Updated cybercrime pact aims to speed cross-border investigations
Summary
Proposed changes to the Budapest Convention are an attempt to inject some alacrity into sluggish cross-jurisdictional inquiries that give hackers time to disappear along with evidenceComing changes to an international cybercrime agreement aim to give law-enforcement authorities in the U.S., Europe and other countries swifter and easier access to data outside their jurisdictions.
The main changes to the Budapest Convention, in effect since 2004, focus on updating investigative tools that are too slow to be effective in cybercrime cases, where hackers move quickly and data can disappear. Under the revised agreement, new legal channels would make it easier for prosecutors and police to obtain digital evidence quickly by directly contacting technology companies outside their jurisdiction, according to cybercrime experts.
The new protocols will be presented next month at an online conference organized by the Council of Europe, a Strasbourg, France-based international organization that oversees the Budapest Convention. Governments will be able to sign on to the protocols next year.
The original convention, signed by 65 countries including the U.S., Japan, Ukraine and European Union members, set out common definitions for hacking and other types of cybercrime. That uniformity has already helped prosecutors and police cooperate across borders, said Peter Swire, a professor in the school of cybersecurity and privacy at the Georgia Institute of Technology.
“Without the Budapest Convention, many times international cooperation would be illegal because the same action would be a crime in the different countries," Mr. Swire said.
The accord also has prompted officials to request more data from their foreign counterparts during cybercrime investigations, he said.
At present, U.S. law enforcement can demand data from domestic companies under the Cloud Act. Under the revised Budapest Convention, however, U.S. authorities would be able to make similar requests in other countries that sign up to the protocol. Each government can decide if it will require companies in its jurisdiction to comply with the orders.
“It will significantly expand the geographic scope of law enforcement outreach," said Marco Stefan, a research fellow at the Centre for European Policy Studies, a Brussels-based think tank.
Ideally all countries will sign on, said Alexander Seger, head of cybercrime at the Council of Europe. But governments must first prove they will meet privacy requirements and other standards for handling evidence, he said. “It’s not our intention for anybody to join," he said, adding that Brazil asked to join about a year and a half ago, but its standards are still under review.
Russia, which other nations have blamed for several recent ransomware attacks, hasn’t indicated that it would join the Budapest agreement. Instead, it has proposed a separate United Nations agreement on cybercrime that some experts say would compete with the Budapest Convention. Talks on the U.N. agreement will start next year. Russia has denied involvement in hacking.
The updated Budapest Convention won’t address some major obstacles, like making it easier to trace the cryptocurrency used to pay ransomware gangs, say prosecutors and legal experts. Earlier this month, however, officials from 31 countries and the European Union agreed at a White House summit on ransomware to align their oversight of cryptocurrencies.
As cyberattacks proliferate, bottlenecks hinder law enforcement, said Chris Painter, a former cybercrime prosecutor and top cybersecurity official at the State Department in the Obama administration. Many requests from foreign law enforcement, known as mutual legal assistance treaties, are overly broad and don’t specify what information is needed, he said, which adds time to the process as officials clarify details.
“A lot of requests are pretty incomplete, like, ‘Tell us everything you know about an IP address’," he said.
In some cases, prosecutors don’t bother to submit requests across jurisdictions if they think authorities there won’t respond quickly, said Catherine Van de Heyning, an assistant professor at the University of Antwerp’s law school and public prosecutor specialized in cybercrime. “It’s not worth our time," she said.
Some of the most significant changes to the convention would make it possible for law enforcement to send data requests directly to tech companies. Countries will decide if companies in their jurisdiction will be required to comply with data requests.
Investigators will also be able to directly request information from domain name registrars about individuals who create websites. Names and contact details for website registrations had been publicly available before the European Union’s 2018 General Data Protection Regulation took effect; officials have complained that the wide-ranging law has since made it more difficult to investigate cybercrime.
Cooperation between companies and foreign law-enforcement investigators is uneven and differs among tech firms and the countries where they are domiciled, said Markko Künnapu, an adviser to the Estonian ministry of justice who helped negotiate the new protocol.
Currently, prosecutors and police must send mutual legal assistance treaties to their counterparts abroad to get data from companies in their jurisdiction. Often, internet service providers, web hosts and email or other service providers delete the data before authorities can process a request, or hackers take steps to wipe out evidence that might identify them.
“If it takes months and sometimes you don’t even get a response, the question remains about how you continue to provide necessary protections to citizens and businesses," Mr. Künnapu said.
