International Issues: Cybercrime

These comments have been superceded by comments concerning Draft #25 dated February 6, 2001.

December 11, 2000

Comments of the Center for Democracy and Technology on the Council of Europe Draft "Convention on Cyber-crime" (Draft No. 24)

The Council of Europe, with participation of the US Department of Justice, is drafting a convention, or international treaty, on cybercrime and other issues. The proposal raises substantial questions concerning privacy, due process, and government interference with technological innovation and business models in the digital age.

The first step in analyzing the draft convention is to recognize that much of it is not focused on viruses, hacking or other attacks against computer systems or the computer-dependent critical infrastructures. Instead, central provisions of the treaty are intended to require governments to adopt laws on search and seizure of computer evidence, disclosure to governments of computerized records of any kind, and electronic interception of communications -- for all kinds of crimes. That is, a major section of the treaty aims to expand government investigative authority for ordinary offline crimes where evidence may be stored in or exchanged by computer systems (defined by the treaty to include telephone networks). Another major section of the treaty aims to require governments to implement domestically requests from other countries to search and seize computers, compel disclosure of data stored in computers, and carry out real-time interceptions - in all kinds of criminal cases.

Moreover, while requiring governments to adopt general computer search and seizure and electronic surveillance laws, the treaty specifies no legal standards to protect privacy and limit government use of such powers. And, equally disturbingly, the surveillance provisions could serve to justify government demands that telephone companies, ISPs, web site and portal operators, and computer hardware and software manufacturers design their systems, their record-keeping procedures and their very business models to guarantee the practical effectiveness of such surveillance authorities.

Even the more focused computer crime provisions of the treaty raise serious questions, for they are drafted in very broad terms that could cover a wide range of common behavior. Others touch upon complex and highly contested issues, such as copyright, that merit separate treatment.

Below, we offer specific recommendations for changes to the language of the draft. We focus on the "CALEA concerns" (the concerns that the treaty would require companies to design their technology or business models to satisfy government surveillance interests) and on the privacy issues. We support the comments and recommended changes of Americans for Computer Privacy, a coalition of computer industry companies, trade associations and public interest groups, of which CDT is a member. We also share the concerns of industry and other privacy groups about the breadth and ambiguity of the substantive criminal law provisions of the treaty.

In making these suggestions, we remain skeptical that a treaty of this scope is needed to achieve the desirable goal of improved international cooperation on computer crime. Moreover, we remain deeply concerned that the treaty will lend international support to government demands to control communications services. And we stress that the treaty is imbalanced, lacking strong and specific norms protecting privacy against government surveillance in the age of Echelon, Carnivore and the rising surveillance capabilities of governments brought on by the digital revolution.

About CDT

The Center for Democracy and Technology is a non-profit, public interest organization located in Washington, DC, working to promote privacy, freedom of expression and democratic values for the Internet and other digital communications media, from a user and consumer perspective. www.cdt.org.

Summary of Conclusions

1. It would be far more justifiable to have a treaty dealing only with harmonizing laws around a core set of offenses for hacking, viruses and other attacks on computer networks, plus international cooperation in investigating those crimes, without the controversial and difficult provisions on search and seizure, data access and wiretapping.

2. Within the crimes section, the treaty should focus on those offenses unique to computer networks, and not address forgery, copyright and other offenses that are already the subject of legal schemes equally applicable online and offline.

3. If the surveillance provisions remain in the treaty, they need to be amended to make it clear that they do not imply requirements controlling technology design or business practices.

4. If the surveillance provisions are retained, specific privacy protections should be added.

5. The US government needs to be forthright about what effect, if any, the treaty would have on US law. At this point, the US government has refused to state exactly what changes, if any, would be required in US law or what impact the treaty would have on Congressional proposals to raise standards for government surveillance and access to data stored in computers.

In Substantial Part, the Convention Is Not about "Cyber-crime;" It Is about Surveillance Authority and Trans-Border Cooperation for All Types of Crimes

The draft is really a combination of at least three treaties:

1. Requiring signatory countries to adopt certain substantive criminal offenses:
   • Crimes against computers, computer communications and computerized data - these are the only offenses under the treaty that can really be called "cyber-crimes." Articles 2-5.
   • Crimes involving the use of a computer system to engage in conduct that is already a crime (i.e., forgery, fraud, and the distribution, production or possession of child pornography). Articles 7-9.
   • A crime for copyright infringement through use of computers. Article 10.

2. Requiring the adoption of procedural laws on government investigative powers for all types of crimes:
   • Government orders to anyone to freeze information stored in any computer -- not only transactional information about email and telephone calls, but also business or personal records of any kind stored on a computer. Articles 16-17.
   • Government access to any information stored in computers, through
   • production orders for any stored data and for information identifying subscribers to computer communications systems, Article 18; and
   • search and seizure of computers and computerized data, Article 19.
   • Real-time interception applicable to all communications systems, including telephone networks, for all kinds of crimes (all kinds of serious crimes in the case of content interception). Articles 20-21.

3. Binding states to cooperate in collecting evidence and intercepting communications across borders, with one exception, in all cases:
   • requests to preserve records stored in a computer system, Article 29;
   • requests to disclose records, Article 30;
   • requests to conduct searches and seizures of computers, Article 31;
   • requests to carry out real-time interceptions of transactional data and the content of communications, Articles 33 and 34.
   • Article 25 sets rules for extradition of suspects, limited to offenses established in Articles 2-11.

Is the Convention a Prelude to Government Design Mandates for Digital Communications Systems?

A major source of concern about the treaty is that it is a step towards design mandates of the type that have been imposed in the US on telephone common carriers (but not on Internet services) under the Communications Assistance for Law Enforcement Act of 1994 (CALEA). This concern has two aspects: that the terms of the treaty itself would require or prompt countries to mandate technology or to control business models, or that it would be used, in a two-step process, as justification for such requirements.

• CALEA for the Internet?

  In recent weeks, there have been repeated assurances by both US Department of Justice and COE representatives that the treaty itself is not intended to impose design mandates, technical standards, or record-keeping ("data retention") requirements on service providers. Treaty drafters have stated repeatedly that the treaty is intended solely to set procedures for preserving, seizing or accessing whatever data is otherwise available for business purposes, using whatever current technical capabilities companies may have, and that it is not intended to require changes in technology or business practices. (On the other hand, any legal regime for disclosure, access or interception will require service providers to take some actions to comply with government orders in specific cases.)

  These assurances are welcome, but the language in the treaty remains unclear and must be clarified to preclude its being read as imposing design or record keeping requirements.

  • For example, Articles 19, 20 and 21 state that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities, for the purposes of criminal investigations or proceedings," to search or similarly access a computer system or computer data storage medium (Article19), to collect or record through application of technical means and compel a service provider to collect and record traffic data associated with specified communications (Article 20), and to collect or record content data (Article 21). In each case, the use of the word "empower" is confusing at best: at worst it implies that local legislation should ensure the practical effectiveness of search and seizure orders or wiretap orders. That is, to "empower" governmental authorities to carry out searches and seizures and wiretaps may imply both legal authority and technical capability. It needs to be made absolutely clear that the treaty contemplates only the former, not the latter.

  Recommended change:

  Articles 19, 20 and 21 should begin as follows:

  Each Party shall adopt legislative and other measures establishing procedures by which its competent authorities, for the purposes of criminal investigations or proceedings, may obtain legal authorization" to search and seize computer data, to intercept traffic data, to intercept content in real-time, etc.

• Articles 20 and 21 state that the required real-time interception law shall empower competent authorities to "compel a service provider, within its technical ability," to collect or record through application of technical means, or to co-operate and assist the competent authorities in the collection or recording of, traffic data and communications content. What does "within its technical ability" mean? We have been assured that these articles are not meant to require service providers to modify their systems. (However, in one meeting a US Department of Justice representative reportedly said that service providers would be required to modify their code, but not to buy new software or hardware.)

  Recommended change:

  To clarify the meaning of "within its technical ability," and to otherwise clarify the interception requirements, language along the following lines should be added, either to Article 14 or to Articles 20 and 21:

  This Convention [Article] does not require Parties to dictate technological standards or business practices for service providers and does not directly or implicitly require service providers to develop, adopt, deploy or utilize a particular technology or to ensure that their systems are capable of providing any particular traffic data, subscriber-identifying information, or access to the content of communications."

• Article 17 also seems to imply a design mandate when it states that "each Party shall adopt such legislative and other measures as may be necessary to: (a) ensure the expeditious preservation" of traffic data and to "(b) ensure the expeditious disclosure ... of a sufficient amount of traffic data in order to identify the service providers and the path through which a communication was transmitted" (emphasis added). The use of the word "ensure" again implies that governments must take legislative or regulatory steps to guarantee the success of governmental investigations. Instead, as we understand the current draft, the treaty is intended to tolerate situations in which there is no traffic data to be preserved. This needs to be made clear.

  Recommended change:

  Article 17 should be rewritten to delete the word "ensure." A better formulation is as follows:

  "... each Party shall adopt legislative and other measures establishing procedures by which its competent authorities may order or obtain legal authorization to order: (a) the expeditious preservation..., and (b) the expeditious disclosure ... ."

• Article 16 -- Expedited Preservation of Any Computer Records

  Article 16 requires that

  "Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities, in connection with a specific criminal matter, to order or similarly obtain the expeditious preservation of data that has been stored by means of a computer system ... ."

  This provision applies to any evidence the government may want about any crime. It is not limited to communications. It applies to any data that has been stored in a computer system. Thus, any business of any kind that uses a computer can be ordered under this provision to store any data that the government might want: Bank records, credit card data, inventory data, invoices, word processing, Web surfing data. A business that has a video camera can be told to preserve the tapes. The operator of an intelligent highway system or a passkey system can be required to preserve the data on the comings and goings of vehicles and people.

  Article 16.2 requires any person to "preserve and maintain the integrity of that data for an adequate period of time to enable the competent authorities to seek its disclosure." The draft does not call for reimbursement to record holders for the expenses they will incur in complying. Anyone with a computer can be told to hold any volume of data, and would be obliged to give to that data protection. Under the current draft, the exercise of the authority is costless to the government.

  Article 16 has been the focus of concerns that the treaty would impose "data retention" requirements on communications and Internet service providers, and it is clearly the goal of police authorities in some countries to establish such requirements. However, treaty drafters have repeatedly stated that this is not the intent of this treaty; they have stressed that Article 16 is only intended to require countries to give their investigators the authority to require companies to freeze whatever data is available, as a result of ordinary business practices, pending a production order. A footnote (#23) has been added, which states that the treaty "does not mandate retention of all data collected by a service provider or other entity in the course of its activities."

  Recommended change:

  Footnote 23 should be moved into the text at 16.4 and the word "all" should be changed to "any" so that the provision reads:

  "This Article does not mandate retention of any data collected by a service provider or other entity in the course of its activities, nor does it require service providers or other entities to collect any data not otherwise collected in the ordinary course of their activities."

• Restrictions on Certain Business Models?

  In fundamental respects, the treaty seems to be inconsistent with the unique character of the Internet and the rapidly changing nature of communications technology and business models. Instead, the treaty seems intended to preserve methods of government surveillance power common to the switch-based, monopolized, centralized world of telephone networks in which carriers reliably knew the identities of their customers and billed retrospectively for services. In the modern digital environment, many service providers worldwide are offering or planning to offer prepaid services and other services that do not involve the collection or retention of personally identifiable information on subscribers.

  Article 18 of the draft treaty states that countries should adopt laws requiring service providers to disclose information identifying their customers. The treaty does not explicitly require service providers to collect and keep information identifying their customers. But the fear is that governments will argue, "We have just signed an international convention requiring us and other countries to enact laws on the disclosure of subscriber identifying data. Service offerings (such as prepaid phone cards) that do not require the collection of subscriber identifying information will defeat the purpose of this treaty. Therefore, we cannot allow these services to be offered - service providers must always be able to identify their customers."

  Recommended change:

  The convention (Article 14) or explanatory report should explicitly recognize that it is not intended to serve as justification for prohibitions on anonymous services: "Nothing herein is intended to require states to restrict the offering or use of services that do not involve, in the ordinary course of business, the collection of traffic data or subscriber information."

The Treaty Fails to Provide Privacy Protections

The treaty addresses one of the most sensitive privacy issues worldwide today - the interception of communications and the seizure of computer data by governments. The drafters of the treaty have reached the judgment that, as a matter of international treaty, governments should be required to grant their investigative authorities uniform power to intercept the communications and seize the computer records of their citizens and residents.

Yet the treaty does not take the additional step of specifying what privacy protections should limit government exercise of that authority. The treaty clearly recognizes that such intrusive powers should be subject to some conditions and "safeguards" and that they must give due regard to the adequate protection of human rights, but it does not specify what those procedures should be.

• Articles 20 and 21 - Real-Time Interception

  Articles 20 and 21 require countries to adopt legislation for the real-time interception of "traffic data" (a broad category of transactional data such as telephone numbers dialed, email headers, IP addresses, maybe URLs, as well as the time, date, duration, and type of service used) and the content of voice and data communications. Article 14 generally states, "The application of the measures adopted shall be subject to the conditions and safeguards provided for under the domestic law of the Party concerned, with due regard for the adequate protection of human rights and, where applicable, the proportionality of the measure to the nature and circumstances of the offense." Drafters of the treaty also point out that the COE's European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) has a provision, Article 8, which provides that "Everyone has the right to respect for his private and family life, his home and correspondence," subject to such interference as is in accordance with the law and necessary in a democratic society in pursuit of a range of interests, including national security, economic well-being, the prevention of crime or disorder and the protection of health.

  Proponents of the cybercrime treaty argue that Article 14 and the ECHR address the privacy concerns, and that to go any further would be too complicated. But the ECHR, which was adopted in 1950, is not sufficient in and of itself to respond to the communications privacy issues of the digital age. The European Commission and Court of Human Rights have ruled that the ECHR applies to government wiretapping, but the Court has been constrained by the general language of Article 8. For example, the Court has stated with respect to wiretapping that, "in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge." Yet the Court has found that it has no authority in the bare words of the ECHR to impose such a requirement.

  A great deal has changed since 1950. If there is a need for a treaty requiring countries to adopt certain surveillance laws, then there is also a need for an updated international standard on privacy protections for government surveillance. If anything, the privacy standards are more urgently needed, as wireless and digital communications technologies become far more deeply woven into personal lives. Far more data than ever before is stored outside of the home or office on computer networks of service providers. Traffic data, once thought to be minimally revealing, now provides a full profile of an individual's personal and professional associations and activities. There are obviously difficult issues to be resolved in developing privacy standards suited to the digital age. For example, how does judicial authorization of invasive procedures offer meaningful independence and privacy protection in legal systems where judges are investigators? But, if governments are to seek international support for the establishment of law enforcement surveillance powers, then there must be, at the same time and in the same instrument, international support for privacy protections at a commensurate level of precision.

  Recommended change:

  We recommend deleting Articles 18-21 until the COE can conduct the long overdue development of standards for protecting communications privacy - standards that address the vastly more intrusive capabilities available to governments as a result of the emergence of the information society.

  In lieu of that, Article 14.2 should be rewritten to provide more explicit privacy protection. We are reluctant to try to spell out precise language here, for such standards must be established by a collaborative process worthy of the broad interest in this issue, but the following is a start:

  "Each Party shall adopt legislative and other measures establishing conditions and safeguards adequately protecting human rights in the exercise of the powers and procedures referred to in Articles 16-21, and providing independent and effective judicial controls, based in each specific instance on findings of fact concerning the crime and specifying the person whose privacy is to be interfered with, with due regard for the proportionality of the specific powers and procedures to the nature and circumstances of the offense."

• Articles 16 and 17 - Expedited Preservation and Disclosure of Data

  Article 16 requires Parties to adopt "such legislative and other measures as may be necessary to enable its competent authorities ... to order or similarly obtain the expeditious preservation of data" stored in any computer. Article 17 states that each Party shall adopt such legislative or other measures as may be necessary to "ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted." There is no reference to the standards for such preservation or disclosure requirements. In earlier drafts, it seemed that police or other investigators would exercise these authorities without judicial or other independent authorization, but Article 16.4 now reserves the question of "conditions and safeguards" to domestic law.

  US law (18 USC 2703(f)) currently has a provision similar to Article 16, although Article 16 is much broader than 2703(f), which is limited to computer data relating to communications, while Article 16 applies to all computer data. Moreover, we believe that the provision in US law should be revisited. Article 17, if it were to imply compulsory disclosure in the absence of independent authorization, would go beyond current US law, for US service providers currently cannot disclose any traffic data without a subpoena. This is one of the instances where it would be useful to have the US Department of Justice explicitly state what effect the treaty would have on US law, and whether the treaty would preclude revisions to 2703(f) placing standards and controls on the authority of the FBI or other police to order companies to take certain actions. We note that Article 17 does not include the clause now inserted in Articles 16 and 18-21, that the powers and procedures referred to "shall be subject to the conditions and safeguards provided for under the domestic law of the Party concerned."

  Recommended change:

  Add the following to Article 17, as it has already been added to Articles 16 and 18-21:

  "The powers and procedures referred to in this article shall be subject to the conditions and safeguards provided for under the domestic law of the Party concerned."

• Article 19 - Search and Seizure

  Article 19.3 provides that each party shall establish procedures giving its police the authority to seize entire computer systems and to "render inaccessible or remove those computer data in the accessed computer system." The authorities under the treaty will be exercised not only against criminal suspects but also against legitimate service providers and others who have information relevant to a criminal investigation. Thus, this provision allows the government, with no constraining standards, to seize computer systems or render inaccessible computer data that is important to legitimate businesses and individuals. Language needs to be added making it clear that governments should get the information needed without disrupting business operations or personal lives.

  Article 19.2 states that each Party shall adopt measures to ensure that, where its authorities search or similarly access a computer system and have grounds to believe that the data sought is stored in another computer system, and such data is lawfully accessible from the initial system, "such authorities shall be able to expeditiously extend the search ... to the other system." What does this mean? Is this consistent with offline practice? Is it consistent with the nature of computer systems? If the authorities search one apartment, and have grounds to believe that what they are looking for is stored in another apartment, even an apartment owned by the same person, they must get a separate warrant for the second apartment.

Transborder Cooperation Provisions

Articles 24 through 35, while addressing matters appropriate to an international convention, might have some privacy implications. The treaty's provisions are intended to require countries to process requests for assistance from other countries that have signed the treaty. In general, such requests, to be enforceable, must meet the standards of the requested party. But the treaty does not make this uniformly clear. Some provisions, in fact, seem incompatible with the deference to domestic law and might be read as overriding privacy protections that countries provide. For example, Articles 29 and 30 state that a request for expedited preservation of stored data or expedited disclosure of preserved data may be refused or withheld only if the offense concerned is a political offense, or if the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests. What if the requested Party has established internal guidelines for the exercise of the preservation of data authority? Shouldn't the requested party be able to decline the request if the circumstances do not rise to the level that would justify a preservation order in purely domestic situations?

We also note that Article 31.2, unlike, for example, Article 29.3, does not explicitly refer to compliance with domestic law.

The Difficulty of Defining "Cybercrimes"

The "Love Bug" virus revealed that there are major gaps from country to country in criminal laws addressing hacking, viruses, and other attacks on computer networks. It is easy to see the justification for an agreement among nations as to the kinds of offenses that will be the subject of cross-jurisdictional investigations. It would be far better to uncouple the substantive criminal law proposals from the surveillance questions.

That said, the sections of the treaty dealing with the specific issue of computer crimes are extremely broad and vague. Partly, this is the nature of treaties, particularly those drafted within the primarily civil law tradition of Europe. However, it is also true that it is very hard to define computer crimes. The US computer crime law was first adopted in 1984. It has been amended 3 times, in 1986, 1994, and 1996, as Congress has struggled to define precisely what a computer crime is. The US law on illegal interception was first drafted in 1968 and was amended in 1986 and 1994, again to clarify what was legal and illegal. Yet even allowing for these considerations, the treaty provisions are still very broad.

Article 2 calls upon states to establish as a criminal offense "when committed intentionally the access to the whole or any part of a computer system without right" (emphasis added). On its face, this would make it a crime to send an unsolicited email, since the sender of an unsolicited email "accesses" the recipient's computer (or the mail server of the recipient's ISP), without right. Recognizing this problem, the treaty now includes a footnote stating, "This article is not intended to criminalise regular and common activities inherent in the design of the network, such as sending electronic mail without it having been first solicited by the recipient or normally accessing a web page or ftp (Œfile transfer protocol') server that has been configured for public access." This footnote barely begins to define what is and what is not done "without right."

Moreover, the very next footnote states that the phrase "without right" may refer to conduct undertaken without contractual authority. For one, this seems to say that what is not permitted is prohibited. In addition, it seems to make violations of a service provider's terms of service into a criminal offense. The ISP subscriber who uses the service for a purpose prohibited by the terms of service is accessing the computer of the ISP "without right." The student who uploads or downloads a single music file in violation of the university's policy for granting students Internet access is committing a crime. If an employer tells its employees that they cannot use the Internet at work for personal purposes, the employee who logs on and checks a stock quote is committing an offense. Conversely, even though the treaty establishes a separate crime of "illegal interception," the phrase "without right" appears there also, and would protect the ISP or service provider whose terms of service reserve the right to randomly or systematically read the communications of its subscribers.

While it should be possible to more narrowly phrase the computer-crime provisions, other substantive law proposals address issues that arise offline as well as online. These issues have long and contested histories and raise difficult policy issues. They should not be included at all:

• Article 10 - Copyright infringement. Intellectual property protection is an extremely complicated issue that touches upon both free expression and privacy issues and that is still in flux. The treaty would make the criminalization of certain forms of copyright infringement an international standard.

• Article 9 - Child pornography. Production and distribution of images of children in sexually explicit situations is abhorrent, for the very production of such images involves the sexual abuse of children, and thus child pornography is appropriately a crime whether such images are transmitted online or offline. However, the treaty would also criminalize the possession of drawings or computer-generated images that "appear" to involve a child. While an amendment to 18 USC 2252 does something similar, there are serious constitutional questions with that amendment, since it punishes the possession of images the production of which did not involve real children. The scope of the Article 9 child-porn provision could reach third parties (not just ISPs). It is unclear that the "intentionally" element of Article 9 applies to every element of the proposed. One can imagine a more carefully drafted provision on child pornography that would be unobjectionable, but Article 9 is not it.

• Articles 11 and 12 - Aiding-and-abetting, and Corporate liability. Both of these are already be covered by general aiding and abetting and corporate liability principles. The question of what special rules, if any, should apply to the Internet is a complicated question that could be confused, not clarified by these treaty provisions, which are not sufficiently clear as to questions of intent, notice, and responsibility.

Procedural Steps Within the COE

The Council of Europe is a 41-nation body, established in 1947, that has drafted over 170 treaties, the most famous of which may be the European Convention on Human Rights. It is an institution distinct from the European Union and the European Commission.

The cybercrime convention is being drafted by a Committee of Experts. The next and final meeting of the Committee of Experts is December 11-15. The terms of reference of the Committee of Experts expire on December 31, 2000, at which point the Committee will refer the text of the treaty to the COE's Committee of Ministers, which is the institution's decision-making body. The Committee is expected to act on this treaty in July or September 2001. The Committee of Experts, while its charter expires, will remain able to modify the text after 12/31/00 in response to comments. As with other COE draft conventions, the Parliamentary Assembly of the COE will give its opinion on the draft. The Parliamentary Assembly will begin reviewing the treaty in January, and its opinion is expected by mid-March. Further changes can be made in response to its opinion.

If the Committee of Ministers approves the treaty, it becomes open for signature by member States of the COE, by other countries that have participated in the drafting (including the US) and by other nations invited by the COE to sign. European Conventions are not statutory acts of the organization; they owe their legal existence simply to the expression of the will of those States through signature and ratification .

For more information, contact:
Jim Dempsey, Senior Staff Counsel
202-637-9800 jdempsey@cdt.org

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy