|
 |
|
|||||
International Issues: Cybercrime
February 6, 2001
The Council of Europe, with participation of the US Department of Justice, has drafted a convention, or international treaty, on cybercrime that raises substantial questions concerning privacy and government interference with technological innovation and business models in the digital age.
The treaty also raises concerns over the definition of criminal conduct online. The computer crime provisions of the treaty are drafted in very broad terms that could cover a wide range of common behavior. Consequently, the provisions may not achieve the "harmonization" that is the treaty's goal, but rather may subject U.S. corporations and Internet users to criminal liability from Europe. Also, the treaty has been expanded to include matters such as fraud and copyright infringement that are not computer crimes per se, but offline crimes sometimes committed through computer systems. There have been efforts to further add "content" offenses such as hate speech that would translate cultural norms into transborder criminal offenses.
Below, we offer specific recommendations for changes to the language of the draft. We focus on the privacy issues and the "CALEA concerns" (the concerns that the treaty would require companies to design their technology or business models to satisfy government surveillance interests). We also support the comments and recommended changes of Americans for Computer Privacy, a coalition of computer industry companies, trade associations and public interest groups, of which CDT is a member, and of the NetCoalition. We do not repeat here many of those insightful comments, which are available online at http://www.cdt.org/international/cybercrime/. (The latest draft of the treaty is also available there.)
In making specific suggestions about the text and intent of the draft, we remain skeptical that a treaty of this scope is needed to achieve the desirable goal of improved international cooperation on computer crime. Moreover, we remain deeply concerned that the treaty, with its current emphasis on government powers over privacy protection, will lend international support, no matter what its precise language, to government demands to control communications services.
The Center for Democracy and Technology is a non-profit, public interest organization located in Washington, DC, working to promote privacy, freedom of expression and democratic values for the Internet and other digital communications media, from a user and consumer perspective. www.cdt.org.
The first step in analyzing the draft convention is to recognize that much of it is not focused on viruses, hacking or other attacks against computer systems or the computer-dependent critical infrastructures. Instead, central provisions of the treaty are intended to require governments to adopt laws on search and seizure of computer evidence, disclosure to governments of computerized records of any kind, and electronic interception of communications -- for all kinds of crimes. Thus, a major purpose of the treaty aims to establish investigative authority for ordinary offline crimes where evidence may be stored in or exchanged by computer systems (defined by the treaty to include telephone networks). Another major section of the treaty aims to require governments to implement domestically requests from other countries to search and seize computers, compel disclosure of data stored in computers, and carry out real-time interceptions in all kinds of criminal cases.
The draft is really a combination of three treaties:
The treaty addresses one of the most sensitive privacy issues worldwide today the interception of communications and the seizure of computer data by governments. The drafters of the treaty have reached the judgment that, as a matter of international treaty, governments should be required to grant their investigative authorities uniform power to intercept the communications and seize the computer records of their citizens and residents.
Yet the treaty does not take the additional step of specifying what privacy protections should limit government exercise of that authority. Article 15 merely states that such intrusive powers shall be subject to the "conditions and safeguards provided for under the domestic law of each Party concerned, with due regard for the adequate protection of human rights;" it does not specify what those procedures should be and leaves that whole debate to domestic law, with no guidance from the COE, a body initially created to promote human rights.
Footnote 29 refers to the COE's European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Article 8 of which provides that "Everyone has the right to respect for his private and family life, his home and correspondence," subject to such interference as is in accordance with the law and necessary in a democratic society in pursuit of a range of interests, including national security, economic well-being, the prevention of crime or disorder and the protection of health.
Article 15 and the ECHR do not come close to addressing the privacy concerns about a treaty that so precisely and in such detail mandates the adoption of search and seizure and surveillance powers. The ECHR, which was adopted in 1950, is not sufficient in and of itself to respond to the communications privacy issues of the digital age. A great deal has changed since 1950. If there is a need for a treaty requiring countries to adopt certain surveillance laws, then there is also a need for an updated international standard on privacy protections for government surveillance. If anything, the privacy standards are more urgently needed, as wireless and digital communications technologies become far more deeply woven into personal lives. Far more data than ever before is stored outside of the home or office on computer networks of service providers. Traffic data, once thought to be minimally revealing, now provides a full profile of an individual's personal and professional associations and activities. There are obviously difficult issues to be resolved in developing privacy standards suited to the digital age. For example, how does judicial authorization of invasive procedures offer meaningful independence and privacy protection in legal systems where judges are investigators? But, if governments are to seek international support for the establishment of law enforcement surveillance powers, then there must be, at the same time and in the same instrument, international support for privacy protections at a commensurate level of precision.
We recommend deleting Articles 18-21 until the COE can conduct the long overdue development of standards for protecting communications privacy standards that address the vastly more intrusive capabilities available to governments as a result of the emergence of the information society. We are reluctant to try to spell out precise privacy language here, for such standards must be established by a collaborative process worthy of the broad interest in this issue.
At the least, to mirror the "Each Party shall adopt" language of Articles 16 - 21, Article 15 should be rewritten as follows:
"Each Party shall adopt, for the implementation and application of the powers and procedures referred to in this Section, legislative and other measures establishing conditions and safeguards that will adequately protect human rights, in particular as provided in the European Convention for the Protection of Human Rights and Fundamental Freedoms and its Protocols and the International Covenant on Civil and Political Rights. Such measures shall require independent and effective controls, based in each specific instance on findings of fact concerning the crime and specifying the person whose privacy is to be interfered with, with due regard for the proportionality of the specific powers and procedures to the nature and circumstances of the offense."
-- Articles 16 and 17 Expedited Preservation and Disclosure of Data
Article 16 requires Parties to adopt "such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation" of data stored in any computer. Article 17 states that each Party shall adopt such legislative or other measures as may be necessary to "ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data in order to identify the service providers and the path through which the communication was transmitted."
US law (18 USC 2703(f)) currently has a provision similar to Article 16, although Article 16 is much broader than 2703(f), which is limited to computer data relating to communications, while Article 16 applies to all computer data. Moreover, we believe that 2703(f) should be revisited, for it compels service providers to take action with no judicial authorization or review. Article 17, if it were to imply compulsory disclosure in the absence of independent authorization, would go beyond current US law, for US service providers currently cannot disclose any traffic data without a subpoena. This is one of the instances where it would be useful to have the US Department of Justice explicitly state what effect the treaty would have on US law, and whether the treaty would preclude revisions to 2703(f) placing standards and controls on the authority of the FBI or other police to order companies to take certain actions.
-- Article 19 - Search and Seizure
Article 19.3 provides that each party shall establish procedures giving its police the authority to seize entire computer systems and to "render inaccessible or remove those computer data in the accessed computer system." The authorities under the treaty will be exercised not only against criminal suspects but also against legitimate service providers and others who have information relevant to a criminal investigation. Thus, this provision allows the government, with no constraining standards, to seize computer systems or render inaccessible computer data that is important to legitimate businesses and individuals. Language needs to be added making it clear that governments should get the information needed without disrupting business operations or personal lives.
The authorities in Article 19.3, if not exercised with restraint and minimal interference, can shut down an ISP, a portal or any other business that holds computerized records.
To address this, the second sentence of Article 19.3, before the semicolon listing of (a) through (d), should be changed to read:
"These measures shall be implemented so as to minimize the interference with the operations of the owner or operator of the computer system and with any legitimate uses of the data and may include the power:"
A major source of concern about the treaty has been the perception that it is a step towards design mandates of the type that have been imposed in the US on telephone common carriers (but not on Internet services) under the Communications Assistance for Law Enforcement Act of 1994 (CALEA) and, under less detailed but broader mandates, on telephone carriers and Internet service providers in other countries.
Article 16 requires countries to adopt laws empowering their officials to require service providers to expeditiously preserve (in anticipation of a disclosure order) any data in the computers of the service provider. Articles 20 and 21 require governments to adopt laws empowering their officials to intercept communications and transactional data in real-time and to compel service providers to cooperate in carrying out such interceptions.
There have been repeated assurances by both US Department of Justice and COE representatives that these and other provisions in the treaty are not intended to impose design mandates, technical standards, or record-keeping ("data retention") requirements on service providers. Treaty drafters have stated repeatedly that the treaty is intended solely to set procedures for preserving, seizing or accessing whatever data is otherwise available for business purposes, using whatever current technical capabilities companies may have, and that it is not intended to require changes in technology or business practices.
These assurances are welcome and are now reflected in certain textual language and in footnotes that will form the basis for an Explanatory Report that will accompany the treaty. Thus, Articles 20 and 21 now state that the required real-time interception law shall empower competent authorities to "compel a service provider, within its existing technical capability," to collect or record, or to co-operate and assist the competent authorities in the collection or recording of, traffic data and communications content. Footnote 35 now provides: "The phrase 'within its existing technical capability' indicates that this paragraph (and Article 21(1)(b)) should not be implemented in a manner that requires service providers to acquire or develop new technical abilities in order to collect and record data or perform other related activities at the request of a Party."
Addition of the "within its existing technical capability" language to Articles 20 and 21, and the addition of Footnotes 32, 34, and 35 are extremely important to help ease concerns about government mandates on design, technical standards or business models, and we urge that the three footnotes all be retained in the Explanatory Memorandum in the clearest and most complete form.
-- Restrictions on Certain Business Models?
Still, in fundamental respects, the treaty seems to be inconsistent with the unique character of the Internet and the rapidly changing nature of communications technology and business models. The treaty seems intended to preserve methods of government surveillance power common to the switch-based, monopolized, centralized world of telephone networks in which carriers reliably knew the identities of their customers and billed retrospectively for services. In the modern digital environment, many service providers worldwide are offering or planning to offer prepaid services and other services that do not involve the collection or retention of personally identifiable information on subscribers.
Article 18 of the draft treaty states that countries should adopt laws requiring service providers to disclose information identifying their customers. The treaty does not explicitly require service providers to collect and keep information identifying their customers. And footnote 11 recognizes the legitimacy of anonymous communications. But the concern is that the treaty will prompt governments to argue, "We have just signed an international convention requiring us to enact laws on the disclosure of subscriber identifying data. Service offerings (such as prepaid phone cards) that do not require the collection of subscriber identifying information will defeat the purpose of this treaty. Therefore, we cannot allow these services to be offered we will require service providers to be able always to identify their customers." This implication should be rejected.
To further clarify the intent and meaning of the treaty, the language in footnote 35 should be expanded to include business practices. It should be made clear that the treaty is not intended to require service providers to change either their equipment or their business practices to ensure that they are capable of providing any particular traffic data, subscriber-identifying information, or access to the content of communications.
The text or explanatory report should explicitly recognize that the treaty is not intended to serve as justification for prohibitions on anonymous services: "Nothing herein is intended to require states to restrict the offering or use of services that do not involve, in the ordinary course of business, the collection of traffic data or subscriber information."
-- Article 16 -- Expedited Preservation of Any Computer Records
Article 16 requires that
"Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of [specified] computer data, including traffic data, that has been stored by means of a computer system ... ."
This provision applies to any evidence the government may want about any crime. It is not limited to communications. It applies to any data that has been stored in a computer system. Thus, any business of any kind that uses a computer can be ordered under this provision to store any data that the government might want: Bank records, credit card data, inventory data, invoices, word processing, Web surfing data. A business that has a video camera can be told to preserve the tapes. The operator of an intelligent highway system or a passkey system can be required to preserve the data on the comings and goings of vehicles and people.
Article 16.2 requires any person to "preserve and maintain the integrity of that data for an adequate period of time, as necessary, to enable the competent authorities to seek its disclosure." The draft does not call for reimbursement to record holders for the expenses they will incur in complying. Anyone with a computer can be told to hold any volume of data, and would be obliged to give to that data protection. Under the current draft, the exercise of the authority is costless to the government.
Article 16 has been the focus of concerns that the treaty would impose "data retention" requirements on communications and Internet service providers, and it is clearly the goal of police authorities in some countries to establish such requirements. However, treaty drafters have repeatedly stated that this is not the intent of this treaty; they have stressed that Article 16 is only intended to require countries to give their investigators the authority to require companies to freeze whatever data is available, as a result of ordinary business practices, pending a production order. A footnote (#32) states that the treaty "does not mandate retention of all data collected by a service provider or other entity in the course of its activities."
To be consistent with Articles 20 and 21, and to reinforce the message that data retention is not required, the phrase "within its existing legal capability" should be added to Article 16.2, after the words "to oblige that person."
In addition, the word "specified" in Article 16.1, which is bracketed in the latest draft, serves an important limiting function, and should be retained in the treaty text, because it is important to realization of the proportionality requirement in Article 15 and the relevant human rights documents: How will anyone ever know if the proposed preservation is proportionate unless the data to be preserved is specified?
Transborder Cooperation Provisions
Articles 24 through 35, while addressing matters appropriate to an international convention, might have some privacy implications. The treaty's provisions are intended to require countries to process requests for assistance from other countries that have signed the treaty. In general, such requests, to be enforceable, must meet the standards of the requested party. But the treaty does not make this uniformly clear. Some provisions, in fact, seem incompatible with the deference to domestic law and might be read as overriding privacy protections that countries provide. In particular, Articles 27.4, 29.5, and 30.2 state that a request for assistance may be refused or withheld only if the offense concerned is a political offense, or if the requested Party considers that execution of the request is likely to prejudice its sovereignty, security, ordre public or other essential interests. What if the requested Party has established internal guidelines for the exercise of the preservation of data authority? Shouldn't the requested party be able to decline the request if the circumstances do not rise to the level that would justify a preservation order in purely domestic situations?
The Justice Department, under current law, often decides not to exercise its search and seizure or surveillance powers in certain cases, based on priorities and other considerations. Under the treaty as it now stands, the US government would be bound to process, and to submit to US-based service providers, orders and requests in situations where the US government itself would not proceed. Of course, it would undermine the purpose of the treaty to give Parties wide open discretion to decline to process requests. But the treaty goes too far in limiting the ability of Parties to refuse to cooperate with requests for assistance.
To strike a better balance, the following should be added to Articles 27.4, 29.5, and 30.2:
"(c) the request is one that the authorities of the requested Party, under established rules or guidelines, would not execute in their own investigations."
We also note that Article 31.2, like, for example, Article 29.3, should explicitly refer to compliance with "domestic" law.
The Difficulty of Defining "Cybercrimes"
The "Love Bug" virus revealed that there are major gaps from country to country in criminal laws addressing hacking, viruses, and other attacks on computer networks. It is easy to see the justification for an agreement among nations as to the kinds of offenses that will be the subject of cross-jurisdictional investigations. It would be far better to uncouple the substantive criminal law proposals from the surveillance questions.
That said, the sections of the treaty dealing with the specific issue of computer crimes are extremely broad and vague. Partly, this is the nature of treaties, particularly those drafted within the primarily civil law tradition of Europe. However, it is also true that it is very hard to define computer crimes. The US computer crime law was first adopted in 1984. It has been amended 3 times, in 1986, 1994, and 1996, as Congress has struggled to define precisely what a computer crime is. The US law on illegal interception was first drafted in 1968 and was amended in 1986 and 1994, again to clarify what was legal and illegal. Yet even allowing for these considerations, the treaty provisions are still very broad.
Article 2 calls upon states to establish as a criminal offense "when committed intentionally the access to the whole or any part of a computer system without right" (emphasis added). On its face, this would make it a crime to send an unsolicited email, since the sender of an unsolicited email "accesses" the recipient's computer (or the mail server of the recipient's ISP), without right. Recognizing this problem, the treaty now includes a footnote (#6) stating, "Articles 2-5 are not intended to criminalise legitimate and common activities inherent in the design of networks, or common operating or commercial practices, such as, for example, sending electronic mail without it having been first solicited by the recipient; accessing a web page or ftp ('file transfer protocol') server that has been configured for public access; . . . " This footnote barely begins to define what is and what is not done "without right."
Moreover, the very next footnote states that the phrase "without right" may refer to conduct undertaken without contractual authority. For one, this seems to say that what is not permitted is prohibited. In addition, it seems to make violations of a service provider's terms of service into a criminal offense. The ISP subscriber who uses the service for a purpose prohibited by the terms of service is accessing the computer of the ISP "without right." The student who uploads or downloads a single music file in violation of the university's policy for granting students Internet access is committing a crime. If an employer tells its employees that they cannot use the Internet at work for personal purposes, the employee who logs on and checks a stock quote is committing an offense. Conversely, even though the treaty establishes a separate crime of "illegal interception," the phrase "without right" appears there also, and would protect the ISP or service provider whose terms of service reserve the right to randomly or systematically read the communications of its subscribers.
While it should be possible to more narrowly phrase the computer-crime provisions, other substantive law proposals address issues that arise offline as well as online. These issues have long and contested histories and raise difficult policy issues. They should not be included at all:
The Council of Europe is a 41-nation body, established in 1947, that has drafted over 170 treaties, the most famous of which may be the European Convention on Human Rights. It is an institution distinct from the European Union and the European Commission.
The cybercrime convention was drafted by a Committee of Experts, which formally ended its work with draft #25 in December 2000. The Committee of Experts, while its charter expired, is drafting the explanatory Report and is still able to modify the text in response to comments.
The draft convention will also be reviewed by the Parliamentary Assembly of the COE. A vote by the Parliamentary Assembly is expected in April. Further changes can be made in response to its opinion. After the assembly's deliberations, the convention will also to be subject to possible amendments from the Council's European Committee on Crime Problems.
Finally, the text of the treaty will be referred to the COE's Committee of Ministers, which is the institution's decision-making body. The Committee is expected to act on this treaty in July or September 2001. If the Committee of Ministers approves the treaty, it becomes open for signature by member States of the COE, by other countries that have participated in the drafting (including the US) and by other nations invited by the COE to sign. European Conventions are not statutory acts of the organization; they become binding only upon those nations that sign and ratify them.
For more information, contact:
Jim Dempsey, Senior Staff Counsel
202-637-9800 jdempsey@cdt.org
|
The Center For Democracy & Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 (v) 202.637.9800 (f) 202.637.0968 Contact CDT Copyright © 2005 by Center for Democracy and Technology. |