Eight Reasons the International Cybercrime Treaty Should be Rejected

The International Cybercrime Convention: What It Is

In November 2001, the members of the Council of Europe signed an extraordinarily broad new treaty to increase cooperation among law enforcement officials of different nations.Officially, this Cybercrime Convention was drafted by the 43-member Council of Europe, with the U.S., Canada, Japan and other countries participating as “observers.” In reality, American law enforcement officials have been among the primary drivers behind the treaty.

The Cybercrime Convention does three major things:

1. It includes a list of crimes that each member country must have on its books. The treaty requires criminalization of offenses such as hacking, the production, sale or distribution of hacking tools, and child pornography, and an expansion of criminal liability for intellectual property violations (Articles 2-11).
2. It requires each participating nation to grant new powers of search and seizure to its law enforcement authorities, including the power to force an ISP (Internet Service Provider) to preserve a citizen's internet usage records or other data, and the power to monitor a citizen's online activities in real time (Articles 16-22).  
3. It requires law enforcement in every participating country to assist police from other participating countries by cooperating with "mutual assistance requests" from police in other participating nations "to the widest extent possible" (Articles 23-35).

The 8 reasons this treaty should be rejected

This is a bad treaty, and nations should not sign or ratify it. There are 8 main problems with the agreement:

Reason #1: The treaty lacks privacy and civil liberties protections

The treaty lacks meaningful privacy or civil liberties restraints.  For example, unlike other international law enforcement agreements (including the Interpol, Europol and Schengen agreements), this treaty includes no provisions to protect citizens' privacy.  In fact, the word "privacy" doesn't appear once in any of the convention's articles.¹ The treaty also requires ISPs to cooperate with searches and seizures of data without requiring police to reimburse them for the costs of that cooperation.² Not only is that an unfair burden on the ISPs, but by making searches free for the police, it encourages them to use that power indiscriminately. That undermines one of the most important checks and balances of a democratic system: the control over law enforcement that most legislatures maintain through their budgetary "power of the purse."

Reason #2: The treaty is far too broad

Like a monster, the treaty has vastly outgrown its original mission of helping coordinate enforcement of cross-border cybercrimes. Now the treaty covers not only computer-related crimes, but any crime where the evidence could be in computerized form.³ As computers become more and more intertwined with modern life, this treaty's problems will apply to a larger and larger proportion of all crimes. Eventually even muggers will all have Internet-ready handheld computers. Foreign police can't require law enforcement in most nations to search the home of someone who hasn't violated any domestic laws; why should they be able to order a search of his computer records? The Convention's broad reach means that despite the treaty's name, all its flaws would soon apply not just to a few specialist hackers, but to the whole fabric of society.

Reason #3: The treaty lacks a "dual criminality" requirement for cooperation with the police of other nations

Law enforcement officials in a particular nation would be forced under this treaty to cooperate with investigations of behavior that is illegal in another country but perfectly legal within their borders.  That is because the treaty lacks a "dual criminality" provision that would require an activity to be a crime in both countries before one nation could enlist the police in another to help investigate.  The result: law enforcement agencies -- and thus ISPs -- would be forced to cooperate with foreign authorities in conducting surveillance on citizens in their native country who have committed no crime under their own laws.

Worse, some of those mutual assistance requests will come from countries that have minimal civil liberties protections. The Convention includes not only Council of Europe members like Ukraine and Bulgaria, but will also over time be opened to China and other non-democratic nations.

Reason #4: Protection for political activities is too weak

The absence of a dual criminality requirement will inevitably result in the treaty being used to force one nation to cooperate in politically inspired investigations by another.  While there are some exceptions in the treaty, which allow a signatory to refuse to cooperate because the offense being investigated is "political," these exceptions are far too limited and won't even apply to many of the most significant requests.

For example, the exemption for offenses that are "political" in nature was not included in the section requiring real-time data monitoring.⁴ That means that law enforcement in, for example, England, could be required under this treaty to order an ISP to spy on a Ukrainian political dissenter, a Latin American union organizer, or a U.S. veteran who sold a Nazi helmet over eBay.

In addition, the term "political offenses" is not defined - a huge omission since an offense that is considered political in one nation might be a criminal matter in another.  Even worse, official assistance in many cases could be authorized solely by law enforcement without judicial approval or oversight.⁵ A law enforcement agency could decide on its own that an offense isn't political, and initiate surveillance. And since the treaty doesn't even have a reporting requirement (requiring instances of cooperation with other countries on foreign crimes to be made public), law enforcement decisions on this sensitive issue may never be subject to civilian check or oversight.

Reason #5: The treaty threatens to further unbalance intellectual property law

The treaty's vague and obscure intellectual property provisions would significantly expand criminal liability for intellectual property violations and further tilt copyright law away from the public interest.  It also appears to make copyright violations into extradictable offenses.  Intellectual property law in the U.S. and many other nations is a delicate balance between the rights of intellectual propertyholders and the rights of the public.  But this treaty declares simply that copyright infringement would be criminalized,⁶ with no mention of counterbalancing rights that, for example, permit copyrighted material to be used for parodies, criticism, and scholarly analysis.

Reason #6: The treaty would give police invasive new surveillance powers

The treaty would require signatory nations to authorize the use of devices like Carnivore, the "Internet-tapping" surveillance system being used in the United States by the FBI.⁷ Technologies such as Carnivore eliminate the phone company as a mediating institution and allow law enforcement agents direct access to ISPs' entire networks for surveillance, with only their unsupervised self-restraint preventing them from inspecting the vast flow of other data in the network. Unfortunately, the history of government agencies in respecting privacy does not inspire faith.

In the United States, the statutory authority for Carnivore is unclear, and the treaty's authorization of such devices would undercut existing law - as well as collide with the U.S. Constitution's Fourth Amendment, with its guarantee against "unreasonable searches and seizures" without probable cause.

Reason #7: The treaty contains an overly broad criminalization of hacking tools

The amorphous ban on tools that were "designed primarily" for hacking criminalizes the tools rather than the behavior at issue; after all, even if lock-picking tools were designed for burglars, they should still be legal for use by a locksmith to help someone locked out of their car at 2:00 in the morning. This provision would put a damper on technical experimentation.  And it would apply when the tools were distributed "without right"⁸ - an undefined, legally mysterious phrase that makes this article ripe for abuse by under-savvy and over-ambitious prosecutors. 

Reason #8: The treaty was drafted in a closed and secretive manner

The drafting process was closed, secretive and undemocratic. The drafting committee was dominated by law enforcement, while industry and public-interest groups didn't have a seat at the table. Even after the publication of treaty drafts, the authors made little effort to incorporate the views and concerns of privacy and civil liberties groups. The result is a "wish list" for law enforcement that lacks the balance that other viewpoints would have brought to the treaty - and that a wise approach to policy would require.

Footnotes:
1 There is one platitude about privacy in the preamble.
2 Article 15.3.
3 Article 23.
4 Article 33.
5 Article 27.2.b.
6 Article 10.1.
7 Articles 20 and 21.
8 Article 6.1.