October 18, 2000
Dear Council of Europe Secretary General Walter Schwimmer and COE
Committee of Experts on Cyber Crime,
We write to you on behalf of a wide range of civil society
organizations from around the world to object to the proposed Convention
on Cyber-Crime. We believe that the draft treaty is contrary to well
established norms for the protection of the individual, that it
improperly extends the police authority of national governments, that it
will undermine the development of network security techniques, and that
it will reduce government accountability in future law enforcement
conduct.
Specifically, we object to provisions that will require Internet
Service Providers to retain records regarding the activities of their
customers. (Articles 17, 18, 24, 25). These provisions pose a
significant risk to the privacy and human rights of Internet users and
are at odds with well established principles of data protection such as
the Data Protection Directive of the European Union. Similar
communications transaction information has been used in the past to
identify dissidents and to persecute minorities. We urge you not to
establish this requirement in a modern communication network. In our
view the whole of Article 18 is incompatible with Article 8 of the ECHR
and with the jurisprudence of the European Court of Human Rights.
We further object to the conception of "Illegal Devices" set out in
Article 6. We believe that this concept lacks sufficient specificity to
ensure that it will not become an all-purpose basis to investigate
individuals engaged in computer-related activity that is completely
lawful. As technical experts have made clear, this provision will also
discourage the development of new security tools and give government an
improper role in policing scientific innovation.
We also object to the dramatic extension of copyright crimes in the
proposed Article 10. It is hardly a settled matter that criminal
penalties are the appropriate remedy for copyright infringement, nor do
the underlying treaties referenced impose such requirements. New
criminal penalties should not be established by international convention
in an area where national law is so unsettled. More generally, we
disagree with initiatives that allow for mutual assistance without
dual-criminality. This requirement is central to preserving the
sovereign authority of nations.
Additionally, we believe that clear procedures must be agreed upon in
international investigations, and that no law enforcement agency within
a different jurisdiction should act on behalf of another nation without
clear investigative procedures within its own jurisdiction. Different
countries have different procedures, admittedly, but now is the
opportunity to harmonize them, on the condition that we assure a high
level of consistency on individual rights protections.
The criminal provisions of Articles 9 and 11 could lead to a chilling
effect on the free flow of information and ideas. Imposing liability on
Internet Service Providers for third party content places an
unreasonable burden on providers of new network services and will
encourage inappropriate monitoring of private communications.
Article 14 setting out the requirements for search and seizure of
stored computer data lacks necessary procedural safeguards to safeguard
the rights of the individual and to ensure due process of law. In
particular, there is no effort to ensure that an independent judicial
review, ensuring the respect of basic freedoms and liberties, occurs
before a search by the state is undertaken. Such searches would
constitute an "arbitrary interference" under international legal
norms.
Articles 14 and 15 could establish a requirement for government
access to encryption keys that would compel individuals to incriminate
themselves which may well be incompatible with Article 6 of the European
Convention on Human Rights and with the jurisprudence of the European
Court of Human Rights. We also question the ambiguity that arises within
this same article on government access to decryption keys. The Council
of Europe should clarify this provision so that member countries do not
take the convention to be a mandate for passing legislation allowing for
self-incrimination.
We also object in very strong terms to the manner under which this
proposal was developed. Police agencies and powerful private interests
acting outside of the democratic means of accountability have sought to
use a closed process to establish rules that will have the effect of
binding legislation. We believe this process violates requirements of
transparency and is at odds with democratic decisionmaking.
Privacy experts have made clear their opposition to this proposal.
One expert warned that efforts to develop an international convention on
"Cyber crime" would lead to "fundamental restrictions on privacy,
anonymity and encryption."
Data Protection officials have made clear their opposition to this
proposal. The International Working Group on Data Protection in
Telecommunications earlier criticized attempts to require maintaining
traffic data and recommended improvements in security over new criminal
laws.
Technical experts have made clear their opposition to this proposal.
A letter from leading security practitioners, educators, and vendors
states that "the proposed treaty may inadvertently result in
criminalizing techniques and software commonly used to make computer
systems resistant to attack" and that the proposed treaty "would
adversely impact security practitioners, researchers, and
educators."
Now a wide range of organizations representing civil society across
the world make clear our opposition to this proposal.
We believe that any proposal to create new investigative and
prosecutorial authority should include a careful consideration of
articles 8 and 10 of the European Convention on Human Rights and the
related jurisprudence of the European Court of Human Rights. We do not
believe that these instruments were given adequate consideration in the
development of this proposal. Further, we believe that the OECD
Cryptography Policy Guidelines and the OECD Guidelines for the Security
of Information Systems reflect a more balanced, forward-looking view of
the need to promote strong security techniques to reduce the risk of
computer crime than the proposal now under consideration.
Finally, the Universal Declaration of Human Rights speaks directly to
the obligations of government to protect the privacy of communication
and to preserve freedom of expression in new media. Article 12 states
that "No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence." Article 19 further states that
"Everyone has the right to freedom of opinion and expression; this right
includes freedom to hold opinions without interference and to seek,
receive and impart information and ideas through any media and
regardless of frontiers."
We urge you not to approve the treaty proposal at this time. We, the
undersigned, are ready to support the CoE with experts in the area to
provide a better version of the document, aimed not only at punishing,
but also at preventing computer crimes.
Signed,
American Civil Liberties Union (US)
http://www.aclu.org/
Associazione per la Libertà nella Comunicazione Elettronica
Interattiva (IT)
http://www.alcei.it/
Bits of Freedom (NL)
http://www.bof.nl/
Canadian Journalists for Free Expression (CA)
http://www.cjfe.org/
Center for Democracy and Technology (US)
http://www.cdt.org/
Computer Professional for Social Responsibility (US)
http://www.cpsr.org/
Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/
Derechos Human Rights (US)
http://www.derechos.org/
Digital Freedom Network (US)
http://www.dfn.org/
Electronic Frontier Foundation (US)
http://www.eff.org/
Electronic Frontiers Australia (AU)
http://www.efa.org.au/
Electronic Privacy Information Center (US)
http://www.epic.org/
Equipo Nizkor (ES)
http://www.derechos.org/nizkor/
Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/
FITUG e.V. (DE)
http://www.fitug.de/
Human Rights Network (RU)
http://www.hro.org/
Internet Freedom (UK)
http://www.netfreedom.org/
Internet Society - Bulgaria (BG)
http://www.isoc.bg/
Internet Society
http://www.isoc.org/
IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/
Kriptopolis (ES)
http://www.kriptopolis.com/
Liberty (UK)
http://www.liberty-human-rights.org.uk/
The Link Centre, Wits University, Johannesburg (ZA)
http://link.wits.ac.za/
NetAction (US)
http://www.netaction.org/
Netwokers against Surveillance Taskforce (JP)
http://www.jca.apc.org/
Opennet
http://www.opennet.org/
Privacy International (UK)
http://www.privacyinternational.org/
quintessenz (AT)
http://www.quintessenz.at/
Verein für Internet Benutzer (AT)
http://www.vibe.at/
XS4ALL (NL)
http://www.xs4all.nl/
Other Signatories
Association for Computing Machinery (International)
http://www.acm.org/
CryptoRights Foundation (US)
http://www.cryptorights.org/
Digital Rights (DK)
http://www.digitalrights.dk
Foundation for Information Policy Research (UK)
http://www.fipr.org/
PGP en Français (FR)
http://www.geocities.com/SiliconValley/Bay/9648/
Also see: Liste des signatures d'organisations françaises http://www.iris.sgdg.org/actions/cybercrime/sign-coe.html