The Future of International Law: CyberCrime

Henrik Spang-Hanssen
The Future of International Law:

CyberCrime
From presentation at:
Regional Meeting of ASIL

Golden Gate University School of Law
Seventeen Annual Fulbright Symposium
on
The Future of International Law
San Francisco, 6 April 2007
Abstract:
This Article first deals with the question of to what extent the Convention on CyberCrime have
unreasonable implications for the individual Cybernauts, specially the convention’s basic
principle of “aut dedere aut judicare” – the duty of each party to extradite or to prosecute.
Next, it deals with the problem that the convention pursuant to article 22(4) does not exclude
any criminal jurisdiction exercised by a Party in accordance with its domestic law. It then
describe when a state under public international law has jurisdiction over public international
computer networks (‘the Internet”), including the problem of where the offence is committed
and who is the offender. In addition it deals with the problem of a “minor” being the offender
and mention some Internet related cases involving juveniles.
Finally, it deals with what public international law should embrace in relation to public
international computer networks.
Not printed in: Annual Survey of International and Comparative Law

Volume XIV, Golden Gate University, School of Law
Citation:
Henrik Spang-Hanssen, The Future of International Law: CyberCrime (2008).
Available at SSRN: http://ssrn.com/abstract=1090876
This paper can be downloaded without charge from the

Social Science Research Network Electronic Paper Collection:
http://ssrn.com/abstract=1090876
© 2007 Henrik Spang-Hanssen

e-mail: hssph@yahoo.com
Research website: www.geocities.com/hssph
The Future of International Law: CyberCrime
Henrik Spang-Hanssen*
1. Convention on CyberCrime.............................................................................................................................3
1.1 Parties to the Convention.............................................................................................................................3
1.2 Outline of the Convention ............................................................................................................................4
1.3 The United States of America.......................................................................................................................4
1.3.1. Reservations.........................................................................................................................................5
1.3.2. Declarations .........................................................................................................................................6
2. Some Problems for Cybernauts related to the Convention...........................................................................6

2.1. Article 22 – Jurisdiction..........................................................................................................................6
2.2. Article 24 – Extradition...........................................................................................................................7
2.3. Global jurisdiction to be considered by the individual Cybernaut..............................................................8
2.4. Other Aspects to be considered by the individual Cybernaut......................................................................8
3.1. When is a State allowed to govern pursuant to Public International Law ...............................................8
3.2. When is the Offence-place “in” or “on” the State’s Sphere ?.................................................................13
3.3. Who is the Offender ? .................................................................................................................................15
3.4. Intent ............................................................................................................................................................15
3.5. Extradition ...................................................................................................................................................16
4. Some US Computer Crime Cases after 1998................................................................................................18

4.1. Juveniles....................................................................................................................................................18
4.1.1. U.S. v. An Unnamed Juvenile (D. Mass., March 18, 1998)...............................................................18
4.1.2. U.S. v. "Comrade" (S.D. FL., September 21, 2000) ..........................................................................20
4.1.3. U.S. v. Sanford (N.D. TX, December 6, 2000).................................................................................20
4.1.4. U.S. v. An Unnamed Juvenile (W.D. Wash., February 11, 2005) .....................................................21
5. The Future of (Public) International Law on CyberCrime ........................................................................21
* Henrik Spang-Hanssen is by several person involved in public international law regarded as an extraordinary
scientist and the one or one of very few that is an expert on the issue of public international law and public
international computer network (the “Internet”). He has primarily done research from Stanford University in
California, Oxford University in England, and the Norwegian Research Center for Computer and Law, Oslo
University, Norway. He first time used a computer back in 1971 at the Niels Bohr Institute in Copenhagen. He
has Master’s degrees in Law from Denmark and California (US High Tech Law). He is a licensed Supreme
Court attorney-at-law in Denmark and has previously worked as prosecutor in Danish Appeal Courts. He is a
previous student at the Technical University of Denmark.
He is the author of the books: Cyberspace Jurisdiction in the U.S. (2001), Cyberspace & International
Law on Jurisdiction (2004) and Public International Computer Network Law Issues (2006).
© Henrik Spang-Hanssen – Page 2/22

1. CONVENTION ON CYBERCRIME
The Convention on CyberCrime of 23 Nov. 20011 – by some called the Budapest Convention – went
into to force on 1 July 2004. In addition, there exists an “Additional protocol2 to the Convention on
Cybercrime, concerning the criminalization of acts of a racist and xenophobic3 nature committed
through computer systems”. To both the convention and the protocol exists explanatory reports.4 The
Convention and its Explanatory Report have been adopted by the Committee of Ministers of the
Council of Europe at its 109th Session (8 November 2001) and the Convention was opened for
signature in Budapest on 23 November 2001.
It is the only existing multilateral treaty to specifically address computer-related crime and the
gathering of electronic evidence.
1.1 Parties to the Convention

As of April 1, 2007, the Convention itself has:5
24 signatures not followed by ratifications
19 parties of the Treaty (Albania, Armenia, Bosnia & Herzegovina, Bulgaria, Croatia,
Cyprus, Denmark,6 Estonia, France, Hungary, Iceland, Lithuania, Netherlands, Norway,
Romania, Slovenia, the former Yugoslav Republic of Macedonia and Ukraine & United
States of America).
The Protocol has as of April 1, 2007:
21 signatures not followed by ratifications
1
ETS no. 185 of 23 November 2003 (into force 1. July 2004), at
<http://conventions.coe.int/treaty/en/treaties/html/185.htm> [hereinafter Cybercrime Convention].
2
[hereinafter Additional Protocol], at <http://conventions.coe.int/Treaty/en/Treaties/Html/189.htm>.
3
“racist and xenophobic material” means any written material, any image or any other representation of ideas or
theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or
group of individuals, based on race, colour, descent or national or ethnic origin, as well as religion if used as a
pretext for any of these factors, article 2 of the Protocol. See also paras 1 and 10-22 in Explanatory Report to
the protocol, at <http://convention.coe.int/Treaty/en/Reports/Html/189.htm>.
4
EXPLANATORY REPORT OF 8 NOVEMBER 2001 to the convention adopted by the Committee of Ministers of the
Council of Europe [hereinafter CONVENTION-REPORT], at
<http://conventions.coe.int/Treaty/en/Reports/Html/185.htm> (visited December 2005. The Report make
reference to: (1) Implementation of Recommendation N° R (89) 9 on computer-related crime, Report prepared
by Professor Dr. H.W.K. Kaspersen; (2) Report on Computer-related crime by the European Committee on
Crime Problems (CDPC); (3) Problems of criminal procedural law connected with information technology,
Recommendation N° R (95) 13, principle n° 17; (4) Recommendation (89) 9 PC-CY from the European
Committee on Crime Problems.
5
Chart of signatures and ratifications, Council of Europe at <http://conventions.coe.int/Treaty/Commun/
ChercheSig.asp?NT=185&CM=11&DF=22/08/2005&CL=ENG> (visited 1 April 2007).
6
Denmark has made the following reservation (deposited on 21 June 2005) to article 9: The criminal area
according to Article 9 shall not comprehend the possession of obscene pictures of a person attained the age of
fifteen, if the person concerned has given his or her consent to the possession, cf. Article 9, paragraph 1, letter e.
Furthermore, the criminal area according to Article 9 shall not comprehend visual representations of a person
appearing to be a minor engaged in sexually explicit conduct, cf. Article 9, paragraph 2, letter b, at
<http://conventions.coe.int/Treaty/Commun/ListeDeclarations.asp?NT=185&CM=11&DF=7/25/2006&CL=EN
G&VL=1> (visited 24 July 2006). See further, HENRIK SPANG-HANSSEN, PUBLIC INTERNATIONAL COMPUTER
NETWORK LAW ISSUES 459-461, Appendix 9 (DJØF Publishing Copenhagen 2006 - ISBN 87-574-1486-
6)[hereinafter SPANG-HANSSEN-3]. This book include two chapters on Danish criminal and jurisdictional
statutes related to cyberspace issues.
© 2008 Henrik Spang-Hanssen - Page 3 of 22

10 Parties of the Protocol (Albania, Armenia, Bosnia & Herzegovina, Cyprus, Denmark,
France,7 Lithuania, Slovenia, the former Yugoslav Republic of Macedonia and Ukraine).
1.2 Outline of the Convention

A broad outline of the Convention is as follows:
Chapter 1 – Use of terms (art. 1)
Chapter 2 – Measures to be taken at the national level
Section 1 – Substantive criminal law8 (art. 2-13)9
Section 2 – Procedural law (art 14-21)
Section 3 – Jurisdiction (art. 22)10
Chapter 3 - International co-operation
Section 1 – General principles (art. 23 – 28)
• Art 23 – General principles relating to international co-operation
• Art 24 – Extradition
• Art. 25-28 – General principles relating to mutual assistance
Section 2 – Specific provisions (art. 29 – 35)
Chapter 4 – Final provisions (art. 36 – 48) including:
• Art 40 – Declarations (a party can when ratifying declare requiring additional
elements as provided for under art. 2, 3, 6 para 1b, 7, 9 para 3, and 27 para 9e)
• Art. 41 – Federal Clause
• Art. 42 – Reservations (a party can when ratifying declare reservations provided
in art. 4 para 2, 6 para 3, 9 para 4, 10 para 3, 11 para 3, 14 para 3, 22 para 2, 29
para 4, and 41 para 1.
1.3 The United States of America

By letter transmittal of November 17, 2007 the President of the United States of America sent the
Convention – signed by the United States on November 23, 2001 - for advice and consent to the US
Senate. The letter was attached a letter of submittal of September 11, 2003 from the Department of
State.11
7
France has declared to article 6 when ratifying that “France interprets the terms “international court
established by relevant international instruments and whose jurisdiction is recognised by that Party” (Article 6,
paragraph 1) as being any international criminal jurisdiction explicitely recognised as such by the French
authorities and established under its domestic law,
<http://conventions.coe.int/Treaty/Commun/ListeDeclarations.asp?NT=189&CM=11&DF=7/25/2006&CL=EN
G&VL=1> (visited 24 July 2006).
8
A Global Survey of Cybercrime Laws with translation into English is available at Cybercrimelaw.net (a global
information clearinghouse on cybercrime law, edited by Council of Europe expert on cybercrime & Chief Judge
Stein Schjølberg, Norway) at <http://www.cybercrimelaw.net/laws/survey.html >. See also WORLD FACTBOOK
OF CRIMINAL JUSTICE SYSTEMS (covering 45 countries), at <http://www.ojp.usdoj.gov/bjs/abstract/wfcj.htm>
(visited May 2006).
9
The conventions Article 10 on offences related to infringements of copyright and related rights should be
compared with Article 14 of the U.N. convention on Jurisdictional Immunities of states and Their Property of 2
December 2004 (Not yet in force), GA Resolution 59/78, Doc. A/59/49, also at
<http://untreaty.un.org/ils/texts/instruments/english/conventions/4_1_2004.pdf> (visited April 2007).
10
This article is thoroughly dealt with in SPANG-HANSSEN-3 supra note 6, Chapter 7.
11
<http://www.usdoj.gov/criminal/cybercrime/senateMemo.pdf> (visited May 2006).

The Senate’s Committee on Foreign Relations held a hearing on June 17 2004.12 On November
8, 2005, the US Senate Committee on Foreign Relations submitted report 109-6 (to accompany
Treaty Doc. 108-11). The report has the below mentioned reservations and declarations to
ratification.13
The United States has not ratified the Additional Protocol as it would be contrary to the U.S.
Constitution’s First Amendment’s guarantee of freedom of expression.14
On 3 August 2006, the US Senate agreed (by Division Vote) to a Resolution of advice and
consent to ratification (US Senate Treaty number: 108-11). The ratification was done on September
29, 2006 (and the treaty went into force for the US on January 1, 2007).
1.3.1. Reservations
The advice and consent of the Senate under section 1 is subject to the following reservations, which
shall be included in the United States instrument of ratification:
1) The United States of America, pursuant to Articles 4 and 42, reserves the right to require that
the conduct result in serious harm, which shall be determined in accordance with applicable
United States federal law.
2) The United States of America, pursuant to Articles 6 and 42, reserves the right not to apply
paragraphs (1)(a)(i) and (1)(b) of Article 6 (‘‘Misuse of devices’’) with respect to devices
designed or adapted primarily for the purpose of committing the offenses established in
Article 4 (‘‘Data interference’’) and Article 5 (‘‘System interference’’).
3) The United States of America, pursuant to Articles 9 and 42, reserves the right to apply
paragraphs (2)(b) and (c) of Article 9 only to the extent consistent with the Constitution of the
United States as interpreted by the United States and as provided for under its federal law,
which includes, for example, crimes of distribution of material considered to be obscene
under applicable United States standards.
4) The United States of America, pursuant to Articles 10 and 42, reserves the right to impose
other effective remedies in lieu of criminal liability under paragraphs 1 and 2 of Article 10
(‘‘Offenses related to infringement of copyright and related rights’’) with respect to
infringements of certain rental rights to the extent the criminalization of such infringements is
not required pursuant to the obligations the United States has undertaken under the
agreements referenced in paragraphs 1 and 2.
5) The United States of America, pursuant to Articles 22 and 42, reserves the right not to apply
in part paragraphs (1)(b), (c) and (d) of Article 22 (‘‘Jurisdiction’’). The United States does
not provide for plenary jurisdiction over offenses that are committed outside its territory by
its citizens or on board ships flying its flag or aircraft registered under its laws. However,
United States law does provide for jurisdiction over a number of offenses to be established
under the Convention that are committed abroad by United States nationals in circumstances
implicating particular federal interests, as well as over a number of such offenses committed
on board United States-flagged ships or aircraft registered under United States law.
12
Hearing agenda can be found at <http://foreign.senate.gov/hearings/2004/hrg040617a.html>. Hearings report
at <http://www.washingtonwatchdog.org/rtk/documents/cong_hearings/senate/108/
senatehearing108_97299.html> and witness’ papers at
<http://foreign.senate.gov/testimony/2004/SchmitzTestimony040617.pdf>,
<http://foreign.senate.gov/testimony/2004/SwartzTestimony040617.pdf>, and
<http://foreign.senate.gov/testimony/2004/WittenTestimony040617.pdf>.
13
<http://www.washingtonwatchdog.org/rtk/documents/cong_reports/executive/109/executivereport109_
006.html> (visited November 2005).
14
<http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm#QE1> (visited April 2007) and Declan
McCullagh, First ‘cybercrime’ treaty advances in Senate, CNET News.Com 26 July 2005 at
<http://news.com.com/2100-7348_3-5805561.html> and (visited April 2007).

Accordingly, the United States will implement paragraphs (1)(b), (c) and (d) to the extent
provided for under its federal law.
6) The United States of America, pursuant to Articles 41 and 42, reserves the right to assume
obligations under Chapter II of the Convention in a manner consistent with its fundamental
principles of federalism.
1.3.2. Declarations
1) The advice and consent of the Senate under section 1 is subject to the following declarations,
which shall be included in the United States instrument of ratification:
a) The United States of America declares, pursuant to Articles 2 and 40, that under
United States law, the offense set forth in Article 2 (‘‘Illegal access’’) includes an
additional requirement of intent to obtain computer data.
b) The United States of America declares, pursuant to Articles 6 and 40, that under
United States law, the offense set forth in paragraph (1)(b) of Article 6 (‘‘Misuse of
devices’’) includes a requirement that a minimum number of items be possessed. The
minimum number shall be the same as that provided for by applicable United States
federal law.
c) The United States of America declares, pursuant to Articles 7 and 40, that under
United States law, the offense set forth in Article 7 (‘‘Computer-related forgery’’)
includes a requirement of intent to defraud.
d) The United States of America declares, pursuant to Articles 27 and 40, that requests
made to the United States of America under paragraph 9(e) of Article 27
(‘‘Procedures pertaining to mutual assistance requests in the absence of applicable
international agreements’’) are to be addressed to its central authority for mutual
assistance.
2) The advice and consent of the Senate under section 1 is also subject to the following
declaration: The United States of America declares that, in view of its reservation pursuant to
Article 41 of the Convention, current United States federal law fulfills the obligations of
Chapter II of the Convention for the United States. Accordingly, the United States does not
intend to enact new legislation to fulfill its obligations under Chapter II.
2. SOME PROBLEMS FOR CYBERNAUTS RELATED TO THE CONVENTION

The convention is designed to enhance the investigation and prosecution of cross-border computer-
related crimes by eliminating or reducing procedural and jurisdictional obstacles to international co-
operation.
Most legislators have had their interest on the convention’s part on law-enforcement, that is the
international co-operation.
Only a little group of people have dealt with the question of to what extent the convention have
unreasonable implications for the individual cybernaut for whom the most scary part is the
convention’s basic principle of “aut dedere aut judicare” – the duty of each party to extradite or to
prosecute. These issues are dealt with in the convention’s articles 22 and 24.
2.1. Article 22 – Jurisdiction

1. Each Party shall adopt such legislative and other measures as may be necessary to establish
jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention,
when the offence is committed:
a) in its territory; or
b) on board a ship flying the flag of that Party; or

c) on board an aircraft registered under the laws of that Party; or

d) by one of its nationals, if the offence is punishable under criminal law where it was
committed or if the offence is committed outside the territorial jurisdiction of any
State.
2. Each Party may reserve the right not to apply or to apply only in specific cases or conditions
the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.
3. Each Party shall adopt such measures as may be necessary to establish jurisdiction over the
offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender
is present in its territory and it does not extradite him or her to another Party, solely on the basis of his
or her nationality, after a request for extradition.
4. This Convention does not exclude any criminal jurisdiction exercised by a Party in
accordance with its domestic law.
5. When more than one Party claims jurisdiction over an alleged offence established in
accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to
determining the most appropriate jurisdiction for prosecution.
2.2. Article 24 – Extradition

1. a. This article applies to extradition between Parties for the criminal offences established in
accordance with Articles 2 through 11 of this Convention, provided that they are punishable under the
laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year, or
by a more severe penalty.
b. Where a different minimum penalty is to be applied under an arrangement agreed on the basis
of uniform or reciprocal legislation or an extradition treaty, including the European Convention on
Extradition,15 applicable between two or more parties, the minimum penalty provided for under such
arrangement or treaty shall apply.
2. The criminal offences described in paragraph 1 of this article shall be deemed to be included
as extraditable offences in any extradition treaty existing between or among the Parties. The Parties
undertake to include such offences as extraditable offences in any extradition treaty to be concluded
between or among them.
3. If a Party that makes extradition conditional on the existence of a treaty receives a request for
extradition from another Party with which it does not have an extradition treaty, it may consider this
Convention as the legal basis for extradition with respect to any criminal offence referred to in
paragraph 1 of this article.
4. Parties that do not make extradition conditional on the existence of a treaty shall recognise the
criminal offences referred to in paragraph 1 of this article as extraditable offences between
themselves.
5. Extradition shall be subject to the conditions provided for by the law of the requested Party or
by applicable extradition treaties, including the grounds on which the requested Party may refuse
extradition.
6. If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely
on the basis of the nationality of the person sought, or because the requested Party deems that it has
jurisdiction over the offence, the requested Party shall submit the case at the request of the requesting
Party to its competent authorities for the purpose of prosecution and shall report the final outcome to
the requesting Party in due course. Those authorities shall take their decision and conduct their
investigations and proceedings in the same manner as for any other offence of a comparable nature
under the law of that Party.
15
European Convention on Extradition of 13. December 1957 (into force 18 April 1960), ETS No. 24 at
<http://conventions.coe.int/Treaty/en/Treaties/Html/024.htm> (47 ratifications as of 13 April 2007).

7. a. Each Party shall, at the time of signature or when depositing its instrument of ratification,
acceptance, approval or accession, communicate to the Secretary General of the Council of Europe
the name and address of each authority responsible for making or receiving requests for extradition or
provisional arrest in the absence of a treaty.
b. The Secretary General of the Council of Europe shall set up and keep updated a register of
authorities so designated by the Parties. Each Party shall ensure that the details held on the register
are correct at all times.
2.3. Global jurisdiction to be considered by the individual

Cybernaut
In addition, it is a problem that the convention pursuant to article 22(4) does not exclude any criminal
jurisdiction exercised by a Party in accordance with its domestic law. Quite opposite, the convention
require each party to respect other parties criminal jurisdiction under their domestic law. This is a
carte blanche to allow what I have termed “Global Jurisdiction,” see further below under 3.1.
It is hard to imagine how a party to the convention later can protest against other parties’ court
decisions when having given such a carte blanche.
In addition, it seems hard to oppose against the validity of another party’s court’s determination
of dealing with a cybercrime case or offender. Thus, another nation’s court can hardly censor but only
reject to enforce another party’s court decision.
2.4. Other Aspects to be considered by the individual Cybernaut

The just above mentioned does not give a cybernaut any security when traveling to other parties
countries. Thus, a cybernaut can no longer only rely on his local law as foreign law of Treaty’s parties
also has to be accepted and followed. Therefore, any cybernaut is under the law of the least
acceptable country’s laws – chaos will come because previous public international law system does
not work as there is no borders in Cyberspace and thus for Cybercrimes.
Especially, this regime provides no protection for military, FBI’s and CIA’s hacker-personnel on
such personals holydays in other parties territories. This was precise the reason for the United States
to reject to ratify the Treaty for the International Criminal Court.16
This imply for example that a cybernaut no longer can rely on his owns laws rules of the right to
a jury trial.
Another aspect to be notices is that the convention does not contain any limitation – opposite the
Treaty for the International Criminal Court.
3.1. WHEN IS A STATE ALLOWED TO GOVERN PURSUANT TO PUBLIC

INTERNATIONAL LAW
Jurisdiction is a vital and indeed central feature of state sovereignty, for it is an exercise of authority,
which may alter, create, or terminate legal relationships and obligations.17 It follows from the nature
of the sovereignty of states that a state must not intervene in the domestic affairs of another state.18
As the public international computer networks (Internet or Cyberspace) cross the national
borders, public international law is the ruling regime.
16
<http://www.icc-cpi.int/home.html&l=en>. See also (Rome) Statute of the ICC 17 July 1998 at
<http://www.un.org/law/icc/> (into force 1 July 2002. As of January 2007 ratified by 104 countries) [hereinafter
the ICC-Statute].
17
MALCOLM N. SHAW, INTERNATIONAL LAW (4th Edition, Cambridge University Press) page 452 [hereinafter
SHAW]
18
SHAW supra note 17, page 454, and Justice Story in The Apollon, 22 U.S. 362, 370 (U.S. 1824).

The innovation of the Internet and Cyberspace has made the question of personal jurisdiction
much more important than at any time before, since the use of the Internet nearly always involve
international aspects. The starting point in every case involving the Internet should be that the case is
international rather than national.
Traditional, public international law on jurisdiction has used the following division:19
Nationality principle - confers jurisdiction over nationals of the State concerned. Can
be divided into
• Active personality principle - based on the nationality of the suspect.
International law accepts jurisdiction over a state’s owns citizens based on
nationally, or the links between the individual and the state
• Passive personality principle or Passive nationality principle - based on
nationality of the victim, not the nationality of the offender (controversial)
Territoriality principle confers jurisdiction on the State in which the person or the
goods in question are situated or the event in question took place. Can be divided into
• Subjective territoriality principle - permits a State to deal with acts which
originated within its territory, but was completed or consummated abroad
• Objective territoriality principle – permits a State to deal with acts which
originated abroad but which, at least in part, were
o the “effect doctrine” - consummated or completed within their territory
–; or
o the protective theory - producing gravely harmful consequences to the
social or economic order inside their territory.
The protective theory covers a variety of political offences and is not
necessarily confined to political acts. The principle is well established
and seems justifiable because it protect a state’s vital interests. However,
it can easily be abused. The decisive is the importance of the offence,
which standard is supplied solely by international law.
However, in Cyberspace there is no “transportation” in form of tangible effects, but only
“transmission” of electronic bits (and that transmission route is fortuitous and unpredictable), thus in
Cyberspace there only exists what I have termed pure online incidents, which is characterized by no
physical shipment or tangible things are involved, and at least one user is an alien, that is, a non-
resident or a non-national.20 This term differs from definitions in article 1 of the Cybercrime
Convention as my term requires an alien involved – not only two residents of the same state.
As acts or incidents suddenly appears to be everywhere and at the same time for anyone, from
the perspective of any court or any State these could argue being a proper court or jurisdiction.
The later approach I have given the term Global Jurisdiction,21 which is characterized by a
State’s jurisdictional rules taken on its “wording” reaches all alien cybernauts, thus making a
Worldwide jurisdiction involving aliens whom can be anywhere in the world (outside the forum
state). This term has to be distinguished from Universal Jurisdiction.
However, Global jurisdiction22 is prohibited by public international law, which requires
closeness (a close link) and reasonableness between the jurisdiction and the alien in question.
19
HENRIK SPANG-HANSSEN, CYBERSPACE & INTERNATIONAL LAW ON JURISDICTION 243-258 (DJØF
Publishing, Copenhagen 2004 – 87-547-0890-1 – US Congress Library 2004441311) [hereinafter SPANG-
HANSSEN-2].
20
“Henrik’s First Base”, see SPANG-HANSSEN-3 supra note 6, at 1.
21
SPANG-HANSSEN-3 supra note 6, at page v, Foreword.
22
Global jurisdiction under public international law does not evidently mean that a narrow community view is
acceptable. The content of for example the UN Declaration on human rights and the Covenant point in the
opposite direction. On the other hand, Global jurisdiction does not seem to have special relevance outside “pure

Furthermore, under public international law any jurisdiction has to respect the sovereignty of other
States and their right to self-determination of rules for and over its citizen.
Thus, in public International Law the requirement for a State being allowed to prescribe,
adjudicate & enforce is that there exists a Close Link and that it from an international society point of
view is Reasonable the State in question deal with the issue. States (with physical borders) are the
backbone of Public International Law.
Sofar public international law can be said to have been a “grenz law”, but Cyberspace is
borderless and does not “respect” geographic drawn borders. Thus, when dealing with Cyberspace
one should turn the view upside down and begin with the view – not from the perspective of a State
and its borders – but from the fact that Cyberspace is global reaching and that there has to be made
some division of this “global space”.
This has let me to introduce the following new division of public international law on
jurisdiction:23
Universal jurisdiction – a court of a nation acts on behalf of the international society
pursuant to public international law.24
National jurisdiction – a court of a nation acts on behalf of its sovereign. It involve two
terms: International jurisdiction and Exterritorial jurisdiction, which is formulated by
the particular nation it-self, wherefore it can be in violation with public international law.
It can be divided into the following sub-categories:
• Global jurisdiction - (Worldwide) jurisdiction involving aliens whom can be
anywhere in the world (outside the fo-rum state). This kind of jurisdiction can be
exercised on basis of:
- General jurisdiction - even if the cause of action is unrelated to the
activities at issue, if only the alien defendant’s activities in the forum state
are “substantial, continuous, and systematic” (and the particular long-arm
statute’s requirement is fulfilled)
- Specific jurisdiction - cause of action arise from defendant’s minimum
contacts with the forum state
• Transnational jurisdiction – which exists pursuant to the Treaty against
Transnational Organized Crime25 is present when:
- The offence is committed in more than one State
- It is committed in one State but a substantial part of its preparation,
planning, direction or control takes place in an-other State
- It is committed in one State but involves an organized criminal group that
engages in criminal activities in more than one State; or
- It is committed in one State but has substantial effects in another State.
• Restricted jurisdiction – Jurisdiction that a State through statute or caselaw has
limited to cases where the defendant at the time of the act is a residents or
national of the forum state, or visitor in the forum state.
online” incidents, that is, in what is usually characterized the brick and mortar world where a State or court
always can pinpoint a physical connection to the alien defendant.
23
SPANG-HANSSEN-3 supra note 6, at 117-121 & 146-169.
24
It can only be exercised when the international society has accepted this – and if so it will only be for a very
limited and specific issue, for example War-crime or Piracy on the sea. SPANG-HANSSEN-2 supra note 19, at
252-254, IAN BROWNLIE, PRINCIPLES OF PUBLIC INTERNATIONAL LAW 303 (6th Edition, Clarendon Press,
Oxford – ISBN 0199260710), OPPENHEIM’S INTERNATIONAL LAW 469-470 (London and New York: Longman
9th Ed., paperback edition 1996 – ISBN 0582302455).
25
“Palermo Treaty” or United Nations Convention Against Transnational Organized Crime”, Doc. A/55/383
(Adopted by UN GA resolution A/RES/55/25 of 15 November 2000 - Into force 29 September 2003) at
<http://www.unodc.org/unodc/en/crime_cicp_resolutions.html>. As of April 1, 2007: 147 signatories and 132
parties at <http://www.unodc.org/unodc/en/crime_cicp_signatures_convention.html>.

The latter is equal to a combination of the active personality principle and the subjective
territorial principle. As restricted jurisdiction cannot in the sense of public international law be said to
deal with “aliens”, which latter is the subject of the rest of this article, this kind of jurisdiction will not
be further dealt with.
On public international network every State could be said to have concurrent jurisdiction, since
the online experience in every State will be the same for everybody, thus, the “effect” would be
everywhere. Therefore, in the perspective of Cyberspace it seems more appropriate to use the term
“closeness” rather than “effect” or “target”. Thus, the real problem of international law is to define
the circumstances in which the relevant points of contact (the legal relationships) are sufficiently
close. Or otherwise stated, the problem is where do Internet transactions take place?
International public law on jurisdiction to prescribe - and adjudicate - in relation to international
computer network can be summoned up as in the following table as for Pure Online cross-border:26
Made online from

Made online from Made online from
State D by national
State D by national of State D by national of
of State C, but
state A State B
citizen of A
Global Jurisdiction is Global Jurisdiction is Global Jurisdiction is

an issue an issue an issue
Uploaded in State State E regarded as State E regarded as State E regarded as
E sender or receiver sender or receiver sender or receiver
state? state? state?
Global Jurisdiction is Global Jurisdiction is Global Jurisdiction is

an issue an issue an issue
Objective and Passive Objective and Passive
Received in State personality personality
B (controversial) (controversial)
principles allow State principles allow State
B to prescribe? B to prescribe?
Initially should be remarked, that Universal Jurisdiction is not by the international society – and the
International Court of Justice (ICJ) – allowed to be used on Cyberspace incidents. In relation to
Cyberspace, I find hard to find incidents that fulfill the tough criterias for use of Universal
Jurisdiction27 - except using the Internet for Human Trafficking (a modern way of slavery).
Further should to the table be noted:
the Subjective Territoriality Principle allows State D to prescribe in all fields
the Active Personality Principle allows the State of nationality or residency of the
suspect to prescribe in all fields
This implies for online communication that it has to meet the requirements of the legislation in:
The State from where the original electronic communication (“bits-transfer”) was
prepared
The State where the communication is uploaded
The State of the communicator’s “nationality,” that is, for a private owned
communication firm where the owner is born, or a corporate is incorporated
The State where the communicator is a “citizen,” that is, for a private owned
communication firm where the owner living or a corporate is having headquarter
26
SPANG-HANSSEN-2, supra note 19, page 299-300
27
SPANG-HANSSEN-2, supra note 19, page 121-128.

From the online communicator’s perspective, it should initially be noted that the Passive
personality principle generally is rejected by the international society, thus, the communicator out of
this principle does not have to follow the legislation (statutes or case law) in the state of which the
receiver is a nationality. This has to be kept in mind with regard to the text of article 22(4) of the
Cybercrime Convention.
However, the online communicator might have to meet the requirement pursuant to the
Objective territoriality principle that permits a State to deal with acts which originated abroad but
which, at least in part, were
consummated or completed within their territory (the “effect doctrine”); or
producing gravely harmful consequences to the social or economic order inside their
territory (the protective theory).
As for the first prong it should be noted, that among the public international society there is
discrepancy of the reach of the “effect doctrine” – which internationally is interpretated somewhat
otherwise than the US “effect test”.
The above mean that a State cannot interfere with what is going on, on the Internet or on the
international network’s “pipe-lines” through which the electronic bits of the telecommunication is
transmitted. In addition, it implies that each State’s legislators and enforcement has to take great
consideration to other States interests. However, this is somewhat undermined by the text of article
22(4) of the Cybercrime Convention.
As for foreign parties and jurisdictional rules, the latter will only have any real value, if courts
decisions later can be executed in another state. Thus, it has no real value for a plaintiff, if a sovereign
or its court decide an issue of a case, but all other nations holds that the issue or case belongs to or are
much more related to another nation. If any given nations jurisdictional rules in practice does not have
any limits, then the rules will have no real value and should in stead just state it will catch any non-
resident (“Global Jurisdiction”). Then it will be for the court that is to execute the decision to decide
the “real” jurisdictional question determining whether the first court’s decision can be acknowledged.
Thus, if the different nations or jurisdictions do not consider the implications of their decisions
on the worldwide network of computers - and thus over users outside the particular jurisdiction - the
result can very easy become an extremely inefficient and cribbed network,28 where only material
allowed by every nation can be accessed. Such a regime will probably conflict with the UN rules on
free speech and respect of other nations’ people.
At this point should be mentioned that in May 1992, the United States suggested to the Hague
Conference on Private International Law to make a draft to Convention on Jurisdiction and
Enforcement of foreign Judgments. In a Summary of discussions in March 2000 was amongst others
discussed the question of identification and location of the parties. In a paper of February 2002, it was
pointed out that the ongoing globalization and the exponential growth of the use of the Internet
continue to add to the need for a global framework for jurisdiction and the recognition and
enforcement of judgments. The Internet environment adds to the complexity of the issues to be
resolved in specific provisions; on the other hand, it reinforces the common need for a global
framework on jurisdiction and recognition and enforcement (in civil and commercial matters).29
28
“if every jurisdiction in the world insisted on some form of filtering for its particular geographic territory, the
World Wide Web would stop functioning.” From e-mail of Vinton Cerf, Chairman of Internet Corporation for
Assigned Names and Numbers (ICANN) and previous Stanford University professor, 24/11 2000 to Agence
France-Presse in connection to his expert statement to a French court about Yahoo-US’s web site, Agence
France Pres 24. November 2000, 2000 WL 24767154 (Westlaw database AGFRP) and Putting it in its place,
THE ECONOMIST, August 9th 2001 at <http://www.yale.edu/lawweb/jbalkin/telecom /puttingitinitsplace.html>
(visited 14 October 2003).
29
See SPANG-HANSSEN-2 supra note 19, at 453-460.

However, due to realized disagreements between the conferences member states presented at an
informal working group in March 2003, it was decided to limit a drafts to a Convention and in reality
leaving the whole issue of the Internet unsolved.
3.2. WHEN IS THE OFFENCE-PLACE “IN” OR “ON” THE STATE’S SPHERE ?

This question of where an offence is committed is without doubt the toughest and most difficult
question to answer when dealing with Cyberspace. As the computer technology is new, public
international law has not developed any practice on when a Cyberspace-act is occurring “in” or “on”
a territory.
The main problem with Cybercrime Conventions article 22 litra a-c is that the convention does
not determine when something related to Cyberspace is occurring “in” or “on” the territory. This is a
most controversial issue in Cyberspace law, which should have been solved by the drafting committee
as the steppingstone before drafting any other articles. The drafting committee have neglected a
specified given task no. v (the question of jurisdiction in relation to information technology offences),
namely “determine the place where the offence was committed (locus delicti)”.30 The same task also
included the question of which law should accordingly apply, including the problem of ne bis idem31
in the case of multiple jurisdictions and the question how to solve positive jurisdiction conflicts and
how to avoid negative jurisdiction conflicts. From a human point of view, it is of cause obvious to
choose the line of least resistance as for the problem - as the drafters of the Convention has done.
However, such a choice does not seem appropriate when drafting the text for an international Treaty.
The overall principles in public international law to answer the question is whether these
“places” has a close link and are reasonable, see on this subject Spang-Hanssen supra note 19, at 296-
462, chapters 31-33. When considering a place where an offence could be regarded to be committed
in Cyberspace what immediately comes into mind is the following “places” in the public international
computer networks:32
the place of a server
the place of a proxy33 servers
the place where the work on the computer was done (prepared) before uploading it to the
Internet
the place where a laptop was hooked up when connected to the Net, or
should it be the uploaded content that decides ?
Many court decisions has decided that the place of the server is not the determine fact.34
However, the court in U.S. v. Kammersell could not have reached its decision if it had not relied on
the place of a service providers’ server.35
The EU issued a declaration when it passed Regulation 44/2001 on jurisdiction and
enforcement36 which “stress that the mere fact that an Internet site is accessible is not sufficient for
Article 15 [about jurisdiction over consumer contracts] to be applicable,…In this respect, the
30
CONVENTION-REPORT supra note 4, para 11 subsection v.
31
Ne bis in idem (ne bis idem) - no person should be proceeded against twice over the same matter.
32
SPANG-HANSSEN, CYBERSPACE JURISDICTION IN THE U.S. 97-122, (Norwegian Research Center for
Computers and Law, Oslo University 2001 – ISBN 82-7226-046-8 – US Congress Library 2003450386), also
free downloading from research website <www.geocities.com/hssph> [hereinafter SPANG-HANSSEN-1] and
SPANG-HANSSEN-2 supra note 19, at 359-365
33
A server that sits between a client application, such as a web browser, and a real server.
34
On US court decisions on this issue, see SPANG-HANSSEN-1 supra note 33, at 107-111 and SPANG-HANSSEN-
2 supra note 19, at 359-361.
35
United States v. Kammersell, 196 F.3d 1137 (10th Circuit 1999).
36
Council Regulation 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of
judgments in civil and commercial matters, O.J. 16/01/2001 p. 0001-0023, also at
<www.geocities.com/hssph/CouncilRegulationNo44.pdf>.

language or currency which a website uses does not constitute a relevant factor.”37 If such factors are
not found relevant in civil matters, then they should neither be determining in criminal matters.
The Report to the Convention points out that article 22 establishes a series of criteria under
which Contracting Parties are obliged to establish jurisdiction over the criminal offences enumerated
in Articles 2-11 of the Convention.38
It noted that article 22, paragraph 1 littera a is based upon the principle of territoriality, see above
section 3.1, and that each Party is required to punish the commission of crimes established in this
Convention that are committed in its territory. The report gives as examples that a Party would assert
territorial jurisdiction if (A) both the person attacking a computer system and the victim system are
located within its territory, and (B) where the computer system attacked is within its territory, even if
the attacker is not.39 The first example is dealing with a totally internal national matter and the court
should of cause use its national law. As for the latter example “B”, where the “offender” is an alien,
public international law must be used rather than national law.
Article 22 paragraph 1, littera b and c require each Party to establish criminal jurisdiction over
offences committed upon ships flying its flag or aircraft registered under its laws. The Report notes
that if the crime is committed on a ship or aircraft that is beyond the territory of the flag Party, there
may be no other State that would be able to exercise jurisdiction barring this requirement. In addition,
if a crime is committed aboard a ship or aircraft, which is merely passing through the waters or
airspace of another State, the latter State may face significant practical impediments to the exercise of
its jurisdiction, and it is therefore useful for the State of registry to also have jurisdiction.40 This does
not seem to be in conflict with the customary law that is codified in the 1958 High Sea Convention41
(and the Convention on the Law of the Sea42).
The paragraph does not distinguish between the Subjective territoriality principle and the
Objective territoriality principle. Thus, it is left for each party to decide whether the paragraph cover
acts which originated within its territory, but was completed or consummated abroad and/or acts
which originated abroad, but which, at least, in part were consummated or completed within their
territory (the effect doctrine) or producing gravely harmful consequences to the social or economic
order inside their territory (the protective theory).
Paragraph 1, littera d is based upon the principle of nationality. The report states out the obvious
from a public international law point of view, that nationals of a State are obliged to comply with the
domestic law even when they are outside its territory.43 The wording of the paragraph leaves out the
use of the passive personality/nationality principle.
The report points out that parties can only make reservations to the jurisdiction grounds laid
down in paragraph 1, litterae b, c, and d. No reservation is permitted with respect to the territorial
jurisdiction under littera a.
Furthermore, no reservation can be made with respect to the obligation to establish jurisdiction in
cases falling under the principle of "aut dedere aut judicare" (extradite or prosecute) under paragraph
37
Joined declaration issued by the European Parliament and Commission at the time the Regulation was passed
– Statement on Articles 15 and 73, reprinted in SPANG-HANSSEN-2, supra note 19, at 564-566, also at
<www.geocities.com/hssph/Joineddeclaration.pdf>.
38
CONVENTION-REPORT supra note 4, para 232.
39
40
41
Convention on the High Seas of 1958 (into force 30 September 1962), 13 U.S.T. 2312, T.I.A.S. 5200, 450
U.N.T.S. 82, also at <http://www.univie.ac.at/RI/KONTERM/intlaw/konterm/vrkon_en/html/doku/high-
sea.htm> (visited April 2007).
42
United Nations Convention on the Law of the Sea of 10 December 1982, U.N.Doc. A/CONF.62/122.
Convention on the Law of the Sea of 1982 (also called the Montego Bay Convention)(into force 16 November
1994 – 153 states have ratified as of 4 April 2007) [hereinafter “Law of the Sea”], also at
<http://www.un.org/Depts/los/convention_agreements/texts/unclos/unclos_e.pdf> (visited April 2007).
43

3, for example where that Party has refused to extradite the alleged offender on the basis of his
nationality and the offender is present on its territory.
The report remarks that the jurisdiction established on the basis of paragraph 3 in article 22 is
necessary to ensure that those Parties that refuse to extradite a national have the legal ability to
undertake investigations and proceedings domestically instead, if sought by the Party that requested
extradition pursuant to the requirements of "Extradition", Article 24, paragraph 6 of the Convention.44
Finally, the report remarks that the bases of jurisdiction set forth in paragraph 1 are not exclusive
and that paragraph 4 of Article 22 permits the Parties to establish, in conformity with their domestic
law, other types of criminal jurisdiction as well.45 This is nothing but a carte blanch from one party of
the Convention to another. Taken together with the just mentioned comment 237 of the Report, this
paragraph can give extreme consequences for a cybernaut as he has no longer any protection under
his own laws.
3.3. WHO IS THE OFFENDER ?

An important question that the Convention does not deal with is, who is the offender? Is it for
example the grandparent that allows a grandchild to use a computer during a visit or is it (only) the
grandchild? In this respect should be noted that the International Criminal Court in the Hague only
has jurisdiction in cases which involve a person that at the time of the alleged commission of the
crime was of the age of 18 or over.46 The Cybercrime Convention only deals with the term “minor” in
relation with Article 9(3) on child pornography: “For the purpose of paragraph 2 above, the term
“minor” shall include all persons under 18 years of age. A Party may, however, require a lower age-
limit, which shall be not less than 16 years.” Thus, under the Cybercrime Convention a child in
diapers using a computer can be an offender and be sentenced – even by a foreign country as party to
the convention)! However, this regime might be against the Convention for Protection of Children.47
Furthermore, to what extent does it matter that a person is careless with a password and let others
use their access?
Another problem is one especially for the prosecutors. Computers connected to the Internet have
an IP address but this does not reveal where the laptop is located and who used it. The latter is also of
special significance as for computers offered to the public in libraries or at CyberCafees. A further
problem for prosecutors is wireless connections for which some are available without any password
but only requiring the laptop being in a certain distance to a hotspot.48 Most of the latter are
unsecured.
3.4. INTENT
Another aspect not to forget when dealing with crime and computer networks, is to which extent the
offender had intent to do a crime and where to do it. Should it be allowed in public international law
just because the offender knows that he is using Cyberspace and have the intent to hit one particular
forum state, that this anyhow allows all other states also to have jurisdiction over that crime?
44
45
46
Articles 26 of the ICC-Statute supra note 16, which further only involves “the most serious crimes of concern
to the international community as a whole.” See THE ROME STATUTE OF THE INTERNATIONAL CRIMINAL
COURT: A COMMENTARY 533-35 (Ed. Antonio Cassese, Oxford University Press 2002 – ISBN 0-19-829862-5)
[hereinafter CASSESE] and SPANG-HANSSEN-3, supra note 6, at 300.
47
Convention on Jurisdiction, Applicable law, Recognition, Enforcement and Co-operation in Respect of
Parental Responsibility and Measures for the Protection of Children of 19 October 1996 (Into force 1 January
2002 – As of January 2007 14 states has ratified), at
<www.hcch.net/index_en.pho?act=conventions.pdf&cid=70> (visited April 2007).
48
Hotspots are venues that offer wireless Internet access points..

Criminal jurisdiction is designed to promote security and certainty in international life to prevent
friction among nations. To be entitled to assume legislative jurisdiction there must exist a close
connection in an international sense between the person, fact or event and the State imposing criminal
liability in regard to them. The real problem of international law is to define the circumstances. The
limits of a State’s criminal jurisdiction should be found in the doctrine of the abuse of rights.49
When the intent to commit the proscribed act is clear and demonstrated by some activity, and the
effect to be produced by the activity is substantial and foreseeable, the fact that a plan or conspiracy
was thwarted does not deprive the target state of jurisdiction to make its law applicable.50
Pursuant to article 30 of the ICC Statute51 a person is only criminally responsible or liable for
punishment for a crime if the person had “intent”, that is (1) the offender meant to engage in the
conduct (prohibited act or omission)(actus reus) and (2) the offender meant to cause that consequence
or was aware that it would occur in the ordinary course of events (mens rea). Furthermore is required
that the crime was committed with knowledge, that is, awareness that a circumstance existed or a
consequence would occur in the ordinary course of events.52
The ICC Court only has jurisdiction in cases that involve “the most serious crimes of concern to
the international community as a whole” (and where the person at the time of the alleged commission
of the crime was of the age of 18 or over).53
Hacking can be regarded as a crime, as a military weapon or as a mean for supporting human
rights. For the latter should be mentioned, that at the latest many people have realized that a most
important weapon in the struggle for human rights is computer code. Thus, “hacktivism” has turned
up in shape of elite computer experts – the “original” hackers, not crackers - who have set their sights
on ways to help human-rights causes and are trying to give activists electronic ways to circumvent
government surveillance and information management. Such humanitarian help can probably not
qualify being a crime – at least there is a lack of the necessary criminal intent.54
3.5. EXTRADITION
Article 24 on extradition has to be hold together with article 22(3), which later states that [e]ach Party
shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to
in Article 24, paragraph 1, in cases where an alleged offender is present in its territory and it does not
extradite him or her to another Party, solely on the basis of his or her nationality, after a request for
extradition.
The explanatory Report states that no reservation is permitted with respect to the establishment
of territorial jurisdiction under article 22(1) littera a, or with respect to the obligation to establish
jurisdiction in cases falling under the principle of “aut dedere aut judicare” (extradite or prosecute)
under paragraph 3, for example where that Party has refused to extradite the alleged offender on the
basis of his nationality and the offender is present on its territory.55
49
F.A. MANN, The Doctrine of Jurisdiction in International Law, 111 RECUEIL DES COURS 1, 82-83 (1964-
I) and SPANG-HANSSEN-2, supra note 19, at 239-240.
50
Comment d to § 402 to Restatement (Third) of Foreign Relation Law.
51
ICC-Statute supra note 16.
52
Herman von Hebel, Elements of Crimes in THE INTERNATIONAL CRIMINAL COURT: ELE-MENTS OF CRIMES
AND RULES OF PROCEDURE AND EVIDENCE 14-15 (Ed. Roy S. Lee, Transnational Publishers 2001 – ISBN
157105-209-7).
53
Articles 26 of the ICC-statute supra note 16, and CASSESE supra note 46, at 533-35, and SPANG-HANSSEN-3
supra note 6, at 300.
54
SPANG-HANSSEN-3 supra note 6, at 285-286.
55

Article 24(5) states that extradition shall be subject to the conditions provided for by the law of
the requested Party or by applicable extradition treaties,56 including the grounds on which the
requested Party may refuse extradition. The requested party need not extradite if it is not satisfied that
all of the terms and conditions provided for by the applicable treaty or law have been fulfilled.
Furthermore, each of the offences established in Articles 2-11 are not to be considered per se
extraditable. It is required that the maximum punishment that could be imposed for the offence for
which extradition is sought is at least one-year’s imprisonment. The determination of whether an
offence is extraditable does not hinge on the actual penalty imposed in the particular case at hand, but
instead on the maximum period that may legally be imposed for a violation of the offence for which
extradition is sought.57 However, this paragraph is not to be used if a different threshold for
extradition is described in another treaty or arrangement between the parties in question.58 For
example, under the European Convention on Extradition59, reservations may specify a different
minimum penalty for extradition. Among Parties to that Convention, when extradition is sought from
a Party that has entered such a reservation, the penalty provided for in the reservation shall be applied
in determining whether the offence is extraditable.
Where a Party, instead of relying on extradition treaties, utilises a general statutory scheme to
carry out extradition, paragraph 4 requires it to include the offences described in Paragraph 1 among
those for which extradition is available.60
The requested Party need not extradite if it is not satisfied that all of the terms and conditions
provided for by the applicable treaty or law have been fulfilled. It is thus another example of the
principle that co-operation shall be carried out pursuant to the terms of applicable international
instruments in force between the Parties, reciprocal arrangements, or domestic law. For example,
conditions and restrictions set forth in the European Convention on Extradition (ETS N° 24) and its
Additional Protocols61 (ETS N°s 86 and 98) will apply to Parties to those agreements, and extradition
may be refused on such bases (e.g., Article 3 of the European Convention on Extradition62 provides
that extradition shall be refused if the offence is considered political in nature, or if the request is
considered to have been made for the purpose of prosecuting or punishing a person on account of,
inter alia, race, religion, nationality or political opinion).63
Paragraph 6 of article 24 is build over the principle of “aut dedere aut judicare” (extradite or
prosecute) and provides that a party must prosecute if the offender is a national of the requested party
and extradition is denied solely on nationality. The latter is included in the Convention since many
states refuse extradition of their nations. However, this paragraph is too easy to circumvent, as the
requested party just has to make up another excuse than nationality. This more or less makes article
24 worthless.
The Report points out that if the Party whose extradition request has been refused does not
request submission of the case for local investigation and prosecution, there is no obligation on the
requested Party to take action. Paragraph 6 requires the local investigation and prosecution to be
56
The US does require existence of a Treaty for extradition, see Senate Report & Letter of Submittal from
Department of State, see above footnote 12.
57
CONVENTION-REPORT supra note 4, para 245. Confer Article 2 of the European Convention on Extradition,
supra note 16.
58
59
See above note 16.
60
61
Additional Protocol to the European Convention on Extradition of 15 October 1975 (into force 20 August
1979), ETS No. 86 at <http://conventions.coe.int/Treaty/en/Treaties/Html/086.htm> (37 ratifications as of 13
April 2007).
62
Second Additional Protocol to the European Convention on Extradition of 17 March 1978 (into force 5 June
1983), ETS. No. 98 at <http://conventions.coe.int/Treaty/en/Treaties/Html/098.htm> (40 ratifications as of 13
April 2007).
63

carried out with diligence. It must be treated as seriously “as in the case of any other offence of a
comparable nature” in the Party submitting the case. That Party shall report the outcome of its
investigation and proceedings to the Party that had made the request.64 However, if no extradition
request has been made, or if extradition has been denied on grounds other than nationality, does
paragraph 6 establish no obligation on the requested Party to submit the case for domestic
prosecution.
Also, should be noted that the Cybercrime Convention does not distinguish between civil and
military persons, thus persons working for the U.S. military is embraced by the Cybercrime
conventions jurisdictional rules. As many people in the different countries military is involved with
what by the convention is regarded as hacking, these military persons should not go on holyday to
other countries that are parties of the convention, as U.S. will not have any right to protect them if
indicted by another party to the convention and arrested there during their stay there. The U.S. is
actually obliged to either extradite or prosecute such persons if another party to the convention makes
the claim.
4. SOME US COMPUTER CRIME CASES AFTER 1998

A summary of some prosecuted US computer cases from 1998 can be found on the US Department of
Justice’s website,65 including cases involving juvenile and international perpetrators, with press
releases on the each case.
Criminal cases from around the world can be found at Cybercrime Net,66 which offers a
comprehensive survey of current legislations from around the world including the laws of 78
countries. It also has a link to information on Supreme Court decisions from around the World and
offers access to decisions in 129 countries, or a way of finding them.67 The sites are managed by
Chief Judge Stein Schjølberg, Norway, who also is Council of Europe expert on cybercrime.
4.1. Juveniles
As it between teenagers has become some kind of a game or a sport to hack into other persons’
computers, many cases deal with juveniles, some of which did not have any intent to gain
economically, but only wanted to show off to their friends. Furthermore, should be mentioned that
juveniles as such68 only know little of the law of their own nation, other nation’s and international
law.
Of U.S. cases involving juveniles can be mentioned:
4.1.1. U.S. v. An Unnamed Juvenile (D. Mass., March 18, 1998)69
This case was the first U.S. case were federal charges were brought against a juvenile for
computercrime.
On March 10, 1997, the juvenile computer hacker temporarily disabled Next Generation Digital
Loop Carrier systems (“loop carrier systems”70) operated by telephone company NYNEX (later
64
65
Computer Crime & Intellectual Property Section at <www.usdoj.gov/criminal/cybercrime/ccases.html>
(visited 10 February 2007).
66
<http://www.globalcourts.com> (visited 4 April 2007).
67
<http://www.cybercrimelaw.net/> (visited 4 April 2007).
68
The Convention on Jurisdiction, Applicable law, Recognition, Enforcement and Co-operation in Respect of
Parental Responsibility and Measures for the Protection of Children of 19 October 1996 sets an age limit at 18
(Into force 1 January 2002 – As of January 2007 14 states has ratified), at
<www.hcch.net/index_en.pho?act=conventions.pdf&cid=70> (visited April 2007).
69
< http://www.usdoj.gov/criminal/cybercrime/juvenilepld.htm> (visited 4 April 2007).
70
The loop carrier systems are used by telephone companies to integrate service provided over hundreds of
telephone lines for digital transmission over a single, high capacity fiber-optic cable to a central office. By

purchased by Bell Atlantic Telephone Company) at the Worcester Airport and in the community of
Rutland, Massachusetts. The loop carrier systems operated by the telephone company were accessible
from a personal computer’s modem. This accessibility was maintained so that telephone company
technicians could change and repair the service provided to customers by these loop carrier systems
quickly and efficiently from remote computers.
The juvenile computer hacker identified the telephone numbers of the modems connected to the
loop carrier systems operated by the telephone company providing service to the Worcester Airport
and the community of Rutland, Massachusetts.
At approximately 9:00 a.m., the juvenile computer hacker intentionally, and without
authorization, accessed the loop carrier system servicing the Worcester Airport. He then sent a series
of computer commands so that it altered and impaired the integrity of data on which the system
relied, thereby disabling it.
Public health and safety were threatened by the outage, which resulted in the loss of telephone
service, until approximately 3:30 p.m., to the Federal Aviation Administration Tower at the
Worcester Airport, to the Worcester Airport Fire Department and to other related concerns such as
airport security, the weather service, and various private airfreight companies. Further, as a result of
the outage, both the main radio transmitter, which is connected to the tower by the loop carrier
system, and a circuit which enables aircraft to send an electric signal to activate the runway lights on
approach were not operational for this same period of time.
Later on the same day, at approximately 3:30 p.m., the juvenile computer hacker intentionally,
and without authorization, accessed the loop carrier system servicing customers in and around
Rutland, Massachusetts. Once again, he sent a series of computer commands to the digital loop carrier
that altered and impaired the integrity of data on which the system relied, thereby disabling it.
This second outage disrupted telephone service throughout the Rutland area, causing financial
damage as well as threatening public health and safety as a result of the loss of telephone service.
During this attack, the juvenile computer hacker changed the system identification to “Jester.”
In a separate computer intrusion, the juvenile computer hacker identified the telephone number
associated with the modem servicing a Worcester area branch of a major pharmacy chain’s computer
in the Worcester pharmacy. On four occasions in January, February and March of 1997, the juvenile
computer hacker used his personal computer modem to break into the Worcester pharmacy computer.
On each of these days he instructed the Worcester pharmacy computer to transmit to his personal
computer files containing all of the prescriptions filled by the pharmacy during the previous week,
detailing them by customer name, address, telephone number and prescription medicine supplied.
The pharmacist's computer was accessible by modem after hours when the pharmacy was closed.
This accessibility was maintained so that the pharmacy chain could periodically transfer information
from the pharmacist's local computer to a centralized computer operated by the chain in the course of
its business.
The juvenile could not alter the prescriptions and there was found no evidence that he
disseminated the information, but the hacking constituted a serious invasion of privacy.
Pursuant to a plea agreement, the juvenile received a two years’ probation, during which he may
not possess or use a modem or other means of remotely accessing a computer or computer network
directly or indirectly. He had to pay restitution to the telephone company and complete 250 hours of
disabling a loop carrier system all communications with the telephone lines it services are cuts off. Loop carrier
systems are programmable remote computers used to integrate voice and data communications originating on a
large number of standard, copper-wire telephone lines for efficient transmission over a single, sophisticated
fiber-optic cable. In many respects, a loop carrier system serves the same function as a circuit breaker box in a
home or an apartment. Individual electric wires do not run from each plug or light in a home or apartment to the
electric company. Rather, the myriad of plugs and lights are connected to a circuit breaker box in a corner of the
home or apartment, to which the electric company attaches a single, efficient cable. If the circuit breaker box is
disabled, however, none of the lights and outlets in the house can function.

community service. In addition, he was required to forfeit all of the computer equipment used during
his criminal activity.
4.1.2. U.S. v. "Comrade" (S.D. FL., September 21, 2000)71
This is the first U.S. case where a juvenile hacker received a prison sentence (and to serve time in a
Detention Facility).
A 16-year-old from Miami pleaded guilty and was sentenced to six months in a detention facility
for two acts of juvenile delinquency. Under adult statutes, those acts would have been violations of
federal wiretap and computer abuse laws for intercepting electronic communications on military
computer networks and for illegally obtaining information from NASA computer networks.
The juvenile, known on the Internet as “c0mrade,” admitted that he was responsible for
computer intrusions from August 23, 1999, to October 27, 1999, into a military computer network
used by the Defense Threat Reduction Agency (DTRA). DTRA is an agency of the Department of
Defense charged with reducing the threat to the U.S. and its allies from nuclear, biological, chemical,
conventional and special weapons. “c0mrade” also admitted that he gained unauthorized access to a
computer server, known as a “router,” located in Dulles, Va., and installed a concealed means of
access or “backdoor” on the server. The program intercepted more than 3,300 electronic messages to
and from DTRA staff. It also intercepted at least 19 user names and passwords of computer accounts
of DTRA employees, including at least 10 user names and passwords on military computers.
In addition, on June 29 and 30, 1999, “c0mrade” illegally accessed a total of 13 NASA
computers located at the Marshall Space Flight Center, Huntsville, Ala., using two different ISPs to
originate the attacks. As part of his unauthorized access, he obtained and downloaded proprietary
software from NASA valued at approximately $1.7 million. The software supported the International
Space Station’s (ISS) physical environment, including control of the temperature and humidity within
the living space. As a result of the intrusions and data theft, the NASA computer systems were shut
down for 21 days in July 1999. This shutdown resulted in a delivery delay of program software
costing NASA approximately $41,000 in contractor labor and computer equipment replacement costs.
As conditions of his guilty plea and serving six months in a detention facility, “c0mrade” had to
write letters of apology to the Department of Defense and NASA and agreeded to the public
disclosure of information about the case.
4.1.3. U.S. v. Sanford (N.D. TX, December 6, 2000)72
The hacker-group “HV2K” obtained unlawfully access to computers belonging to the U.S. Postal
Service, the State of Texas, the Canadian Department of Defence and Glinn Publishing Company of
Milwaukee, WI, between November 1999 and January 2000 and depriving owners and users from
their use of these systems.
A Canadian juvenile entered a pre-trial diversion program in Halifax, Nova Scotia, for computer
activity related to these offenses.
Another member of the hacker-group, Sanford, was a 18-year old resident of Irving, Texas. He
was sentenced to two years in prison, on each of six charges for breach of computer security, and 10
years on the theft charge. The prison sentences were suspended and Sanford was placed on five years
supervised probation. He was also ordered to pay $45,856.46 in restitution to the victims of his
hacking. As a condition of his probation, Sanford was also required to obtain a high school diploma
or graduate equivalency degree, submit to random urinalysis, and participate in community service.
Sanford was also restricted in his future use of computers.
The case was the result of a joint investigation involving the Texas Department of Public Safety,
the Royal Canadian Mounted Police, the Canadian Forces National Investigative Service, and the
USPS Office of the Inspector General.
71
<http://www.usdoj.gov/criminal/cybercrime/comrade.htm> (visited 4 April 2007).
72
<http://www.usdoj.gov/criminal/cybercrime/VAhacker2.htm> (visited 4 April 2007).

4.1.4. U.S. v. An Unnamed Juvenile (W.D. Wash., February 11, 2005)73

The worm - referred to as the "RPCSDBOT worm" - directed infected computers to log in on a
computer (i.e., an Internet Relay Chat channel) that the juvenile controlled. On August 14, 2003, the
juvenile directed the infected computers to launch a distributed denial of service attack against
Microsoft's main web site causing the site to shutdown and thus became inaccessible to the public for
approximately four hours. The juvenile was 14 years old when the activity occurred.
The juvenile pleaded guilty in November 2004, because he intentionally caused damage and
attempted to cause damage to protected computers.
The juvenile was sentenced to three years of probation with a number of restrictions including
mental health counseling, and computer monitoring. The Judge also ordered that the juvenile to
perform three hundred hours of community service that involved work with the homeless or other less
fortunate members of the community. The juvenile told the Judge, “Seventeen months ago, I made
the worst mistake I ever made in my life. I did it out of curiosity and did not think I would cause any
damage. I am sorry I created problems for people I did not even know.”
5. THE FUTURE OF (PUBLIC) INTERNATIONAL LAW ON CYBERCRIME

As Cyberspace being a vital part for an still explosive number of the citizens on Earth and their daily
life, the time has gone far beyond where the American Society of International Law and the
International Law Association should have begun thoroughly to deal with the issues that Cyberspace
has raised. This implies public international law scholars must learn about the technicalities of the
public international computer network – an educational task for the International Law Association
and the American Society of International Law.
The basic structure of the Internet challenge the international law on jurisdiction since the Net
has no respect for sovereignty and territorial, which is the basic for public international law.
Therefore, it is necessarily to examine to what extent the creation of the international computer
networks causes previous rules to be modified.74
As the European Union, with the highest percentage of citizens using the Internet, and the United
States have fundamentally different approaches to Cyberspace - EU, the consumer’s point of view
and the US, the business view – it is not surprising that there has not been established any general
public international law in relation to Cyberspace – if there ever will be. Thus, therefore is vital the
scholars of the above mentioned associations begin to spend some attention to these matters, so a
reasonable international scheme or practice can be established, including for cybercrime issues.
Only by such an approach can cybernauts – each of us - around the world become protected and
feel safe in our daily life and each of us live without fear for fortuitous arrests and criminal charges in
different countries.
There must be made rules of public international law governing cyberspace and the limits of
national jurisdiction over Cyberspace, including:
What a cybernaut does on the Internet is most likely an international case – thus, not
national law alone.
Public international law must solve the problem of where “the place” is.
Public international law must solve the problem with minors making offences on the
Internet – including a minimum age.
Let it be stated by the international society that what is done legally in the cybernaut’s
own country, he should not be charged or indicted for in foreign countries.
That the Convention allowing “Global jurisdiction” is in violation with public
international law.
73
<http://www.usdoj.gov/criminal/cybercrime/juvenileSent.htm> (visited 4 April 2007).
74
SPANG-HANSSEN-2, supra note 19, at 295 (and Chapters 31-33 pp. 296-436).

The drafters of the Princeton Principles75 holds that it would be inappropriate to invoke universal
jurisdiction for the prosecution of minor transgressions of the 1949 Geneva Conventions and Protocol
I. Such a regime should also cover cross-border cybercrimes.
Every single individual has to a certain extent unreasonable been deprived normal rights as far as
Cyberspace is concerned, because in practice “Global Jurisdiction”76 is exercised by most nations and
their courts.
Vinton Cerf, one of the fathers of the Internet, has stated on the technicality of the Internet that
“if every country [to fulfill their legislations] requires filters, then the net will stop working.”77 Thus,
if every country claim they can legislate and make their courts decide on every issue then the net will
stop working because cybernauts will then not know what rules to follow, and when and where to be
arrested and sentenced
The Cybercrime Convention should immediately be re-written or parties should retreat from the
treaty. However, this latter is not easily done pursuant to the Law of Treaties.78
75
THE PRINCETON PRINCIPLES page 46, at <www.princeton.edu/~lapa/unive_jur.pdf> (visited November 2005).
76
See above footnote 22.
77
See above footnote 29.
78
Confer the principle of Pacta sunt servanda in the preamble and part IV of The Vienna Conventions on the
Law of Treaties of May 23, 1969 (into force 27 January 1980. As of April 2007, 108 ratifications), 1155
U.N.T.S. 331, also at <http://untreaty.un.org/ilc/texts/instruments/english/conventions/1_1_1969.pdf> (visited
April 2007).

The Future of International Law: CyberCrime

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Future of International Law: CyberCrime

Uploaded by

Copyright:

Available Formats

Henrik Spang-Hanssen

The Future of International Law:

Regional Meeting of ASIL

Not printed in: Annual Survey of International and Comparative Law

This paper can be downloaded without charge from the

© 2007 Henrik Spang-Hanssen

The Future of International Law: CyberCrime

2. Some Problems for Cybernauts related to the Convention...........................................................................6

3.3. Who is the Offender ? .................................................................................................................................15

3.4. Intent ............................................................................................................................................................15

3.5. Extradition ...................................................................................................................................................16

4. Some US Computer Crime Cases after 1998................................................................................................18

5. The Future of (Public) International Law on CyberCrime ........................................................................21

© Henrik Spang-Hanssen – Page 2/22

1.1 Parties to the Convention

© 2008 Henrik Spang-Hanssen - Page 3 of 22

1.2 Outline of the Convention

1.3 The United States of America

© 2008 Henrik Spang-Hanssen - Page 4 of 22

© 2008 Henrik Spang-Hanssen - Page 5 of 22

2. SOME PROBLEMS FOR CYBERNAUTS RELATED TO THE CONVENTION

2.1. Article 22 – Jurisdiction

© 2008 Henrik Spang-Hanssen - Page 6 of 22

c) on board an aircraft registered under the laws of that Party; or

2.2. Article 24 – Extradition

© 2008 Henrik Spang-Hanssen - Page 7 of 22

2.3. Global jurisdiction to be considered by the individual

2.4. Other Aspects to be considered by the individual Cybernaut

3.1. WHEN IS A STATE ALLOWED TO GOVERN PURSUANT TO PUBLIC

© 2008 Henrik Spang-Hanssen - Page 8 of 22

© 2008 Henrik Spang-Hanssen - Page 9 of 22

© 2008 Henrik Spang-Hanssen - Page 10 of 22

Made online from

Global Jurisdiction is Global Jurisdiction is Global Jurisdiction is

Global Jurisdiction is Global Jurisdiction is Global Jurisdiction is

© 2008 Henrik Spang-Hanssen - Page 11 of 22

© 2008 Henrik Spang-Hanssen - Page 12 of 22

3.2. WHEN IS THE OFFENCE-PLACE “IN” OR “ON” THE STATE’S SPHERE ?

© 2008 Henrik Spang-Hanssen - Page 13 of 22

© 2008 Henrik Spang-Hanssen - Page 14 of 22

3.3. WHO IS THE OFFENDER ?

© 2008 Henrik Spang-Hanssen - Page 15 of 22

© 2008 Henrik Spang-Hanssen - Page 16 of 22

© 2008 Henrik Spang-Hanssen - Page 17 of 22

4. SOME US COMPUTER CRIME CASES AFTER 1998

© 2008 Henrik Spang-Hanssen - Page 18 of 22

© 2008 Henrik Spang-Hanssen - Page 19 of 22

© 2008 Henrik Spang-Hanssen - Page 20 of 22

4.1.4. U.S. v. An Unnamed Juvenile (W.D. Wash., February 11, 2005)73

5. THE FUTURE OF (PUBLIC) INTERNATIONAL LAW ON CYBERCRIME

© 2008 Henrik Spang-Hanssen - Page 21 of 22

© 2008 Henrik Spang-Hanssen - Page 22 of 22

You might also like