International review of criminal policy - Nos. 43 and 44/The international harmonization of criminal law

C. The international harmonization of criminal law

116. In order to effectively address computer crime, concerted international cooperation is required. Such can only occur, however, if there is a common framework for understanding what the problem is and what solutions are being considered. To date, international harmonization of the legal categories and definition of computer crime has been proposed by the United Nations, by OECD and by the Council of Europe.

2. First initiatives of OECD

117. The first comprehensive international effort dealing with the criminal law problems of computer crime was initiated by OECD. From 1983 to 1985, an ad hoc committee of OECD discussed the possibilities of an international harmonization of criminal laws in order to fight computer-related economic crime. In September 1985, the committee recommended that member countries consider the extent to which knowingly committed acts in the field of computer-related abuse should be criminalized and covered by national penal legislation.

118. In 1986, based on a comparative analysis of substantive law, OECD suggested that the following list of acts could constitute a common denominator for the different approaches being taken by member countries:

1. "The input, alteration, erasure and/or suppression of computer data and/or computer programs made willfully with the intent to commit an illegal transfer of funds or of another thing of value;

2. The input, alteration, erasure and/or suppression of computer data and/or computer programs made willfully with the intent to commit a forgery;

3. The input, alteration, erasure and/or suppression of computer data and/or computer programs, or other interference with computer systems, made willfully with the intent to hinder the functioning of a computer and/or telecommunication system;

4. The infringement of the exclusive right of the owner of a protected computer program with the intent to exploit commercially the program and put in on the market;

5. The access to or the interception of a computer and/or telecommunication system made knowingly and without the authorization of the person responsible for the system, either

(i) by infringement of security measures or

(ii) for other dishonest or harmful intentions." 9

2. The guidelines of the Council of Europe

119. From 1985 to 1989, the Select Committee of Experts on Computer-Related Crime of the Council of Europe discussed the legal problems of computer crime. The Select Committee and the European Committee on Crime Problems prepared Recommendation No. R(89)9, which was adopted by the Council on 13 September 1989. 10

120. This document "recommends the Governments of Member States to take into account, when reviewing their legislation or initiating new legislation, the report on computer-related crime... and in particular the guidelines for the national legislatures". The guidelines for national legislatures include a minimum list, which reflects the general consensus of the Committee regarding certain computer-related abuses that should be dealt with by criminal law, as well as an optional list, which describes acts that have already been penalized in some States, but on which an international consensus for criminalization could not be reached.

121. The minimum list of offences for which uniform criminal policy on legislation concerning computer-related crime had been achieved enumerates the following offences:

1. Computer fraud. The input, alteration, erasure or suppression of computer data or computer programs, or other interference with the course of data processing that influences the result of data processing, thereby causing economic or possessory loss of property of another person with the intent of procuring an unlawful economic gain for himself or for another person;

2. Computer forgery. The input, alteration erasure or suppression of computer data or computer programs, or other interference with the course of data processing in a manner or under such conditions, as prescribed by national law, that it would constitute the offence of forgery if it had been committed with respect to a traditional object of such an offence;

3. Damage to computer data or computer programs. The erasure, damaging, deterioration or suppression of computer data or computer programs without right;

4. Computer sabotage. The input, alteration erasure or suppression of computer data or computer programs, or other interference with computer systems, with the intent to hinder the functioning of a computer or a telecommunications system;

5. Unauthorized access. The access without right to a computer system or network by infringing security measures;

6. Unauthorized interception. The interception, made without right and by technical means, of communications to, from and within a computer system or network;

7. Unauthorized reproduction of a protected computer program. The reproduction, distribution or communication to the public without right of a computer program which is protected by law;

8. Unauthorized reproduction of a topography. The reproduction without right of a topography protected by law, of a semiconductor product, or the commercial exploitation or the importation for that purpose, done without right, of a topography or of a semiconductor product manufactured by using the topography."

122. The optional list contains the following conduct:

1. Alteration of computer data or computer programs. The alteration of computer data or computer programs without right;

2. Computer espionage. The acquisition by improper means or the disclosure, transfer or use of a trade or commercial secret without right or any other legal justification, with intent either to cause economic loss to the person entitled to the secret or to obtain an unlawful economic advantage for oneself or a third person;

3. Unauthorized use of a computer. The use of a computer system or network without right, that either

(i) is made with the acceptance of significant risk of loss being caused to the person entitled to use the system or harm to the system or its functioning, or

(ii) is made with the intent to cause loss to the person entitled to use the system or harm to the system or its functioning, or

(iii) causes loss to the person entitled to use the system or harm to the system or its functioning;

4. Unauthorized use of a protected computer program. The use without right of a computer program which is protected by law and which has been reproduced without right, with the intent, either to procure and unlawful economic gain for himself or for another person or to cause harm to the holder of the right."

3. Resolution of the General Assembly

123. In 1990, the legal aspects of computer crime were also discussed by the United Nations, particularly at the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, at Havana, as well as at the accompanying symposium on computer crime organized by the Foundation for Responsible Computing. The Eighth United Nations Congress adopted a resolution on computer-related crime, a portion of which was quoted in paragraph 18. 124. In its resolution 45/121, the General Assembly welcomed the instruments and resolutions adopted by the Eighth Congress and invited Governments to be guided by them in the formulation of appropriate legislation and policy directives in accordance with the economic, social, legal, cultural and political circumstances of each country.

4. The proposed resolution of the Association Internationale de Droit Pénal

125. The draft resolution of the AIDP Colloquium, held at Würzburg, 5-8 October 1992, contains a number of recommendations, including the following:

3. To the extent that traditional criminal law is not sufficient, modification of existing, or the creation of new offences should be supported of other measures are not sufficient (principle of subsidiarity).

4. In the enactment of amendments and new provisions, emphasis should be put on precision and clarity. In areas where criminal law is only an annex to other areas of law (as in the area of copyright law), this requirement should also be applied to the substantive material or that other law.

5. In order to avoid overcriminalization, regard should be given to the scope to which criminal law extends in related areas. Extensions that range beyond these limits require careful examination and justification. In this respect, one important criterion in defining or restricting criminal liability is that offences in this area be limited primarily to intentional acts.

6.

7. Having regard to the advances in information technology, the increase in related crime since the adoption of the 1989 recommendation of the Council of Europe, the significant value of intangibles in the information age, the desirability to promote further research and technological development and the high potential for harm, it is recommended that States should also consider, in accord with their legal traditions and culture and with reference to the applicability of their existing laws, punishing as crimes the conduct described in the ´optional list´, especially the alteration of computer data and computer espionage.

8. Furthermore, it is suggested that some of the definitions in the Council of Europe lists - such as the offence of unauthorized access - may need further clarification and refinement in the light of advances in information technology and changing perceptions of criminality. For the same reasons, other types of abuses that are not included expressly in the lists, such as trafficking in wrongfully obtained computer passwords and other information about means of obtaining unauthorized access to computer systems, and the distribution or viruses or similar programs, should also be considered as candidates for criminalization, in accord with national legal traditions and culture and with reference to the applicability of existing laws. In light of the high potential damage that can be caused by viruses, worms and other such programs that are meant, or are likely, to propagate into and damage, or otherwise interfere with, data, programs or the functioning of computer systems, it is recommended that more scientific discussion and research be devoted to this area. Special attention should be given to the use of criminal norms that penalize recklessness or the creation of dangerous risks, and to practical problems of enforcement. Consideration might also be given as to whether the resulting crime should be regarded as a form of sabotage offence.

9. In regard to the preceding recommendations, it is recognized that different legal cultures and traditions may resolve some of these issues in different ways while, nevertheless, still penalizing the essence of the particular abuse. States should be conscious of alternative approaches in other legal systems."

126. The draft resolution acknowledges the work of OECD and the Council of Europe and welcomes the guidelines adopted by the latter, which create a minimum list of criminal acts as well as an optional list of acts that should be penalized by national law. The draft resolution is expected to be adopted, with or without revisions, at a conference of AIDP to be held at Rio de Janeiro in 1994.