June 7, 2001
We are offering this letter of comments to the U.S. Department of
Justice and the CDPC of the Council of Europe in order to voice our
continuing concerns regarding the development and form of the draft
Convention on Cybercrime. While we were advised to reserve our comments
to optional text and footnotes in order to conform with the interests of
the CDPC, we also present our continuing concerns generally in the hope
of promoting democratic debate. We represent Non-Governmental
Organizations, which are members of the Global Internet Liberty
Campaign. This letter addresses only certain portions of the draft
Convention and individual signatories may have additional concerns.
We have been actively offering our thoughts on the Convention since
the drafts were made public. Through the Global Internet Liberty
Campaign, of which we are members, two letters were submitted to the
Council of Europe outlining our concerns; these concerns still stand. We
have also worked with industry actors under an ad-hoc group in order to
communicate our concerns to the U.S. Department of Justice, which
reports back that the Committee of Experts on Crime in Cyber-Space
continues to resist our recommendations. We ask that this letter be
taken with more consideration than past submissions, while bearing in
mind our previously articulated concerns.
A. Process
We must again object to the non-transparent manner in which this
Convention has been developed. The CoE has made little effort to address
the concerns of other stakeholders in the process. Even after the
publication of Draft 19 and subsequent drafts, we have seen little
effort on the part of the Council of Europe working group to directly
and substantially incorporate the views and concerns of the NGO
community on the issues of privacy and civil liberties. There has been
limited public input on the convention, while CoE staffers have publicly
dismissed any critical commentary.
In addition, the makeup of the working party has remained one-sided,
with law enforcement at the table and no industry or NGO participation.
This is contrary to similar efforts at the OECD and the G-8 where NGOs
(albeit in a very limited capacity) and industry were asked to
participate and a more balanced effort has emerged.
B. Article 15 is Not Adequate
We recognize that the legal protections have been modestly improved
in Article 15 by the reference to various other international
instruments, but we still believe that the protections it affords are
not adequate to address the significant demands and requirements for
privacy-invasive techniques in the rest of the Convention.
Title II sets out very specific requirements for privacy invasive law
enforcement techniques. We believe and have consistently stated publicly
that each of those sections should have included limitations on the use
of the techniques. A vague reference to proportionality will not be
adequate to ensure that civil liberties are protected. We recognize that
countries have varying methods for protection of civil liberties, but as
a Council of Europe Convention drafted in consultation with other
democratic nations, this document missed an important opportunity to
ensure that minimum standards consistent with the European Convention on
Human Rights and other international human rights accords were actually
implemented. This failure is, in part, a result of the non-transparency
of the process.
It is also unfortunate the section does not specifically address the
issue of privacy and data protection. The COE Convention 108 on Data
Protection is an important safeguard for protecting citizens' rights and
the implementation of this Convention should be adopted in a manner that
is consistent with its requirements.
Other related efforts such as the 1997 OECD cryptography guidelines
specifically recognize the fundamental right of privacy:
Article 5. The fundamental rights of individuals to
privacy, including secrecy of communications and protection of
personal data, should be respected in national cryptography policies
and in the implementation and use of cryptographic methods.
Even the recent G8 Tokyo-round documents noted privacy as a right
that needs to be protected by the democratic nations and fully
incorporated into procedures for law enforcement investigations.
Similarly, the requirements in 15.2 are vague and unlikely to create
any significant procedural protections and do not provide for adequate
independent supervision by judicial or other authorities. Independent
supervision varies greatly across nations. 15.2 does not set any
standards for independence, while the Explanatory Memorandum (par. 138)
even notes that a competent authorisation across nations differs from
"judicial, administrative, or other law enforcement authority" (emphasis
added). We would expect that minimal, yet adequate protections be
discussed specifically and that the treaty should require scrutiny
independent from law enforcement itself.
The issue of costs is also troublesome. Under 15.3, countries are not
required to pay the costs imposed on third parties for their demands for
surveillance. This both significantly lowers the barriers to law
enforcement surveillance by removing any limits on how much surveillance
can be afforded and is grossly unfair to the providers. Industry
commenters have consistently asked for the inclusion of a reimbursement
requirement, and those requests have been supported by the privacy
community. Requiring that law enforcement pay for their surveillance
provides an important level of accountability through the budget process
each year.
C. Encryption and Article 19.4
In the last few years, after considerable international debate over
surveillance, privacy and electronic commerce, the use of encryption has
been liberalized, except in a few authoritarian governments such as
China and Russia. Article 19.4 is a step backwards by seemingly
requiring that countries adopt laws that can force users to provide
their encryption keys and the plain text of the encrypted files.
So far, only a few countries, such as Singapore, Malaysia, India and
the UK, have implemented such provisions in their laws. In those
countries, police have the power to fine and imprison users who do not
provide the keys or the plaintext of files or communications to police.
It is worth noting that the UK Government faced significant opposition
over its initiative; including an ambiguous paragraph within an
internationally-binding convention is in conflict with democratic
principles.
Such approaches raise issues involving the right against
self-incrimination, which is respected in many countries worldwide. The
privilege against self-incrimination forbids a government official from
compelling a person to testify against himself. It has a long history,
originally developing from Roman and Canon law and has subsequently been
adopted in the Common law of many countries. Many European legal
scholars also believe that requiring such disclosures violates the
European Convention on Human Rights.
The proposed treaty should unambiguously provide that there is no
requirement that parties have domestic legislation that forces users to
provide encryption keys or to decrypt documents.
D. Interception and Real-time Traffic Data
Articles 20 (Real-time collection of traffic data) and Article 21
(Interception of content data) mandate that the parties have domestic
laws requiring service providers to cooperate in both the collection of
traffic data and the content of communications. Without sufficient
privacy and due process protections, which are noticeably lacking in the
Treaty, these provisions threaten human rights.
Both Articles also mandate in their respective Sections A that the
parties shall adopt such legislative and other measures to empower their
law enforcement authorities to directly collect or record such content
and traffic data without the participation of the service provider.
Allowing law enforcement direct access to a service provider's
network to conduct surveillance, e.g., the U.S. Carnivore program,
provides police with the ability to conduct broad sweeps of network
communications with only their unsupervised assurance that they will
only collect that data which they are lawfully entitled to collect. It
invites abuse of the most invasive investigative powers. It also
represents a threat to the integrity of providers' networks. For
example, the use of Carnivore in the US compromised the network
integrity of a major ISP.
E. Data Protection
We would urge the CoE to adopt the sections under discussion in
Article 29 and footnote 9 on data protection. Opposition to this section
seems to come from a misunderstanding on the part of some countries
about the issue of data protection. In this case, it is a requirement
that the information is only used by governments for appropriate means.
It is not a requirement that countries such as the US adopt legislation
governing the use of personal information in the private sector. Many
countries around the world already have legislation of this nature
including the US Privacy Act.
It should also be noted that other international agreements on the
transfer of information between law enforcement agencies including the
Interpol, Europol and Schengen agreements all include sections on the
use of information.
F. On Mutual Assistance and Dual-Criminality
We remain deeply concerned with the draft treaty's failure to
consistently require dual criminality as a condition for mutual
assistance. No nation should ask another to interfere with the privacy
of its citizens or to impose onerous requirements on its service
providers to investigate acts which are not a crime in the requested
nation. Governments should not investigate a citizen who is acting
lawfully, regardless of whatever mutual assistance conventions are in
place.
At a minimum, if the CoE insists on not requiring dual criminality,
then we recommend the addition of an article that has reporting
requirements regarding such investigations of lawful activity. Such an
article should include reporting of each case of mutual assistance that
did not involve dual criminality, as well as an accounting of all
investigative 'product' of lawful activity that involved personal data
that was shared with another country, and should require notification to
the individual.
Moreover, we believe that the CoE must explain with much greater
specificity the situations and scenarios where parties are permitted to
use the articulated reservations of political offences and prejudicing
essential interests, and must differentiate these from general cases of
investigations of an innocent individual for lawful acts. Importantly,
the CoE also needs to explain why in Article 31 (Real Time Collection of
Traffic Data), the draft provides for neither a dual criminality
constraint, nor even a 'political offence' and 'essential interest'
exemption, as do other articles.
Finally, the interception article provides that interception is
allowed to the extent permitted by other treaties and domestic law.
Article 18.5.b of the European Convention on Mutual Assistance in
Criminal Matters, for example, allows the requested Member State to make
its consent subject to any conditions, which would have to be observed
in a similar national case. We recommend clarifying that within the CoE
convention, requests for interception can only take place if it is
permitted under the given criminal law as an offence that merits
interception in both countries. We also favor a minimum-authorization
request, where warrants are only acted upon if they are received from a
judicial authority in the requested country.
G. Additional Protocol on Speech Crimes
In Footnote 3, the PC-CY Committee discussed the possibility of
including content-related offences other than those defined in Article
9, such as the distribution of racist propaganda through computer
systems. [..]
We would oppose the CoE taking forward a second protocol on other
content-related crimes. Such a protocol will inevitably threaten
recognized free expression rights in many nations. This treaty should be
confined to offences where there is universal agreement about
criminality. We are particularly concerned with the CoE as an
organisation discussing these issues, if it is going to employ as closed
a process as it has for its deliberations on this convention.
H. Other Brackets and Footnotes
(i) Preamble: [Mindful also of [the need to reconcile the interests
of international mutual assistance and] the protection of personal data,
as conferred e.g. by the 1981 Council of Europe Convention for the
Protection of Individuals with Regard to Automatic Processing of
Personal Data];
We support the outside brackets being removed, but recommend removing
the internal clause regarding mutual assistance. We also support the
inclusion of the further data protection instruments into the
preamble.
(ii) Footnotes 4 and 5, relating to "where such acts are committed
wilfully, [at least] on a commercial scale and by means of a computer
system": [...] Meanwhile, another delegation proposed the following
alternative formulation: "Parties shall consider establishing as
criminal offences conduct described in paragraphs 1 and 2 in situations
other than those which involve a commercial scale."
We oppose the inclusion of the "[at least]", as it increases the
scope of applicability. We also disagree with the inclusion of the
alternative formulation proposed by the 'other delegation' mentioned in
footnote 4.
(iii) Footnote 6. Two delegations requested that a reservation clause
be included to Articles 20 and 21 to the extent these provisions under
their domestic laws cannot apply to certain types of service
providers.
We support this reservation clause, and recommend tightening the
definition of traffic data within article 20 particularly considering
the various types of service providers that could arguably be
covered.
(iv) Footnote 9. See our discussion above under "Data
Protection".
(v) Footnote 10: It was suggested by several delegations that "may"
be replaced by "shall" with regard to paragraph b). One delegation
proposed to replace "may" by "shall" in both paragraphs a) and b).
We support replacing "may" with "shall", particularly in the light of
our discussion above under "Data Protection".
Conclusion
We thank you for this latest opportunity to respond to the
convention. We feel that without due consideration to civil liberties,
privacy, and due process this convention will continue to threaten
fundamental human rights. We look forward to further discussing the
matter with you.
David Banisar
Gus Hosein
Privacy International
Barry Steinhardt
American Civil Liberties Union
David Sobel
Electronic Privacy Information Center