

International Issues: Cybercrime

December 7, 2000

Martha Stansell-Gamm, Chief
Betty Shave
Computer Crime and Intellectual Property Section
Department of Justice
1301 New York Avenue, NW
Washington, DC 20005

Re: Comments of Americans for Computer Privacy on Draft No. 24 of the Council of Europe Convention on Cybercrime

Dear Ms. Stansell-Gamm and Ms. Shave:

Americans for Computer Privacy (ACP) wishes to express its gratitude to you for taking the time to meet with ACP representatives on November 30, 2000, to discuss the draft Council of Europe Convention on Cybercrime.

As we described in detail in our November 15, 2000 letter to you, ACP is committed to several principles that should guide governmental decision-making with respect to cybercrime and critical information infrastructure protection (CIIP). Two of the principles most relevant to the convention are that computer security and CIIP are best accomplished through private-sector, market-driven, and industry-led solutions, and that governments must not dictate to industry the choice of technologies or mandate technical standards or business processes.

Given the time urgency arising from the advanced stage of the negotiations, we offered certain specific comments in our November 15th letter. Based on our reading of draft no. 24, ACP remains concerned that the convention will not fully reflect the changes suggested in our November 15th letter. With the next round of Council of Europe negotiations rapidly approaching, ACP now offers the following additional specific comments based on the discussions during our November 30th meeting, the December 1st general industry-government meeting, and the December 6th meeting between industry and Henrik Kaspersen, Chairman of the Council of Europe's Committee of Experts on Crime in Cyberspace, and Peter Csonka of the Council of Europe's Directorate General I (Legal Affairs).

ACP regards the issues raised by the convention to be of great importance and directly within the purview of its principles. ACP will continue to follow closely the course of the negotiations here and in Europe to ensure that the whole draft strikes the proper balance among industry, government, and privacy considerations.

  1. Data Preservation (Articles 16 and 17)
    1. The convention text needs to state that it does not impose a data retention requirement. We appreciate your clarification that the convention does not mandate data retention. We also note that the last sentence of footnote 23 states this point explicitly. However, ACP believes that this statement is of such critical importance that it should be elevated to the text of the convention itself, specifically at the end of Article 16.1. Furthermore, ACP recommends that the sentence be altered in order to state clearly that the convention does not mandate retention of any data. Accordingly, the following sentence should be removed from footnote 23 and added to the end of Article 16.1:

      (words struck from the footnote 23 sentence are shown in brackets; the replacement words follow them)

      [It] This convention does not mandate retention of [all] any data collected by a service provider or other entity in the course of its activities.

    2. The convention text needs to state that it only applies to information that a company normally preserves in the ordinary course of business. We reiterate our comment from our November 15th letter that the data preservation requirement should specifically state that it applies only to information that a company normally preserves in the ordinary course of business. The restriction of data preservation to data preserved in the ordinary course of business comports with the spirit of Mr. Kaspersen's comment regarding Articles 20 and 21 (as discussed in Section III below), that the convention is not intended to require governments to mandate that companies develop any capabilities or technology that they do not already possess.

    3. Specific textual changes. In sum, the text of Article 16 should read as follows:

      1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities, in connection with a specific criminal matter, to order or similarly obtain the expeditious preservation of data that has been stored by means of a computer system in the ordinary course of business, in particular where there are grounds to believe that the data is particularly vulnerable [22] to loss or modification [23]. This convention does not mandate retention of any data collected by a service provider or other entity in the course of its activities.

      2. Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored data in the person's possession or control that the person has stored in the ordinary course of business, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that data for an adequate period of time to enable the competent authority to seek its disclosure.

      3. Each Party shall adopt such legislative or other measures as may be necessary to oblige the custodian or other person who is to preserve the data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.

      4. The powers and procedures referred to in this article shall be subject to the conditions and safeguards provided for under the domestic law of the Party concerned [24].

    4. Footnote 23 needs to clarify that data preservation applies to data in-hand at the time of the request. ACP appreciates your statement at the November 30th and December 1st meetings that the data preservation provision only covers data stored by an ISP or another company at the time the government requests preservation rather than any additional data collected or stored by an ISP or another company after receipt of the government's request for preservation. ACP believes that footnote 23 should include a clarification to that effect, as follows:

      This convention does not require Parties to adopt legislative and other measures requiring a service provider to preserve data not yet in existence at the time the service provider receives an order to preserve data.

  2. Expedited preservation and disclosure of traffic data (Article 17)

    1. Article 17 is subject to serious misinterpretation. During our meeting on November 30th, you clarified that Article 17 is intended for situations in which multiple ISPs or other companies possess the same traffic data with respect to a particular Internet communication. Specifically, you noted that clause (b) is intended to compel a government, not an ISP or another company, to produce "a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted." However, as we stated in our November 15th letter, we find the text of clause (b) to be vulnerable to misinterpretation as applying to ISPs or other companies rather than to governments. Such a misinterpretation would result in an ISP or another company having to do more than merely present stored data; instead, an ISP or another company would have to acquire and actively synthesize information sufficient to trace the path of an Internet communication.

    2. Article 17 should state that it does not impose a data retention requirement and that it only applies to traffic data that a company normally preserves in the ordinary course of business. Paralleling Article 16, Article 17 should state unequivocally that it does not mandate retention of any traffic data. In addition, as stated in our November 15th letter and in keeping with the spirit of Mr. Kaspersen's comment regarding Articles 20 and 21, ACP believes that Article 17 must include an explicit limitation to traffic data stored by an ISP or another company in the ordinary course of business.

    3. Specific textual changes. The text of Article 17 should read as follows:

      1. In order to enable the undertaking of the procedures referred to in Article 16 with respect to the preservation of traffic data that is stored in the ordinary course of business concerning a specific communication, each Party shall adopt such legislative or other measures as may be necessary to:

      a. ensure the expeditious preservation of that traffic data regardless of whether one or more service providers were involved in the transmission of that communication; and

      b. ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data that is stored in the ordinary course of business and supplied collectively by the relevant service providers in order for the Party to identify the service providers and the path through which the communication was transmitted.

      2. This convention does not mandate retention of any traffic data collected by a service provider or other entity in the course of its activities.

    4. A footnote should clarify that preservation of traffic data applies to data in-hand at the time of the request. Also paralleling Article 16, ACP believes that a footnote to Article 17 should clarify that preservation of traffic data only covers traffic data held by an ISP or another company at the time the government requests preservation, rather than any additional traffic data collected or stored by an ISP or another company after receipt of the government's request for preservation. The footnote should state as follows:

      This convention does not require Parties to adopt legislative and other measures requiring a service provider to preserve traffic data not yet in existence at the time the service provider receives an order to preserve data.

  3. Realtime Collection (Articles 20 and 21)

    The convention text needs to state that it does not impose technology requirements. We appreciate your assurances at the November 30th and December 1st meetings that the convention is not intended to impose CALEA-like technological requirements. Mr. Kaspersen repeated such assurances during the December 6th meeting. However, the language in Articles 20 and 21 limiting an ISP's responsibility to actions "within its technical ability" is vague as to what constitutes an ISP's "technical ability." For example, there is no temporal limitation as to an ISP's "technical ability". Accordingly, Articles 20 and 21 should each contain an additional clause that specifically states that the convention does not require the imposition of technology requirements or standards. And we wish to highlight that, during the December 6th meeting, Mr. Kaspersen stated that he was open to suggestions for improving the text of Articles 20 and 21, and that he and Mr. Csonka seemed receptive to our explicit suggestion that a sentence be added to Articles 20 and 21 clarifying that such Articles do not require governments to dictate technological standards. The additional clause should read as follows:

    4. This Article does not require Parties to dictate technological standards for service providers and does not directly or implicitly require a service provider to develop, adopt, deploy, or utilize a particular technology or to ensure that its system is capable of providing any particular traffic data, subscriber-identifying data, or access to the content of a communication.

  4. The Proportionality Test (Article 14)

    The proportionality test should be modified to include economic considerations. During our discussion on November 30th, you pointed out the provision in Article 14 setting forth a proportionality test that governs implementation of the convention. You indicated that the convention's proportionality test is based upon the proportionality test contained in European law. It is our understanding that the European proportionality test serves a similar function as the "reasonableness" standard evident in American law but that the European proportionality test is comprised of social and humanitarian, rather than economic, factors. In contrast, during the December 6th meeting, Mr. Kaspersen indicated that the concept of proportionality does include economic factors. We ask that you clarify the nature of the proportionality test in European law. In any event, ACP believes that the proportionality test contained in this convention should specifically include economic factors in order to provide industry with recourse against overbroad and burdensome requirements of government-imposed collection or preservation. Accordingly, ACP submits that the convention's articulation of the proportionality test be broadened to include economic factors within its scope, as follows:

    1. The measures adopted in accordance with this Section shall be applied for the purpose of criminal investigations and proceedings [21] concerning the offences established in accordance with Articles 2 - 11 of this Convention, other criminal offences committed by means of a computer system, or the collection of electronic evidence of a criminal offence.

    2. The application of the measures adopted shall be subject to the conditions and safeguards provided for under the domestic law of the Party concerned, with due regard for the adequate protection of human rights and, where applicable, the proportionality of the measure to the nature and circumstances of the offence and the economic impact of the measure upon the service provider.

  5. Joint U.S. Government-Industry Monitoring of the Convention's Implementation

    ACP and the U.S. government should establish an ongoing relationship to monitor foreign governments' implementation of the convention. As we discussed with you on November 30th, ACP is concerned about how governments aside from the United States and Canada will interpret and implement the convention. We note that Article 46 states that the signatory states "shall, as appropriate, consult periodically" with respect to, inter alia, "the effective use and implementation" of the convention. In this spirit, ACP proposes that an ongoing relationship be established between the U.S. government and ACP to monitor other governments' implementation of the convention.

  6. General Observations

    In our November 15th letter, ACP raised concerns with respect to criminalization of ethical hacking. We note that you have been working to alleviate these concerns, and we appreciate your efforts in this regard.

    Also in our November 15th letter, we requested clarification of the relationship between the convention's standards for corporate liability and such standards under American law. During our November 30th discussion, you assured us that the convention's corporate liability provisions are narrower than under American law. ACP respectfully disagrees with your assessment. ACP sees no limitation in the corporate liability standards regarding parental authority or actions ultra vires. Furthermore, ACP notes that the term "leading person," even if borrowed from well-established European definitions with limited scope, could be interpreted quite broadly by signatory governments that do not share the European legal architecture.

    ACP wishes to note that these unresolved matters of ethical hacking and corporate liability will be dealt with by ACP member companies individually and via other associations.

* * *

ACP looks forward to discussing its suggestions with you at the earliest possible time.

Sincerely,

Bruce Heiman
Executive Director

cc: David Beier
Chief Domestic Policy Advisor to the Vice President
Office of the Vice President
Eisenhower Executive Office Building
Washington, DC 20501

Jeffrey Hunker, Senior Director for Infrastructure Protection
Paul Kurtz, Director for Infrastructure Protection
National Security Council
Eisenhower Executive Office Building
17th Street and Pennsylvania Avenue, NW
Washington, DC 20504

William Reinsch, Undersecretary for Export Administration, Bureau of Export Administration
John F. Sopko, Deputy Assistant Secretary, National Telecommunications and Information Administration
Brian Hengesbaugh, Office of the General Counsel
U.S. Department of Commerce
14th Street and Constitution Avenue, NW
Washington, DC 20230

Damon R. Wells, Director for Technology Policy
Office of Strategic Planning and Satellite Policy
U.S. Department of State
2201 C Street, N.W., Room 4826
Washington, DC 20520



Copyright © 2005 by Center for Democracy and Technology.