

International Issues: Cybercrime

November 15, 2000

David Beier
Chief Domestic Policy Advisor to the Vice President
Office of the Vice President
Eisenhower Executive Office Building
Washington, DC 20501

Re: Comments of Americans for Computer Privacy on the Draft Council of Europe Convention on Cybercrime

Dear Mr. Beier:

Americans for Computer Privacy (ACP) is pleased to offer the following specific comments and suggested textual changes with respect to Articles 16, 17, and 18 of draft 22 of the Council of Europe Convention on Cybercrime.

ACP's changes clarify, consistent with assurances we received recently from U.S. government officials, that nothing in the convention is intended to authorize or empower governments to require private-sector parties: (1) to retain data (as opposed to preserving data they ordinarily collect and store in the ordinary course of business when ordered to do so by the government); and (2) to develop, adopt, or deploy particular technologies to collect or record content and traffic data (i.e., the convention is not intended to promulgate an international CALEA approach to computer communications).

As you know, ACP is a broad-based coalition of companies, associations, interest groups, and over 6000 individuals that focuses on issues at the intersection of electronic information and communications, privacy rights, law enforcement, and national security. We worked with you and others in the Administration to bring forth a new encryption policy that included significant relaxation of export controls on American products. We also have focused on critical information infrastructure protection (CIIP) more generally.

ACP is committed to several principles that should guide government decision-makers with respect to CIIP. These principles include:

Based on our recent discussions with U.S. government officials, ACP believes that the U.S. negotiators of the convention agree that the convention should not, and is not intended by its drafters to, violate these principles. However, ACP is very concerned that the current text of Articles 16, 17, and 18 of the convention could be interpreted as violating these principles. Accordingly, ACP offers the specific comments and changes below in a constructive spirit to align the text of the convention with these principles. If these changes are made to the convention, they will address ACP's concerns.

Article 16: Expedited preservation of data stored in a computer system

Representatives of the U.S. government have assured ACP that the convention is not intended to mandate data retention because even though it might help law enforcement, there are significant countervailing considerations of technological feasibility and cost and serious privacy implications. Instead, according to these representatives, the convention is intended to require signatory states to adopt legislation or other measures that would require individuals or businesses to preserve such data that they might have when ordered to do so by the government. However, ACP believes that, as written, Article 16 could be interpreted to require signatory states to mandate data retention.

ACP proposes several changes to Article 16:

On the basis of the comments above, ACP recommends the following text:

  1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or otherwise obtain, for the purpose of criminal investigations or proceedings, the expeditious preservation of specified data that is collected and stored in the ordinary course of business by means of a computer system, at least where there are grounds to believe that the data is subject to a short period of retention or is otherwise particularly vulnerable to loss or modification being deleted, lost, or modified before the competent authorities can order its production. Nothing in this convention shall require a Party to adopt legislative or other measures requiring the collection or storage of data.

  2. Where a Party gives effect to paragraph 1 above by means of an order to a person may be ordered to preserve specified collected and stored data in the person's possession or control that the person has collected and stored in the ordinary course of business, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that data for a period of time as may be ordered pursuant to domestic law.

  3. Each Party shall adopt such legislative or other measures as may be necessary to oblige a person to whom the procedures of preservation referred to in this Article are directed, to keep confidential the undertaking of such procedures for a period of time as permitted by domestic law.


Article 17: Expedited preservation and disclosure of traffic data

Article 17 states as follows:

Each Party shall, with respect to undertaking the procedures referred to under article 16 in respect of the preservation of traffic data concerning a specific communication, adopt such legislative or other measures as may be necessary to:

  1. ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication; and

  2. ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted.

ACP understands and accepts that clause (a) is intended for situations in which multiple ISPs possess the same traffic data with respect to a particular Internet communication. As worded, clause (a) prevents an ISP from failing to disclose that traffic data to the government based on the justification that the government could obtain that same information from another ISP.

With respect to clause (b), however, ACP is concerned that requiring an ISP to produce "a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted" means that an ISP must do more than present collected and stored data and must instead actively acquire and synthesize information sufficient to trace the path of an Internet communication. Once again, although such a requirement might be beneficial to law enforcement, for the compelling reasons set forth above with respect to Article 16, ACP believes that Article 17 should be modified to state explicitly that any data preservation requirement should only apply to data that is normally collected and stored in the ordinary course of business.

In addition, ACP is also concerned that requiring a signatory state to "ensure the expeditious disclosure" to a government of traffic data may mean that a signatory state must devise a process for requiring an ISP to produce such information even prior to a competent authority issuing an actual order for such production. We do not believe this was the drafters' intent, and we propose that clause (b) be modified to prevent the text from being construed in this manner.

On the basis of these comments, ACP recommends the following text:

Each Party shall, with respect to undertaking the procedures referred to under article 16 in respect of the preservation of traffic data that is collected and stored in the ordinary course of business concerning a specific communication, adopt such legislative or other measures as may be necessary to:

  1. ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication; and

  2. ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, upon issuance of an order by a competent authority, of a sufficient amount of traffic data that is collected and stored in the ordinary course of business in order to identify the service providers and the path through which the communication was transmitted.


Article 18 quater: General provisions relating to domestic procedural law measures

As you will recall, the U.S. CALEA statute exempts ISPs from its ambit. However, ACP is concerned that Articles 18, 18 bis, 18 ter, and 18 quater could be interpreted as applying a CALEA-like regime to ISPs.

Specifically, clause (b) of Articles 18 and 18 bis states that each signatory state should "empower its competent authorities to . . . compel a service provider to

  1. collect or record through application of technical means on the territory of that Party, or

  2. co-operate and assist the competent authorities in the collection or recording of, content data of and traffic data in real-time associated with, "specified communications on its territory transmitted by means of a computer system."

ACP is concerned that this clause could be interpreted to require ISPs to develop, adopt, or deploy particular technologies to enable collection or recordation of information desired by law enforcement. Therefore, ACP suggests that Article 18 quater, which sets forth interpretative principles applicable to Articles 18, 18 bis, and 18 ter, be amended to state explicitly that the signatory states must not mandate the choice of technologies. Accordingly, clause (5) should be added to Article 18 quater, as follows:

  1. No Party shall take any legislative or other measures that dictate technological standards for service providers or require service providers to develop, adopt, deploy, or otherwise utilize a particular technology.

General Observations

ACP has other concerns with respect to the convention, as set forth below.

Article 6 requires each signatory state to establish as a criminal offense the production, sale, etc. of hacking equipment when "committed intentionally and without right." ACP wishes to know who defines the concepts of intention and "without right." While footnote 4 attempts to clarify the definition of "without right," we find footnote 4 to be unhelpful in this regard.

We note that footnote 9 states that the convention's explanatory text will clarify that Article 6 is not intended to cover hacking equipment used to test system vulnerability. While we appreciate the weight that the explanatory text carries with respect to the convention's interpretation, ACP believes that the question of legitimate hacking equipment is too important to be excluded from the convention's text itself.

Finally, ACP is concerned that the standards for corporate liability set forth in Article 12 may be broader than such standards under U.S. law. ACP requests that the Administration clarify the relationship between the convention's standards for corporate liability and such standards under U.S. law.

* * *

ACP looks forward to discussing its suggestions with the Administration at the earliest time possible.

Sincerely,

Bruce Heiman
Executive Director

cc: Jeffrey Hunker, Senior Director for Infrastructure Protection
Paul Kurtz, Director for Infrastructure Protection
National Security Council
Eisenhower Executive Office Building
17th Street and Pennsylvania Avenue, NW
Washington, DC 20504

Martha Stansell-Gamm, Chief
Betty Shave
Computer Crime and Intellectual Property Section
Department of Justice
1301 New York Avenue, NW
Washington, DC 20005



Copyright © 2005 by Center for Democracy and Technology.