How convenient is the Budapest Convention?

October this year started with a series of unfortunate revelations for Russia – its military intelligence got caught planning a range of cyber attacks against a number of international bodies, such as the Organization for the Prevention of Chemical Weapons, as well as attacks directed at the United Kingdom’s Foreign and Commonwealth Office and its Defence and Science Technology Laboratory. It is never a good day when you get caught with your hand in the cookie jar. The UK government publicly condemned the action – and asked Russia not to do it again – by boldly labelling Russia a “pariah state” with no respect for “international law or respected norms”. The international law and respected norms mentioned by the UK refer to the single standing piece of legislation binding the European states in establishing digital security, the Budapest Convention of 2001.

The Council of Europe Convention on Cybercrime, or the Budapest Convention, is the first-ever international treaty seeking to unify national judicial efforts in combatting crime in cyberspace. Today, 61 countries have ratified the convention, including states outside continental Europe, such as the United States of America, the Philippines, Sri Lanka, Morocco, Israel, Japan, Canada, Australia and others. Russia is the state in the Council of Europe that has neither signed nor ratified the convention, arguing that it violates Russian sovereignty, and has refused to cooperate on any investigations related to cyberspace.

Now what makes it convenient for Russia to boycott the treaty is that, first of all, cyberspace and the Internet are not bound to any particular piece of land in the world. However, the actual servers, computers and wires enabling all things cyber are located on the soil of one country or another, and, depending on the national legislation, the actions considered illegal online can vary exponentially. And this is embedded in the Budapest Convention, the same one that is supposed to protect states from intrusion and hacking by foreign elements. Therefore, if the cybercrime happens abroad, but the IP address of the criminal originates in, for example, Russia, the laws on Russian soil are the ones to be obeyed. Extradition treaties usually do not include cybercriminals; therefore, they end up in this grey zone, where the laws to be obeyed depend on geographic location while the crimes committed are not geographically bound.

More than that, the convention has inherently flexible phrasing, which enables the text to be adopted on the national level according to already existing legislation. But Article 32 brushes away all other articles in the convention.

Article 32 – Trans-border access to stored computer data with consent or where publicly available

A Party may, without the authorisation of another Party:

a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or

b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.

This basically justifies access to any information without proven intent to misuse it. Or, as a Lithuanian saying goes, one is not a thief if he hasn’t been caught by the hand (lit. už rankos nepagautas ne vagis). This phrasing does not only create an exception to territoriality: if a so-called hacker gets official authorisation to access information anywhere in the world, which leads to a larger amount of data that is invisible to a non-technical person, it basically allows them to drain all user-related sensitive data that exists online without running into territorial constraints and differing legislation. Furthermore, this Article grants the exception as a part of international legislation, which can be used as a defence in the judicial process if illegal intent is not proven.

So, if a country, or a service provider based in another country, provides open access to sensitive data without any process of security or intent confirmation, there is as yet no legal way of combating international cyber attacks.

But at least countries are battling over the copyright directive with Silicon Valley.

That’s it for this time. Thanks for reading, and keep away from the trolls!

Cartoon credits @ MAC
