International review of criminal policy - Nos. 43 and 44/The jurisdiction issue

B. The jurisdiction issue

1. The territoriality principle

245. There are a number of problems related to the issue of jurisdiction. In every computer crime, the determination of the locus delicti (the location of the offence) will affect the ability of a particular country to sanction the crime. Will the sanction arise by virtue of territorial jurisdiction and domestic law, or must extraterritorial principles apply?

246. Today, it is technologically possible for an operator to punch a keyboard in country A so as to modify data stored in country B, even the operator does not know that the data are stored there, to have the modified data transferred over a telecommunications network through several other countries, and to cause an outcome in country C. On the basis of the physical act, the technical modification, the transmission of the falsified data and the consequences, three or perhaps more countries will have been involved and may have a claim to jurisdictional competency.

247. Depending on which elements or stages of the crime are given priority, several countries in the above scenario could, within their full sovereignty, declare the incident as having occurred on their territory, thus invoking the principle of territorial jurisdiction in order to prosecute and sanction. This raises a potential jurisdictional conflict, as well as the question of the appropriate arbitration of these equal claim for jurisdiction, the applicability of the non bis in idem rule,and the impact of the lex mitior rule.

248. The recurring threat of computer viruses worms in another striking example of transnationality. If a virus infects the system in one location, the infection can spread with destructive rapidity and affect programs throughout the international network. What criteria should apply in determining which country may act? Once again, several choices are available: the country in which the virus was introduced, all countries in which software or databases were affected and all countries in which results were felt. It is possible that it may not manifest itself far away from the country of origin. It is also possible that it may not manifest itself until considerable time has passed, when retracing the technological path of the of the original offender has become difficult, as, for example, in cases of the so-called time-bomb virus. What, then, determines the competency to prosecute and sanction? Can it be the best evidence rule or the first-come, first-served principle, or do the traditional solutions discussed below still stand firm?

249. The primacy of the principle of territoriality is generally accepted in sphere of criminal jurisdiction. The principle is based on mutual respect of sovereign equality between States and is linked with the principle of non-intervention in the affairs and exclusive domain of other States. Even in the exceptional event that a country might apply extraterritorial jurisdiction for a sake of protecting its own vital interests, the primacy of the extraterritorial principle is not altered.

250. The ubiquity doctrine is often referred to in determining the place of commission. The offence will be considered to have been committed in its entirety within a country's jurisdiction if one of the constitutive elements of the offence, or the ultimate result, occurred within that country's borders. Jurisdiction is equally applicable to co-perpetrators and accomplices.

251. Common law countries also use the effects doctrine in addition to focusing on the physical act. This doctrine locates crimes in the territory in which the crime is intended to produce, or actually does produce, its effects. Thus, where various elements or effects of a crime may occur in more than one country, the two doctrines of territorial jurisdiction may lead to concurrent, legitimate jurisdictional claims.

252. These positive conflicts of jurisdiction, while at first glance not very problematic in determining the appropriate judicial response, do contain some inherent risks. The most fundamental problem is the general refusal, particularly in civil law systems, to apply the double jeopardy rule. Thus, the accused is submitted to a multitude of prosecutions for the same act.

253. Equally important is the manner of classification of the multiple acts potentially involved in a pattern of computer crimes. In particular, in cases of repeated data manipulation, data espionage or unauthorized access, it is unclear whether the acts should be considered as separate crimes or as a single act by application of the principle of international connexity, by which a single prosecution for the whole transaction would be justified.

254. States should, therefore, endeavour to negotiate agreements on the positive conflicts issue. These agreements should address the following issues:

1. An explicit priority of jurisdictional criteria: for example, of location of act over location of effect, of the place of physical detainment of the suspect over in absentia proceedings or extradition;
2. A mechanism for consultation between the States concerned in order to agree upon either the priority of jurisdiction over the offence or the division of the offence into separate acts;
3. Cooperation in the investigation, prosecution and punishment of international computer offences, including the admissibility of evidence lawfully gathered in the other countries, and the recognition of punishment effectively served in other jurisdictions. This would prevent unreasonable hardship to the accused, otherwise possible by an inflexible interpretation of the territoriality principle.

2. Other base of jurisdiction

255. The issue of international computer crime also requires an analysis of the principles of extraterritorial jurisdiction. State practice discerns the following theoretical grounds:

1. The active nationality principle, which is based on the nationality of the accused. The principle, when applied in conjunction with the territoriality principle, may result in parallel concurrent jurisdictions, creating a situation of double jeopardy. The use of the active nationality principle is therefore generally confined to serious offences;
2. The passive personality principle, which is based on the nationality of the victims. This principle has been highly criticized, since it could subject a national of State A, although acting lawfully in State A, to punishment in State B for acts done in State A to a national of State B, if the acts were unlawful in State B and State B were to apply the principle. On practice, therefore, this principle is seldom used;
3. The protective principle, which is based on the protection of the vital interests of a State. By this principle, a State may exercise jurisdiction over foreigners who commit acts that are considered to be a threat to national security. Given the potential for abuse of this principle if security is interpreted too broadly, the protective principle is not highly favoured; in practice, therefore, it is often linked to other doctrines, such as the personality principle or the effects doctrine;
4. The universality principle, based on the protection of universal values. It is usually effected on the basis of express treaty provisions but is otherwise rarely used. It is generally held that this principle should apply only in cases where the crime is serious, where the State that would have jurisdiction over the offence, based on the usual jurisdictional principles, is unable or unwilling to prosecute.

256. Other than the basic policy considerations as to whether a State should apply one or more of these bases of jurisdiction, it is unlikely that application of these principles of extraterritorial jurisdiction to information technology offences will create specific problems. Nevertheless, the characteristics of transnational computer crime do have the potential to involve an increasing number of States, thereby creating a jurisdiction network in which the ordering of the subsequent priorities is required.

257. There are no rules of international law, other than the principles of comity and non-intervention, that impose express limitations on the freedom of sovereign States in establishing extraterritorial criminal jurisdiction. Where there is strong international solidarity by way of customary or conventional international law, jurisdiction over important offences may be decided by the principle of universality, in addition to the applicability of other grounds of jurisdiction. No such conventions exist yet in relation to computer crime. Eventually, however, as has been the case in other major international crimes, international conventions will regulate this area.

258. A spirit of moderation might be expected from States in exercising these jurisdictional principles, in order to encourage international cooperation and to avoid significant conflicts of jurisdiction with other States. In that spirit, the passive personality principle, although sometimes used to protect the economic interests of nationals (natural or legal persons), is highly disputed, while universality is best limited to express treaty provisions. The protective principle may be relevant for certain types of computer offences, because it grants jurisdiction to a State over offences committed outside its territory, in the defence of fundamental (vital) interests.

259. There exists very little consensus on what constitutes vital interests. No doubt a sovereign State might consider attacks on data or telecommunication infrastructures, when related to basic government activities (police data, military data, State security systems etc.), to fall within its purview. However, a tendency may arise to consider certain economic interests, naturally involving a significant amount of transborder data flow, as a vital concern of the State. Nevertheless, caution is needed in regard to such extensions, since they can affect adversely the legitimate flow of information and data, as well as other economic and social interests. Therefore, the State concerned should be expected to take due account of the principles of cooperation, comity and reasonableness, which should govern State action in exercising extraterritorial jurisdiction.

260. Even if very few specific computer-related concerns seem apparent, the general issues in extraterritorial jurisdiction remain valid: the need for harmonized legislation (see paragraphs 268-273), the settlement of concurrent jurisdictional claims, the international validity of the non bis idem principle and the development of agreements on mutual cooperation and the transfer of criminal proceedings (see paragraphs 279-280).