IP: An International Treaty on Cybercrime Sounds Like A Great Idea, Until You Read The Fine Print

[David Farber <dave () farber net>]

> Date: Wed, 21 Mar 2001 16:18:23 -0500
> To: eff-priv () eff org
> From: Lauren Gelman <gelman () eff org>
>
> WATCH OUT
>
> An International Treaty on Cybercrime Sounds Like A Great Idea, Until
> You Read The Fine Print
>
>
>
> By Mike Godwin
>
> IP Worldwide, April 2001
>
>
>
> Maybe you're a civil libertarian, and maybe you're not. Maybe you
> worry about how the United States exercises its vast investigative
> and prosecutorial powers, and maybe you don't.
>
> But if you counsel U.S. corporations on computer-related issues, you
> should be concerned about a new proposed treaty known as the
> "Convention on Cybercrime." The Council of Europe, a 43-nation public
> body created to promote democracy and the rule of law, is nominally
> drafting the treaty. Curiously, however, the primary architect is the
> United States Department of Justice.
>
> The Department of Justice and Federal Bureau of Investigation are
> using a foreign forum to create an international law-enforcement
> regime that favors the interests of the feds over those of ordinary
> citizens and businesses. Their goal is to make it easier to get
> evidence from abroad and to extradite and prosecute foreign nationals
> for certain kinds of crimes.
>
> Maybe you trust the law-enforcement chiefs in D.C. to do the right
> thing. But here's the catch. The same new powers given to the United
> States will also handed over to Bulgaria, Romania, Azerbaijan, and
> other Council of Europe nations that-although officially democratic
> now-don't have a strong traditions of checks and balances on police
> power.
>
> Do you want investigators rummaging around your clients' computer
> systems on warrants issued by former Soviet bloc nations?
>
> That's the prospect that has pushed AT&T Corporation and other
> high-technology companies into feverishly trying to stop or at least
> soften the treaty. The U.S. Chamber of Commerce and Information
> Technology Association of America also oppose it.
>
> Stewart Baker is one of the chief lobbyists for the treaty opponents.
> As a former general counsel of the National Security Agency and
> recipient of the Department of Defense Medal for Meritorious Civilian
> Service, he's got street cred on these issues in corporate America.
>
> What worries Baker and his colleagues? Consider the following
> hypothetical: A Los Angeles screenwriter corresponds by e-mail with a
> neo-Nazi in Germany while researching a script. Shortly after, he
> finds federal agents examining the files on his home computer. The
> agents also visit America Online Inc. to retrieve records of the
> screenwriter's AOL usage.
>
> The agents are fulfilling a warrant issued by German authorities
> allowing them to search for Nazi propaganda. Such material is
> unlawful in Germany but not in the U.S. They framed their warrant in
> terms of "suspected terrorist activity."
>
> Maybe the screenwriter should have anticipated this scenario, given
> the vigor with which German and other European authorities pursue
> hate crime on the Internet. Maybe he's willing to run that risk and
> bear the burden of this kind of search.  But what about AOL?
>
> AOL already handles dozens of search warrants and subpoenas every
> month. What would change under this treaty is that, in addition to
> getting those submitted by U.S. law-enforcement officials, they'd
> also have to respond warrants and court orders from 43 additional
> nations. All Internet service providers and phone companies-and
> perhaps other businesses besides-would have to cooperate with these
> types of investigations. They worry they would also have to foot the
> bill for complying with them.
>
> Maybe AOL and AT&T should expect this sort of intrusion as a cost of
> doing business in the Internet era. But what about the rest of us?
> The treaty would likely apply to any business or individual operating
> a computer connected to a network, according to Marilyn Cade, AT&T's
> director of Internet and e-commerce policy. If you cable together two
> computers, you could be forced to comply with investigations that
> originated in Sofia or Riga.
>
> Even foes say that there might a need for a limited treaty
> harmonizing laws globally. Last year, for example, the Philippines
> was unable to prosecute the creator of the love bug virus. Its laws
> did not fit his deeds.
>
> Déjà Vu
>
> The treaty has supporters, of course. The Motion Picture Association
> of America, the Recording Industry of America Association, and the
> Business Software Alliance all favor the treaty's requirement that
> certain copyright infringements be handled under criminal law. "Our
> members, of course, constantly face problems connected to the
> unauthorized transmission of their copyrighted materials," the three
> organizations stated in a joint letter regarding Draft 25. "Thus, we
> believe that ensuring that a greater number of countries make such
> attacks illegal and actionable under national law is a high
> priority." In general, such "attacks" are now handled under civil law
> in most countries. The copyright industry hopes the treaty will
> extend the United States's increasing use of criminal sanctions to
> deter infringement to the Council of Europe's member states, and
> ultimately to the rest of the world.
>
> Critics sometimes compare the cybercrime treaty to the intellectual
> property treaty promulgated by the World Intellectual Property
> Organization in 1996. That treaty was designed to update laws for the
> Internet era. It was largely the handiwork of the Clinton
> Administration's Bruce Lehman, the head of the Patent and Trade
> Office.
>
> After the United States and other nations signed and ratified the
> WIPO treaty, Congress crafted the Digital Millennium Copyright Act to
> implement the treaty. Congress did not seriously debate the most
> controversial in part because of the perceived need to implement the
> treaty. One of those made it unlawful to tamper with anticopying
> devices and software.
>
> For these critics, the analogy between the WIPO treaty and the
> Convention on Cybercrime is clear. "The [cybercrime] treaty was
> written by government bureaucrats for government bureaucrats," says
> Baker, a partner at Washington, D.C.'s Steptoe & Johnson. "The
> process was entirely dominated by one viewpoint-criminal enforcement."
>
> What It Does
>
> If the treaty is so bad, why has it gotten so little attention-a wire
> service report here, a trade publication article there? The answer,
> it seems, is that it is not easy to explain. But let's try.
>
> The treaty has three primary sets of provisions. All three are aimed
> at setting basic computer-related criminal-law standards for
> signatory nations.
>
> First, it would require nations to outlaw such things as unauthorized
> computer intrusion; the release of viruses; and the use of a computer
> to commit acts that are already crimes, such as fraud and
> distribution of child pornography.
>
> This part is relatively uncontroversial. The exceptions are the move
> to bring copyright under criminal law and the expansion of
> child-pornography statutes to so-called "virtual child porn." A
> similar U.S. law is now under constitutional challenge in the United
> States.
>
> Second, it requires nations to develop standard procedures to capture
> and retrieve online and other information. Nations would have to be
> able to issue "retention orders" that would "freeze" data on any
> computer. Governments would also need the ability to capture in real
> time the time and origin of all traffic on a networks, including
> telephone networks. For serious crimes, they would be required to
> intercept the actual content of the communications.
>
> Third, nations would have to cooperate with other nations in sharing
> electronic evidence across borders. And this cooperation requirement
> would apply to all crimes. They don't have to be the cybercrimes laid
> out in the first section of the treaty or even actions unlawful under
> U.S. law.
>
> Bones of Contention.
>
> The second and third parts of the treaty-individually and
> together-are the hot buttons. Phone companies and Internet providers
> are worried that they will spend their days meeting the demands of
> foreign investigative authorities. They won't get reimbursed for
> compliance with foreign evidence orders in their non-U.S. branches
> and subsidiaries. And they worry that coping with unlimited
> compliance orders will disrupt their businesses, or those of their
> clients, according to James Halpert, a partner in the Washington,
> D.C., office of Piper, Marbury, Rudnick & Wolfe.
>
> One moment, an Internet provider might be turning over all Bulgarian
> folk songs to an investigator. The next moment, it might be searching
> for e-mail traffic between customers in Latvia and the Ukraine.
>
> All companies will have to pay closer attention to their employees'
> computer habits. The treaty imposes criminal liability on businesses
> if they fail to supervise users who commit bad acts. If the treaty is
> taken to its extreme, "companies will have to surveil every single
> thing that users are doing on their computers," says Halpert, who
> represents a coalition of Internet portal companies.
>
> How radically will the treaty affect U.S. law? The Justice Department
> says hardly at all. It may be possible to sign the treaty without
> adopting implementing legislation. Other nations, however, will have
> to strengthen and extend their criminal laws substantially.
>
> Lawyers get paid to worry about what-if scenarios. There's a huge one
> lurking here. What if signatory nations pass laws that creates crimes
> broader than those described in the treaty? Normally, this would not
> be a huge cause for concern. But in this context, it might mean that
> U.S. law-enforcement agents would be enforcing criminal process
> against American citizens for acts that are not crimes in the United
> States.
>
> The Internet sometimes makes strange bedfellows. As when they
> coalesced to oppose the Communications Decency Act regulating
> indecency on the net, industry and civil liberties groups are
> rallying to oppose the treaty. "Industry and civil liberties groups
> are remarkably aligned" in their opposition to the treaty, especially
> in the areas of due process protection, says partner Jeffrey Pryce of
> Steptoe & Johnson.
>
> In the eyes of the critics, the treaty is an open invitation to
> regulatory mischief. For example, newly democratic nations without
> traditional due process and other safeguards could require providers
> to build in monitoring technologies or could outlaw anonymous or
> untraceable Internet use. Those battles have been fought in the U.S.,
> but they might play out differently, and worse, in other nations.
>
> In one likely scenario, the treaty could emerge as the Internet
> version of the Communications Assistance for Law Enforcement Act,
> known colloquially as CALEA. That 1994 law, highly controversial at
> the time, required U.S. telephone companies to make sure that
> authorities could both trace and tap calls carried over their
> networks.
>
> Internet services are not currently included under that law, but the
> Federal Bureau of Investigation and the Department of Justice have
> long sought to expand CALEA to reach computer-based communications.
> "It's as if the FBI, having failed to expand CALEA to computer
> networks here in the U.S., are trying to do so abroad, and import
> that expansion home as a treaty provision," says one industry
> representative.
>
> That last concept is what is known as "policy laundering." Dave
> Banisar of Privacy International, a privacy-rights watchdog group,
> says that the Justice Department and FBI are pursuing their
> law-enforcement agendas overseas with the goal of bringing the
> resulting treaty back to Congress. They will then say, Banisar
> contends, "Well, other nations are doing it, so we should too."
>
> Justice and FBI officials decline to comment on this contention. In
> private meetings with industry/public policy groups, however, Justice
> officials have sought to mollify the treaty's critics. So has the
> Council of Europe. In a memo released in February, the Council of
> Europe suggested ways that countries could limit their implementing
> laws. But while this memo may be a kind of legislative history, it
> isn't binding.
>
> The Treaty Process
>
> The treaty has been developed under the aegis of the Council of
> Europe, an organization created after World War II. Although the U.S.
> is not a member, the Department of Justice is what Baker calls a
> "leading force" in the process.
>
> The drafting process was secret until draft 19 was publicly released
> in April 2000. Even now Justice officials won't comment publicly on
> their role in drafting the terms of the treaty.
>
> American don't like that the treaty was kept under wraps until it was
> well along the way to final form. "A lot of the provisions were
> largely locked in" by the time the treaty was publicly released,
> Baker says.
>
> The Justice Department responds by noting that, since last April, it
> has made numerous presentations and met repeatedly with business and
> other private-sector interests. It is "about as open a process as I
> can think of," says Betty Shave of Justice's Computer Crime and
> Intellectual Property Section, who has represented DOJ in the treaty
> negotiations.
>
> Stop It Or Fix It?
>
> Industry groups believe that the best strategy is to try to improve
> the treaty rather than kill it. Even if it switched position, the
> United States alone "couldn't stand downhill in front of the snowball
> and expect to stop it," Baker adds.
>
> There are no indications that the Bush Administration will stop this
> initiative begun during the Clinton era. But even if the United
> States doesn't sign the treaty, it will likely affect U.S. companies
> doing business internationally, their business partners, and clients.
> "Just backing away from it is not the right answer," Cade says.
>
> U.S. businesses are now starting to appeal to their counterparts
> overseas, including the International Chamber of Commerce, in hopes
> of turning sentiment against the treaty. Perhaps, if the United
> States's role in shaping the treaty becomes better known, European
> policymakers will turn away from it. Even many Europeans familiar
> with the treaty don't know what it says precisely -- only English and
> French translations are available. (English and French are the
> official languages of the Council of Europe.)
>
> "Neither the U.S. Department of Justice nor the U.S. alone will be
> able to achieve the kinds of changes that the coalition is seeking in
> the treaty without help from the other countries who are their
> trading partners and allies," Cade says.
>
> Short of an international backlash against it, treaty watchers are
> uncertain how the U.S. Congress will respond to the treaty if the
> United States signs it. Whether senators decide that the need to
> combat cybercrimes trumps concerns about submitting U.S. citizens and
> companies to foreign criminal process remains an open question.
>
>
>
>
>
> ________________________________________________
>  Lauren Gelman                  Phone: 202/487-0420
>  Director of Public Policy             email: gelman () eff org
>  Electronic Frontier Foundation



For archives see: http://www.interesting-people.org/