Cybercrime Legislation – Setting the Score Straight

In an article published by the Swedish on-line edition of Computer Sweden, security expert Rik Ferguson from Trend Micro comments on the Mariposa bot-net and the fact that the guys running the bot-net are up for trial. Translated into English, he is quoted as saying the following in the article: “The men behind the bot-net were running it from Spain where it is not an illegal act”. He also calls for the need to harmonize legislation dealing with cybercrime and claims that the prosecutors have to prove that the perpetrators have stolen information, as that is the (only) act that is criminalized in Spain.

Now, granted, I do not know what the Spanish regulations say about denial of service attacks carried out by bot-nets from Spain, but I would like to point to two pieces of legislation which are precisely the kind of harmonization attempts that he calls for and which (at least one of them) legally bind Spain to criminalize the crimes he describes.

The first one is the Council of Europe’s Convention on Cybercrime (CETS No.: 185) (dating back to 2001). The Convention calls on states to criminalize unauthorized access to computer systems (Article 2), the unauthorized interception of computer data (Article 3), data interference (Article 4) and system interference (Article 5), just to name a few acts. (Please refer to the text of the Convention for the precise definition of these terms.) One thing that is for certain is that the authors of the Convention definitely had DOS attacks in mind when writing the legislation (Explanatory Report point 67).

So far 18 countries have signed the Convention (including Spain) and another 28 countries have ratified it (including the USA). Granted, Spain hasn’t ratified the Convention, which basically means that they have agreed to it but are not bound by it.

On the other hand, Spain is obliged to follow European harmonization legislation. Following the momentum of the Convention, the European Commission put forth a Proposal for a Framework Decision on attacks against information systems in April 2002. Having gone through the European Parliament, a Council Framework Decision on the subject was adopted on February 24, 2005 by the Council of the European Union.

The Framework Decision, which has its origins in the Council of Europe’s Convention and follows its setup, also lists illegal access to information systems, illegal system interference, illegal data interference etc. as punishable offenses. The Proposal by the Commission specifically mentions DOS attacks as an example that falls under the category of illegal interference with information systems (page 12 of the Proposal).

This time around, however, Spain does not have a choice. They have to ensure that their legislation penalizes the acts in the Framework Decision. And this had to be done by March 16, 2007 at the latest (Article 12.2 of the Framework Decision).

Furthermore, both the Convention and the Framework Decision explicitly state that the countries in question shall establish jurisdiction over the named crimes if they are committed on their territory (Article 22 in the Convention and Article 10 in the Framework Decision). I.e., it doesn’t matter where the bot-net computers are located. If the perpetrators infected the computers while hanging out at an Internet cafe in Spain, then they fall within Spain’s jurisdiction.

Whether Spain has done its duty and implemented the regulations, I can not say. But I do wonder if Mr. Ferguson was aware of these legislative acts and that Spain is supposed to abide by them. And if Spain did do as it is supposed to, then infection of the zombie-computers with Trojans (illegal access to computer systems and misuse of devices), any DOS attacks carried out by the bot-net (illegal system interference) and/or any phishing attacks on the zombie-computers (data interference, illegal interception, misuse of devices) would be considered punishable offenses, presuming the perpetrators fall under Spanish jurisdiction. And if not, then Spain has violated EU legislation which it helped to create. Which is unfortunately not unprecedented…

So, there may be a long way to go to harmonize cybercrime legislation, but it is important to remember the efforts that have already taken place. And to come out and say “legislation needs to improve” is stating the obvious. Of course it needs to improve – just like technology constantly needs to adapt to the developments of society, legislation needs to make sure that it follows technological developments. Not much news value in that statement…