CoE "cybercrime" convention: legitimising internet surveillance
"We believe that the draft [CoE cybercrime] treaty is contrary to well established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct." Global Internet Liberty Campaign (GILC)
In April 2000 the Council of Europe (CoE) released its draft convention on "crime in cyberspace", a legally-binding international treaty aimed at harmonising criminal law and procedural aspects of "offending behaviour directed against computer systems, networks or data" and "other similar abuses". Despite widespread criticism by privacy and civil liberties groups, internet security experts, business representatives and the International Group on Data Protection in Telecommunications (comprised of national data protection commissioners), successive drafts of the convention have conceded very little in the face of law enforcement demands.
The CoE Convention cannot be considered alone. In the UK, the RIP Bill (see Statewatch vol 10 no 1) paved the way for extensive surveillance of all electronic communications. Then last month, the Home Office announced £37 million funding for the integration of all police computer systems and £25 million to set up a cybercrime unit of 46 officers. This was closely followed by an announcement that the UK intelligence services want to oblige all telecommunications and internet service providers to maintain all their traffic data records (every phone call, fax, telex, page, e-mail or internet connection) for at least seven years (see feature on page 1). Meanwhile, the G8, EU, UN and OECD have provided a discreet range of venues to ensure the fight against cybercrime is coordinated internationally.
The proposed CoE convention
The convention is aimed at "cyber-criminals and cyber-terrorists", "attacks against commercial websites", "hacking", "illegal interception of data", "computer related fraud and forgery", child-pornography and copyright offences. However, what the convention as drafted can achieve in terms of tackling evident cybercrimes such as damaging computer "viruses", child-porn, or (high-profile) hacking has been questioned in some quarters.
Work on the CoE Convention began in 1997 with the accompanying press-release encouraging interested parties to "share their comments with the experts involved in the negotiations before the adoption of the final text". Countries that ratify the convention will have to incorporate its definitions and offences into their domestic criminal law (chapters I and II), and will be bound by mutual legal assistance provisions obliging signatory states to cooperate with one another (chapter III). In June of this year, Justice Ministers from the 41 CoE member-states adopted a resolution to open the convention for world-wide signature.
The draft convention sets out very broad definitions extending its potential scope from internet-based "cybercrime" to anything involving a personal computer. A "computer system" means any computer and "computer data" everything that is held on a computer. "Service providers" are "any public or private entity" that provide "the ability to communicate by means of a computer" (covering every system from AoL to an office network). "Traffic data" is an entire chain of communications from any "computer system", including "origin, destination, path or route, time, date, size, duration, or type". "Subscriber information" means any other data relating to "subscribers of its service" (including visitors to a website or users of a network) which can establish their "identity, address, telephone number" or "location". Most of the powers conferred upon the "competent authorities" of states that adopt the convention can be used for the all-embracing and unlimited "purpose of criminal investigations or proceedings".
Cyber-criminal offences, illegal devices and liability
Cyber-criminal offences are defined in Articles 2-11. In implementing the convention, domestic legislation will have to accommodate the following criminal offences: hacking ("illegal access", art. 2); illegal interception of private communications (art. 3); "data interference": "damaging, deletion, deterioration, alteration [including "tampering"], or suppression [deletion or preventing access] of computer data" (art. 4); creating viruses or causing damage through hacking ("system interference", art. 5).
Also illegal are "devices", including computer programs, passwords, access codes "or similar data" if "possessed", "produced" or "designed" with intent to commit a defined cybercrime (art. 6). The GILC suggest that:
the concept lacks sufficient specificity to prevent it becoming "an all-purpose basis to investigate individuals engaged in computer related activity that is completely lawful."
According to technical experts it may also have the effect of discouraging the development of new internet security tools, as well as giving national governments an improper role in policing scientific innovation. The burden of proof that the "devices" were intended for illegal purposes was only placed on the prosecution in a concession in the second public draft of the convention - it was originally proposed that suspects must prove that their "devices" were not intended for criminal activity.
Computer related forgery, fraud and child pornography offences are defined, as is copyright infringement in cyberspace. Article 11 includes "attempt" and "aiding or abetting" as criminal offences and article 12 introduces corporate liability. This effectively makes service providers criminally liable for the content on their systems - i.e. open to prosecution for "cybercrimes" committed by third-parties using their servers or networks. The extent of the liability is likely to make service providers unwilling to take on "risky" users or content and can be expected to encourage inappropriate monitoring of private communications across their systems.
On demand access to all data
The convention empowers law enforcement authorities to force service providers to record and preserve data regarding the activities of their customers. This is one of the most controversial provisions, and remains so despite the weakening of law enforcement demands in successive drafts of the convention. The obligation on service providers to preserve "data stored in a computer system" (art. 16) and "traffic data" (art. 17) has been reduced slightly - "for the purpose of criminal investigations or proceedings" was replaced by "in connection with a specific criminal offence". A footnote explaining that the provision "does not mandate retention of all data collected" has also been introduced. However, this is exactly what has been proposed in the UK and discussed in the G8 (see page 1 in this issue).
Article 18 of the draft convention empowers competent authorities to serve "production orders" against service providers to enact provisions for "search and seizure" of any "computer system", "data" or "storage medium" (art. 19). No reference is made to independent judicial review prior to a search - unlike other types of search warrant. Law enforcement agencies will be able to "seize or similarly secure" equipment and data, "make and retain a copy" of any data and have a choice of "maintain[ing] the integrity of" or "render[ing] inaccessible or remov[ing]" data. They will also have the power to order "any person who has knowledge about the functioning.. or measures applied to protect the computer data" (i.e. encryption keys or privacy software) to "provide all necessary information". This is in blatant breach of individual rights against self-incrimination afforded by the ECHR and ECJ case law.
Articles 20-22 create a framework in which all electronic communications can be intercepted in "real-time". Under the convention, service providers will be obliged to "collect or record" or "co-operate and assist.. in the collection and recording" of "traffic" and "content data of specified communications". The scope of the interception provisions is "the range of serious offences to be determined by domestic law" (when they transpose the definitions and offences from the convention). Legislation to enforce confidentiality obligations on service providers is also required.
Disregard for human rights
The rights of individuals, suspects or defendants are only addressed in a reference to "domestic safeguards" with no explicit reference to any data protection or human rights law, such as the 1981 EC Data Protection Directive or the ECHR. While it may seem incredible that an international convention extending law enforcement powers should not be bound by well-established and fundamental international human rights rules, the convention is simply incompatible with them. Nowhere is this more evident than in its dual effect of making the "interception of private communications" a criminal offence, while providing surveillance and interception powers to law enforcement officials which appear to contravene Article 8 of the ECHR.
In a letter urging the CoE drafting committee to reconsider the convention, the GILC note that:
"the Universal Declaration of Human Rights speaks directly to the obligations of governments to protect the privacy of communication and to preserve freedom of expression in new media. Article 12 states that 'No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.' Article 19 further states that 'Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.'"
Chapter 3 (arts. 24-35) sets out the mutual assistance procedures enabling the authorities of one signatory country to request the use of the "investigative" powers under the convention in another.
Article 25 creates a new legal basis for extradition procedures in relation to the offences in the convention (existing extradition treaties between parties to the convention otherwise apply). The offence for which extradition is sought must be punishable by at least a one year prison sentence in both countries (a very low standard). Mutual legal assistance (MLA) arrangements provide the framework for international cooperation, although again, where international MLA agreements are in force these apply. There are several provisions to allow MLA to take place without "dual-criminality" - the requirement that requests are related to a matter which constitutes a serious criminal offence in both countries.
Article 28 provides for intelligence exchange between parties to the convention. Authorities in one country can, "without prior request", give authorities in another information that it considers "might assist" in "initiating.. investigations..". Again, there is no explicit reference to any data protection rules or independent supervision, only a note that the providing party "may request" confidentiality. In the absence of any effective rules governing intelligence exchanges, there is nothing to prevent information obtained coercively or unlawfully being transmitted by third states, or the provision of data for political purposes.
Article 27 makes Interpol a lawful communication channel for requests. These are received for approval or rejection by designated national authorities. Concern over Interpol's handling of MLA requests was raised recently in the case of an international arrest warrant issued by Turkey leading to the arrest for extradition of a political activist who had been granted political asylum in Switzerland (see Statewatch vol 10 no 5).
"Offences related to infringements of copyright and related rights" are set out in Article 10. Signatory states are to establish criminal penalties in their domestic law for copyright and related offences (which infringe the international "copyrights" afforded by the international conventions). An opt-out of the criminal liability aspects of art. 10 was introduced in the most recent draft of the convention, presumably due to opposition from countries that do not apply criminal penalties to copyright infringements.
The inclusion of copyright crimes in the convention would seem to be aimed directly at protest websites which have achieved various successes and caused embarrassment to corporations and institutions. A number of websites have been forced to close, and many more are currently threatened with or embroiled in legal proceedings:
- Reclaim the streets' "Financial crimes" website which accompanied the September 26 protests against the IMF/World Bank in Prague included a spoof version of the Financial Times newspaper and lasted just three days before the UK service provider pulled the site upon threat of litigation.
- Lawyers for Shell have concerned themselves with the "Nuclear Crimes" website which alleges that the petrochemical giant secretly tested and dumped nuclear material. The corporation, however, appears wary of getting itself into a "McLibel" situation (in which McDonald's was forced to contest and concede many of the allegations made by campaigners in a lengthy and costly court case).
- Surrey Police have informed a retired inspector that since his website www.policecorruption.co.uk "may be accessed by the public" and is therefore "processing personal data" - the same can of course be said of nearly all websites - he must register it with the Data Protection Commissioner's Office. Failure to do so, they note, is a criminal offence.
- In Germany Lufthansa has so far failed to stop a website which criticises the airline's role in deportations. The site carries the "Deportation Class" exhibition featuring posters which lawyers for the company say constitute a breach of copyright and insinuate that Lufthansa is in directly linked with right-wing extremists. Internet providers from all over the world offered to mirror the site in the name of freedom of artistic expression and the threatened legal proceedings against the organisers (the No-one is illegal campaign) did not materialise.
The GILC say that "new criminal penalties should not be introduced by an international convention in an area where national law is so unsettled".
Sources: "Draft Convention on Cybercrime", Council of Europe DG I, European Committee on crime problems (CDPC) and Committee of experts on crime in cyber-space (PC-CY), No. 19, 25.4.00, Draft No. 24 rev 2, 19.11.00; CoE press release 27.4.00; www.privacyinternational.org; www.nuclearcrimes.com; www.deportation-alliance.com; www.gilc.org.
This report appeared in Statewatch bulletin (November-December 2000). There is now a later version of the draft Convention.
© Statewatch ISSN 1756-851X. Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.