive site through which a defendant conducts business with the forum residents such as Zippo Dot Com’s was sufficient to establish personal jurisdiction.

  5. See Cybersell Inc v. Cybersell Inc. 130 F.3d 414 [9th Cir. 1997] was a trademark infringement case dealing with the use of a internet service mark in a website. The United States Court of Appeals for the Ninth Circuit found that the use of a website name was passive and did not constitute commercial activity within the state and that the company had not purposefully availed itself such that it could expect to be subject to the state court’s jurisdiction.

  6. For an overview on approaches to cybercrime jurisdiction and the principles and factors determining positive and negative claims on jurisdiction in different countries, see: Brenner [2], available in the Social Science Research Network at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=786507.

  7. This case of December 2011 dealt primarily with illicit access to computer systems, email accounts and stolen access credentials and credit card numbers subsequently used by Russian hackers to commit fraud and extortion against Pay-Pal and e-Bay users. Ivanov was finally indicted for charges of computer fraud, conspiracy and extortion and possession of illegal access devices and was sentenced to 48 months in prison followed by 3 months of supervised release. Ivanov was prosecuted and convicted in five District Courts in the United States—more than any other case listed on the United States Department of Justice listing of computer crimes. See United States Department of Justice press release of July 25, 2003 at: http://www.justice.gov/criminal/cybercrime/press-releases/2003/ivanovSent.htm.

  8. Yahoo! Inc. v. La Ligue Contre Le Racisme et l’antisemitisme (LICRA) 433 F.3d 1199 [9th Cir. 2006]. This is perhaps the most well known case since it involves aspects of content liability of Internet Service Providers, freedom of expression as well as the legality of the execution of foreign judgments in the United Sates and France. In this case dating from 2000, two civil organisations decided to sue Yahoo in France, for having found Nazi propaganda, memorabilia and objects available for purchase in the Yahoo French website. The Court of First Instance (Tribunal Grande Instance) decided to investigate these matters and asserted jurisdiction over Yahoo since it found there were sufficient links and connections with the French territory and mainly because the memorabilia and objects were available to residents located in France in contravention of the French Criminal Code. The French Tribunal ordered Yahoo to restrict access to such content and resolved to impose a monetary fine. Yahoo challenged the award of the French court in the District Court of the State of California arguing that the prohibition and restrictions imposed by the French Tribunal infringed the right of freedom of expression under the First Amendment of the Constitution of the United States and resolved in favour of Yahoo United States leaving without legal effect the French award, which was subsequently appealed by the French organisations in the United States Court of Appeals of the Ninth Circuit in 2006. The United States Supreme Court of Justice declined to hear and attract this case. For an academic perspective on this case, see: Reidenberg [7], available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=267148.

  9. A case of defamation on the internet brought by an Australian entrepreneur Joseph Gutnick against the American media company Dow Jones & Co. for having published an article in its Barrons Online Magazine that purportedly attributed to him fraud, tax evasion and involvement in money laundering activities in Australia. Gutnick sued Dow Jones in his place of residence in Victoria, alleging that the article published damaged his reputation in that territory and also due to the fact that Australian residents had access to the publication in Victoria even though the company was based in New Jersey. The case was finally settled on 15 November 2004. The full text of the judgment and the case history is available at: http://en.wikipedia.org/wiki/Dow_Jones_%26_Co._Inc._v_Gutnick. For an analysis of the case decision, see: Garnett [3], available at: http://www.law.unimelb.edu.au/files/dmfile/downloade52f1.pdf.

  10. The I Love You letter was a computer virus which was spread through an email attachment and which affected millions of personal computers and systems around the world in May 2000. The virus was created and disseminated by two computer programmers from the Philippines who were traced by the authorities and counterparts in that country. Since the Philippines did not have a law to punish crimes against the creation and dissemination of viruses at that time, the authorities in that country dropped all the charges against the offenders and they were not criminally prosecuted. This case took a relevant dimension when the United States Department of Justice got involved in the investigation and tried to cooperate in the prosecution and extradition of the offenders to the United States, however such efforts were meaningless precisely because of the principle and requirement of dual criminality, which requires that extradition may be allowed only when the legislation of both countries provides for a specific sanction and punishment, which was not the case in the Philippines. For further information and a synthesis of the judgment of this case, see: Sy [10].

  11. This was one of the first cases in Germany that widely touched criminal jurisdictional aspects and internet racism and xenophobia speech in Germany and Australia. In 1999, Frederick Töben, a German citizen with Australian nationality and former director of the Adelaide Institute created and disseminated content and materials in its website vilifying Jewish people and denying the Nazi holocaust occurred during the Second World War. As a result of this conduct, he served two sentences, one in Germany for defaming the dead and breaching Germany’s holocaust law and the other in Australia for breaching a court order that ordered him to refrain from publishing materials on his website vilifying the Jewish community, see Velasco [12], pp. 248–250.

  12. See Explanatory Report of the Convention on Cybercrime, paragraphs 7–11.

  13. See Explanatory Report of the Convention on Cybercrime, paragraph 11 v.

  14. See for instance Sections 3 to 9 of the German Criminal Code; Articles 6, 7, 9 and 10 of the Italian Criminal Code; Articles 4 to 7 of the Portuguese Criminal Code and Article 27 of Portugal’s Cybercrime Law nr. 109/2009 and Article 23 of Spain’s Organic Law for the Judicial Power.

  15. See Explanatory Report of the Convention on Cybercrime, paragraphs 293–294.

  16. See Articles 11 and 15.

  17. For an explanation of the scope of Article 22 of the Budapest Convention see: Velasco [10].

  18. Article 32 of the Budapest Convention reads as follows: “Article 32—Trans-border access to stored computer data with consent or where publicly available”. A Party may, without the authorisation of another Party:

    1. a

      access publicly available (open source) stored computer data, regardless of where the data is located geographically; or

    2. b

      access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”

  19. The former G-8 agreed that the principles should be implemented through treaties, national laws and policies and should apply when law enforcement agencies investigate criminal matters and require cross-border access to, copying of, or search and seizure of electronic data. The relevant document is available at: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Points%20of%20Contact/24%208%20Principles%20on%20Transborder%20Access%20to%20Stored%20Computer%20Data_en.pdf.

  20. For a perspective of the G-8 principles on Cross-Border Access, see Putnam [6].

  21. See Article 22.

  22. See Article 25.

  23. See Article 31.

  24. See Article 14.

  25. Articles 2 and 10 set out the conditions for establishing consultations between competent authorities conducting parallel criminal proceedings in the European Union in order to avoid positive conflicts of jurisdiction. Article 12 stipulates that when States are not able to reach consensus, the matter shall be referred to Eurojust by any competent authority of the Member States involved.

  26. Article 9 contains a provision on the assertion of jurisdiction in relation to offences concerning racism and xenophobia, instigation, aiding and abetting where the conduct has been committed: (i) in whole or in part within its territory; (ii) by one of its nationals; (iii) for the benefit of a legal person that has its head office in the territory of a Member State. When a Member State establishes jurisdiction based on territory, each Member Sate shall take the necessary measures in order to ensure that its jurisdiction extends to conduct committed through an information system and (a) the offender commits the conduct when physically present in its territory, whether or not the conduct involves material hosted on an information system in its territory; and (b) the conduct involves material hosted on an information system in its territory, whether or not the offender commits the conduct when physically present in its territory. Section 3 of this provision offers Member States the possibility of applying or not applying the jurisdiction rule when committed by one of its nationals or for the benefit of an entity with a head office in the territory of a Member State.

  27. Article 9 contains a provision on jurisdiction and prosecution in relation to offences concerning terrorist activities (including inciting, aiding, abetting and attempting such offences) when: (i) the offence is committed in its territory; (ii) if the offence is committed on a ship or aircraft registered or waving a national flag; (iii) if the offender is one of its national or residents; (iv) if the offence is committed for the benefit of a legal person established in its territory; (v) if the offence is committed against institutions or people of a Member State or of the European Union. Section 2 of this article establishes that when the offence falls within the jurisdiction of more than one Member State, they shall cooperate in order to decide the prosecution of offenders with the aim of centralising proceedings in a single Member State and facilitate cooperation between their judicial authorities and coordination of their action and taking into considerations the following factors: (a) the territory where the acts were committed; (b) the nationality or residence of the perpetrator; (c) the origin of the victims; (d) the territory where the perpetrator was found. Section 3 sets for the measure to establish jurisdiction in case of a refusal to hand over or extradite a suspected or convicted individual to another Member State or to a third country. Section 4 allows Member Sates to establish jurisdiction in its territory regardless of the location of the terrorist group or where they conduct its criminal activities. Section 4 stipulates the non-exclusion of the exercise of jurisdiction in criminal matters in accordance with its national legislation.

  28. See Article 12. The transposition deadline for European Union Member States is September 4, 2015.

  29. See Article 17. The transposition deadline for European Union Member States was December 18, 2013.

  30. For a perspective on the use of international mutual legal assistance procedures and mechanisms in criminal investigations, see: Velasco [11], pp. 283–287 and United Nations Office on Drugs and Crimes (UNODC), “Comprehensive Study on Cybercrime”, United Nations, pp. 185–187 (February 2013).

  31. For a comparative analysis and perspective on the current procedures, guidelines, policies and terms to request legal assistance in criminal proceedings between law enforcement authorities and internet service providers, see: O’Reily [5].

  32. Currently, there is no official source of information or initiative in the European Union offering a compilation of cases or at least a synthesis of judgments and investigation dealing with cybercrime.

  33. Article 46 §2 of the Belgian Code of Criminal Procedure establishes that any operator of a telecommunications network and any provider of a telecommunications service within the Belgian national territory that may be ordered to communicate the above requested data, is to provide the data that were requested to the Public Prosecutor or the officer of the criminal investigation department. A refusal to communicate the data may be sanctioned with a pecuniary penalty from 143.00 EUR up to 55,000.00 EUR.

  34. For a synthesis of the scope of ECPA, see the website of the United States Department of Justice, Office of Justice Programs, available at: https://it.ojp.gov/default.aspx?area=privacy&page=1285.

  35. As of the time of the publication of this article, the final judgment of the Court of Appeals of Antwerp is not final and it is still pending to be enforced against Yahoo in Belgium.

  36. See supra note 34.

  37. See Memorandum and Order of the US Magistrate Judge James C. Francis IV of the United District Court Southern District of New York in the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, April 25, 2014, pp. 5–8, available at: http://www.documentcloud.org/documents/1149373-in-re-matter-of-warrant.html.

  38. The Fourth Amendment of the Constitution of the United States prohibits unreasonable search and seizures and arbitrary arrests and is the basis of laws dealing with search warrants, safety inspections, wiretaps and other forms of surveillance including privacy law.

  39. Center for Democracy and Technology CDT, supra note 40.

  40. See: Center for Democracy and Technology CDT, “Microsoft Ireland Case: Can a US Warrant Compel a US Provider to Disclose Data Stored Abroad?” Security and Surveillance, 30 July 2014, available at: http://cdt.org/insight/microsoft-ireland-case-can-a-us-warrant-compel-a-us-provider-to-disclose-data-stored-abroad/.

  41. For a short overview of the amicus briefs filed in this case, see supra note 40.

  42. See: Brief for Appellant in the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation on Appeal from the United States District Court for the Southern District of New York (14-2985-cv December 18, 2014), available at: http://digitalconstitution.com/wp-content/uploads/2014/12/Microsoft-Opening-Brief-120820141.pdf.

  43. For an academic perspective on the extraterritorial implications of this case, see: Svantesson [9].

  44. BBC News, “Edward Snowden: Leaks that exposed US spy programme” (17 January, 2014), available at: http://www.bbc.com/news/world-us-canada-23123964.

  45. Reuters, “Europe’s police need data law changes to fight cybercrime-Europol” (29 September, 2014), available at: http://www.reuters.com/article/2014/09/29/cybersecurity-crime-eu-idUSL6N0RU35M20140929.

  46. This scenario has become a relevant discussion and is currently being analyzed by a working group of the Cybercrime Convention Committee (TC-Y) of the Council of Europe. According to this working group, current practices in some European countries go beyond the scenarios foreseen in Article 32b—which deals with cross-border access to data with consent—and many countries have not established the necessary safeguards for protecting fundamental human rights during criminal investigations. See: Council of Europe “Transborder access and jurisdiction: What are the options?”. Report of the Ad-hoc Subgroup on Jurisdiction and Transborder Access to Data of the Cybercrime Convention Committee (T-CY) of 6 December 2012, 1–69 (TC-Y 2012).

  47. See for instance, Seitz [8]. The author is of the general opinion that cross-border searches of computer data located in foreign jurisdiction should not be permissible.

  48. See for instance Articles 189 and 190 of Mexico’s new Federal Law on Telecommunications and Broadcasting, which impose obligations on telecommunication concessionaires and content service providers to collaborate with security, law enforcement and justice administration authorities in the geographical location in real-time of mobile communication equipment and the retention of data when there is reason to believe that a crime has been committed using mobile telecommunications equipment.

  49. For a comparative analysis of the practice of cross-border access to data by law enforcement in different regions of the world, see UNOCD Cybercrime Study, supra note 30, pp. 219–223 and for a comparative perspective on the legal practice in some European countries, see supra note 46, pp. 32 to 42.

  50. See supra note 46, paragraph 134, p. 27 and the document containing the key messages of the Council of Europe Octopus 2012 Conference on Cooperation against Cybercrime, Strasbourg, p. 8 (5 July 2012), available at: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_Octopus2012/2571_Octo_key_messages_V7c_long.pdf.

  51. For a perspective on other legal connecting factors to prioritise jurisdictional claims in cybercrime investigations, see: Council of Europe, “Cloud Computing and cybercrime investigations: Territoriality vs the power of disposal?” Discussion paper prepared for the Project on Cybercrime of the Council of Europe, pp. 8–10 (31 August 2010).

  52. For a perspective on computer data stored in the cloud for purposes of evidence in cybercrime investigations, see: UNOCD Cybercrime Study, supra note 30, pp. 216–218.

  53. The power of disposal refers to “the power of a person to alter, delete, suppress or to render data unusable as well as the right to exclude others from access and any usage whatsoever”. See supra note 46 paragraphs 263–265, p. 50 and supra note 50, pp. 10–11.

  54. See for instance Article 15 on Conditions and Safeguards of the Budapest Convention and Regulation No. 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

  55. The deep web is a term usually referred to the information and content that is not indexed and found by standard search engines where a large number of references and information with illicit content such as drugs, trafficking, terrorism and child pornography is available. For further info on the deep web, see: Bergman [1], available at: http://quod.lib.umich.edu/cgi/t/text/text-idx?c=jep;view=text;rgn=main;idno=3336451.0007.104.

References

  1. Bergman, K.M.: The deep web: surfacing hidden value. Journal of Electronic Publishing 7(1) (2001)

  2. Brenner, W., Koops, S.u.B.-J.: Approaches to cybercrime jurisdiction. Journal of High Technology Law IV(1), 1–46 (2004)

    Google Scholar 

  3. Garnett, R., Down, J., Company Inc vs. Gutnick: An adequate response to transnational internet defamation? Melbourne Journal of International Law 4, 1–21 (2003)

    Google Scholar 

  4. Goldsmith, J., Wu, T.: Who Controls the Internet? Illusions of a Borderless World. Oxford University Press, Oxford (2006)

    Google Scholar 

  5. Reily D, O.: International criminal justice cooperation with multi-national ISP’s. Discussion paper prepared under the Cybercrime@IPA Project from the European Union and the Council of Europe, 1–40 (May 28, 2013)

  6. Putnam, T.L., Elliot, D.: International Responses to Cybercrime. In: Sofaer, A.D., Goodman, S.E. (eds.) Transnational Dimension of Cybercrime and Terrorism, vol. 490. Hoover Institution Press, Stanford (2001)

    Google Scholar 

  7. Reidenberg, J.: The Yahoo Case and the International Democratization of the Internet, Fordham University School of Law. Research Paper No. 11, pp. 1–19 (2001)

  8. Seitz, N., Search, T.: A new perspective in law enforcement? International Journal of Communications Law & Policy/Yale Journal of Law and Technology 9, 1–18 (2004). Special Issue on Cybercrime

    Google Scholar 

  9. Svantesson, D.: After Microsoft v. U.S.—Law Enforcement in the Cloud. First Part published on December 31, 2014 at https://www.linkedin.com/pulse/after-microsoft-v-us-law-enforcement-cloud-1-2-svantesson and Second Part published on January 5, 2015 at https://www.linkedin.com/pulse/after-microsoft-v-us-law-enforcement-cloud-2-dan-jerker-b-svantesson

  10. Sy, G.: E-Commerce Act. Republic Act no. 8792 Implementing Rules and Regulations Legislative Highlights “I Love You Virus Case” (2001)

  11. The Journal of Electronic Publishing http://www.journalofelectronicpublishing.org/

  12. Velasco, C.: La jurisdicción y competencia sobre delitos cometidos a través de sistemas de cómputo e Internet, Tirant lo blanch, Valencia (2012)

Download references

Author information

Authors and Affiliations

  1. Ciberdelincuencia.org, Arndtstr. 21, 68259, Mannheim, Germany

    Cristos Velasco

Authors
  1. Cristos Velasco
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Cristos Velasco.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Velasco, C. Cybercrime jurisdiction: past, present and future. ERA Forum 16, 331–347 (2015). https://doi.org/10.1007/s12027-015-0379-y

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12027-015-0379-y

Keywords

Search

Navigation