Network Security
International Cybercrime Treaty Nearly Finished
- From: Paul Howell
- Date: Tue Sep 26 06:56:11 2000
Europeans Defining The Long Arm Of The Cyberlaw
By Juliana Gruenwald, Inter@ctive Week
September 25, 2000 3:49 AM PT
URL: http://www.zdnet.com/intweek/stories/news/0,4164,2631389,00.html
European and U.S. officials are moving toward a final draft of the world's
first international treaty on cybercrime, a broad effort that high-tech
industry groups and privacy advocates fear could intrude on personal privacy
and hamper e-commerce.
The proposal, which has been in the drafting stage for nearly three years,
calls on countries to pass uniform laws that would, among other things, ban
hacking devices and require countries to empower their law enforcement
officers to conduct computer and network searches and seizures.
Though slow to react to the proposal, some U.S. industry groups are now
scrambling to voice their objections as the Council of Europe, working with
the U.S. and other governments, last week held a new round of talks on the
treaty.
The convention is "in part trying to harmonize what may be more appropriately
left to individual" countries, said Jeffrey Pryce, a Washington Internet and
e-commerce lawyer.
Some also expressed concern that the Department of Justice, which is playing
a leading role for the U.S., may be seeking powers through the treaty that it
could not get through Congress.
"When the U.S. government cannot get a controversial policy adopted
domestically, they pressure an international group to adopt it, and then bring
it back to the U.S. as an international treaty - which obliges Congress to
enact it," wrote David Banisar, a senior fellow at the Electronic Privacy
Information Center, in a commentary on the draft treaty for Web site
SecurityFocus.com.
Officially, the convention is a product of the council, a 41-member
organization that develops agreements to standardize social and legal
practices across Eastern and Western Europe.
But officials from Canada, Japan, South Africa and the U.S. have been
participating in the negotiations. And the council said it will invite other
countries to sign the final pact, which it hopes to complete in December.
"As computer crimes are often international in their nature, national measures
need to be supplemented by international cooperation," the council said in
releasing its first public draft of the convention in April. The council may
release a second public draft of the convention, perhaps as soon as this week.
The devil is in the details
The council began its work on the convention in April 1997, after determining
that a 1995 paper recommending that countries adopt laws covering
computer-related crime did not go far enough, and that a legally binding
agreement was needed.
The draft calls on signatories to pass legislation against illegally accessing
a computer, intercepting computer data or interfering with computer systems.
It also would ban the sale, purchase, import and distribution of devices used
for hacking, and requires passage of laws against computer-related fraud or
forgery and child pornography. Signatories also would be required to provide
law enforcement authorities with the ability to conduct computer searches and
seize computer data.
In addition, the proposed treaty would require those with access to or
knowledge of computer data sought by authorities to provide "all necessary
information, as is reasonable," for authorities to obtain the data.
"These computer-specific investigative measures will also imply cooperation by
telecom operators and Internet service providers, whose assistance is vital to
identify computer criminals and secure evidence of their misdeeds," the council
said in releasing the public draft.
One section deals with the interception of data through networks, but the
details were not included in the April text. The section was one of the areas
being discussed by the drafting committee last week, according to a U.S.
official, who said the U.S. has been pushing for a more updated proposal to be
released publicly.
The final sections of the convention deal with improving cooperation. The
draft requires signatories to "cooperate with each other . . . to the widest
extent possible." It also calls for cooperation in the extradition of suspects,
and outlines procedures for law enforcement authorities to assist one another.
"What we're trying to do is establish expedited forms of communications . . .
not get rid of the checks" and balances, said Jennifer Martin, a trial lawyer
at the DOJ's computer crimes and intellectual property section, which is
taking the lead for the Clinton administration on the issue.
Concerns and questions
Most agree that cybercrime cannot be viewed as a national problem alone. But
privacy advocates, information security professionals and others worry about
the council's approach.
Gus Hosein, deputy director at Privacy International in London, said one of
his biggest concerns is that in harmonizing cybercrime laws, those laws that
restrict law enforcement powers the least may prevail.
For example, Hosein pointed to Britain's Regulation of Investigatory Powers
Act, a measure that grants law enforcement officials broad powers to demand
access to electronic data. He questioned whether the treaty could be used by
U.K. officials to obtain information about a British suspect outside Britain
using powers granted by the U.K. law.
Computer security professionals worry that the prohibitions on devices used
for hacking could prevent the legitimate use of such technology and software
to test computer security products.
"Our biggest concern is that people don't understand the technology . . .
[that] you have to use the same technology to do both legitimate and
illegitimate acts," said Lisa Norton, a Washington lawyer who represents
Internet Security Systems.
Other concerns have been raised about the data storage requirements. Internet
service providers worry that they may not have the capacity to store reams of
data, and if forced to, they could open themselves up to liability from those
who own the data.
"The intentions behind the treaty are valid, but as the first draft came out,
it seemed to raise more problems than it would cure," said Jason Mahler, vice
president and general counsel at the Computer and Communications Industry
Association.
DOJ and council officials said much of the concern over the draft stems from a
misunderstanding of the treaty's intent and a need for clarifications in the
text. For example, they said, security testing would not be banned, because
prosecutors must show there was intent to commit an illegal act. Peter Csonka,
deputy head of the council's economic crime division, said there needs to be a
better explanation of the language banning the use of such devices "without
right."
When asked about privacy concerns with the treaty, Csonka said: "These
concerns may be legitimate, but they could be raised in relation to any
international treaty. Harmonization of laws is necessary to avoid a legal
jungle on the Net."