Legislative Frameworks Against Cybercrime: The Budapest Convention and Asia
- 16 Downloads
Asia is one of the fastest-growing regions in the global e-commerce market place and has also been seen as the future of cybercrime. Cybercrimes are emerging in Asia, and the developing countries of the Association of Southeast Asian Nations (ASEAN) are becoming a hub for cybercriminals. To prevent Asia from becoming a cybercrime hub and safe-haven for cybercriminals, it is important that countries be equipped with comprehensive cybercrime laws aligned with international standards. This chapter reviews the development of the Internet in Asia (both Northeast and Southeast Asia) and examines existing legal measures adopted by these countries and compares them with the Council of Europe’s Convention on Cybercrime (Budapest Convention). The chapter finds that cybercrime laws in Northeast Asian countries are all aligned favorably with the Budapest Convention. While most ASEAN countries are favorably or moderately aligned with the Budapest Convention, more work needs to be done to support countries like Myanmar, Indonesia, and Cambodia to build cybercrime laws more closely aligned with the Budapest Convention. It suggests that actions need to be taken to reduce the digital divide and raise cybersecurity awareness among ASEAN member countries. It is also suggested that the Budapest Convention should be updated to match the development of new technologies and crime such as hate speech and fake news.
KeywordsCybercrime law Asia ASEAN Legislative framework Digital divide Budapest Convention
Information and communication technologies (ICTs) are critical infrastructure for many aspects of every society. The World Wide Web, invented 30 years ago in 1989, is still seeing an exponential growth in the use of ICTs. The booming digital economy has made the Internet a new place for doing business and shopping. ICTs also provide criminals a new opportunity. Cybercrime has become a world concern. Cybercriminals are not only chasing after money but also data. As what criminologists usually say, “where there is money, there is crime,” it is becoming real that “where there is data, there is crime” as cybercriminals are “collecting” all kinds of data online for diverse purposes including monetary gain, revenge, and political purpose.
Among the Asia and Pacific countries, cybersecurity in the member countries of the Association of Southeast Asian Nations (ASEAN) is an emerging concern. According to a 2018 report published jointly by Google and Temasek Holdings, a Singapore Government-owned company, six Southeast Asian countries – Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam – had in total more than 350 million Internet users, which is 90 million more than the number in 2015 (Google-Temasek 2018). And we can expect the number of Internet users across all ASEAN countries to keep increasing dramatically, boosted by the growth in Internet users in Myanmar, Cambodia, and Laos, among others. Google-Temasek (2018) also predicted that the Internet economy in the six Southeast Asian countries would be about US$72 billion and reach more than US$240 billion in 2025.
Asia is also seen as the future of cybercrime. As Chang et al. (2018) argue, “the globalization of cybercrime and the increasing penetration of digital technology in Asia, many see the ‘Wild East’ join, if not eclipse the ‘Wild West’ as a source of criminality.” It has been estimated that criminal activities on the Internet cost the world as much as US$600 billion in 2017. One-third of the loss was in the Asia and Pacific region (Lewis 2018). The transnational character of cybercrime makes cybercrime investigation complicated. One of the key elements to improve international cooperation is to have harmonized laws against cybercrime. This chapter will review the development of cybercrime law in the Northeast Asia countries including China (including Hong Kong), Japan, Korea, and Taiwan and the ten ASEAN member states and compare the laws with the Council of Europe’s Convention on Cybercrime (Budapest Convention). It will also propose some key directions for the future development of the legal framework against cybercrime in the region.
The Development of the Internet in Asia
Asia is the future growth area of the Internet. According to World Internet Statistics, the global number of Internet users reached over 4.5 billion. More than half of them (55%, around 2.3 billion) are located in Asia in June 2019. The number of Internet users in Asia has increased 20 times compared with the number in 2000. And there remains space for the number to increase substantially as only 54% of the population of Asia currently are Internet users (Miniwatts Marketing Group 2019). The Asia and Pacific region has also been recognized as “the fastest-growing region in the global e-commerce marketplace, accounting for the largest share of the world’s business-to-consumer e-commerce market” (Asian Development Bank 2018).
However, not all Asian countries have a similar level of Internet participation. The digital divide reminds although there has been a dramatic increase in Internet users in developing countries such as Myanmar, Laos, and Cambodia. However, the Internet penetration rate in most East Asian countries, including China, Japan, South Korea, and Taiwan, is even higher and above the average of all Asia. According to World Internet Statistics (Miniwatts Marketing Group 2019), China is the country that has the most Internet users in Asia and the world. There are more than 854 million Internet users in China. However, with a penetration rate of around 60%, there is still room for a significant increase in Chinese Internet users. In South Korea, Japan, and Taiwan, over 90% of their total population are Internet users.
The digital divide is large even within the Southeast Asia, or the Association of Southeast Asian Nations (ASEAN). The ASEAN was formed in 1967 to promote regional security and cooperation. It was originally formed by Indonesia, Malaysia, the Philippines, Singapore, and Thailand. The number of member states increased over the years, and now it has ten member states: Brunei, Cambodia, Indonesia, Laos, Malaysia, the Philippines, Singapore, Thailand, Myanmar, and Vietnam.
According to ASEAN Key Figures 2018, the total population of the ten ASEAN member countries reached 642.1 million in 2017. Around 48% of the ASEAN population are Internet subscribers (ASEAN 2018). Ninety percent of Internet users in ASEAN countries are connecting themselves online primarily through their mobile phones. For countries like Myanmar, the mobile phone is the device that most Internet users use to connect to the digital world. That is, they have skipped the desktop period and moved directly into the mobile Internet era. And thanks to the Internet, for many poorer and rural communities, they have skipped landline telephony for mobile telephony and skipped traditional bank-based banking for mobile banking.
A second group, including the Philippines, Thailand, and Vietnam, are countries with a penetration rate between 50% and 60%. The Philippines has the fastest-growing Internet penetration rate among the ten countries. It grew from around 6% in 2008 to 60% in 2017. The development of mobile technology, including the introduction of 3G and 4G services, contributed significantly to the increase. While fixed broadband has remained expensive and limited with only 1.9 per 100 inhabitants subscribed to the fixed (wired) broadband in 2017, 68.6% of inhabitants are mobile broadband subscribers (ITU 2018).
The third group includes Cambodia, Indonesia, Myanmar, and Laos. These are countries that have a penetration rate that is lower than the average rate for the whole of ASEAN. Laos has the lowest penetration rate (25%). Both Myanmar and Cambodia have seen a sudden recent increase, from less than 1% in 2008 to above 30% in 2017. Again, mobile devices are the main element contributing to this growth. Myanmar, a country that has recently reopened to the world, was the fourth fastest-growing mobile market in the third quarter of 2015 with an estimated 36 million mobile subscribers. ITU statistics shows that the number has kept increasing and has reached around 48 million subscribers in 2017. This is 130 times the number in 2008 (367,388 mobile subscribers). The 2014 opening of the mobile telecommunications market resulted in three foreign telecommunication companies, Qatar’s Ooredoo, Norway’s Telenor, and Mytel (a consortium led by a Vietnamese mobile network operator Viettel) entering the market to compete with the previous monopoly held by Myanmar Posts and Telecommunications (MPT). The competition has caused the price of a sim card to drop from US$2000 in 2009 to K1500 (approximately US$1.5) in 2014, an affordable price for the general public (Chang 2017; Ericsson 2015; Motlagh 2014; Trautwein 2015).
This gap, between the most developed nations within ASEAN and the least, in terms of the development of cybercrime and security laws and the general security of the Internet services available within countries, has been termed the digital divide (Chang 2017; Broadhurst and Chang 2013). According to the OECD (2001, p. 5), the “digital divide” refers to “the gap between individuals, households, businesses and geographic areas at different socio-economic levels with regard both to their opportunities to access information and communication technologies (ICTs) and to their use of the internet for a wide variety of activities.” Although the 2003 Singapore Declaration emphasized the importance of reducing the digital divide within individual ASEAN member countries and among ASEAN member countries (ASEAN 2003), the gap is still huge. Among the ASEAN member countries, we see countries with an Internet penetration rate of more than 90% (Brunei); we also see countries with a penetration rate below 30% (Laos). The digital divide represents a significant challenge within ASEAN, as the development of a single cybercrime framework will be difficult, given the developmental variance between ASEAN states. According to the 2017 Global Cybersecurity Index, the first group has better performance on domestic legal measures on cybercrime and cybersecurity, while most countries in the third group are performing poorly on their domestic legal measures on cybercrime and cybersecurity (ITU 2017). While ASEAN countries support collective actions to fight against cybercrime (which will be discussed later), the existence of the digital divide has impeded the ability of the member states to collaborate and take measures to combat cybercrime and build a secure ASEAN region.
Cybercrime in Asia
The rapid growth of digital technologies in Asia not only makes it a prime target for cyber criminals but also a springboard or launchpad for cyberattacks. Cybercrime has long been a critical concern in East Asian countries, and emerging countries such as Indonesia, Malaysia, and Vietnam are becoming the global hotspots for the launch of malware attacks (Subhan 2018; Hadjy 2019). In Vietnam, the Internet economy has been called “a dragon being unleashed” as it tripled in 3 years (Google-Temasek 2018). However, Vietnam has also been identified as having the potential to be a mid-level cybercrime hub with its very good hacking traditions and other technology pursuits (Stilgherrian 2019).
Broadhurst and Chang (2013) described the types of cybercrime occurring regularly in Asia, including the popularity of malware and botnets, online scams/frauds, and serious cyberattack based on the complicated political situation in the region. We do still see the continuity and the increase of these cybercrimes happening in the region. Take the political cyberattack, for example, it has been reported that Taiwanese Government websites are under cyberattack at least 20 million times per month (Lee 2018). The technique of advanced persistent threat (APT) was employed in the hacking. That is, the hacking skills nowadays are better designed to target certain entities, countries, or regions. PLATINUM, a malicious software discovered by Microsoft in 2016, is a typical type of APT that targets mainly ASEAN countries, especially Indonesia (Microsoft 2016).
Cyberattacks are also used as a way to demonstrate one’s political stand. Regularly do we see hacktivists launching cyberattack to express their anger on certain political events. Myanmar Government websites came under serious cyberattack in response to the forced displacement of 700,000 Rohingya Muslims from Rakhine state into Bangladesh. Thailand Government websites came under attack by Myanmar hacktivists after two Burmese were charged with murdering two tourists (Chang 2017). During the 2019 Hong Kong protests against the anti-extradition bill, LIHKG, an online discussion forum used by the protestors, came under severe distributed denial of service (DDoS) attack, trying to bombard the forum with traffic to overload the server (see https://lihkg.com/thread/1525319/page/1. Last access: 1 September 2019).
Crimes on social media sites, as predicted in Broadhurst and Chang (2013), are becoming a serious concern in Asia. Online harassment, stalking, online scams/frauds, and child grooming are becoming prevalent in the social media space; the amount of hate speech and fake news disseminated in the region are increasing and are of serious concerns. Myanmar has recently suffered from the spread of hate speech and fake news on the violence against Rohingya, and Facebook was accused for allowing these rumors to spread. Facebook has had to hire more Burmese speakers to review the posts in Burmese following public pressure (McLaughlin 2018; Stecklow 2018).
Evidence has shown that social media such as Twitter and Facebook have been used in Hong Kong to disseminate news that is manipulated and one-sided. Some of the attacks were sophisticated and are suspected to be organized and state-sponsored (Chang 2019). Twitter has suspended approximately 200,000 accounts violating Twitter’s platform manipulation policies. These accounts are believed to be part of “a significant state-backed information operation focused on the situation in Hong Kong, specifically the protest movement and their calls for political change” (Twitter Safety 2019).
Taiwan has been ranked top among the 179 countries surveyed for exposure to information operations (including fake viewpoints or false information) by foreign government and their agents (Lin and Wu 2019; Mechkova et al. 2019).Internet vigilantism , netizens using social media to realize their “real justice” by facilitating crime investigations and even punishing the suspected offenders, is also becoming popular in Asia (Chang and Poon 2017; Chang et al. 2018).
The Emergence of Cybercrime Laws and Regulation in Asia
To prevent cybercrime, it is important that states are equipped with comprehensive cybercrime laws aligned with international standard. While some countries are proposing a new UN standard, the Council of Europe Convention on Cybercrime (Budapest Convention) is by far the most adopted international standard. The Budapest Convention is a non-binding agreement between signature states to criminalize cybercrime (Council of Europe 2001). The agreement, forged between the Council of Europe and many states, came into force in 2004 and has 64 signature states as in August 2019. The Budapest Convention has been signed by many Council of Europe states and many non-council members, as states do not have to be members of the Council of Europe to become party to the convention (Council of Europe 2001). Although a regional drafted convention, it has been noted by the United Nations Resolution 56/121 and ratified by 20 non-state members, which established its status as an international convention.
The Budapest Convention and Northeast Asia
Among the Northeast Asian countries, including China, South Korea, Japan, and Taiwan, Japan is the only country to have ratified the Budapest Convention. Taiwan was not able to become signatory due to its political status, while China was not willing to become a signatory and is proposing a new UN cybercrime standard (Chang 2012).
China (and Hong Kong)
China’s cybercrime laws are contained in the Criminal Law of the People’s Republic of China 1979. Articles 285 and 286 were added in 2009 to regulate offenses against the confidentiality, integrity, and availability of computer data and systems. Also, Article 287 regulates against committing financial crime using a computer. However, while Article 285 regulates illegal access to computer systems and misuse of devices, this article applies only to crime toward computer systems with information concerning state affairs, construction of defense facilities, and sophisticated science and technology. Article 286 regulates data interference and system interference. Article 12 of the Cybersecurity Law of the People’s Republic of China 2016 protects citizens through raising the security of network services. Similar aspects are seen in Article 21 which establishes a Multi-Level Protection System (MLPS) for cybersecurity. These are specifically designed with both national security and citizen protection in mind, which does align with the spirit of the convention.
In the administrative region of Hong Kong, the Telecommunications Ordinance includes cybercrime offenses. Unauthorized computer access is criminalized under s. 27A and aligns well with the convention and other unauthorized computer access legislation. S. 161 which criminalized computer access with dishonest or criminal intent was controversial for being criticized as vague (Cheng 2018). The legislation was created to prevent certain types of cybercrime, including upskirt photography and the leaking of exam result papers to parents for financial gain, although wider concerns over the legislation’s scope emerged (Cheng 2018; Lum and Lau 2019). However, this section was repealed in 2019 after wider media concern in 2018.
In South Korea, cybercrime is covered by the Criminal Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (the Information and Communication Network Act). Most of the cybercrime-related clauses were added in 1995, to accommodate the need to deal with the emergence of cybercrime. Causing damage to electromagnet records used by a public office were added in Article 141 as an offense and will be punishable by imprisonment for up to 7 years or by a fine not exceeding ten million won. Similarly, Article 366 regulated the destruction and damage of electromagnet records used by others. Articles 227-2 and 232-2 were added in the 1995 amendments to punish the falsification or alteration of public or private electromagnetic records. Prohibition of data and system interference can also be seen in Article 314 on the interference with business by damaging or destroying computer and electromagnet records or putting false information into the processor (computer). Fraud by the use of a computer was added later in 2001. These amended articles and clauses are aligned well with the Budapest Convention. The Information and Communications Network Act covers the offenses such as unauthorized access, data and system interference, and misuse of devices such as launching denial of service attack and conveying or spreading malicious program (see Articles 44, 48, and 71).
Japan is the first and the only country among the Northeast Asian countries that has signed and ratified the Budapest Convention. The Penal Code and the Act on the Prohibition of Unauthorized Computer Access which regulate cybercrime were both amended in order to be aligned with the Budapest Convention. Article 161-2 of the Penal Code was added to prohibit unauthorized creation of electronic or magnetic records with the intention to conduct improper administration. Also, Article 234-2 was added with a focus on obstruction of business by damaging a computer, the Act on the Prohibition of Unauthorized Computer Access 1999 (amended in 2012 and 2013) which criminalizes a variety of cyber actions. Some examples include unauthorized computer access (Article 3) and prohibiting the use of an individual’s access control (Articles 4–7).
Although Taiwan is not an eligible signatory of the Budapest Convention due to its special political situation, its criminal code was amended in 2003 to regulate cybercrime consistent with the Budapes Convention by the addition of Chapter 36 Offenses Against the Computer Security. There are six articles (Articles 358–362) in this chapter, covering illegal access, illegal interception, data interference, system interference, and misuse of devices. In the context of Article 358, intentional access to a computer using another’s password without right or by the act of circumventing protective measures or by discovering or exploiting the loopholes in another computer system will be punishable by up to 3 years in prison and/or a fine of up to NT$100,000. Article 359 regulates unauthorized acquisition, deletion, or alteration of electromagnet records of another’s computer. System interference is regulated in Article 360 to protect the Internet being paralyzed by a distributed denial of service or equivalent attacks. Article 362 focuses on the offense of the creation of computer programs specifically for perpetration of a crime. Illegal interception is regulated in the Communication Protection and Surveillance Act which provides that illegal interception of another’s communication can be punished by up to 5 years in jail. Although there is doubt over whether the Communication Protection and Surveillance Act applies only to the regulation of the illegal interception by government agencies, a broader interpretation is supported by the Taiwan’s Ministry of Justice which asserts that this Act applies to illegal interception by nongovernment organizations or individuals.
The Budapest Convention and ASEAN
The Association of Southeast Asian Nations was established not only to accelerate the economic growth of the region but also aims to promote regional peace and stability. This is to be achieved through active collaboration and mutual assistance on matters of common interest in the economic, social, cultural, technical, scientific, and administrative fields (ASEAN 1967). In 2003, ASEAN started to meet and discuss cybersecurity and cybercrime issues. At the Third ASEAN Telecommunications and IT Ministers Meeting, ministers agreed in their Singapore Declaration to launch a “Virtual Forum of ASEAN Cybersecurity” and asked all member countries to establish national Computer Emergency Response Teams (CERTs). In the 2004 Joint Communique of the Fourth ASEAN Ministerial Meeting on Transnational Crime, cybercrime was recognized as an increasing transnational crime that would affect the whole of ASEAN’s security. The ministers urged member states to build effective collaboration against cybercrime. Since then, cybercrime- and cybersecurity-related issues have been addressed in several initiatives, such as the 2006 Statement on Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyberspace, the 2008 ASEAN Economic Community Blueprint, the ASEAN ICT Masterplan 2015, and the 2012 Statement on Cooperation in Ensuring Cyber Security (ASEAN 2003, 2004; Chang 2017).
In November 2017, the ASEAN Declaration to Prevent and Combat Cybercrime was adopted by the heads of state/governments of ASEAN member countries at the 31st ASEAN Summit held in Manila. In the declaration, the ASEAN countries acknowledged the importance of harmonization of laws related to cybercrime and electronic evidence and encouraged ASEAN member states to explore the feasibility of acceding to existing regional and international instruments in combating cybercrime. It also addressed the importance of enhancing international collaboration among ASEAN states and promoting cooperation among ASEAN member states on community education and awareness to prevent cybercrime (ASEAN 2017).
With regard to the harmonization of laws related to cybercrime, the EU-ASEAN Workshop on Cybercrime Legislation (Malaysia, 2008) provides some evidence of ASEAN’s desire to develop an effective cybercrime strategy (ASEAN 2008). This workshop was based on content from the Council of Europe’s Convention on Cybercrime (Budapest Convention), with a specific focus on regional cooperation, and many Council of Europe members were present during the discussions (ASEAN 2008). A Japan-ASEAN Cybercrime Dialogue, held in Bandar Seri Begawan, Brunei Darussalam, also confirmed the importance of the Budapest Convention with ASEAN member states.
Although most of the ASEAN member states have developed cybercrime laws, the Philippines is the only ASEAN country that has ratified the Budapest Convention. Critics have suggested ASEAN is not serious about cybercrime, given the large numbers of Internet users in Asia along with the lack of a concrete cybersecurity framework (Chen 2017; Chang 2017). There has also been some suggestion that ASEAN intends to create its own cybercrime framework, specific to the region. There is some evidence that this is likely to be the case, as ASEAN states, including Singapore, have invested significantly in the ASEAN Cyber Capacity Program (Chen 2017). However, there is still a need to examine whether the development of cybercrime law (substantial law) aligns with the Budapest Convention. The following section will briefly introduce current measures that ASEAN countries use to combat cybercrime. As Cambodia has no cybercrime law yet, it will not be discussed and be listed as weak.
Brunei’s Computer Misuse Act was amended in 2007 which, while containing sections which lie outside the scope of the Budapest Convention’s spirit, is structured in a similar way to the Budapest Convention with a section dedicated to outlining cyber offenses. Sections are similarly worded and cover similar offenses to the Budapest Convention with sections dedicated to unauthorized access (s. 3), unauthorized interception of a computer service (s. 6), and unauthorized disclosure of an access code (s. 8), among others. Under section 9, the punishment will be enhanced if the offender knows, or ought reasonably to have known, the offense committed is related to a protected computer being a computer with data or programs involving national security, defense, international relations, information relating to law enforcement, and information in relation to the protection of public safety.
Cybercrime in Indonesia is covered by the Electronic Information and Transactions Law 2008. The law was created largely to protect electronic transactions and computers operating in national security contexts. This law was amended in 2016 without tangible changes and is moderately aligned with the Budapest Convention.
Given that Indonesia’s cyberlaw is an electronic transaction law rather than a cybercrime law, it is structured in a very different way to the Budapest Convention. The opening sections are largely dedicated to electronic transactions and records. However, Articles 27–37 contain a series of prohibited acts and are very similarly structured to the Budapest Convention itself. For example, under Article 30, unauthorized access to a computer or computer system including interference with its operation along with the use of hacking to achieve this is prohibited. Article 31 prohibits interception or interference with a computer’s electronic information or records. These articles appear to be inspired by the Budapest Convention, with similar offenses covered and worded in a similar way. However, in contrast there appears to be a strong focus on the protection of electronic records in this legislation, rather than cybercrime more directly. For example, under Article 27 knowingly distributing electronic records related to extortion, gambling or defamation is specifically prohibited. Such articles could be significantly broader so as to cover cybercrime more fully while still remaining sensitive to issues related to electronic systems and records.
Laos’s law on Preventing and Combatting Cybercrime 2015 is reasonably well aligned to the Budapest Convention, which has clearly been used to structure the law. Articles 9–18 list a number of cybercrime offenses most of which are very similar to those listed in the Budapest Convention. Offenses including unauthorized computer access, intercepting computer data, causing damage via online social media, disseminating porn, and interfering with computer systems along with others are all covered. As these examples illustrate, Laos’ cybercrime law goes a step further than the Budapest Convention covering areas including social media. Article 13 which covers social media specifically legislates against using social media to cause “damage” which is defined as hate speech dissemination, misinformation, and information dissemination which damages the national interest. The creation of legislation to cover hate speech dissemination and misinformation is to be welcomed even if it is not specifically covered in the Budapest Convention. That said, sanctions for dissemination of information which damages the national interest seem like an intentionally vague legislative clause. Of concern is the possibility that such a clause could be used to suppress political or religious expression in Laos.
Another excellent part of Laos’ cyberlaw is Articles 24–30 which cover government strategies to combat cybercrime. This is not directly covered by the Budapest Convention but does add significantly to detailing government plans to combat cybercrime. Similarly, Articles 31–32 cover the Laos Computer Emergency Response Team (Laos CERT), which covers mutual assistance and international or regional cooperation imperatives of the Budapest Convention.
Malaysia’s Computer Crimes Act 1997 (updated 2011) is only moderately aligned with the Budapest Convention, covering a number of the offenses listed. However, many other offenses listed in the Budapest Convention are not covered by Malaysia’s Computer Crime Act. There is considerable emphasis in Malaysia’s cyberlaw on criminalizing unauthorized access. Four separate offenses are listed which include the unauthorized access to computer material, unauthorized access to computer content, intention to commit a further offense, and wrongful communication of an access code or password. Variations of unauthorized access are the only major offense covered in Malaysia’s cyberlaw. Issues around illegal interception of data and system interference, computer-related forgery, child pornography, and offenses related to copyright and intellectual property are not covered. Those offenses related to unauthorized access which are covered by the cyberlaw are rigorous, which makes the lack of coverage of other cybercrime offenses all the more limiting.
The Philippines has become the first ASEAN country to ratify the Budapest Convention. Its Cybercrime Prevention Act 2012 is strongly influenced by the Budapest Convention and covers many of the offenses listed in the Budapest Convention. The law is split into several offense categories which are clearly influenced by the Budapest Convention with categories including misuse of devices and computer- and content-related offenses. These largely mirror those contained in the Budapest Convention, and for this reason the Philippine coverage of cyber offenses is fairly rigorous. Offenses not included in many ASEAN cyberlaws are covered in Philippine legislation, including child pornography and explicit images, which aligns the legislation well with the Budapest Convention.
Singapore’s Cybercrime Misuse and Cybersecurity Act 1993 is a good example of robust cybercrime legislation with favorable alignment with the Budapest Convention. The cyberlaw contains an extensive list of cyber offenses, most of which have been inspired by the Budapest Convention itself. Offenses including unauthorized access to computer material, unauthorized interference with computer functions, and disclosure of access codes and passwords are all prohibited, among others. The cyberlaw also contains an additional offense under unauthorized disclosure to criminalize the disclosure of personal information in order to commit a cybercrime offense. The offense is specifically designed to combat the selling or passing on of personal information which was obtained in an unauthorized way to another party who may use that information to commit a cybercrime offense. This is a fairly forward-thinking clause, as it allows law enforcement to prosecute those selling stolen credit card information or medical information or similar, which has been obtained by hacking or other means on the dark Web or similar sites. This clause does not apply when the individual is not aware that the information would be used to commit a cybercrime offense. This is part of the safeguards mentioned under Article 15 of the Budapest Convention to ensure that sanctions and offenses are appropriate. Singapore’s cyberlaw does a good job of clearly outlining these areas.
Thailand’s Computer Crimes Act 2007 is a reasonably robust cybercrime law. (A controversial Cybersecurity Act was passed in February 2019 which increases the government’s power to control the Internet (Sattaburuth 2019). Due to the research timeline, this paper does not include the new Cybersecurity Act.) The offenses listed in the legislation are largely inspired by the Budapest Convention and take a similar structure and cover similar offenses. Various types of unauthorized access and modification are covered. However, Thailand’s cyberlaw does cover new ground, with a new offense which legislates that selling cybercrime instructions is a crime (s. 13). This is an innovative clause and one which is not replicated in other ASEAN legislation and is not reflected in the Budapest Convention itself. Under section 16 importing data to a public computer is criminalized. This is not covered in the Budapest Convention and may be targeted at hacktivism. While hacktivist activities do present a concern, criminalizing protest and government resistance is a troubling development.
Vietnam’s Law on Information Security 2015 is one element of Vietnam’s wider electronic laws including the Law on Information Technology 2006 and the Law on E-Transactions 2005. This law is also complemented by the newly passed Law on Cybersecurity 2018. However, this analysis will focus on the first of these, as this forms Vietnam’s first dedicated cyberlaw.
The Law on Information Security 2015 is somewhat differently structured to many ASEAN cyberlaws and from the Budapest Convention itself. Instead of outlining offenses as the Budapest Convention does, this information security law outlines principles and state policies on information security. However, under Article 8, six offenses related to information security are listed. These also seem largely inspired by the Budapest Convention but are applied to information security rather than cybercrime more broadly. However, there is still no regulation on computer-related offenses such as computer-related forgery and fraud (Title 2 of the Budapest Convention). In addition, offenses in this law include prevention of network communication, disabling network security, and illegal dissemination of information using system exploits, among others. These offenses are not included in the Budapest Convention itself, indicating that there might be a need to revisit and review whether the Budapest Convention needs to be updated. Overall, this is a robust information security law which was made in the spirit of the Budapest Convention despite covering areas of information security not included in the Budapest Convention.
The Law on Cybersecurity 2018 focuses on developing cybersecurity for the purposes of national security only and not increasing cybersecurity for individuals and businesses in Vietnam. The law is designed to sanction those who commit cyber offenses against sections of state infrastructure considered essential to national security and to provide a means of increasing cybersecurity of these areas including banking, law enforcement, and the military (Articles 8–15). Information related to these areas is classified as a state secret under Article 10. Much of the content of this law does very little to protect the citizens of Vietnam from cyberattack and is only focused on protecting government structures.
That said, the law does mandate that children are given the necessary protection in cyberspace, which is in line with the Budapest Convention but goes on to place this responsibility at the feet of teachers, parents, and organizations rather than the government itself. This section therefore also falls short of providing children the protection the convention stipulates.
Myanmar’s Electronic Transactions Law 2004 is one of the poorest examples of cyberlaw in the ASEAN, largely because it was not created to combat cybercrime at all but to provide the then military government with sweeping powers which could be exercised at will. This law has not been repealed and thus remains in force and bears almost no alignment with the Budapest Convention. Chapter IV and Chapter V are dedicated to the creation of oversight bodies, designed to ensure the law’s latter provisions are upheld. Chapter VI is dedicated to placing significant restrictions on businesses and requiring electronic keys to be used for transactions. Chapter VII is dedicated to penalties, all of which involve jail time. Under s. 34 offenses include hacking, altering electronic records, and communicating access codes or electronic keys to unauthorized persons. All of these penalties were made from the perspective of the government attempting to limit business communication and outside influence in Myanmar. These offenses are not largely created to prevent cybercrime in the nation.
For this reason, the law bears no connection to the Budapest Convention whatsoever, and it does not appear that the Budapest Convention’s structure or coverage was consulted in the drafting of this law. However, drafting of a new cyberlaw is currently underway. In mid-2018, a call for tender was issued to work on a new Myanmar Cyberlaw. It is expected the new law on cybercrime should align favorably with the Budapest Convention.
This chapter overviewed the development of the Internet in the Asian countries, both the Northeast Asia countries, including China, Japan, South Korea, and Taiwan, and the ASEAN countries. Using the Budapest Convention as a criterion, this paper reviewed current measures used by Northeast Asian countries and the ASEAN countries to combat cybercrime. With the reduction of the digital divide, especially the efforts that the ASEAN has been putting into its reduction, we can see the digital divide becoming smaller. However, there is still a huge gap between developed countries in Asia and the developing countries in ASEAN, i.e., Myanmar, Laos, and Cambodia.
The Budapest Convention and Asian countries
Alignment to the convention
China (including Hong Kong)
Nonetheless, while these countries are still at an early stage of developing information and communication technology laws and regulations, there is no escape for them from cybercrime. Without proper knowledge and education on ICTs, online safety, and cybersecurity, nor proper laws and capacity against cybercrime, we see that these areas are becoming a safe-haven for cybercriminals to conduct cybercrime in these countries as well as launching cybercrime into other countries.
Apart from the development of the legal framework, it is also important for ASEAN countries to put more resources into building cybersecurity awareness and cyber capacity. These are especially needed for countries like Myanmar, Laos, and Cambodia where general public access to the Internet is relatively new. Although cybersecurity awareness was emphasized in the ASEAN Master Plan 2015 and 2020, we still see people in these countries using the Internet without any basic cybersecurity awareness. To be effective, cybersecurity awareness programs should take into consideration local cultural and usage behaviors. Simply applying or copying materials and programs from the developed world might not always be effective.
Last but not the least, it is important to acknowledge that there is a need to update the Budapest Convention. The Internet has advanced significantly since the Budapest Convention was drafted in 2001. With the development of social media and mobile technology, cybercrime is becoming more complicated, and new types of crime are emerging. The problems of fake news, hate crime, and misinformation facilitated by the popularity of social media are emerging and are causing serious harm to society. However, these issues are not included in the Budapest Convention. The darknet, the Internet of Things (IoTs), and the development of the blockchain and artificial intelligence might all influence the governance of cyberspace. Therefore, there is a need for the Budapest Convention to be revised to cover these issues.
- ASEAN. (1967). The ASEAN Declaration (Bangkok Declaration). Retrieved November 20, 2018, from http://asean.org/the-asean-declaration-bangkok-declaration-bangkok-8-august-1967/
- ASEAN. (2003). The Singapore Declaration: An action agenda. Singapore: ASEAN.Google Scholar
- ASEAN. (2004). 2004 Joint communique of the fourth ASEAN ministerial meeting on transnational crime. Retrieved March 19, 2019, from https://asean.org/joint-communique-of-the-fourth-asean-ministerial-meeting-on-transnational-crime-ammtc-bangkok/
- ASEAN. (2008). EU-ASEAN workshop on cybercrime legislation in the ASEAN member states. Retrieved February 12, 2019, from https://www.asean.org/uploads/archive/apris2/file_pdf/Press%20Releases/EU-ASEAN%20Workshop%20on%20Cybercrime%20Legislation%20in%20the%20ASEAN%20Member%20States.pdf
- ASEAN. (2017). ASEAN Declaration to Prevent and Combat Cybercrime. Malina: ASEAN.Google Scholar
- ASEAN. (2018). ASEAN key figures 2018. Retrieved February 2, 2019, from https://asean.org/?static_post=asean-key-figures-2018
- Asian Development Bank. (2018). Embracing the e-commerce revolution in Asia and the Pacific. Retrieved May 14, 2019, from https://www.adb.org/sites/default/files/publication/430401/embracing-e-commerce-revolution.pdf
- Broadhurst, R., & Chang, L. Y. C. (2013). Cybercrime in Asia: Trends and challenges. In B. Hebenton, S. Y. Shou, & J. Liu (Eds.), Asian Handbook of criminology (pp. 49–64).Google Scholar
- Chang, J. Y. T. (2019, August 21). Twitter and Facebook suspend ‘China-linked’ accounts for misinformation. South China Morning Post. Retrieved September 1, 2019, from https://www.scmp.com/video/world/3023645/twitter-and-facebook-suspend-china-linked-accounts-misinformation
- Chen, Q. (2017, August 2). Time for ASEAN to get serious about cybercrime. The Diplomat. Retrieved March 4, 2019, from https://thediplomat.com/tag/cyber-crime-in-asean/
- Cheng, K. (2018). Hong Kong’s top court to define dishonest access to computer charge. Hong Kong Free Press, 6 September 2019. Retrieved August 24, 2019, from https://www.hongkongfp.com/2018/09/06/hong-kongs-top-court-define-dishonest-access-computer-charge/
- Council of Europe. (2001). Convention on cybercrime. Retrieved November 17, 2019, from https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185
- Ericsson. (2015). Ericsson mobility report: On the pulse of the networked society. Retrieved February 9, 2019, from http://www.ericsson.com/res/docs/2015/mobility-report/ericsson-mobility-report-nov-2015.pdf
- Google-Temasek. (2018). E-Conomy SEA 2018: Southeast Asia’s Internet economy hits an inflection point. Retrieved February 14, 2019, from https://www.thinkwithgoogle.com/intl/en-apac/tools-resources/research-studies/e-conomy-sea-2018-southeast-asias-internet-economy-hits-inflection-point/
- Hadjy, P. (2019, March 13). As Internet adoption grows in Southeast Asia, SMEs must defend against sophisticated cyberattacks. South China Post. Retrieved May 14, 2019, from https://www.scmp.com/tech/innovation/article/3001365/internet-adoption-grows-southeast-asia-smes-must-defend-against
- ITU. (2017). Global Cybersecurity Index (GCI) 2017. Geneva: International Telecommunication Union.Google Scholar
- ITU. (2018). ICTEYE: Key ICT data and statistics. Retrieved February 4, 2019, from https://www.itu.int/net4/itu-d/icteye/CountryProfile.aspx
- Lee, S. F. (2018, April 5). Taiwanese government websites are under constant attack by the Chinese cyber army. Liberty Times. Retrieved September 10, 2019, from https://news.ltn.com.tw/news/focus/paper/1190027
- Lewis, J. (2018). Economic impact of cybercrime: No-slowing down. Santa Clara: McAfee.Google Scholar
- Lin, R., & Wu, F. (2019, April 27). Taiwan’s online ‘opinion war’ arrived. CommonWealth. Retrieved August 20, 2019, from https://english.cw.com.tw/article/article.action?id=2375
- Lum, A., & Lau, H. (2019, April 4). Hong Kong’s top court rules against one-size-fits-all charge for smartphone crimes. South China Morning Post. Retrieved August 24, 2019, from https://www.scmp.com/news/hong-kong/law-and-crime/article/3004587/hong-kongs-top-court-rules-against-one-size-fits-all
- McLaughlin, T. (2018, June 7). How Facebook’s rise fueled chaos and confusion in Myanmar. Wired. Retrieved August 20, 2019, from https://www.wired.com/story/how-facebooks-rise-fueled-chaos-and-confusion-in-myanmar/
- Mechkova, V., Pemstein, D., Seim, B., & Wilson, S. (2019). Digital Society Project dataset v1. Retrieved August 27, 2019, from http://digitalsocietyproject.org/data/
- Microsoft. (2016). PLATINUM: Targeted attacks in South and Southeast Asia. Microsoft: Seattle.Google Scholar
- Miniwatts Marketing Group. (2019). Internet World Stats. Retrieved August 25, 2019, from http://www.internetworldstats.com/stats.htm
- Motlagh, J. (2014, September 30). When a SIM card goes from $2,000 to $1.50. Bloomberg. Retrieved February 9, 2019, from http://www.bloomberg.com/news/articles/2014-09-29/myanmar-opens-its-mobile-phone-market-cuing-carrier-frenzy
- OECD. (2001). Understanding digital divide. Paris: OECD.Google Scholar
- Sattaburuth, A. (2019). Cybersecurity Bill passed. Bangkok Post. https://www.bangkokpost.com/news/security/1636694/cybersecurity-bill-passed. Accessed 8 Mar 2019.
- Stecklow, S. (2018, August 15). Why Facebook is losing the war on hate speech in Myanmar. Reuters. Retrieved August 20, 2019, from https://www.reuters.com/investigates/special-report/myanmar-facebook-hate/
- Stilgherrian. (2019, April 30). Vietnam ‘on the edge’ of becoming a mid-tier cybercrime hub. ZDnet. Retrieved April 14, 2019, from https://www.zdnet.com/article/vietnam-on-the-edge-of-becoming-a-mid-tier-cybercrime-hub/
- Subhan, A. (2018, May 20). Southeast Asia’s cybersecurity an emerging concern. The ASEAN Post. Retrieved May 14, 2019, from https://theaseanpost.com/article/southeast-asias-cybersecurity-emerging-concern
- Trautwein, C. (2015, March 25). Myanmar named fourth-fastest-growing mobile market in the world by Ericsson. Myanmar Times. Retrieved February 9, 2019, from http://www.mmtimes.com/index.php/business/technology/17727-myanmar-named-fourth-fastest-growing-mobile-market-in-the-world-by-ericsson.html
- Twitter Safety. (2019, August 19). Information operations directed at Hong Kong. Twitter. Retrieved August 24, 2019, from https://blog.twitter.com/en_us/topics/company/2019/information_operations_directed_at_Hong_Kong.html