FC: Privacy groups try to rally opposition to "cybercrime" treaty

From: Declan McCullagh (declanat_private)
Date: Sat Jun 09 2001 - 10:13:39 PDT

    Background on Council of Europe "cybercrime" treaty:
    http://www.politechbot.com/p-01136.html
    http://www.politechbot.com/p-01558.html
    http://www.politechbot.com/p-01553.html
    
    ********
    
    Date: Fri, 08 Jun 2001 14:59:23 -0400
    To: Declan McCullagh <declanat_private>
    From: Barry Steinhardt <Barrysat_private>
    Subject: Council Of Europe Cybercrime Treaty
    
    Declan,
    
    ACLU, EPIC and Privacy International have sent a letter to the US 
    Government and to the Council of Europe on the latest and purportedly final 
    version #27 of the Council of Europe Convention of Cybercrime.
    
    It can be found at http://www.gilc.org/privacy/coe-letter-0601.html .
    
    The draft convention continues to pose a threat to civil liberties.
    
    Among other things:
    
    1.      The Convention would require parties to have the capacity and legal 
    authority to install Carnivore-like surveillance devices,
    
    2.      Seemingly requires parties to enact laws requiring the disclosure 
    of decryption keys and/or plain text,
    
    3.      In many circumstances requires parties to provide mutual 
    assistance, in the form of  intrusive searches and surveillance, even when 
    the act being investigated by one nation is not a crime in the nation that 
    is being asked to conduct the search and,
    
    4.      Has very few procedural or due process protections for human rights.
    
    
    The Convention is rapidly moving to a conclusion and may go to the COE Council 
    of Ministers and be open for signatures as early as this fall.
    
    Barry Steinhardt
    
    ********
    
    http://www.gilc.org/privacy/coe-letter-0601.html
       
                                          
    Comments of the American Civil Liberties Union, the Electronic Privacy
    Information Center and Privacy International on Draft 27 of the Proposed CoE
    Convention on Cybercrime
    
       June 7, 2001
       
       We are offering this letter of comments to the U.S. Department of
       Justice and the CDPC of the Council of Europe in order to voice our
       continuing concerns regarding the development and form of the draft
       Convention on Cybercrime. While we were advised to reserve our
       comments to optional text and footnotes in order to conform with the
       interests of the CDPC, we also present our continuing concerns
       generally in the hope of promoting democratic debate. We represent
       Non-Governmental Organizations, which are members of the Global
       Internet Liberty Campaign. This letter addresses only certain portions
       of the draft Convention and individual signatories may have additional
       concerns.
       
       We have been actively offering our thoughts on the Convention since
       the drafts were made public. Through the Global Internet Liberty
       Campaign, of which we are members, two letters were submitted to the
       Council of Europe outlining our concerns; these concerns still stand.
       We have also worked with industry actors under an ad-hoc group in
       order to communicate our concerns to the U.S. Department of Justice,
       which reports back that the Committee of Experts on Crime in
       Cyber-Space continues to resist our recommendations. We ask that this
       letter be taken with more consideration than past submissions, while
       bearing in mind our previously articulated concerns.
       
    A. Process
    
       We must again object to the non-transparent manner in which this
       Convention has been developed. The CoE has made little effort to
       address the concerns of other stakeholders in the process. Even after
       the publication of Draft 19 and subsequent drafts, we have seen little
       effort on the part of the Council of Europe working group to directly
       and substantially incorporate the views and concerns of the NGO
       community on the issues of privacy and civil liberties. There has been
       limited public input on the convention, while CoE staffers have
       publicly dismissed any critical commentary.
       
       In addition, the makeup of the working party has remained one-sided,
       with law enforcement at the table and no industry or NGO
       participation. This is contrary to similar efforts at the OECD and the
       G-8 where NGOs (albeit in a very limited capacity) and industry were
       asked to participate and a more balanced effort has emerged.
       
    B. Article 15 is Not Adequate
    
       We recognize that the legal protections have been modestly improved in
       Article 15 by the reference to various other international
       instruments, but we still believe that the protections it affords are
       not adequate to address the significant demands and requirements for
       privacy-invasive techniques in the rest of the Convention.
       
       Title II sets out very specific requirements for privacy invasive law
       enforcement techniques. We believe and have consistently stated
       publicly that each of those sections should have included limitations
       on the use of the techniques. A vague reference to proportionality
       will not be adequate to ensure that civil liberties are protected. We
       recognize that countries have varying methods for protection of civil
       liberties, but as a Council of Europe Convention drafted in
       consultation with other democratic nations, this document missed an
       important opportunity to ensure that minimum standards consistent with
       the European Convention on Human Rights and other international human
       rights accords were actually implemented. This failure is, in part, a
       result of the non-transparency of the process.
       
       It is also unfortunate the section does not specifically address the
       issue of privacy and data protection. The COE Convention 108 on Data
       Protection is an important safeguard for protecting citizens' rights
       and the implementation of this Convention should be adopted in a
       manner that is consistent with its requirements.
       
       Other related efforts such as the 1997 OECD cryptography guidelines
       specifically recognize the fundamental right of privacy:
       
       Article 5. The fundamental rights of individuals to privacy, including
       secrecy of communications and protection of personal data, should be
       respected in national cryptography policies and in the implementation
       and use of cryptographic methods.
       
       Even the recent G8 Tokyo-round documents noted privacy as a right that
       needs to be protected by the democratic nations and fully incorporated
       into procedures for law enforcement investigations.
       
       Similarly, the requirements in 15.2 are vague and unlikely to create
       any significant procedural protections and do not provide for adequate
       independent supervision by judicial or other authorities. Independent
       supervision varies greatly across nations. 15.2 does not set any
       standards for independence, while the Explanatory Memorandum (par.138)
       even notes that a competent authorisation across nations differs from
       "judicial, administrative, or other law enforcement authority"
       (emphasis added). We would expect that minimal, yet adequate
       protections be discussed specifically and that the treaty should
       require scrutiny independent from law enforcement itself.
       
       The issue of costs is also troublesome. Under 15.3, countries are not
       required to pay the costs imposed on third parties for their demands
       for surveillance. This both significantly lowers the barriers to law
       enforcement surveillance by removing any limits on how much
       surveillance can be afforded and is grossly unfair to the providers.
       Industry commenters have consistently asked for the inclusion of a
       reimbursement requirement, and those requests have been supported by
       the privacy community. Requiring that law enforcement pay for their
       surveillance provides an important level of accountability through the
       budget process each year.
       
    C. Encryption and Article 19.4
    
       In the last few years, after considerable international debate over
       surveillance, privacy and electronic commerce, the use of encryption
       has been liberalized, except in a few authoritarian governments such
       as China and Russia. Article 19.4 is a step backwards by seemingly
       requiring that countries adopt laws that can force users to provide
       their encryption keys and the plain text of the encrypted files.
       
       So far, only a few countries, such as Singapore, Malaysia, India and
       the UK, have implemented such provisions in their laws. In those
       countries, police have the power to fine and imprison users who do not
       provide the keys or the plaintext of files or communications to
       police. It is worth noting that the UK Government faced significant
       opposition over its initiative; including an ambiguous paragraph
       within an internationally-binding convention is in conflict with
       democratic principles.
       
       Such approaches raise issues involving the right against
       self-incrimination, which is respected in many countries worldwide.
       The privilege against self-incrimination forbids a government official
       from compelling a person to testify against himself. It has a long
       history, originally developing from Roman and Canon law and has
       subsequently been adopted in the Common law of many countries. Many
       European legal scholars also believe that requiring such disclosures
       violates the European Convention on Human Rights.
       
       The proposed treaty should unambiguously provide that there is no
       requirement that parties have domestic legislation that forces users
       to provide encryption keys or to decrypt documents.
       
    D. Interception and Real-time Traffic Data
    
       Articles 20 (Real-time collection of traffic data) and Article 21
       (Interception of content data) mandate that the parties have domestic
       laws requiring service providers to cooperate in both the collection
       of traffic data and the content of communications. Without sufficient
       privacy and due process protections, which are noticeably lacking in
       the Treaty, these provisions threaten human rights.
       
       Both Articles also mandate in their respective Sections A that the
       parties shall adopt such legislative and other measures to empower
       their law enforcement authorities to directly collect or record such
       content and traffic data without the participation of the service
       provider.
       
       Allowing law enforcement direct access to a service provider's network
       to conduct surveillance, e.g., the U.S. Carnivore program, provides
       police with the ability to conduct broad sweeps of network
       communications with only their unsupervised assurance that they will
       only collect that data which they are lawfully entitled to collect. It
       invites abuse of the most invasive investigative powers. It also
       represents a threat to the integrity of providers' networks. For
       example, the use of Carnivore in the US compromised the network
       integrity of a major ISP.
       
    E. Data Protection
    
       We would urge the CoE to adopt the sections under discussion in
       Article 29 and footnote 9 on data protection. Opposition to this
       section seems to come from a misunderstanding on the part of some
       countries about the issue of data protection. In this case, it is a
       requirement that the information is only used by governments for
       appropriate means. It is not a requirement that countries such as the
       US adopt legislation governing the use of personal information in the
       private sector. Many countries around the world already have
       legislation of this nature including the US Privacy Act.
       
       It should also be noted that other international agreements on the
       transfer of information between law enforcement agencies including the
       Interpol, Europol and Schengen agreements all include sections on the
       use of information.
       
    F. On Mutual Assistance and Dual-Criminality
    
       We remain deeply concerned with the draft treaty's failure to
       consistently require dual criminality as a condition for mutual
       assistance. No nation should ask another to interfere with the privacy
       of its citizens or to impose onerous requirements on its service
       providers to investigate acts, which are not a crime in the requested
       nation. Governments should not investigate a citizen who is acting
       lawfully, regardless of whatever mutual assistance conventions are in
       place.
       
       At a minimum, if the CoE insists on not requiring dual criminality,
       then we recommend the addition of an article that has reporting
       requirements regarding such investigations of lawful activity. Such an
       article should include reporting of each case of mutual assistance
       that did not involve dual criminality, as well as an accounting of
       all investigative `product' of lawful activity that involved personal
       data that was shared with another country, and should require
       notification to the individual.
       
       Moreover, we believe that the CoE must explain with much greater
       specificity the situations and scenarios where parties are permitted
       to use the articulated reservations of political offences and
       prejudicing essential interests, and must differentiate these from
       general cases of investigations of an innocent individual for lawful
       acts. Importantly, the CoE also needs to explain why in Article 33
       (Real Time Collection of Traffic Data), the draft provides for neither
       a dual criminality constraint, nor even a `political offence' and
       `essential interest' exemption, as do other articles.
       
       Finally, the interception article provides that interception is
       allowed to the extent permitted by other treaties and domestic law.
       Article 18.5.b of the European Convention on Mutual Assistance in
       Criminal Matters, for example, allows the requested Member State to
       make its consent subject to any conditions, which would have to be
       observed in a similar national case. We recommend clarifying that
       within the CoE convention, requests for interception can only take
       place if it is permitted under the given criminal law as an offence
       that merits interception in both countries. We also favor a
       minimum-authorization request, where warrants are only acted upon if
       they are received from a judicial authority in the requested country.
       
    G. Additional Protocol on Speech Crimes
       
       In Footnote 3. the PC-CY Committee discussed the possibility of
       including content-related offences other than those defined in Article
       9, such as the distribution of racist propaganda through computer
       systems. [..]
       
       We would oppose the CoE taking forward a second protocol on other
       content-related crimes. Such a protocol will inevitably threaten
       recognized free expression rights in many nations. This treaty should
       be confined to offences where there is universal agreement about
       criminality. We are particularly concerned with the CoE as an
       organisation discussing these issues, if it is going to employ as
       closed a process as it has for its deliberations on this convention.
       
    H. Other Brackets and Footnotes
    
       (i) Preamble: [Mindful also of [the need to reconcile the interests of
       international mutual assistance and] the protection of personal data,
       as conferred e.g. by the 1981 Council of Europe Convention for the
       Protection of Individuals with Regard to Automatic Processing of
       Personal Data];
       
       We support the outside brackets being removed, but recommend removing
       the internal clause regarding mutual assistance. We also support the
       inclusion of the further data protection instruments into the
       preamble.
       
       (ii) Footnotes 4 and 5, relating to "where such acts are committed
       wilfully, [at least] on a commercial scale and by means of a computer
       system":[...] Meanwhile, another delegation proposed the following
       alternative formulation: "Parties shall consider establishing as
       criminal offences conduct described in paragraphs 1 and 2 in
       situations other than those which involve a commercial scale."
       
       We oppose the inclusion of the "[at least]", as it increases the scope
       of applicability. We also disagree with the inclusion of the
       alternative formulation proposed by the 'other delegation' mentioned
       in footnote 4.
       
       (iii) Footnote 6. Two delegations requested that a reservation clause
       be included to Articles 20 and 21 to the extent these provisions under
       their domestic laws cannot apply to certain types of service
       providers.
       
       We support this reservation clause, and recommend tightening the
       definition of traffic data within article 20 particularly considering
       the various types of service providers that could arguably be covered.
       
       (iv) Footnote 9. See our discussion above under "Data Protection".
       
       (v) Footnote 10: It was suggested by several delegations that "may" be
       replaced by "shall" with regard to paragraph b). One delegation
       proposed to replace "may" by "shall" in both paragraphs a) and b).
       
       We support replacing "may" with "shall", particularly in the light of
       our discussion above under "Data Protection".
       
    Conclusion
    
       We thank you for this latest opportunity to respond to the convention.
       We feel that without due consideration to civil liberties, privacy,
       and due process this convention will continue to threaten fundamental
       human rights. We look forward to further discussing the matter with
       you.
       
       David Banisar and Gus Hosein
       Privacy International
       
       Barry Steinhardt
       American Civil Liberties Union
       
       David Sobel
       Electronic Privacy Information Center
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


