

International Issues: Cybercrime

NetCoalition.com
January 2001
Comments of NetCoalition.com

The Cybercrime Convention Will Harm U.S. Internet Users and Businesses

The proposed Council of Europe Cybercrime Convention contains many useful provisions which will help fight cybercrime around the world, but the draft in its current form poses serious problems for Internet users, U.S. Internet companies and other businesses.


I. Background.

The Council of Europe (CoE) is a multinational organization that includes both European Union member states and several non-democratic countries. The U.S. is not a member, but has "observer" status at CoE deliberations. For the past three years, the CoE has been discussing a cybercrime convention. The U.S. Department of Justice has been participating for much of this period. However, a draft of the Convention was made publicly available for the first time only this past April. The draft provoked sharp criticism from civil liberties organizations, security firms, and Internet companies. In response to these criticisms, the CoE made some improvements. However, the most recent draft (no. 25) remains deeply flawed.

Unfortunately, the Convention is on a very fast track. The CoE hopes to have the negotiations on the Convention concluded by June, 2001. It then would be opened to ratification by all countries, not just CoE members. The DoJ is extremely supportive of the Convention because it feels the Convention will lead to greater international cooperation in combating cybercrime.


II. Problems With the Cybercrime Convention.

The flaws in the Convention are too numerous to be itemized here. In general, the text of the Convention criminalizes many routine Internet activities, and holds Internet companies responsible for these activities regardless of the companies' intent. Language purporting to limit extreme interpretations of this language is supposed to be placed in a separate "Explanatory Memorandum" that will not be binding upon - and will likely not even be read by most of - the countries that adopt and implement the Convention. More specifically:

  1. The provision on aiding and abetting (Article 11) could render a service provider criminally liable for unlawful material placed on its service by a third party based merely on failing to remove it after receiving notice concerning the material's existence. This could include the very broad range of content and conduct prohibited by the Convention.

  2. The provision on corporate liability (Article 12) could result in imprisonment in foreign jails of representatives of U.S. companies for activities of subscribers or low-level employees back in the U.S., where the conduct may be legal.

  3. The Convention contains no provision limiting European jurisdiction over Internet sites located solely in the U.S. The drafters of the Convention have made clear their intention to extend the Convention's harsh liability structure to hate speech, even though it is protected by the First Amendment in the U.S.

  4. The provision on computer-related fraud (Article 8) is drafted so broadly that it could criminalize virtually any use of the Internet that causes economic harm to a competitor, as well as routine activities such as blocking unsolicited email advertising (spam).

  5. The provision on access crimes (Article 2) could criminalize routine Internet functions such as security testing, automatic price comparisons, and automatic data collection.

  6. The provisions on real-time collection of computer data (Articles 20 and 21) encourage signatory nations to require service providers to engage in "Carnivore"-type data collection regardless of the effect on privacy or the technical and financial burden it would impose on the service provider.

  7. The provisions on data collection (Articles 16-21) permit and may encourage governments to impose design mandates on the Internet.

  8. The provision on the misuse of devices (Article 6), although much improved from earlier drafts, could still prohibit the development and use of important security technologies.

  9. The provision on child pornography (Article 9) could expose innocent companies to prosecution simply because third parties send child pornography across their systems without involvement by the service provider.


If the U.S. ratifies the Convention, Congress would be prevented from legislating on some of the privacy and service provider liability issues raised by the Convention. At least one liability provision may require changes to U.S. law. With respect to other concerns, the Convention would interfere with foreign operations of U.S. companies.

The Justice Department negotiators and CoE officials have told U.S. companies and civil liberties organizations that many of these issues can be addressed in the Explanatory Memorandum. However, these matters are simply too important to be relegated merely to an explanatory memorandum; they must be resolved in the text of the Convention.



Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit.