Convention On Cybercrime In Budapest: Assessment Of India’s Concerns

Convention On Cybercrime In Budapest: Assessment Of India's Concerns

27 Apr, 2023

Convention On Cybercrime In Budapest: Assessment Of India’s Concerns

Author – PRAGATI DWIVEDI, Student of University of Petroleum and Energy Studies, Dehradun

  1. Abstract

The Council of Europe’s Convention on Cyber Crime, also known as the Budapest Convention, is the first legally binding international instrument aimed at addressing the global epidemic of cybercrime in the internet age through the harmonisation of national laws and the promotion of international cooperation in the collection, investigation, and prosecution of such crimes. While India has a nearly two-decade-old, very effective domestic cybercrime law, it is still not a party to the Convention due to a variety of concerns. The purpose of this research is to identify and examine those problems in light of the requirements of the Convention against Cybercrime and its implementation.

II.            Introduction

CYBERCRIME IS AN EXCLUSIVE worldwide danger. Cybercrime is third in terms of global impact, trailing only corruption and narcotics.[1] According to various estimations, the economic impact of cybercrime ranges from 172 billion[2] to 600 billion USD each year, while other researchers question such estimates[3]. Apart from technology difficulties in combating such crimes, the transnational nature of cybercrime offers the most difficult obstacle for any state to combat on its own, necessitating international cooperation, which has its own set of challenges challenges. The Council of Europe’s Convention[4] on Cybercrime is the first legally binding international instrument aimed at addressing the global epidemic of cybercrime in the internet age through the harmonisation of national laws and the promotion of international cooperation in evidence collection, investigation, and prosecution of such crimes. According to a 2017 report published by Symantec[5], India’s security software provider, ranks third in the world in terms of cyber threats detected, and second in terms of targeted attacks[6]. While India has a nearly two-decade-old, very effective domestic cybercrime law, it is still not a party to the Convention due to a variety of concerns. The purpose of this research is to identify and examine those problems in light of the requirements, notably article 32(b) of the Convention against Cybercrime and its implementation. the paper further also discusses about russian led resolution and india’s stand over the same.

  1. Evolution of cybercrime

Over the previous two decades, connected computing has become an integral part of our daily lives[7]. Everything today is internet-linked, from mobile phones to connected houses powered by smart devices. Our digital identities, which were formed in numerous databases owned by companies or the government, have become an integral part of our daily lives. Since the turn of the century, the use of computing devices and the internet has grown at an exponential rate. Today, connected gadgets have become a part of people’s daily lives, and most are oblivious of the security risks that come with being connected. Small enterprises, government, corporations, and individuals have become heavily dependent on computer software and systems, and as a result, we invest a great deal of trust in such systems. Such systems have also been a target for criminals ever since the widespread usage of these systems for processing and storing priceless commercial and personal information started. Criminals took advantage of the tone mechanism employed on phone networks in the 1970s. The attack was known as phreaking, and it involved attackers fraudulently using telephone company networks to make long-distance calls by reverse-engineering the tones utilised by such networks[8].

The world witnessed the first worm assault in 1988, and the first ransomware attack in 1989[9]. In the 1990s, online browsers and internet adoption expanded the reach of cyber criminals and newer crimes such as phishing, viruses, malware, and DDoSetc. Identity theft became the “new financial piggy bank for criminal organisations all over the world” with the development of internet databases and social networking in the 2000s. While cybercrime was primarily the work of a lone individual in the previous century, who could have been “a computer nerd aiming for supremacy over the system,” it was the involvement of organised criminal syndicates around the turn of the century that established cybercrime as an industry valued at nearly $600 billion USD today. 

A.     Cybercrime classification

Cybercrimes can be characterized according to the relationship of the computer to the crime or according to the act itself. Cybercrimes are classified into four groups based on the relationship of the computer to the crime:[10]

i. Where a computer is a target – for example, information theft and the exploitation of such information for other illegal purposes. Such acts, such as hacking, virus attacks, and ransomware, are against the confidentiality, integrity, and availability of computer data or systems.

ii. Where a computer is used as a primary tool in a crime, such as ATM fraud, account fraud, credit card fraud, online hate speech, the production, distribution, or possession of child pornography, acts related to terrorism, and so on.
iii. When the use of a computer is incidental, such as when keeping records or doing online transactions that are legal but are part of a larger illicit activity.
iii. Other crimes helped by computer use: software piracy, counterfeiting, computer program copyright violations, counterfeit equipment, and so on.
 

B.      The Characteristics of Cybercrime


The traditional criminological understanding of crime based on social, cultural, and material aspects considers crimes to be occurrences that occur in a specific geographical location. This understanding of crime has defined the crime, as has the following design of crime mapping and prevention measures to be tailored to a certain target audience. However, because the inherent nature of the underlying technologies exploited by cybercrime makes pinpointing such crimes to a geographic location, or distinctive social or cultural groups, this characterization and its associated mechanisms are not directly relatable in cases of cybercrime. Unlike traditional crimes, which can be traced to a specific geographical territory, cybercrime occurs in cyberspace, the interconnected world that crosses national borders, making it difficult for national law enforcement agencies to effectively combat it in a specific territorial jurisdiction.

Increased cybercrime and law enforcement organisations’ failure to deal with it effectively create a vicious spiral. In the lack of effective mechanisms to control and resolve such crimes, such criminals’ confidence grows, resulting in more occurrences and atrocities.

Simultaneously, it weakens the morale of the broader populace harmed by such crimes. 

C.     India’s experience with Cybercrime

According to NCRB data, 9,622, 11,592 and 12,317 instances were registered in 2014, 2015, and 2016. From January to June of this year, the Indian Computer Emergency Response Team (CERT-In) reported 27,482 occurrences of cybercrime. India was the third worst impacted country by the malware WannaCry, with over 40,000 machines compromised. However, these figures do not represent the entire story because the vast majority of such incidents go unreported. NCRB relies on police data and categorizes a cybercrime incidence only if an FIR was filed under the relevant legal provisions.[11]

IV.            The Cybercrime Convention

The Council of Europe’s Convention on Cybercrime, often known as the Budapest Convention, was the first international convention to address cybercrime. The convention focuses on crimes perpetrated via the Internet and other computer networks and includes rules that expressly address computer-related fraud, copyright infringements, child pornography, and network security breaches. According to the preamble, the fundamental goal of the agreement is “to pursue… a common criminal policy aimed at protecting society against cybercrime, among other things, by adopting appropriate legislation and fostering international cooperation.”[12] The Convention focuses on harmonizing member states’ internal legislation and improving collaboration among them. 

The Convention was drawn up by the Council of Europe with the participation of its observer states Canada, Japan, Philippines, South Africa and the United States. It was adopted by the Council of Europe’s Committee of Ministers at its 109th session, on November 8, 2001 and was opened for signature in Budapest on November 23, 2001. The Convention entered into force on July 1, 2004.[13]

The focus of laws dealing with cybercrime in most jurisdictions has largely been on the criminalisation aspect, i.e., either the creation of new offences or the adaptation of existing provisions to address the challenges of cybercrime. Most of these provisions evolved over time as per the local experience in each of these jurisdictions.

The Convention defines four major types of substantive offences:
1. Violations of computer data and system confidentiality, integrity, and availability
2. Computer-related infractions
3. Offences relating to content
4. Violations of copyright and related rights.
The Convention provides substantive provisions for the criminalization of attempting to commit a crime, as well as aiding or abetting and corporate culpability.

The procedural legislation provisions cover:

 1. expedited preservation of stored computer data; 

2. production orders; 

3. search and seizure of stored computer data; and 

4. real-time computer data collection. 

The Convention also includes measures for jurisdiction establishment and international cooperation. The Convention establishes a legal framework for fostering international cooperation among member states by imposing general and specific measures such as requiring member states to cooperate to the “greatest extent possible,” to take urgent and immediate measures to preserve data related to offences, and to provide efficient mutual legal assistance. The Convention aims to establish critical channels of cooperation by leveraging Interpol’s I-24/7 global communication system as well as the existing Interpol network, which includes designated investigators working in national computer crime units in more than 120 countries, also known as National Central Reference Points.
An supplementary protocol entered into place in 2006, providing for the introduction of legislative measures to recognise and prosecute racist or xenophobic actions.[14]

A.     What are the advantages and consequences of the Convention on Cybercrime?

Beyond the specific provisions foreseen in this Convention, the Budapest Convention is more than a legal document; it is a framework that allows hundreds of practitioners from Parties to share experience and build relationships that facilitate cooperation in specific cases, including emergency situations.

The Budapest Convention may be used as a guideline, check list, or model law by any government. In addition, becoming a Party to this treaty implies extra benefits.

B.      Who are the Budapest Convention’s signatories?

Any State may join the Convention by following the method outlined in Article 37.

Once a (draught) law indicating that a State has already implemented or is likely to implement the provisions of the Budapest Convention in domestic law is available, the Minister of Foreign Affairs (or another authorised representative) would write to the Secretary General of the Council of Europe expressing his or her country’s desire to join the Budapest Convention. The State would be invited to join the Convention once the current Parties reached an agreement.

V.            Why is India not a signatory to the Cybercrime Convention?

Despite encountering difficulties in combating cybercrime due to territorial jurisdictional considerations, India remains a non-party to the Budapest Convention. Although no formal declaration has been issued as to why India is not a party to the Convention, it can be assumed that there are some reservations regarding the convention itself. Based on the limited information available in the public domain, India’s objections to becoming a party to the convention can be broadly classified into the following headings.
i. Not being a party to the convention’s drafting
ii. Participation in future convention/protocol development
iii. Article 32 of the Convention in relation to sovereignty 
iv. The efficacy of the legal assistance provisions.

VI.            Resolution Led by Russia

The Russian proposal, titled “Preventing the Use of Information and Communication Technologies for Criminal Purposes,” was recently submitted to the United Nations General Assembly (UNGA).
This current UN proposal follows prior Russian proposals, such as the “Draught United Nations Convention on Cooperation in Combating Cybercrime” in 2017 to draught a UN cybercrime treaty. The Russian plan calls for the formation of a committee that will meet in New York in August 2020 to draught a new treaty that will allow nation-states to collaborate and share data to combat cybercrime.
This drafting Convention goes well beyond what the Budapest Convention allows for in terms of cross-border data access, including limiting a signatory’s power to refuse to deliver requested data.[15]

This is why some human rights organisations have criticised the UN proposal as a means of extending a Chinese and Russian form of internet governance, also known as the “closed Internet” or “state-controlled internet.”
If the UNGA approves this resolution, it will become the second worldwide convention on cybercrime.
Russia and China have challenged the Budapest Convention on the basis of national sovereignty considerations, proposing their own convention at the United Nations.

A.     stance of India

India remained a non-member of the Europe-led Budapest Convention. Nonetheless, India supported a Russian-led UN resolution to establish a separate treaty.
According to the Intelligence Bureau (IB), exchanging data with foreign law enforcement agencies violates India’s national sovereignty.
India has previously stated that it will not sign the Budapest Treaty because it was negotiated without its input.

B.      India’s Data Protection Act

Due to the lack of a solid legislative framework, India’s data protection regulations are currently beset with several issues and resentments. The legal framework contains the following provisions:
Information Technology Act, 2000: The IT Act includes provisions (for example, in sections 43A and 72A) concerning cyber and IT-related laws in India.

Compensation for failure to protect data under Section 43A.
Section 72A: Any knowingly and willfully disclosed material without the consent of the person concerned is punishable by imprisonment for up to three years.

However, these regulations neither protect against data breaches nor impose a right-based foundation for privacy.
Under Article 21, the Supreme Court unanimously concluded in Justice K. S. Puttaswamy (Retd.) vs Union of India (2017) that citizens have a constitutionally protected fundamental right to privacy that is an integral aspect of life and liberty.
As a result, in order to establish a strong data protection framework, the government has proposed the Draught Personal Data Protection Bill, 2018 (based on the Justice BN Srikrishna Committee’s suggestion).[16]

VII.            Conclusion

As demonstrated by the preceding discussion, the answer to the question of whether India should be a party to the Budapest Convention is not simple. Despite pressing the problem of an international system to handle cybercrime at numerous international forums, India is still not a party to the only binding international instrument in the sector. There are a number of difficulties highlighted by Indian authorities that prevent India from accepting the Budapest Convention. 

Indian foreign policy has evolved its own approach to international diplomacy, shaped by various domestic events during the early years of the republic, the economic crisis of the early 1990s, and international exclusionary politics during the 1980s and 1990s, and has been successful in carving out a unique space for itself in the global arena. The issues associated with cyberspace legislation and the threat of cybercrime are still developing, and the international community’s response has been noticeably delayed. In light of this, a wait and watch policy cannot be entirely criticised.

On the other hand, the Indian experience demonstrates that the epidemic of cybercrime is on the rise, and efforts to achieve more digital inclusion on the domestic policy front may result in higher cybercrime dangers. 

While the issues raised in this study cannot, in any case, be dismissed as insignificant, they must be evaluated in a realistic perspective. With a substantial portion of internet resources currently located in developed western countries, India’s investigation of such crimes inevitably necessitates collaboration from other countries, with India typically acting as a requesting party. Currently, this cooperation is supported by diplomatic efforts that are undertaken on a case-by-case basis. The outcome of such meetings is highly unpredictable and is determined by the diplomatic dynamics in place with the requested party at the moment.

Based on mutuality, these diplomatic channels may also constrain India’s options in the event of a request for help from these countries, as India may not be able to deny such a request in order to maintain the mutual relationship.

Even if membership in the convention isn’t much of a practical advantage (the evaluation report indicates that, despite the requirements of the conventions, the parties to the Convention use alternative channels of contact), it can be a tactical advantage. It will provide India the moral legitimacy to request aid from other countries while also allowing it to decline any request that falls outside the scope of the treaty. In view of the foregoing discussion, it is proposed that India consider becoming a party to the Budapest Convention.

VIII.            References

  1. https://www.coe.int/en/web/cybercrime/the-budapest-convention
  2. https://ili.ac.in/pdf/dpa.pdf
  3. https://www.drishtiias.com/daily-updates/daily-news-analysis/convention-on-global-cybercrime
  4. https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
  5. https://rm.coe.int/1680081561
  6. https://www.orfonline.org/expert-speak/india-and-the-budapest-convention-why-not/
  7. https://indianexpress.com/article/india/on-global-cybercrime-india-votes-in-favour-of-russia-led-resolution-6130980/

 

[1] The Economic Impact of Cybercrime – No Slowing Down, available at:https://csisprod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf (last visited on April. 2,2023).

[2] Norton Cyber Security Insights Report Global Results, available at:https://www.symantec.com/content/dam/symantec/docs/about/2017-ncsir-global-results-en.pdf (last visited on April. 1, 2023).

[3] DineiFlorˆencio and Cormac Herley, “Sex, Lies and Cyber-crime Surveys”, available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2011/06/SexLiesandCybercrimeSurveys.pdf (last visited on march. 31, 2023).

[4] Convention on Cyber Crime also known as Budapest Convention, European Treaty Series No 185, available

at:https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016800

81561(hereinafter referred as “Budapest Convention”).

[5] 2018 Internet Security Threat Report, available at:https://www.symantec.com/security-center/threat-report (last visited on Feb. 4, 2023).

[6] An attack directed at a specific target or targets as opposed to widescale indiscriminate campaigns. See. Id. at 24.

[7] 9 Internet users in the world, available at: http (last visited on Feb. 27, 2023).

[8] Sam Frizell, “Russian Crime Ring Said to Steal More Than a Billion Internet Passwords“Time(Aug. 5, 2014) available at:http://time.com/3083504/russian-hackers-passwords/ (last visited on Feb. 27, 2023).

[9] 3The evolution of cybercrime, available at:https://hub.packtpub.com/the-evolution-cybercrime/ (last visited on Feb. 27, 2023).

[10] Hamid Jahankhani, A. Al-Nemrat, et.al. “Cybercrime classification and characteristics” in Francesca Bosco,

Andrew Staniforthet.al., Cyber Crime and Cyber Terrorism Investigator’s Handbook (Elsevier, Waltham, 2014)

Available at:

https://www.researchgate.net/publication/280488873_Cyber_crime_Classification_and_Characteristics (last

visited on Feb.1, 2023).

[11] National Crime Records Bureau, Crime in India 2016 (Ministry of Home Affairs, 2016).Available at: http://ncrb.gov.in/StatPublications/CII/CII2016/pdfs/NEWPDFs/Crime%20in%20India%20- %202016%20Complete%20PDF%20291117.pdf(last visited Feb. 4, 2023).

[12] Supra note 4.

[13] 6Jonathan Clough, “A World Of Difference: The Budapest Convention on Cybercrime And The Challenges of Harmonisation” 40(3) Monash University Law Review 698-736 (2014). Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2615789(last visited on Feb 8, 2023).

[14] .Budapest Convention, chapter II, section 1, title 1, arts. 2-6 include offences such as illegal access, illegal interception, data interference, system interference and misuse of devices.

[15] Drishtiias,{https://www.drishtiias.com/daily-updates/daily-news-analysis/convention-on-global-cybercrime} (last visited Feb. 27,2023).

[16] Supra note 15.