Enforcement Across Borders
Excerpts from Michael A. Sussman, The Critical Challenges from International High-
Tech and Computer-Related Crime at the Millenium, 9 Duke J. Comp. & Int’l L. 451
(1999) [Citations omitted]
Imagine this scene out of tomorrow’s headlines: A hacker, going on-line
through the Internet, breaks into computers that the Federal Aviation
Administration (FAA) uses for air traffic control. He disrupts a regional
air traffic network, and the disruption causes the crash of a DC-10 in the
Rocky Mountains, killing all aboard. The FAA and the FBI know there
has been a hacker intrusion, originating through the Internet, but nothing
else. Since anyone can access the Internet from anywhere in the world, the
FBI has no idea where the hacker may be located. Moreover, they do not
know the motive of the attack or the identity of the attackers. Is it a
terrorist group, targeting the United States and likely to strike again at any
time, or is it a fourteen-year-old hacker whose prank has spun tragically
out of control?
Let us follow this scenario a bit further. Within thirty minutes of the plane
crash, the FBI tracks the source of the attack to an Internet Service
Provider (ISP) in Germany. Assuming the worst, another attack could
occur at any time, and hundreds of planes in flight over the United States
are at risk. The next investigative step is to determine whether the ISP in
Germany is a mere conduit, or whether the attack actually originated with
a subscriber to that service. In either case, the FBI needs the assistance of
the German ISP to help identify the source of the attack, but it is now 3:00
a.m. in Germany.
Does the FBI dare wait until morning in Europe to seek formal legal
assistance from Germany or permission from the German government to
continue its investigation within their borders?
Does the Department of Justice authorize the FBI’s computer experts to
conduct a search, without German consent, on the German ISP from their
terminals in Washington?
Does the FBI agent need a U.S. court order to access private information
overseas? What would be the reach of such an order?
If the FBI agent plows forward and accesses information from computers
in Germany, will the German government be sympathetic to the U.S.
plight, will the violation of German sovereignty be condemned, or both?
What are the diplomatic and foreign policy implications of the United
States remotely (and without advance notice) conducting a search that may
intrude into German sovereignty?
The legal and policy implications of possible “transborder searches,” such
as the one contemplated in this scenario, are quickly becoming a concern
for law enforcement agencies around the globe as they grapple with new
challenges posed by networked communications and new technologies.
Traditional investigative procedures – and particularly the often
cumbersome procedures that govern investigations at the international
level – may not be adequate to meet the need in computer crime cases for
immediate law enforcement action reaching beyond national borders. The
globalization of criminal activity has created vexing problems that, in
some cases, defy simple solutions….
…At a meeting of senior law enforcement officials from the G-8 countries
in January 1997, Attorney General Reno stated:
“Until recently, computer crime has not received the emphasis that other
international crimes have engendered. Even now, not all affected nations
recognize the threat it poses to public safety or the need for international
cooperation to effectively respond to the problem. Consequently, many
countries have weak laws, or no laws, against computer hacking – a major
obstacle to solving and to prosecuting computer crimes.”
The solution to this problem is simple to state: “[countries] need to reach a
consensus as to which computer and technology-related activities should
be criminalized, and then commit to taking appropriate domestic actions.”
But it is not as easy to implement. An international “consensus”
concerning the activities that universally should be criminalized may take
time to develop. Meanwhile, individual countries that lack this kind of
legislation will each have to pass new laws, an often cumbersome and
time-consuming process. In the United States, for example, action by both
the Congress and the President is required for new legislation.
In response to these needs the west came up with the Budapest convention in
2001 and the Russians came up with the parallel Yekaterinburg convention a
decade later. One of the fundamental differences between the two is the issue of
sovereignty on the Internet. Budapest Convention:
Please review the two conventions and discuss whether they would solve the
international cyber crime prosecution quagmire and which of the two is better
suited for handling these incidents today?
What would happen if half the world adopted one and the other half adopted the
What other mechanisms should we have to improve enforcement of international
Do you think that countries will use hacking as a tool for military warfare? Would
these conventions help diffusing international cyber warfare?