Despite the many benefits of new and emerging information technologies, malicious actors have utilised these innovations to engage in illegal activities online. Cybercrime transcends geographical borders because such illicit conduct can be committed remotely. An example of this is when a foreign national steals personal information by hacking into another person’s computer that is located in Australia. This example illustrates that there is no need for the offender and victim to be in the same location. The interesting issue that arises is whether a hacker based overseas can be brought to Australia and be prosecuted for their actions.
Extraterritorial application of computer offences
Gaining unauthorised access into someone’s computer can amount to several different computer offences under part 10.7 of the Criminal Code Act 1995 (Cth) (Criminal Code). These offences have extraterritorial application. Sections 476.3 and 15.1 Criminal Code stipulate that all computer offences under part 10.7 Criminal Code have “extended geographical jurisdiction”.
Consequently, a hacker overseas is guilty of a computer offence if:
- The conduct constituting the alleged offence wholly or partly occurred in Australia or on board an Australian aircraft or ship; or
- The conduct constituting the alleged offence occurred wholly outside Australia and:
- a result of the conduct occurred wholly or partly in Australia or on board an Australian aircraft or ship; or
- at the time of the alleged offence, the person is an Australian citizen; or
- at the time of the alleged offence, the person is a body corporate incorporated under Australian law.
In other words, the effect of the Criminal Code extends Australia’s criminal jurisdiction to prosecute illegal conduct beyond its geographical borders. The transnational character of these computer offences means that hackers do not escape criminal liability just because they reside in a different country.
Thus, a cybercriminal who gains unauthorised access into a computer located in Australia falls within the ambit of section 15.1 Criminal Code because the conduct constituting the alleged computer offence would have occurred wholly outside Australia and a result of such conduct would have occurred in Australia.
Extradition of cyber criminals
Given that computer offences under part 10.7 Criminal Code have extraterritorial application, hackers located overseas face the risk of extradition to Australia. The Extradition Act 1988 (Cth) (EA) sets out the extradition process for persons located in foreign jurisdictions to Australia.
A request for an alleged hacker’s extradition from another country to Australia can only be made by or with the authority of the Attorney‑General. The person named in Australia’s extradition request must also be an “extraditable person” as defined under section 6 of the EA. Satisfaction of this definition requires:
- The valid issuance of an arrest warrant in Australia;
- The alleged offence to be an “extradition offence”; and
- The person to be located outside of Australia.
An “extradition offence” in relation to Australia is an offence for which the maximum penalty is imprisonment for a period of not less than 12 months. Thus, all the computer offences under part 10.7 Criminal Code are “extradition offences” because the stipulated maximum penalty for each is beyond the 12 month threshold.
If the Attorney-General approves the extradition request, it is sent to the foreign country through the proper diplomatic channels for their consideration. The foreign country will then conduct an extradition hearing according to their laws to decide whether they will comply with Australia’s request. Furthermore, a foreign country that already has an extradition treaty with Australia must also follow any set criteria or procedures. For example, a particular extradition treaty might specify ‘dual criminality’ (which requires the alleged conduct to constitute an offence in Australia and the foreign country) as a mandatory consideration that must be satisfied before an alleged cybercriminal is surrendered to Australia.
If Australia’s request is granted, the Attorney-General’s Department will liaise with the foreign country to arrange for the hacker’s extradition.
It is clear that emerging information and communications technology has allowed offenders located in other jurisdictions to commit cybercrimes against Australian citizens. However, the extraterritorial reach of our cybercrime laws and our increasingly streamlined extradition arrangements with other sovereign states has meant that Australia is able to prosecute cybercriminals and prevent them from escaping liability.