Despite Controversy, Cybercrime Treaty Endures

As the Budapest Convention hits 10 years old this week, proponents say it is crucial in fighting cybercrime

Delegates from around the world are meeting in France this week to discuss the only international treaty dealing with cybercrime, a treaty that has come under fire from some countries but defended by others as a crucial tool in fighting electronic crime.

Wednesday marks the 10th anniversary of the Convention on Cybercrime, also known as the Budapest Convention. The treaty, which was opened for signatures in November 2001, sets guidelines for laws and procedures for dealing with Internet crime.

The treaty has formed a foundation for global law enforcement of cyberspace, requiring countries who abide by it to have uniform anti-cybercrime laws and law enforcement contacts available around the clock, among other requirements.

The Convention is overseen by the Council of Europe, an organization founded in 1949 that also oversees the European Convention on Human Rights.

Council of Europe member countries can sign the treaty, and once their national laws conform with the treaty, their national legislatures can ratify it. Countries outside the council are invited to accede to the treaty.

So far, 32 countries have either ratified or acceded, and 15 other countries have signed the treaty but not ratified yet. Another eight have been invited to accede. The pace over the last 10 years has been slow, but not unheard of for an international treaty.

Some countries, such as Russia, have not signed the treaty, with officials there expressing concern over provisions they allege violate international law norms and countries' sovereignty.

Russia, along with China, Russia, Tajikistan and Uzbekistan sent a letter in September to the U.N. asking for a resolution on a code of conduct in cyberspace, which could include provisions intended to stop terrorists' use of the Internet.

Countries including the U.S. have viewed that proposal with suspicion, believing it may be motivated by an intent to create a legal instrument that could be invoked to unfairly crack down on Internet-based dissent.

The call by Russia, however, isn't necessarily at odds with the Budapest Convention, said Alexander Seger, head of data protection and the cybercrime division of the Council of Europe.

The Budapest Convention focuses on crime, not cyberissues between nation states at a national security level, so "maybe a code of conduct will need to be negotiated," he said.

It would likely be nearly impossible to negotiate a treaty such as the Budapest Convention today because the negotiations would be too difficult, Seger said. The convention is one of the best tools available to tackle the cybercrime threat, he said.

The treaty has been essential in laying down uniform ground rules for dealing with cybercrime, which nearly always involves perpetrators in another country, said Pedro Verdelho, a prosecutor who investigated cybercrime for 11 years and taught computer crime and penal law at the Centro de Estudos Judiciarios in Lisbon.

For prosecutions to work, a computer-related offense in one country also needs to be illegal in another, which is one of the aims of the convention, Verdelho said. The treaty also dictates what kind of investigative procedures are allowed, such as data interception or computer searches.

"If you don't have the legal tools, you cannot cooperate," Verdelho said.

Cybercrime incidents in Australia almost all originate with attacks from outside the country, said Neil Gaughan, an assistant commissioner and national manager of high-tech crime operations for the Australian Federal Police (AFP).

The AFP speak "pretty much on a daily basis" with law enforcement agencies outside Australia on cybercrime issues, which the treaty has helped facilitate. Australia is expect to accede to the treaty soon after amending its law to conform with the treaty.

"It's all about international engagement," Gaughan said.

This year's conference on the treaty, which runs through Tuesday in Strasbourg, will include U.S. White House Cybersecurity Coordinator Howard Schmidt, the U.K.'s Home Office Minister for Crime and Security, James Brokenshire, and Robert McLelland, Australia's Attorney General.

Seger said the cybercrime convention's committee is expected to discuss whether to start work on recommendations for clearer rules for how data can be accessed in data centers, also known as data "in the cloud."

"The fact today with cloud computing is that law enforcement doesn't even know where the data is located," Seger said.

The discussions could revolve around issues such as how other parties should be informed and if electronic evidence obtained will be admissible in court, Seger said.

The committee could eventually issue non-binding recommendations, known as a soft-law instrument. It could also decided to add provisions onto the treaty itself as a protocol, which would require ratification by nations, Seger said.

Nonetheless, the talks would show that proponents of the Budapest Convention "are not static," Seger said.

Send news tips and comments to

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)