Territorial sovereignty refers to the state's complete and exclusive exercise of authority and power over its geographic territory. The safeguarding of sovereignty factors prominently in international and regional cybercrime instruments (discussed in Cybercrime Module 3 on Legal Frameworks and Human Rights). A case in point is the League of Arab States' Arab Convention on Combating Information Technology Offences of 2010. Specifically, Article 4 of this Convention holds that: "Every State Party shall commit itself, subject to its own statutes or constitutional principles, to the discharge of its obligations stemming from the application of this convention in a manner consistent with the two principles of equality of the regional sovereignty of States and the non-interference in the internal affairs of other States."
Territorial sovereignty can be applied to cyberspace, particularly to states' information and communications technology (ICT) infrastructure. State sovereignty can be violated when third parties gain unauthorized access to ICT in foreign countries without the knowledge and permission of the host country and/or its law enforcement agents. This violation happens even if this unauthorized access occurs pursuant to an investigation of a cybercrime committed in a different country in an effort by that country to locate the source of the cyberattack and/or stop the cyberattack from occurring (a tactic known as hackback or hacking back) (Wrange, 2014).
Jurisdiction, which is linked to sovereignty (UNODC, 2013, note 9, p. 184), provides states with the power and authority to define and preserve the duties and rights of people within its territory, enforce laws, and punish violations of laws (see Cybercrime Module 3 on Legal Frameworks and Human Rights). States primarily claim jurisdiction over crimes committed within their territory ( principle of territoriality). Article 22(1) of the Council of Europe's Convention on Cybercrime of 2001, states that "[e]ach Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence … [included in] this Convention, when the offence is committed … in its territory." Nonetheless, as Brenner and Koops (2004) rightly point out, determining "whether or not an offence has been 'committed … in' a nation's territory is not, however, a simple undertaking when the commission of the offence involved the use of cyberspace" (p. 10).
Cybercrime jurisdiction is established by other factors, such as the nationality of the offender ( principle of nationality; active personality principle), the nationality of the victim ( principle of nationality; passive personality principle), and the impacts of the cybercrime on the interests and security of the state ( protective principle) (see Cybercrime Module 3 on Legal Frameworks and Human Rights), as long as "a 'sufficient connection' or 'genuine link' [can be shown] between the …[cybercrime] and the state exercising jurisdiction" (Epping and Gloria, 2004, cited in UNODC, 2013, 184-185). In the United Kingdom, for example, the Court of Appeals in R v. Sheppard and Anor (2010) upheld the application of the UK Public Order Act of 1986 to racially inflammatory material posted on a website hosted by a US server, and the conviction of two UK residents for posting this material.
National cybercrime laws establish cybercrime jurisdiction. For instance, in Malaysia, the Computer Crimes Act of 1997 established the state's jurisdiction over cybercrime. In particular, Article 9 of this Act holds that the "provisions of this Act shall, in relation to any person, whatever his nationality or citizenship, have effect outside as well as within Malaysia, and where an offence under this Act is committed by any person in any place outside Malaysia, he may be dealt with in respect of such offence as if it was committed at any place within Malaysia." By way of comparison, Tanzania claims jurisdiction over a cybercrime when
an act or omission constituting an offence is committed wholly or in part - … within the United Republic of Tanzania; … on a ship or aircraft registered in the United Republic of Tanzania; … by a national of the United Republic of Tanzania; …by a national of the United Republic of Tanzania who resides outside the United Republic of Tanzania, if the act or omission would equally constitute an offence under a law of that country; or … by any person, irrespective of his nationality or citizenship, or location, when the offence is … committed using a computer system, device or data located within United Republic of Tanzania; or … directed against computer system, device or data or person located in United Republic of Tanzania (Article 30, Cybercrimes Act of 2015).
Whereas Kenya establishes its jurisdiction over cybercrime as follows:
an act or omission committed outside Kenya which would if committed in Kenya constitute an offence under this Act is deemed to have been committed in Kenya if -… the person committing the act or omission is … a citizen of Kenya; or … ordinarily resident in Kenya; and … the act or omission is committed … against a citizen of Kenya; … against property belonging to the Government of Kenya outside Kenya; or…to compel the Government of Kenya to do or refrain from doing any act; or … the person who commits the act or omission is, after its commission or omission, present in Kenya (Section 66 of the Computer Misuse and Cybercrimes Act of 2018).
Within these and other national cybercrime laws, jurisdiction is primarily determined by the location of the offenders, victims, and impacts of cybercrime.