Upload
nazura
View
225
Download
0
Embed Size (px)
Citation preview
ww.sciencedirect.com
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1
Available online at w
www.compseconl ine.com/publ icat ions/prodclaw.htm
A rational jurisdiction for cyber terrorism
Pardis Moslemzadeh Tehrani, Nazura Abdul Manap
Faculty of Law, National University of Malaysia, Malaysia
Keywords:
Cyber terrorism
Cyber crime
Jurisdiction
Universal jurisdiction
Territorial jurisdiction
1 Susan. W. Brenner, ’Cyber Crime InvestiElectronic Journal Law, 1.
2 L. Bantekas, International Criminal Law0267-3649/$ e see front matter ª 2013 Pardishttp://dx.doi.org/10.1016/j.clsr.2013.07.009
a b s t r a c t
Cyberspace is a cross-national world that transcends geopolitical national borders. Juris-
diction is the focal point for any dispute arising in the international arena, because it de-
termines which state court has the authority to settle a dispute. The objective of this paper
is to analyse territorial and universal jurisdiction principles which can be specifically
related to cyberspace to determine which of them is best suited to providing the appro-
priate jurisdiction in combating cyber terrorism and how conflicts arising between them
can be settled. The transnational nature of cyber terrorism offences leads to jurisdictional
complexity, thereby investigation and prosecution is difficult. Lack of harmonisation in
legislating among countries leads to difficulty in investigation and prosecution of cyber
terrorism offences. This paper notes that universal jurisdiction is the most feasible and
effective method to deter cyber terrorism.
ª 2013 Pardis Moslemzadeh Tehrani, Nazura Abdul Manap. Published by Elsevier Ltd. All
rights reserved.
1. Introduction The main issue regarding jurisdiction in the international
The progress and development in computer technology have
provided new opportunities for those who are willing to
involve themselves in illegal activity and this has thereby
created some new varieties of criminal activity that pose legal
challenges for legal systems as well as for law enforcement.1
Due to the fact that cyber terrorist attacks are conducted in
multiple states, the procedure of prosecution is difficult;
therefore, the attacked country will invoke international law
to seek justice for damage caused. Although countries
implement technical measures, legal measures must also be
taken in order to prevent and deter the rapid growth of
cyber terrorism. Nations must come up with self-regulatory
legal mechanisms to combat against the misuse of new
technologies; however, such mechanisms need to be sup-
ported by international agreements and appropriate national
legislation.2
gation and Prosecution: T
(3rd Edn, Routledge-CavenMoslemzadeh Tehrani, N
space of the internet is the dichotomy which exists among
three components of jurisdiction in cyberspace.
Although many steps have been taken to combat cyber
terrorism, from legal to technical steps, these attempts have
not been sufficient to prevent cyber terrorism. It appears that
greater international cooperation is needed. For the time
being, as cyber terrorism cannot be prevented, effective
prosecution is a logical method to deter cyber terrorists. In-
ternational law prescribes several types of jurisdictions: na-
tionality jurisdiction (active personality, passive personality),
territorial jurisdiction (objective, subjective), universal juris-
diction and protective jurisdiction. Of these, territorial juris-
diction and universal jurisdiction are more attuned to deter
cyber terrorism. However, universal jurisdiction is the more
suited to deter cyber terrorism due to the nature of the
internet and the initial reality of cyber terrorism. This is
because it ignores national borders.
he Role of Penal and Procedural Law,’(2001) 8 Murdoch University
dish Publication, United Kingdom, 2007) 265.azura Abdul Manap. Published by Elsevier Ltd. All rights reserved.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1690
2. Jurisdiction
International law defines “jurisdiction” as: “jurisdiction de-
scribes the limits of the legal competence of a State. tomake,
apply, and enforce rules of conduct upon persons. It concerns
essentially the extent of each state’s right to regulate conduct
or the consequences of events.” 3 Jurisdiction refers to the
sovereign authority within its terrain to propose legislative,
executive, and judicial principles. However, one of the main
problems of the jurisdiction attribute is the lack of information
and absolute certainty. The nature of the internet gives the
ability to the user to disguise its identity, leading to inherent
difficulties in determining the states that fail to prevent an
attack from being originated within their borders. Therefore,
states must cooperate with each other to share information in
order to attribute attackers.4 In the United Kingdom, the
principle of traditional rules applies for its jurisdiction.
Although there have been several efforts by various
scholars around the world, we have yet to attain a uniform
response to address the issue of jurisdiction in cyber
terrorism. Different legal systems have responded in different
ways based upon their own ideas of justice and interest. For
instance, the United States has exercised personal jurisdiction
over its forum, and over foreign defendants, proposes effects
doctrine jurisdiction. It admits jurisdiction to the United
States if an extraterritorial behaviour or crime affects or
harms citizens within the United States.5
2.1. Territorial jurisdiction
Generally, all states have competence in the assertion of
jurisdiction over their citizens and incidents occurring within
their national territory. Territorial jurisdiction is the most
common and uncontroversial basis for jurisdiction. Territorial
jurisdiction is also the most significant and applicable method
in international law. It is divided into two categories: “subjec-
tive territorial jurisdiction” and “objective territorial jurisdiction”.
Furthermore, states have been enforcing territorial limitation
jurisdiction by two methods. “Subjective territorial jurisdic-
tion” happens when an attack begins in state A, but is
completed in State B. State A would then have subjective ter-
ritorial jurisdictionandStateB, objective territorial jurisdiction.
However, if this doctrine were applied, a complication arises
which stems from the nature of the internet and the realities of
cyber terrorism. That is, “cyber terrorism operates without
borders” and cyber terrorism attacks target computer systems
and power grids. Furthermore, the most difficult scenario is in
determiningwhere the attack and the location of the computer
originated, as it is not clear where the crime occurred. As dis-
cussed, cyber terrorism happens in cyberspace, and cyber ter-
rorists utilise various tools, which they operate from remote
destinations, and from various computers in different loca-
tions. Theyuse fake IP addresses or anonymousones to conceal
3 V. Lowe, ‘Jurisdiction in International Law (Malcolm D. Evansed, 2nd edn, United Kingdom 2006) 335.
4 L. Grosswald, ‘Cyber Attack Attribution under Article 51 of theU.N. Charter’ (2011)36 Brooklyn Journal of International Law, 1151.
5 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13CTLR eOxford,245.
their real location and actual identity. In addition, they have
sufficient technological tools to pretend that the attack came
from elsewhere. They operate beyond the territory of any state
and often use computers in multiple states in order to launch
their attacks. Therefore, it is almost impossible to determine
where the information and international data exists or which
jurisdiction’s laws are applicable. On the other hand, even if
this is feasible, it costs a huge amount of money. Similarly, the
same scenario applies in cyber transactions. Another problem
is that the target of cyber-attacks is not always accurate and
may not be possible to identify.
Cyber terrorism is totally different from other types of
cybercrimes. Other cybercrimes may be subject to state con-
trol because they used assigned domain names and the con-
tent can be filtered. Some scholars, such as Professors
Goldsmith and Wu, invalidate the idea of the internet being
borderless and lacking of any territory. They describe it as a
“border characteristic” and believe that it is increasingly
conforming to national law and requirements. However, such
discussions cannot be applied to cyber terrorism; it operates
without borders, and no state can control cyber terrorism. The
concept of a bordered internet is not applicable in the cyber
terrorism context. Another issue is that as cyber terrorism
occurs in multiple states, the other states may have an in-
terest in asserting jurisdiction.6
The issue that hampers the prosecution of cyber terrorism
is the principle of state jurisdiction. Although the basis of state
jurisdiction in customary international law is territoriality,
and according to this principle when the crime is committed
in territory A, that state may exercise jurisdiction over an
offence, the entire offence does not require to have occurred
in that state. If the constituent elements take place within the
state’s territory, it is sufficient to exercise jurisdiction.
Consequently, according to the state principle, a state may
exercise jurisdiction even when the act commences in one
state and is consummated in another state.
The broad scope of this principle may seem proper to
combat cyber terrorism cases as two cases support this idea.
In R v. Waddan, an English resident set up a pornographic
website on a US-based server, published obscene material in
the UK, and the users could access and download such ma-
terial in the UK. The UK court allowed the prosecution of an
English resident. In another case, the ToebenCase, a “Holocaust
Denial” website was established on an Australian server by an
Australian resident. This website could be accessed in Ger-
many. Thus, the prosecution vested in Germany under the
German Anti-Nazi legislation.
On the basis of the broad effect of these cases, territorial
jurisdiction can be applied to a variety of offences in the same
way as it would apply for cyber terrorism. Since usually the
effect of a cyber-attack may be felt in many countries, then
according to the territorial principle, each of these states has a
right to prosecute.7 Territorial jurisdiction may seem to be
6 H.W.K. Kaspersen, Cybercrime and internet jurisdiction,Project on cybercrime, Economic Crime Division, DirectorateGeneral of Human Rights and Legal Affairs, 2009, p 9-10.,November 21-24, 2009.
7 A. Bianchi, ‘Enforcing international law norms againstterrorism’ (Hart publishing, 1stEdn, United Kingdom: 2004), 474-479.
10 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford, 251-254.11 R.Walton, ‘The Computer Misuse Act’ (2006), Information Se-curity Technical Report, p 40, http://sciencedirect.com (accessed19 Dec 2011).12 R.Walton, ‘The Computer Misuse Act’ (2006), Information Se-curity Technical Report, p 42, http://sciencedirect.com (accessed19 Dec 2011).13 K. Gable, ‘Cyber-Apocalypse Now: Securing the Internet
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 691
highly relevant to cyber terrorism, but the UN General As-
sembly and other international organisations consider it as a
threat to international security and “emerging universal
offences”.
Despite this, it seems that territorial jurisdiction is the best
method to respond to transnational crimes; but it may face
many problems. Firstly, in cyber terrorism cases, the intent of
the crime may originate from a directly or indirectly
government-supported terrorist group; therefore, it is doubt-
ful that that state would prosecute the offenders. Secondly,
the act may remain unpunished under the law of that state as
it is not forbidden according to its laws. However, due to the
grave damage which occurs with these kinds of crimes, the
state cannot leave the perpetrators without punishment
because, according to the definition of territorial jurisdiction,
“states can assert jurisdiction over behavior occurring within
their territorial border”. In cyber terrorism cases, the physical
location of the act is far from the effect of the act. Therefore,
the commission of the act is not the same as the effect of the
act.
2.1.1. England as a case study of territorial jurisdictionThe English conflict of laws rules adhere to the rule of terri-
toriality for the basis of adjudicative jurisdiction. “There are
now two quite different sets of rules as to jurisdiction of the
English courts. In many cases, jurisdiction is still governed by
whatmay be called the ‘traditional rules’, though in a growing
proportion of cases, they are replaced by the ‘Convention
rules”. 8
The traditional rules of jurisdiction in England permit the
courts to apply their jurisdiction whenever “(1) the defendant
is present within England and the writ is served upon him; (2)
he submits to the jurisdiction of the court; or (3) he is served,
at the discretion of the court, with thewrit, in accordancewith
the Rules of the Supreme Court outside England.” 9 Put simply,
the English courts would exercise jurisdiction over a defen-
dant if he/she were put on notice of his/her action against the
plaintiff. The mere physical presence of a person makes him/
her liable to the service of the writ. The regulations of the
Brussels Convention are binding on and applicable to the
United Kingdom, because the United Kingdom exercised an
“opt-in” option. The traditional rule of jurisdiction in the
United Kingdom is subject to substantial modification by the
EC Treaty by two of its provisions: Article 249, and the
amendment of the EC Treaty by the Amsterdam Treaty. Arti-
cles 65 and 293 of the EC Treaty were amended by the
Amsterdam Treaty and the amendment gives competence to
take measures under Article 249 of the Council of the Euro-
pean Union, while at the same time complying with Articles
61C and 67(1) of the EC Treaty. Also important is the EC
Council Regulation 44/2001 adopted on December 22, 2000 and
entered into force on March 1, 2002. The general rule of this
Regulation regarding jurisdiction is based on the domicile of
the defendant and states that “persons domiciled in aMember
State shall, whatever their nationality, be sued in the courts of
that Member State.” However, the domicile principle is not
8 D. McClean, The Conflict of Laws (4th Edn, Universal Pub-lishing Company, 2004) p 60.
9 Rules of the Supreme Court, Ord.11, r.1.
complete and admits of a number of exceptions which are
outside the scope of this research since it concerns civil and
tort jurisdiction.10
However, it appears that in most computer and network
cases, the United Kingdom implements the principle of
extraterritorial jurisdiction. Most countries implement the
principle of extraterritorial jurisdiction for cybercrime and
cyber terrorism cases in order to assist their own interests in
cross-national crimes. The Computer Misuse Act (CMA) ad-
dresses a new type of computer crime as it has the ability to
cover remote computer networks and the notion of legal
jurisdiction. The CMA has extraterritorial jurisdiction that
includes offences committed in one jurisdiction while the
result is caused elsewhere.11 Regarding the international na-
ture of cybercrime offences, whereby the act is executed in
one jurisdiction and has effect in a different jurisdiction, the
act appears to meet the criteria of the CMA if it has a signifi-
cant link to the United Kingdom in terms that: (a) the offender
is located in the United Kingdom, while the computer is
located outside the United Kingdom; (b) “The computer being
misused is located within the United Kingdom, regardless of
the location of the offender at the time.” 12 The unauthorised
access will be an offence if the computer which is being
accessed is outside the United Kingdom, and the act is illegal
in the country where the computer is located. Furthermore,
according to section 2, a United Kingdom link is not necessary
to be present in the unauthorised access.
As a result, it is submitted that territorial jurisdiction is not
a proper method to deter cyber terrorism. An effective deter-
rence is not gained without a sufficient prosecution and
prosecution relies on determining the identity and location of
cyber terrorists. Only then can a suitable form of jurisdiction
be asserted. Furthermore, “Applying territorial jurisdiction is
not effective and this dates back to the borderless nature of
the internet.” Thus, territorial jurisdiction cannot provide
entire deterrence due to the absence of these factors.13
However, according to the United Nations Security Council
Resolution 1373, states have the duty to prevent terrorist at-
tacks originating within their national boundaries and failing
to do this is shirking their duty. Put simply, the UN General
Assembly places state responsibility on states by the Resolu-
tion. This strategy acts as a deterrent to cyber terrorism.
States implement this principle according to two bases.
Some states have asserted jurisdiction based on a minor
contact with territorial jurisdiction.14 Other states have acts,
such as the US Foreign Corrupt Practices Act (FCPA) which
although based on territorial jurisdiction, is defined broadly to
Against Cyber Terrorism and Using Universal Jurisdiction as aDeterrent’ (2010) 43Vanderbilt Journal of Transnational Law.14 The IBA, Report of Task Force on Extraterritorial Jurisdiction(1stedn, United States: 2009), 11.
18 The IBA, Report of Task Force on Extraterritorial Jurisdiction
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1692
have a limited territorial nexus to the improper activity which
permits the US regulator to enforce the FCPA based on mini-
mal territorial contacts. Therefore, international companies
may seek protection within the United States without exten-
sive US operations based on having property there. According
to the criminal committee (International Criminal Court)
there has been a tendency by some states to broaden the
ambit of their criminal laws by extending the principle of
territoriality even when a small part of the conduct consti-
tuting the offence takes place in their state. Secondly is the
principle of the effects doctrine, which enables states to assert
jurisdiction over conduct outside their jurisdiction that is
committed by foreigners but has effect within the states.
Although, from the viewpoint of some scholars, the theory
that cyberspace is a phenomenon lacking territorial connec-
tion is invalid due to its conforming to national laws, such
analysis does not apply to cyber terrorism. This is because,
cyber terrorism, like cyberspace, transcends physical borders,
and therefore the proper legal regime is the legal regime
which is implicated beyond the location.15 Moreover, there is
no domestic or international law pertaining to cyber
terrorism, while no existing national and international laws
have been enacted to address cybercrime. In some situations,
cyberspace may be subject to state control by filtering of the
specific site, and assigning its domain name, but cyber
terrorism cannot be subject to state control, due to the nature
of cyber terrorism which operates without borders and the
progress of countries in this area not outpacing the prolifer-
ation of cyber threats.16
Cyber terrorism may attack entire computer systems via
various locations and determining the origin of such attacks
(the location that the crime is being committed from, occurs,
and affects) is exceedingly difficult to pinpoint. The attacks
are launched frommultiple states, using technological tools to
show the attack came from elsewhere. The identity and
location of the perpetrators is concealed by targeting several
computer systems in multiple states, thus making it difficult
to pinpoint their identity and location because determining
whether any of these “computers are actually involved or are
just decoys is much more complicated.” 17 These acts are
committed via spoofing the information and using anony-
mous IP addresses; similarly, hackers utilise numerous ways
to commit their crimes without leaving a trace. They may
commit the cyber terrorist attack completely anonymously,
beyond the territory of any legal jurisdiction, by encryption.
Thus it is difficult to determine which jurisdiction is to assert
jurisdiction. Therefore methods for determining any physical
location for cyber terrorism seem grossly inadequate. As the
primary goal of providing jurisdiction is deterrence, it defeats
the purpose if it takes a long time to identify the attackers and
their location.
15 P. Kanuk, ‘Information Warfare: New Challenges for PublicInternational Law’ (1996) 37Harvard International Law Journal, 272-288.16 J. B. Avlon, The Growth of Cyber Threat, 2009, http://www.forbes.com/2009/10/20/digital-warfare-cyber-security-opinions-contributors-john-p-avlon.html (accessed 13 Feb 2012).17 K. Gable, ‘Cyber-Apocalypse Now: Securing the InternetAgainst Cyber Terrorism and Using Universal Jurisdiction as aDeterrent’ (2010) 43Vanderbilt Journal of Transnational Law.
2.2. Extraterritorial jurisdiction
Historically, the exercise of jurisdiction by states is limited to
persons, property and actions within a state’s territory.
However, with the rise of international corporations and the
advent of the virtual world, states have been encouraged to
exercise jurisdiction beyond their territorial harbours. States
extend their jurisdiction beyond their territories by exercising
extraterritorial jurisdiction. However, extraterritorial juris-
diction suffers from a fundamental dilemma. On the one
hand, each territory has the right to enact regulations and
have their own regulations which cover behaviour occurring
within their domestic territories. On the other hand, the acts
of individuals and groups affect others beyond national ter-
ritories and state borders.18
In May and November 2000, a French court ordered the
United States to block access of French users from a US
website, because it offered online auctions of Nazi memo-
rabilia, which is prohibited under French criminal law.
Nevertheless, there was no such law in the United States and
thereby it was possible for French users to take part in the
online auction of Nazi memorabilia. The French court then
handed down a decision based on the findings of an inter-
national panel of experts. They recommended blocking
French nationals from the site by using screening technology
based on the internet protocol address of the users’ com-
puters. With such technology, they could block the French
nationals’ access by approximately 70 percent (however,
they could increase the access to almost 90 percent by
completing a nationality questionnaire by the internet ser-
vice provider). The French court thus attempted to regulate
US activities within the US on the basis that such activities
could be accessed by internet users in France. Finally, a
United States court held that the French court had no right to
make such an order affecting the operation of a US website.19
Thus, extraterritorial jurisdiction may often violate the na-
tional sovereignty of another state. This case, the Yahoo Case,
that caused conflict of jurisdiction between the United States
and France, is an example of a very wide extraterritorial ef-
fect.20 This is because the French court asserted jurisdiction
on the basis of the users targeted and the location of the
downloading. Similarly, the US courts have been willing to
extend their jurisdiction and laws outside US borders. In
some cases, the US has attempted to apply its laws to foreign
states with little regard for the governing laws of other
jurisdictions.21
The globalisation of the internet produces conceptual
challenges to territoriality. “Territorial regulation of the
internet is no less feasible and no less legitimate than
(United States: 2009), 13.19 A. Manolopoulos, ‘Raising “Cyber Borders”: The InteractionBetween Law and Technology’ (2003) 11 (1) International Journal ofLaw and Information Technology, 41-44.20 ValerieSedallian, Commentaire de l’affaire Yahoo (1), Revuedu Droit des technologies de l’information, 24/20/00, atparagraph20, http://www.juriscom.net (accessed 6 May 2012).21 Micheal. Geist, “Is There A There: Toward Greater Certainty forInternet Jurisdiction,” (2001) 16 Berkeley Technology Law Journal,1345-1406.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 693
territorial regulation of non-internet transactions.”22 The na-
tional courts are based upon each state’s domestic laws and
their legislative courts are limited to their country. The
absence of geographical borders in cyberspace makes the use
of territorial jurisdiction for sovereign jurisdiction problem-
atic. States do attempt to regulate the internet, but the
decentralised operation of the internetmakes it impossible for
states to control activity in cyberspace.23 However, some
states already regulate cyberspace to a certain extent; for
example China has suppressed dissidence online and pre-
vented users accessing content available in the United States.
As a result, due to the many territorial jurisdiction loop-
holes and the limited deterrence offered by these, territorial
jurisdiction, when compared with universal jurisdiction,
cannot provide sufficient methods to prosecute cyber
terrorism.
2.3. Personality/nationality jurisdiction
This refers to the ability of a state to assert jurisdiction over its
citizens, even when they reside outside its borders in some
cases. The personality or nationality principle includes active
and passive nationality. Active nationality focuses on the
nationality of the perpetrator. In doing so, the state has the
ability to assert jurisdiction over crimes committed by its
nationals abroad. Thus, a state can assert jurisdiction over a
crime which is not committed within its borders solely on the
basis of the perpetrator’s nationality. Passive nationality re-
fers to the victim’s nationality. This enables a state to assert
jurisdiction over a crime which happens outside its territory
but against one of its nationals.24
One of the main problems which may arise under the
territoriality principle is that it may either contravene the
statutes of the other country, or may cause other inadvertent
issues. As in the Yahoo Case, the French court ordered Yahoo to
implement technological measures to prevent access from
French territory.25 The French court should have considered
the possibility of applying jurisdiction under the territorial
doctrine in public international law. The US court, after hav-
ing considered the French order, held that “the First Amend-
ment precludes enforcement within the United States of a
French order intended to regulate the content of its speech
over the internet.”26 Moreover, it condemned the fact that “by
imposing restrictions on the US-based Yahoo.com, the French
court tried to regulate the activities of a US corporation within
the US on the basis that such activities can be accessed by
internet users in France.”27
22 Jack. L. Goldsmith ‘The Internet and the Abiding Significanceof Territorial Sovereignty’ (1998) 5 International Journal of GlobalLegal Studies,475.23 Jack. I. Zekos, ‘Globalization and States’ Cyber-Territory’ (2011)5 Web Journal of Current Legal Issues, http://webjcli.ncl.ac.uk/2011/issues5/zekos5.html (accessed 14 May 2012).24 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 14.25 UEJF et LICRA v Yahoo Inc et Yahoo France.26 Yahoo, Inc v. La Ligue Contre Le Racism et L’Antisemitisme,169 (2001), p 22.27 Yahoo, Inc v. La Ligue Contre Le Racism et L’Antisemitisme,169 (2001), p 43.
Among all countries, the United States is the most impor-
tant example of having court decisions that adopt personal
jurisdiction. The Fourteenth Amendment of the United States
Constitution lays down the principles of personal jurisdiction.
US courts have applied the principle of the International Shoe
Case in cases involving internet crime.28 A person must have
some relationship with a US state in order to be sued in that
state. According to this principle, a United States court may
exercise jurisdiction over a person for any dispute, if the
person has substantial, systematic and continuous contact
with the forum state and even if the conduct is unconnected
to the forum state. In the case of Helicopteros Nacionales de
Colombia v. Hall, the court held that due to the insufficient
contacts which did not constitute continuous and systematic
activity, the court could not assert general jurisdiction.29 In
other words, a person or corporation can be sued in its state of
residence or citizenship, regardless of the place the offence
commenced to occur. Furthermore, the court can assert
jurisdiction according to the principle of the effects doctrine
which proclaims that a US state can assert jurisdiction over
activities taking place outside the US and which cause an ef-
fect within the forum state. The federal and state courts in the
US utilise “long-arm” statutes and establish constitutional
norms to administer the conduct of non-citizens of states. The
US Federal Court has long-arm statutes providing three basic
grants of jurisdiction: firstly, it authorises federal courts to
“borrow” the long-arm statute of the state inwhich the federal
court is located.30 Secondly, federal rule authorises federal
courts to exercise grants of personal jurisdiction contained in
federal statutes.31 Thirdly, federal rule grants long-arm juris-
diction in an international context, within the limits of the
Constitution, over parties to cases arising under federal law
who are not subject to the jurisdiction of any particular
state.32
When the defendant is not domiciled in a state in order to
be subject to personal jurisdiction, the defendant must be
qualified under the state long-arm statute and simultaneously
the state jurisdiction must be valid under the Due Process
Clause of the Fourteenth Amendment. Consequently, such a
person must have sufficient “minimum contact” with the
state, thus the initiation of a suit does not go against “tradi-
tional notions of fair play and substantial justice.”33 The court
must decidewhat contacts are sufficient regarding “notions of
fair play and substantial justice” to use its power. As soon as
the threshold of “minimum contact” is crossed, the US court
can assert its jurisdiction.34 The minimum contact can be
discovered by many methods, e.g. through the internet,
business transactions, effects of cyber activities, and targets of
28 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford, 250.29 Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 US408(1984).30 Federal Rule of Civil Procedure, 4(k)(1)(A).31 Federal Rule of Civil Procedure, (Rule 4(k)).32 Federal Rule of Civil Procedure, 4(k)(2).33 T.D. Leitstein ‘565 A Solution for Personal Jurisdiction on TheInternet’ (1999) Louisiana Law Review, http://cyber.law.harvard.edu/property00/jurisdiction/Leitstein.html (accessed 27 Jun 2012).34 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford,250.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1694
cyber activities.35 Following the minimum contact test, the
court will consider the measure of reasonableness in order to
exercise jurisdiction. A court must consider the following ac-
tions to determine reasonableness:
(1) weigh up the burden on the defendant to litigate in the
forum state (USA),
(2) consider the interest of the forum state (USA) in the
matter,
(3) ascertain the interest of the plaintiff in obtaining relief,
(4) scrutinize the efficiency of the forum state (USA) in
dispute settlement, and
(5) look over the interests of several states (USA) in
furthering certain fundamental social policies.36
The claim of personal jurisdiction by US courts is against
the assumption of jurisdiction applied to web pages which are
accessed internationally. However, this is balanced by cate-
gorising all internet activities into three types: (1) active
websites; (2) websites permitting exchange of information
with the host computer; and (3) passive websites.
The US courts exercise jurisdiction only over active web-
sites. They do not exercise jurisdiction over the supply of in-
formation through passive websites. For the second category,
the jurisdiction is determined by examining the level of
interactivity of the exchange of information that occurs on the
website. In order for the courts to properly exercise jurisdic-
tion they must pass the “minimum contact test” and the
“reasonableness prong”. The court must be inclined to find all
contacts in all circumstances for the test of jurisdiction. This
category needs more refinement to include the substantial
requirement of personal jurisdiction as described in the Zip-
poCase. According to the ZippoCase, deliberate action is
needed, either in the form of transactions between the resi-
dent of the forum state and the defendant, or the defendant’s
conductmust purposely target the resident of the forum state.
Therefore, the United States does not apply single jurisdiction
for all cases. According to Bensusan v. King, a mere advertise-
ment on a website does not confer specific jurisdiction since
the defendant “did not contract to sell any goods or services to
any citizens of the forum state over the internet site.” There
aremany cases that have showed that although theminimum
contact and reasonableness and categorisation of website
tests based on the degree of activity are the requirements of
asserting jurisdiction, these criteria have not always been
adhered to.37
As soon as the US court is satisfied aboutminimumcontact
and reasonableness, it can exercise jurisdiction over the
35 M. O. Rahman, ‘Towards Understanding Personal Jurisdictionin Cyberspace’ (2008) 50 International Journal of Law and Manage-ment, 110.36 M. O. Rahman, ‘Towards Understanding Personal Jurisdictionin Cyberspace’ (2008) 50 International Journal of Law and Manage-ment, 109.37 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford,251.
defendant in another state or country whose performance has
a substantial effect on the US and has established sufficient
contacts with the state, in order to satisfy due process. Even if
the defendant is from another country, he/she may be hauled
into a US court. According to the US Foreign Relations Act,
exercising jurisdiction is reasonable in the following cases:
(1) if the party is a citizen, resident, or domiciliary of the
state;
(2) if the person, whether natural or personal, has con-
sented to the exercise of jurisdiction;
(3) if the person, whether natural or juridical, regularly
carries on business in the state;
(4) if the person, whether natural or juridical, had carried
on activity in the state, but only in respect of such activity;
(5) if the person, whether natural or juridical, had carried
on outside the state an activity having a substantial, direct,
and foreseeable effect within the state, but only in respect
of such activity; or
(6) if the thing that is the subject of adjudication is owned,
possessed, or used in the state, but only in respect of a
claim reasonably connected with that thing.38
The US Supreme Court exercises personal jurisdiction over
issues of cyberspace. The decisions of the US courts have
shown that they may apply personal jurisdiction even over a
non-resident defendant whose sole contact with the US arose
through the internet. There have been various cases on
different aspects of cyberspace that have indicated and
concentrated on personal jurisdiction. However, a number of
rules have limitations, which leaves much at the judges’
discretion.
In addition, the United States also applies extraterritorial
jurisdiction to computer-related crime in overseas cases. It
condemns various crimes involving credit cards, PIN numbers
and other access devices, applicable overseas if the card or
device is issued by or controlled by an American bank or other
entity and some article is held in or transported to or through
the United States during the course of the offence.39 Addi-
tionally, the United States recognises extraterritorial juris-
diction in circumstances where the access device is both
issued by a US entity andwhich has a physical presence in the
US.
2.4. Universal jurisdiction
Universal jurisdiction is applied to crimes that are more
serious.40 Universal jurisdiction, compared to territorial
jurisdiction, offers a more effective and efficient deterrent. It
38 Section 421 of the Restatement (Third) of the Foreign RelationsLaw of the USA.39 18 U.S.C. section 377.40 S.Macedo, ‘Universal Jurisdiction: National Court and Prose-cution of Serious Crime under International Laws’, University ofPennsylvania Press, 2006, p 4.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 695
“confers on any nation the authority to prosecute alleged in-
ternational criminals, even when the prosecuting nation has
no direct connectionwhat so ever with the offense.” Universal
jurisdiction was created based on international law, which
permits all states to apply their laws to an act “even if it ...
occurred outside its territory, even if it has been perpetrated
by a non-national, and even if its nationals have not been
harmed by it.....” 41 It creates a new realm, forcing humankind
to extend the traditional and existing rules to it.42 However,
when exercising the principle of universal jurisdiction, due to
the competencies existing in it, only a limited number of of-
fences are subject to its application.43 Moreover, asserting
jurisdiction under universal jurisdiction requires two factors:
the crime must be serious enough to be hazardous to the in-
ternational community, and the country which asserts juris-
diction must have the defendant in its custody.44 Generally,
the other forms of jurisdiction require some kind of link
among elements of the crime, but the application of universal
jurisdiction does not require any such link. The crimes come
under international law in two ways: firstly, the heinous na-
ture and scale of the offence, which encompass grave
breaches of humanitarian law; or secondly, because of the
inadequacy of legislation by the nations involved, these
crimes are committed in territories that are not subject to the
authority of any states. National courts have upheld universal
jurisdiction on the basis of their municipal criminal statutes.
These statutes are incorporated into the national law by the
Geneva Convention’s member states. Universal jurisdiction
may be created by treaty regimes, or as a matter of customary
international law.45 Treaty regimes are binding on the states
that are parties to them. However, in certain circumstances,
they serve as evidence of customary international law.46 As
classically conceived, the exercise of universal jurisdiction
can be carried out by the international community as well as
by states.47
2.4.1. Opiniojuris and state practiceUniversal jurisdiction is applied based on two criteria: the
treaty regime and customary international law. Universal
jurisdiction is prescribed for cyber terrorism as a matter of
customary international law, and is based on the elements of
customary international law. The elements of customary in-
ternational law that are included are opinio juris and state
practice regarding terrorism. Terrorism has been considered
in a number of treaties (state practice), and as mentioned
41 Roslyn. Higgins, Problems and Process: International Law and HowWe Use It (United Kingdom: 1995), 57.42 Roslyn. Higgins, Problems and Process: International Law and HowWe Use It (United Kingdom: 1995), 57.43 IliasBantekas and Susan Nash, International Criminal Law (2nd
edition, Cavendish Publishing, 2003, United States), 156.44 Kenneth C. Randall, ’Universal Jurisdiction under Interna-tional Law,’Texas Law Review (1998) 66, 785.45 Leila Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction,’(2001) 35 NewEngland Law Review, 245.46 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 11.47 Leila Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction,’ (2001) 35 NewEngland Law Review, 245.
above, numerous treaties have recognised various types of
terrorism. Although they do not mention cyber terrorism per
se, it is accepted that cyber terrorism is generally a form of
terrorism, As well as this, terrorism is considered a heinous
crime against humanity (opinio juris).48 Thus, these two ele-
ments of customary law eopinio juris and state practice - are
suitable for application against terrorism and subject
terrorism to universal jurisdiction. The international com-
munity condemns all aspects of terrorism because of their
heinous nature, which is also a characteristic of the nature of
cyber terrorism acts.
2.4.2. State responsibilityResolutions 1368 and 1373, adopted by the UN Security
Council following 11 September 2001, mandated states to take
affirmative steps as a duty under international law to stop
terrorist acts and to cooperate in shouldering this burden.
Therefore, countries must attempt to prevent terrorist acts. In
other words, state responsibility obliges states to arrest,
prosecute or extradite anyone accused of being associated
with a cyber terrorism act. According to state jurisdiction,
states must prevent and respond to cyber terrorism acts.
Resolution 1373 creates binding international law by con-
taining the word “decide[d]” which obligates all United Na-
tions member states to implement the Security Council
decision. According to Resolution 1373, all states have a duty
to prevent terrorist acts, a duty to prevent territories from
harbouring anyone associated with terrorist acts and from
being used for committing terrorist acts. States must also
adopt proper domestic law to criminalise and punish terrorist
acts. In addition, they have to aid in investigation and criminal
proceedings as well as obtaining evidence in their jurisdiction.
The strong and broad language of Resolution 1373 indicates
the state’s duty regarding cyber terrorism acts. Although
Resolution 1373 does not specifically address cyber terrorism,
cyber terrorism acts being a type of terrorist activity should be
covered under the Resolution as well. As soon as an attack is
identified as a cyber-attack, the duty to respond requires
states to provide evidence and to cooperate with criminal in-
vestigations and to bring the alleged cyber terrorism perpe-
trators to justice by either prosecuting or extraditing them.
Due to the fact that tracing the cyber-attack is difficult,
particularly in situations such as the use of IP packets, spoofed
mid-routes, or ‘botnet’ attacks, identifying the actual at-
tackers to make them accountable to state responsibility is
not an easy job. Tracking is also made difficult because the
attackers use myriad strategies in carrying out their attack.49
Put simply, identifying the nature of the party involved, be it
a government, a terrorist group, or individuals, is a critical
element in determining the appropriate response and juris-
diction. There are also many other elements in attributing the
attack to a certain nation’s jurisdiction.
48 John H. Jackson, ’ Sovereignty Modern: A New Approach to anOutdated Concept’ (2003) 97 The American Journal of InternationalLaw, 795-800.49 Scott. J. Shackelford & Richard. B. Andres, ’State Responsibilityfor Cyber Attacks: Competing Standards for a Growing Problem’(2011) 42 Georgetown Journal of International Law, 971.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1696
Treaty law provides a legitimate basis for exercising uni-
versal jurisdiction over cyber terrorism. Numerous treaties
have been effected on terrorism and as cyber terrorism is a
part of traditional terrorism which launches its attack via the
internet, such treaties may cover cyber terrorism as well.
Good examples of this are the Convention to Prevent and
Punish Acts of Terrorism Taking the Form of Crimes against
Persons and Related Extortion, and the International
Convention for the Suppression of Terrorist Bombings.
Multilateral treaties may conform to customary international
law if a large proportion of non-member states follow the
provisions of treaties without any legal obligation.50
As discussed earlier, in certain circumstances, treaties
serve as evidence of customary international law.51 In the past
few decades, customary international law sources have been
redefined. International treaties generate international legal
norms. They create new customary legal norms, especially
those encompassing human rights. The International Crim-
inal Court for example, has transformed its international
treaties that obliged state signatories to employ customary
international law. The ICC now offers the case that a treaty
being signed by a group of countries becomes the new
customary legal norm.52
As the Convention on Cybercrime is the only existing in-
ternational treaty in the fight against cross-border crime and a
large number of countries have ratified it as well as recognised
the standard jurisdiction approach of the Convention to enact
their federal and state legislation’s jurisdiction over criminal
offences committed in cyberspace, it is vital to consider juris-
diction under this Convention.53 Article 22 of the Convention
on Cybercrime deals with jurisdictional issues over offences
enumerated in Articles 2-11 of the Convention. It stipulates:
1. Each Party shall adopt such legislative and other mea-
sures as may be necessary to establish jurisdiction over
any offence established in accordance with Articles 2
through 11 of this Convention, when the offence is
committed:
a in its territory; or
b on board a ship flying the flag of that Party; or
c on board an aircraft registered under the laws of that
Party; or
d by one of its nationals, if the offence is punishable under
criminal law where it was committed or if the offence is
committed outside the territorial jurisdiction of any State.
50 RoozbehB.Bakher, ’Customary International Law in the 21st
Century: Old Challenges and New Debates’ (2010) 21 EuropeanJournal of International Law, 173.51 The IBA, Report of Task Force on Extraterritorial Jurisdiction, 17.52 Roozbeh. B. Bakher, ’Customary International Law in the 21st
Century: Old Challenges and New Debates, 21 European’ (2010)Journal of International Law, 173.53 C. V. Sanmartin, ‘Internet Jurisdiction and Applicable Law InLatin America. Towards The Need for Regional Harmonization inthe Field of Cybercrime’, The Octopus Interface 2009 Conference onCooperation Against Cybercrime, Strasbourg, 2009, p 89.
2. Each Party may reserve the right not to apply or to apply
only in specific cases or conditions the jurisdiction rules
laid down in paragraphs 1.b through 1.d of this article or
any part thereof.
3. Each Party shall adopt such measures as may be neces-
sary to establish jurisdiction over the offences referred to
in Article 24, paragraph 1, of this Convention, in cases
where an alleged offender is present in its territory and it
does not extradite him or her to another Party, solely on the
basis of his or her nationality, after a request for
extradition.
4. This Convention does not exclude any criminal juris-
diction exercised by a Party in accordance with its do-
mestic law.
5. When more than one Party claims jurisdiction over an
alleged offence established in accordance with this
Convention, the Parties involved shall, where appropriate,
consult with a view to determining the most appropriate
jurisdiction for prosecution.54
Article 22 of the Convention on Cybercrime establishes
extraterritorial jurisdiction over information technology of-
fences in three aspects:
(i) the place where the offense was committed; (ii) which
laws should accordingly apply in case of multiple juris-
dictions; and (iii) how to solve positive and how to avoid
negative jurisdiction conflicts.55
Although many treaties exist, none of them provide a
binding regulatory jurisdiction. Most of themdeal with limited
areas and apply at regional level. The most prominent treaty
in the field of cybercrime does not encompass cyber terrorism.
Thus, since it does not offer personal and territorial jurisdic-
tion covering cyber terrorism, the best thing to do would be to
add a protocol specifically relating to cyber terrorism.
2.4.3. The heinousness of cyber terrorism and the analogy ofuniversal crimeCrimes against humanity, such as genocide and piracy, are
resolved by exercising universal jurisdiction. In a similar way,
cyber terrorism as a new type of traditional terrorism should
be subject to universal jurisdiction, because of the heinous
nature of such crimes. Universal jurisdiction was applied to
pirates because they were considered enemies of all mankind.
According to the principle of universal jurisdiction, as soon as
pirates were caught, any state could prosecute them on behalf
of the international community.56 The heinousness of cyber
terrorism acts is also on par with genocide, crimes against
54 Convention on Cybercrime, Article 22.55 Henrico W. K. Asperse, ‘Jurisdiction in the CyberspaceConvention’ in Cybercrime and Jurisdiction. A Global Survey, (Ed.Bert-Jaap Koops & Susan Brenner), Chapter 2, Information Tech-nology & Law Series 11, 2006 T.M.C. Asser Press, The Hague.56 Leila. Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction’ (2001) 35NewEngland Law Review, 245.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 697
humanity which are subject to universal jurisdiction because
they are analogous to piracy in the heinous nature of the
crime and their matching the definition of piracy as a “crime
committed more or less indiscriminately against citizens of
different nations . on the high seas”. Another thing is that,
such crimes are committed by a state or rather, those in
control of a state; therefore, they are unlikely to go unpun-
ished by territorial states. Thus, international treaties have
increasingly mandated universal jurisdiction, even though
the autdedereautjudicare (‘extradite or prosecute’) principle has
only recently been included in customary international law.57
We can extend universal jurisdiction to cyber terrorism by
its analogy to piracy because both exhibit remarkably parallel
criteria. In fact, we can compare cyberspace in cyber terrorism
to the sea in piracy, both being beyond the control of states.
Also, both of these crimes are carried out by individuals or
clandestine groups without the consent of states and simul-
taneously threaten national infrastructure and global econ-
omy. It also likely that both crimes would be considered as
acts of war. Finally, both of them act to further their motives’
agenda.58
In order to prescribe universal jurisdiction, the injured
party must satisfy certain requirements under the basic
principle of universal jurisdiction. First, the crime must be so
harsh as to be prosecuted only under universal jurisdiction.
Second, it must not be constrained to a limited time and third,
it can be prosecuted inwhichever country that it happens in. It
seems that universal jurisdiction, among other prescribed
jurisdictions, is the most viable and effective method to deter
cyber terrorism.
The idea of universal availability of information on the
internet has resulted in the potential of universal effects and
this may lead to the assertion of universal jurisdiction over
internet offences. Such trans-boundary regulation would
make the job of information producers difficult because it may
force them to comply with the laws of most jurisdictions to
avoid the risk of being hauled before their various courts.
Although it has been previously mentioned that the terri-
torial principle of jurisdiction is applicable in the United
Kingdom, it should be said that it is a general jurisdiction.
According to sections 62 and 63 of the Terrorism Act 2000, and
section 17 of the Terrorism Act 2006, the United Kingdom has
asserted universal jurisdiction over the commission of all
types of terrorism. It is stated that: “anyone who commits any
types of terrorism offences anywhere in the world should be
dealt with under the relevant laws of the United Kingdom.” 59
Regarding the general jurisdiction of the United Kingdom, it
enjoys full jurisdiction over any crime committed on its ter-
ritory. All lists of offences in sections 62 and 63 of the
Terrorism Act 2000 and section 17 of the Terrorism Act 2006
will be considered to be committed onUK territory, evenwhen
they are committed elsewhere.
57 Leila. Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 245.58 Oona A. Hathaway, ‘The Law of Cyber- Attack’ (2012) 100California Law Review, 817.59 Shane. Sibbel, ‘Universal Jurisdiction and the Terrorism Act’(2007) 3Cambridge Student Law Review, 13.
However, the assertion of universal jurisdiction on these
acts on the basis of customary international law and inter-
national treaties is not plausible. The assertion of universal
jurisdiction in the UK goes beyond that which the UK is obli-
gated or permitted to claim. It is implausible to say that all or
most of the terrorism offences in the world may be charac-
terised as affecting the vital interests of the United Kingdom.
Even the combination of the nationality principle, passive
personality, and the protective principle on the basis of or-
thodoxy cannot establish a customary basis for the UK’s
assertion of universal jurisdiction.
Furthermore, the possible grounds for the assertion of
universal jurisdiction cannot be found in the jurisdiction
available to the UK following its ratification of the Interna-
tional Convention for the Suppression of Terrorist Bombing
and the International Convention for the Suppression of the
Financing of Terrorism. These conventions recognise state
parties’ jurisdiction on territorial, national and protective
grounds. The treaties provide a treaty-based jurisdiction
based on the rule of autdedereautjudicare which “states that
where an alleged offender is apprehended on the territory of
one of the treaty parties, that state must either extradite the
offender to another treaty-party with jurisdiction, or itself
begin prosecution.”60 However, the universal jurisdiction
asserted in sections 62 and 63 of the Terrorism Act 2000 and
section 17 of the Terrorism Act 2006 extends beyond autde-
dereautjudicare in two important ways. Firstly, the scope of the
UK’s jurisdiction is asserted over a wider jurisdiction, rather
than confined to those states that have ratified the conven-
tions. Secondly, when exercising the asserted jurisdiction in
sections 62 and 63, at the time of the assertion, the offender
does not have to be within the territory of the asserting state.
Thus, under sections 62 and 63, the UK authorities can issue
an arrest warrant for offenders anywhere in the world, be-
sides cooperating with other states to bring about the deten-
tion and extradition of these offenders to the UK to face trial.
2.4.4. The exercise of universal jurisdiction by theinternational community and statesThe International Criminal Court (ICC) is an international
tribunal that was established as a result of a multilateral
treaty devoted to international jurisdiction. Such interna-
tional tribunals are self-contained systems. However, the
constitutive instrument of an international tribunal limits its
jurisdictional power. The ICC, like other international tri-
bunals, enjoys an inherent jurisdiction.61 However, the ICC’s
jurisdiction is premised on the basis of complementary or-
gans, i.e. national courts in cases where states override its
authority or where it is unable to carry out investigation or
prosecution.62 A state automatically accepts that the ICC has
jurisdiction over four groups of crimes, i.e. the crime of
genocide, crimes against humanity, war crimes, and the crime
of aggression.
60 Shane. Sibbel, “Universal Jurisdiction and the Terrorism Act’(2007) 3 Cambridge Student Law Review, 18.61 Ilias Bantekas and Susan Nash, ‘International Criminal Law,(2nd edition, Cavendish Publishing, 2003, United States), 162-164.62 ICC statute, e.g. Article 17(1) (a), (b), 2(a).
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1698
2.4.4.1. The exercise of universal jurisdiction by the interna-tional community. International tribunals have been created
for exercising universal jurisdiction over international crimes.
The Rome Treaty was the first treaty that articulated all ju-
risdictions (jurisdiction to prescribe, adjudicate, and enforce)
in one instrument. Using universal jurisdiction to deal with
international crime dates back to the nineteenth century. The
anti-slave trading treaty and the Nuremberg tribunals are in-
stances of the efforts of the international community in
exercising universal jurisdiction over international crimes.
Generally, the theory of universal jurisdiction, which was
extended in the Rome Treaty, derives from the idea that the
criminal activity must reach a certain level of harm, or
threaten the interest of international society, for it to be
necessary for all states to apply their laws. The theory of
universal jurisdiction permits the international community in
prescribed jurisdictions to displace the national law with in-
ternational law. However, the statutes of the Rome Treaty do
not focus exactly on the issue of courts’ jurisdiction and leave
it up to the complementarity principle and the state consent
regime. The court exercises its jurisdiction only in cases
“involving the most serious crimes of concern to the inter-
national community as a whole.” 63
The jurisdiction to adjudicate subjects criminal defendants
to the process of the ICC. The ICC jurisdiction is divested in
three ways: firstly, the state’s consent excludes some cases
from the court’s judicial jurisdiction. Secondly, the comple-
mentarity principle removes certain cases because of pru-
dential concerns. Thirdly, the principle of ne bis in idem (‘not
twice in the same’) removes the case from the court if there is
the chance of legal action being instituted twice for the same
cause of action. The court is qualified to assert jurisdiction
only in cases that states and the Security Council lodge com-
plaints against.64
The jurisdiction of the ICC is not limited when the Security
Council refers a case to the court because there has been a
threat to world peace and security, even when the state is not
party to the court’s statutes. In addition, a case can be referred
by the prosecutor or state with the state’s consent. Thus, the
court receives the jurisdiction “by state parties so long as
either the territorial state or the state of accused’s nationality
is either a party to the statute or has accepted the jurisdiction
of the court.” 65 However, the case may be that the Security
Council receives the jurisdiction in times of crises that
threaten peace and security, and this may conflict with the
state’s jurisdiction, and in limited circumstances the state
may withhold its consent and prevent the ICC from exercising
its jurisdiction. In a complementary situation the court may
exercise jurisdiction when the state is unable or unwilling to
assert jurisdiction.66
63 Rome Statute of The International Criminal Court, Article 5(1).64 Rome Statute of The International Criminal Court, Article 17,20.65 L. Nadya Sadat, ‘Universal Jurisdiction: Myths, Realities, AndProspects: Redefining Universal Jurisdiction’ (2001) 35 New En-gland Law Review, 241.66 L. Nadya Sadat, ‘Universal Jurisdiction: Myths, Realities, AndProspects: Redefining Universal Jurisdiction’ (2001),35New EnglandLaw Review, 241.
Offences such as genocide and terrorism that are subject to
universal jurisdiction by a treaty are also subject to the
perpetrator violating the statutes of the treaty not only to the
jurisdiction of all member states of the treaty, but also to the
jurisdiction of the treaty organisation itself.67 Although the
universality principle allows states to exercise jurisdiction to
enforce their criminal laws through their courts in order to
punish universal crime, the ICC simultaneously has jurisdic-
tion, but the latter has primacy over national courts in
adjudicating.68
Jurisdiction to enforce is the weakest component of juris-
diction principles. However, the conflict of jurisdictions often
happens in executive jurisdiction and the limitations of in-
ternational law are clearer than the area of legislative and
judicial jurisdiction. The efficacy of the ICC in enforcing in-
ternational criminal law is undermined, since it has no police
force.
2.4.4.2. The exercise of universal jurisdiction by states. Statesasserting universal jurisdiction over criminals use
specifically-adapted internal enactments. Until recently, there
have been very few state prosecutions of the types of crimes
listed in the Rome Statute. A few examples are the French war
crimes trials of Barbie, Touvier and Papon, Israel’s quest of
Eichmann, Canada’s trial of Finta, and Spain’s search for
General Pinochet. In each of these cases, each state’s national
court, although applying national law, was also to some
extent applying international law, and in the process, chal-
lenging questions were raised on both the substantive law
itself and on the procedural system that accompanied it.
Although prosecutions in the three types of jurisdictions e
prescriptive, adjudicative and enforcement e share certain
similarities in national and international ambitswhen applied
to international crimes, there is one important difference, i.e.
that although national courts apply prescriptive norms that
apply internationally, their adjudicative powers and authority
to enforce them are limited to their own territorial spaces.69
It has been postulated that, having a theory of “absolute”
universal jurisdiction, i.e., universal jurisdiction not subject to
any limitations arising from practical concerns, is appropriate
in the current scenario of few states prosecuting non-
nationals for criminal acts. However, if states do enact legis-
lation to punish international criminals, and thus assert
jurisdiction over such perpetrators, there should be a case for
international law establishing rules to resolve otherwise
difficult conflicts of jurisdiction. This point affects both the
application of substantive law and its procedural regime, and
is discussed below.
The exercising of universal jurisdiction in cyber terrorism
cases by states, in the same way as they treat other interna-
tional crimes, is characterised by two factors. The first one is
67 S. Wilske& T. Schiller, ‘International Jurisdiction in Cyber-space: Which States May Regulate the Internet’ (1998) 50 FederalCommunication Law Journal, 123.68 S. Wilske& T. Schiller, ‘International Jurisdiction in Cyber-space: Which States May Regulate the Internet’ (1998) 50 FederalCommunication Law Journal, 170-171.69 M.C. Bassiouni, International Criminal Law: Multilateral andBilateral Enforcement Mechanisms, (3rdedn, 3, Martinus NijhoffPublishers, Netherlands, 2008) 207-209.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 699
the prescriptive norms which postulate that all states apply
international norms through their national laws. The problem
here is that this statement may be true only in theory, while it
could vary considerably in practice. It must not be forgotten
that the Rome Statute, by the insertion of Article 10 into the
text, called on states to “improve” international norms in the
ICC Treaty by encouraging the development of customary
international law beyond the treaty definitions of crimes lis-
ted in the Rome Statute. This means that the Statute en-
courages states to modify the definitions of the Rome Statute
through their own specific legislation. Thus, it is completely
reasonable to suppose that a state’s definition of its ambit
varies from state to state. In application, overlap between
national legislation and such legislation is not unexpected.
Therefore, the application of universal jurisdiction by the in-
ternational community causes fewer problems. 70
The second factor is regarding the procedural regimes of
substantive law. Even if substantive law norms are constant
from state to state, the procedural regimes to which they are
subjected may vary considerably. The procedural law, espe-
cially in criminal procedure, is almost exclusively local in
character. And this also applies to aspects of procedure which
are covered by international law: there is very little formal
congruence between national and international proceedings.
While there have been assertions that national prosecutions
must have certain specific rules, there has been almost no
integration of national and international legal criminal law
systems that prove those assertions correct. Thus, it is not
clear which law applies. For instance, whenever one of the
procedural laws is in issue, such as immunity granted by
municipal law to a potential criminal defendant, it is not clear
whether the forum state looks to its own law, the law of the
state granting the defendant immunity, the law of the state of
the defendant’s nationality, the law of the state upon whose
territory the crimes were committed (the territorial state), or
international law to resolve the problem. This is because
public international law has not established a conflict of laws
system in such a situation, and on the basis of the Lotus
paradigm, every state may apply its law as an independent
sovereign unless there is some rule prohibiting it from
doing so.71
In such an instance, it would be an inconsistency if the
forum state applies the law of the state granting immunity as
the benchmark for its own exercise of universal jurisdiction.
This is because of the uncertain nature of the immunity. For
example, if the criminal act is committed as part of an internal
conflict by the regime in power, the state granting the im-
munity will be the state of the defendant’s nationality as well
as the territorial state. Or, the immunity may have been
granted by the regime to itself just before it relinquishes
power, or it may be extorted with threats of violence from a
succeeding regime. Thus, if it is the law of the forum state
which applies to the question of whether such immunity is
70 G. Bottini, ‘Universal Jurisdiction after the Creation of TheInternational Criminal Court’ (2004) 36 International Law and Poli-tics, 557-560.71 M.C. Bassiouni, International Criminal Law: Multilateral andBilateral Enforcement Mechanisms (3rdedn, Martinus Nijhoff Pub-lishers, Netherlands, 2008) 207-209.
valid, the choice should be between the law of the forum and
international law.72
There is general consensus that substantive norms,
whether established by treaty or custom, are well-established
norms of customary international law, and are, in addition,
non-derogable and peremptory or jus cogens norms. This
consensus was confirmed at the Rome Diplomatic Conference
to establish the International Criminal Court, where most
states approved the codifying of these norms and then uni-
versally applying them in instances where the UN Security
Council referred a particular case to the ICC. Therefore, a state
investigating a non-citizen involved in these types of crimes
in an exercise of universal jurisdiction is applying interna-
tional law, albeit through the medium of its national law. It is
in doubt, however, if the state is also required in the absence
of specific treaty obligations, to apply international rules
related to the substantive norm, as there is very little evidence
that a state is required to do so.73
Finally, it can be said that the conundrum posited by the
application of international law by national legal systems has
existed for a long time. Although this problem has risen fairly
recently in the international arena, all legal systems deter-
mining cases in multiple and overlapping courts have
encountered this problem. To see theway forward, a brief look
at the United States Supreme Court’s complex doctrine gov-
erning the application of state law by federal courts may be
instructive.
In the case of Erie Railroad v. Tompkins74 the court was faced
with the question of which law governed the case, i.e. the
Federal law or the state law.
Through a series of complex judgements, the Supreme
Court stated that many factors governed the question of
whether state or federal law applied. Important factors would
be whether the application of state or federal law would be
“outcome determinative”, or whether the application of either
law was affected by the rights and obligations created under
the applicable state law. Basically, if the state law question
was “substantive”, then state law applied; if it was simply
“procedural”, then federal law applied.
Furthermore, it is noted that the United States Constitution
has achieved a balance between federal and state courts.
Thus, it is submitted that itmay be instructive to consider case
law in the multiple and conflicting applications of the law by
courts with concurrent jurisdiction elaborated in well-
developed legal systems such as the United States, as a
guide to establishing a doctrine that might ultimately be
beneficial to international law and in supporting thematuring
of international legal systems.
3. Conflict of jurisdictions
In actual fact, conflict of jurisdictions in cyberspacemay easily
occur. It may occur particularly because the effect of cyber
72 L.N. Sadat, ‘Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 247-248.73 L.N. Sadat, ‘Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 247-248.74 [1938] U.S. 64, p 304.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1700
terrorism often takes place in a country or countries other
than the country in which the attack originated.75 A new idea
arises here, that since the state has the state responsibility, in
order to determine which state has the proper jurisdiction to
be take action in the ambit of conflict of jurisdiction, territorial
jurisdiction is the most feasible jurisdiction to be prescribed.
Due to the cross-border nature of cybercrime, jurisdiction
conflicts may easily occur, because, the effect and start of
such crime frequently happens in more than one country.
Furthermore, as a specific and holistic jurisdiction and
method has not been determined for cyber terrorism in cy-
berspace, the conflict of jurisdictions is not a surprising issue.
In fact, universal jurisdiction is offered by international and
multi-lateral treaties. The relevant international treaties
encourage their member states to expand jurisdiction over
international offences. Then such jurisdiction is established
with respect to incorporation of municipal law regarding the
international offence. As is articulated in Article 5 of the 1984
United Nations Torture Convention, if the alleged offender is
located in a state that does not wish to initiate criminal pro-
ceedings, it is obliged to extradite the offender to the country
which has the closest connection to the offence. Such extra-
dition is based on a bilateral extradition treaty. The extradi-
tion process in universal jurisdiction must be based on the
legitimacy of the requesting country. In other words, con-
flicting extradition requests can be decided on the basis of
relevant connecting factors. Furthermore, they must not
conflict with other agreed rules of international law.76
The issue of jurisdiction conflicts is divided into two cate-
gories: negative conflicts and positive conflicts. The former
occurs in a situation in which no country claims jurisdiction
over a cybercrime. If an attack targets a nation via hacking
tools and denial of service, the attacked country is qualified to
assert jurisdiction on the basis of the location of the computer,
the effect of the crime, and the nationality of the perpetrator.
Or, if the cyber-attack occurs via a virus or a targeted content-
related offence occurs in one place but simultaneously,
numerous other places are involved in launching the attack.
Negative jurisdiction occurs if the perpetrator launches a
cyber-attack from one country which is a safe haven and he is
also a national of that country.
A good example of an international treaty here is the
Convention of Cybercrime which states in Article 5 that when
the target’s victims of an offence are located in several states,
several parties assert jurisdiction over the crime. The
Convention states that they must consult with each other to
determine the appropriate location for prosecution.77 Some of
the aspects of territorial jurisdiction seem appropriate to
settle the conflict that arises among jurisdictions.
Another conflict which must not be forgotten is the posi-
tive conflict that happens mostly in cyberspace cases, partic-
ularly cyber terrorism incidents, since the cross-border nature
75 S. W. Brenner et al, ‘Approaches To Cyber Crime’ (2004) IVJournal of High Technology Law, 40.76 IliasBantekas and Susan Nash, International Criminal Law(2ndedn, Cavendish Publishing, 2003, United States) 162-164.77 Armando A. Cottim, ‘Cybercrime, Cyberterrorism and Juris-diction: An Analysis of Article 22 of the COE Convention onCybercrime’.
of these lead to it involving a large number of nations. For
instance, the “Love Bug” virus or the “Blast Worm” qualified
many countries to claim jurisdiction on the basis that the ef-
fects were taking place on their territories. For e.g., when a
Polish citizen uses a computer in the Netherlands to hack a
Malaysian computer and the data is transferred via Singapore
and the United States, all these states will be able to claim
jurisdiction. Thus, in this situationmore than one country can
claim jurisdiction over a perpetrator based on the same gen-
eral course of conduct.78 However, some circumstances may
mitigate the ability of claiming jurisdiction, such as lesser
damage compared to that occurring in other involved coun-
tries, and the fact of data merely passing through the territory
of a country without causing damage.
Although there are some factors in prioritising a jurisdic-
tional claim to resolve and prevent jurisdictional conflict, such
as place of commission of the crime, custody of the perpe-
trator, the amount of harm, and the nationality (victim’s na-
tionality, perpetrator’s nationality), conflict still exists in the
cyber terrorism and cybercrime situation, since every indi-
vidual factor has its intrinsic problem.79
Sincemost cybercrime is conceptually analogous to similar
traditional offences in the real world, it seems that cybercrime
can be dealt with by amending the traditional penal law; there
is no need to adopt penal laws which specifically target
various kinds of cybercrime. However, given the physical
distinction between the conduct that constitutes a cybercrime
and the distinct methods necessary to constitute a break in
into a computer system, it seemsmore logical to enact specific
laws targeting cyber terrorism.
Therefore, due to the inadequacy of the traditional juris-
diction principles, three theories have been developed and
applied to cover jurisdiction disputes over the internet and
these include: the country where uploading occurs, the
country where downloading occurs and the country in which
its citizens are targeted through the website.
A reasonable way to address conflict between jurisdictions
is to create uniform rules which can be utilised at the inter-
national level to coordinate among states in the fight against
cyber terrorism. That is, by directing or urging states to either
coordinate their efforts or adopt modes of mutual recognition
in cases when more than one state has an interest, instead of
asking them to decide on their own to exercise jurisdiction.80
This seems the best way to avoid jurisdictional conflict. The
Convention on Cybercrime is the most important instrument
in the fight against cybercrime. Although it contains specific
rules about jurisdiction, it is based on the principle of terri-
toriality. Article 22 of the Convention states: “Each Party shall
adopt such legislative and other measures as may be neces-
sary to establish jurisdiction over any offence . when the
offence is committed in its territory.” As has been seen, this
principle is based on the traditional principle. According to
Convention principles, the place in which the criminal has
78 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 197.79 S. W. Brenner, ‘Cybercrime Jurisdiction’ (2006) 46 Crime LawSocial Change, 197- 204.80 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 11.
c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 701
committed a crime is important and this is similar to the
traditional principle.81
4. Conclusion
Currently, we are at the stage where each legal system re-
sponds to the conflict of jurisdictions in cyberspace with a
different method, which is shown by comparative studies
conducted by various scholars. Some scholars respond to this
problem by borrowing personal jurisdiction and extending it
to cyberspace as well, while others believe that such tradi-
tional rules of private international law are inadequate to
address cyberspace, which does not contain any geographic
indications. A global cyber deterrence cannot be obtained
without international cooperation among countries.82 Na-
tional legislation alone is not sufficient to deter and counter
cyber terrorism action.83 There should be international coor-
dination against cyber terrorism in order for it to be success-
ful. Therefore, it seems that the best feasible solution is
providing a treaty (or convention) to regulate particular
transactions to uniform international standards. This agree-
ment can impose compulsory jurisdiction on state parties
over cyber terrorism offences. This treaty can also offer a
special law of a nation to be exercised on certain transactions.
In a situation where no consensus will be reached, an inter-
national regulatory body can provide model law, and then the
state may use it as a guide to enact its own municipal
legislation.84
To address cybercrimes at the international level, the
Convention on Cybercrimewas adopted in 2001 by the Council
of Europe, a consultative assembly of 43 countries, based in
Strasbourg. The Convention, which came into effect in July
2004, is the only international treaty dealing with breaches of
law over the Internet and other information networks and
lists nine offences which member countries have agreed to
adopt into their national legislation. Themain objective of the
Convention as set out in its preamble is to pursue a common
policy to protect society against cybercrime via international
cooperation and national legislation.85 Although it does not
specifically mention cyber terrorism, it includes provisions on
cybercrime that relate to terrorist-related acts.
Although establishing a multilateral treaty having new,
harmonised, and unique jurisdiction has its limitations, the
Convention seems the most appropriate one. There are
difficulties involved in formulating new international
81 N. Foggetti, ‘Transnational Cyber Crime Differences BetweenNational Laws and Development of European Legislation’ (2008)(2) Masaryk University Journal of Law and Technology, 35.82 M. Dogrul and A. Aslan and E. Celik, Developing an InternationalCooperation on Cyber Defense and Deterrence against Cyber Terrorism,3rd International Conference on Cyber Conflict (Tallinn, Estonia,7-8 June 2011) http://ieeexplore.ieee.org/xpls/abs_all.jsp?amumber¼5954698&tag¼1 (accessed 9 April 2012).83 Dogrul (n 6).84 A. M. Sachdeva, ‘International Jurisdiction in Cyberspace: AComparative Perspective’ (2007).85 K. Geers ‘The Challenge of Cyber Attack Deterrence’, [2010] 26Computer Law and Security Review 300 http://sciencedirect.com.(accessed 16 May 2012).
treaties and persuading countries to subscribe to them, not
least being securing the requisite number of countries for
the laws to be effective. In this regard, the Convention on
Cybercrime is no exception. Furthermore, securing the
requisite number of signatures, ratification and imple-
mentation of this convention needs support and any addi-
tional courses of action undertaken in this context should
be carried out in such a way as to avoid hindering or
detracting from this process. The member parties to the
convention must improve their security by harmonising
legislation, coordinating and cooperating in law enforce-
ment, and in conducting direct and indirect anti-cyber
terrorism actions. Furthermore, due to the globally virtual
nature of cyberspace, the proposed response to this matter
is best addressed on a multilateral basis. For the time being,
however, although such an international treaty does pro-
vide some means of countering cyber terrorism, it has not
been able to address and prevent state-sponsored cyber
terrorism from China and South Korea. Once a state has
carried out a cyber-terrorist action, the victim’s response is
governed by international laws of conflict. However, a
multilateral treaty such as a cyber-crime convention still
cannot completely provide security from a state-sponsored
attack.
The best means for the prosecution of cyber terrorism
under universal jurisdiction is to create amultilateral criminal
law convention that will oblige member states to prosecute
and extradite offenders through the ‘autdedereautjudicare’
principle established through the treaty and applicable to
state parties to the convention. As a matter of fact, the
attacker must be identified prior to the application of any of
the varying kinds of jurisdiction - ranging from territorial
jurisdiction to universal jurisdiction e so as to provide effec-
tive deterrence.
Unlike cyber criminals that can operate across jurisdic-
tional boundaries, law enforcement officials’ jurisdictional
boundaries are limited. Law enforcement, investigation and
prosecution in the United States and other countries are
confined to territorial boundaries. Any attempt, for instance,
to prosecute a criminal fleeing the United States or targeting
US interest from outside her borders, will have to rely on the
laws of the other country or on any extradition treaty existing
between the two countries. If no extradition treaty or other
legal arrangements exist then investigation and prosecution
efforts will be handicapped.
Even if an extradition treaty exists, it can be complicated
for a number of reasons. For instance, an illegal action in one
country may be legal in another country, and may lead to
reluctance to work with another or to turn over a suspect for
prosecution. Another obstacle to investigations is the
disparity that exists between the cybercrime laws of different
nations.
Pardis Moslemzadeh Tehrani ([email protected].
edu.my) is Faculty of Law at the National University of Malaysia
(UKM), Bangi, Malaysia.
Nazura Abdul Manap ([email protected]) is Faculty of Law at the
National University of Malaysia (UKM), Bangi, Malaysia.