Authors: Eva Fava & Oskar J. Gstrein 

Introduction

According to the Europol 2021 Internet Organized Crime Threat Assessment (IOCTA) COVID-19 fueled the increase of cybercrime in all its forms. Cybercriminals use advanced technologies to exploit the internet for criminal purposes through ransomware attacks, botnets, identity theft, dark web markets and much more. Reliable digital infrastructure has become the basis for all aspects of daily life, from online shopping to pandemic management and the handling of governmental tasks. However, unlike regular types of crime, cybercrime presents unique characteristics which make it very difficult to tackle. For instance, it is often almost impossible to find out who is behind a crime and where that person or organization is located. This adds layers of complexity to the investigation and prosecution of cybercrime.

Therefore, states in and beyond Europe have recently revised the Council of Europe’s Convention on Cybercrime (hereinafter also the Budapest Convention or the Convention). This international treaty opened for signature in 2001 and entered into force in 2004. It is currently the most influential binding international agreement trying to effectively regulate responses to cybercrime, but it remains to be seen whether it is future-proof and if it will be replaced by more influential policy initiatives at the United Nations, discussed below.

The Budapest Convention

At the time of its creation 20 years ago, the Budapest Convention was considered an innovative instrument. The Convention was redacted by a group of experts that examined the challenges that the investigation and prosecution of cybercrime presents to law enforcement. Its aim is to protect society by ensuring the criminalization of cybercrimes in a large number of countries, while providing for the adoption of sufficient powers to investigate and prosecute. Therefore, the Convention starts by determining a series of substantive offenses, which the ratifying states are obliged to include in their national laws. The second part of the Convention sets out procedures for the investigation of cybercrime that must be implemented by the states. Lastly, a focal point of the Convention is the establishment of mechanisms for international cooperation concerning the investigation and prosecution of cybercrime. This is achieved mainly through provisions concerning the extradition of criminals, as well as the establishment of mutual legal assistance mechanisms (MLAs) to facilitate investigations.

International Benchmark for Cybercrime Legislation

The international reach of the Convention is worth acknowledging. Even though it is officially a regional agreement promoted by the Council of Europe in Strasbourg (France), the Convention was always intended to become a global instrument. For this reason, it is open for signatures by states worldwide. At the time of writing, the Convention has been ratified by over 30 European countries as well as some non-members of the Council of Europe, such as the US, Australia, Japan and some African and Latin American countries. Many more countries in all regions of the world have been invited to sign. However, some of the major players in the field of cybercrime – such as the Russian Federation and the People’s Republic of China – are not a party to this treaty.

Nevertheless, the Budapest Convention has become an international model when it comes to drafting cybercrime legislation worldwide. It has been used by approximately 80% of states as an inspiration or guideline to redact national legislations. About 55% of UN member states have substantive criminal law provisions in place that correspond to most of the substantive criminal law articles included in the Budapest Convention. Finally, it has also been used as a blueprint for many regional agreements on the matter.

Recent Developments and Updates

As mentioned above, the Budapest Convention currently is the only multilateral binding agreement that we have on the matter of cybercrime. The Convention and its content are not completely set in stone, instead taking the form of a ‘living instrument.’ In fact, since its entry into force in 2004 the scope has been complemented, expanded and modified through additional guidelines, explanatory reports and even capacity-building projects to support implementation. These efforts culminated in the implementation of two additional Protocols to the Convention.

The First Additional Protocol (Protocol I) opened for signatures in 2003 and entered into force in March 2006. Protocol I entails an extension to the scope of the Budapest Convention to include the criminalization of acts of a racist and/or xenophobic nature committed through computer systems (“hate speech”). In particular, Protocol I contains new substantive, procedural and international cooperation procedures to cover a number of related issues, including violations relating to racist or xenophobic propaganda. This additional protocol has currently been ratified by 33 states, while 12 states have signed it but have not yet followed through with ratification.

Furthermore, a Second Additional Protocol to the Cybercrime Convention has been adopted by the Council of Europe as recently as November 2021. Protocol II further tackles the issue of enhancing cooperation between states and the disclosure of electronic evidence. The reason for the adoption of this new protocol is the increasing need for national law enforcement agencies to be able to access digital evidence and other information stored in jurisdictions that are outside their territorial reach. It especially focuses on the victims of cybercrime and their need for justice. Notwithstanding the fact that cybercrime and other offenses involving electronic evidence on computer systems are increasing, only a small portion of these crimes lead to successful court proceedings and convictions. Also, Protocol II aims at relaunching the Convention and affirming its centrality in the procedures for international cooperation in the sphere of cybercrime.

Alongside these new developments concerning the Budapest Convention, international efforts to redact a new international agreement on the matter of cybercrime are currently ongoing. The United Nations Ad Hoc Committee on Cybercrime (AHC) convened from February 28-March 11, 2022. This group was established to elaborate and discuss a comprehensive convention to tackle the use of information and communication technologies for criminal purposes. The negotiations on this separate regulatory framework are still ongoing. It should be noted that alongside the positive expectation that a comprehensive convention could make important contributions to the effort to curb cybercrime, there are concerns that a final agreement might undermine human rights standards and promote the interests of authoritarian regimes.

Fit for the Future?

The Budapest Convention is surely the most significant legal instrument that we currently have on the matter of cybercrime. However, like any other international legal instrument, it is not perfect and has been criticized on various fronts. In particular, its lack of inclusivity has been regarded as problematic as the Convention disproportionately represents western views on the matter of cybercrime, while vastly ignoring the interests of developing countries as well as those of some major players, such as Russia and China. A further concern is that the Convention does not include model legislation that the ratifying parties should implement. Rather, it leaves it up to each country to decide how to implement its provisions within national legislation. This decision was taken to ensure some degree of flexibility when implementing the Convention’s provisions. But such flexibility often results in discrepancies between legal systems and causes a series of legal conflicts, especially when it comes to transnational cooperation.

Most prominently, there are difficulties that will ensue from how the Convention provides for terms of mutual legal assistance (MLA). These procedures are often regarded by states as highly ineffective due to the various difficulties that Law Enforcement Agencies (LEAs) have to endure. In particular, the mechanism as provided by the Convention is considered too lengthy, complex and resource intensive by LEAs.  Requests may sometimes take months or even years to be satisfied and states often prefer to abandon their requests due to the high costs involved (or use bilateral frameworks). Furthermore, at times LEAs have to face various legal issues concerning the content of the requests and their particular wording, as well as differences between legal systems. These problems deter states from utilizing the MLA mechanism, especially when the matter at hand is regarded as a lesser offense. The problems concerning MLA requests have been taken up in the discussions around the Second Additional Protocol to the Convention, but it remains to be seen whether the issue will be satisfactorily resolved.

Another criticism of the Budapest Convention relates to the ability to keep up with the many technological developments in the field of cybercrime. The Convention was the result of almost a decade of studies and deliberation on the subject, and it largely focuses on offenses which originated at the time of its drafting – the late 1990s. Threats that emerged at scale more recently, including such as botnets and ransomware attacks, are therefore not directly addressed. Critics thus argue that the Convention may soon become obsolete. Yet while such concerns are not completely groundless, they are offset by the fact that the scope of the agreement has, at least in part, been extended by means of its complementary guidelines, shared best practices and more importantly the new additional protocols. The approach of the Council of Europe and the ratifying parties to the Convention on extending the scope has been very clear, and is consistent with the original strategy when it was first drafted: The Council managed to negotiate the Budapest Convention when the times were most favorable and slowly build on it rather than trying to negotiate an entirely new international agreement. One of the reasons for this approach surely concerns the many contrasting interests that countries have on the matter of cybercrime and the difficulties that the creation of a new international convention presents.

Much Achieved – Much More to be Done

The Council of Europe’s Budapest Convention is an extremely important international instrument when it comes to fighting cybercrime. Its provisions have been used by many countries in the world as an inspiration or guideline when redacting their own national legislation on the matter. Finally, the Budapest Convention has inspired the creation of many regional agreements on the topic. Throughout the years, the scope of the Convention has been expanded and modified through various guidelines, best practices, explanatory reports etc. However, the most important additions to the Convention are surely the two additional protocols, one of which has been open for signatures since May 2022. Whether or not the Convention will be able to keep pace with the numerous challenges resulting from current developments is a matter of concern, especially as cybercrime continues to evolve and grow at a rapid pace. At the same time, the attempt at the United Nations level to negotiate a new international agreement may help in the effort to curb cybercrime – notwithstanding the significant risks to human rights this separate agreement may pose, as discussed above.

The opinions expressed in this text are solely that of the author/s and do not necessarily reflect the views of IPPI and/or its partners.