Status regarding Budapest Convention
Status : Party Declarations and reservations : See https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/declarations?p_auth=z2YadrUR See legal profileCybercrime policies/strategies
The United States Government has developed comprehensive strategies to counter malicious cyber threats, including criminal cyber activity. These include:
- The National Cyber Strategy issued by the United States Government in September 2018, which set forth clear objectives to counter malicious criminal threats, including modernizing surveillance and computer crime laws and reducing threats from transnational criminal organizations.
- The Department of Justice report published in July 2018, which focused on countering malicious cyber activity, including detecting, deterring, and disrupting cyber threats, and improving the government’s response to cyber incidents.
- The U.S. Department of Homeland Security (DHS) Cybersecurity Strategy, published in May 2018, which highlighted DHS’s approach to reduce cybersecurity risks, vulnerabilities, and threats.
In addition, a key strategic objective of the Federal Bureau of Investigation (FBI) is to investigate and mitigate cybercrime by “leveraging innovative techniques and tools” and “making full and effective use of legal authorities.”
Cybercrime legislation
State of cybercrime legislation
The United States enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in March 2018 to speed access to electronic information held by U.S.-based global providers that is critical to our foreign partners’ investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime. The CLOUD Act is designed to permit our foreign partners that have robust protections for privacy and civil liberties to enter into bilateral agreements with the United States to obtain direct access to this electronic evidence to fight serious crime and terrorism. For more information about the CLOUD Act, please consult the DoJ CLOUD Act resource page.
Substantive law
The primary federal criminal law to combat cyber threats is the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Enacted by Congress in 1986, the CFAA criminalizes various computer- and network-related criminal activity, including the unauthorized access of computer systems, unauthorized damage and destruction of computer systems, illicit trafficking in passwords, and cyberextortion. Other statutes address specific forms of cybercrime, including cyberstalking (18 U.S.C. § 2261A), identity theft (18 U.S.C. § 1028), and the illegal interception of communications (18 U.S.C. § 2511).
Procedural law
Passed in 1986, the Electronic Communications Privacy Act (“ECPA”) regulates how federal and state law enforcement can obtain access to certain electronic evidence. The stored communication portion of ECPA, 18 U.S.C. §§ 2701-2713, governs access by the government to stored communications, records, and subscriber information held by covered providers, such as Internet service providers, email and social media companies, and telephone companies. The government may utilize warrants and other legal process pursuant to Section 2703 to compel covered providers to disclose records, while Section 2702 regulates how a provider may disclose the records voluntarily to the government. With respect to the prospective collection of electronic evidence, ECPA updated the Wiretap Act, 18 U.S.C. §§ 2510-2522, to permit law enforcement to obtain warrants to intercept electronic communications. In addition, ECPA included the Pen Register/Trap and Trace Act, 18 U.S.C. §§ 3121-3127, which allows law enforcement to obtain court orders for the prospective collection of non-content dialing, routing, and signaling information associated with communications.
Safeguards
Fundamental rights and freedoms are enshrined in, and protected by, the Constitution of the United States. Most notably for purposes of this document, the Fourth Amendment to the Constitution protects the right not to be subject to unreasonable searches and seizures. This amendment requires that law enforcement obtain a warrant based on probable cause before the government can search a person or her house and effects. Additional safeguards exist in ECPA, the Privacy Act of 1974, as amended by the Judicial Redress Act, and other statutes, regulations, policies, as well as guidelines, such as the Attorney General’s Guidelines, that ensure that law enforcement operates in accordance with the Constitution. For information about data protection and privacy laws that apply to U.S. Government agencies, please see Federal Privacy Council, Law Library.
Specialised institutions
While many U.S. federal and state law enforcement agencies have units specialising in cybercrime, the following units counter criminal cyber activity at the national and transnational levels:
- The Department of Justice Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division, and the Counterintelligence and Export Control Section (CES) of the National Security Division.
- FBI Cyber Division
- U.S. Secret Service Cyber Operations unit
International cooperation
Competent authorities and channels
MLA authority in the absence of other treaties (Art. 27)
Office of International Affairs,
US Department of Justice, Criminal Division,
Washington, D.C., 20530
Authority for extradition and provisional arrests in the absence of other treaties (Art. 24)
N/A
24/7 Point of contact (Art. 35)
Computer Crime and Intellectual Property Section (CCIPS)
US Department of Justice, Criminal Division,
Washington, D.C., 20530
Jurisprudence/case law
United States v. Jones (2011) was a landmark United States Supreme Court case which held that installing a Global Positioning System tracking device on a vehicle and using the device to monitor the vehicle's movements constitutes a search under the Fourth Amendment.
Riley v. California (2014) was a landmark United States Supreme Court case that held that the warrantless search and seizure of a cell phone during an arrest is unconstitutional.
Carpenter v. United States (2018) was a United States Supreme Court case which held that law enforcement must obtain a warrant to collect historical cell site location information for more than seven days.
Sources and links
Report of the Attorney General’s Cyber-Digital Task Force
Computer Crime and Intellectual Property Section
Office of International Affairs
Office of Privacy and Civil Liberties
Counterintelligence and Export Control Section
U.S. Secret Service Cyber Operations unit
Computer Fraud and Abuse Act (CFAA)
Privacy Act of 1974, as amended, 5 U.S.C. § 552a;
Electronic Communications Privacy Act (ECPA)
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.