This module is a resource for lecturers

The role of cybercrime law

Cybercrime law identifies standards of acceptable behaviour for information and communication technology (ICT) users; establishes socio-legal sanctions for cybercrime; protects ICT users, in general, and mitigates and/or prevents harm to people, data, systems, services, and infrastructure, in particular; protects human rights; enables the investigation and prosecution of crimes committed online (outside of traditional real-world settings); and facilitates cooperation between countries on cybercrime matters (UNODC, 2013, p. 52). Cybercrime law provides rules of conduct and standards of behaviour for the use of the Internet, computers, and related digital technologies, and the actions of the public, government, and private organizations; rules of evidence and criminal procedure, and other criminal justice matters in cyberspace; and regulation to reduce risk and/or mitigate the harm done to individuals, organizations, and infrastructure should a cybercrime occur. Accordingly, cybercrime law includes substantive, procedural and preventive law.

Substantive law

An illegal act needs to be clearly described in and prohibited by law. Pursuant to the moral principle of nullum crimen sine lege (Latin for "no crime without law") a person cannot be punished for an act that was not proscribed by law at the time the person committed the act (UNODC, 2013, p. 53). Substantive law defines the rights and responsibilities of legal subjects, which include persons, organizations, and states. Sources of substantive law include statutes and ordinances enacted by city, state, and federal legislatures ( statutory law), federal and state constitutions, and court decisions.

Did you know?

Some countries, instead of developing new special laws against cybercrime, amended their national legislation or codes, adding specific paragraphs to address cybercrime. With this practice, an interesting consequence for consideration has been that some countries decided to criminalize separately the illegal use of information and communication technology to commit any crime. Thus, if the perpetrator used illegal access in order to commit forgery or fraud, such behaviour would constitute two crimes at the same time.

Substantive cybercrime law includes laws that prohibit specific types of cybercrime (described in Cybercrime Module 2 on General Types of Cybercrime) and punishes non-compliance with these laws. Cybercrime includes traditional, real-world (offline) crimes (e.g., fraud, forgery, organized crime, money-laundering, and theft) perpetrated in cyberspace that are 'hybrid' or 'cyber-enabled' crimes, as well as 'new' or 'cyber-dependent' crimes that have been made possible with the advent of the Internet and Internet-enabled digital technologies (Wall, 2007; Maras 2014; Maras, 2016). For these reasons, many countries have developed laws that are specifically designed to deal with cybercrime. For example, Germany, Japan, and China, have amended the relevant provisions of their criminal code to combat cybercrime. Countries have also used existing laws that were designed for real-world (offline) crime to target certain cybercrimes and cybercriminals. As another example, in Iraq, the existing civil code (Iraqi Civil Code No. 40 of 1951) and penal code (Iraqi Penal Code No. 111 of 1969) are used to prosecute real-world crimes (e.g., fraud, blackmail, identity theft) perpetrated via the Internet and digital technology.

Legal systems

Each state has its own legal system, which affects the creation of substantive criminal law on cybercrime. These systems include (Maras, forthcoming, 2020):

1) Common law. These systems create laws by legal precedent (i.e., ruling in case binding to the court and lower courts) and established practice. These laws exist as separate laws and case law (i.e., law that develops from court decisions or legal precedent).

2) Civil law. These legal systems have codified, consolidated, and comprehensive legal rules or statutes that delineate basic rights, responsibilities, duties and expectations of behaviour. These legal systems are primarily based on legislation and constitutions.

3) Customary law. These legal systems include established and accepted patterns of behaviour within a culture that are perceived by those within the culture to be law ( opinion juris). In international law, customary law governs relationships and practices between states and is considered binding for all states.

4) Religious law. These legal systems include rules derived from religion or the use of religious documents as a legal source and authority.

5) Legal pluralism. In this type of legal system, two or more of the above-mentioned legal systems (i.e., common, civil, customary or religious law) may exist.

Substantive law focuses on the substance of crime, such as the elements of a crime which includes the prohibited conduct ( actus reus - "guilty act") and the mental element ( mens rea - "guilty mind"). Different states may choose to criminalize different conduct by choosing different elements that constitute a crime. Alternatively, states may criminalize the same conduct, but the laws may still differ as to what "state of mind" makes them culpable for their conduct (i.e., level of criminal culpability). To this end, laws that criminalize, for example, unauthorized access to computer systems and data vary between countries, depending on the degree of intent held by a purported criminal (see "Levels of Criminal Culpability" box below).

Levels of criminal culpability

There are different levels of criminal culpability (or criminal responsibility) based on the degree to which an illicit act was intentional (purposely or wilfully committed) or unintentional (recklessly and negligently committed) that varies according to legal system (Simons, 2003; Dubber, 2011; Maras, 2020):

  • Purposely. A person purposely commits crime when the person is acting to cause harm (i.e., the person has intent to cause harm). A case in point is the UK Computer Misuse Act of 1990, which criminalizes, among other things, unauthorized access to systems and data with the intention of causing changes and/or damage, disruptions of systems and services, and modifications of system data and programmes.
  • Wilfully. A person wilfully commits crime when the person is aware that an action will cause harm but commits the harm or wrongdoing anyway. A person can be charged pursuant to the US Computer Fraud and Abuse Act of 1986, specifically 18 U.S.C. § 1030(a)(1), for
having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it.
  • Recklessly. An individual recklessly commits crime when the person engages in an act even though the person is aware of the substantial and unjustifiable risk of harm to others but shows disregard for or indifference to the risk of harm. In Australia, a person can be charged under Division 477.2(1)(c) of Cybercrime Act 2001 (No. 161, 2001) if a "person is reckless as to whether the [unauthorized] modification [of data] impairs or will impair: (i) access to that or any other data held in any computer; or (ii) the reliability, security or operation, of any such data."
  • Negligently. Negligence is the lowest level of culpability. Those engaging in negligent behaviour lack awareness of the negative consequences of an act. In Senegal, "[a]nyone who, even through negligence, processes or arranges the processing of personal data without having complied with the formalities set out in the Law on Personal Data prior to using such data shall be punished" (Article 431-17, Law No. 2008-11 on Cybercrime).

Note: Levels of criminal culpability are not universal (Fletcher, 2000, p. 445-446, cited in Ohlin, 2013 p. 82).

It is important to note two things here. Firstly, the local application of law (prosecution) will only take place when it is in the public interest to prosecute, yet many bulk cybercrimes such as minor Internet-based frauds are de minimis non-curat lex, in that they areindividuallyregardedtoo minor in impact to be investigated by police and prosecuted. Yet, they may have a considerable collective impact internationally, so need to be subject to international law. Secondly, "where a strong justification for the criminalization of a particular conduct does not exist in law, a risk of moral or cultural overcriminalization can arise. In this respect, international human rights law represents one important tool for the assessment of criminal laws against an external, international standard" (UNODC, 2013, p. 54) (see section on International Human Rights and Cybercrime Law).

Procedural law

Procedural law demarcates the processes and procedures to be followed to apply substantive law and the rules to enable the enforcement of substantive law. An important part of procedural law is criminal procedure, which includes comprehensive rules and guidelines on the manner in which suspected, accused, and convicted persons are to be handled and processed by the criminal justice system and its agents (Maras, forthcoming, 2020; for general information about criminal procedure, see LaFave et al., 2015; for information about international criminal procedure, see Boas, et al., 2011). Ultimately, procedural cybercrime law includes provisions on jurisdiction and investigative powers, rules of evidence and criminal procedure that relate to data collection, wiretapping, search and seizure, data preservation and data retention (which are discussed in greater detail in Cybercrime Module 4 on Introduction to Digital Forensics, Module 5 on Cybercrime Investigation, Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics, and Cybercrime Module 10 on Privacy and Data Protection; see also UNODC, 2013, p. xxii-xxiii). Cybercrime presents certain unique challenges regarding procedure, especially with respect to jurisdiction, investigations, and digital evidence.

Jurisdiction. Law enforcement may only carry out a cybercrime investigation, and national courts may only adjudicate cybercrime cases, if the interested state has jurisdiction. Jurisdiction refers to a state's power and authority to enforce laws and punish noncompliance with laws (this topic is discussed in further detail in Cybercrime Module 7 on International Cooperation against Cybercrime). Jurisdiction is linked to state sovereignty, which is a country's right to exercise authority over its own territory (UNODC, 2013, p. 55). Jurisdiction is commonly associated with geographic territory or locus commissi deliciti (the place where the crime was committed), whereby states claim jurisdiction over and prosecute crimes committed within their territory ( principle of territoriality). Given that there are no geographic boundaries and territories in cyberspace, the location cannot be used to determine jurisdiction. For this reason, states rely on a multitude of other factors to determine jurisdiction (Brenner and Koops, 2004; Rahman 2012; Maras, forthcoming, 2020): One such factor is the nationality of the offender ( principle of nationality; active personality principle). This principle holds that states have the authority to prosecute their nationals even if these nationals are outside of their territory. To a lesser extent (in its use) the nationality of the victim can be used to assert jurisdiction over a crime ( principle of nationality; passive personality principle). A state can further establish jurisdiction because crime committed in another state (e.g., treason or espionage) impacted the interests and security of the state seeking jurisdiction over the case ( protective principle). Finally, any state can establish jurisdiction over certain transnational crimes, such as mass atrocities (e.g., genocide), which are viewed as affecting all human beings irrespective of geographic location, when the state where the crime was committed is unwilling or unable to prosecute the offender ( principle of universality).

Investigative measures and powers. Digital evidence of cybercrimes presents particular challenges both in terms of its handling and use in court proceedings (see Cybercrime Module 5 on Cybercrime Investigation and Cybercrime Module 6 on the Practical Aspects of Cybercrime Investigations and Digital Forensics). According to the 2013 UNODC Draft Comprehensive Study on Cybercrime, "[w]hile some of these investigative actions can be achieved with traditional powers, many procedural provisions do not translate well from a spatial, object-oriented approach to one involving…[digital] data storage and real-time data flows" (p. 122), thus requiring specialized powers for the investigation (UNODC, 2013, p. 54). These specialized powers are prescribed by law and cover not only access to information needed but also include safeguards to ensure that the data is obtained pursuant to appropriate legal orders and accessed only to the extent necessary and authorized by law (this topic is further explored in Cybercrime Module 5 on Cybercrime Investigation). The US Stored Communications Act (18 US Code § 2701-2712), which is Title II of the Electronic Communications Privacy Act of 1986, includes these safeguards. For example, pursuant to 18 US Code § 2703(a),

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.

These safeguards (i.e., the legal order requirement), however, are not required by all countries. In 2014, Turkey amended Internet Law 5651 to require Internet service providers to retain user data and make it available to authorities upon request without requiring them to first obtain a legal order (e.g., a court order or search warrant) to obtain this data. These investigatory powers extend beyond the mere collection of evidence to include obtaining assistance and working with other criminal justice agents on cybercrime cases. Likewise, in Tanzania, the Cybercrimes Act of 2015 provided police with excessive, unrestrained investigatory powers in cybercrime. Particularly, police authorization is the only requirement to enable the search and seizure of evidence and to compel the disclosure of data. Accordingly, search and seizure and other investigatory powers can occur without the appropriate legal orders. Beyond this concern, a danger exists for "mission creep" or "function creep" (i.e., terms used to describe the expansion of law and/or other measures in areas beyond their original scope), where laws and investigatory powers introduced to target one form of cybercrime are then used to target other, less serious forms of cybercrime. Ultimately, the powers and procedures in place for the purpose of cybercrime investigations and proceedings must be in accordance with the rule of law and human rights (see, for example, Article 15 of the Council of Europe's Convention on Cybercrime of 2001).

Identification, collection, sharing, use and admissibility of digital evidence. Cybercrime procedural law covers identification, collection, storage, analysis, and dissemination of digital evidence. Digital evidence (or electronic evidence) refers to "any type of information that can be extracted from computer systems or other digital devices and that can be used to prove or disprove an offence" (Maras, 2014). Digital evidence (discussed further in Cybercrime Module 4 on Introduction to Digital Forensics) can support or refute victim, witness, and suspect testimony, support or refute the truth of a matter asserted, identify a perpetrator's motive, intent and location, identify a perpetrator's behaviour (past actions and behaviour), and determine criminal culpability (Maras 2014; Maras, 2016).

Rules of evidence and criminal procedure include the criteria used to determine whether digital evidence is admissible in court (Maras, 2014). These rules prescribe the manner in which digital evidence is documented, collected, preserved, transmitted, analysed, stored, and safeguarded to ensure its admissibility in national courts. To be admissible, digital evidence is authenticated and its integrity is established. Authentication procedures involve identifying the source/author of the digital evidence (i.e., source identity information) and verifying the integrity of the evidence (i.e., that it was not changed, manipulated, or damaged in any way). The maintenance of a chain of custody, a detailed log about the evidence, the condition of the evidence, its collection, storage, access, and transfer and reasons for its access and transfer, is essential to ensure the admissibility of digital evidence in most courts of law (UNODC, 2013, p. 54; Maras, 2014). The rules of evidence and criminal procedure are not standardized between countries. Similar rules of evidence and criminal procedure are needed for cybercrime because this form of crime transcends borders and impacts digital devices and systems anywhere in the world with an Internet connection.

Preventive law

Preventive law focuses on regulation and risk mitigation. In the context of cybercrime, preventive legislation seeks to either prevent cybercrime or, at the very least, mitigate the damage resulting from the commission of a cybercrime (UNODC, 2013, 55). Data protection laws (e.g., the EU General Data Protection Regulation of 2016, and the African Union Convention on Cyber Security and Personal Data Protection of 2014, discussed in Cybercrime Module 10 on Privacy and Data Protection) and cybersecurity laws (e.g., The Law of Ukraine on the Basic Principles of Ensuring the Cyber Security of Ukraine of 2017) are designed to lessen the material harms from criminal breaches of private data should a cybercrime occur, and/or minimize private vulnerability to cybercrime. Other laws enable criminal justice agents to identify, investigate, and prosecute cybercrime by ensuring the necessary tools, measures, and processes are in place to facilitate these actions (e.g., telecommunications and electronic communications service providers' infrastructure is such that it enables wiretapping and data preservation). In the United States, the Communications Assistance for Law Enforcement Act (CALEA) of 1994 (codified at 47 U.S.C. § 1001-1010) required telecommunications service providers and equipment manufacturers to ensure that their services and products enable government agencies with lawful authorization (i.e., with the appropriate legal order) to access communications.

Did you know?

The United Nations Office on Drugs and Crime (UNODC) Cybercrime Repository, which is part of the SHERLOC Knowledge Management Portal, contains a database of national cybercrime laws and case law.

Next: Harmonization of Laws
Back to top