Embed Size (px)
Citation preview
The Hague Process: Courses on the International Law Applicable to Cyber OperationsPanama City, Panama26-30 November 2018
JURISDICTION OVER CYBER CRIMES
Jurisdiction: General Principles
• Competence of States to regulate persons,
objects, conduct under their national law, within
limits imposed by international law
• Authority over civil, administrative, and criminal
matters
• Includes cyber activities, individuals who engage in
them, and cyber infrastructure
2
State Pronouncements
• UN GGE 2013 report• “jurisdiction over ICT infrastructure within ...
territory” (pt. 20)
• UN GGE 2015 report• “jurisdiction over ICT infrastructure within ...
territory” (pt. 27)
• “States have jurisdiction over the ICT infrastructure
located within their territory” (pt. 28(a))
3
Jurisdictional Competence
• Prescriptive (legislative)
• Enforcement (executive)
• Judicial (adjudicatory)
4
Jurisdiction:
Territorial v. Extraterritorial
• Territorial: Full prescriptive, enforcement,
judicial jurisdiction
• Extraterritorial: Scope of jurisdiction depends,
inter alia, on type of jurisdiction
Territorial Jurisdiction
• Cyber infrastructure and persons engaged in cyber activities on territory
• Cyber activities commenced (subjective territoriality) or completed (objective territoriality) on State’s territory
• Cyber infrastructure in an intermediary State is integral facet of operation
• Example: Bots in a botnet
• Data transiting?
• Example: Data merely passing through router. De minimis?
6
Territorial Jurisdiction: Effects Doctrine
• Important in cyber context due to ability to conceal points of origin or completion
• May criminalise if clear & internationally acceptable interestaffected
• Substantial effect upon territory, financial/economic activity and stability, or legal order
• Effect must be sufficiently direct and intended or foreseeable
• Aggregation of related cyber ops
• Example: Cyber ops against cloud computing infrastructure in which corporation stores data
• Example: Protection of corporation’s intellectual property data stored abroad
7
Territorial Jurisdiction: Effects Doctrine
• Must be exercised in reasonable fashion with due regard for interests of other states
• Warrants extending State’s law to foreign nationals conducting cyber ops outside territory
• Example: Not cyber op v. foreign corporation that causes loss in stock value for State’s stockholders
• Example: Not criminalization of foreign NGO’s campaign on-line abroad regarding State’s election
• Example: Criminalizing on-line activities that encourage violence in the country
8
Extraterritorial Prescriptive Jurisdiction
• Activities, persons, cyber infrastructure outside territory
• Cyber activities conducted by nationals
• Cyber activities aboard vessels/aircraft possessing its
nationality
• Foreign national cyber activities aimed at seriously
undermining essential State interests (protective
principle)
• Cyber activities conducted by foreign nationals against
nationals, with certain limitations (passive personality
principle)
• Crimes subject to the universality principle
9
Extraterritorial Prescriptive Jurisdiction
• Exercise must be:
• Reasonable
• Conducted with due regard to the interests
of other States
• Example: Unreasonable to criminalize on-line
criticism of leadership or posting of photos of
nationals on social media by non-nationals.
10
Concurrent Jurisdiction
• Multiple bases of prescriptive jurisdiction can
lead to concurrent jurisdiction
• Example: Hacker cell in State A with State B
members launching ops into State C with
effects in State D
11
Extraterritorial EnforcementJurisdiction
• May exercise over persons engaged in cyber
activities and cyber infrastructure abroad if:
• Specific allocation of authority under international
law
• Example: Block internet traffic to/from vessel
engaged in piracy
• Valid consent by a foreign government to exercise
on its territory
• Example: Remote search of database
12
Extraterritorial Enforcement Jurisdiction – Data
• Data hosted on servers abroad, not publicly
available (e.g., dark web)
• Accessible from State: Territorial enforcement
jurisdiction, e.g., by search
• Not accessible: Consent required or specific
authority under international law
• Example: Data stored on personal computer
13
Extraterritorial Enforcement Jurisdiction – By Treaty
• Budapest Convention on Cybercrime
• May, without the authorisation of another Party:
• access publicly available (open source) stored
computer data, regardless of where data located;
or
• access or receive, through a computer system in its
territory, stored computer data located in another
Party, if obtains lawful and voluntary consent of
person who has the lawful authority to disclose the
data
14
Immunity of States from Jurisdiction
• May not exercise enforcement or judicial
jurisdiction over persons engaged in cyber
activities or cyber infrastructure enjoying
immunity under international law
• State’s cyber infrastructure, activities
• Non-commercial exclusively governmental
15
Immunity of State Officials for
Cyber Activities
• Personal immunity (ratione personae)
• High-ranking officials
• Functional immunity (ratione materiae)
• In home state
• In territory of another State?
• Violations of peremptory norms?
International Cooperation inLaw Enforcement
• Generally, States not obliged to cooperate in
investigation/prosecution of cyber crime
• May be required by applicable treaty or other
international law obligation
• Example: Mutual Legal Assistance Treaty
• Example: Council of Europe’s Convention on
Cybercrime (Budapest Convention)
• Example: League of Arab State’s Arab Convention
on Combating Information Technology Offences
17
Case Study
18
Case Study
19
Case Study
20
QUESTIONS?
