Jurisdiction for criminal offenses of cybercrime – international and national standards

©

1.    Introductory considerations

The immeasurably great opportunities in all spheres of social life that have appeared to man with the development of information technologies have undoubtedly entailed certain risks and social dangers that are reflected in various types of misuse of computers, computer systems and computer networks, above all the Internet.

Respecting all the specifics of computer crime, and especially its transnational character, the international community has a strong motive to establish a general normative framework for regulating the issue of defining computer crime and determining the rules of jurisdiction for prosecuting these crimes. However, reasons of sovereignty, political independence, interest in conducting criminal proceedings and the like prevent the international community from establishing uniform rules at the universal level, while the rules set at the regional level are not sufficiently up-to-date, not binding or not sufficiently widely set.

2.    General remarks on computer crime and the question of jurisdiction in combating computer crime

Regarding the definition of computer crime, in general, it can be stated that computer crime includes both active and passive use of a computer, and even the storage of evidence of a committed criminal act in a computer or in electronic form, while the victims and possible victims are all natural and legal persons. that use or depend on computers and databases (Rome Memorandum, 2008). In this sense, the computer, as a characteristic feature of computer crime, appears in different functions: 1) the object of the execution of the criminal act ; 2) the subject of the criminal act ; 3) means of committing the crime ; 4) “weapon” or means (Vidić, 2016, p. 94).

When it comes to the definition of computer crime itself, there is no single and generally accepted definition of computer crime in the literature. The first and most general definition was given in 1979 by the US National Law Institute in The Criminal Justice Resource Manual of computer Crime (Parker, 1989) , according to which computer crime is understood as “any illegal act for which successful criminal prosecution requires good knowledge of computer technology.” Such a broad definition will serve as a starting point for the international legal definition of the concept of computer crime.

From the point of view of criminal law theory, computer crime, as a general form of manifestation of various forms of criminal activity, is crime directed against the security of information (computer) systems as a whole or in its individual parts, which, in different ways and by different means, is intended to to gain some benefit for oneself or another or to cause some harm to another (Jovašević & Hašimbegović, 2004;

It is a generally accepted definition that the jurisdiction of an authority, in terms of criminal proceedings, implies the right and obligation of that authority to conduct and conclude one proceeding in one criminal case depending on the severity of the criminal offense, expressed in the prescribed sentence and the characteristics of the perpetrator of the criminal offense.

Jurisdiction, therefore, no longer depends only on the physical presence of a person on the territory of a country. However, even under this expanded view of jurisdiction, a state cannot “exercise jurisdiction to prescribe rules of conduct in relation to a person or activity connected with another state when the exercise of such jurisdiction would be unreasonable (Restatemen 1987, para 403(1) ).3

So, as can be concluded, the appearance of computers, computer systems and computer networks, as well as their development and the expansion of the use of these novelties, caused changes in the previous approaches to jurisdiction for trial in criminal matters, because the previous concepts, mostly based on the principle of territoriality, they could no longer maintain as absolute.

3.    International standards regarding jurisdiction for prosecuting criminal offenses of computer crimes

Bearing in mind the fact of the spread of information technologies and, consequently, computer crime, as well as the importance of suppressing this phenomenon and the consequences it causes, it is not surprising that the international community, both at the universal level, within the United Nations, and at regional levels (Council of Europe, European Union), intervened in the field of computer crime. Consequently certain international documents in the field of high-tech crime, which foresee criminal acts and mechanisms by which these acts can be prevented, also determine the rules on jurisdiction for the prosecution of these criminal acts. The most detailed and relevant, certainly, is the Convention on High-tech Crime.

It can be stated that significant progress has been achieved on the international level with regard to the normative regulation of computer crime, but that there are still significant problems related to international cooperation and global efforts to combat computer crime.4

4.    International standards contained in United Nations documents

As part of the work of the General Assembly, the United Nations adopted several resolutions dedicated to computer crime.5

Work in the field of legal regulation of computer crime The United Nations began in 1990, when the Resolution on legislation in the field of computer crime was adopted at the VIII UN Congress on the Prevention of Crime and the Treatment of Offenders (8th UN Congress on the Prevention of Crime and the Treatment of Offenders ) held in Havana. After the adoption of this Resolution, in 1994, the OUN Manual on the prevention and control of computer crime was adopted, and then in May 1998, the Geneva Resolution on the abuse of the Internet for the purpose of sexual exploitation. The Geneva resolution stated that the Internet is currently the most unregulated communication network in the world with new technologies that represent a major challenge for national and international regulation and application, and warned that various forms of sexual exploitation are being promoted on the Internet for the purpose of sexual entertainment. In order to reduce these phenomena, the Resolution contains recommendations to influence the reduction of human trafficking, prostitution and sexual exploitation on the Internet. 6In 2000, the General Assembly of the United Nations adopted the Resolution on the fight against misuse of information technologies. This Resolution highlights the importance of certain measures in the fight against misuse of information technologies.7

At the 10th Congress of the United Nations in 2005, which was dedicated to crime prevention, a working group of experts defined computer crime as a general term that includes criminal acts committed through computer systems or networks. This means that this term includes any criminal offense committed in the electronic environment (Matijašević & Ignjatijević, 2010, p. 853). In the plenary part of the session dedicated to computer crime, it was stated that it is possible to recognize two types of computer crime (Nikić, 2010): (1) computer crime in the narrower sense, which includes any illegal behavior aimed at the electronic security operations of computer systems and the data processed in them (which includes acts related to unauthorized access to a computer system or network by violating security measures; damage to computer data or programs; computer sabotage; unauthorized interception of communications from and in computer systems and networks; computer espionage), (2) computer crime in the wider sense, which includes any illegal behavior related to or in relation to a computer system and network, including such criminality as the illegal possession, offering and distribution of information through computer systems and networks (such as computer forgery; computer theft; technical manipulation of devices or electronic skim components of the device; abuse of payment systems such as manipulation and theft of electronic credit cards or use of false codes in illegal financial activities).

As can be concluded from this brief overview, it is clear that there is still no universal convention or any other act that comprehensively regulates the issue of cyber and computer crime, but the regulation is limited to recommendations, manuals and the like. On the other hand, efforts within the UN are mainly focused on substantive criminal law, that is, prescribing a unique definition of certain forms of computer crime, while defining jurisdiction for prosecuting these crimes is, for now, on the back burner.

However, with the increasingly widespread occurrence of computer crime, and attacks directed at the computer systems and databases of various governments and international organizations, while the perpetrators of these acts are as a rule outside the jurisdiction of the injured states or international organizations, namely the United Nations, therefore, announced the imminent adoption of the text of the universal convention on cybercrime.

In our opinion, when regulating this issue, the United Nations should, as a starting point, take the Convention of the Council of Europe on high-tech crime no. 185 from 2001, and the concept of obligation and rules to preserve national sovereignty should be regulated according to the model of the UN Convention on Combating Transnational Organized Crime.

5.    Standards contained in the documents of the Council of Europe – Budapest Convention

Convention no. 185 adopted within the framework of the Council of Europe in 2001, after several years of work on harmonizing the integral text of this convention.

The convention has as its goal, first of all, the harmonization of domestic substantive criminal law provisions in the field of computer crime, enabling the domestic criminal procedural legal framework to provide competent state authorities with the powers necessary for the effective detection and prosecution of perpetrators of these crimes, as well as the establishment of a quick and effective framework of international cooperation in this area. The provisions of the Convention are systematized in four chapters: the first chapter defines the concepts, the second, foresees the measures that need to be taken at the level of individual states within the framework of criminal substantive and procedural legislation, the third chapter refers to international cooperation within the framework of mutual assistance in the fight against computer crime and the fourth relates to the final provisions of signing and entry into force (accession, territorial application, declarations, reservations, settlement of disputes, cancellation, etc.). The importance of the Convention lies primarily in the fact that its adoption enabled national legislations to develop their own network of combating computer crime based on the provisions of the Convention (Vidić, 2016, p. 265).

When, on the other hand, we talk about the rules on jurisdiction for prosecuting computer crimes, the Convention devotes only one article to this issue: Article 22 of the Convention.

According to the provision of this article, paragraph 1, each “Contracting Party should adopt legislative and other measures necessary to establish jurisdiction for each act prescribed in accordance with articles 2–11 of this Convention, when the act is committed:

• a)    on its territory; or

• b)    on a ship under the flag of that contracting party; or

• c)    in an aircraft registered in accordance with the laws of that contracting party;

• d)    by its citizen, if the act is punishable under the criminal law of the country where it was committed or if the act was committed in a place outside the jurisdiction of any country.”

From the above, it can be clearly determined that, in this paragraph, the Convention sets as a general rule, and insists on it, jurisdiction according to the traditional principle of territoriality9 – the contracting state will have jurisdiction when the act was committed on its territory, accepting, at the same time, the rules on extraterritorial places and jurisdictions of the state. This approach, although theoretically and legally correct, which stems from the concept of sovereignty, can no longer be accepted in modern conditions.

It is true that point g) of this paragraph allows the contracting state to prosecute its citizen for an incriminated offense that he committed abroad, but only if that offense is double incriminated – that it is prescribed as a criminal offense both in the country that wants to undertake the criminal prosecution of his citizen, as well as in the state where the act itself was committed. Also, the state will have jurisdiction to prosecute even if the crime was committed in an area that does not fall under the jurisdiction of any other state.10 However, these rules on criminal jurisdiction are, in our view, part of the generally accepted legal principle regarding criminal jurisdiction and the interest of each state, and represent the usual “expansion” of the criminal jurisdiction of a country, and not specific rules on the jurisdiction of this Convention.

Thus, adapting and more extensively understanding the concept of territoriality, the Report (para. 233) points out that, according to Article 22, paragraph 1a, the contracting state could establish territorial jurisdiction if both the perpetrator (attacker of the computer system) and the attacked system are located within the territory of that country (which is the application of the classical principle of territoriality), but the state will have the authority to prosecute even when only the attacked computer system is located within the territory, regardless of whether the perpetrator of the act (according to the Report – the “attacker”) is not located on the territory of that country. This approach can be justified from two aspects. First, the very nature of computer crime, which often has an international element, dictates the expansion of the traditional concept of territorial jurisdiction. Especially in modern times, it is relatively common for attacks on computer systems in one country to come from the territory of another country. If the requirement that both the attacked system and the attacker should be located on the territory of the same country, in order for it to have jurisdiction, would remain, the efforts of the international community to combat transnational computer crime would be significantly obstructed. In addition, such type of criminal activity would not need to be regulated at the international level – it would be the domain of exclusive national jurisdiction. In addition, the general interest of the international community, embodied through various international and regional organizations, is not to intervene and regulate the internal issues of each country, but to normatively regulate those issues that are of international importance, that have an international element, that is, that concern several countries. On the other hand, it is a theoretically legally acceptable position regarding extended territorial jurisdiction if the moment of the committed act is taken into account. Namely, criminal acts of computer crime, as a rule, are not consequential crimes. Therefore, it is not required that the damage actually occurred, or that the data was actually changed. For the existence of a crime, it is sufficient that a breach in the computer system (hacking) has occurred. Even the penetration of the computer system represents damage in itself, and the deed is completed.11 Therefore, although the opposite could be argued, we believe that, bearing in mind the peculiarity of computer crime, it can be considered that the consequence of the action – hacking – occurred on the territory of the country where the specific computer system is located. In addition, the country in whose territory the computer system that is attacked has the strongest interest in prosecuting the attackers of that computer system. For all the reasons stated, this determination of the authors of the Convention is completely acceptable, reasonable and justified.

When it comes to the rules on extraterritorial places and jurisdiction, paragraph 2 of Article 22 of the Convention stipulates that each Contracting Party may retain the right not to apply, or to apply only in certain cases or under certain circumstances, the rules on jurisdiction specified in paragraphs 1b) to 1g) of this article or in another part of that article. The linguistic interpretation alone easily leads to the conclusion that this provision allows the contracting states to express reservations in relation to the rules of jurisdiction in these cases, in such a way as to completely exclude the application of these rules, or to partially exclude them, or to bind their application to occurrence of any additional condition (Report, para. 238). However, the contracting states cannot exclude, limit or condition the application of the rule of territorial jurisdiction from point a) of this paragraph, considering that the exclusion of that basis of jurisdiction would completely defeat the purpose of international regulation of this issue.

Each Contracting Party should adopt the measures necessary to establish its jurisdiction over the acts listed in Article 24, paragraph 1 of this Convention, after submitting a request for extradition, in cases where the suspect is on its territory and the Contracting Party only of his or her citizenship, shall not be extradited to the other contracting party (Article 22, paragraph 3 of the Convention). This provision embodies the general legal principle of public international law aut dedere aut judicare (extradite or prosecute). In the case when the contracting party refused to extradite the alleged perpetrator of the crime prescribed by the Convention on the basis of his nationality, and the perpetrator is present on its territory, it was necessary to prescribe the jurisdictional rule from paragraph 3, to ensure that those states that refuse to extradite citizens have the legal possibility to, instead of extradition, undertake investigation and prosecution, if requested by the contracting state that requested extradition in accordance with the rules of “Extradition”, from Article 24, paragraph 6 of this Convention (Report, para. 238). This rule, therefore, preserves the basic principle of international law – deliver or judge. In addition, if one member state could refuse both extradition and trial for the offense provided for in the Convention, then neither the Convention itself nor the international regulation of the fight against international computer crime would have any meaning or purpose. That is why the obligation provided for in this provision is, by its very nature, an objective obligation – states are obliged to adopt the measures necessary to preserve the extradite or try principle.

According to paragraph 4 of Article 22, this Convention does not exclude jurisdiction for any criminal prosecution undertaken in accordance with domestic law. As already pointed out, this Convention was adopted after several years of consultation and harmonization of the draft of its text. In addition, it represents a compromise of different countries, different systems and political interests. In addition, this Convention aimed to establish a minimum of uniform rules in this area. That is why, in this position, it has been established that the rules on the bases of jurisdiction set forth in this article are not numerus clausus, that is, they are not of an exclusive nature, and the contracting parties are essentially free to, in accordance with their internal criminal legislation, establish other bases and types of criminal jurisdiction (Report , para. 238).

When several Contracting Parties assert jurisdiction over an alleged act prescribed in accordance with the Convention, those Contracting Parties shall consult each other, when appropriate, regarding the determination of the most appropriate jurisdiction for prosecution (Article 22, paragraph 5 of the Convention). Therefore, as it was pointed out earlier, this Convention, taking into account all the circumstances in which it was adopted, does not contain a concrete mechanism for resolving conflicts of jurisdiction. That is, there are no clear rules according to which the dispute will be resolved if two or more states simultaneously establish jurisdiction in relation to the same offense and the same perpetrator. According to the explanation from the Report (para. 239), it can be concluded that the idea was that, in the case when several of them establish jurisdiction, they will agree on where to prosecute and for which offense, all guided by the rational interests of easier enforcement investigations, prosecutions, evidence, etc. However, this explanation seems more like an effort to justify the prescribed rule as completely reasonable and logical, and not as a result of the impossibility of political compromise. It is completely clear that no country wants to give up its jurisdiction, as an expression of its sovereignty. Each state will therefore have an interest and a desire to prosecute the perpetrator of an act directed against it, its order and its subjects. However, it is also a reality that at a given moment it was necessary to first make a step forward in the fight against computer crime at the international level, and during the adoption of this Convention a compromise was made regarding the rules on jurisdiction. This is all the more so since even the consultations prescribed by paragraph 5 of Article 22 are not mandatory in every case of jurisdictional disputes, but will only take place “when it is appropriate.” This, further, means that if State A considers that consultations are expedient, and State B considers that they are not, consultations will not take place (Report, para. 239).

In truth, with the special and extensive rules on international cooperation contained in the Convention (Articles 23-35 of the Convention), the authors of the Convention tried to replace the relatively loose rules on jurisdiction with extensive rules and obligations on international cooperation. This effort is further embodied in the 2021 Second Additional Protocol on Enhanced Cooperation and Discovery of Electronic Evidence.

The Budapest Convention certainly represented the first and important step in the right direction towards universal regulation of the issue of combating and suppressing international computer crime, which is more relevant today than ever. In addition, this Convention laid the foundations for individual national legislations to more precisely determine the features and characteristics of individual computer crimes, their basic, easier or more serious forms, and to prescribe criminal sanctions for their perpetrators (natural or legal entities) (Jovašević, 2014, p. 41).

6.    National standards regarding competence for prosecuting criminal offenses of computer crimes

When it comes to domestic legislation, it is necessary to look at the issue of computer crime from the aspect of assumed international obligations and from the aspect of the internal regulation of normative and institutional regulation of the issue of jurisdiction for the prosecution of criminal acts of computer crime.

Regarding the aspect of assumed international obligations, the Republic of Serbia signed the Council of Europe Convention on High-tech Crime and the Additional Protocol back in 2005, and finally ratified them in 2009, without reservations or declarations. In addition, the Republic of Serbia signed the Second Additional Protocol to this Convention in May 2022, but it has not yet been ratified. The Republic of Serbia hereby undertakes to prescribe and establish normative and institutional prerequisites for successfully combating computer crime.

To that end, several regulations (laws and by-laws) were adopted in which certain provisions of the Convention were implemented and on the basis of which an institutional framework was created for their implementation. The most important among them are the following laws: the Law on the Organization and Competence of State Bodies for Combating High-Tech

Crime12, the Criminal Code of the Republic of Serbia and the Criminal Procedure Code of the Republic of Serbia.

Special rules on jurisdiction refer to special state bodies that are responsible for detecting, prosecuting and adjudicating high-tech crimes. This primarily refers to special units within the Ministry of Internal Affairs, the Special Prosecutor’s Office for High-Tech Crime, as well as the rules on jurisdiction. Thus, the Law on the Organization and Competence of State Bodies for Combating High-Tech Crime, Article 4, Paragraph 1 prescribes that the Higher Public Prosecutor’s Office in Belgrade is responsible for handling cases of criminal offenses from this law for the territory of the Republic of Serbia, while Paragraph 2 of the same Article prescribes that a special department for the fight against high-tech crime be formed in the High Public Prosecutor’s Office in Belgrade (hereinafter: Special Prosecutor’s Office). According to Article 5, the work of this Special Prosecutor’s Office is managed by the High-Tech Crime Prosecutor, who is appointed for a period of four years by the Public Prosecutor of the Republic, with the consent of the appointed person. This Prosecutor has all the rights and obligations of a public prosecutor (according to the latest amendments to the Constitution of the RS, he is the Chief Prosecutor). On the other hand, the provisions of Article 10 and 11 of the Law define the jurisdiction and organization of courts in terms of trials for criminal offenses within the scope of this Law. Thus, Article 10, Paragraph 1 stipulates that the High Court in Belgrade is competent for dealing with cases of criminal offenses from this law, for the territory of the Republic of Serbia, while Paragraph 2 determines that the Court of Appeal in Belgrade is competent for decision-making in the second instance. 13Article 11, on the other hand, stipulates that the High Court in Belgrade shall establish a (special) Department for the fight against high-tech crime in the High Court in Belgrade to deal with cases of criminal offenses from this Law, which will consist of judges appointed by the President of the High Court in Belgrade from among the judges of that court , for a period of 2 years, and with their consent.

With regard to the organization and competence of the internal affairs body, as an investigative body, in Article 9 of the Law on the Organization and Competence of State Bodies for Combating High-Tech Crime, the Office for the Fight against High-Tech Crime is established for the work of the internal affairs body in cases related to these crimes which is located within the Ministry of Internal Affairs, and which acts according to the requests of the Special Prosecutor.

So, as we can see, with this Law, the concentration of jurisdiction was carried out both in terms of the actions of the prosecution, as well as in terms of the actions and trials of the court, by this regulation deviating from the general rules of local jurisdiction contained in the Code of Criminal Procedure by jurisdiction is concentrated in the High Public Prosecutor’s Office in Belgrade and the High Court in Belgrade, with their special departments. In practice, there are no major problems in determining the competence for the actions of special departments. In addition, although it is not explicitly determined by this Law, the High Court in Belgrade is the only one competent to provide international legal assistance in criminal acts of high-tech crime, in the sense of the Budapest Convention. This approach, according to the author, could be initially accepted, taking into account the fact that high-tech crime was not so widespread at the time of the adoption of the first law in this area (2005). However, in modern times, the prevalence of computer crime, which our legislator defined even more widely than the international standard, is so great that it would be completely justified, if not necessary, to establish appropriate special departments of the prosecution and courts in Novi Sad, Kragujevac and Nan, and in that sense, a partial deconcentration of jurisdiction should be implemented, and as it was done also with regard to organized crime.

7.    Conclusion

Computer crime certainly represents one of the biggest security challenges of the twenty-first century, both for developed and less developed countries. Effective prevention, detection and initiation of proceedings against perpetrators of criminal offenses is further hampered by its transnational character.

The international community, due to different interests, which mostly rest on the sovereignty of each state, has not yet established minimal uniform rules on a universal level that would regulate some issues in the field of cybercrime. The Council of Europe, as a regional organization, has, we have seen, intervened and adopted the Convention on High-Tech Crime, with two additional protocols. However, even within these documents, the question of jurisdiction is loosely regulated, precisely because of the absence of the will of the contracting states to renounce their jurisdiction for criminal acts of computer crime. There, as the biggest problem, the issue of resolving conflicts of jurisdiction may arise when one of the states claiming jurisdiction does not consider it expedient to participate in the consultations. Protection of the national interest, the principle of sovereignty and jurisdiction for criminal prosecution as an expression of the same, are certainly high values that the state should protect. However, the danger of transnational cybercrime is immediate and high, and this circumstance must have an impact on the attitude of countries regarding the prosecution of these acts prescribed by the Convention. The idea of establishing a European tribunal for high-tech crime, with complementary jurisdiction, does not seem completely unacceptable either – if the states fail to agree, through consultation, on which of them will exercise jurisdiction. Certainly, it is necessary for the international community to settle this issue in the shortest possible time in the most comprehensive way.

When it comes to our country, Serbia, by ratifying the Convention and the Additional Protocol and incorporating its provisions into the national legislation, has shown a clear will and readiness to fight against high-tech crime, and the normative solutions in Serbia in this area represent a good basis for leading a successful fight against this type of crime. criminality. Also, the existing normative solutions are harmonized to a significant extent with European standards, i.e. with the Convention and the Additional Protocol. However, in the future, we should work on strengthening the technical-technological and personnel conditions for detecting and prosecuting these crimes. In addition, de lege ferenda, our legislator should carry out a partial deconcentration of jurisdiction from Belgrade to Novi Sad, Kragujevac and Niš.

Dragojlović Joko

Pravni fakultet za privredu i pravosuđe u Novom Sadu, Univerzitet Privredna akademija u Novom Sadu, Srbija