Int'l cybercrime treaty remains horrid

CoE listens to law enforcement, but few others

  • alert
  • submit to reddit

High performance access to file storage


This week, the Council of Europe (CoE) Experts Group on Crime in Cyberspace is meeting in Strasbourg, France to finalize the international Cybercrime Convention. The experts should be proud of themselves. They have managed during the past eight months to resist the pernicious influence of hundreds if not thousands of individual computer users, security experts, civil liberties groups, ISPs, computer companies and others outside of their select circle of law enforcement representatives who wrote, faxed and e-mailed their concerns about the treaty.

Last month, the CoE released a new draft of their long-standing effort, which includes a few minor changes and some lip service to human rights, but remains substantially unchanged from previous drafts.

The main gap is a lack of limits on cyber crimes, surveillance powers, and assistance that are created in the convention. The sections on searches still force individuals to disclose encryption keys and other data at the direction of law enforcement officials, in violation of protections against self-incrimination guaranteed by US, Canadian and European laws; wiretap powers remain broadly defined and cover all computer devices down to the smallest local area network (and perhaps even smaller); provisions on real-time data collection remain Carnivore-friendly; and local authorities will still be required to assist law enforcement agencies from other countries, even when investigating actions that are not crimes under local law.

There are a few improvements. The section on illegal devices, which in previous drafts threatened to outright criminalize common security tools, now includes a new paragraph stating that it should not impose criminal liability when the program in question was not created or transferred "for the purpose of committing an offence, such as for testing or the protection of a computer system."

Does that solve all the problems with regulating hacking tools? I don't know, because it all depends on how the law will be implemented by each country.

Human rights gets mentioned once or twice and national governments can resist some requests for assistance when they think the case is political (not to say that could ever happen, but Germany announced this week that anyone anywhere in the world who promotes Holocaust denial is liable under German law, and the Malaysian government announced that anyone who insults Islam online will be punished).

In contrast to these modest changes, the opposition to the entire treaty has been overwhelming. Every cyber-rights group in the world with a pulse has come out against it. On the industry side, it's being opposed by the US Chamber of Commerce, the International Chamber of Commerce, all the ISP associations and a ton of other companies, security groups and so on. About the only one left who isn't calling the draft convention the sign of the devil is the Pope, and he probably would if consulted.

We've not seen this kind of united public interest and industry opposition to a dumb government proposal since the good old days of the Clipper chip. And not coincidentally, the meetings on the subject are filled with the same people.

This is not so say that the CoE committee has not heard or read these complaints.

Last week, Henrik Kaspersen, a Dutch government representative who chairs the committee, and Peter Csonka, the head of Economic Crimes division for the CoE, visited Washington -- reportedly to meet with US Attorney General Janet Reno. At a public meeting on Thursday, Kaspersen acknowledged receiving a flood of complaints on the draft conventions, but dismissed them as coming either from American lawyers who did not understand European law, or, worse, "from the Internet," which his tone suggested could only mean the clueless and uninformed.

None of the kinds of outrageous cases like the French holding Yahoo liable or the Germans arresting a high CompuServe official, could even be conceived by Kaspersen, much less ever happen as a result of the treaty he travelled to America to peddle.

When asked publicly why the treaty did not include any procedural safeguards for limiting surveillance powers, Kaspersen said that determining privacy standards was too hard and controversial for the committee, and had to be left to the national governments of the CoE and signatory countries. I'm sure that those highly democratic countries in the CoE like Russia, Ukraine, and Romania will do a fine job of implementing those rights.

There is a small chance that the committee will finally make real changes to the treaty before the new draft comes out sometime next week. But don't count on it. After three years, it seems they made up their minds a long time ago -- and free speech, privacy, real security on the Net, and all of us be dammed. The next hope is lobbying the national governments to refuse to sign the treaty, or to make changes before it is approved. Perhaps they will not think your comments are just "from the Internet."

© 2000 SecurityFocus.com. All rights reserved.

David Banisar is an attorney and writer in the Washington, DC area. He is co-author of "The Electronic Privacy Papers" (Wiley, 1997) and several other books on privacy, and is deputy director of Privacy International.

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Nokia offers 'voluntary retirement' to 6,000+ Indian employees
India's 'predictability and stability' cited as mobe-maker's tax payment deadline nears
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
Adrian Mole author Sue Townsend dies at 68
RIP Blighty's best-selling author of the 1980s
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Analysts: Bright future for smartphones, tablets, wearables
There's plenty of good money to be made if you stay out of the PC market
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.