Cybercrime is the new age threat that has grown exponentially and more so during the pandemic. Cybercrime knows no excuse, wherein; government, businesses, companies, individuals, including children are all vulnerable to cyberattacks. Cybercrime also knows no boundaries, while the borderless and limitless internet leads to transnational or international crimes. There is no accurate definition of cybercrime internationally yet and goes by different nomenclatures such as computer crime, e-crime, technology-enabled crime etc. Cybercrime, simply put, is defined as a ‘crime committed using [the] internet’ and has an array of crimes constituting it. The most common cybercrimes are child pornography, phishing, hacking, identity theft, inciting hate, spreading violence, sextortion and grooming to name a few. Google itself witnessed a stark growth in phishing emails and had to get rid of around 100 million spam emails a day during the pandemic. Owing to the recent growth of cybercrime, many nation-states are legislating or are on the verge of legislating cyber laws, while 80% of the countries have cyber legislations so far. The borderless feature of this crime makes the investigation process even more tedious as compared to the crime committed within national jurisdiction.
Individuals as a Subject Matter of International Law
International law is no longer limited to the rights and duties of states, but now the rights and freedoms of individuals have become one of the primary concerns[i]. The issue of international law extending beyond states and to include individuals was seen as early as 1928 in the case of Danzig Railway officials. Thereby, individuals now a victim of transnational, cross border or international cybercrime can be adjudicated under international law.
Cybercrimes that individuals are vulnerable to are: hacking – accessing a computer without the knowledge of the user/ owner, malware – a malicious software through which data can be accessed in pursuance of financial or personal gains, Denial of Service and Distributed denial of service where the attackers flood the website and systems with huge traffic eventually leading to performance failure, phishing – the most common cybercrime by email spoofing where the email looks to be genuine and trustful but is used to collect sensitive information such as credit card details, passwords and other information. While these examples are regarding financial gains made by the attackers, cybercrime also includes cyber stalking and cyber harassment, which are the other forms of cybercrime that an individual, most likely women and children, are vulnerable to.
Children are susceptible to cybercrimes such as online grooming, child sexual abuse, child pornography, while women are also subjected to online sexual crime such as sexting, sextortion and sexual abuse. Cyberstalking is carried out through message, call, text, or any other mode of internet communication via threatening with defamatory words, threatening the family of the victim, posting wrong or false information online or creating a fake account of the victim and posting vulgar, absurd information through the account. Further, cyber harassment is where the individual or a group of individuals are targeted and purposefully harassed online or on social media with an intention to either humiliate or silence the victim with regard to an incident or an opinion thereof. Internet trolls are also one of the most common forms of cyber harassment to embarrass the victim, which has the potential to have a long-lasting impact in real life. Michael Brutsch, an infamous person who trolled many women and children on his Reddit page – Rapebait and jailbait leading to loss of his job was one of the earliest incidences of internet troll affecting the community at large. Pictures and videos of innocent women and children are used without their knowledge or consent in such internet trolls, thereby violating the right to privacy online. Few countries such as Singapore & United Kingdom have national legislations regulating internet trolls, but many countries still lack the same.
Further, cyber security and freedom over the internet is not only attacked or derailed by individuals but also by governmental institutions under the pretext of national security undertaking constant surveillance over the cyber activities of the population. Freedom of speech and expression of the citizens on social media is regulated by the governmental authorities and sometimes have imposed severe imposition over the restriction as well. Countries such as Myanmar, Uganda, India, Ethiopia, China, Iran, North Korea, Russia have frequently resorted to internet shutdowns to curb anti-national sentiments and voices. The shutdown of the internet during the elections has been a common trend in Africa, wherein half of the African countries faced internet shutdown curbing activities online before or during the elections.
Cyberspace has also led to severe violations from the governmental organizations and political parties to benefit them in their pursuit of personal or political interest. In addition, incidents such as Cambridge Analytica showcase the ability of the cyber domain to manipulate the psychology of commoners. While spyware such as Pegasus indulges in massive violation of privacy without the user being aware of such breach.
Pegasus is a dangerous spyware which once entered hacks the phone and acts as a surveillance tool for the government. The NSO group of Israel developed the spyware under the pretext to track terrorists and other anti-social elements. Around 50,000 phone numbers have been traced that were under surveillance to include human rights activists, members of the royal family, politicians, business executives, journalists, governmental officials. WhatsApp was one of the mediums used by the NSO group to hack into smartphones. Forbidden stories along with Amnesty internationalbusted the news about Pegasus spyware and the surveillance it undertook. The Pegasus spyware has impacted many countries, including India, France, Hungary, Morocco, Mexico, UK. The NSO Group has stated that the spyware is sold to only governmental bodies and not to any individuals. At the same time, the Pegasus news has spurred the debate regarding the attack on the democracy by the ruling party in India since the phone numbers infected with the spyware were mostly of activists, journalists and politicians of the opposition party. A Public Interest Litigation has been filed at the Supreme Court of India to look into the involvement of the government in the Pegasus spyware for surveillance.
Cambridge Analytica: During the 2016 Presidential election in the United States of America, there was a massive data leak of millions of Facebook users in order to manipulate them to vote for Donald Trump. Ex-employee of Cambridge Analytica Christopher Wylie was the whistleblower who brought out the data breach of millions of Facebook users. The data was harvested through a Facebook App called ’this is your digital life’, which was a research-based personality test app created by Aleksandr Kogan. The personality test helped the company predict the user’s choices and profile them with targeted political advertisements. This way, the users were manipulated to choose and vote for a particular political party by building trust and devote their allegiance to their party through the advertisements.
The only international Convention that addresses cybercrime directly so far is the Budapest Convention. A short analysis of the same can be seen below.
A Brief of Budapest Convention
The Convention applies to the signatory states of the Council of Europe to fight against cybercrime through international cooperation. The Convention does not define what amounts to cybercrimes or the different kinds of cybercrimes as we know them today. The Convention mandates countries to adopt national legislation to deal with cybercrime. The crimes defined and dealt with under the Convention are illegal access, illegal interception, data interference, system interference, misuse of devices etc. The Convention also deals with content related crimes such as child pornography and copyright infringement. In case of a cybercrime committed, the Convention clearly states the rule relating to extradition, jurisdiction and mutual assistance in case of investigation and other related proceedings that concern the crime committed. International cooperation is the crux of the Convention when it comes to procedural aspects to combat and investigate cybercrime. An Additional Protocol to the Convention on cybercrime came into force in 2006 pertaining to crime with xenophobic and racist contents using the computer system. The Council of Europe is on the way to formulate a Second Additional Protocol to the Budapest Convention to include better cooperation among states for sharing of electronic evidence.
Rationale towards an International Cyber law
The current pace of cyber domain not only reverberates upon having a cybercrime Convention but also to have data-sharing agreements between the countries. Cyberspace is more or less perceived as an ‘area’ rather than an abstractentity. This entails territoriality to the cyber space for a country. Information and data are the new assets on which the world is running and relying in this day and age. United States has ‘The Clarifying Lawful Overseas Use of Data Act’(CLOUD ACT) which allows the sharing of communication data across the border. The Act came into light as a consequence of United States v. Microsoft (2018) pursuance of a criminal investigation where the issue was whether the US could have access to data (email) stored in Ireland. Data sharing between countries has led to privacy and human rights concerns owing to lack of strong data protection laws. Currently, there are Mutual Legal Assistance Treatiesbetween nation-states for data sharing, which are successful only by the clause of dual criminality; if not, it paves the way for a cyber-safe haven.
The vast use of cyber space by individuals and nation states has led to increase of crimes in cyber domain and lack concrete laws to regulate and penalize the same. An offence of cybercrime in the national jurisdiction is triable under the respective national laws but seems beyond reach in cases of crimes committed cross-border or between different national jurisdictions. The current international law jurisprudence lacks sufficient grounds to either try an international cyber crime or even to assign the investigation and trial of the offence to a national jurisdiction. Interpol is currently taking up initiatives to enlighten about the cyber-crimes in national jurisdiction in the form of cyber collaborative platform to bring in international cooperation to handle the same.
With the exponential growth of information technology, it is vital for the laws to adopt and adapt to the pace of technology. While Budapest Convention is just one such international Convention covering cybercrime as a subject matter, it also acts as precedence for further development of international law in the cyber space. Cybercrime also has human rights implications such as violation of privacy, freedom of expression, non-discrimination and much more. While the current article only covers individuals vulnerable to cyber-attack either by individuals, state or non-state actors, governmental institutions and nation-states are not left out of cyberattacks either. Information warfare and cyber warfare are the threats that the nation-states are vulnerable to, and the application of existing International Humanitarian Law to such conflicts is debatable. The application of existing international laws needs intricate and detailed statutory interpretation to analyze such new-age warfare.
[i] IA Shearer, Starke's International Law (11th edn, Oxford university press 1947) 61
Priyanka Vaidyanath, has completed her B.A LLB , LLM and is currently pursuing her PhD at Christ (deemed to be) University. Her area of research focuses on the intersection of artificial intelligence and international humanitarian law. Her areas of interest include international law, technology law, and cyber law.
Image: Credits to Adam/Gulf News