Computer Crime Statutes and Global Legal Frameworks

The Budapest Convention divides its substantive provisions into four offence categories. Title 1 (Articles 2-6) covers offences against confidentiality, integrity, and availability: illegal access, illegal interception, data interference, system interference, and misuse of devices. Title 2 (Articles 7-8) covers computer-related offences: forgery and fraud using computers. Title 3 (Article 9) covers content offences: child sexual abuse material. Title 4 (Articles 10-13) covers copyright-related offences. Each state party must enact domestic legislation that covers all these categories, though it may reserve the right to exclude or limit certain provisions.

The procedural section (Articles 16-21) is the investigative engine. Article 16 requires states to be able to order rapid preservation of stored computer data when there is reason to believe that data may be particularly vulnerable to loss or modification. Article 17 extends this to traffic data in cross-border situations. Article 18 authorises production orders directed at service providers. Articles 20-21 address real-time collection of traffic data and interception of content. These powers are intended to be available to investigators in all party states so that preservation requests can be acted on before logs are overwritten or accounts are closed.

Article 35 establishes a 24/7 network of national points of contact. Each party designates a contact that can be reached at any hour to assist with urgent requests: immediate preservation, locating a suspect, or routing a formal MLAT request quickly. In practice, investigators working time-sensitive cases contact the Article 35 point of contact in the target country directly rather than waiting for the slower diplomatic channel. Many investigations have succeeded or failed based on whether the preservation request reached the relevant service provider before its log retention window expired.

The CFAA defines a 'protected computer' as any computer used in or affecting interstate or foreign commerce or communication. Given that any internet-connected device meets this threshold, the CFAA in practice applies to virtually every computer in the United States. The statute creates seven core offences, ranging from simple unauthorised access (Section 1030(a)(2)) through damage to protected computers (1030(a)(5)) to extortion involving threats of damage (1030(a)(7)). Penalties escalate based on whether the offender obtained information, whether damage exceeded US$5,000, whether the victim was a government or financial institution, and whether the offence caused serious bodily injury or death.

The UK Computer Misuse Act 1990 predates the Budapest Convention and anticipated many of its concepts. The three original sections remain the core: Section 1 (simple unauthorised access, up to 12 months), Section 2 (unauthorised access with intent to commit or facilitate a further offence, up to 5 years), and Section 3 (unauthorised acts with intent or recklessness as to impairing computer operation, up to 10 years). The Serious Crime Act 2015 added Section 3ZA, covering unauthorised acts that cause serious damage to human welfare, the environment, the economy, or national security, with a maximum of life imprisonment. The same Act added Section 3A, making it an offence to supply or obtain articles for use in computer misuse offences.

The EU NIS2 Directive (Directive 2022/2555, effective October 2024) is not itself a criminal law. It imposes security obligations and mandatory incident reporting on operators of essential services and digital service providers across EU member states. Member states must transpose it into national law and designate competent authorities to supervise compliance and impose administrative sanctions. Its relevance to investigators is indirect: NIS2 creates a reporting infrastructure that generates incident data, and those reports can become investigative leads or evidence in criminal proceedings brought under domestic computer crime statutes.

India's Information Technology Act 2000, substantially amended in 2008, remains the primary source of cybercrime offences. Section 43 establishes civil liability for unauthorised access, data theft, and disruption. Section 66 criminalises hacking and carries a maximum of three years imprisonment or a fine of five lakh rupees. Section 66B covers dishonestly receiving stolen computer resources (3 years), Section 66C covers identity theft (3 years), Section 66D covers impersonation using communication devices (3 years), Section 66E covers voyeurism (3 years), Section 66F covers cyber terrorism and carries imprisonment up to life. Section 69 gives the central government power to intercept, monitor, or decrypt information from any computer resource in the interest of sovereignty, security, or public order, subject to a procedure specified in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009.

The Bharatiya Sakshya Adhiniyam 2023 (BSA) replaced the Indian Evidence Act 1872 with effect from 1 July 2024. Section 61 of the BSA now governs the admissibility of electronic records, requiring that any electronic record submitted in evidence be accompanied by a certificate from a person occupying a responsible official position regarding the computer system that produced the record. The certificate must state that the computer was operating properly, that the record was produced during regular use, and that the information in the record derives from information supplied to the computer in the ordinary course of activities. These requirements parallel the authentication demands in other jurisdictions and are directly relevant to how cyber forensics investigators package evidence for Indian proceedings.

The Digital Personal Data Protection Act 2023 (DPDP Act) governs how personal data collected or processed in India must be handled. For investigators, the most immediate implication is that data obtained through lawful interception or search under the IT Act or Bharatiya Nagarik Suraksha Sanhita 2023 can be processed for the purpose for which it was collected, but secondary use beyond the investigation requires explicit legal authority. The DPDP Act also imposes obligations on data fiduciaries (organisations holding data) that affect how they respond to requests from law enforcement, including mandatory breach notification to the Data Protection Board.

Cybercrime is almost never confined to a single territory. A phishing campaign may be designed by an offender in one country, delivered through servers rented in a second country, and target victims' bank accounts held in a third. The malware command-and-control infrastructure may sit on compromised hosts in a fourth and fifth country. Each of these facts creates a potential jurisdictional hook for a different state.

Most cybercrime statutes assert jurisdiction based on some combination of three connecting factors: territoriality (the offence occurred on the state's territory, including where any part of the conduct or its effects took place), active personality (the offender is a national of the state), and passive personality (the victim is a national of the state or the targeted computer system is located within the state). The CFAA, for example, applies to any 'protected computer' regardless of where the offender is located, creating US jurisdiction over attacks against US-based computers from anywhere in the world. The UK CMA applies to conduct by any person where any significant link to domestic jurisdiction is established.

The practical sequencing for an investigator is: identify all connecting factors, document which states have a legal basis to assert jurisdiction, consult the prosecutor on where prosecution is most likely to be viable (considering extradition relationships, strength of evidence in each forum, and applicable sentencing ranges), then direct evidence collection toward the standards of the target forum from the outset. Evidence collected under the legal framework of country A may be inadmissible in country B if the procedural requirements differ significantly.

Mutual legal assistance treaties (MLATs) are the formal mechanism for one state to request investigative cooperation from another: executing a search warrant, compelling a service provider to produce records, taking a witness statement, or freezing assets. Traditional MLAT requests travel through diplomatic channels (Ministry of Justice to Ministry of Justice or equivalent), are processed by a central authority, and can take months or years. For cybercrime investigations where log data may be overwritten within days or weeks, this timeline is often fatal to the evidence.

The Budapest Convention addresses this gap through Article 29 (expedited preservation of stored computer data) and Article 30 (expedited disclosure of preserved traffic data to identify the service provider in a chain of hops). A state party can request another party to preserve data immediately pending a formal MLAT request for disclosure. The requesting state then has 60 days to submit the formal request; otherwise the preserved data may be released. This two-step procedure is faster than waiting for the full MLAT cycle before any preservation occurs.

Article 35 requires each party to designate a 24/7 contact point reachable at any time. In the United States, the Department of Justice Computer Crime and Intellectual Property Section (CCIPS) operates this contact point. In the United Kingdom, the National Crime Agency fulfills this role. In India, the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs handles international coordination. These points of contact can route urgent preservation requests within hours rather than weeks. Investigators working a time-critical case should contact the relevant Article 35 point of contact as the first step in any cross-border evidence preservation, not as a last resort.

States that have not ratified the Budapest Convention present a different challenge. China and Russia, which host significant cybercriminal infrastructure, are not parties. Cooperation with these states relies on bilateral MLATs (where they exist), Interpol notices, or diplomatic channels, all of which are slower and subject to different political considerations. Investigators should not assume that a preservation request to a non-party state will be acted on within any particular timeframe and should explore whether evidence copies or metadata accessible from within treaty partners can substitute.

The rules for admitting digital evidence in criminal proceedings vary significantly, but common requirements appear across most systems: authentication (proof that the evidence is what it purports to be), integrity (proof that it has not been altered since collection), and reliability (that the system or process that produced it was functioning correctly). How these requirements are satisfied differs in important ways.

In the United States, Federal Rule of Evidence 901 requires authentication as a condition precedent to admissibility. Digital evidence is typically authenticated through hash values (MD5 or SHA-256 checksums that demonstrate the file has not changed), chain of custody documentation, and expert testimony from the examiner who acquired the evidence. Federal Rule of Evidence 1002 (the best evidence rule) requires production of the original when content is in dispute, though courts have adapted this to allow authenticated forensic images. The Electronic Communications Privacy Act (ECPA) also constrains how law enforcement obtains data from service providers, and violations can result in suppression.

In India, Section 61 of the Bharatiya Sakshya Adhiniyam 2023 governs electronic records. The section requires a certificate from a person in a responsible official position attesting to the proper functioning of the computer system, the regular production of such records in ordinary use, and the derivation of information from data supplied in the ordinary course of activities. Failing to produce this certificate has historically caused electronic evidence to be excluded in Indian courts, making certificate preparation a mandatory step in any Indian investigation where a prosecution is anticipated.

In England and Wales, digital evidence admissibility is governed by the Police and Criminal Evidence Act 1984 (PACE) and its associated Codes of Practice, particularly Code B (search and seizure) and the ACPO Good Practice Guide for Digital Evidence (now the Digital Forensics Handling and Recovery guidance published by the Forensic Science Regulator). The principle is that the continuity of the exhibit must be demonstrable, meaning each person who had custody of the device or image must be identifiable and available to give evidence. Where automated tools generate outputs, the reliability of the tool itself may be challenged, requiring documentation of the software version, configuration, and validation testing.