Abstract
This chapter aims to explore policy proposals to deal with one of the most complicated problems posed by the Internet, namely that of jurisdiction. While cybercrime is a phenomenon without borders, the effective prosecution of such a crime is seriously hampered by conflicts of territoriality and jurisdiction. These problems are exacerbated by the evolution of information technology, in particular cloud computing which creates ‘loss of location’ problems for collecting the electronic evidence indispensable for prosecuting crime. The Cloud Evidence Group—a Working Group established by decision of the Cybercrime Convention Committee (T-CY) of the Council of Europe—has proposed, within the limits of agreed legal principles of territoriality and jurisdiction, a series of measures which, together with proper implementation of the Convention, would enable fast and effective access to electronic evidence, while respecting human rights and the rule of law.
Keywords
- Council of Europe
- Cloud computing
- Territoriality
- Budapest Convention on Cybercrime
- Location of data
- Jurisdiction
Jan Kleijssen is Director of Information Society and Action against Crime at the Council of Europe. Pierluigi Perri is Associate Research Professor at University of Milan, and Advisor on Cybercrime at the Council of Europe. The views and opinions expressed in this contribution are those of the authors and do not necessarily reflect the official position of the Council of Europe.
Notes
- 1.
Defined here as offences against and by means of computer data and systems in the sense of Articles 2 to 11 of the Budapest Convention on Cybercrime, ETS No 185, 23 November 2001.
- 2.
The IP address is a unique address represented by a number, which identifies the device over the Internet. It is important to underline, with regard to criminal investigations, that an IP address identifies only the device and not the user behind it.
- 3.
One of the best known tools with which to achieve a good anonymization is TOR (The Onion Router), which is a network of computers (nodes) that distributes the transactions over several places on the Internet, so that it is almost impossible from one single node to trace the user.
- 4.
Consider, for example, the recent case of hacking of the SWIFT global banking system that affected at least twelve central banks like the Bank of Bangladesh, the Bank of Vietnam, the Bank of Philippines, the Bank of Ecuador and the Ukrainian Bank, with a loss of hundreds of millions of dollars.
- 5.
Phishing is one of the most widespread cybercrimes that consists of computer fraud to obtain sensitive information of the victim, such as credit card numbers, usernames and passwords for internet banking platforms, personal data of the victim, etc. According to the draft version of the Comprehensive Study on Cybercrime of UNODC (United Nations Office on Drugs and Crime), ‘[i]ndividual cybercrime victimization is significantly higher than for “conventional” crime forms. Victimization rates for online credit card fraud, identity theft, responding to a phishing attempt, and experiencing unauthorized access to an email account, vary between 1 and 17% of the online population’. UNODC 2013, at 25.
- 6.
Some provisions of the Budapest Convention on Cybercrime are focused on the cooperation between the Parties (see Articles 23 and 25).
- 7.
Balkin et al. 2007.
- 8.
There are different definitions of ‘provider’, according to the service that they deliver to their customers. In fact, under the general category of the Internet Service Provider (ISP), we can identify for example access providers, hosting providers, cloud providers, VoIP providers and content providers.
- 9.
For example, the recent disputes over the encryption of iPhones were not related to cybercrime but to cases of terrorism and drug trafficking. D Chmielewski (2016) Apple-FBI Encryption Battle Shifts to New York, 8 April 2016, http://www.recode.net/2016/4/8/11585978/apple-fbi-encryption-battle-shifts-to-new-york, accessed 20 January 2017.
- 10.
Kerr 2015. Already in this paper of eleven years ago, the Author argues how the law of criminal procedure must be changed as a result of the increasing number of cases based largely on digital evidence. The rise of the number of mobile and personal devices that store not only our personal information (i.e. e-mail, instant messaging contents, bank account movements) but also other information automatically (i.e. location, heart rate, circadian rhythm) combined with the spreading of this information on social network platforms, is creating a large amount of data related to the person under investigation that must be taken into account.
- 11.
Usually, the starting point of this endless debate is identified in the paper by Johnson and Post published in 1996 in the Stanford Law Review ‘Law and Borders—The Rise of Law in Cyberspace’, in which the Authors argued that ‘The rise of the global computer network is destroying the link between geographical location and: (1) the power of local governments to assert control over online behavior; (2) the effects of online behavior on individuals or things; (3) the legitimacy of a local sovereign’s effort to regulate global phenomena; and (4) the ability of physical location to give notice of which sets of rules apply’ (see Johnson and Post 1996, at 1370). But the debate is still open and many scholars focus their research on the new challenges for the principle of territoriality in cyberspace, for example Goldsmith 1998; Reidenberg 2005; Bach and Newman 2006; Kulesza 2008; Schultz 2008; de Hert and Kopcheva 2011; Daskal 2015; Osula 2015; Svantesson and Gerry 2015; Svantesson and van Zwieten 2016; Zoetekouw 2016.
- 12.
The ‘un-territoriality’ of data in the cloud is, in fact, one of the most challenging problems for government authorities to search and seize digital evidence: firstly due to the difficulties of determining where the data is stored, so as to identify the applicable jurisdiction, and secondly due to the clash of different judicial systems. See Daskal 2015.
- 13.
The Cloud Evidence Group (CEG) was a Working Group established by decision of the Cybercrime Convention Committee (T-CY) in December 2014. The aim of this Group is to explore solutions on criminal justice access to evidence stored on servers in the cloud and in foreign jurisdictions, including through mutual legal assistance. The members of CEG are the members of the T-CY Bureau plus up to five additional members. The objective of the Cloud Evidence Group was to prepare a report on criminal justice access to data in the cloud. During its activity, the Cloud Evidence Group issued several reports, including the Guidance Note on Article 18 of the Budapest Convention (production order) and the final report “Criminal justice access to data in the cloud: recommendations for considerations by the T-CY”, all of which are published on http://www.coe.int/en/web/cybercrime/ceg (accessed 18 July 2017). During the last Plenary of 7-9 June 2017, the T-CY decided to follow one of the recommendations included in the final report and approved the Terms of Reference for an Additional Protocol to the Budapest Convention in order to help law enforcement to secure evidence on servers in foreign, multiple or unknown jurisdictions. This will be the second Additional Protocol to the Budapest Convention after the Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems.
- 14.
See Symantec Internet Security Threat Report, Volume 21, April 2016, http://www.symantec.com/deepsight-products, accessed 20 October 2016.
- 15.
See for example the Overview of current cyberattacks on Deutsche Telekom sensors, http://www.sicherheitstacho.eu/?lang=en, accessed 30 October 2016.
- 16.
To give an example, see the web page on the ongoing threats managed and constantly updated by the CERT-EU (Computer Emergency Response Team for the EU institutions, bodies and agencies): http://cert.europa.eu/cert/filteredition/en/CERT-LatestNews.html, accessed 30 October 2016.
- 17.
See T-CY 2015b, at 4.
- 18.
A personal data breach is defined by Article 4 of the EU General Data Protection Regulation (Regulation EU 2016/679) as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
- 19.
It is necessary to point out that the theft of subscribers’ data from the Ashley Madison website is more sensitive if compared to other websites, considering that it is an online dating service and social networking service marketed to people who are married or in committed relationships. An unfortunate end of this story, among others, was the suicide committed by a pastor outed by the publication of Ashley Madison’s account. Recently, the website settled the customer class action for 11.2 million dollars.
- 20.
See Talbot 2016.
- 21.
For more information, see J Murdock (2016) Fling.com Breach: Passwords and Sexual Preferences of 40 Million Users Up For Sale on Dark Web, IBTimes, 6 May 2016, http://www.ibtimes.co.uk/fling-com-breach-passwords-sexual-preferences-40-million-users-sale-dark-web-1558711, accessed 20 October 2016.
- 22.
Experts use the expression ‘dark web’ to identify websites that host illegal content and that are not indexed by normal search engines like Google, Yahoo!, Bing, etc. (the indexed web is called ‘surface web’). The dark web is intentionally hidden, to some extent anonymous, and is inaccessible with the standard configuration of web browsers, requiring other tools to reach these websites and retrieve their contents.
- 23.
K.U. v Finland, ECtHR, No. 2872/02, 2 March 2009.
- 24.
See Internet Watch Foundation (2015) Annual Report, https://www.iwf.org.uk/report/2015-annual-report, accessed 20 October 2016.
- 25.
See ECPAT (2016) Global Study on Sexual Exploitation of Children in Travel and Tourism, http://cf.cdn.unwto.org/sites/all/files/docpdf/global-report-offenders-move-final.pdf, accessed 21 October 2016.
- 26.
A distributed denial of service (DDOS) attack is an attack where multiple compromised servers are used to target a single system flooding it with many fake requests, with the result that the server becomes inaccessible for the legitimate users and the service is taken down.
- 27.
A defacement is an attack aimed to change the content of a webpage without the consent of the owner of the webpage. This type of attack is often used to cause reputational damages to companies or to spread political or other propaganda. For example, following the Charlie Hebdo attack of 7 January 2015, more than 20,000 websites in France were under attack, rendering websites inaccessible either by defacing them or by sending multiple requests to a server to render its services inaccessible. Another example are the attacks against the French channel TV5 that targeted their Facebook and Twitter accounts, Internet website as well as the broadcasting programme, shutting down the network for several hours. See J Campbell (2015) French TV network TV5Monde ‘hacked by cyber caliphate in unprecedented attack’ that revealed personal details of French soldiers, The Independent, http://www.independent.co.uk/news/world/europe/french-tv-network-tv5monde-hijacked-by-isis-hackers-in-unprecedented-attack-that-revealed-personal-10164285.html, accessed 21 October 2016.
- 28.
‘Critical infrastructure’ is defined by Article 2(a) of the Directive 2008/114/EC as ‘an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions’.
- 29.
See C Von Ulrich (2015) Cyber-Angriff auf Kanzleramt und Bundestag, 7 January 2015, http://www.welt.de/politik/deutschland/article136114277/Cyber-Angriff-auf-Kanzleramt-und-Bundestag.html, accessed 21 October 2016.
- 30.
Ransomware is software able to restrict the access to a computer system and its content until a ransom is paid. Usually the ransomware encrypts the whole disk drive of the computer and shows a message containing the procedure to pay the ransom and obtain the decrypting key.
- 31.
Lacy and Reed 2016.
- 32.
von Behr et al. 2013.
- 33.
T-CY 2013b, at 5.
- 34.
The Internet of Everything (IoE) is an evolution of the Internet of Things (IoT) and refers to a possible near future, in which everything will be connected: people, process, data, and things, intended as devices and consumer products. This ‘hyperconnection’ will improve the possibility to deliver services, but will also imply an incredible exposure of data that need to be protected. For more information please visit http://ioeassessment.cisco.com, accessed 30 October 2016.
- 35.
See Brown 2015. On this topic see also: Office of the Police and Crime Commissioner for Surrey (2015/16) South East Cybercrime Survey, https://www.cybersafesurrey.org/surveyresults, accessed 22 October 2016.
- 36.
See Octopus Conference 2015, Cooperation against Cybercrime, Key messages, http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680319026, accessed 22 October 2016.
- 37.
See T-CY 2015b.
- 38.
See C Metz (2016) Forget Apple vs the FBI: WhatsApp Just Switched on Encryption for a Billion People, 5 April 2016, http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/, accessed 22 October 2016.
- 39.
See Huston 2013.
- 40.
The definition of ‘cloud computing’ provided by NIST, a branch of the US Department of Commerce responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, is: ‘a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.’ See Mell and Grance 2011.
- 41.
See Narayanan 2012.
- 42.
See NIST 2014.
- 43.
Case of the S.S. ‘Lotus’ (France v Turkey), PCIJ Series A, No 10, 7 September 1927 (‘Lotus’).
- 44.
Ibid., at 18–19.
- 45.
Ibid., at 18.
- 46.
Ibid.
- 47.
This reflects the dissenting opinion posed by Judge Loder who commented that ‘[…] every door is open unless it is closed by treaty or by established custom’ (Lotus case, Dissenting Opinion by M. Loder, at 34).
- 48.
Handeyside 2007.
- 49.
In the Kosovo Advisory Opinion, Judge Simma disagreed with the methodology used by the Court for deciding the case, which derives from the Lotus principles. In particular, he criticized the principle, declaring that ‘by upholding the Lotus principle, the Court fails to seize a chance to move beyond this anachronistic, extremely consensualist vision of international law. The Court could have considered the scope of the question from an approach which does not, in a formalistic fashion, equate the absence of a prohibition with the existence of a permissive rule; it could also have considered the possibility that international law can be neutral or deliberately silent on the international lawfulness of certain acts.’ Accordance with international law of the unilateral declaration of independence in respect of Kosovo, Advisory Opinion of 22 July 2010, Declaration of Judge Simma, para 3.
- 50.
Brownlie 2003, at 301.
- 51.
Ireland-Piper 2014.
- 52.
Lotus case, at 20.
- 53.
Some suggestions could come from other sources, like the Restatement of the Law (Third) of the Foreign Relations Law of the United States, that provides the following rules: ‘(2) Whether exercise of jurisdiction over a person or activity is unreasonable is determined by evaluating all relevant factors, including, where appropriate: (a) the link of the activity to the territory of the regulating state, i.e., the extent to which the activity takes place within the territory, or has substantial, direct, and foreseeable effect upon or in the territory; (b) the connections, such as nationality, residence, or economic activity, between the regulating state and the person principally responsible for the activity to be regulated, or between that state and those whom the regulation is designed to protect; (c) the character of the activity to be regulated, the importance of regulation to the regulating state, the extent to which other states regulate such activities, and the degree to which the desirability of such regulation is generally accepted; (d) the existence of justified expectations that might be protected or hurt by the regulation; (e) the importance of the regulation to the international political, legal, or economic system; (f) the extent to which the regulation is consistent with the traditions of the international system; (g) the extent to which another state may have an interest in regulating the activity; and (h) the likelihood of conflict with regulation by another state’. See Hixson 1988; and Swanson 2011.
- 54.
Opinion of Advocate General Wathelet delivered on 9 November 2016, Concurrence SARL v Samsung Electronics France SAS and Amazon Service Europe Sàrl, ECJ, Case C-618/15, ECLI:EU:C:2016:843, para 2. This case is just one of the newest discussed in front of a superior Court, but cases regarding the jurisdiction in cyberspace are quite numerous. We can cite, for example: LICRA v Yahoo! & Yahoo France, Tribunal de Grande Instance de Paris, 22 May 2000; R v Töben, BGH, 12 December 2000; R v Perrin, EWHC Criminal Division, 22 March 2002; Arzneimittelwerbung im Internet, BGH, 30 March 2006; Persönlichkeitsverletzungen durch ausländische Internetveröffentlichungen, BGH, 2 March 2010; Vidal-Hall & Ors v Google Inc, EWHC, 16 January 2014; Google Spain SL, Google Inc v Agencia Española de Protección de Datos, ECJ Grand Chamber, 13 May 2014; Yahoo! v Belgium, Court of Cassation, P.13.2082.N, 1 December 2015.
- 55.
Svantesson 2015, at 79, proposes to focus on the following ‘core principles’:
‘In the absence of an obligation under international law to exercise Jurisdiction, a State may only exercise jurisdiction where:
(1) there is a substantial connection between the matter and the State seeking to exercise jurisdiction
(2) the State seeking to exercise jurisdiction has a legitimate interest in the matter and
(3) the exercise of jurisdiction is reasonable given the balance between the State’s legitimate interests and other interests.’
- 56.
See T-CY 2015b.
- 57.
This topic was recently discussed in front of the Second Circuit Court of Appeal in the case Microsoft v United States, USCA II Circuit, 14-2985, 14 July 2016, where the Court stated that the government cannot compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States. The main question presented was whether Section 2703(a) of the Stored Communications Act (SCA)–the provision under which the government sought and received a search warrant for the email account–applies extraterritorially. The government argued that when the SCA used the word ‘warrant’, the statute was actually referring not to a traditional warrant, but to legal process or ‘compelled disclosure’ more akin to a subpoena. A warrant, according to the Second Circuit, and conceded by the government, has domestic boundaries. This important decision complicates even more an already uncertain framework. See Svantesson and Gerry 2015.
- 58.
See NIST 2014.
- 59.
See T-CY 2015b, at 15.
- 60.
See T-CY 2016a.
- 61.
See Sect. 7.3.1.7.
- 62.
Defined in Article 18 of the Budapest Convention as follows:
‘[…] the term “subscriber information” means any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which can be established:
(a) the type of communication service used, the technical provisions taken thereto and the period of service;
(b) the subscriber’s identity, postal or geographic address, telephone and other access number, billing and payment information, available on the basis of the service agreement or arrangement;
(c) any other information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.’
- 63.
Defined in Article 1 of the Budapest Convention as follows: ‘[…] “traffic data” means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.’
- 64.
The same conclusions are reported in the Conference Report of the Presidency Conference ‘Crossing Borders: Jurisdiction in Cyberspace’ held in Amsterdam on 7–8 March 2016 (7323/16). On this specific issue, the conclusions of the policy experts and practitioners participating in the Conference are summarized as follows: ‘Subscriber data is the most often requested type of data for the purposes of criminal proceedings, followed by traffic data and finally content data. It was acknowledged by participants that the interference with the rights of the investigated person is lower in the case of subscriber data compared to traffic data and content data and therefore a lighter regime for obtaining such data could be reasonably envisaged. It was concluded that this distinction should be systematically reflected in the current legal frameworks (both national and international) and that such a solution could substantially release pressure from the existing system for international cooperation for obtaining e-evidence.’ (at 6).
- 65.
See T-CY 2014.
- 66.
See Article 18 of the Budapest Convention.
- 67.
The production order aims to obtain, upon request, some information in the possession of a person—typically an Internet Service Provider or a telecommunication company. This means that the amount of data is by itself less intrusive than in a search and seizure of computer systems or in an interception of communications, which can allow a data dragnet. In fact, the production order must identify precisely the scope and the extension of the request.
- 68.
1959 European Convention on Mutual Assistance in Criminal Matters, ETS No 030.
- 69.
1978 Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, ETS No 099; 2001 Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, ETS 182.
- 70.
See PC-OC 2012.
- 71.
See PC-OC 2014.
- 72.
See PC-OC 2015.
- 73.
2007 Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, CETS No 201.
- 74.
1990 Council of Europe Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, ETS No 141.
- 75.
2005 Council of Europe Convention on the Prevention of Terrorism, CETS No 196.
- 76.
See T-CY 2013b.
- 77.
- 78.
For example, in cloud computing it could happen that the provider does not know where the data are exactly located. On this issue see Vaciago 2011, at 7.
- 79.
See T-CY 2013a.
- 80.
T-CY 2016a, at 2.
- 81.
See on this topic the action taken by the Electronic Frontier Foundation at the following URL: https://act.eff.org/action/stop-the-changes-to-rule-41, accessed 30 October 2016.
- 82.
Regarding this Act, some civil rights associations have also filed a complaint with the ECtHR for alleged violations of fundamental rights, especially Articles 8, 10 and 14 of ECHR.
- 83.
18 U.S. Code §2702.
- 84.
See T-CY 2016b.
- 85.
See Sect. 7.3.1.7.
- 86.
See T-CY 2016c.
- 87.
See the Chart of signatures and ratifications of the Budapest Convention, Council of Europe Treaty Office, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=EIwx3ZYf, accessed 30 October 2016.
- 88.
1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108. See Chart of signatures and ratification of Convention 108, Council of Europe Treaty Office, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=etR46XGN, accessed 30 October 2016.
- 89.
The main data protection instruments referred to are the following: 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108; Council of Europe Recommendation R(87)15 Regulating the Use of Personal Data in the Police Sector; European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; Framework Decision 2008/977/JHA of the European Union on the Protection of Personal Data Processed in the Framework of Police and Judicial Co-Operation in Criminal Matters. At the European Union level, a new comprehensive data protection framework, the so-called new ‘data protection package’, was adopted in April 2016 and includes the EU General Data Protection Regulation, which, among other things, will replace Directive 95/46/EC and which will be directly applicable in EU member States, and a Directive on data protection in the criminal justice sector.
- 90.
On this negotiation please see http://www.coe.int/t/dghl/standardsetting/dataprotection/Cahdata_en.asp and http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/CAHDat.%203_Report_CM(2015)40_En.pdf, accessed 30 October 2016.
- 91.
- 92.
See T-CY 2013b.
- 93.
These provisions have not been fully implemented by all Parties as shown in assessments carried out by the Committee: http://www.coe.int/en/web/cybercrime/assessments, accessed 30 October 2016.
- 94.
See T-CY 2016c.
- 95.
T-CY 2015a.
- 96.
In fact, Article 18.1.a covers any type of data. However, the draft Guidance Note is focusing on subscriber information only.
- 97.
As reported in the final version of the Article 18 Guidance Note approved by the T-CY by written procedure on 20 February 2017, Parties could consider that a service provider is ‘offering a service in the territory of a Party’ when the service provider enables persons in the territory of the Party to subscribe to its services and the service provider has established a real and substantial connection to a Party. To identify this connection some factors could be the following: providing local advertising or advertising in the language of the territory of the Party, making use of the subscriber information in the course of its activities or interacting with subscribers in the Party.
- 98.
For a general overview of the policies adopted by the providers, please see http://www.coe.int/en/web/cybercrime/hearing.
- 99.
See Council of Europe (2016) Internet Governance—Council of Europe Strategy 2016–2019, CM(2016)10-final, https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016805c1b60, accessed 30 October 2016.
- 100.
Terrorism and the Internet is one of the priority areas for the biennium 2016–2017 of the Council of Europe Committee of Experts on Terrorism (CODEXTER), http://www.coe.int/t/dlapil/codexter/about_en.asp?expandable=0, accessed 30 October 2016.
- 101.
- 102.
For a summary of different decisions in applying territoriality principles in cyberspace, see Daskal 2015, at 334–365. From an EU perspective, an important decision, already referred to in footnote 55, is Yahoo! v Belgium, where the Belgian Court of Cassation in December 2015 found that, contrary to Yahoo!’s opinion, there was no issue of extraterritorial jurisdiction because the request for disclosure to an operator of an electronic communication network or an electronic communications service provider who is active in Belgium does not imply any intervention outside the territory of Belgium. Also, notwithstanding the place of location of such an operator or provider, its refusal to comply with such request constitutes an offence that takes place in Belgium. The Court of Cassation then concluded that Yahoo! ‘voluntarily’ submits itself to the Belgian law due to some peculiarities, like for example using the domain name .be or displaying ads directed at Belgian users (see Yahoo! v Belgium, Court of Cassation, P.13.2082.N, 1 December 2015). The European Court of Justice dealt with the problem of territoriality in the Weltimmo case where, among other questions related to data protection law and the Directive 94/46/EC, the ECJ discussed the meaning of ‘establishment’ to decide the applicable law. On this specific issue the Court broadly follows the approach of the Advocate General, especially points 28 and 32 to 34 of his Opinion, agreeing upon a flexible definition of the concept of ‘establishment’, ‘which departs from a formalistic approach whereby undertakings are established solely in the place where they are registered.
Accordingly, in order to establish whether a company, the data controller, has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet.’ (see Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, ECJ, ECLI:EU:C:2015:639, 1 October 2015, para 29).
- 103.
See Octopus Conference 2015, Cooperation against Cybercrime, Key messages, http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680319026, accessed 22 October 2016.
- 104.
See http://english.eu2016.nl/events/2016/03/07/crossing-borders-jurisdiction-in-cyberspace, accessed 30 October 2016.
- 105.
See EU Directive 2013/40/EU on Attacks Against Information Systems, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:EN:PDF, accessed 30 October 2016.
- 106.
Another 18 States are signatories or have been invited to accede to the Convention. This number is constantly increasing.
References
Bach D, Newman AL (2006) Local Power, Global Reach: The Domestic Institutional Roots of Internet Governance. http://www18.georgetown.edu/data/people/aln24/publication-25786.pdf. Accessed 20 October 2016
Balkin J, Grimmelmann J, Katz E, Kozlovski N, Wagman S, Zarsky T (2007) Cybercrime: Digital Cops in a Networked Environment. NYU Press, New York
Brown CSD (2015) Investigating and Prosecuting Cyber Crime: Forensics Dependencies and Barriers to Justice. International Journal of Cyber Criminology 9:55–119
Brownlie I (2003) Principles of Public International Law, 6th edn. Oxford University Press, Oxford
Daskal J (2015) The Un-Territoriality of Data. Yale Law Journal 125:326–398
Daskal J, Woods AK (2015) Cross-Border Data Requests: A Proposed Framework. https://lawfareblog.com/cross-border-data-requests-proposed-framework. Accessed 30 October 2016
Goldsmith J (1998) The Internet and the Abiding Significance of Territorial Sovereignty. Indiana Journal of Global Legal Studies 5:475–491
Handeyside H (2007) The Lotus Principle in ICJ Jurisprudence: Was the Ship Ever Afloat? Michigan Journal of International Law 29(1):71–94
de Hert P, Kopcheva M (2011) International Mutual Legal Assistance in Criminal Law Made Redundant: A Comment on the Belgian Yahoo! Case. Computer Law & Security Review 27:291–297
Hixson K (1988) Extraterritorial Jurisdiction Under the Third Restatement of Foreign Relations Law of the United States. Fordham International Law Journal 12(1):127–152
Huston G (2013) IP Addresses and Traceback. APNIC Labs. https://labs.apnic.net/?p=433. Accessed 22 October 2016
Ireland-Piper D (2014) The Enrica Lexie and St Antony: A Voyage into Jurisdictional Conflict. QUT Law Review 14(2):74–89
Johnson DR, Post DG (1996) Law and Borders: The Rise of Law in Cyberspace. Stanford Law Review 48(5):1367–1402
Kerr OS (2015) Search and Seizure in a Digital World. Harvard Law Review 119:531–585
Kulesza J (2008) Internet Governance and the Jurisdiction of State: Justification of the Need for an International Regulation of Cyberspace. https://www.researchgate.net/profile/Joanna_Kulesza3/publication/228228013_Internet_Governance_and_the_Jurisdiction_of_States_Justification_of_the_Need_for_an_International_Regulation_of_Cyberspace/links/564e522108ae4988a7a62701.pdf. Accessed 20 October 2016
Lacy E, Reed SR (2016) BWL cyberattack bills reach nearly $2M. http://www.lansingstatejournal.com/story/news/local/2016/09/22/bwl-ransomware-attack-costly-details-emerging/90826176/. Accessed 22 October 2016
Mell P, Grance T (2011) The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-145. http://faculty.winthrop.edu/domanm/csci411/Handouts/NIST.pdf. Accessed 23 October 2016
Narayanan V (2012) Harnessing the Cloud: International Law Implications of Cloud-Computing. Chicago Journal of International Law 12(2):783–809
NIST (2014) Cloud Computing Forensic Science Challenges. Draft NISTIR 8006. http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf. Accessed 25 October 2016
Osula A-M (2015) Transborder Access and Territorial Sovereignty. Computer Law & Security Review 31:719–735
PC-OC (2012) Guidelines on Practical Measures to Improve Co-Operation in Respect of Transfer of Proceedings, Including a Model Request Form. PC-OC INF 78. http://www.coe.int/t/dghl/standardsetting/pc-oc/Source/PC_OC_INF_78%20Guidelines%20and%20model%20request%20form%20on%20transfer%20of%20proceedings.doc. Accessed 25 October 2016
PC-OC (2014) Model Request Form for Mutual Assistance in Criminal Matters. PC-OC Mod (2014) 10rev.6. http://www.coe.int/t/dghl/standardsetting/pc-oc/PCOC_documents/Documents%202015/PC-OC%20Mod%20(2014)10rev6%20Model%20request%20form%20for%20MLA.pdf. Accessed 25 October 2016
PC-OC (2015) Mutual Legal Assistance in the Treaties of the Council of Europe: Note for Practitioners. PC-OC(2015)03. http://www.coe.int/t/dghl/standardsetting/pc-oc/PCOC_documents/Documents%202015/PC-OC%20(2015)03%20Note%20for%20practitioners%20on%20mutual%20legal%20assistance.pdf. Accessed 25 October 2016
Reidenberg JN (2005) Technology and Internet Jurisdiction. University of Pennsylvania Law Review 153:1951–1974
Schultz T (2008) Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface. European Journal of International Law 19(4):799–839
Svantesson D (2015) A New Jurisprudential Framework for Jurisdiction: Beyond the Harvard Draft. AJIL Unbound 109:69–74
Svantesson D, Gerry F (2015) Access to Extraterritorial Evidence: The Microsoft Cloud Case and Beyond. Computer Law & Security Review 31:478–489
Svantesson D, van Zwieten L (2016) Law Enforcement Access to Evidence Via Direct Contact With Cloud Providers – Identifying the Contours of a Solution. Computer Law & Security Review 32:671–687
Swanson SR (2011) Google Sets Sail: Ocean-Based Server Farms and International Law. Connecticut Law Review 43(3):709–751
Talbot D (2016) Cybersecurity: The Age of the Megabreach. MIT Technology Review. https://www.technologyreview.com/s/545616/cybersecurity-the-age-of-the-megabreach/. Accessed 30 October 2016
T-CY (2013a) Guidance Note #3: Transborder Access to Data (Article 32). http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e726a. Accessed 27 October 2016
T-CY (2013b) Assessment Report: The Mutual Legal Assistance Provisions of the Budapest Convention on Cybercrime. http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e726c. Accessed 23 October 2016
T-CY (2014) Rules on Obtaining Subscriber Information. Report. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016802e7ad1. Accessed 25 October 2016
T-CY (2015a) Guidance Note #10 (Draft): Production Orders for Subscriber Information (Article 18 Budapest Convention). https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168064b77c. Accessed 28 October 2016
T-CY (2015b) Criminal Justice Access to Data in the Cloud: Challenges. Discussion Paper. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680304b59. Accessed 22 October 2016
T-CY (2016a) Criminal Justice Access to Electronic Evidence in the Cloud - Informal Summary of Issues and Options Under Consideration by the Cloud Evidence Group. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016805a53c8. Accessed 25 October 2016
T-CY (2016b) Criminal Justice Access to Data in the Cloud: Co-Operation with ‘Foreign’ Service Providers. Background Paper. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=090000168064b77d. Accessed 27 October 2016
T-CY (2016c) Emergency Requests for the Immediate Disclosure of Data Stored in Another Jurisdiction Through Mutual Legal Assistance Channels or Through Direct Requests to Service Providers: Compilation of Replies to the Questionnaire. http://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680644318. Accessed 27 October 2016
UNODC (2013) Comprehensive Study on Cybercrime. https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf. Accessed 20 October 2016
Vaciago G (2011) Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics. CYBERLAWS 2012: The Third International Conference on Technical and Legal Aspects of the e-Society
von Behr I, Reding A, Edwards C, Gribbon L (2013) Radicalisation in the Digital Era. The Use of the Internet in 15 Cases of Terrorism and Extremism. http://www.rand.org/pubs/research_reports/RR453.html. Accessed 22 October 2016
Walden I (2011) Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent. Queen Mary School of Law Legal Studies Research Paper No 74/2011. https://ssrn.com/abstract=1781067. Accessed 27 October 2016
Zoetekouw M (2016) Ignorantia Terrae Non Excusat. https://english.eu2016.nl/binaries/eu2016-en/documents/publications/2016/03/7/c-mzoetekouw---ignorantia-terrae-non-excusat---discussion-paper-for-the-crossing-borders---jurisdiction-in-cyberspace-conference-march-2016---final/c-mzoetekouw-ignorantia-terrae-non-excusat-discussion-paper-for-the-crossing-borders-jurisdiction-in-cyberspace-conference-march-2016-final.pdf. Accessed 20 October 2016
Copyright information
© 2017 T.M.C. Asser Press and the authors
About this chapter
Cite this chapter
Kleijssen, J., Perri, P. (2017). Cybercrime, Evidence and Territoriality: Issues and Options. In: Kuijer, M., Werner, W. (eds) Netherlands Yearbook of International Law 2016. Netherlands Yearbook of International Law, vol 47. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-207-1_7
DOI: https://doi.org/10.1007/978-94-6265-207-1_7
Publisher Name: T.M.C. Asser Press, The Hague
Print ISBN: 978-94-6265-206-4
Online ISBN: 978-94-6265-207-1
eBook Packages: Law and Criminology (R0)