December 12, 2000
Dear Council of Europe Secretary General Walter Schwimmer and COE
Committee of Experts on Cyber Crime,
On October 18, 2000 we wrote a letter on behalf of a wide range of
civil society organizations to indicate our opposition to the proposed
Convention on Cyber-Crime. In that letter we raised our opposition to
issues surrounding criminalisation of tools, the issue of liability,
sanctions on copyright, enhancing mutual legal assistance, and increased
investigative powers. We argued that version 22 of the convention
represented the interests of law enforcement, and lacked accountability.
As a result, its lack of consideration towards civil liberties was
appalling.
To our dismay and alarm, the convention continues to be a document
that threatens the rights of the individual while extending the powers
of police authorities, creates a low-barrier protection of rights
uniformly across borders, and ignores highly-regarded data protection
principles.
Although some changes have been made in version 24-2, we remain
dissatisfied with the substance of the convention. The convention
subcommittee did give our previous letter attention, but we maintain
that protections of individual rights have not been attended to
adequately. We question the validity of the process that still endures a
closed environment and secrecy. As a result, we are following up with
this subsequent letter to reiterate our past concerns, address some of
the changes, and shed more light on a subset of these concerns.
Exceptions indicate a larger problem
One thematic shift in the convention is the increased number of
exceptions and caveats in the current draft. While, these exceptions are
still quite weak, it appears as though there is rising concern within
the CoE as to the powers granted within the convention.
- The effect of the deletion of Article 37.2 (from version 22), that
once limited the amount of flexibility signatory states are allowed to
exercise, appears as though there is an arising opposition among the
drafters and plenary member states over this issue.
- In Section 2 on Investigative Techniques, article 14.2 was added
to assure "adequate protection of human rights and, where applicable,
the proportionality of the measures to the nature and circumstances of
the offence." While the CoE considered allowing signatory states to
restrict the situations for using the new investigatory powers, even
from using them in the crimes established in the convention, this was
not included in version 24-2. The convention still promotes use of
invasive techniques for any crime, except the use of interception,
which according to 21.1 can only be used for "serious offences to be
determined by domestic law". Even this limitation serves little
effect, for the definition of serious crime is left to domestic law,
and some countries in the CoE have an extremely broad definition of
serious crime for content interception purposes.
- An additional exception was appended to Articles 29 and 30, for
consistency with a previous article, that a signatory state may refuse
mutual assistance to pursue an offence only if the state in question
considers the offence to be political. Despite that this option
existed in another article in version 22, and is consistent with
previous CoE documents, it does appear that the CoE is aware of the
differences in regimes and qualitative nature of 'offences' in the
prospective-signatory states. This exception arises because of the
failure to require dual-criminality.
- The addition of sub-article 35(bis).4 states that a transferring
party may require the receiving party to explain the use made
of information that is shared between states. This after-the-fact
reporting is desirable, but not sufficient. The interests of
proportionality and specificity must also be addressed in requirements
applicable to the initial requests for assistance, sufficient to allow
the requested party to verify the reason for the investigation by the
requesting party.
- When a state makes such 'reservations', article 43 contains new
sub-articles to place pressure on these states to conform to the full
powers of the convention. Subarticle 43.2 claims that signatory states
are expected to withdraw reservations "as soon as circumstances
permit", while subarticle 43.3 allows the Secretary General to
approach these states periodically to discuss the withdrawal of their
reservations. The CoE appears to assume that human rights are
negotiable, periodically.
Recommendations on Exceptions
- We continue to argue that the use of invasive powers must applied
only for serious crimes.
- Proportionality is a concept that must be defined at the
international level, uniformly and unilaterally agreed or by reference
to the jurisprudence of the European Court of Human Rights.
- The current draft's approach of allowing for exceptions and
reservations by individual countries is faulty and hazardous to human
rights for it fails to set a mutually agreed upon limit to the
privacy intrusions that will be within the scope of the treaty.
- We urge dual criminality as a pre-requisite to all forms of mutual
assistance, and these crimes must be stated explicitly.
- We also urge the addition of a consistent regime of civil
liberties protections in investigative powers.
We urge that the provisions of the draft Convention be consistent
with international human rights instruments:
- Universal Declaration of Human Rights, article 12, article 19;
- International Covenant on Civil and Political Rights, article 17,
and article 19;
- European Convention on Human Rights, article 8, and article 10.
Influencing Development and Distribution
We also note the addition of a preamble statement regarding the
interests in the use and development of information technologies.
We oppose the creation of a situation where technologies that are
proportionate with regards to authentication are dismissed in favour of
technologies of full traceability. We recommend that this clause
be removed.
Powers for Invasiveness
We continue to oppose powers of interception and preservation of data
without sufficient constraints.
- Article 19.4 continues to allow for self-incrimination by ordering
an individual who has knowledge of the security methods applied to the
data of interest, to provide all necessary information to enable
search and seizure. We remain concerned that this may be a prompt for
government access to decryption keys and could breach Article 6 of the
European Convention on Human Rights.
- Article 20 on access to traffic data fails to acknowledge the
invasive qualities of such data, and the shifting division between
content and traffic data. Likewise, there is no definition for
'content data'.
- The addition of article 20.2 for real-time collection and
recording of traffic data through technical means appears to be a
prompt to allow for systems such as Carnivore.
- The addition of article 21.2 allows similarly for "real-time
collection and recording of content data through technical means."
Recommendations on Powers
- We urge clear limits to the powers involving situations where
civil liberties are compromised. Particularly, we expect that invasive
techniques are used only in the case of serious crimes and
allow for clear prevention of self-incrimination and other inalienable
rights, such as privacy and freedom of expression as outlined in the
European Convention on Human Rights, the Universal Declaration of
Human Rights, and the International Covenant on Civil and Political
Rights.
- We view traffic data collection as invasive and urge sufficient
uniform constraint prior to collection.
- We urge a clear definition of 'content data' and the
differentiation with 'traffic data'.
- We require limitations on the powers of interception and
data gathering devices so as to absolutely limit the invasiveness. We
recommend that 20.2 and 21.2 are replaced in favour of a protective
article ensuring that if technical means are used, these means must
separate out the traffic of the specific user under investigation,
gather only the legally permitted amount of data, disallow tampering,
and respect the shifting division between content and traffic data. If
this can not be guaranteed through independent audit, these techniques
must be deemed illegal (similar to Article 3) and no data access or
sharing can occur.
- Interception of communications is an invasive technique often used
against dissidents and human rights workers around the world. We
continue to urge you not to establish this requirement in a modern
communication network particularly as these networks are still being
developed and shaped.
- The CoE has stated publiclya the difference between
retention and preservation of data. However considering discussion at
the G8 and recently within the UKb, we believe that this
distinction requires explicit protections. We want to see
international respect for data protection as in the 1981 CoE
Convention on Data Protection and the EU Data Protection Directive
1995, and apply these instruments to traffic data.
In increasing powers the convention must also establish a maximum
threshold of investigative techniques that are acceptable; unjudicious
access and data warehousing are gross invasions of civil liberties.
Accession without Rights
It has been stated that the signing of this convention is intended to
eventually include non-member states of the Council of Europe. It is our
hope that any state that is invited to sign this convention have
sufficient respect for human rights and democratic accountability. In
particular, these invited states are not signatories to the European
Convention on Human Rights and have not necessarily enacted into
national law the principles of protection of these rights. As a result,
we would consider this invitation to be an attack on the integrity of
the convention. We require at the very least to see in Article 37
a sufficient requirement and evaluation to the adequacy of human rights
protection prior to allowing their accession.
Un-due Extraterritoriality
The convention contains numerous extraterritoriality claims,
particularly embodied within two statements.
- Article 23 creates supra-national reach for signatory states.
Although there is an exception under subarticle 23.2, which the US
admits that it will have to pursuec, as we have stated
earlier, if an exception exists, it is often because the measure is
too far-reaching.
- Footnote 29, which relates to mutual assistance under article 27,
specifies "that the mere fact that the requested Party’s legal system
knows no such procedure is not a sufficient ground to refuse to apply
the procedure requested by the requesting Party." As a result,
signatory states can be forced to act beyond their means.
Recommendations on Extraterritoriality: We find all
indications of extraterritoriality to be gross invasions on the
sovereignty of nations with respect to the protection of the rights of
the individual.
- We urge that footnote 29 be withdrawn and the philosophy
supporting it be regarded as undemocratic.
- We require that states must only be permitted to act in manners
for which they have legal, democratically agreed procedure as in the
European Convention of Human Rights; otherwise this will allow for the
extraterritoriality of extreme powers, such as the UK Government's
contentious access to decryption keys under the recently enacted RIP
Act 2000.
- We recommend a clause be included under mutual assistance that
states that when Party A requests assistance from Party B, Party B may
not act using powers greater than those allowed for under Party A's
jurisdiction, and Party B can only act based on the rule of law within
Party B under due process.
We do not want mutual assistance to appear as arbitrage between
states where negotiations take place to find increased powers and lowest
levels of protections.
Continuing Opposition
We remain concerned with the original objections stated in our
October 18 2000 letter; please consider this as a complementary
statement of opposition.
We continue to await progress on our previous requirement for
judicial review to invasions of privacy. The Council of Europe should
clarify these provisions as Section 2 is riddled with access to data
without stating a unilateral minimal-level of review and due process. We
are also concerned that the convention fails to uphold the privacy
rights within the European Convention on Human Rights, to protect them
for the digital age. We recommend reference to the Universal Declaration
of Human Rights, particularly article 12 that states: "No one shall be
subjected to arbitrary interference with his privacy, family, home or
correspondence." As a result of its lack of regard to human rights, the
convention is currently unsupportable.
The CoE is granting states the terminology and impetus to act against
cyber-crime; we hope the CoE will take this opportunity to give
the signatory states the terminology and impetus to act in the interests
of the rights of the individual. Therefore we urge that limits to action
be stated explicitly, such as in requiring judicial review, assuring
against self-incrimination, ensuring data is gathered for specific
reasons, using proportionate means at all occasions, and upholding data
protection principles; to name a few.
We continue to believe this convention development process violates
requirements of transparency and is at odds with democratic decision
making. We only hope that even at this late stage the CoE may learn and
practice responsiveness to consultation by incorporating and protecting
human rights.
We call on the member-states of the CoE not to sign the treaty in its
current format at this time. We also call the Committee of Ministers of
the CoE to reject the Convention in its current format in that it does
not provide equal protection to fundamental human rights while trying to
prevent and detect cybercrimes.
We, the undersigned, continue to make our offer to support the CoE
with experts in the area to provide a better version of the convention,
aimed not only at punishing, but also at preventing computer crimes and
protecting fundamental human rights.
Signed,
American Civil Liberties Union (US)
http://www.aclu.org/
Associazione per la Libertà nella Comunicazione Elettronica
Interattiva (IT)
http://www.alcei.it/
Bits of Freedom (NL)
http://www.bof.nl/
Center for Democracy and Technology (US)
http://www.cdt.org/
Computer Professional for Social Responsibility (US)
http://www.cpsr.org/
Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/
Digital Freedom Network (US)
http://www.dfn.org
Electronic Frontiers Australia (AU)
http://www.efa.org.au/
Electronic Frontier Foundation (US)
http://www.eff.org/
Electronic Privacy Information Center (US)
http://www.epic.org/
Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/
FITUG e.V. (DE)
http://www.fitug.de/
IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/
Kriptopolis (ES)
http://www.kriptopolis.com/
The Link Centre, Wits University, Johannesburg (ZA)
http://link.wits.ac.za/
NetAction (US)
http://www.netaction.org/
Netwokers against Surveillance Taskforce (JP)
http://www.jca.apc.org/
Opennet
http://www.opennet.org/
Privacy International (UK)
http://www.privacyinternational.org
Privacy Ukraine (UA)
http://www.ukrnet.net/
quintessenz (AT)
http://www.quintessenz.at/
Verein für Internet Benutzer (AT)
http://www.vibe.at/
Other Signatories
Foundation for Information Policy Research (UK)
http://www.fipr.org/