[ISN] Cybercrime Treaty: What it Means to You

From: InfoSec News (alerts@private)
Date: Tue Mar 06 2007 - 22:19:34 PST


By Larry Downes
CIO Insight
March 6, 2007

Cybercrime is getting cheaper all the time, as shady characters sell 
tools to help criminals spam, phish, hack and crash. And a new treaty 
ratified by the U.S. Senate could wind up passing the costs of combating 
cybercrime directly to American businesses.

From an economic standpoint, when the cost of crime goes down, 
frequency goes up. How does the legal system fight back? One way is to 
increase enforcement and catch more people. But when it comes to 
cybercrime, no one really expects law enforcement to keep up 
technologically with criminals; it's an arms race the criminals keep 
winning. An alternative is to raise the penalties, in hopes of deterring 
criminals who weigh the benefits of committing their crimes against the 
risk of getting caught.

In that vein, in August the Senate ratified the Convention on 
Cybercrime, drafted by the Council of Europe with considerable input 
from the United States. So far, 43 nations have signed on. The 
Convention includes many sensible provisions aimed at unifying global 
computer-crime laws, and closes loopholes that make it possible for 
criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, 
strongly oppose the treaty. Civil libertarians are especially concerned 
about the sweeping authority given to participating countries to seize 
information from private parties as they investigate cybercrimes, even 
when the activity being investigated isn't a crime in the country where 
the data is located. If France is investigating a sale of Nazi 
memorabilia on eBay, the U.S. must cooperate, even though such 
transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member 
countries to establish and enforce potent data-retention policies for 
network traffic, and require any operator of a computer network to 
respond to requests for information from any participating country 
without compensation of any kind.

These are potentially serious problems, especially given that the 
Convention is open to any country that wants to join. But there are more 
practical reasons U.S. businesses should be concerned. The provisions 
for data retention and production apply to any operator of a computer 
network, not just telecoms. Worse, Article 12 attaches liability to 
businesses for "lack of supervision or control" of employees who commit 
criminal offenses covered by the Convention. Businesses must worry about 
employee activities that may be legal here, but illegal elsewhere, 
risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on 
businesses without any real controls. Worldwide law-enforcement 
agencies, in other words, may now avail themselves of the opportunity to 
outsource their most expensive problems to you.

The Convention may improve the cybercrime-and-punishment equation in 
favor of deterrence. But it's also added some new variables and possibly 
irrational numbers. Of the economic, not mathematical, kind.
