More than three billion people across the planet use the internet, and over ninety-seven percent of telecommunication utilizes the internet’s infrastructure.1Bradley J. Raboin, Treacherous Waters: Jurisdiction in E-Commerce and on the High Seas, 21 Tul. J. Tech. & Intell. Prop. 1, 2–3 (2019). The internet has also become an integral part of the operation of both the government and the economy.2William M. Stahl, The Uncharted Waters of Cyberspace: Applying the Principles of International Maritime Law to the Problem of Cybersecurity, 40 Ga. J. Int’l & Compar. L. 247, 248 (2011). This comprehensive use and integration of the internet has left both the United States and the international community “irreversibl[y] dependen[t]” on it.3Id. at 249 (quoting Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57, 64 (2010)). The rise of the “Internet of Things,” the network of non-computer devices like thermostats, lights, locks, etc., has served to further blur the boundaries between the physical world and cyber world as every part of daily life becomes irrevocably intertwined with, and often controlled by, the internet and its derivatives.
This irreversible dependence, however, creates deep vulnerabilities across both the domestic and international stage. The internet was purpose-made to facilitate the free flow of information—data packets are flung across cyberspace via a system of interconnected routers,4See Farshad Safaei & Majed ValadBeigi, A Probabilistic Approach to Analysis of Reliability in n-D Meshes with Interconnect Router Failures, Int’l J. Comput. Networks & Commc’ns, July 2011, at 87, 87. which creates multiple paths for any given packet to take, ensuring that the internet’s stability is never compromised by external attacks.5Stahl, supra note 2, at 253–54. This system, while stable, does not allow for the ability to protect against damage spawning from the data packets themselves.6Id. at 254. This gap in the internet’s armor allows for malfeasant users to leverage this vulnerability to create malware,7Malware is generally separated into worms and viruses, based on their abilities to either self-replicate or not. Id. at 254–55. denial of service (“DOS”) attacks, and forcible, remote invasions of other computer systems.8Id. at 254.
A glaring example many may remember was the Lovebug virus. After infiltrating numerous national governments’ systems, as well as multitudes of private computers and networks, that virus stole passwords from infected terminals and eventually caused some ten billion dollars in damage.9Id. at 264. The virus originated in the Philippines and was coded to steal passwords by way of an email with the subject line “ILOVEYOU.” Alexandra Perloff-Giles, Note, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int’l L. 191, 198 (2018). Despite penetrating the U.S. government, British Parliament, media outlets, and corporations, the viral perpetrator could not be prosecuted since the Philippines did not criminalize such activity at that time. Id. Thousands of Americans are also familiar with the affliction spawned from this connectedness: identity theft. Common identity theft scenarios include a keylogger stealing a password, the opening of an email that should not have been opened, or a questionable website allowed administrator access. Any of these can lead to thousands of dollars of actual monetary damage, not including the time and resources used to rebuild protections or accounts that were compromised.10See Peter C. Alexander, Identity Theft and Bankruptcy Expungement, 77 Am. Bankr. L.J. 409, 409–10 (2003).
As if this were not enough, the damage that cybercrimes pose goes far beyond a single individual’s data or household. On August 26, 2020, an unknown foreign actor initiated two distributed denial of service (“DDoS”)11A DDoS attack is a distributed denial of service action where many users (computers) flood a website and swamp it to the point that it cannot function. Steve Weisman, What Is a Distributed Denial of Service Attack (DDoS) and What Can You Do About Them?,NortonLifeLock (July 23, 2020), https://perma.cc/XN2H-8NWS. attacks against the New Zealand Stock Exchange, which resulted in enough disruption to halt trading twice in a single day.12New Zealand Stock Exchange Halted by Cyber-attack,BBC News (Aug. 26, 2020), https://perma.cc/L6VS-RPBK. While that attack was relatively minor,13I will continue to classify this attack as minor, though it should be noted that this attack brought trading down, intermittently, for four days—ultimately resulting in New Zealand triggering a national security emergency plan. Jamie Tarabay & Matthew Brockett, New Zealand Deploys Spy Agency as Hackers Hit Stock Market, Bloomberg Quint (Aug. 28, 2020, 1:31 PM), https://perma.cc/TZ6N-C668. Responsibility has generally been attributed to what are likely criminal cybergangs also targeting other financial firms across the world. See id. it shows that a group of cybercriminals, armed with naught but computing power and knowledge, could bring down a financial market and affect the global marketplace. Furthermore, a report from 2013 showed that cybercrime costs around the globe could be as much as $575 billion annually.14Paul Sandle, Cyber Crime Costs Global Economy $445 Billion a Year: Report, Reuters (June 9, 2014, 6:33 AM) https://perma.cc/HW8W-W9HU (noting a range of $375–$575 billion per year).
Damage from cybercrime does not solely rest in cyberspace however. On April 29, 2021, a group of hackers gained access to the largest fuel pipeline in the United States: the Colonial Pipeline.15William Turton & Kartikay Mehrotra, Hackers Breached Colonial Pipeline Using Compromised Password, Bloomberg (June 4, 2021, 3:58 PM), https://perma.cc/6M8A-5TEJ. Those hackers subsequently demanded millions of dollars in ransom, halting 2.5 million barrels of fuel per day from reaching their intended destination.16Id. Unfortunately, there was no “happy ending” after the Colonial Pipeline attack. The CEO of Colonial Pipeline Co., Joseph Blount, after discovering the hacker group was located in Russia, noted that “[u]ltimately the government needs to focus on the actors themselves. As a private company, we don’t have a political capability of shutting down the host countries that have these bad actors in them.”17Id.
Current jurisdictional schemes do not allow for the prompt prosecution of those responsible for such acts, and thus do not function as adequate deterrents against future cybercrimes.18See Jan Kleijssen & Pierluigi Perri, Cybercrime, Evidence and Territoriality: Issues and Options, 47 Neth. Y.B. Int’l L. 147, 150 (2016). Unsurprisingly, Westphalian-based jurisdictional rules that center on territoriality fail when applied to the ether of cyberspace. For example, the creator of the Lovebug virus referenced above was never prosecuted, since the creator’s home country had not yet criminalized such computer crimes.19Stahl, supra note 2, at 264; Perloff-Giles, supra note 9, at 198. However, had there been a non-territorial basis to prosecute the Lovebug creator, the multiple nations and entities affected may have been able to seek justice for that damage. In the same way, even if the entities that were responsible for the intrusion to the New Zealand Stock Exchange are definitively established, it would be difficult to determine jurisdiction for prosecution. If New Zealand must rely on the state where the group resides, hope that state criminalized that type of conduct, and hope that the state has the will to prosecute. Similarly, the perpetrators of the Colonial Pipeline attack are effectively immune, since Russia seems to lack either the legal capability or political will to halt the cyber operations that stem from its territory.20See Del Quentin Wilber, Ransomware Hackers Remain Largely Out of Reach Behind Russia’s Cybercurtain, L.A. Times (June 10, 2021, 9:40 AM), https://perma.cc/S6DW-V4WN.
The “loophole” in current jurisdictional schemes in cybercrime law undermines prosecutorial deterrence.21Prosecutorial deterrence is the reduction of crime when the investigation and prosecution of a criminal action is both rapid and certain—both severely lacking under the current internet regimes. See Scott M. Mourtgos & Ian T. Adams, The Effect of Prosecutorial Actions on Deterrence: A County-Level Analysis, 31 Crim. Just. Pol’y Rev. 479, 480, 491–92 (2020) (showing that crime deterrence is heavily affected by the certainty of criminal prosecution and the celerity of case disposition and punishment). Without some way for the existing legal powers to assert effective accountability measures, the realm of the internet risks becoming “a Hobbesian state of nature in which victims engage in self-help and cyber-vigilantism.”22Perloff-Giles, supra note 9, at 192. Several new jurisdictional theories have been posited by commentators to address this danger, but they also fail to adequately encompass the new challenges posed by crime in cyberspace.23See infra Part III. There is, however, an existing jurisdictional doctrine that would allow for the prosecution of cybercrimes, without the limitations found in the territorial jurisdictions. This doctrine—universal jurisdiction, or historically hostis humani generis (“enemy of all mankind”)—allows for the prosecution of offenders based not on their nationality, location, or criminal target, but upon the very offense itself.24See infra Part II. This means the coder that inflicted the Lovebug virus on the world and the cybergangs that coordinated the New Zealand Stock Exchange and Colonial Pipeline attacks could be prosecuted by any state that gains control over them. Even if the state in which they reside refuses to prosecute, the cybergang members would be unable to leave that state for fear they would place themselves under the jurisdiction of a state that would prosecute them. This allows for the boxing-in of criminals and for international pressures to come to bear against known safe havens.
Universal criminal jurisdiction originates from a seventeenth-century doctrine that mercantilist maritime nations developed to effectively combat piracy.25While the doctrine originated from Rome’s orator Cicero, its use in more familiar legal systems in the Golden Age of Piracy lends to an “origin” of the seventeenth century. See infra Part II for a more in-depth explanation. Piracy threatened all nations that used the sea.26See Douglas R. Burgess, Jr., Hostis Humani Generi: Piracy, Terrorism and a New International Law, 13 U. Mia. Int’l & Compar. L. Rev. 293, 302–03 (2006); Jody Greene, Hostis Humani Generis, 34 Critical Inquiry 683, 696 (2008). To these seventeenth-century seafaring nations, the commerce that sea access granted was the lifeblood of their economies, and piracy threatened to undermine that most precious of resources.27See Burgess, supranote 26, at 310–15 (explaining how Europe shifted from using pirates, namely as privateers, to vehemently hunting them down in only a few years); Eugene Kontorovich, The Piracy Analogy: Modern Universal Jurisdiction’s Hollow Foundation, 45 Harv. Int’l L.J. 183, 190 (2004). Additionally, the crime of piracy was regarded as so heinous that it threatened the order and stability of the international community, which allowed all those who constitute that community the legitimate authority to prosecute pirates.28Burgess, supra note 26, at 298–99.
Presently, the limits of universal criminal jurisdiction have been expanded and codified to encompass seven crimes that are so heinous and internationally impactful that they warrant inclusion under the prosecutorial umbrella of universal criminal jurisdiction: piracy, slavery, war crimes, crimes against peace, crimes against humanity, genocide, and torture.29Princeton Project on Universal Jurisdiction, The Princeton Principles on Universal Jurisdiction 29 (Stephen Macedo ed., 2001) [hereinafter Princeton Project, Principles]. It must, however, be noted that there is some debate to the exact contours of universal jurisdiction, given its oft-varying nature. See, e.g., Rome Statute of the International Criminal Court pmbl., July 17, 1998, 2187 U.N.T.S 3 [hereinafter Rome Statute]; Restatement (Third) of Foreign Relations Law § 403 (Am. L. Inst. 1987). This Comment advocates for the expansion of universal criminal jurisdiction to include an additional category of offense that has universal effects and massive impacts upon modern life: cybercrime. This is the best way to decentralize enforcement and deter cybercriminals without forcing nations to cede criminal prescriptive and adjudicative power to a central international tribunal.
Part I of this Comment lays out the current internationally acceptable bases for jurisdiction. Part II addresses the history and rationale behind universal criminal jurisdiction and its applications. Part III examines jurisdictional theories posited by scholars and commentators and argues that universal criminal jurisdiction better accomplishes the goal of deterring cybercrime than current territorial concepts. Part IV examines universal criminal jurisdiction in context of the United States’ court system and constitutional structural, as well as Due Process jurisdictional limitations. Finally, Part V illuminates the sources of international law and how international law could expand universal criminal jurisdiction.
I. Current Internationally Acceptable Bases for Jurisdiction
Under international law, jurisdiction is generally split into three parts: jurisdiction to prescribe conduct, jurisdiction to adjudicate the violations of that prescription, and the jurisdiction to enforce those adjudications.30Restatement (Third) of Foreign Relations Law § 401; Darrel C. Menthe, Jurisdiction in Cyberspace: A Theory of International Spaces, 4 Mich. Telecomm. Tech. L. Rev. 69, 71 (1998). Jurisdiction comparisons have been made comparing prescriptive jurisdiction to the legislative authority of Congress, adjudicative authority to the in personam jurisdiction oft analyzed in U.S. courts, and finally enforcement jurisdiction to the exercise of executive power. See Anthony J. Colangelo, Constitutional Limits on Extraterritorial Jurisdiction: Terrorism and the Intersection of National and International Law, 48 Harv. Int’l L.J. 121, 126 (2007). This Comment will focus only on prescriptive and adjudicative jurisdiction, though the concerns with enforcement jurisdiction are generally the same.
There are six bases for jurisdiction extant in international law: subjective territoriality, objective territoriality, nationality, protective principle, passive nationality, and, finally, universal jurisdiction.31Menthe, supra note 30, at 71. A number of commentators and scholars classify these concepts of jurisdiction under five theories: territoriality, nationality, protective, passive personality, and universality. See Restatement (Third) of Foreign Relations Law §§ 402–04; see also Allyson Bennett, That Sinking Feeling: Stateless Ships, Universal Jurisdiction, and the Drug Trafficking Vessel Interdiction Act, 37 Yale J. Int’l L. 433, 435 & n.11 (2012) (referencing the “five general doctrines authorizing the exercise of jurisdiction under international law” and the inception of this classification); Harvard Research in International Law, Draft Convention on Jurisdiction With Respect to Crime, 29 Am. J. Int’l L. 439, 445 (Supp. 1935)). However, given that the focus of this Comment is generally on universal jurisdiction, and the six classifications are more descriptive, this larger theoretic basis is listed here. The first group of jurisdictional theories rely on the territorial limits of the prosecuting state: subjective and objective.
Subjective territoriality is by far the most common—it is the jurisdiction afforded when the conduct takes place within the territory of the forum state.32Menthe, supra note 30, at 71–72. Virtually all criminal statutes and prosecutions find their legitimacy within this jurisdictional principle.33Id. The quintessential example would be a homicide committed in Virginia that was then investigated by some branch of Virginian investigators; the murderer prosecuted by the Commonwealth Attorney and then subsequently imprisoned by the Commonwealth carceral system.
Objective territoriality, sometimes called effects jurisdiction, is jurisdiction based on actions taken while outside the territory of the forum state, but whose primary effects occur within the state.34Id. An illustrative example is an individual standing on the Virginia side of the Potomac River and launching a projectile into Maryland territory. In this example, Virginia would have jurisdiction based on the subjective territoriality principle, since the conduct occurred within its bounds, however Maryland would also have jurisdiction over this individual based on the primary effects of the projectile within its bounds.
The Second group of jurisdictional theories involve the parties of the offensive conduct: active and passive nationality. These generally involve the perpetrator (active) and the victim (passive).
The active nationality principle can be invoked as a basis for legitimate jurisdiction when the perpetrator of the offensive conduct is a national of the state asserting jurisdiction.35Id. One commenter uses the example of a Dutch law authorizing prosecution of “an offence committed abroad, which is punishable under Netherlands law and which is also punishable under the law of the country where the offence was committed.”36Id. In such a case, a Dutch national could travel abroad, commit some crime proscribed extraterritorially by the Netherlands, and then be prosecuted once that Dutch national returned home—even though the crime did not happen in, nor affect, Dutch territory or interests. Here in the United States, one such example would be 18 U.S.C. § 1119, which forbids any U.S. national from killing, or attempting to kill, another U.S. national “while such national is outside the United States but within the jurisdiction of another country.”3718 U.S.C. § 1119(b).
The passive nationality principle is a jurisdictional invocation based on the nationality of the victim.38Menthe, supra note30, at 72. Under this principle, a state may prosecute an offender when he or she harms or targets a national of the prosecuting state.39See id. Returning to the example above, had our Dutch national travelled abroad to France and then been assaulted there by a French citizen, this type of jurisdiction could be invoked to lawfully allow the Netherlands to prosecute the French assaulter. This is a generally disfavored theory of jurisdiction based on two thoughts: the enforcement jurisdiction of the prosecuting state—absent an extradition treaty, there is no practical way to gain control of the offender—and the potential diplomatic fallout stemming from one nation-state reaching into the sovereignty of another to prosecute a national while also insinuating that the host state cannot protect visitors from its own nationals.40See id.
The protective principle, another disfavored theory,41Id. (“This principle is disfavored for the obvious reason that it can easily offend the sovereignty of another nation.”). is predicated on the need for states to protect their own sovereign integrity.42Id. This principle may be invoked when the target of the offensive conduct is the state itself.43Id. This principle could be invoked to prosecute terrorism, coup attempts, or other acts that threaten the stability of a nation-state.44See Paul N. Stockton & Michele Golabek-Goldman, Prosecuting Cyberterrorists: Applying Traditional Jurisdictional Frameworks to a Modern Threat, 25 Stan. L. & Pol’y Rev. 211 (2014). This basis of jurisdiction faces the same sovereignty issues that the passive nationality faces,45See id. at 244, 258–59. and which will continue to be a theme throughout any analysis of extraterritorial criminal jurisdiction.
The final basis of jurisdiction is universal jurisdiction.46Menthe, supra note 30, at 72. The universality principle is an outlier when compared to the other bases for jurisdiction, as it establishes its legitimacy from the status of the offensive conduct itself.47Id. at 72–73. The historical example is piracy—should a pirate be caught, it did not matter where they were from, who they were targeting, or where effects were felt.48See, e.g., Princeton Project, Principles, supra note 29, at 28–29; see also Burgess, supra note 26, at 312. Once caught, a pirate could be tried, convicted, and likely executed by any state.49See Burgess, supra note 26, at 312.
In contrast to this conduct-based basis for jurisdiction, the other bases are limited either by geography or the nationalities of the parties involved. More generally, these concepts can be grouped into those dealing with some place and those dealing with the parties involved. Universal jurisdiction, conversely, is established by the very nature of the act itself, divorced from target, place, perpetrator, or other nexus with the prosecuting state.50See Rome Statute, supra note 29, 2187 U.N.T.S. at 91; Princeton Project, Principles, supra note 29, at 28; Bennett, supra note 31, at 435–37. Given that the concept of universal international crime is predicated upon international norms, there is some disagreement as to what is and what is not such a universal crime outside those that have been established by clear international law authorities like the International Criminal Court or the International Court of Justice.
Universal jurisdiction is also unique because it does not afford the prosecuting state the jurisdiction to prescribe conduct. Instead, that power lies with the international community as a whole, leaving the prosecuting state only the jurisdiction to adjudicate and enforce.51See Bennett, supra note 31, at 437; see also Restatement (Third) of Foreign Relations Law§§ 401–04, 421–23 (Am. l. Inst. 1987) (establishing both prescriptive and adjudicative jurisdiction over all bases but universal criminal jurisdiction). There are also some commentators that muse that universal jurisdiction, or parts of it, also create obligations upon states as a jus cogens (“compelling law”) but that is far from clear. See Bennett, supra note 31, at 437. Instead, the international community establishes universal jurisdiction over piracy, genocide, slave trade, war crimes, hijacking, and acts of terror.52The actual list of prescribed actions is contested among scholars. See Rome Statute, supra note 29, 2187 U.N.T.S. at 92; Restatement (Third) of Foreign Relations Law § 403; Princeton Project, Principles, supra note 29, at 29. Thus, the proscriptive jurisdiction of universal criminal jurisdiction is shared between the international community that legitimates it as a whole and the prosecuting state, when it tailors specific domestic empowering statutes. These traits allow universal criminal jurisdiction to be a powerful, decentralized, and customizable force for the deterrence of cybercrime across the world.
II. Universal Criminal Jurisdiction from Its Birth as Hostis Humani Generis to the Rome Statute
Universal jurisdiction was first birthed to combat the scourge of piracy and has remained present in international law since the sixteenth century.53Burgess, supra note 26, at 302. Note that this doctrine technically has its roots in Rome, but it is most often identified with pirates during the Golden Age of Piracy. Generally, scholars postulate that the rationale and motivation behind the creation of this far-reaching jurisdiction was the heinous nature of the crime and—more importantly for this area—the deleterious effects it had on state authority and stability.54Miriam Cohen, The Analogy Between Piracy and Human Trafficking: A Theoretical Framework for the Application of Universal Jurisdiction, 16 Buff. Hum. Rts. L. Rev. 201, 216 (2010) (referencing Eugene Kontorovich, Implementing Sosa v. Alvarez-Machain: What Piracy Reveals About the Limits of the Alien Tort Statute, 80 Notre Dame L. Rev. 111, 152–54 (2004), and Kenneth C. Randall, Universal Jurisdiction Under International Law, 66 Tex. L. Rev. 785, 793 (1988)). See generally Kontorovich, supra note 27, at 184–86 (arguing that the heinousness rationale is not borne out when compared to piracy’s history); David Luban, The Enemy of All Humanity, 47 Neth. J. Legal. Phil. 112, 112–13 (2018) (arguing that the rationale of the term has shifted over time as it gained more of a moral basis). The universal criminal jurisdiction over piracy was later codified into international law by the United Nations.55United Nations Convention on the Laws of the Sea, Dec. 10, 1982, 1833 U.N.T.S. 397 [hereinafter UNCLOS]. and has since expanded to all new areas of internationally condemned offenses.56See generally Rome Statute, supra note 29.
The term and concept extend all the way back to Cicero, who stated that pirates were among those to whom good faith was not to be extended and who were enemies of all.57Luban, supra note 54, at 113–15 (additionally addressing parallels to the Roman concept of homo sacer or someone who is entirely outside the bounds of law). While there is some debate as to why piracy warranted such vehement odium from civilization, the best arguments are: pirates have declared war against all of humanity and so shall humanity declare war on them; that the crime was outside the bounds and powers of a single state so is an everyone-problem; and finally (perhaps best) that piracy is not just a challenge to one state’s legitimacy but to the legitimacy of all of them.58Id. at 114–17 (analyzing the linguistic nuances of the original Latin phrase and all of Cicero’s possible motivations); see also id. at 119 n.29 (referencing an argument that really “pirate” was an ancient equivalent of “terrorist” in the political coalition-building sense). No matter which specific rationale was foremost in Cicero’s mind when he wrote those words, these themes are distilled as history progresses.
The Golden Age of Piracy was the next heyday of hostis humani generis, popularized by movies and classic literature featuring buried treasure and swashbuckling buccaneers. Yet the truth was often far more political. This was the age of Letters of Marque and Reprisal, official (but secret) endorsements of private parties to embark on state-sponsored piracy against other nation-states’ economic interests.59Id. at 119. The European powers’ use of piracy for their own economic and political gain would seem to directly contrast the rationale that piracy was subject to universal prosecution on the basis of some sense of heinousness.60See generally Kontorovich, supra note 27. Even those that did use privateers at this point rapidly moved to hunting them down within only a few short years. See Burgess, supra note 26, at 312–14. However, at least one scholar has posited that the heinousness justification remains even during state-sponsored piracy.61Luban, supra note 54, at 118–19. So, if the heinousness was not actually the acts of murder and mayhem on the high seas, what was? Professor David Luban lays out a theory that the actual act that allowed for universal jurisdiction on heinousness was lese-majeste—the threat and degradation of the respect, stability, and authority of the state.62Id. at 120. Luban directly addresses Professor Kontorovich’s thesis that piracy was not about heinousness, since the European powers would not have willingly harnessed piracy since it was so heinous. See Kontorovich, supra note 27, at 186. Instead, Luban argues that the incredible heinousness that lies at the center of hostis humani generis is lese-majeste, or the degradation of state authority is the heinous act. Luban, supra note 54, at 118–20. In such a way the European states, in their use of the piracy to further their own ends, avoided the actual heinous action by way of their use of sanctioned piracy that did not lessen the authority and stability of states.63Luban, supra note 54, at 120.
Moving forward, the nineteenth century saw the first expansion of the hostis humani generis designation beyond piracy, as the world’s nations attempted to contain the slave trade.64Id. at 122. As Professor Luban posits, “[t]he simplest route to punishing slavers was to declare them pirates” so that they could be boarded virtually at will.65Id. Burgess also argues that the shift from using privateers to hunting pirates in the eighteenth century stemmed from political motivations rather than the professed worry about the evilness of piracy. See Burgess, supra note 26, at 314. It seems that this is the beginning of the “evilness” focus of hostis humani generis as opposed to the threat that the condemned actions posed to state authority.66Luban, supra note 54, at 120–22. Luban makes the argument that philosopher Emer de Vattel, in his Law of Nations, may have laid the stage for an evilness justification. See id. at 120–23. However, it was not until states actually proscribed the slave trade that any actual change happened. Id. at 122. Luban argues that, basically, the legal convenience of being able to board a ship during peacetime if its crew were pirates justified expanding the doctrine to what is now regarded as being motivated by “evil” or “heinousness.” Id. at 122–23.
The post-WWII era sees the next major change in hostis humani generis. While the Nuremberg trials did not directly say that they relied on the doctrine—though the implication is clear—the prosecution of Nazi war criminal Adolf Eichmann did.67Id.at 123–24. The Eichmann court directly invoked hostis humani generis in its judgment of Eichmann.68Id. More tellingly, the Israeli Attorney General, Gideon Hausner, suggested a parallel between Eichmann and the biblical Cain, stating, “There are definitions of hostis humani generis. There are definitions of people of whom, in biblical language, it might have been said that they bore the mark of Cain on their foreheads.”69Id. In this way, the link between morality and the ability for all mankind to prosecute based on the egregious violation of that morality was solidified.70See id.
Finally, only verging on the modern era, does hostis humani generis become the formalized universal criminal jurisdiction. The 1856 Paris Declaration established universal jurisdiction over piracy and its evils.71Anna W. Gleysteen, Pirates of the Southern Ocean: Sea Shepherd, Greenpeace and the Implications of the Ninth Circuit Decision, 8 Geo. Mason J. Int’l Com. L. 349, 357 (2017). This codification of piracy and its jurisdiction was affirmed in the U.N. Convention on the Law of the Sea.72Id. Piracy was not, however, the only change in the universal jurisdiction arena. The passage of the Rome Treaty, creating the International Criminal Court, revolutionized international law and universal jurisdiction.73Leila Nadya Sadat, Redefining Universal Jurisdiction, 35 New Eng. L. Rev. 241, 245–46 (2001). It was this “sea change” moment that international law promulgation moved from treaties and contracts to “some other grounds.”74Id. Most significantly, it established that universal jurisdiction is appropriate when criminal activity rises to a certain level of harm or gravity.75Id. at 246. Combining this with the underlying historical rationale existing from Rome to Europe indicates that it is appropriate when the interests of international society are threatened as well.76Id.; cf. Luban, supra note 54, at 120 (indicating that hostis humani generis may have roots in preserving the state’s authority). Effectively, the underlying motivations must remain, even if the modern iteration of universal criminal jurisdiction codification does not directly reference them.
Therefore, while scholars may disagree with the origins and motivations of the original hostis humani generis, it seems that at least one underlying rationale likely remained the same: the preservation of the structures of authority in society. Furthermore, while the origins of universal criminal jurisdiction may not be entirely consistent with the thought that such jurisdiction is predicated on the heinousness of the act, it is still true that the international community regards that as a correct interpretation, which establishes it as an international norm and which, ironically, makes it legitimate.77Sadat, supra note 73, at 244. Thus, there are two possible justifications for the international community to assert and recognize universal criminal jurisdiction: state instability and heinousness. Does cybercrime, then, fit within those categories? First, we must establish what cybercrime is in relation to other forms of cyber action.
III. What is Cybercrime and How Current Jurisdictional Concepts Fail in Cyberspace
The internet is “a unique medium—known to its users as ‘cyberspace’—located in no particular geographical location but available to anyone, anywhere in the world, with access to [it].”78Menthe, supra note 30, at 70 (quoting Reno v. ACLU, 117 S. Ct. 2329, 2334–35 (1997)). This unique medium “challenges the centrality of territoriality” and “basic assumptions about what is ‘here’ and ‘there.’”79Jennifer Daskal, The Un-Territoriality of Data, 125 Yale L.J. 326, 329 (2015). This “unique medium” is a place that is unbounded by the conventional physical power of the state apparatus, which allows for a multitude of actions that would not normally be possible in the physical space, such as the instantaneous transfer of funds or communications across the globe, bounding in and out of a complex system of routers and networks until the information reaches its destination. These capabilities allow for what commentators have termed “cyberactions”80See, e.g., Christopher E. Lentz, A State’s Duty to Prevent and Respond to Cyberterrorist Acts, 10 Chi. J. Int’l L. 799, 809 (2010). or “cyberaggression.”81See, e.g., Stahl, supra note 2, at 270.
Cyberaggression is, however, too broad a concept for one legal regime—or Comment—to manage, and so it must be broken down into three subcategories: cyberwarfare, cyberterrorism, and cybercrime.82Id. This Comment solely addresses the difficulties in prosecuting cybercrime, but the relationship of cybercrime to its cousins of cyberwarfare and cyberterrorism must be addressed first to fully examine the problem. Cyberwarfare is offensive action taken by nation-states against nation-states, as a virtual extension of traditional military forays to “acheiv[e] advantages over a competing nation-state.”83Susan W. Brenner, “At Light Speed”: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 J. Crim. L. & Criminology 379, 401 (2007). Traditionally, the dichotomy between warfare versus terrorism and crime is best identified via an “internal versus external threat” framework.84Id. at 404. Under such a framework, an action that threatens the external order of a nation-state is classified as war,85There must be a noted caveat here that such indications of war are related to, but not sufficient for, the lawful use of military force under the United Nations’ Charter, which generally refers wartime determinations to the Security Council. U.N. Charter arts. 39, 59. whereas a threat to the internal stability of a nation state is either terrorism or crime.86Brenner, supra note 83, at 404. While this framework is unhelpful in parsing crime and terrorism, it does have the benefit of consistently allowing for the identification of warfare, given the “monopolization of territory and military force by nation-states.”87Id.
However, the traditional “internal versus external” framework begins to collapse upon the introduction of cyberspace, since that allows “non-state actors access to a new, diffuse kind of power” that “ends nation-states’ monopolization of the ability to wage war and effectively levels the playing field between all actors.”88Id. The key, then, to rejuvenating this framework is attribution—who initiated the cyberaggression and was it an attack89“Attack” in the sense of an initiation of warfare. or a crime? Of these two questions, the question of who initiated (either directly or via agents) the cyberaggression is the most determinative, since that establishes what parties swing into action against the aggression: either the state for an act of war by a state or law enforcement for crime or terrorism of individuals.90Brenner, supra note 83, at 436. This step is the most important for a jurisdictional analysis, since war is an entirely separate regime. Unfortunately, this analysis in the cyber world necessarily relies on inferences rather than the analogous hard data found in the physical world and will likely remain a murky area for some time to come.91See id. at 409–12, 425–27 (discussing the difficult steps to determine “attack origin” attribution (where the attack originated) and “occurrence” attribution as steps to find who initiated the attack); see also Off. of the Dir. of Nat’l Intel., A Guide to Cyber Attribution (2018), https://perma.cc/9N25-8Y5D (showing the DNI standards for attribution that deals with parsing the point of origin, the specific device or persona used, and the individual or organization that directed the activity to determine an attribution to varying degrees of confidence). Thus is the current conceptual boundary between players and legal regimes—laws of war and humanitarianism92Often referred to as jus ad bello and jus in bello respectively (controlling when a state may lawfully engage in warfare and what obligations that warfare imposes once so engaged). See generally Robert D. Sloane, The Cost of Conflation: Preserving the Dualism of Jus ad Bellum and Jus in Bello in the Contemporary Law of War, 34 Yale J. Int’l L. 47, 49–50 (2009) (describing the axiom). for warfare, and then domestic penal laws for crime and terrorism.
Cybercrime, the second category of cyberaggression and the first that threatens internal order, has been defined as “a crime committed on a computer network,”93Brenner, supra note 83, at 382. but that definition requires refinement. While many traditional crimes committed in cyberspace fit appropriately into that definition as “old wine in new bottles,”94Id. at 383. some crimes are fundamentally different or new. For example, one commenter points to an incident when a cybercriminal penetrated a hospital system, altered prescriptions, and almost killed a nine-year-old boy with a potentially lethal prescription.95Howard L. Steele, Jr., The Prevention of Non-Consensual Access to “Confidential” Health-Care Information in Cyberspace, 1997 Comput. L. Rev. & Tech. J. 101, 102 (1997). What can “traditional” law or investigative techniques do under such circumstances? A new definition, “use of computer technology to commit [a] crime” has been posited by Professor Susan Brenner,96Brenner, supra note 83, at 386. but that definition would likely lead to a more over-inclusive universal criminal jurisdiction than is wise.97Professor Brenner uses the example of forgery or counterfeiting as reasons to use the “computer technology” definition, but this Comment does not advocate for universal criminal jurisdiction of simple forgery, even if it does involve a computer. Id. at 385–86. Brenner’s use of a “‘pure’ cybercrime” may be a better definition, but that lacks an intuitive definition like the one this Comment uses. Id. at 385. Instead, this Comment uses a working definition of cybercrime, for the universal criminal jurisdiction context, as a crime, either traditional or modern, that is accomplished by the penetration, destruction, or damage of a computer network or system by way of another network, system, or device.98Cf. Kristin Finklea & Catherine A. Theohary, Cong. Rsch. Serv., R42547, Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement 4, 16 (2015) (explaining that there is no current universal definition, even amongst the U.S. government, on the definition of a cybercrime, and explaining the pitfalls, and likely need, in determining that definition). Albeit wordy, this definition preserves the need for a new jurisdiction over cybercrime—a hard-to-pinpoint, non-physical use of cyberspace to threaten networks that control everything from home temperature to global financial markets—while also not expanding potential universal criminal jurisdiction any farther than is absolutely necessary.
Cyberterrorism is the third category of cyberaggression, and the second type that threatens internal order. Terrorism, in general, is distinguished from crime by its motivations: terrorism is crime that is motivated for political, rather than individual, goals.9922 U.S.C. § 2656f; G.A. Res. 49/60, annex, Declaration on Measures to Eliminate International Terrorism (Dec. 9, 1994). This framework is not overly affected once introduced to cyberspace, since the crime-terror distinction is only apparent after the determination of motive. In effect, since a cyberterrorism event will naturally be treated as a crime until political motivation is shown, it would already fall under the universal criminal jurisdiction advocated for by this Comment.100Since terrorism is defined as a crime that is committed for political purposes, it is only natural to assume that an act is a crime, not terrorism, until a group claims responsibility or political motivations are made obvious. See Brenner, supra note 83, at 400. Once terrorism is determined (or the group responsible claims responsibility) it is likely that an entirely different justification would exist for universal criminal jurisdiction, given that terrorism itself may already be covered under universal criminal jurisdiction.101See James D. Fry, Comment, Terrorism as a Crime Against Humanity and Genocide: The Backdoor to Universal Jurisdiction, 7 UCLA J. Int’l L. & Foreign Affs. 169, 178–79 (2002). Therefore, given a particular cyberaggression event, the event is either: (1) an act of warfare subject to the various restrictions and abilities thereof; or (2) either cybercrime or cyberterrorism which would bring the culprit under universal criminal jurisdiction as advocated here. This clear, quick categorization would further the certainty and celerity of criminal prosecution of the actors and thus would create or strengthen the prosecutorial deterrence against cyberaggression that the world needs.102Cf. Mourtgos & Adams, supra note 21, at 480, 491–92 (showing that crime deterrence is heavily affected by the certainty of criminal prosecution and the celerity of case disposition and punishment).
A. Applying Current Territorial Jurisdictional Concepts
This Comment addresses solely cybercrime and its jurisdictional challenges and necessities; with this working definition we can move to evaluating the current jurisdictional principles currently in use. While there are six jurisdictional bases listed in Part I, in this Section they will be grouped into the larger categories of territorial and non-territorial bases. Neither category allows for a cohesive regime to address cybercrime since the jurisdictional bases, when taken together, either fail due to absurd overinclusion, or fail because no basis results in jurisdiction over possible cybercriminal acts.
The territorial bases for jurisdiction are the most favored, given that the sovereignty and enforcement challenges are the most limited in this sphere. The territorial theories are subjective territoriality and objective territoriality; both fail due to absurdity in the cybercrime context.
Subjective territoriality (henceforth just territoriality) is the theory that when the criminal act happens within a state’s territory, then that state has jurisdiction. Many cybercrimes are covered, and covered well, by this jurisdiction.103Menthe, supra note 30, at 74 (explaining that current theories can adequately handle situations where states forbid “on [their] own territory, the uploading and downloading of material [they] consider harmful to [their] interests”). Under what some commentators have termed uploader/downloader jurisdiction, when the crime is either specifically uploading or downloading information to or cyberspace within that state’s territory, the offense is adequately addressed by this theory and requires no additional legal regime changes.104Id. Examples of such conduct could be child pornography or online threats—these are “offense[s] ‘committed and consummated’ in the state where the uploader is located.”105Id. at 75. For example, child pornography is a crime often committed on the internet or with the aid of a computer network, but there is hardly a dearth of prosecutions of that crime. See Janis Wolak, David Finkelhor & Kimberly J. Mitchell, Child-Pornography Possessors Arrested in Internet Related Crimes: Findings from the National Juvenile Online Victimization Study 27 (2005). Such simple cybercrime, however, does not encompass all cybercrime. Hacking, DDoS attacks, viruses and other malware, etc., are not so well addressed by uploader/downloader jurisdiction, since their effects are much more widespread and have fewer physical ties.
Territoriality could be expanded to these types of crimes via what commenters call “territoriality of server” jurisdiction. Under the territoriality of server theory, the location where the server of the offensive data is located establishes jurisdiction, as that is now the “location” of the website.106Menthe, supra note 30, at 79. However, this would create inconsistencies and a patchwork cyber jurisdiction even worse than the one currently in use. The nature of the internet means that data packets are flung from various servers routed to the data’s eventual terminal location; would that indicate the state actors in all of these randomly assigned server locales have jurisdiction over that data’s activities?107Id. Additionally, many websites are located on several different servers at the same time, with data being pulled from all of them; under the territoriality of server theory each locale would have the same claim of jurisdiction at the same time, even though the utility of territoriality is simplicity and clarity.108Id. at 80; see also id. at 81 n.33 (“Picture a computer screen full of links, each one subject to the laws of at least one other jurisdiction, and the webpage itself subject to the law of its server on top of all that. Among other things, one shudders to consider the First Amendment analysis of a law criminalizing the HTML command, <a href = “www.university.edu/~homepage”>, or the random link.”). Finally, if the cybercrime at issue is the intrusion of another network for nefarious purposes, then the territoriality of server again presents a conflict of multiple sovereigns having jurisdiction over the same act for the same reason. Therefore, territoriality jurisdiction over the nonphysical cyberspace is unworkable.
Objective territoriality (referred to henceforth as “effects jurisdiction”) is another existing basis for jurisdiction across the internet. Under this theory, when an actor causes an effect in a place, that actor has brought themselves under the jurisdiction of that place.109See supra Part I. That, however, leads to, for example, a webpage being subject to every single country and locale’s laws all at the same time.110See Menthe, supra note 30, at 74–76. This troublesome result has, in fact, already happened at least once in Martiz, Inc. v. Cybergold, Inc.111947 F. Supp. 1328 (E.D. Mo. 1996). In Martiz, a federal district court relied on the fact that a webpage, uploaded out of state, was accessible and downloadable in the state of Missouri to conclude that the uploader was subject to Missouri’s laws.112Menthe, supra note 30, at 75–76 (examining Maritz). Under the district court’s reliance on a territorially based theory of jurisdiction, the entire planet could be under Missouri jurisdiction—all a person must do is post to the internet. In sum, effects jurisdiction would cause, as one commentator rightly described, “jurisdictional bedlam.”113Id. at 80–81. Finally, neither of the territorially based theories discussed here could function as the jurisdictional theory of cyberspace, since they often expose actors to jurisdictions without the actor knowingly subjecting themselves to that jurisdiction, which is the fundamental predication of territoriality.114See Perloff-Giles, supra note 9, at 205–06 (citing Daskal, supra note 79, 367–68).
The non-territorial based theories of jurisdiction, active and passive personality and the protective principles, also fail to adequately address cybercrime jurisdiction. The active personality theory has merit, though it does lack in enforcement options. Active personality jurisdiction depends on the nationality of the actor—their home sovereign has jurisdiction over their actions.115See supra Part I. However, active personality would cover, in a U.S.-centric view, only American cybercriminals. Given that the internet, as established in the Introduction, allows for the widespread use and availability of power and criminal activities, this would leave the United States unprotected from foreign actors on the internet. Other countries would also struggle to protect their institutions and systems from intrusion. Ergo the rapid and certain prosecution that prosecutorial deterrence depends upon would not be present.
Passive personality, the jurisdiction that depends on the nationality of the victim of crime, also has promise in the fight against cybercrime. However, this jurisdiction presents problems of attribution and comity. As discussed in Part II, attribution of both cyberaggression and cyberaggressor are difficult in cyberspace, but since that determination is also necessary to determine the appropriate legal regime in play, this concern plays a slightly lessened role. Comity, in contrast, is a very real problem for the passive personality principle. In essence, would the other nation, after hearing the adjudication of the affected nation, honor that decision?116Comity is the legal principle that “courts of one state or jurisdiction respect the laws and judicial decisions of other jurisdictions—whether state, federal or international—not as a matter of obligation but out of deference and mutual respect.” Comity, Legal Info. Inst., https://perma.cc/T53N-6XFQ. Given the ease for cybercriminals to move anywhere that allows for internet access, it is imperative that such criminals not have a safe haven in a state that refuses to extradite them. This, in effect, would require international cooperation on a scale that boggles the mind: extradition or comity treaties with all nations. If this was not enough of a hurdle, the passive personality principle does not recognize the harm that may come to non-victims of a cyberoffense. Even if a state or a computer system is not the entity directly targeted by a cybercrime or intrusion effort,
all of the benefits of information networks are at risk if the networks are not safe and secure. If users become unwilling to send their personal and credit card information over the Internet, e-commerce will not flourish. Similarly, citizens will not file their tax returns, bid on government contracts, or use other e-government services if they are afraid to use the networks.117Richard W. Downing, Shoring Up the Weakest Link: What Lawmakers Around the World Need to Consider in Developing Comprehensive Laws to Combat Cybercrime, 43 Colum. J. Transnat’l L. 705, 709 (2005).
Furthermore, any impact to financial markets would ripple across the international stage. Using the New Zealand example discussed above, if the attack had halted trading for longer, or worse, destroyed trading data, that would cause financial impacts across the globe. Nevertheless, under the protective principle, only New Zealand would have jurisdiction to prosecute the offender.
Finally, the protective principle affords sovereign states the ability to prosecute actors that threaten the integrity of that state itself. This is a disfavored principle based on the prosecutor’s invasion of state sovereignty, but it does allow for the prosecution of some criminals at least. However, much like both non-territorial theories above, it is underinclusive. Under this principle, if the criminals refrain from targeting the state and its institutions itself, they avoid prosecution. Using the New Zealand incident again, this theory would not apply at all since the stock market is not a state-run entity.
The individual theories clearly do not function on their own. Neither would they function if combined since each theory must be so constrained, to avoid the problems identified above, that the combination would be unworkable. The territorially based principles adequately cover simple uploading/downloading of information, but they can be extended no further due to the jurisdictional confusion that would result. The non-territorial based principles function well but are limited only to a country’s nationals unless that country obtains a comity or extradition agreement from another state.118This is an overarching sovereignty issue—when can a state reach into another state’s boundaries to prosecute an individual therein? All of the current jurisdictional theories save territoriality struggle with such concerns and represent perhaps the strongest general argument against them all. See generally Sadat, supra note 73, at 241. Unless every state extant were to sign mutual comity and extradition treaties—the only way to avoid a guaranteed safe haven for cybercriminals that would impact all of cyberspace—the prosecutorial deterrence that the international community needs will not function. Amusingly, if the international community—even just a majority of states—were to sign such treaties, these jurisdictional theories would no longer be needed because universal criminal jurisdiction would have been created.119See infra Part V.
B. Proposed Solutions and Their Shortcomings
This Comment is not the first to note that the current jurisdiction theories fail in cyberspace. However, other theories have their significant drawbacks. Generally, these theories involve expanding the current jurisdictional doctrine concerning international spaces or the creation of an international tribunal.120See Luban, supra note 54, at 130–37; Stahl, supra note 2, at 272. However, each of these solutions fail to adequately create the necessary certain and rapid prosecutions that are required for prosecutorial deterrence to function.121See Mourtgos & Adams, supra note 21, at 491–92 (showing that crime deterrence is heavily affected by the certainty of criminal prosecution and the celerity of case disposition and punishment). Additionally, any “technology-specific” solution would be, at best, a band-aid that risks being invalidated with every innovation.122See Andrea M. Matwyshyn, Of Nodes and Power Laws: A Network Theory Approach to Internet Jurisdiction Through Data Privacy, 98 Nw. U. L. Rev. 493, 495 (2004). Instead, there must be a flexible legal regime that can apply a broad spectrum of technology and innovation within cyberspace—the international spaces theory, international tribunal solution, and the implementation of universal criminal jurisdiction are three such flexible regime changes.
The international spaces jurisdictional theory, commonly referred to as flag-state jurisdiction, is the general legal regime in places such as space, the high seas, and Antarctica that is predicated on nationality of the individual.123Menthe, supra note 30, at 83. Darrel Menthe, in putting forward this theory, examines the treaties governing Antarctica, space, and the high seas to create an analogous legal structure that would govern cyberspace as the fourth international space.124Id. This theory recognizes that, fundamentally, people are the agents by which cyberspace is created and changed.125Id. at 93–95. So the sovereign to which the people are responsible to, based on traditional jurisdiction, still governs them and their actions in cyberspace much as the flag state still governs ships on the ocean, or nations that launch satellites are responsible for whatever they cause to happen.126Id. This theory also creates a “law of the sysop” that establishes a state’s jurisdiction over the actor who controls that section of cyberspace, similar to the territoriality of the server discussed above.127Id. at 82.
While this is likely a workable jurisdiction for civil causes of action, this theory fails when confronted with cybercrime. It still does not allow for the prosecution of a cybercriminal based outside a nation’s territory, since that nation would not be in control of either the originator or the sysop of that criminal’s network. Additionally, it would likely severely chill the free speech of those who wish to create a network or section of cyberspace on their own, since it could open them to liability via their own sovereign’s jurisdiction, if their section of cyberspace were to be used in a criminal fashion.128Id.
The second central theory for addressing cybercrime is the creation of either a standing, permanent international tribunal—likely the International Criminal Court or an analogous body129Stahl, supra note 2, at 272.—or an ad hoc tribunal for major occurrences. A standing tribunal has some merit but would pose large invasion-of-sovereignty issues and would require diplomatic steps that would make it a supplementary, rather than a core, element of cybercrime law. Ad hoc tribunals may work for large instances but would fail due to lack of consistent legal pressure on the criminal world.
There are large benefits to the creation of an international permanent body to adjudicate international cybercrime law. First, and most obvious, would be the ability to articulate international standards from a single body and establish global norms. Second, it would afford a forum for those affected by cybercrime to obtain (hopefully enforceable) redress, while also preserving domestic autonomy.130Id. Broad ratification and acknowledgement of such a treaty would go far in creating the requisite consistency of prosecution against cybercriminals that would further prosecutorial deterrence. Indeed, there are some indications that the International Criminal Court, ratified in 2002, does exert some deterrence against the crimes that it forbids.131Hyeran Jo & Beth A. Simmons, Can the International Criminal Court Deter Atrocity?, 70 Int’l Org. 443 (2016).
However, while the successes of the International Criminal Court are illustrative in the case for an international tribunal, so too are its failures. The most glaring is the limited power the International Criminal Court has over non-member states: Parties that have not ratified the Rome Statute empowering the International Criminal Court have not granted jurisdiction over their nationals.132Rick Noack, Why Does the Trump Administration Hate the International Criminal Court So Much?, Wash. Post (Apr. 5, 2019), https://perma.cc/9AAM-HL9F (discussing the United States’ nonratification of the Rome Statute and its refusal to allow jurisdiction, up to and including the revocation of International Criminal Court prosecutors’ visas). To the Court, those individuals remain outside its grasp. In the world of cybercrime, as discussed above, safe havens are anathema to the effective deterrence of cybercrime across the globe. Given that multiple nations refuse to ratify the Rome Statute concerning crimes that are almost universally regarded as heinous (genocide, war crimes, etc.), it would be relatively uncontroversial to assert that there would be nations that would not ratify a similar treaty over cybercrimes. Once that refusal happened, safe havens in those nations would inevitably develop and the tribunal would have no jurisdiction over those actors.
Furthermore, there are major logistic challenges to the implementation of a standing international tribunal: Would states retain the ability to prosecute independently? What definition should be used? And most importantly, what nation or entity is responsible for housing and punishing the offenders adjudged by the tribunal?133Cf. Barry Hart Dubner & Karen Greene, On the Creation of a New Legal Regime to Try Sea Pirates, 41 J. Mar. L. & Com. 439, 452–57 (2010) (examining analogous challenges to the maritime piracy regime). The first challenge would deal with how much sovereignty the nations would be willing to give up to a tribunal, though it would likely result in concurrent ability to prosecute cybercrimes.134Cf. id. That issue would not exist under universal criminal jurisdiction, since it is predicated on individual states prosecuting actors on their own and so does not force states to yield sovereignty to another body. The second challenge would require that the entire international community agree on a single definition of cybercrime and how to punish it—a large diplomatic ask.135Cf. id. That challenge would not hurt universal criminal jurisdiction, since the precise definition to use under universal criminal jurisdiction is left to the individual states, as long as it comports with the broad universal definition. Finally, the logistics addressing resource use are a large hurdle for an international tribunal to jump. Under an international tribunal, nations would not only have to give up portions of its sovereignty, but it would also be forced to award resources so that the tribunal would be able to function.136Cf. id. This would not be an issue under universal criminal jurisdiction: each country would be responsible for its own prosecutions and so would be incentivized (and able) to create domestic regimes to suppress the potential of cybercrime and create international regimes that do the same across the world.
C. Universal Criminal Jurisdiction Combats Cybercrime Effectively
Universal criminal jurisdiction is the best theory currently available to allow for the consistent prosecutorial pressure and rapid consequences of cybercrime so that global deterrence of this harmful activity can flourish. While some commentators regard universal criminal jurisdiction expansion into the cybercrime arena as highly unlikely,137Menthe, supra note 30, at 73. over the last century universal criminal jurisdiction has been codified and expanded to include far more offenses than it once supported;138See generally Rome Statute, supra note 29. there is no reason the same should not be done again for the sake of the twenty-first century and its unique challenges.
First, there are number of obvious similarities between cyberspace and the high seas that originally spawned hostis humani generis jurisdiction. Both spaces are “shared globally,” and a number of scholars have outright noted that “the legal challenges posed by cyberaggression are similar in many respects to the problems posed by piracy and other criminal activity on the high seas.”139Stahl, supra note 2, at 267; accord Julija Kalpokienė & Ignas Kalpokas, Hostes Humani Generis: Cyberspace, the Sea, and Sovereign Control, 5 Baltic J.L. & Pol., no. 2, 2012, at 132, 134. Both are spaces that do not provide for traditional assertions of sovereignty. The sea is ever moving and by necessity, must be available to every nation that has access to it under international agreement.140UNCLOS, supra note 55. Absent massive military undertaking, only small portions of the sea can be forbidden from any single nation. Similarly, cyberspace is an ever-changing nonphysical space that is created and manipulated by users all over the globe—absent massive government efforts and expenditures, it cannot be effectively walled off from its citizens.141See, e.g., Chinese App Helps Users Bypass Great Firewall – Then Disappears, Bloomberg News (Oct. 11, 2020, 8:40 PM), https://perma.cc/QJ9X-3GGC (“Mainland Chinese commonly use VPNs to bypass the Great Firewall—the name given to the blockade of an array of foreign internet services from Gmail to Twitter that’s stood for over a decade.”).
Second, the justification and rationale behind universal criminal jurisdiction from its birth and its current iteration support the extension of universal criminal jurisdiction to cybercrimes. Universal criminal jurisdiction has two general motivations, as determined by its history and the modern legally binding documents142See, e.g., Rome Statute, supra note 29. that describe it: heinousness of the action and the actions threat to the stability and authority of states. Cybercrime may tenuously achieve the first justification, but it certainly exhibits the second.
While professors Luban and Kontorovich argue persuasively that the real reason behind universal criminal jurisdiction was never about some mythic heinousness of action beyond that of lese-majeste, that is nevertheless the international understanding, and so that is the international law.143See Rome Statute, supra note 29; Princeton Project, Principles, supra note 29. While cybercrime represents a truly horrific loss of money—between $375 and $575 billion annually144Sandle, supra note 14.—that is likely not the type of heinousness that the Chief Prosecutor of the Nuremberg Trial and later-Justice Robert Jackson meant when he decried wrongs “so calculated, so malignant, and so devastating, that civilization cannot tolerate their being ignored, because it cannot survive their being repeated.”145Robert Jackson, Opening Statement Before the International Military Tribunal (Nov. 21, 1945), https://perma.cc/JL2 F-X2E8). However, there is still a very real human cost in the destruction of financial markets, in the loss of billions across the globe, from potentially one non-state actor. It is, still, unlikely to fit this justification.
The second rationale, the threat to state order and authority, however, cybercrime fits exceptionally well. The ability for a cybercriminal to escape the bounds of a nation—to jump into the territorial bounds via cyberspace, cause damage, and then leap instantaneously back away—threatens the integrity of states and their ability to protect their own citizenry from such predations. The Stuxnet incident shows this quite well: an unknown entity (many have fingered the United States,146Ellen Nakashima & Joby Warrick, Stuxnet Was Work of U.S. and Israeli Experts, Officials Say, Wash. Post (June 2, 2012), https://perma.cc/6RJ5-DT8Q. but due to ambiguity and so that this incident remains in the cybercrime arena, let it be by an unknown non-state actor) introduced a virus into the system that controlled the Iranian Natanz facility’s uranium enrichment centrifuges.147Kim Zetter, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, Wired (Nov. 3, 2014, 6:30 AM), https://perma.cc/69ER-5A3S. The virus began to take down the centrifuges, much to the bafflement of the technicians.148Id. This is just one example of the ability for unknown foreign actors to destabilize a state—even the most secret of programs—by way of a cyberattack. Stuxnet has since evolved, and been evolved, to attack multiple other state functions across the globe.149See What Is Stuxnet?, McAfee, https://perma.cc/3GRU-XEVG (showing that Stuxnet has been modified to multiple other programs that target power production, aviation, defense, pharmaceuticals, and other industries and infrastructure across the world). Even just this one program, or its derivative, could bring markets, communities, and nations to their knees—let alone some financial attack. If these examples do not constitute a threat to state security and authority, nothing does.
However, universal criminal jurisdiction does not provide a panacea to the global cybercrime problem. It presents a deep challenge to state sovereignty and poses a risk of under-prosecution should states find it to be too expensive. Henry Kissinger, former U.S. Secretary of State, aptly noted that it was a threat to state sovereignty, and that over-politicization by states could open the door to fundamentally wrong proceedings.150Henry Kissinger, The Pitfalls of Universal Jurisdiction, Foreign Affs.,July/Aug. 2001, at 86, 96. Mr. Kissinger is correct that this type of jurisdiction threatens state sovereignty, giving the power over a state’s nationals over to a foreign state. However, this is unavoidable in the cybercrime arena. No matter the regime, some state sovereignty will be violated; the key in this context will be mitigating the violation of that sovereignty to the bare minimum. In this case, in comparison to the free-flowing jurisdictions of the traditional six and the absolute sovereign takeover present in an international tribunal, universal criminal jurisdiction currently offers the best method to mitigate the sovereignty issues present. The quasi-democratic way of its foundation, paired with domestic lawmaking, gives states that ability to limit universal criminal jurisdiction appropriately and allows them to formulate domestic policy to limit as much exposure to foreign agents as possible. If universal criminal jurisdiction could be established such that universal criminal jurisdiction is jurisdiction of last resort, that would create a regime where a state had power over its own citizens that commit cybercrime, to do with what it wills, unless that state abrogates its duty.151The common treaty principle of aut dedere aut judicare (prosecute or extradite) would be particularly useful here. Cf. Rome Statute, supra note 29, 2187 U.N.T.S. at 100–01 (empowering the International Criminal Court to prosecute only when a home state refuses to).
Second, the resource challenges against the states are noticeable. At some point, someone will have to pay for the prosecution and punishment of cybercriminals. However, this is not a challenge unique to universal criminal jurisdiction, but inherent to any penal regime. If anything, it allows states to choose when to prosecute foreign nationals that it gains control of, how and if to spend resources to mitigate its own citizens’ liabilities and allows the state to abrogate its prosecutorial duty in favor of other prosecuting states if they so wish to proceed.
In sum, the rationales behind universal criminal jurisdiction, both historical and modern, at least reasonably support its extension into cyberspace. Necessity strongly supports its extension. However, while it would likely be effective, it would also lead to serious threats, most notable sovereignty violations. If states work together early to carefully craft an appropriate universal criminal jurisdiction, such issues can be mitigated.
IV. Current Internet Criminal Jurisdiction in the United States
The next area for examination concerns the present state of internet jurisdiction here in the United States. As stated above, this Comment primarily addresses the jurisdiction to prescribe and to adjudicate violations of those prescriptions. In the United States, jurisdiction to adjudicate criminal matters, contrasting to civil jurisdiction, is relatively simple. The Sixth Amendment to the U.S. Constitution requires that a criminal defendant be present at criminal proceedings “to be confronted with the witnesses against him.”152U.S. Const. amend. VI. The jurisdiction to prescribe internet conduct, however, is a far more complicated matter.
In the United States, courts must analyze two overarching restraints on the prescriptive authority of Congress. First, Congress must be authorized to prescribe such conduct by the Constitution. Second, the Constitution states that a criminal defendant may not “be deprived of life, liberty, or property, without due process of law.”153Id. amend. V. It is this second restraint, Due Process, that courts grapple with most frequently when confronted by cyber-conduct.154See Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. Pa. L. Rev. 1003, 1092 (2001). It must be noted that when conduct occurs solely within the territorial bounds of the United States, these internet jurisdictional challenges simplify considerably. In such cases, the only difficultly, at least for federal law, would be venue.155Cf. supra Part I. This Part deals with the far more difficult conduct which requires a change in jurisdictional regime: extraterritorial internet conduct.
A. Constitutional Empowerment
The Constitution gives broad, but not unlimited, powers to Congress to prescribe conduct in general. Perhaps the most well-known of these powers lies in the Commerce Clause, for example, allowing Congress “[t]o regulate commerce with foreign nations, and among the several states.”156U.S. Const. art. I, § 8, cl. 3. However, given that this Comment does not advocate for new criminal statutes—only their expanded jurisdictional reach—it is assumed going forward that existing criminal statutes that are already empowered by Congress continue to be so empowered on the internet.157Should the solution advocated here be achieved, Congress would also have the power under the Constitution to prescribe such cybercrime, because such crime would then become an offense under the Law of Nations. See U.S. Const. art. I, § 8, cl. 10. See generally Colangelo, supra note30, at 137–42.
However, in applying those duly empowered statutes to the internet, courts must police new rules. The first is the presumption that no statute has extraterritorial effect unless Congress affirmatively and expressly states that it wishes that statute to apply extraterritorially.158EEOC v. Arabian Am. Oil Co., 499 U.S. 244, 248 (1991). This could, however, also be satisfied if an actor purposefully targets an entity in the United States, even absent a violation of a congressionally extended statute. See United States v. Muench, 694 F.2d 28, 33 (2d Cir. 1982). The second, and more important in this context, determination courts must engage in concerns international law. The courts will read all legislation to comport with international law as closely as possible, absent clear intention to the contrary—this is known as the Charming Betsy canon.159Murray v. Schooner Charming Betsy, 6 U.S. 64, 118 (1804). In 2013, the D.C. Circuit examined a criminal case concerning an extraterritorial defendant accused of conspiracy to commit piracy.160United States v. Ali, 718 F.3d 929, 939–41 (D.C. Cir. 2013). That court found that while piracy was a universal crime, and thus prosecution comported with international law, conspiracy was not.161Id. at 941–42. Therefore, under the Charming Betsy canon, the court dismissed that charge.162Id. at 942. It must be noted that the court also held that Congress could override this presumption if so expressly stated—it just did not here. Similarly, in a cybercrime prosecution, a court must establish whether the prosecution is allowable under the jurisdictional bases listed above, unless Congress expressly stated to ignore international law.
There is another power limitation on Congress in the internet extraterritorial sphere, though it is a subtle one. All prosecutions inherently begin in the executive branch. Foreign policy is also held within the executive.163This Comment recognizes the controversial nature of this statement. However, for clarity and length, this complicated and contentious debate is here reduced to this statement. Thus, there must be a combination attempt of both the legislative branch and the executive branch to both prescribe internet conduct and to prosecute such conduct.164See Colangelo, supra note 30, at 156–57. This is not, however, part of the judicial analysis and will not be further addressed.
B. Due Process Limits of Jurisdiction
The second, and far more complicated, limitation to such extraterritorial application of domestic law to the wide expanse of the internet concerns Due Process limitations.165See generally id. at 158–62 (explaining the uncertainties concerning whether the Fifth Amendment applies to all, some, or no such defendants under the United States v. Verdugo-Urquidez decision). The current jurisprudence concerning extraterritorial Due Process has established that the exertion of jurisdiction over an extraterritorial defendant must not be neither arbitrary nor unfair.166Id. at 158–63 (examining a plethora of federal circuit decisions to determine the Fifth Amendment test). The next question stemming from this requirement is, what are the definitions of arbitrary and unfair?
The most recent test for arbitrary and unfair in the extraterritorial context stems from a case heard by the U.S. Court of Appeals for the Ninth Circuit.167United States v. Davis, 905 F.2d 245, 248–49 (9th Cir. 1990); Colangelo, supra note 30, at 162–63. That test revolves on whether the defendant had a sufficient nexus such that no arbitrariness or unfairness was present.168Colangelo, supra note 30, at 163; see also United States v. Yousef, 327 F.3d 56, 111–12 (2d Cir. 2003) (adopting the Ninth Circuit’s test). The Ninth Circuit held that if a defendant aimed or targeted activity into the United States, then there was a sufficient nexus to prosecute under domestic law.169Davis, 905 F.2d at 249. In that case, the Ninth Circuit lays out an excellent overview of that Circuit’s decisions regarding the international jurisdictional principles. See generally id. at 249 n.2. The Second Circuit has adopted a similar theory concerning the target of the offensive conduct.170Yousef, 327 F.3d at 111–12.
Under this nexus framework, internet jurisdiction is a morass. A court must determine whether an extraterritorial cybercriminal purposefully targeted the United States or an entity within the border. As discussed above, such attributions and determinations in cyberspace are difficult. Additionally, this leaves a number of cybercriminals—having harmed or affected the United States without directly targeting her—outside the bounds of this Due Process restriction.171See Colangelo, supra note 30, at 163–65.
A second understanding of arbitrary and unfair is held by the Fifth Circuit. In United States v. Suerte,172291 F.3d 366 (5th Cir. 2002). the Fifth Circuit determined that the correct limit of arbitrary and unfair was in fact based on notice.173Id. at 377. Colangelo persuasively argued that all of the Due Process analysis is actually motivated by a notice framework, even though some courts do not identify it as such—given that it is borrowed from Fourteenth Amendment jurisprudence. See Colangelo, supra note 30, at 165–66, 171. This far more expansive view is clearer than the nexus test, but still has some ambiguity based on when an individual is on notice that his or her conduct is prescribed by the United States.
Thus, the current jurisdictional framework to analyze internet crimes is to effectively ignore the internet part of it. Once an internet crime occurs, a court must determine if the whole crime was conducted and consummated within the territorial borders of the United States. If that is the case, the fact that it was an internet crime ceases to matter, and standard jurisdictional principles prevail.174This is basically the uploader/downloader circumstance described in Part III. If, however, the conduct is extraterritorial in nature—being perpetrated across the internet and through national borders—then the courts must continue its analysis. First, the court must determine if the statute applies extraterritorially. Next, the court must establish whether the prosecution of the defendant is allowed under Due Process. That test might be based on the nexus test or the notice test. Both tests become even more complicated than usual when applied to cyberspace due to a lack of hard data that might normally exist in the physical world. Additionally, each test may potentially leave out criminals that have harmed the United States or one of her citizens. How, then, would the implementation of cyber universal criminal jurisdiction change this framework?
C. Implementing Universal Criminal Jurisdiction in the United States
If universal criminal jurisdiction were expanded to include cybercrime, then the courts would no longer have to deal with the underinclusive and over-complicated Due Process challenges present under the current regime. Instead, once the determination that a universal cybercrime had been committed, it is inherently not unfair or arbitrary to prosecute such an individual, for two reasons.
First, if the correct Due Process framework is based on notice, then the fact that cybercrime is a universal crime means that all individuals and entities are automatically on notice that their conduct is forbidden.175Colangelo, supra note 30, at 166–68. Second, the international nature (and universal condemnation) of such offenses indicate that national Due Process challenges are of no concern, since the prosecuting state becomes merely a vessel to carry forth what is regarded as universal justice that all actors are always subject to.176See id. at 168–73. Colangelo examines a multitude of cases, even in Circuits that cleave to the nexus test, that disregard Due Process challenges based on invocation of universal criminal jurisdiction. Id.(examining United States v. Furlong, 18 U.S. 184 (1820), United States v. Caicedo, 47 F.3d 370 (9th Cir. 1995), and United States v. Martinez-Hidalgo, 993 F.2d 1052 (3d Cir. 1993), and finding that each support such a bypassing of the Due Process challenge).
There are also indications that a statute predicated upon the Foreign Offenses Clause177U.S. Const. art. I, § 8, cl. 10. This clause allows for the prosecution of offenses against the Law of Nations. may, definitionally, disavow a nexus-based test for Due Process.178Colangelo, supra note 30, at 173–75 (examining Suerte, 291 F.3d at 372). Since any crime covered under universal criminal jurisdiction would inherently be tied to the Foreign Offenses Clause as a violation of international law, then there would be no reason to even venture down any such nexus test. In sum, the utilization of universal criminal jurisdiction would allow for a clearer prosecution both for the courts and for defendants. As opposed to complex analyses that may change based on the court—this allows for the notice that such offenses are always within the prescriptive and adjudicative jurisdiction of United States’ courts. How, then, can international law be changed to expand universal criminal jurisdiction?
V. Sources of International Law and How It Could Be Changed to Allow Universal Criminal Jurisdiction
International law is a bit of a misnomer. International law is comprised of the general customs and principles of the international community that have become ingrained to the community’s fabric so much that it has become law itself.179See, e.g., Statute of the International Court of Justice, art. 38, ¶ 1, June 26, 1945, 59 Stat. 1031, 33 U.N.T.S. 993. In that way, this is rather akin to formalized, and binding, policy. Sources of international law include conventions, customs, general principles recognized by the community, and judicial opinions by highly regarded jurists.180Id.; Restatement (Third) of Foreign Relations Law § 102 (Am. l. Inst. 1987). Given its fluid nature, other scholars have described international customary law as general state practices which result or stem from a sense of duty or obligation of a state (opinio juris).181Colangelo, supranote 30, at 131.
The birth of international law was at the Peace of Westphalia, which established the equal-sovereigns regime that underpins most of this analysis.182Menthe, supra note 30, at 87 n.59. This concluded the Thirty Years War and is regarded as the birth of the modern nation-state. In subsequent years, two types of international law have developed: treaties (which bind only signatories) and the set of broadly applicable rules that govern international actors, generally termed international customary law.183Colangelo, supra note 30, at 131; see also id. at 131 n.75 (noting that some “persistent objector” states may not be bound by the objected-to customary laws). The principles that govern jurisdiction are part of this second, binding group. However, since this type of law is created by the group mind, binding law can be changed by large international agreement via treaties, conventions, or by broad acceptance of decisions by bodies that have been delegated the authority by the international community to decide controversies, like the International Court of Justice.
Thus, there are two ways that universal criminal jurisdiction may be implemented: a treaty so big as to actually change the scope of international thought,184See, e.g., id. at 177–82 (explaining that the broad acceptance of international treaties against terrorism may have manifested universal agreement with a norm against terrorism, and established it as subject to universal criminal jurisdiction). or a decision from an international body that is regarded as an arbiter of international customary law, such as the United Nations General Assembly or the Court of International Justice.185A mere decision or resolution from these bodies is not sufficient; there must also be widespread acceptance of the announced standards as international customary law. Thus, the best way to shift the current status quo with regard to universal criminal jurisdiction may be a resolution by the United Nations or a near-global treaty since that would allow for the tailoring of a careful version of universal criminal jurisdiction that would avoid the pitfalls mentioned in the previous Part.
It is axiomatic to state that the law is generally behind the times. Nowhere is this truer than the modern state of jurisdictional law on the internet. Perhaps the best solution yet available to the international community is the utilization of a theory that has its origins in venerable Rome, which has progressed throughout the centuries to form the basis of the International Criminal Court. The current challenge facing the law in its fight across the ports of cyberspace is similar to the challenge faced in the Golden Age of Piracy: an offense that threatens the structural order of society, and that remains unbounded by territory or state power. Universal criminal jurisdiction offers an effective solution to these problems concerning the removal of cybercriminals and the prevention of a safe-haven forming, while also allowing the various states to formulate their own domestic policy.
That is not to say that there are not pitfalls and dangers in the utilization of universal jurisdiction. The risk to state sovereignty is great, as well as the concomitant risk of international incidents from the offense caused by overzealous use of universal criminal jurisdiction.186See, e.g., Kissinger, supra note 150, at 90–92. After all, universal jurisdiction, by design, is meant to override state sovereignty and provide remedy when states fail to act—or cannot do so.187Kontorovich, supra note 27, at 184. However, the inherent protections of a doctrine predicated on international acceptance, as well as the cost both financially and diplomatically in difficult or unwise prosecutions, should serve to curb any untoward usurpations of sovereign rights.
The internet has fundamentally changed the way society interacts—faster communication, collaboration, and dissemination of knowledge has revolutionized the world. This has also created a new for a revolution in the law. While current jurisdictional schemes may continue to avail the legal community for the moment—barely—the inevitability of continued innovation and change mandates the community create a new and robust way to solve the growing challenges that face the justice system in this new Cyber Age. Currently, the best solution for a robust new legal regime is universal criminal jurisdiction, providing an effective, decentralized prosecuting ability to all nations that does not require a large cession of sovereign jurisdictional rights.