GLOBAL
INTERNET
LIBERTY
CAMPAIGN



NEWS
 GILC Actions 
 Presswire 

ISSUES
 Free Speech 
 Privacy 
 Cryptography
 Access

RESOURCES
 GILC Alert 
 Mailing List
 GILC Events 

ABOUT GILC
 Principles
 Members 
 Mail GILC 

Home Page

US Site
European Mirror

 

Global Internet Liberty Campaign Member Letter
on Council of Europe Convention on Cyber-Crime

[en francais] [en espanol] [in italiano]

October 18, 2000

Dear Committee of Experts on CyberCrime, Committee of Ministers and the Parliamentary Assembly

We write to you on behalf of a wide range of civil society organizations from around the world to object to the proposed Convention on Cyber-Crime. We believe that the draft treaty is contrary to well established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct.

Specifically, we object to provisions that will require Internet Service Providers to retain records regarding the activities of their customers. (Articles 17, 18, 24, 25). These provisions pose a significant risk to the privacy and human rights of Internet users and are at odds with well established principles of data protection such as the Data Protection Directive of the European Union. Similar communications transaction information has been used in the past to identify dissidents and to persecute minorities. We urge you not to establish this requirement in a modern communication network. In our view the whole of Article 18 is incompatible with Article 8 of the ECHR and with the jurisprudence of the European Court of Human Rights.

We further object to the conception of "Illegal Devices" set out in Article 6. We believe that this concept lacks sufficient specificity to ensure that it will not become an all-purpose basis to investigate individuals engaged in computer-related activity that is completely lawful. As technical experts have made clear, this provision will also discourage the development of new security tools and give government an improper role in policing scientific innovation.

We also object to the dramatic extension of copyright crimes in the proposed Article 10. It is hardly a settled matter that criminal penalties are the appropriate remedy for copyright infringement, nor do the underlying treaties referenced impose such requirements. New criminal penalties should not be established by international convention in an area where national law is so unsettled. More generally, we disagree with initiatives that allow for mutual assistance without dual-criminality. This requirement is central to preserving the sovereign authority of nations.

Additionally, we believe that clear procedures must be agreed upon in international investigations, and that no law enforcement agency within a different jurisdiction should act on behalf of another nation without clear investigative procedures within its own jurisdiction. Different countries have different procedures, admittedly, but now is the opportunity to harmonize them, on the condition that we assure a high level of consistency on individual rights protections.

The criminal provisions of Articles 9 and 11 could lead to a chilling effect on the free flow of information and ideas. Imposing liability on Internet Service Providers for third party content places an unreasonable burden on providers of new network services and will encourage inappropriate monitoring of private communications.

Article 14 setting out the requirements for search and seizure of stored computer data lacks necessary procedural safeguards to safeguard the rights of the individual and to ensure due process of law. In particular, there is no effort to ensure that an independent judicial review, ensuring the respect of basic freedoms and liberties, occurs before a search by the state is undertaken. Such searches would constitute an "arbitrary interference" under international legal norms.

Articles 14 and 15 could establish a requirement for government access to encryption keys that would compel individuals to incriminate themselves which may well be incompatible with Article 6 of the European Convention on Human Rights and with the jurisprudence of the European Court of Human Rights. We also question the ambiguity that arises within this same article on government access to decryption keys. The Council of Europe should clarify this provision so that member countries do not take the convention to be a mandate for passing legislation allowing for self-incrimination.

We also object in very strong terms to the manner under which this proposal was developed. Police agencies and powerful private interests acting outside of the democratic means of accountability have sought to use a closed process to establish rules that will have the effect of binding legislation. We believe this process violates requirements of transparency and is at odds with democratic decisionmaking.

Privacy experts have made clear their opposition to this proposal. One expert warned that efforts to develop an international convention on "Cyber crime" would lead to "fundamental restrictions on privacy, anonymity and encryption."

Data Protection officials have made clear their opposition to this proposal. The International Working Group on Data Protection in Telecommunications earlier criticized attempts to require maintaining traffic data and recommended improvements in security over new criminal laws.

Technical experts have made clear their opposition to this proposal. A letter from leading security practitioners, educators, and vendors states that "the proposed treaty may inadvertently result in criminalizing techniques and software commonly used to make computer systems resistant to attack" and that the proposed treaty "would adversely impact security practitioners, researchers, and educators."

Now a wide range of organizations representing civil society across the world make clear our opposition to this proposal.

We believe that any proposal to create new investigative and prosecutorial authority should include a careful consideration of articles 8 and 10 of the European Convention on Human Rights and the related jurisprudence of the European Court of Human Rights. We do not believe that these instruments were given adequate consideration in the development of this proposal. Further, we believe that the OECD Cryptography Policy Guidelines and the OECD Guidelines for the Security of Information Systems reflect a more balanced, forward-looking view of the need to promote strong security techniques to reduce the risk of computer crime than the proposal now under consideration.

Finally, the Universal Declaration of Human Rights speaks directly to the obligations of government to protect the privacy of communication and to preserve freedom of expression in new media. Article 12 states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." Article 19 further states that "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

We urge you not to approve the treaty proposal at this time. We, the undersigned, are ready to support the CoE with experts in the area to provide a better version of the document, aimed not only at punishing, but also at preventing computer crimes.

Signed,

American Civil Liberties Union (US)
http://www.aclu.org/

Associazione per la Libertà nella Comunicazione Elettronica Interattiva (IT)
http://www.alcei.it/

Bits of Freedom (NL)
http://www.bof.nl/

Canadian Journalists for Free Expression (CA)
http://www.cjfe.org/

Centre for Applied Legal Studies
http://link.wits.ac.za/

Center for Democracy and Technology (US)
http://www.cdt.org/

Computer Professional for Social Responsibility (US)
http://www.cpsr.org/

Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/

Derechos Human Rights and Equipo Nizkor (US)
http://www.derechos.org/

Digital Freedom Network (US)
http://www.dfn.org/

Electronic Frontier Foundation (US)
http://www.eff.org/

Electronic Frontiers Australia (AU)
http://www.efa.org.au/

Electronic Privacy Information Center (US)
http://www.epic.org/

Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/

FITUG e.V. (DE)
http://www.fitug.de/

Human Rights Network (RU)
http://www.hro.org/

Internet Freedom (UK)
http://www.netfreedom.org/

Internet Society - Bulgaria (BG)
http://www.isoc.bg/

Internet Society
http://www.isoc.org/

IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/

Kriptopolis (ES)
http://www.kriptopolis.com/

Liberty (UK)
http://www.liberty-human-rights.org.uk/

NetAction (US)
http://www.netaction.org/

Opennet
http://www.opennet.org/

Privacy International (UK)
http://www.privacyinternational.org/

quintessenz (AT)
http://www.quintessenz.at/

Verein für Internet Benutzer (AT)
http://www.vibe.at/

XS4ALL (NL)
http://www.xs4all.nl/

 

Reference Documents

COE Convention on Cyber-Crime (draft)
http://conventions.coe.int/treaty/EN/projets/cybercrime.doc

COE Convention for the Protection of Human Rights and Fundamental Freedoms
http://www.coe.fr/eng/legaltxt/5e.htm

COE Conventions - Background
http://conventions.coe.int/treaty/EN/cadreintro.htm

IAB/IESG Statement on Wassenaar Arrangement
http://www.iab.org/iab/121898.txt

IETF Policy on Wiretapping (RFC 2804)
ftp://ftp.isi.edu/in-notes/rfc2804.txt

OECD Cryptography Policy Guidelines (1997)
http://www.oecd.org//dsti/sti/it/secur/prod/e-crypto.htm

OECD Guidelines for the Security of Information Systems (1992) http://www.oecd.org//dsti/sti/it/secur/prod/e_secur.htm

Security Focus Commentary on COE Convention
http://www.securityfocus.com/news/39

Statement of Concern from Technology Professionals on Proposed COE Convention on Cyber-Crime
http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.html

Universal Declaration of Human Rights
http://www.un.org/Overview/rights.html