13
A rational jurisdiction for cyber terrorism Pardis Moslemzadeh Tehrani, Nazura Abdul Manap Faculty of Law, National University of Malaysia, Malaysia Keywords: Cyber terrorism Cyber crime Jurisdiction Universal jurisdiction Territorial jurisdiction abstract Cyberspace is a cross-national world that transcends geopolitical national borders. Juris- diction is the focal point for any dispute arising in the international arena, because it de- termines which state court has the authority to settle a dispute. The objective of this paper is to analyse territorial and universal jurisdiction principles which can be specifically related to cyberspace to determine which of them is best suited to providing the appro- priate jurisdiction in combating cyber terrorism and how conflicts arising between them can be settled. The transnational nature of cyber terrorism offences leads to jurisdictional complexity, thereby investigation and prosecution is difficult. Lack of harmonisation in legislating among countries leads to difficulty in investigation and prosecution of cyber terrorism offences. This paper notes that universal jurisdiction is the most feasible and effective method to deter cyber terrorism. ª 2013 Pardis Moslemzadeh Tehrani, Nazura Abdul Manap. Published by Elsevier Ltd. All rights reserved. 1. Introduction The progress and development in computer technology have provided new opportunities for those who are willing to involve themselves in illegal activity and this has thereby created some new varieties of criminal activity that pose legal challenges for legal systems as well as for law enforcement. 1 Due to the fact that cyber terrorist attacks are conducted in multiple states, the procedure of prosecution is difficult; therefore, the attacked country will invoke international law to seek justice for damage caused. Although countries implement technical measures, legal measures must also be taken in order to prevent and deter the rapid growth of cyber terrorism. Nations must come up with self-regulatory legal mechanisms to combat against the misuse of new technologies; however, such mechanisms need to be sup- ported by international agreements and appropriate national legislation. 2 The main issue regarding jurisdiction in the international space of the internet is the dichotomy which exists among three components of jurisdiction in cyberspace. Although many steps have been taken to combat cyber terrorism, from legal to technical steps, these attempts have not been sufficient to prevent cyber terrorism. It appears that greater international cooperation is needed. For the time being, as cyber terrorism cannot be prevented, effective prosecution is a logical method to deter cyber terrorists. In- ternational law prescribes several types of jurisdictions: na- tionality jurisdiction (active personality, passive personality), territorial jurisdiction (objective, subjective), universal juris- diction and protective jurisdiction. Of these, territorial juris- diction and universal jurisdiction are more attuned to deter cyber terrorism. However, universal jurisdiction is the more suited to deter cyber terrorism due to the nature of the internet and the initial reality of cyber terrorism. This is because it ignores national borders. 1 Susan. W. Brenner, ’Cyber Crime Investigation and Prosecution: The Role of Penal and Procedural Law,’(2001) 8 Murdoch University Electronic Journal Law, 1. 2 L. Bantekas, International Criminal Law (3rd Edn, Routledge-Cavendish Publication, United Kingdom, 2007) 265. Available online at www.sciencedirect.com www.compseconline.com/publications/prodclaw.htm computer law & security review 29 (2013) 689 e701 0267-3649/$ e see front matter ª 2013 Pardis Moslemzadeh Tehrani, Nazura Abdul Manap. Published by Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.clsr.2013.07.009

A rational jurisdiction for cyber terrorism

  • Upload
    nazura

  • View
    225

  • Download
    0

Embed Size (px)

Citation preview

Page 1: A rational jurisdiction for cyber terrorism

ww.sciencedirect.com

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1

Available online at w

www.compseconl ine.com/publ icat ions/prodclaw.htm

A rational jurisdiction for cyber terrorism

Pardis Moslemzadeh Tehrani, Nazura Abdul Manap

Faculty of Law, National University of Malaysia, Malaysia

Keywords:

Cyber terrorism

Cyber crime

Jurisdiction

Universal jurisdiction

Territorial jurisdiction

1 Susan. W. Brenner, ’Cyber Crime InvestiElectronic Journal Law, 1.

2 L. Bantekas, International Criminal Law0267-3649/$ e see front matter ª 2013 Pardishttp://dx.doi.org/10.1016/j.clsr.2013.07.009

a b s t r a c t

Cyberspace is a cross-national world that transcends geopolitical national borders. Juris-

diction is the focal point for any dispute arising in the international arena, because it de-

termines which state court has the authority to settle a dispute. The objective of this paper

is to analyse territorial and universal jurisdiction principles which can be specifically

related to cyberspace to determine which of them is best suited to providing the appro-

priate jurisdiction in combating cyber terrorism and how conflicts arising between them

can be settled. The transnational nature of cyber terrorism offences leads to jurisdictional

complexity, thereby investigation and prosecution is difficult. Lack of harmonisation in

legislating among countries leads to difficulty in investigation and prosecution of cyber

terrorism offences. This paper notes that universal jurisdiction is the most feasible and

effective method to deter cyber terrorism.

ª 2013 Pardis Moslemzadeh Tehrani, Nazura Abdul Manap. Published by Elsevier Ltd. All

rights reserved.

1. Introduction The main issue regarding jurisdiction in the international

The progress and development in computer technology have

provided new opportunities for those who are willing to

involve themselves in illegal activity and this has thereby

created some new varieties of criminal activity that pose legal

challenges for legal systems as well as for law enforcement.1

Due to the fact that cyber terrorist attacks are conducted in

multiple states, the procedure of prosecution is difficult;

therefore, the attacked country will invoke international law

to seek justice for damage caused. Although countries

implement technical measures, legal measures must also be

taken in order to prevent and deter the rapid growth of

cyber terrorism. Nations must come up with self-regulatory

legal mechanisms to combat against the misuse of new

technologies; however, such mechanisms need to be sup-

ported by international agreements and appropriate national

legislation.2

gation and Prosecution: T

(3rd Edn, Routledge-CavenMoslemzadeh Tehrani, N

space of the internet is the dichotomy which exists among

three components of jurisdiction in cyberspace.

Although many steps have been taken to combat cyber

terrorism, from legal to technical steps, these attempts have

not been sufficient to prevent cyber terrorism. It appears that

greater international cooperation is needed. For the time

being, as cyber terrorism cannot be prevented, effective

prosecution is a logical method to deter cyber terrorists. In-

ternational law prescribes several types of jurisdictions: na-

tionality jurisdiction (active personality, passive personality),

territorial jurisdiction (objective, subjective), universal juris-

diction and protective jurisdiction. Of these, territorial juris-

diction and universal jurisdiction are more attuned to deter

cyber terrorism. However, universal jurisdiction is the more

suited to deter cyber terrorism due to the nature of the

internet and the initial reality of cyber terrorism. This is

because it ignores national borders.

he Role of Penal and Procedural Law,’(2001) 8 Murdoch University

dish Publication, United Kingdom, 2007) 265.azura Abdul Manap. Published by Elsevier Ltd. All rights reserved.

Page 2: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1690

2. Jurisdiction

International law defines “jurisdiction” as: “jurisdiction de-

scribes the limits of the legal competence of a State. tomake,

apply, and enforce rules of conduct upon persons. It concerns

essentially the extent of each state’s right to regulate conduct

or the consequences of events.” 3 Jurisdiction refers to the

sovereign authority within its terrain to propose legislative,

executive, and judicial principles. However, one of the main

problems of the jurisdiction attribute is the lack of information

and absolute certainty. The nature of the internet gives the

ability to the user to disguise its identity, leading to inherent

difficulties in determining the states that fail to prevent an

attack from being originated within their borders. Therefore,

states must cooperate with each other to share information in

order to attribute attackers.4 In the United Kingdom, the

principle of traditional rules applies for its jurisdiction.

Although there have been several efforts by various

scholars around the world, we have yet to attain a uniform

response to address the issue of jurisdiction in cyber

terrorism. Different legal systems have responded in different

ways based upon their own ideas of justice and interest. For

instance, the United States has exercised personal jurisdiction

over its forum, and over foreign defendants, proposes effects

doctrine jurisdiction. It admits jurisdiction to the United

States if an extraterritorial behaviour or crime affects or

harms citizens within the United States.5

2.1. Territorial jurisdiction

Generally, all states have competence in the assertion of

jurisdiction over their citizens and incidents occurring within

their national territory. Territorial jurisdiction is the most

common and uncontroversial basis for jurisdiction. Territorial

jurisdiction is also the most significant and applicable method

in international law. It is divided into two categories: “subjec-

tive territorial jurisdiction” and “objective territorial jurisdiction”.

Furthermore, states have been enforcing territorial limitation

jurisdiction by two methods. “Subjective territorial jurisdic-

tion” happens when an attack begins in state A, but is

completed in State B. State A would then have subjective ter-

ritorial jurisdictionandStateB, objective territorial jurisdiction.

However, if this doctrine were applied, a complication arises

which stems from the nature of the internet and the realities of

cyber terrorism. That is, “cyber terrorism operates without

borders” and cyber terrorism attacks target computer systems

and power grids. Furthermore, the most difficult scenario is in

determiningwhere the attack and the location of the computer

originated, as it is not clear where the crime occurred. As dis-

cussed, cyber terrorism happens in cyberspace, and cyber ter-

rorists utilise various tools, which they operate from remote

destinations, and from various computers in different loca-

tions. Theyuse fake IP addresses or anonymousones to conceal

3 V. Lowe, ‘Jurisdiction in International Law (Malcolm D. Evansed, 2nd edn, United Kingdom 2006) 335.

4 L. Grosswald, ‘Cyber Attack Attribution under Article 51 of theU.N. Charter’ (2011)36 Brooklyn Journal of International Law, 1151.

5 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13CTLR eOxford,245.

their real location and actual identity. In addition, they have

sufficient technological tools to pretend that the attack came

from elsewhere. They operate beyond the territory of any state

and often use computers in multiple states in order to launch

their attacks. Therefore, it is almost impossible to determine

where the information and international data exists or which

jurisdiction’s laws are applicable. On the other hand, even if

this is feasible, it costs a huge amount of money. Similarly, the

same scenario applies in cyber transactions. Another problem

is that the target of cyber-attacks is not always accurate and

may not be possible to identify.

Cyber terrorism is totally different from other types of

cybercrimes. Other cybercrimes may be subject to state con-

trol because they used assigned domain names and the con-

tent can be filtered. Some scholars, such as Professors

Goldsmith and Wu, invalidate the idea of the internet being

borderless and lacking of any territory. They describe it as a

“border characteristic” and believe that it is increasingly

conforming to national law and requirements. However, such

discussions cannot be applied to cyber terrorism; it operates

without borders, and no state can control cyber terrorism. The

concept of a bordered internet is not applicable in the cyber

terrorism context. Another issue is that as cyber terrorism

occurs in multiple states, the other states may have an in-

terest in asserting jurisdiction.6

The issue that hampers the prosecution of cyber terrorism

is the principle of state jurisdiction. Although the basis of state

jurisdiction in customary international law is territoriality,

and according to this principle when the crime is committed

in territory A, that state may exercise jurisdiction over an

offence, the entire offence does not require to have occurred

in that state. If the constituent elements take place within the

state’s territory, it is sufficient to exercise jurisdiction.

Consequently, according to the state principle, a state may

exercise jurisdiction even when the act commences in one

state and is consummated in another state.

The broad scope of this principle may seem proper to

combat cyber terrorism cases as two cases support this idea.

In R v. Waddan, an English resident set up a pornographic

website on a US-based server, published obscene material in

the UK, and the users could access and download such ma-

terial in the UK. The UK court allowed the prosecution of an

English resident. In another case, the ToebenCase, a “Holocaust

Denial” website was established on an Australian server by an

Australian resident. This website could be accessed in Ger-

many. Thus, the prosecution vested in Germany under the

German Anti-Nazi legislation.

On the basis of the broad effect of these cases, territorial

jurisdiction can be applied to a variety of offences in the same

way as it would apply for cyber terrorism. Since usually the

effect of a cyber-attack may be felt in many countries, then

according to the territorial principle, each of these states has a

right to prosecute.7 Territorial jurisdiction may seem to be

6 H.W.K. Kaspersen, Cybercrime and internet jurisdiction,Project on cybercrime, Economic Crime Division, DirectorateGeneral of Human Rights and Legal Affairs, 2009, p 9-10.,November 21-24, 2009.

7 A. Bianchi, ‘Enforcing international law norms againstterrorism’ (Hart publishing, 1stEdn, United Kingdom: 2004), 474-479.

Page 3: A rational jurisdiction for cyber terrorism

10 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford, 251-254.11 R.Walton, ‘The Computer Misuse Act’ (2006), Information Se-curity Technical Report, p 40, http://sciencedirect.com (accessed19 Dec 2011).12 R.Walton, ‘The Computer Misuse Act’ (2006), Information Se-curity Technical Report, p 42, http://sciencedirect.com (accessed19 Dec 2011).13 K. Gable, ‘Cyber-Apocalypse Now: Securing the Internet

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 691

highly relevant to cyber terrorism, but the UN General As-

sembly and other international organisations consider it as a

threat to international security and “emerging universal

offences”.

Despite this, it seems that territorial jurisdiction is the best

method to respond to transnational crimes; but it may face

many problems. Firstly, in cyber terrorism cases, the intent of

the crime may originate from a directly or indirectly

government-supported terrorist group; therefore, it is doubt-

ful that that state would prosecute the offenders. Secondly,

the act may remain unpunished under the law of that state as

it is not forbidden according to its laws. However, due to the

grave damage which occurs with these kinds of crimes, the

state cannot leave the perpetrators without punishment

because, according to the definition of territorial jurisdiction,

“states can assert jurisdiction over behavior occurring within

their territorial border”. In cyber terrorism cases, the physical

location of the act is far from the effect of the act. Therefore,

the commission of the act is not the same as the effect of the

act.

2.1.1. England as a case study of territorial jurisdictionThe English conflict of laws rules adhere to the rule of terri-

toriality for the basis of adjudicative jurisdiction. “There are

now two quite different sets of rules as to jurisdiction of the

English courts. In many cases, jurisdiction is still governed by

whatmay be called the ‘traditional rules’, though in a growing

proportion of cases, they are replaced by the ‘Convention

rules”. 8

The traditional rules of jurisdiction in England permit the

courts to apply their jurisdiction whenever “(1) the defendant

is present within England and the writ is served upon him; (2)

he submits to the jurisdiction of the court; or (3) he is served,

at the discretion of the court, with thewrit, in accordancewith

the Rules of the Supreme Court outside England.” 9 Put simply,

the English courts would exercise jurisdiction over a defen-

dant if he/she were put on notice of his/her action against the

plaintiff. The mere physical presence of a person makes him/

her liable to the service of the writ. The regulations of the

Brussels Convention are binding on and applicable to the

United Kingdom, because the United Kingdom exercised an

“opt-in” option. The traditional rule of jurisdiction in the

United Kingdom is subject to substantial modification by the

EC Treaty by two of its provisions: Article 249, and the

amendment of the EC Treaty by the Amsterdam Treaty. Arti-

cles 65 and 293 of the EC Treaty were amended by the

Amsterdam Treaty and the amendment gives competence to

take measures under Article 249 of the Council of the Euro-

pean Union, while at the same time complying with Articles

61C and 67(1) of the EC Treaty. Also important is the EC

Council Regulation 44/2001 adopted on December 22, 2000 and

entered into force on March 1, 2002. The general rule of this

Regulation regarding jurisdiction is based on the domicile of

the defendant and states that “persons domiciled in aMember

State shall, whatever their nationality, be sued in the courts of

that Member State.” However, the domicile principle is not

8 D. McClean, The Conflict of Laws (4th Edn, Universal Pub-lishing Company, 2004) p 60.

9 Rules of the Supreme Court, Ord.11, r.1.

complete and admits of a number of exceptions which are

outside the scope of this research since it concerns civil and

tort jurisdiction.10

However, it appears that in most computer and network

cases, the United Kingdom implements the principle of

extraterritorial jurisdiction. Most countries implement the

principle of extraterritorial jurisdiction for cybercrime and

cyber terrorism cases in order to assist their own interests in

cross-national crimes. The Computer Misuse Act (CMA) ad-

dresses a new type of computer crime as it has the ability to

cover remote computer networks and the notion of legal

jurisdiction. The CMA has extraterritorial jurisdiction that

includes offences committed in one jurisdiction while the

result is caused elsewhere.11 Regarding the international na-

ture of cybercrime offences, whereby the act is executed in

one jurisdiction and has effect in a different jurisdiction, the

act appears to meet the criteria of the CMA if it has a signifi-

cant link to the United Kingdom in terms that: (a) the offender

is located in the United Kingdom, while the computer is

located outside the United Kingdom; (b) “The computer being

misused is located within the United Kingdom, regardless of

the location of the offender at the time.” 12 The unauthorised

access will be an offence if the computer which is being

accessed is outside the United Kingdom, and the act is illegal

in the country where the computer is located. Furthermore,

according to section 2, a United Kingdom link is not necessary

to be present in the unauthorised access.

As a result, it is submitted that territorial jurisdiction is not

a proper method to deter cyber terrorism. An effective deter-

rence is not gained without a sufficient prosecution and

prosecution relies on determining the identity and location of

cyber terrorists. Only then can a suitable form of jurisdiction

be asserted. Furthermore, “Applying territorial jurisdiction is

not effective and this dates back to the borderless nature of

the internet.” Thus, territorial jurisdiction cannot provide

entire deterrence due to the absence of these factors.13

However, according to the United Nations Security Council

Resolution 1373, states have the duty to prevent terrorist at-

tacks originating within their national boundaries and failing

to do this is shirking their duty. Put simply, the UN General

Assembly places state responsibility on states by the Resolu-

tion. This strategy acts as a deterrent to cyber terrorism.

States implement this principle according to two bases.

Some states have asserted jurisdiction based on a minor

contact with territorial jurisdiction.14 Other states have acts,

such as the US Foreign Corrupt Practices Act (FCPA) which

although based on territorial jurisdiction, is defined broadly to

Against Cyber Terrorism and Using Universal Jurisdiction as aDeterrent’ (2010) 43Vanderbilt Journal of Transnational Law.14 The IBA, Report of Task Force on Extraterritorial Jurisdiction(1stedn, United States: 2009), 11.

Page 4: A rational jurisdiction for cyber terrorism

18 The IBA, Report of Task Force on Extraterritorial Jurisdiction

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1692

have a limited territorial nexus to the improper activity which

permits the US regulator to enforce the FCPA based on mini-

mal territorial contacts. Therefore, international companies

may seek protection within the United States without exten-

sive US operations based on having property there. According

to the criminal committee (International Criminal Court)

there has been a tendency by some states to broaden the

ambit of their criminal laws by extending the principle of

territoriality even when a small part of the conduct consti-

tuting the offence takes place in their state. Secondly is the

principle of the effects doctrine, which enables states to assert

jurisdiction over conduct outside their jurisdiction that is

committed by foreigners but has effect within the states.

Although, from the viewpoint of some scholars, the theory

that cyberspace is a phenomenon lacking territorial connec-

tion is invalid due to its conforming to national laws, such

analysis does not apply to cyber terrorism. This is because,

cyber terrorism, like cyberspace, transcends physical borders,

and therefore the proper legal regime is the legal regime

which is implicated beyond the location.15 Moreover, there is

no domestic or international law pertaining to cyber

terrorism, while no existing national and international laws

have been enacted to address cybercrime. In some situations,

cyberspace may be subject to state control by filtering of the

specific site, and assigning its domain name, but cyber

terrorism cannot be subject to state control, due to the nature

of cyber terrorism which operates without borders and the

progress of countries in this area not outpacing the prolifer-

ation of cyber threats.16

Cyber terrorism may attack entire computer systems via

various locations and determining the origin of such attacks

(the location that the crime is being committed from, occurs,

and affects) is exceedingly difficult to pinpoint. The attacks

are launched frommultiple states, using technological tools to

show the attack came from elsewhere. The identity and

location of the perpetrators is concealed by targeting several

computer systems in multiple states, thus making it difficult

to pinpoint their identity and location because determining

whether any of these “computers are actually involved or are

just decoys is much more complicated.” 17 These acts are

committed via spoofing the information and using anony-

mous IP addresses; similarly, hackers utilise numerous ways

to commit their crimes without leaving a trace. They may

commit the cyber terrorist attack completely anonymously,

beyond the territory of any legal jurisdiction, by encryption.

Thus it is difficult to determine which jurisdiction is to assert

jurisdiction. Therefore methods for determining any physical

location for cyber terrorism seem grossly inadequate. As the

primary goal of providing jurisdiction is deterrence, it defeats

the purpose if it takes a long time to identify the attackers and

their location.

15 P. Kanuk, ‘Information Warfare: New Challenges for PublicInternational Law’ (1996) 37Harvard International Law Journal, 272-288.16 J. B. Avlon, The Growth of Cyber Threat, 2009, http://www.forbes.com/2009/10/20/digital-warfare-cyber-security-opinions-contributors-john-p-avlon.html (accessed 13 Feb 2012).17 K. Gable, ‘Cyber-Apocalypse Now: Securing the InternetAgainst Cyber Terrorism and Using Universal Jurisdiction as aDeterrent’ (2010) 43Vanderbilt Journal of Transnational Law.

2.2. Extraterritorial jurisdiction

Historically, the exercise of jurisdiction by states is limited to

persons, property and actions within a state’s territory.

However, with the rise of international corporations and the

advent of the virtual world, states have been encouraged to

exercise jurisdiction beyond their territorial harbours. States

extend their jurisdiction beyond their territories by exercising

extraterritorial jurisdiction. However, extraterritorial juris-

diction suffers from a fundamental dilemma. On the one

hand, each territory has the right to enact regulations and

have their own regulations which cover behaviour occurring

within their domestic territories. On the other hand, the acts

of individuals and groups affect others beyond national ter-

ritories and state borders.18

In May and November 2000, a French court ordered the

United States to block access of French users from a US

website, because it offered online auctions of Nazi memo-

rabilia, which is prohibited under French criminal law.

Nevertheless, there was no such law in the United States and

thereby it was possible for French users to take part in the

online auction of Nazi memorabilia. The French court then

handed down a decision based on the findings of an inter-

national panel of experts. They recommended blocking

French nationals from the site by using screening technology

based on the internet protocol address of the users’ com-

puters. With such technology, they could block the French

nationals’ access by approximately 70 percent (however,

they could increase the access to almost 90 percent by

completing a nationality questionnaire by the internet ser-

vice provider). The French court thus attempted to regulate

US activities within the US on the basis that such activities

could be accessed by internet users in France. Finally, a

United States court held that the French court had no right to

make such an order affecting the operation of a US website.19

Thus, extraterritorial jurisdiction may often violate the na-

tional sovereignty of another state. This case, the Yahoo Case,

that caused conflict of jurisdiction between the United States

and France, is an example of a very wide extraterritorial ef-

fect.20 This is because the French court asserted jurisdiction

on the basis of the users targeted and the location of the

downloading. Similarly, the US courts have been willing to

extend their jurisdiction and laws outside US borders. In

some cases, the US has attempted to apply its laws to foreign

states with little regard for the governing laws of other

jurisdictions.21

The globalisation of the internet produces conceptual

challenges to territoriality. “Territorial regulation of the

internet is no less feasible and no less legitimate than

(United States: 2009), 13.19 A. Manolopoulos, ‘Raising “Cyber Borders”: The InteractionBetween Law and Technology’ (2003) 11 (1) International Journal ofLaw and Information Technology, 41-44.20 ValerieSedallian, Commentaire de l’affaire Yahoo (1), Revuedu Droit des technologies de l’information, 24/20/00, atparagraph20, http://www.juriscom.net (accessed 6 May 2012).21 Micheal. Geist, “Is There A There: Toward Greater Certainty forInternet Jurisdiction,” (2001) 16 Berkeley Technology Law Journal,1345-1406.

Page 5: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 693

territorial regulation of non-internet transactions.”22 The na-

tional courts are based upon each state’s domestic laws and

their legislative courts are limited to their country. The

absence of geographical borders in cyberspace makes the use

of territorial jurisdiction for sovereign jurisdiction problem-

atic. States do attempt to regulate the internet, but the

decentralised operation of the internetmakes it impossible for

states to control activity in cyberspace.23 However, some

states already regulate cyberspace to a certain extent; for

example China has suppressed dissidence online and pre-

vented users accessing content available in the United States.

As a result, due to the many territorial jurisdiction loop-

holes and the limited deterrence offered by these, territorial

jurisdiction, when compared with universal jurisdiction,

cannot provide sufficient methods to prosecute cyber

terrorism.

2.3. Personality/nationality jurisdiction

This refers to the ability of a state to assert jurisdiction over its

citizens, even when they reside outside its borders in some

cases. The personality or nationality principle includes active

and passive nationality. Active nationality focuses on the

nationality of the perpetrator. In doing so, the state has the

ability to assert jurisdiction over crimes committed by its

nationals abroad. Thus, a state can assert jurisdiction over a

crime which is not committed within its borders solely on the

basis of the perpetrator’s nationality. Passive nationality re-

fers to the victim’s nationality. This enables a state to assert

jurisdiction over a crime which happens outside its territory

but against one of its nationals.24

One of the main problems which may arise under the

territoriality principle is that it may either contravene the

statutes of the other country, or may cause other inadvertent

issues. As in the Yahoo Case, the French court ordered Yahoo to

implement technological measures to prevent access from

French territory.25 The French court should have considered

the possibility of applying jurisdiction under the territorial

doctrine in public international law. The US court, after hav-

ing considered the French order, held that “the First Amend-

ment precludes enforcement within the United States of a

French order intended to regulate the content of its speech

over the internet.”26 Moreover, it condemned the fact that “by

imposing restrictions on the US-based Yahoo.com, the French

court tried to regulate the activities of a US corporation within

the US on the basis that such activities can be accessed by

internet users in France.”27

22 Jack. L. Goldsmith ‘The Internet and the Abiding Significanceof Territorial Sovereignty’ (1998) 5 International Journal of GlobalLegal Studies,475.23 Jack. I. Zekos, ‘Globalization and States’ Cyber-Territory’ (2011)5 Web Journal of Current Legal Issues, http://webjcli.ncl.ac.uk/2011/issues5/zekos5.html (accessed 14 May 2012).24 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 14.25 UEJF et LICRA v Yahoo Inc et Yahoo France.26 Yahoo, Inc v. La Ligue Contre Le Racism et L’Antisemitisme,169 (2001), p 22.27 Yahoo, Inc v. La Ligue Contre Le Racism et L’Antisemitisme,169 (2001), p 43.

Among all countries, the United States is the most impor-

tant example of having court decisions that adopt personal

jurisdiction. The Fourteenth Amendment of the United States

Constitution lays down the principles of personal jurisdiction.

US courts have applied the principle of the International Shoe

Case in cases involving internet crime.28 A person must have

some relationship with a US state in order to be sued in that

state. According to this principle, a United States court may

exercise jurisdiction over a person for any dispute, if the

person has substantial, systematic and continuous contact

with the forum state and even if the conduct is unconnected

to the forum state. In the case of Helicopteros Nacionales de

Colombia v. Hall, the court held that due to the insufficient

contacts which did not constitute continuous and systematic

activity, the court could not assert general jurisdiction.29 In

other words, a person or corporation can be sued in its state of

residence or citizenship, regardless of the place the offence

commenced to occur. Furthermore, the court can assert

jurisdiction according to the principle of the effects doctrine

which proclaims that a US state can assert jurisdiction over

activities taking place outside the US and which cause an ef-

fect within the forum state. The federal and state courts in the

US utilise “long-arm” statutes and establish constitutional

norms to administer the conduct of non-citizens of states. The

US Federal Court has long-arm statutes providing three basic

grants of jurisdiction: firstly, it authorises federal courts to

“borrow” the long-arm statute of the state inwhich the federal

court is located.30 Secondly, federal rule authorises federal

courts to exercise grants of personal jurisdiction contained in

federal statutes.31 Thirdly, federal rule grants long-arm juris-

diction in an international context, within the limits of the

Constitution, over parties to cases arising under federal law

who are not subject to the jurisdiction of any particular

state.32

When the defendant is not domiciled in a state in order to

be subject to personal jurisdiction, the defendant must be

qualified under the state long-arm statute and simultaneously

the state jurisdiction must be valid under the Due Process

Clause of the Fourteenth Amendment. Consequently, such a

person must have sufficient “minimum contact” with the

state, thus the initiation of a suit does not go against “tradi-

tional notions of fair play and substantial justice.”33 The court

must decidewhat contacts are sufficient regarding “notions of

fair play and substantial justice” to use its power. As soon as

the threshold of “minimum contact” is crossed, the US court

can assert its jurisdiction.34 The minimum contact can be

discovered by many methods, e.g. through the internet,

business transactions, effects of cyber activities, and targets of

28 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford, 250.29 Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 US408(1984).30 Federal Rule of Civil Procedure, 4(k)(1)(A).31 Federal Rule of Civil Procedure, (Rule 4(k)).32 Federal Rule of Civil Procedure, 4(k)(2).33 T.D. Leitstein ‘565 A Solution for Personal Jurisdiction on TheInternet’ (1999) Louisiana Law Review, http://cyber.law.harvard.edu/property00/jurisdiction/Leitstein.html (accessed 27 Jun 2012).34 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford,250.

Page 6: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1694

cyber activities.35 Following the minimum contact test, the

court will consider the measure of reasonableness in order to

exercise jurisdiction. A court must consider the following ac-

tions to determine reasonableness:

(1) weigh up the burden on the defendant to litigate in the

forum state (USA),

(2) consider the interest of the forum state (USA) in the

matter,

(3) ascertain the interest of the plaintiff in obtaining relief,

(4) scrutinize the efficiency of the forum state (USA) in

dispute settlement, and

(5) look over the interests of several states (USA) in

furthering certain fundamental social policies.36

The claim of personal jurisdiction by US courts is against

the assumption of jurisdiction applied to web pages which are

accessed internationally. However, this is balanced by cate-

gorising all internet activities into three types: (1) active

websites; (2) websites permitting exchange of information

with the host computer; and (3) passive websites.

The US courts exercise jurisdiction only over active web-

sites. They do not exercise jurisdiction over the supply of in-

formation through passive websites. For the second category,

the jurisdiction is determined by examining the level of

interactivity of the exchange of information that occurs on the

website. In order for the courts to properly exercise jurisdic-

tion they must pass the “minimum contact test” and the

“reasonableness prong”. The court must be inclined to find all

contacts in all circumstances for the test of jurisdiction. This

category needs more refinement to include the substantial

requirement of personal jurisdiction as described in the Zip-

poCase. According to the ZippoCase, deliberate action is

needed, either in the form of transactions between the resi-

dent of the forum state and the defendant, or the defendant’s

conductmust purposely target the resident of the forum state.

Therefore, the United States does not apply single jurisdiction

for all cases. According to Bensusan v. King, a mere advertise-

ment on a website does not confer specific jurisdiction since

the defendant “did not contract to sell any goods or services to

any citizens of the forum state over the internet site.” There

aremany cases that have showed that although theminimum

contact and reasonableness and categorisation of website

tests based on the degree of activity are the requirements of

asserting jurisdiction, these criteria have not always been

adhered to.37

As soon as the US court is satisfied aboutminimumcontact

and reasonableness, it can exercise jurisdiction over the

35 M. O. Rahman, ‘Towards Understanding Personal Jurisdictionin Cyberspace’ (2008) 50 International Journal of Law and Manage-ment, 110.36 M. O. Rahman, ‘Towards Understanding Personal Jurisdictionin Cyberspace’ (2008) 50 International Journal of Law and Manage-ment, 109.37 Amit M. Sachdeva, ’International Jurisdiction in Cyber Space:A Comparative Perspective’ (2007) 13 CTLR eOxford,251.

defendant in another state or country whose performance has

a substantial effect on the US and has established sufficient

contacts with the state, in order to satisfy due process. Even if

the defendant is from another country, he/she may be hauled

into a US court. According to the US Foreign Relations Act,

exercising jurisdiction is reasonable in the following cases:

(1) if the party is a citizen, resident, or domiciliary of the

state;

(2) if the person, whether natural or personal, has con-

sented to the exercise of jurisdiction;

(3) if the person, whether natural or juridical, regularly

carries on business in the state;

(4) if the person, whether natural or juridical, had carried

on activity in the state, but only in respect of such activity;

(5) if the person, whether natural or juridical, had carried

on outside the state an activity having a substantial, direct,

and foreseeable effect within the state, but only in respect

of such activity; or

(6) if the thing that is the subject of adjudication is owned,

possessed, or used in the state, but only in respect of a

claim reasonably connected with that thing.38

The US Supreme Court exercises personal jurisdiction over

issues of cyberspace. The decisions of the US courts have

shown that they may apply personal jurisdiction even over a

non-resident defendant whose sole contact with the US arose

through the internet. There have been various cases on

different aspects of cyberspace that have indicated and

concentrated on personal jurisdiction. However, a number of

rules have limitations, which leaves much at the judges’

discretion.

In addition, the United States also applies extraterritorial

jurisdiction to computer-related crime in overseas cases. It

condemns various crimes involving credit cards, PIN numbers

and other access devices, applicable overseas if the card or

device is issued by or controlled by an American bank or other

entity and some article is held in or transported to or through

the United States during the course of the offence.39 Addi-

tionally, the United States recognises extraterritorial juris-

diction in circumstances where the access device is both

issued by a US entity andwhich has a physical presence in the

US.

2.4. Universal jurisdiction

Universal jurisdiction is applied to crimes that are more

serious.40 Universal jurisdiction, compared to territorial

jurisdiction, offers a more effective and efficient deterrent. It

38 Section 421 of the Restatement (Third) of the Foreign RelationsLaw of the USA.39 18 U.S.C. section 377.40 S.Macedo, ‘Universal Jurisdiction: National Court and Prose-cution of Serious Crime under International Laws’, University ofPennsylvania Press, 2006, p 4.

Page 7: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 695

“confers on any nation the authority to prosecute alleged in-

ternational criminals, even when the prosecuting nation has

no direct connectionwhat so ever with the offense.” Universal

jurisdiction was created based on international law, which

permits all states to apply their laws to an act “even if it ...

occurred outside its territory, even if it has been perpetrated

by a non-national, and even if its nationals have not been

harmed by it.....” 41 It creates a new realm, forcing humankind

to extend the traditional and existing rules to it.42 However,

when exercising the principle of universal jurisdiction, due to

the competencies existing in it, only a limited number of of-

fences are subject to its application.43 Moreover, asserting

jurisdiction under universal jurisdiction requires two factors:

the crime must be serious enough to be hazardous to the in-

ternational community, and the country which asserts juris-

diction must have the defendant in its custody.44 Generally,

the other forms of jurisdiction require some kind of link

among elements of the crime, but the application of universal

jurisdiction does not require any such link. The crimes come

under international law in two ways: firstly, the heinous na-

ture and scale of the offence, which encompass grave

breaches of humanitarian law; or secondly, because of the

inadequacy of legislation by the nations involved, these

crimes are committed in territories that are not subject to the

authority of any states. National courts have upheld universal

jurisdiction on the basis of their municipal criminal statutes.

These statutes are incorporated into the national law by the

Geneva Convention’s member states. Universal jurisdiction

may be created by treaty regimes, or as a matter of customary

international law.45 Treaty regimes are binding on the states

that are parties to them. However, in certain circumstances,

they serve as evidence of customary international law.46 As

classically conceived, the exercise of universal jurisdiction

can be carried out by the international community as well as

by states.47

2.4.1. Opiniojuris and state practiceUniversal jurisdiction is applied based on two criteria: the

treaty regime and customary international law. Universal

jurisdiction is prescribed for cyber terrorism as a matter of

customary international law, and is based on the elements of

customary international law. The elements of customary in-

ternational law that are included are opinio juris and state

practice regarding terrorism. Terrorism has been considered

in a number of treaties (state practice), and as mentioned

41 Roslyn. Higgins, Problems and Process: International Law and HowWe Use It (United Kingdom: 1995), 57.42 Roslyn. Higgins, Problems and Process: International Law and HowWe Use It (United Kingdom: 1995), 57.43 IliasBantekas and Susan Nash, International Criminal Law (2nd

edition, Cavendish Publishing, 2003, United States), 156.44 Kenneth C. Randall, ’Universal Jurisdiction under Interna-tional Law,’Texas Law Review (1998) 66, 785.45 Leila Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction,’(2001) 35 NewEngland Law Review, 245.46 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 11.47 Leila Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction,’ (2001) 35 NewEngland Law Review, 245.

above, numerous treaties have recognised various types of

terrorism. Although they do not mention cyber terrorism per

se, it is accepted that cyber terrorism is generally a form of

terrorism, As well as this, terrorism is considered a heinous

crime against humanity (opinio juris).48 Thus, these two ele-

ments of customary law eopinio juris and state practice - are

suitable for application against terrorism and subject

terrorism to universal jurisdiction. The international com-

munity condemns all aspects of terrorism because of their

heinous nature, which is also a characteristic of the nature of

cyber terrorism acts.

2.4.2. State responsibilityResolutions 1368 and 1373, adopted by the UN Security

Council following 11 September 2001, mandated states to take

affirmative steps as a duty under international law to stop

terrorist acts and to cooperate in shouldering this burden.

Therefore, countries must attempt to prevent terrorist acts. In

other words, state responsibility obliges states to arrest,

prosecute or extradite anyone accused of being associated

with a cyber terrorism act. According to state jurisdiction,

states must prevent and respond to cyber terrorism acts.

Resolution 1373 creates binding international law by con-

taining the word “decide[d]” which obligates all United Na-

tions member states to implement the Security Council

decision. According to Resolution 1373, all states have a duty

to prevent terrorist acts, a duty to prevent territories from

harbouring anyone associated with terrorist acts and from

being used for committing terrorist acts. States must also

adopt proper domestic law to criminalise and punish terrorist

acts. In addition, they have to aid in investigation and criminal

proceedings as well as obtaining evidence in their jurisdiction.

The strong and broad language of Resolution 1373 indicates

the state’s duty regarding cyber terrorism acts. Although

Resolution 1373 does not specifically address cyber terrorism,

cyber terrorism acts being a type of terrorist activity should be

covered under the Resolution as well. As soon as an attack is

identified as a cyber-attack, the duty to respond requires

states to provide evidence and to cooperate with criminal in-

vestigations and to bring the alleged cyber terrorism perpe-

trators to justice by either prosecuting or extraditing them.

Due to the fact that tracing the cyber-attack is difficult,

particularly in situations such as the use of IP packets, spoofed

mid-routes, or ‘botnet’ attacks, identifying the actual at-

tackers to make them accountable to state responsibility is

not an easy job. Tracking is also made difficult because the

attackers use myriad strategies in carrying out their attack.49

Put simply, identifying the nature of the party involved, be it

a government, a terrorist group, or individuals, is a critical

element in determining the appropriate response and juris-

diction. There are also many other elements in attributing the

attack to a certain nation’s jurisdiction.

48 John H. Jackson, ’ Sovereignty Modern: A New Approach to anOutdated Concept’ (2003) 97 The American Journal of InternationalLaw, 795-800.49 Scott. J. Shackelford & Richard. B. Andres, ’State Responsibilityfor Cyber Attacks: Competing Standards for a Growing Problem’(2011) 42 Georgetown Journal of International Law, 971.

Page 8: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1696

Treaty law provides a legitimate basis for exercising uni-

versal jurisdiction over cyber terrorism. Numerous treaties

have been effected on terrorism and as cyber terrorism is a

part of traditional terrorism which launches its attack via the

internet, such treaties may cover cyber terrorism as well.

Good examples of this are the Convention to Prevent and

Punish Acts of Terrorism Taking the Form of Crimes against

Persons and Related Extortion, and the International

Convention for the Suppression of Terrorist Bombings.

Multilateral treaties may conform to customary international

law if a large proportion of non-member states follow the

provisions of treaties without any legal obligation.50

As discussed earlier, in certain circumstances, treaties

serve as evidence of customary international law.51 In the past

few decades, customary international law sources have been

redefined. International treaties generate international legal

norms. They create new customary legal norms, especially

those encompassing human rights. The International Crim-

inal Court for example, has transformed its international

treaties that obliged state signatories to employ customary

international law. The ICC now offers the case that a treaty

being signed by a group of countries becomes the new

customary legal norm.52

As the Convention on Cybercrime is the only existing in-

ternational treaty in the fight against cross-border crime and a

large number of countries have ratified it as well as recognised

the standard jurisdiction approach of the Convention to enact

their federal and state legislation’s jurisdiction over criminal

offences committed in cyberspace, it is vital to consider juris-

diction under this Convention.53 Article 22 of the Convention

on Cybercrime deals with jurisdictional issues over offences

enumerated in Articles 2-11 of the Convention. It stipulates:

1. Each Party shall adopt such legislative and other mea-

sures as may be necessary to establish jurisdiction over

any offence established in accordance with Articles 2

through 11 of this Convention, when the offence is

committed:

a in its territory; or

b on board a ship flying the flag of that Party; or

c on board an aircraft registered under the laws of that

Party; or

d by one of its nationals, if the offence is punishable under

criminal law where it was committed or if the offence is

committed outside the territorial jurisdiction of any State.

50 RoozbehB.Bakher, ’Customary International Law in the 21st

Century: Old Challenges and New Debates’ (2010) 21 EuropeanJournal of International Law, 173.51 The IBA, Report of Task Force on Extraterritorial Jurisdiction, 17.52 Roozbeh. B. Bakher, ’Customary International Law in the 21st

Century: Old Challenges and New Debates, 21 European’ (2010)Journal of International Law, 173.53 C. V. Sanmartin, ‘Internet Jurisdiction and Applicable Law InLatin America. Towards The Need for Regional Harmonization inthe Field of Cybercrime’, The Octopus Interface 2009 Conference onCooperation Against Cybercrime, Strasbourg, 2009, p 89.

2. Each Party may reserve the right not to apply or to apply

only in specific cases or conditions the jurisdiction rules

laid down in paragraphs 1.b through 1.d of this article or

any part thereof.

3. Each Party shall adopt such measures as may be neces-

sary to establish jurisdiction over the offences referred to

in Article 24, paragraph 1, of this Convention, in cases

where an alleged offender is present in its territory and it

does not extradite him or her to another Party, solely on the

basis of his or her nationality, after a request for

extradition.

4. This Convention does not exclude any criminal juris-

diction exercised by a Party in accordance with its do-

mestic law.

5. When more than one Party claims jurisdiction over an

alleged offence established in accordance with this

Convention, the Parties involved shall, where appropriate,

consult with a view to determining the most appropriate

jurisdiction for prosecution.54

Article 22 of the Convention on Cybercrime establishes

extraterritorial jurisdiction over information technology of-

fences in three aspects:

(i) the place where the offense was committed; (ii) which

laws should accordingly apply in case of multiple juris-

dictions; and (iii) how to solve positive and how to avoid

negative jurisdiction conflicts.55

Although many treaties exist, none of them provide a

binding regulatory jurisdiction. Most of themdeal with limited

areas and apply at regional level. The most prominent treaty

in the field of cybercrime does not encompass cyber terrorism.

Thus, since it does not offer personal and territorial jurisdic-

tion covering cyber terrorism, the best thing to do would be to

add a protocol specifically relating to cyber terrorism.

2.4.3. The heinousness of cyber terrorism and the analogy ofuniversal crimeCrimes against humanity, such as genocide and piracy, are

resolved by exercising universal jurisdiction. In a similar way,

cyber terrorism as a new type of traditional terrorism should

be subject to universal jurisdiction, because of the heinous

nature of such crimes. Universal jurisdiction was applied to

pirates because they were considered enemies of all mankind.

According to the principle of universal jurisdiction, as soon as

pirates were caught, any state could prosecute them on behalf

of the international community.56 The heinousness of cyber

terrorism acts is also on par with genocide, crimes against

54 Convention on Cybercrime, Article 22.55 Henrico W. K. Asperse, ‘Jurisdiction in the CyberspaceConvention’ in Cybercrime and Jurisdiction. A Global Survey, (Ed.Bert-Jaap Koops & Susan Brenner), Chapter 2, Information Tech-nology & Law Series 11, 2006 T.M.C. Asser Press, The Hague.56 Leila. Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction’ (2001) 35NewEngland Law Review, 245.

Page 9: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 697

humanity which are subject to universal jurisdiction because

they are analogous to piracy in the heinous nature of the

crime and their matching the definition of piracy as a “crime

committed more or less indiscriminately against citizens of

different nations . on the high seas”. Another thing is that,

such crimes are committed by a state or rather, those in

control of a state; therefore, they are unlikely to go unpun-

ished by territorial states. Thus, international treaties have

increasingly mandated universal jurisdiction, even though

the autdedereautjudicare (‘extradite or prosecute’) principle has

only recently been included in customary international law.57

We can extend universal jurisdiction to cyber terrorism by

its analogy to piracy because both exhibit remarkably parallel

criteria. In fact, we can compare cyberspace in cyber terrorism

to the sea in piracy, both being beyond the control of states.

Also, both of these crimes are carried out by individuals or

clandestine groups without the consent of states and simul-

taneously threaten national infrastructure and global econ-

omy. It also likely that both crimes would be considered as

acts of war. Finally, both of them act to further their motives’

agenda.58

In order to prescribe universal jurisdiction, the injured

party must satisfy certain requirements under the basic

principle of universal jurisdiction. First, the crime must be so

harsh as to be prosecuted only under universal jurisdiction.

Second, it must not be constrained to a limited time and third,

it can be prosecuted inwhichever country that it happens in. It

seems that universal jurisdiction, among other prescribed

jurisdictions, is the most viable and effective method to deter

cyber terrorism.

The idea of universal availability of information on the

internet has resulted in the potential of universal effects and

this may lead to the assertion of universal jurisdiction over

internet offences. Such trans-boundary regulation would

make the job of information producers difficult because it may

force them to comply with the laws of most jurisdictions to

avoid the risk of being hauled before their various courts.

Although it has been previously mentioned that the terri-

torial principle of jurisdiction is applicable in the United

Kingdom, it should be said that it is a general jurisdiction.

According to sections 62 and 63 of the Terrorism Act 2000, and

section 17 of the Terrorism Act 2006, the United Kingdom has

asserted universal jurisdiction over the commission of all

types of terrorism. It is stated that: “anyone who commits any

types of terrorism offences anywhere in the world should be

dealt with under the relevant laws of the United Kingdom.” 59

Regarding the general jurisdiction of the United Kingdom, it

enjoys full jurisdiction over any crime committed on its ter-

ritory. All lists of offences in sections 62 and 63 of the

Terrorism Act 2000 and section 17 of the Terrorism Act 2006

will be considered to be committed onUK territory, evenwhen

they are committed elsewhere.

57 Leila. Nadya Sadat, ’Universal Jurisdiction: Myths, Realities,and Prospects: Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 245.58 Oona A. Hathaway, ‘The Law of Cyber- Attack’ (2012) 100California Law Review, 817.59 Shane. Sibbel, ‘Universal Jurisdiction and the Terrorism Act’(2007) 3Cambridge Student Law Review, 13.

However, the assertion of universal jurisdiction on these

acts on the basis of customary international law and inter-

national treaties is not plausible. The assertion of universal

jurisdiction in the UK goes beyond that which the UK is obli-

gated or permitted to claim. It is implausible to say that all or

most of the terrorism offences in the world may be charac-

terised as affecting the vital interests of the United Kingdom.

Even the combination of the nationality principle, passive

personality, and the protective principle on the basis of or-

thodoxy cannot establish a customary basis for the UK’s

assertion of universal jurisdiction.

Furthermore, the possible grounds for the assertion of

universal jurisdiction cannot be found in the jurisdiction

available to the UK following its ratification of the Interna-

tional Convention for the Suppression of Terrorist Bombing

and the International Convention for the Suppression of the

Financing of Terrorism. These conventions recognise state

parties’ jurisdiction on territorial, national and protective

grounds. The treaties provide a treaty-based jurisdiction

based on the rule of autdedereautjudicare which “states that

where an alleged offender is apprehended on the territory of

one of the treaty parties, that state must either extradite the

offender to another treaty-party with jurisdiction, or itself

begin prosecution.”60 However, the universal jurisdiction

asserted in sections 62 and 63 of the Terrorism Act 2000 and

section 17 of the Terrorism Act 2006 extends beyond autde-

dereautjudicare in two important ways. Firstly, the scope of the

UK’s jurisdiction is asserted over a wider jurisdiction, rather

than confined to those states that have ratified the conven-

tions. Secondly, when exercising the asserted jurisdiction in

sections 62 and 63, at the time of the assertion, the offender

does not have to be within the territory of the asserting state.

Thus, under sections 62 and 63, the UK authorities can issue

an arrest warrant for offenders anywhere in the world, be-

sides cooperating with other states to bring about the deten-

tion and extradition of these offenders to the UK to face trial.

2.4.4. The exercise of universal jurisdiction by theinternational community and statesThe International Criminal Court (ICC) is an international

tribunal that was established as a result of a multilateral

treaty devoted to international jurisdiction. Such interna-

tional tribunals are self-contained systems. However, the

constitutive instrument of an international tribunal limits its

jurisdictional power. The ICC, like other international tri-

bunals, enjoys an inherent jurisdiction.61 However, the ICC’s

jurisdiction is premised on the basis of complementary or-

gans, i.e. national courts in cases where states override its

authority or where it is unable to carry out investigation or

prosecution.62 A state automatically accepts that the ICC has

jurisdiction over four groups of crimes, i.e. the crime of

genocide, crimes against humanity, war crimes, and the crime

of aggression.

60 Shane. Sibbel, “Universal Jurisdiction and the Terrorism Act’(2007) 3 Cambridge Student Law Review, 18.61 Ilias Bantekas and Susan Nash, ‘International Criminal Law,(2nd edition, Cavendish Publishing, 2003, United States), 162-164.62 ICC statute, e.g. Article 17(1) (a), (b), 2(a).

Page 10: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1698

2.4.4.1. The exercise of universal jurisdiction by the interna-tional community. International tribunals have been created

for exercising universal jurisdiction over international crimes.

The Rome Treaty was the first treaty that articulated all ju-

risdictions (jurisdiction to prescribe, adjudicate, and enforce)

in one instrument. Using universal jurisdiction to deal with

international crime dates back to the nineteenth century. The

anti-slave trading treaty and the Nuremberg tribunals are in-

stances of the efforts of the international community in

exercising universal jurisdiction over international crimes.

Generally, the theory of universal jurisdiction, which was

extended in the Rome Treaty, derives from the idea that the

criminal activity must reach a certain level of harm, or

threaten the interest of international society, for it to be

necessary for all states to apply their laws. The theory of

universal jurisdiction permits the international community in

prescribed jurisdictions to displace the national law with in-

ternational law. However, the statutes of the Rome Treaty do

not focus exactly on the issue of courts’ jurisdiction and leave

it up to the complementarity principle and the state consent

regime. The court exercises its jurisdiction only in cases

“involving the most serious crimes of concern to the inter-

national community as a whole.” 63

The jurisdiction to adjudicate subjects criminal defendants

to the process of the ICC. The ICC jurisdiction is divested in

three ways: firstly, the state’s consent excludes some cases

from the court’s judicial jurisdiction. Secondly, the comple-

mentarity principle removes certain cases because of pru-

dential concerns. Thirdly, the principle of ne bis in idem (‘not

twice in the same’) removes the case from the court if there is

the chance of legal action being instituted twice for the same

cause of action. The court is qualified to assert jurisdiction

only in cases that states and the Security Council lodge com-

plaints against.64

The jurisdiction of the ICC is not limited when the Security

Council refers a case to the court because there has been a

threat to world peace and security, even when the state is not

party to the court’s statutes. In addition, a case can be referred

by the prosecutor or state with the state’s consent. Thus, the

court receives the jurisdiction “by state parties so long as

either the territorial state or the state of accused’s nationality

is either a party to the statute or has accepted the jurisdiction

of the court.” 65 However, the case may be that the Security

Council receives the jurisdiction in times of crises that

threaten peace and security, and this may conflict with the

state’s jurisdiction, and in limited circumstances the state

may withhold its consent and prevent the ICC from exercising

its jurisdiction. In a complementary situation the court may

exercise jurisdiction when the state is unable or unwilling to

assert jurisdiction.66

63 Rome Statute of The International Criminal Court, Article 5(1).64 Rome Statute of The International Criminal Court, Article 17,20.65 L. Nadya Sadat, ‘Universal Jurisdiction: Myths, Realities, AndProspects: Redefining Universal Jurisdiction’ (2001) 35 New En-gland Law Review, 241.66 L. Nadya Sadat, ‘Universal Jurisdiction: Myths, Realities, AndProspects: Redefining Universal Jurisdiction’ (2001),35New EnglandLaw Review, 241.

Offences such as genocide and terrorism that are subject to

universal jurisdiction by a treaty are also subject to the

perpetrator violating the statutes of the treaty not only to the

jurisdiction of all member states of the treaty, but also to the

jurisdiction of the treaty organisation itself.67 Although the

universality principle allows states to exercise jurisdiction to

enforce their criminal laws through their courts in order to

punish universal crime, the ICC simultaneously has jurisdic-

tion, but the latter has primacy over national courts in

adjudicating.68

Jurisdiction to enforce is the weakest component of juris-

diction principles. However, the conflict of jurisdictions often

happens in executive jurisdiction and the limitations of in-

ternational law are clearer than the area of legislative and

judicial jurisdiction. The efficacy of the ICC in enforcing in-

ternational criminal law is undermined, since it has no police

force.

2.4.4.2. The exercise of universal jurisdiction by states. Statesasserting universal jurisdiction over criminals use

specifically-adapted internal enactments. Until recently, there

have been very few state prosecutions of the types of crimes

listed in the Rome Statute. A few examples are the French war

crimes trials of Barbie, Touvier and Papon, Israel’s quest of

Eichmann, Canada’s trial of Finta, and Spain’s search for

General Pinochet. In each of these cases, each state’s national

court, although applying national law, was also to some

extent applying international law, and in the process, chal-

lenging questions were raised on both the substantive law

itself and on the procedural system that accompanied it.

Although prosecutions in the three types of jurisdictions e

prescriptive, adjudicative and enforcement e share certain

similarities in national and international ambitswhen applied

to international crimes, there is one important difference, i.e.

that although national courts apply prescriptive norms that

apply internationally, their adjudicative powers and authority

to enforce them are limited to their own territorial spaces.69

It has been postulated that, having a theory of “absolute”

universal jurisdiction, i.e., universal jurisdiction not subject to

any limitations arising from practical concerns, is appropriate

in the current scenario of few states prosecuting non-

nationals for criminal acts. However, if states do enact legis-

lation to punish international criminals, and thus assert

jurisdiction over such perpetrators, there should be a case for

international law establishing rules to resolve otherwise

difficult conflicts of jurisdiction. This point affects both the

application of substantive law and its procedural regime, and

is discussed below.

The exercising of universal jurisdiction in cyber terrorism

cases by states, in the same way as they treat other interna-

tional crimes, is characterised by two factors. The first one is

67 S. Wilske& T. Schiller, ‘International Jurisdiction in Cyber-space: Which States May Regulate the Internet’ (1998) 50 FederalCommunication Law Journal, 123.68 S. Wilske& T. Schiller, ‘International Jurisdiction in Cyber-space: Which States May Regulate the Internet’ (1998) 50 FederalCommunication Law Journal, 170-171.69 M.C. Bassiouni, International Criminal Law: Multilateral andBilateral Enforcement Mechanisms, (3rdedn, 3, Martinus NijhoffPublishers, Netherlands, 2008) 207-209.

Page 11: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 699

the prescriptive norms which postulate that all states apply

international norms through their national laws. The problem

here is that this statement may be true only in theory, while it

could vary considerably in practice. It must not be forgotten

that the Rome Statute, by the insertion of Article 10 into the

text, called on states to “improve” international norms in the

ICC Treaty by encouraging the development of customary

international law beyond the treaty definitions of crimes lis-

ted in the Rome Statute. This means that the Statute en-

courages states to modify the definitions of the Rome Statute

through their own specific legislation. Thus, it is completely

reasonable to suppose that a state’s definition of its ambit

varies from state to state. In application, overlap between

national legislation and such legislation is not unexpected.

Therefore, the application of universal jurisdiction by the in-

ternational community causes fewer problems. 70

The second factor is regarding the procedural regimes of

substantive law. Even if substantive law norms are constant

from state to state, the procedural regimes to which they are

subjected may vary considerably. The procedural law, espe-

cially in criminal procedure, is almost exclusively local in

character. And this also applies to aspects of procedure which

are covered by international law: there is very little formal

congruence between national and international proceedings.

While there have been assertions that national prosecutions

must have certain specific rules, there has been almost no

integration of national and international legal criminal law

systems that prove those assertions correct. Thus, it is not

clear which law applies. For instance, whenever one of the

procedural laws is in issue, such as immunity granted by

municipal law to a potential criminal defendant, it is not clear

whether the forum state looks to its own law, the law of the

state granting the defendant immunity, the law of the state of

the defendant’s nationality, the law of the state upon whose

territory the crimes were committed (the territorial state), or

international law to resolve the problem. This is because

public international law has not established a conflict of laws

system in such a situation, and on the basis of the Lotus

paradigm, every state may apply its law as an independent

sovereign unless there is some rule prohibiting it from

doing so.71

In such an instance, it would be an inconsistency if the

forum state applies the law of the state granting immunity as

the benchmark for its own exercise of universal jurisdiction.

This is because of the uncertain nature of the immunity. For

example, if the criminal act is committed as part of an internal

conflict by the regime in power, the state granting the im-

munity will be the state of the defendant’s nationality as well

as the territorial state. Or, the immunity may have been

granted by the regime to itself just before it relinquishes

power, or it may be extorted with threats of violence from a

succeeding regime. Thus, if it is the law of the forum state

which applies to the question of whether such immunity is

70 G. Bottini, ‘Universal Jurisdiction after the Creation of TheInternational Criminal Court’ (2004) 36 International Law and Poli-tics, 557-560.71 M.C. Bassiouni, International Criminal Law: Multilateral andBilateral Enforcement Mechanisms (3rdedn, Martinus Nijhoff Pub-lishers, Netherlands, 2008) 207-209.

valid, the choice should be between the law of the forum and

international law.72

There is general consensus that substantive norms,

whether established by treaty or custom, are well-established

norms of customary international law, and are, in addition,

non-derogable and peremptory or jus cogens norms. This

consensus was confirmed at the Rome Diplomatic Conference

to establish the International Criminal Court, where most

states approved the codifying of these norms and then uni-

versally applying them in instances where the UN Security

Council referred a particular case to the ICC. Therefore, a state

investigating a non-citizen involved in these types of crimes

in an exercise of universal jurisdiction is applying interna-

tional law, albeit through the medium of its national law. It is

in doubt, however, if the state is also required in the absence

of specific treaty obligations, to apply international rules

related to the substantive norm, as there is very little evidence

that a state is required to do so.73

Finally, it can be said that the conundrum posited by the

application of international law by national legal systems has

existed for a long time. Although this problem has risen fairly

recently in the international arena, all legal systems deter-

mining cases in multiple and overlapping courts have

encountered this problem. To see theway forward, a brief look

at the United States Supreme Court’s complex doctrine gov-

erning the application of state law by federal courts may be

instructive.

In the case of Erie Railroad v. Tompkins74 the court was faced

with the question of which law governed the case, i.e. the

Federal law or the state law.

Through a series of complex judgements, the Supreme

Court stated that many factors governed the question of

whether state or federal law applied. Important factors would

be whether the application of state or federal law would be

“outcome determinative”, or whether the application of either

law was affected by the rights and obligations created under

the applicable state law. Basically, if the state law question

was “substantive”, then state law applied; if it was simply

“procedural”, then federal law applied.

Furthermore, it is noted that the United States Constitution

has achieved a balance between federal and state courts.

Thus, it is submitted that itmay be instructive to consider case

law in the multiple and conflicting applications of the law by

courts with concurrent jurisdiction elaborated in well-

developed legal systems such as the United States, as a

guide to establishing a doctrine that might ultimately be

beneficial to international law and in supporting thematuring

of international legal systems.

3. Conflict of jurisdictions

In actual fact, conflict of jurisdictions in cyberspacemay easily

occur. It may occur particularly because the effect of cyber

72 L.N. Sadat, ‘Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 247-248.73 L.N. Sadat, ‘Redefining Universal Jurisdiction’ (2001) 35 NewEngland Law Review, 247-248.74 [1938] U.S. 64, p 304.

Page 12: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1700

terrorism often takes place in a country or countries other

than the country in which the attack originated.75 A new idea

arises here, that since the state has the state responsibility, in

order to determine which state has the proper jurisdiction to

be take action in the ambit of conflict of jurisdiction, territorial

jurisdiction is the most feasible jurisdiction to be prescribed.

Due to the cross-border nature of cybercrime, jurisdiction

conflicts may easily occur, because, the effect and start of

such crime frequently happens in more than one country.

Furthermore, as a specific and holistic jurisdiction and

method has not been determined for cyber terrorism in cy-

berspace, the conflict of jurisdictions is not a surprising issue.

In fact, universal jurisdiction is offered by international and

multi-lateral treaties. The relevant international treaties

encourage their member states to expand jurisdiction over

international offences. Then such jurisdiction is established

with respect to incorporation of municipal law regarding the

international offence. As is articulated in Article 5 of the 1984

United Nations Torture Convention, if the alleged offender is

located in a state that does not wish to initiate criminal pro-

ceedings, it is obliged to extradite the offender to the country

which has the closest connection to the offence. Such extra-

dition is based on a bilateral extradition treaty. The extradi-

tion process in universal jurisdiction must be based on the

legitimacy of the requesting country. In other words, con-

flicting extradition requests can be decided on the basis of

relevant connecting factors. Furthermore, they must not

conflict with other agreed rules of international law.76

The issue of jurisdiction conflicts is divided into two cate-

gories: negative conflicts and positive conflicts. The former

occurs in a situation in which no country claims jurisdiction

over a cybercrime. If an attack targets a nation via hacking

tools and denial of service, the attacked country is qualified to

assert jurisdiction on the basis of the location of the computer,

the effect of the crime, and the nationality of the perpetrator.

Or, if the cyber-attack occurs via a virus or a targeted content-

related offence occurs in one place but simultaneously,

numerous other places are involved in launching the attack.

Negative jurisdiction occurs if the perpetrator launches a

cyber-attack from one country which is a safe haven and he is

also a national of that country.

A good example of an international treaty here is the

Convention of Cybercrime which states in Article 5 that when

the target’s victims of an offence are located in several states,

several parties assert jurisdiction over the crime. The

Convention states that they must consult with each other to

determine the appropriate location for prosecution.77 Some of

the aspects of territorial jurisdiction seem appropriate to

settle the conflict that arises among jurisdictions.

Another conflict which must not be forgotten is the posi-

tive conflict that happens mostly in cyberspace cases, partic-

ularly cyber terrorism incidents, since the cross-border nature

75 S. W. Brenner et al, ‘Approaches To Cyber Crime’ (2004) IVJournal of High Technology Law, 40.76 IliasBantekas and Susan Nash, International Criminal Law(2ndedn, Cavendish Publishing, 2003, United States) 162-164.77 Armando A. Cottim, ‘Cybercrime, Cyberterrorism and Juris-diction: An Analysis of Article 22 of the COE Convention onCybercrime’.

of these lead to it involving a large number of nations. For

instance, the “Love Bug” virus or the “Blast Worm” qualified

many countries to claim jurisdiction on the basis that the ef-

fects were taking place on their territories. For e.g., when a

Polish citizen uses a computer in the Netherlands to hack a

Malaysian computer and the data is transferred via Singapore

and the United States, all these states will be able to claim

jurisdiction. Thus, in this situationmore than one country can

claim jurisdiction over a perpetrator based on the same gen-

eral course of conduct.78 However, some circumstances may

mitigate the ability of claiming jurisdiction, such as lesser

damage compared to that occurring in other involved coun-

tries, and the fact of data merely passing through the territory

of a country without causing damage.

Although there are some factors in prioritising a jurisdic-

tional claim to resolve and prevent jurisdictional conflict, such

as place of commission of the crime, custody of the perpe-

trator, the amount of harm, and the nationality (victim’s na-

tionality, perpetrator’s nationality), conflict still exists in the

cyber terrorism and cybercrime situation, since every indi-

vidual factor has its intrinsic problem.79

Sincemost cybercrime is conceptually analogous to similar

traditional offences in the real world, it seems that cybercrime

can be dealt with by amending the traditional penal law; there

is no need to adopt penal laws which specifically target

various kinds of cybercrime. However, given the physical

distinction between the conduct that constitutes a cybercrime

and the distinct methods necessary to constitute a break in

into a computer system, it seemsmore logical to enact specific

laws targeting cyber terrorism.

Therefore, due to the inadequacy of the traditional juris-

diction principles, three theories have been developed and

applied to cover jurisdiction disputes over the internet and

these include: the country where uploading occurs, the

country where downloading occurs and the country in which

its citizens are targeted through the website.

A reasonable way to address conflict between jurisdictions

is to create uniform rules which can be utilised at the inter-

national level to coordinate among states in the fight against

cyber terrorism. That is, by directing or urging states to either

coordinate their efforts or adopt modes of mutual recognition

in cases when more than one state has an interest, instead of

asking them to decide on their own to exercise jurisdiction.80

This seems the best way to avoid jurisdictional conflict. The

Convention on Cybercrime is the most important instrument

in the fight against cybercrime. Although it contains specific

rules about jurisdiction, it is based on the principle of terri-

toriality. Article 22 of the Convention states: “Each Party shall

adopt such legislative and other measures as may be neces-

sary to establish jurisdiction over any offence . when the

offence is committed in its territory.” As has been seen, this

principle is based on the traditional principle. According to

Convention principles, the place in which the criminal has

78 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 197.79 S. W. Brenner, ‘Cybercrime Jurisdiction’ (2006) 46 Crime LawSocial Change, 197- 204.80 The IBA, Report of Task Force on Extraterritorial Jurisdiction(United States: 2009), 11.

Page 13: A rational jurisdiction for cyber terrorism

c om p u t e r l aw & s e c u r i t y r e v i ew 2 9 ( 2 0 1 3 ) 6 8 9e7 0 1 701

committed a crime is important and this is similar to the

traditional principle.81

4. Conclusion

Currently, we are at the stage where each legal system re-

sponds to the conflict of jurisdictions in cyberspace with a

different method, which is shown by comparative studies

conducted by various scholars. Some scholars respond to this

problem by borrowing personal jurisdiction and extending it

to cyberspace as well, while others believe that such tradi-

tional rules of private international law are inadequate to

address cyberspace, which does not contain any geographic

indications. A global cyber deterrence cannot be obtained

without international cooperation among countries.82 Na-

tional legislation alone is not sufficient to deter and counter

cyber terrorism action.83 There should be international coor-

dination against cyber terrorism in order for it to be success-

ful. Therefore, it seems that the best feasible solution is

providing a treaty (or convention) to regulate particular

transactions to uniform international standards. This agree-

ment can impose compulsory jurisdiction on state parties

over cyber terrorism offences. This treaty can also offer a

special law of a nation to be exercised on certain transactions.

In a situation where no consensus will be reached, an inter-

national regulatory body can provide model law, and then the

state may use it as a guide to enact its own municipal

legislation.84

To address cybercrimes at the international level, the

Convention on Cybercrimewas adopted in 2001 by the Council

of Europe, a consultative assembly of 43 countries, based in

Strasbourg. The Convention, which came into effect in July

2004, is the only international treaty dealing with breaches of

law over the Internet and other information networks and

lists nine offences which member countries have agreed to

adopt into their national legislation. Themain objective of the

Convention as set out in its preamble is to pursue a common

policy to protect society against cybercrime via international

cooperation and national legislation.85 Although it does not

specifically mention cyber terrorism, it includes provisions on

cybercrime that relate to terrorist-related acts.

Although establishing a multilateral treaty having new,

harmonised, and unique jurisdiction has its limitations, the

Convention seems the most appropriate one. There are

difficulties involved in formulating new international

81 N. Foggetti, ‘Transnational Cyber Crime Differences BetweenNational Laws and Development of European Legislation’ (2008)(2) Masaryk University Journal of Law and Technology, 35.82 M. Dogrul and A. Aslan and E. Celik, Developing an InternationalCooperation on Cyber Defense and Deterrence against Cyber Terrorism,3rd International Conference on Cyber Conflict (Tallinn, Estonia,7-8 June 2011) http://ieeexplore.ieee.org/xpls/abs_all.jsp?amumber¼5954698&tag¼1 (accessed 9 April 2012).83 Dogrul (n 6).84 A. M. Sachdeva, ‘International Jurisdiction in Cyberspace: AComparative Perspective’ (2007).85 K. Geers ‘The Challenge of Cyber Attack Deterrence’, [2010] 26Computer Law and Security Review 300 http://sciencedirect.com.(accessed 16 May 2012).

treaties and persuading countries to subscribe to them, not

least being securing the requisite number of countries for

the laws to be effective. In this regard, the Convention on

Cybercrime is no exception. Furthermore, securing the

requisite number of signatures, ratification and imple-

mentation of this convention needs support and any addi-

tional courses of action undertaken in this context should

be carried out in such a way as to avoid hindering or

detracting from this process. The member parties to the

convention must improve their security by harmonising

legislation, coordinating and cooperating in law enforce-

ment, and in conducting direct and indirect anti-cyber

terrorism actions. Furthermore, due to the globally virtual

nature of cyberspace, the proposed response to this matter

is best addressed on a multilateral basis. For the time being,

however, although such an international treaty does pro-

vide some means of countering cyber terrorism, it has not

been able to address and prevent state-sponsored cyber

terrorism from China and South Korea. Once a state has

carried out a cyber-terrorist action, the victim’s response is

governed by international laws of conflict. However, a

multilateral treaty such as a cyber-crime convention still

cannot completely provide security from a state-sponsored

attack.

The best means for the prosecution of cyber terrorism

under universal jurisdiction is to create amultilateral criminal

law convention that will oblige member states to prosecute

and extradite offenders through the ‘autdedereautjudicare’

principle established through the treaty and applicable to

state parties to the convention. As a matter of fact, the

attacker must be identified prior to the application of any of

the varying kinds of jurisdiction - ranging from territorial

jurisdiction to universal jurisdiction e so as to provide effec-

tive deterrence.

Unlike cyber criminals that can operate across jurisdic-

tional boundaries, law enforcement officials’ jurisdictional

boundaries are limited. Law enforcement, investigation and

prosecution in the United States and other countries are

confined to territorial boundaries. Any attempt, for instance,

to prosecute a criminal fleeing the United States or targeting

US interest from outside her borders, will have to rely on the

laws of the other country or on any extradition treaty existing

between the two countries. If no extradition treaty or other

legal arrangements exist then investigation and prosecution

efforts will be handicapped.

Even if an extradition treaty exists, it can be complicated

for a number of reasons. For instance, an illegal action in one

country may be legal in another country, and may lead to

reluctance to work with another or to turn over a suspect for

prosecution. Another obstacle to investigations is the

disparity that exists between the cybercrime laws of different

nations.

Pardis Moslemzadeh Tehrani ([email protected].

edu.my) is Faculty of Law at the National University of Malaysia

(UKM), Bangi, Malaysia.

Nazura Abdul Manap ([email protected]) is Faculty of Law at the

National University of Malaysia (UKM), Bangi, Malaysia.