Transnational Cybercrime: Issue of Jurisdiction

  • Meetali Rawat

    Student at National University of Study and Research in Law, Ranchi, India.

Abstract

The World Wide Web, an information-sharing platform constructed on top of the Internet’s system of interconnected computer networks, helped bring Internet technology to life. Since then, Internet technology has evolved organically and transformed almost every facet of contemporary life. However, since its technological infrastructure was built to prioritize survivability and flexibility over security, how can one maintain order in a virtual space that, by design, is not subject to the control of any single jurisdiction? How can one regulate cyberspace in the twenty-first century? The authors attempt to address these questions in this paper. Cyberspace is nothing more than an “abstract terrain” which consists of all users from around the world who are connected by means of networking. Unlike the conventional world, territorial borders do not exist in the virtual world. The present paper specifically deals with “transnational cyber offences”, for which the problems of territorial jurisdiction are exceptionally critical. One can attribute this distinctive legal challenge presented by transnational cyber offences to the technical background of cyberspace. This paper also examines the tests used to determine jurisdiction in cyberspace in the US. The current Indian position with respect to the issue of jurisdiction in cyberspace has also been discussed with the help of a few decided cases.

Type

Research Paper

Information

International Journal of Law Management and Humanities, Volume 4, Issue 2, Page 253 - 266

DOI: http://doi.one/10.1732/IJLMH.26049

Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) (https://creativecommons.org/licenses/by-nc/4.0/), which permits remixing, adapting, and building upon the work for non-commercial use, provided the original work is properly cited.

Copyright

Copyright © IJLMH 2021

I. Introduction

The Internet is considered a place beyond national borders, an idea elucidated by John Perry Barlow, a cyber activist (and former Grateful Dead lyricist), in his 1996 Declaration of the Independence of Cyber Space in the following manner: “Governments of the Industrial World, you weary giants of flesh and steel….I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear….Cyberspace does not lie within your borders”.[1]

Thus, Barlow’s declaration makes it clear that there are neither political barriers nor any territorial demarcations in cyberspace. But this lack of territorial borders in cyberspace makes the Internet an attractive medium for criminals to commit crimes. This raises one of the most cryptic issues in cyber law, “jurisdiction in the cyberspace”. Partly due to this inability to map the precise nature of the jurisdictional problem, Internet regulation is widely seen as either empirically impracticable or normatively illegitimate. Meanwhile, cyber threats have escalated, thereby underscoring the need to regulate cyber activity and to impose sanctions for cyber offences.

In the Cold War era, in order to command and regulate communications systems that could resist nuclear devastation, an American engineer, Paul Baran, crafted a new communications network based on the principles of redundancy and decentralization. Unlike the telephony systems, Baran’s system relies on a distributed network, whereby each node is connected to several other nodes in the web. Information is directed from one node to another until it arrives at its final destination in a process Baran referred to as “hot-potato routing”.[2] In Baran’s words, “there is no central control; only a simple local routing policy is performed at each node, yet the overall system adapts.”[3] Thus, Baran’s research laid the foundation for modern computer networking. After the initial phase of sponsorship and supervision by the U.S. in the development of the Internet, it was in 1989 that the Internet was made available for public commercial use, and by 1995 the U.S. government relinquished control.

II. Transnational cyber crimes: definition and its common forms

“Cyber crimes” are offences in which a computer or its network is used as a tool to commit a crime or becomes the target of a crime. Though much has been discussed about the threat posed by cyber crime, including terrorism, little has been done to protect against what has become the most costly form of such crimes: transnational attacks on computer and information infrastructure. The present Internet technology is based on a system which would continue to operate even if one node were destroyed, thereby ensuring that no harm is caused to the physical infrastructure of the Internet. However, it fails to take into account the possibility of damage caused by the very data being communicated.[4] Thus, cyber criminals tend to exploit the weaknesses present in the infrastructure’s transnational nature. These weaknesses include: (1) a worldwide target pool of computers and users to victimize, or to exploit in denial-of-service or other attacks, which enables attackers to do more damage with no more effort than would be necessary in attacking computers or users in a single state; and (2) the widespread disparities among states in the legal, regulatory or policy environment concerning cyber crime, and the lack of a sufficiently high degree of international cooperation in prosecuting and deterring such crime. Thus, transnational cyber offenses operate from within: using the language code, they enter systems, disrupt service and compromise data.

Some prominent examples of the most damaging transnational cyber attacks are as follows:

  • The “I Love You” virus, which propagated from the Philippines back in 2000, was spread as an attachment to an e-mail message with the special header “I love you”. This virus damaged many computer systems across the world and critically damaged government computer networks using Windows-98 and Windows-2000, as it was written in the Visual Basic scripting language. US investigators demanded the arrest and prosecution of the suspects, computer programming students from the Philippines, and Filipino investigators attempted to do so under a 1998 law prohibiting the use of “access devices”, such as credit cards, to defraud. However, the Chief State Counsel concluded that this law was inapplicable in the present instance because “the intention of a computer hacker….is not to defraud but to destroy files.”[5] Consequently, this costly act went unpunished.[6] This incident led to the passage of appropriate legislation in various States; for instance, in the US it brought the passage of the CAN-SPAM Act.[7]
  • In 1999-2000, there were reports of persistent international attacks on official government websites throughout the world. Some of the notable ones include: (1) The website of Ministry of Finance of Romania was hacked in November 1999 to bring in bogus taxes and alter the exchange rate of the national currency.[8] (2) Recurrent Taiwan-China “hacker” wars in 1999 and 2000 in which attackers broke into various government and business websites, penetrating protective firewall software with seeming ease.[9] (3) Transnational cyber attacks on national security networks and public service websites/infrastructure of many governments.[10]

Thus, regulation of such transnational cyber offences is necessary because either the sources of transnational attacks cannot be determined or, even if the perpetrators are identified, they go unpunished, largely due to the issue of “jurisdiction in cyberspace”, which is briefly discussed in the next section.

III. The failure of domestic and international law to deal with transnational cyber offences: the problem of jurisdiction

In the physical world, “we divide threats into internal (‘crime’) and external (‘war’) and assign responsibility for each to a separate institution (law enforcement and military).”[11] But this division between internal and external threats loses its significance in the cyber context where, as Susan Brenner observes, “what we define as ‘internal’ threats can now come from external, civilian actors.”[12] That is why the authors advocate examining the particular characteristics of each cyber security threat instead of attempting to apply any one existing legal framework to all cyber threats. Just as a single body of law cannot regulate all wrongful acts in the physical world, similarly, all wrongful acts in cyberspace cannot be brought within the scope of a single statutory body.

For ordinary cybercrimes, in which the perpetrator is located in the same jurisdiction as the victim, the domestic laws (namely, the Indian Penal Code and the Information Technology Act) are generally appropriate. But what would be the appropriate law when the perpetrator and the victim are located in different jurisdictions? Significantly, there is no international instrument relating to jurisdiction in the cyber-world. Though an attempt was made by Russia for adoption of an international treaty on cybercrime back in 2010, the United Nations rejected it, despite widespread agreement on the relevance of international co-operation in a world connected by computer networks.[13] Even if the law of armed conflict provides a suitable legal framework for other rare cyber offences, namely highly destructive attacks by one government against another government, transnational cyber offences do not fit comfortably within either category. This is because, on the one hand, the ability of cyber criminals to cooperate internationally, to launch cyber operations remotely and to execute attacks with global effects perplexes the application of domestic law. On the other hand, borderless transnational attacks on computers and civilian data infrastructure cannot be considered as conventional warfare among States. Moreover, the perpetrators of transnational cyber offenses are usually private individuals or non-State groups, due to which such crimes do not meet the threshold of an armed conflict.[14] Consequently, transnational cyber offences present legal lacunae as they are subject to neither domestic laws nor international law.

  1. The International Humanitarian Law Framework and its Limitations

International law presents potentially valuable guidelines to combat cyber offenses committed by one State against another. Some human rights treaties deal with components of cybercrimes. For instance, the right to privacy imbibed in international human rights documents like the Universal Declaration of Human Rights[15] or International Covenant on Civil and Political Rights[16] could be invoked to prevent unlawful access to other people’s private data, while the right to freedom of expression and freedom of information in those documents proscribes interfering with access to media-websites.[17]

Usually, the approach of international law to cyber offenses has centered around jus ad bellum and jus in bello. Jus ad bellum ascertains when a State is lawfully permitted to use force against another State. Under Article 51 of the UN Charter, an “armed attack” enables the State to engage in self-defense through the “use of force”, irrespective of the general prohibition contained in Article 2(4) on “the use of force against the territorial integrity or political independence of any State.”[18] Notwithstanding the legality of the use of force, whenever an armed conflict occurs, international humanitarian law (or jus in bello) comes into play.

However, in the context of cyber conflict, the question which arises is whether cyber operations can constitute an “armed attack” under Article 51, authorizing a State to retaliate or “resort to armed force”, activating the existence of an international armed conflict.[19] Referring to traditional armed attacks, Marco Roscini observed that, “both the scale and the effects of the use of force….determine the occurrence of an armed attack”.[20] Thus, an intentional power grid outage, a terrible crash caused by hacking into aircraft computers, or a shutdown of computers regulating waterworks and dams, which, in turn, causes flooding in populated areas, can be considered to fall within the ambit of “armed attack”, while a DDoS attack temporarily distorting non-critical infrastructure would not.[21] While describing international armed conflict, Michael Schmitt, director of the Tallinn Manual Project, maintained that when a State carries out a cyber attack which is “either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable,” international “humanitarian law principles apply…even though classic armed force is not being employed.”[22] The International Committee of the Red Cross (ICRC) went a step ahead to hold that physical damage or destruction is not necessary; cyber operations only need to disable an object to qualify as a use of armed force subject to the rules of international humanitarian law.[23] Still, there must be some intensity threshold for disabling or disruption, so that the effects are analogous to those of destruction by traditional armed forces.[24]

The second major challenge posed by international humanitarian law is the application of the State responsibility doctrine. Traditionally, whenever a foreign power attacked another country, there was no question as to State responsibility as the soldiers were uniformed and only nations had the resources to carry out attacks in another country. In contrast, it becomes difficult to attribute responsibility for a cyber attack to a particular nation as such attacks can be carried out at low cost by the State, by hacker groups linked to a foreign government, or by individuals whose identities and physical locations are often not revealed. Thus, international humanitarian law has proved to be an appropriate legal framework only for a narrow set of cyber operations.

  2. The Domestic Law Framework and Its Limitation

When a cyber-criminal introduces a file through bot computers across several jurisdictions to injuriously affect the Critical Information Infrastructure of one or more countries causing irreparable loss of confidential and valuable data, then the cyber-criminal can be sued in any of the affected jurisdictions. This would raise the issue of lack of territorial jurisdiction. Usually, territorial jurisdiction is determined along three dimensions: legislative or prescriptive jurisdiction (the jurisdiction to prescribe legal rules); judicial or adjudicative jurisdiction (the jurisdiction to resolve disputes); and executive or enforcement jurisdiction (the jurisdiction to enforce judgments). Transnational cyber offences have proved to be problematic along all three dimensions.

When considering legislative jurisdiction, different countries have different laws governing cybercrime. If the territoriality principle of international law allows every State to prescribe its laws on transnational events that are “sufficiently closely linked or connected” to that State, then, in such a case, any State which experiences the effect of online activity could exercise jurisdiction. Consequently, a single act would subject the perpetrator to various jurisdictions, which is certainly intolerable, as remarked by James Brierly.[25] Moreover, as explained by Jennifer Daskal, “it is widely understood that when one travels to….a foreign jurisdiction, one is subject to that sovereign nation’s laws,” but if data that happens to transit through another nation is sent by an individual over the Internet, then “that individual is not consciously choosing to bind himself to any particular foreign government’s laws.”[26] Thus, subjecting every online actor to the law of every State based on the fact that activity on the Internet has an impact everywhere does not offer an appropriate solution to the problem of transnational cybercrimes.

Coming to adjudicative jurisdiction, when a Forum State is conferred with the jurisdiction to prescribe, then it can exercise its jurisdiction to adjudicate over a non-resident defendant depending upon reasonableness as a threshold requirement. This implies that there may be legislative jurisdiction but no jurisdiction to adjudicate. For instance, section 75 of the IT Act, 2000 makes the Act applicable to any offence or contravention committed outside India by any person irrespective of his nationality if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. This means that the Act has prescriptive jurisdiction over non-residents who may commit an act that amounts to an offence outside India. However, the jurisdiction to adjudicate will be a challenge, particularly as such a person will need to be extradited if there is a treaty between the two countries in question. In most cases, such persons who are non-residents will not consent to the jurisdiction of the forum or regulating state.

Moreover, executive jurisdiction is applicable only when a State has the jurisdiction to prescribe. Very rarely will a State allow another State’s law enforcement team to enforce that other State’s laws within its jurisdiction without its due written consent. The same can be evidenced from the fact that any judgment passed by an Indian Court under the IT Act, 2000 may not be enforced by a foreign Court, because the foreign Court may refuse to recognize the principle of extra-territorial jurisdiction envisaged under section 75, as that particular act may not be considered an offence in that country. In India, section 13 of the Code of Civil Procedure, 1908 (CPC) provides that a foreign judgment is conclusive as to a matter directly adjudicated between the same parties except where it was not delivered by a competent court, or was not judged on merits, or adopts an incorrect international law view or does not recognize Indian law. In Satya v. Teja Singh,[27] the issue raised before the court was whether Indian courts are bound to give recognition to divorce decrees obtained abroad. The court held that the decree was given by a court that cannot be said to be a court of competent jurisdiction and that it was tainted by fraud played upon the court; considering section 13 of the CPC, it was hence not recognized in Indian law. In R. Viswanathan v. Rukn Ul-Mulk Syed Abdul Wajid,[28] the court held that, “In view of cl. (d) of s. 13, a foreign judgment is not conclusive if the proceedings in which it was obtained are opposed to natural justice. A judgment which is the result of bias or of impartiality on the part of a judge will be regarded as a nullity and the trial as coram non judice.” Further, section 44A of the Code of Criminal Procedure, 1908, provides for execution of decrees passed by courts in foreign countries, but the enforcement of foreign decrees is limited to those countries which are notified by the Government of India as ‘reciprocating countries’.

Moreover, in case an offence under the IT Act, 2000 is committed by a foreign national, such as identity theft (section 66C of the IT Act, 2000) and/or hacking (section 66), legal assistance and cooperation will be required from the concerned authorities in the foreign country where the foreign national resides for any investigation, prosecution or extradition. This is difficult to obtain in the absence of a Cybercrime Convention that India is signatory to (as India has not signed any) and/or a Mutual Legal Assistance Treaty (MLAT) for cooperation on cybercrime matters (as India has not signed any). Although India has signed MLATs with a few countries for legal assistance on criminal matters, a cybercrime may not be covered by those arrangements which require dual criminality to be satisfied. Also, India is currently a signatory to the UN Convention Against Transnational Organised Crime, which applies to criminal matters in general and may not be effectively used in cybercrime cases. Therefore, there is a growing need to form conventions and treaties for international cooperation and assistance, without which combating transnational cybercrimes will remain difficult to achieve. Thus, in the view of the authors, India must sign the Cybercrime Convention, and efforts must be made to frame MLATs that encourage international cooperation on issues of cybercrime or to update the current MLATs with provisions that effectively deal with cybercrime issues. This will harmonize substantive and procedural laws on international cooperation on legal assistance in transnational cybercrime.

IV. Tests to determine jurisdiction in the United States

The authors first analyse the United States jurisprudence on determination of jurisdiction in cyberspace as Indian case laws have borrowed key principles to determine jurisdictions in cyber-cases from the United States.

  • Minimum Contacts Test

The United States Supreme Court explained the Minimum Contacts Test in Washington v. International Shoe Company.[29] According to this test, if the plaintiff establishes that the defendant has sufficient “minimum contacts” in the Forum State, then the Forum State can sue a non-resident foreign defendant while duly considering principles of justice and fair play. ‘Minimum Contacts’ means physical presence or contacts within Forum State.

  • Purposeful Availment Test

The US Supreme Court evolved the purposeful availment test in Hanson v. Denckla[30] wherein the court held that a non-resident defendant should reasonably expect that he may be subjected to a legal proceeding in a foreign court if he ‘purposefully avails’ the benefits of conducting business in the foreign State and enjoys the legal protections granted by that State for conducting its business.

The US Supreme Court, in Burger King Corporation v. Rudzewicz[31] observed that, “In case the defendant performed a single related act or many continuous structured activities within the Forum State has ‘purposefully availed’ himself of that State” and “should reasonably anticipate being hauled into Court (there).” The expression ‘purposefully availed’ was explained in Ballard v. Savage[32] to mean that “the defendant has taken deliberate action within the forum state or if he has created continuing obligations to forum residents.” It was further explained that, “it was not required that a defendant be physically present within, or have physical contacts with the forum State, provided that his efforts are purposefully directed toward forum residents.”

  • The Zippo Sliding Scale Test

In Zippo Manufacturer v. Zippo.com,[33] the Supreme Court for the first time laid down the “Zippo Sliding Scale Test”. This test classified websites into three categories, namely, active, passive and interactive. According to this test, “passive websites” are those that mainly disseminate information to internet users and would not attract the exercise of personal jurisdiction. The “interactive websites” are those websites where internet users may input some information on the website. In this case, exercise of personal jurisdiction depends on the “level of interactivity and commercial nature of exchange of information” by means of the website. The “active websites” are those websites wherein the defendant undertakes activities over the internet and constantly interacts with the website. Thus, the court observed that the likelihood of constitutional exercise of personal jurisdiction is directly proportional to the nature of commercial activity that an entity conducts over the Internet, which is compared to a ‘sliding scale’.

  • The Effects Test

The Supreme Court in Calder v. Jones[34] moved from a “subjective territoriality” test to an “objective territoriality” test or “effects test” in which the forum court will exercise personal jurisdiction if it is proved that the effects of the defendant’s actions are seen in the Forum State. In other words, it must have caused some harm or injury to the plaintiff within the territory of the forum state. Thus, in order to have personal jurisdiction, there must be: (1) Intentional actions, (2) Expressly aimed at the forum state, and (3) causing harm.

V. Determination of personal jurisdiction: the Indian scenario

Since no special criminal courts have been established under the Information Technology Act, 2000 to deal with cybercrime matters, such cases are heard by criminal courts established to hear general criminal matters. While determining their personal jurisdiction, the courts must take into account essential parameters such as foreseeability, intention of parties, and requirements of fairness and reasonableness.

In Casio India Company Limited v. Ashita Tele Systems Private Limited,[35] the single judge bench, placing reliance on Rediff Communication Ltd. v. Cyber Booth,[36] held that “once access to the impugned domain name website could be had from anywhere else, the jurisdiction in such matters cannot be confined to the territorial limits of the residence of the defendant.” According to the court, “since a mere likelihood of deception, whereby an average person is likely to be deceived or confused was sufficient to entertain an action for passing off, it was not at all required to be proved that any actual deception took place at Delhi.”[37] Accordingly, the fact that the website of Defendant No. 1 was accessible from Delhi was sufficient to invoke the territorial jurisdiction of the courts. However, this approach is very narrow as practically every site on the Internet is accessible everywhere.

In India TV, Independent News Service Pvt. Ltd. v. India Broadcasting Live, LLC,[38] a Hindi news channel, “INDIA TV”, which was launched in March 2004, was being run by the plaintiff, and its trade mark (INDIA TV) had been adopted since December 2002. The plaintiff had applied for registration of the said mark, and the applications had been published in the journal of trade marks. The domain name “indiatv.com” was owned by the plaintiff and was registered on 18th Nov, 2003. The channel was made available for live streaming on the said website. “www.indiatvlive.com” was another website, hosted by Defendants 1 and 2, which came to the notice of the plaintiff in January 2007. The website contained the words “INDIA TV” displayed in bold inside the sketch of a television.

The defendants lived in the USA. The plaintiff filed a passing off action in the Delhi High Court to prevent Defendant 2 from using the domain name “www.indiatvlive.com”. While the suit was pending, Defendant 1 filed a case in the Arizona District Court in the USA against the plaintiff seeking a declaration of non-infringement of the plaintiff’s mark by Defendant 1. The court relied on the purposeful availment test, while examining whether the defendant’s activities “have a sufficient connection with the forum state (India); whether the cause of action arises out of the defendant’s activities within the forum and whether the exercise of jurisdiction would be reasonable”. The Court, relying on the Zippo Sliding Scale Approach, said that “wherever a website is not merely “passive” but is interactive allowing the users to not only access the information thereof but also become subscribers of the website, the situation would be different.

The nature of the website “www.indiatvlive.com” of Defendant 1 is not completely ‘passive’. It has a specific provision for subscription to its services and the options available on the website for the countries whose residents can subscribe to its services include India. The services provided by Defendant 1 could thus be subscribed to and availed of in Delhi (India), that is, within the jurisdiction of this court.

The court concluded that, “Defendant 1 intended to target Indians residing in India and expatriate Indians”.[39] Since the website of Defendant 1 was launched in India as well as in Los Angeles, the court accordingly held that, “Defendant 1’s company has sufficient connection with India”. Regarding the “effects test”, it was held that since the plaintiff channel was an Indian news channel made for Indian audiences, any harm alleged to have been caused or alleged to be likely to arise to the good will, reputation of the plaintiff would be in India. Therefore, it was held that “the Defendant is carrying on activities within the jurisdiction of this court; has sufficient contacts with the jurisdiction of the court and the claim of the plaintiff has arisen as a consequence of the activities of Defendant 1 within the jurisdiction of this court”.[40]

In the case of Banyan Tree Holdings (Pvt.) Ltd. v. Murali Krishnan Reddy,[41] the court relied on the decision taken in the India TV case. In this case, the plaintiff’s company in Singapore had been using the trademark “Banyan Tree” and also the banyan tree device since 1994. The plaintiff had been maintaining the websites “www.banyantree.com” and “www.banyantreespa.com” since 1996. The plaintiff came to know in October 2007 that the defendants, residing in Hyderabad in Andhra Pradesh, had started a project under the name of “Banyan Tree Retreat”, which was deceptively similar to that of the plaintiff. The plaintiff initiated the proceeding in the Delhi High Court on the ground that the defendants’ website “www.makprojects.com/banyantree”, which advertised its products and services, was accessible in Delhi.

The Hon’ble Chief Justice, Dr. Justice S. Murlidhar, observed that merely accessing a website would not invoke the Jurisdiction of the Delhi High Court. For exercise of jurisdiction by the Delhi High Court it has to be shown that the defendant “purposefully availed” itself of such jurisdiction by showing that the website was intended to conclude a commercial transaction, with the user of the site and such use resulted in harm or damage to the plaintiff. Thus, the court went a step ahead and held that “in a passing-off or infringement case where defendant is out of State and where there is no long arm statute, the plaintiff will be required to prove that the defendant purposefully availed itself of the benefits of conducting business in the Forum State by active advertising and ‘targeting’ of customers in Forum State and mere hosting of an interactive website without such targeting will not suffice.”

Placing reliance on the Cybersell case[42] and the R v. U Toys case, the court further elucidated the criteria to prove purposeful availment and held that, “to prove a prima facie case that plaintiff will need to prove defendant engaged in some commercial activity in the Forum State by targeting its website specifically at customers within that State”.[43] Thus, these tests used to determine jurisdiction can be put to use while adjudicating transnational cyber offences.

VI. Conclusion and suggestions

The grave problems of lack of harmonisation, uncertainty as to jurisdiction, and lack of uniformity or lack of law on extradition between various countries of the world can only be solved by a legal, proportionate and fair self-help system, which is not only quick and instantaneous but also free of technicalities and formalities.

In order to solve the issue of jurisdiction of courts in transnational cyber crime, an entity should be set up at the global level with the authority to decide the jurisdiction of cyberspace disputes and also the authority to penalize crimes in the cyber world, in which member states may come together to collaborate in gathering evidence, prosecution, etc. A strong liability policy for transnational cyber offences should also include criminal sanctions. Depending on individual states to apply their penal law is not adequate. Thus, the authors suggest the following solutions to the problem of regulating transnational cyber offences:

  • The laws on cybercrime in different countries can be harmonized, which can ultimately result in the development of a transnational criminal law regime that would promote international cooperation in law enforcement. Legal harmonization is an important aspect of developing a transnational criminal law for transnational cyber offences. At a minimum, every country ought to enact laws prohibiting core cybercrimes, such as deliberate release of malware.
  • International cooperation at the level of enforcement is equally essential. Under the transnational criminal law regime, countries should commit to assist one another with real-time collection of traffic data, and technologically sophisticated countries should provide training to less technologically advanced countries. Additionally, countries in which evidence is found should be required to turn over the evidence (such as computer hard drives) for investigation in other countries that may wish to decrypt files.
  • The most important step toward a transnational criminal law for cyber offences to date is the Budapest Convention on Cybercrime. Drafted by the Council of Europe and adopted in 2001, it represents, in the words of John Kerry, “the best…legal framework for working across borders to define what cybercrime is and how breaches of the law should be prevented and prosecuted”.[44] Though several features of the Convention are controversial, it can be used to combat transnational cyber offences to an extent. Thus, as already observed above, India should ratify this 2001 Convention on Cybercrimes.
  • Cybercrimes may be tried as international offences before the International Criminal Court (ICC) or before a sui generis international criminal tribunal. Though the ICC currently has no jurisdiction to deal with cases of cybercrimes, the Rome Statute could be amended to extend the jurisdiction of the ICC to include offences of serious and grave intensity.

Another solution would be to create a new international criminal tribunal, highly equipped with computer technology and having universal jurisdiction over transnational cyber crimes. Such a tribunal would solve many problems of State jurisdiction, including jurisdiction shopping, disputes over complexities of law and the challenge of inter-border cooperation on gathering of evidence and enforcement.

*****

FOOTNOTES

[1] John Perry Barlow, A Declaration of the Independence of Cyberspace, Electronic Frontier Found (Feb. 8, 1996), https://www.eff.org/cyberspace-independence

[2] Paul Baran & Sharla P. Boehm, II. On Distributed Communications: Digital Simulation of Hot-Potato Routing in a Broadband Distributed Communications Network, Rand Corporation (1964), https://www.rand.org/pubs/research_memoranda/RM3103.html

[3] Paul Baran, On Distributed Communications Networks, 12 IEEE Tran. Comm. Sys. 1, 8 (1964).

[4] William M. Stahl, The Uncharted Waters of Cyberspace: Applying the Principles of International Maritime Law to the Problem of Cybersecurity, 40 Ga. J. Int’l & Comp. L. 247, 252 (2011).

[5] Elmer Bautista, Philippines Seek ‘Love Bug’ Law, N.Y. Times, May 17, 2000.

[6] Robert Frank, ‘Love Bug’ Case Against Student Gets Dismissed As Law Lag, WSJ, Aug. 22, 2000, at A20.

[7] 18 U.S.C. § 1037 (2010).

[8] Hackers Alter Romanian Money Rate, N.Y. Times, Nov. 3, 1999.

[9] ‘Taiwan-China Hackers’ War Erupts, N.Y. Times, Aug. 9, 1999.

[10] Stephen J. Glain, Blind Arab Brothers, Allegedly Hackers, Disconcert Israel: They’re on Trial for Tapping into Defense Phone System to Commit ‘Cybercrimes’, WSJ, Oct. 21, 1999, at A1.

[11] Susan W. Brenner, The Council of Europe’s Convention on Cybercrime in Cybercrime: Digital Cops In A Networked Environment 207, 210 (Jack M. Balkin et al. Eds., 2007)

[12] Id.

[13] Mark Ballard, UN rejects international cybercrime treaty, Computer Weekly.com (Apr. 20, 2010), https://www.computerweekly.com/news/1280092617/UN-rejects-international-cybercrime-treaty

[14] Prosecutor v. Tadic, Case No. IT-94-1-A, ¶ 70 (Int’l Criminal Tribunal for the Former Yugoslavia, Oct. 2, 1995).

[15] Universal Declaration of Human Rights, G.A. Res. 217 (III) A, U.N. Doc. A/810, art. 12 (1948).

[16] International Covenant on Civil and Political Rights, S. Exec. Doc. E, 95-2, art. 17 (1966).

[17] UDHR, supra note 15, art. 19; ICCPR, supra note 16, art. 19.

[18] United Nations Charter, art. 2.

[19] Marco Roscini, Cyber Operations And The Use Of Force In International Law 128-32 (2014).

[20] Id., at 73.

[21] Id.

[22] Michael N. Schmitt, Wired Warfare: Computer Network Attack and Jus in Bello, 84 IRRC 365, 374 (2002).

[23] International Committee Of the Red Cross, International Humanitarian Law And The Challenges Of Contemporary Armed Conflicts, Rep. 31IC/11/5.1.2, at 37 (2011), http://e-brief.icrc.org/wpcontent/uploads/2016/08/4-international-humanitarian-law-and-the-challenges-of-contemporary-armedconflicts.pdf

[24] Roscini, supra note 19, at 135.

[25] James L. Brierly, The “Lotus” Case, 44 L.Q. Rev. 154, 162 (1928).

[26] Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L. J. 326, 367-68 (2015).

[27] Satya v. Teja Singh, 1975 AIR 105.

[28] R. Viswanathan v. Rukn Ul-Mulk Syed Abdul Wajid, 1963 SCR (3) 22.

[29] 326 US 310 (1945).

[30] 357 US 235 (1958), 253.

[31] 471 US 462 (1985).

[32] 65 F.3d 1495 (9th Cir. 1995).

[33] 952 F. Supp. 1119 (W.D. Pa. 1997).

[34] 465 US 783 (1984).

[35] (2003) 27 PTC 265 (Del.) (India), overruled by Banyan Tree Holding (P) Limited v. A. Murali Krishna Reddy, CS(OS) 894/2008 (High Court of Delhi, 23rd November 2009) (India).

[36] 1999 SCC OnLine Bom 275 : AIR 2000 Bom 27 (India).

[37] Supra note 35

[38] 2007 (35) P.T.C. 177 (Del.) (India).

[39] Ibid.

[40] Id.

[41] 2008 (38) PTC 288 (Del) CS/OS no. 894 of 2008 (India).

[42] Cybersell Inc. v. Cybersell Inc., 130 F 3d 414 (9th Cir 1997).

[43] Banyan Tree Holdings (Pvt.) Ltd. v. Murali Krishnan Reddy, 2008 (38) PTC 288 (Del) CS/OS no. 894 of 2008 (India).

[44] John Kerry, An Open and Secure Internet: We Must Have Both, US Department of State (May 18, 2015), https://2009-2017.state.gov/secretary/remarks/2015/05/242553.htm