Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime
October 18, 2000
Dear Committee of Experts on CyberCrime, Committee of Ministers
and the Parliamentary Assembly
We write to you on behalf of a wide range of civil society
organizations from around the world to object to the proposed
Convention on Cyber-Crime. We believe that the draft treaty is
contrary to well established norms for the protection of the
individual, that it improperly extends the police authority of
national governments, that it will undermine the development
of network security techniques, and that it will reduce government
accountability in future law enforcement conduct.
Specifically, we object to provisions that will require Internet
Service Providers to retain records regarding the activities
of their customers (Articles 17, 18, 24, 25). These provisions
pose a significant risk to the privacy and human rights of Internet
users and are at odds with well established principles of data
protection such as the Data Protection Directive of the European
Union. Similar communications transaction information has been
used in the past to identify dissidents and to persecute minorities.
We urge you not to establish this requirement in a modern communication
network. In our view the whole of Article 18 is incompatible
with Article 8 of the ECHR and with the jurisprudence of the
European Court of Human Rights.
We further object to the conception of "Illegal Devices"
set out in Article 6. We believe that this concept lacks sufficient
specificity to ensure that it will not become an all-purpose
basis to investigate individuals engaged in computer-related
activity that is completely lawful. As technical experts have
made clear, this provision will also discourage the development
of new security tools and give government an improper role in
policing scientific innovation.
We also object to the dramatic extension of copyright crimes
in the proposed Article 10. It is hardly a settled matter that
criminal penalties are the appropriate remedy for copyright infringement,
nor do the underlying treaties referenced impose such requirements.
New criminal penalties should not be established by international
convention in an area where national law is so unsettled. More
generally, we disagree with initiatives that allow for mutual
assistance without dual-criminality. This requirement is central
to preserving the sovereign authority of nations.
Additionally, we believe that clear procedures must be agreed
upon in international investigations, and that no law enforcement
agency within a different jurisdiction should act on behalf of
another nation without clear investigative procedures within
its own jurisdiction. Different countries have different procedures,
admittedly, but now is the opportunity to harmonize them, on
the condition that we assure a high level of consistency on individual
rights protections.
The criminal provisions of Articles 9 and 11 could lead to
a chilling effect on the free flow of information and ideas.
Imposing liability on Internet Service Providers for third party
content places an unreasonable burden on providers of new network
services and will encourage inappropriate monitoring of private
communications.
Article 14 setting out the requirements for search and seizure
of stored computer data lacks necessary procedural safeguards
to safeguard the rights of the individual and to ensure due process
of law. In particular, there is no effort to ensure that an independent
judicial review, ensuring the respect of basic freedoms and liberties,
occurs before a search by the state is undertaken. Such searches
would constitute an "arbitrary interference" under
international legal norms.
Articles 14 and 15 could establish a requirement for government
access to encryption keys that would compel individuals to incriminate
themselves, which may well be incompatible with Article 6 of the
European Convention on Human Rights and with the jurisprudence
of the European Court of Human Rights. We also question the ambiguity
that arises within this same article on government access to
decryption keys. The Council of Europe should clarify this provision
so that member countries do not take the convention to be a mandate
for passing legislation allowing for self-incrimination.
We also object in very strong terms to the manner under which
this proposal was developed. Police agencies and powerful private
interests acting outside of the democratic means of accountability
have sought to use a closed process to establish rules that will
have the effect of binding legislation. We believe this process
violates requirements of transparency and is at odds with democratic
decisionmaking.
Privacy experts have made clear their opposition to this proposal.
One expert warned that efforts to develop an international convention
on "Cyber crime" would lead to "fundamental restrictions
on privacy, anonymity and encryption."
Data Protection officials have made clear their opposition
to this proposal. The International Working Group on Data Protection
in Telecommunications earlier criticized attempts to require
maintaining traffic data and recommended improvements in security
over new criminal laws.
Technical experts have made clear their opposition to this
proposal. A letter from leading security practitioners, educators,
and vendors states that "the proposed treaty may inadvertently
result in criminalizing techniques and software commonly used
to make computer systems resistant to attack" and that the
proposed treaty "would adversely impact security practitioners,
researchers, and educators."
Now a wide range of organizations representing civil society
across the world make clear our opposition to this proposal.
We believe that any proposal to create new investigative and
prosecutorial authority should include a careful consideration
of articles 8 and 10 of the European Convention on Human Rights
and the related jurisprudence of the European Court of Human
Rights. We do not believe that these instruments were given adequate
consideration in the development of this proposal. Further, we
believe that the OECD Cryptography Policy Guidelines and the
OECD Guidelines for the Security of Information Systems reflect
a more balanced, forward-looking view of the need to promote
strong security techniques to reduce the risk of computer crime
than the proposal now under consideration.
Finally, the Universal Declaration of Human Rights speaks
directly to the obligations of government to protect the privacy
of communication and to preserve freedom of expression in new
media. Article 12 states that "No one shall be subjected
to arbitrary interference with his privacy, family, home or correspondence."
Article 19 further states that "Everyone has the right to
freedom of opinion and expression; this right includes freedom
to hold opinions without interference and to seek, receive and
impart information and ideas through any media and regardless
of frontiers."
We urge you not to approve the treaty proposal at this time.
We, the undersigned, are ready to support the CoE with experts
in the area to provide a better version of the document, aimed
not only at punishing, but also at preventing computer crimes.
Signed,
American Civil Liberties Union (US)
http://www.aclu.org/
Associazione per la Libertà nella Comunicazione Elettronica
Interattiva (IT)
http://www.alcei.it/
Bits of Freedom (NL)
http://www.bof.nl/
Canadian Journalists for Free Expression (CA)
http://www.cjfe.org/
Centre for Applied Legal Studies
http://link.wits.ac.za/
Center for Democracy and Technology (US)
http://www.cdt.org/
Computer Professionals for Social Responsibility (US)
http://www.cpsr.org/
Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/
Derechos Human Rights and Equipo Nizkor (US)
http://www.derechos.org/
Digital Freedom Network (US)
http://www.dfn.org/
Electronic Frontier Foundation (US)
http://www.eff.org/
Electronic Frontiers Australia (AU)
http://www.efa.org.au/
Electronic Privacy Information Center (US)
http://www.epic.org/
Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/
FITUG e.V. (DE)
http://www.fitug.de/
Human Rights Network (RU)
http://www.hro.org/
Internet Freedom (UK)
http://www.netfreedom.org/
Internet Society - Bulgaria (BG)
http://www.isoc.bg/
Internet Society
http://www.isoc.org/
IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/
Kriptopolis (ES)
http://www.kriptopolis.com/
Liberty (UK)
http://www.liberty-human-rights.org.uk/
NetAction (US)
http://www.netaction.org/
Opennet
http://www.opennet.org/
Privacy International (UK)
http://www.privacyinternational.org/
quintessenz (AT)
http://www.quintessenz.at/
Verein für Internet Benutzer (AT)
http://www.vibe.at/
XS4ALL (NL)
http://www.xs4all.nl/
Reference Documents
COE Convention on Cyber-Crime (draft)
http://conventions.coe.int/treaty/EN/projets/cybercrime.doc
COE Convention for the Protection of Human Rights and Fundamental
Freedoms
http://www.coe.fr/eng/legaltxt/5e.htm
COE Conventions - Background
http://conventions.coe.int/treaty/EN/cadreintro.htm
IAB/IESG Statement on Wassenaar Arrangement
http://www.iab.org/iab/121898.txt
IETF Policy on Wiretapping (RFC 2804)
ftp://ftp.isi.edu/in-notes/rfc2804.txt
OECD Cryptography Policy Guidelines (1997)
http://www.oecd.org//dsti/sti/it/secur/prod/e-crypto.htm
OECD Guidelines for the Security of Information Systems (1992)
http://www.oecd.org//dsti/sti/it/secur/prod/e_secur.htm
Security Focus Commentary on COE Convention
http://www.securityfocus.com/news/39
Statement of Concern from Technology Professionals on Proposed
COE Convention on Cyber-Crime
http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.html
Universal Declaration of Human Rights
http://www.un.org/Overview/rights.html