International Issues: Cybercrime

Internet Alliance Comments
On Council of Europe, Draft Convention on Cyber-crime
(Draft No.19)

The Internet Alliance welcomes the opportunity to join in the discussion of the application and enforcement of criminal laws relating to "cybercrimes" across national boundaries in the digital environment. Embedded in this discussion are some of the most challenging issues posed by the rise of the Internet and similar networks. These issues arise from the quest for consistent rules governing conduct that often ignores the physical borders of nations, while at the same time respecting individual States' sovereignty, and while preserving and nurturing vital limiting values, chiefly human and commercial rights, that have not always been applied consistently around the world. The IA commends the Council of Europe and other participants for stepping forward to meet some of these questions head on. We submit the following comments to its latest public draft, no. 19, in the hope that they will add to the process a unique viewpoint and will be received, as they are rendered, in a spirit of constructive participation.

Our focus is the promotion of consumer trust and confidence in the Internet through the promotion of good business practices, consumer education and empowerment, vigorous enforcement of existing laws against crime online, and narrowly-tailored government regulation when necessary. We recognize that a digital medium which cannot offer its users security and predictability will never become a major conduit for commercial activity. Thus, part of our mission is cooperation with law enforcement agencies to increase their capacity to identify and bring to justice cybercriminals.

In particular, we emphasize practical industry initiatives, such as our new partnership with Interpol to craft and disseminate audiovisual training materials to help law enforcement officials gain a basic understanding of the Internet environment and a basic set of forensic skills applicable to the investigation and prosecution of cybercrimes. In the United States, we have urged that additional federal funds be made available for increased training, equipment and interagency cooperation, including international cooperation.

Similarly, we encourage governments to be guided by a workable and practical, rather than a theoretical or purist, approach to regulating conduct on the Internet and similar networks.

IA's analysis, advice and activities on behalf of the consumer Internet industry in the law enforcement and security context are further elaborated in its recent White Paper, which we attach to these comments for the Council's further review.

From this vantage point, then, the Internet Alliance suggests several concepts that it urges be reflected in the final COE draft treaty.

• Online crimes by and large are the same as offline crimes, simply carried out through a new medium. Thus, existing laws are usually sufficient to protect society from crimes in the digital environment. Exceptions should be addressed by narrowly targeted legislation or regulation.

• Service providers should expect to respond promptly and fully to law enforcement's formal and lawful requests for assistance, whether authorized by domestic law or by international treaty. However, they should not effectively be forced to monitor the activities of users or to become agents of government in fulfilling the police functions of the state.

• The treaty should not require or authorize signatories to impose design or technical requirements on computer systems within their jurisdiction.

• Treaty provisions should be crafted with care and specificity to avoid making illegal those changes to data or data traffic which are the result of ordinary network operations.

• The treaty submitted to the COE and others will do much good if it focuses on subject areas where there is a general agreement on standards and procedures. It should avoid or defer issues rather than trying to force consensus prematurely. We may reasonably expect that further consideration, further experience, and the rapidly changing nature of technology and user practices, will lead to better resolutions of such issues in the future, while sacrificing little real protection of society in the meantime.

Specific Comments on Draft 19:

1. We concur with the draft's avoidance of the regulation of content under criminal laws, with the exception of child pornography, which presents something of a special case. Content-control laws are traditionally grounded in emotionally explosive cultural-specific contexts. So far, content-control laws continue to elude attempts to craft international consensus. While they may ripen as subjects for treaty action in the future, it seems best that they be set aside for the present.

2. The requirement of Chapter II, Section 1, Title 5, Article 13 (Sanctions and Measures) must be considered carefully, as acknowledged in Footnote 21, including with respect to Mutual Assistance under Article 21. For example, deprivation of liberty and extradition are significant penalties and deterrents to criminal behavior, and should be targeted and used carefully in selective types of crime.

3. Chapter II, Section 1, Title 5, Article 4 (Data Interference) and Article 7 (Computer-related Forgery) are both salutary in intent and, when implemented, will improve the Internet experience for consumers in a number of respects. However, they also raise the sensitive issue of anonymity. The IA feels that the present and future ability of Internet users to communicate or navigate the Internet anonymously if they so desire must be preserved, so long as the practice involves no deceit. Consider, for example, the routing of a message through an "anonymizer service" which may typically strip out information of origin and, with substitute (but genuine) routing information, perhaps with no entry in the email "sender" line, return the message into the Internet packet stream for delivery to its intended recipient. In such a case, it is apparent to the recipient before opening the message that it comes from one who prefers to remain anonymous. Without additional circumstances, these actions should not subject neither the user, the anonymizer nor any other service provider to criminal liability. It may be argued that this kind of practice significantly hinders law enforcement in certain cases. However, the difficulties are not insuperable, and the value of preserving the ability to communicate controversial political views, for example, without fear of instant identification and reprisal, should outweigh any countervailing values.

4. In addition, Chapter II, Section 1, Title 5, Articles 4 and 5 contain language relating to the damage, deletion, alteration or suppression of data or a computer system without right. We are concerned that without modifying or clarifying language some signatories may deem technical events, such as a dropped packet, or failure to accommodate a particular technology that is not a widely adopted industry standard as an act of "deleting or suppressing" data.

5. Chapter II, Section 1, Title 5, Article 6(a)(1) (Illegal Devices) offers three alternative modifiers for the design or adaptation of enabling devices: that they be designed/adapted "specifically," "primarily," or "particularly" for the purpose of committing any offense. While the thrust of the question is correct, we suggest the COE consider a more flexible approach along the following lines: ". . . a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offenses established in accordance with Article 2-5, or; that has only limited commercially significant purpose or use other than to commit an offense established in accordance with Article 2-5, or; is marketed by a person or another acting in concert with that person with that person's knowledge for use in committing an offense established in accordance with Article 2-5." Restriction in the production, sale, etc., of such devices should be subject to exceptions for legitimate educational, research and law enforcement activities.

6. Chapter II, Section 2, Articles 16 and 17 (data preservation and disclosure): We believe the authority of "competent authorities" referred to in Article 16(1) should refer to individual cases and the data referred to should be not any and all data, but data relevant to investigations and that may be obtained under this treaty. We do not oppose, of course, preservation or other measures directed at particular data in a particular case by a court or other competent authority. In Article 17 (1)(a) we suggest importing language similar to that in Article 16, i.e., "a. enable its competent authorities to ensure the expeditious preservation . . . ." (new language in italics).

7. The matter of varying levels of human rights protections from state to state deserves the closest consideration, both in the Procedural Law articles and in the Mutual Assistance articles. It seems clear that in Article 14, for example, there is no floor of civil liberties or personal procedural protection, though paragraph 7 permits such limitations. It can be argued that the law enforcement agencies of signatory nations, which COE intends may also include non-COE members, gain substantial benefits under the treaty through mutual assistance. It is then also reasonable to ask if they should not be required to balance those new capabilities with some basic guarantee that the information delivered to them will be used in ways reflecting, in the phrasing of the Preamble, "the values of the Council of Europe" and a "proper balance between the interests of law enforcement and respect for fundamental human rights."

8. Chapter III (International Cooperation): while much of the substance of this title does not implicate the interests of IA members, we would like to stress two points:
   1. The drafters should consider whether the Article 20 language necessitates the use of intelligence capabilities, which often are not curbed by normal personal rights protections;

   2. As in the case of our Article 15 concerns, service providers subject to data disclosure under an Article 26 mutual assistance order should not be required to shoulder expensive burdens of data analysis and production without reimbursement.

9. Finally, while the issue of interception was temporarily deferred and no language is proposed as yet, we note that this area raises significant concerns of privacy (thus, consumer trust and confidence), network security and integrity, and cost. We would like to have the opportunity to contribute views on this subject as well.

In conclusion, we applaud COE's commitment to the difficult task of achieving a degree of consistency in the national treatment of cybercrime that will improve the ability of law enforcement to investigate and bring to justice criminals, while at the same time establishing standards of conduct which are predictable, reasonable, and enforceable. IA believes much good progress has been made, and we appreciate the opportunity to submit our comments before the draft is finalized. We believe consideration of our comments will improve the final product in key areas important both to consumer trust and confidence in the Internet, and to business as it seeks to build the functionality and increase the benefits of the new medium to the greatest possible extent.

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy