FC: Privacy groups try to rally opposition to "cybercrime" treaty

[Declan McCullagh <declan () well com>]

Background on Council of Europe "cybercrime" treaty:
http://www.politechbot.com/p-01136.html
http://www.politechbot.com/p-01558.html
http://www.politechbot.com/p-01553.html

********

Date: Fri, 08 Jun 2001 14:59:23 -0400
To: Declan McCullagh <declan () well com>
From: Barry Steinhardt <Barrys () aclu org>
Subject: Council Of Europe Cybercrime Treaty

Declan,

ACLU, EPIC and Privacy International have sent a letter to the US 
Government and to the Council of Europe on the latest and purportedly final 
version #27 of the Council of Europe Convention of Cybercrime.

It can be found at http://www.gilc.org/privacy/coe-letter-0601.html .

The draft convention continues to pose a threat to civil liberties.

Among other things;

1.      The Convention would require parties to have the capacity and legal 
authority to install Carnivore like surveillance devices,

2.      Seemingly requires parties to enact laws requiring the disclosure 
of decryption keys and, or plain text,

3.      In many circumstances requires parties to provide mutual 
assistance, in the form of  intrusive searches and surveillance, even when 
the act being investigated by one nation is not a crime in the nation that 
is being asked to conduct the search and,

4.      Has very few procedural or due process protections for human rights.


The Convention is rapidly moving to a conclusion and may go the COE Council 
of Ministers and be open for signatures as early as this fall.

Barry Steinhardt

********

http://www.gilc.org/privacy/coe-letter-0601.html
   
                                      
Comments of the American Civil Liberties Union, the Electronic Privacy
Information Center and Privacy International on Draft 27 of the Proposed CoE
Convention on Cybercrime

   June 7, 2001
   
   We are offering this letter of comments to the U.S. Department of
   Justice and the CDPC of the Council of Europe in order to voice our
   continuing concerns regarding the development and form of the draft
   Convention on Cybercrime. While we were advised to reserve our
   comments to optional text and footnotes in order to conform with the
   interests of the CDPC, we also present our continuing concerns
   generally in the hope of promoting democratic debate. We represent
   Non-Governmental Organizations, which are members of the Global
   Internet Liberty Campaign. This letter addresses only certain portions
   of the draft Convention and individual signatories may have additional
   concerns.
   
   We have been actively offering our thoughts on the Convention since
   the drafts were made public. Through the Global Internet Liberty
   Campaign, of which we are members, two letters were submitted to the
   Council of Europe outlining our concerns; these concerns still stand.
   We have also worked with industry actors under an ad-hoc group in
   order to communicate our concerns to the U.S. Department of Justice,
   which reports back that the Committee of Experts on Crime in
   Cyber-Space continues to resist our recommendations. We ask that this
   letter be taken with more consideration than past submissions, while
   bearing in mind our previously articulated concerns.
   
A. Process

   We must again object to the non-transparent manner in which this
   Convention has been developed. The CoE has made little effort to
   address the concerns of other stakeholders in the process. Even after
   the publication of Draft 19 and subsequent drafts, we have seen little
   effort on the part of the Council of Europe working group to directly
   and substantially incorporate the views and concerns of the NGO
   community on the issues of privacy and civil liberties. There has been
   limited public input on the convention, while CoE staffers have
   publicly dismissed any critical commentary.
   
   In addition, the makeup of the working party has remained one-sided,
   with law enforcement at the table and no industry or NGO
   participation. This is contrary to similar efforts at the OECD and the
   G-8 where NGOs (albeit in a very limited capacity) and industry were
   asked to participate and a more balanced effort has emerged.
   
B. Article 15 is Not Adequate

   We recognize that the legal protections have been modestly improved in
   Article 15 by the reference to various other international
   instruments, but we still believe that the protections it affords are
   not adequate to address the significant demands and requirements for
   privacy- invasive techniques in the rest of the Convention.
   
   Title II sets out very specific requirements for privacy invasive law
   enforcement techniques. We believe and have consistently stated
   publicly that each of those sections should have included limitations
   on the use of the techniques. A vague reference to proportionality
   will not be adequate to ensure that civil liberties are protected. We
   recognize that countries have varying methods for protection of civil
   liberties, but as a Council of Europe Convention drafted in
   consultation with other democratic nations, this document missed an
   important opportunity to ensure that minimum standards consistent with
   the European Convention on Human Rights and other international human
   rights accords were actually implemented. This failure is, in part, a
   result of the non-transparency of the process.
   
   It is also unfortunate the section does not specifically address the
   issue of privacy and data protection. The COE Convention 108 on Data
   Protection is an important safeguard for protecting citizen's rights
   and the implementation of this Convention should be adopted in a
   manner that is consistent with its requirements.
   
   Other related efforts such as the 1997 OECD cryptography guidelines
   specifically recognize the fundamental right of privacy:
   
   Article 5. The fundamental rights of individuals to privacy, including
   secrecy of communications and protection of personal data, should be
   respected in national cryptography policies and in the implementation
   and use of cryptographic methods.
   
   Even the recent G8 Tokyo-round documents noted privacy as a right that
   needs to be protected by the democratic nations and fully incorporated
   into procedures for law enforcement investigations.
   
   Similarly, the requirements in 15.2 are vague and unlikely to create
   any significant procedural protections and do not provide for adequate
   independent supervision by judicial or other authorities. Independent
   supervision varies greatly across nations. 15.2 does not set any
   standards for independence, while the Explanatory Memorandum (par.138)
   even notes that a competent authorisation across nations differs from
   "judicial, administrative, or other law enforcement authority"
   (emphasis added). We would expect that minimal, yet adequate
   protections be discussed specifically and that the treaty should
   require scrutiny independent from law enforcement itself.
   
   The issue of costs is also troublesome. Under 15.3, countries are not
   required to pay the costs imposed on third parties for their demands
   for surveillance. This both significantly lowers to barriers to law
   enforcement surveillance by removing any limits on how much
   surveillance can be afforded and is grossly unfair to the providers.
   Industry commenters have consistently asked for the inclusion of a
   reimbursement requirement, and those requests have been supported by
   the privacy community. Requiring that law enforcement pay for their
   surveillance provides an important level of accountability through the
   budget process each year.
   
C. Encryption and Article 19.4

   In the last few years, after considerable international debate over
   surveillance, privacy and electronic commerce, the use of encryption
   has been liberalized, except in a few authoritarian governments such
   as China and Russia. Article 19.4 is a step backwards by seemingly
   requiring that countries adopt laws that can force users to provide
   their encryption keys and the plain text of the encrypted files.
   
   So far, only a few countries, such as Singapore, Malaysia, India and
   the UK, have implemented such provisions in their laws. In those
   countries, police have the power to fine and imprison users who do not
   provide the keys or the plaintext of files or communications to
   police. It is worth noting that the UK Government faced significant
   opposition over its initiative; including an ambiguous paragraph
   within an internationally-binding convention is in conflict with
   democratic principles.
   
   Such approaches raise issues involving the right against
   self-incrimination, which is respected in many countries worldwide.
   The privilege against self-incrimination forbids a government official
   from compelling a person to testify against himself. It has a long
   history, originally developing from Roman and Canon law and has
   subsequently been adopted in the Common law of many countries. Many
   European legal scholars also believe that requiring such disclosures
   violates the European Convention on Human Rights.
   
   The proposed treaty should unambiguously provide that there is no
   requirement that parties have domestic legislation that forces users
   to provide encryption keys or to decrypt documents.
   
D. Interception and Real-time Traffic Data

   Articles 20 (Real-time collection of traffic data) and Article 21
   (Interception of content data) mandate that the parties have domestic
   laws requiring service providers to cooperate in both the collection
   of traffic data and the content of communications. Without sufficient
   privacy and due process protections, which are noticeably lacking in
   the Treaty, these provisions threaten human rights.
   
   Both Articles also mandate in their respective Sections A that the
   parties shall adopt such legislative and other measures to empower
   their law enforcement authorities to directly collect or record such
   content and traffic data without the participation of the service
   provider.
   
   Allowing law enforcement direct access to a service provider's network
   to conduct surveillance, e.g., the U.S. Carnivore program, provides
   police with the ability to conduct broad sweeps of network
   communications with only their unsupervised assurance that they will
   only collect that data which they are lawfully entitled to collect. It
   invites abuse of the most invasive investigative powers. It also
   represents a threat to the integrity of providers' networks. For
   example, the use of Carnivore in the US compromised the network
   integrity of a major ISP.
   
E. Data Protection

   We would urge the CoE to adopt the sections under discussion in
   Article 29 and footnote 9 on data protection. Opposition to this
   section seems to come from a misunderstanding on the part of some
   countries about the issue of data protection. In this case, it is a
   requirement that the information is only used by governments for
   appropriate means. It is not a requirement that countries such as the
   US adopt legislation governing the use of personal information in the
   private sector. Many countries around the world already have
   legislation of this nature including the US Privacy Act.
   
   It should also be noted that other international agreements on the
   transfer of information between law enforcement agencies including the
   Interpol, Europol and Schengen agreements all include sections on the
   use of information.
   
F. On Mutual Assistance and Dual-Criminality

   We remain deeply concerned with the draft treaty's failure to
   consistently require dual criminality as a condition for mutual
   assistance. No nation should ask another to interfere with the privacy
   of its citizens or to impose onerous requirements on its service
   providers to investigate acts, which are not a crime in the requested
   nation. Governments should not investigate a citizen who is acting
   lawfully, regardless of whatever mutual assistance conventions are in
   place.
   
   At a minimum, if the CoE insists on not requiring dual criminality,
   then we recommend the addition of an article that has reporting
   requirements regarding such investigations of lawful activity. Such an
   article should include reporting of each case of mutual assistance
   that did not involve dual criminality , as well as an accounting of
   all investigative `product' of lawful activity that involved personal
   data that was shared with another country, and should require
   notification to the individual.
   
   Moreover, we believe that the CoE must explain with much greater
   specificity the situations and scenarios where parties are permitted
   to use the articulated reservations of political offences and
   prejudicing essential interests, and must differentiate these from
   general cases of investigations of an innocent individual for lawful
   acts. Importantly, the CoE also needsto explain why in Article 33
   (Real Time Collection of Traffic Data), the draft provides for neither
   a dual criminality constraint, nor even a `political offence' and
   `essential interest' exemption, as do other articles.
   
   Finally, the interception article provides that interception is
   allowed to the extent permitted by other treaties and domestic law.
   Article 18.5.b of the European Convention on Mutual Assistance in
   Criminal Matters, for example, allows the requested Member State to
   make its consent subject to any conditions, which would have to be
   observed in a similar national case. We recommend clarifying that
   within the CoE convention, requests for interception can only take
   place if it is permitted under the given criminal law as an offence
   that merits interception in both countries. We also favor a
   minimum-authorization request, where warrants are only acted upon if
   they are received from a judicial authority in the requested country.
   
   Additional Protocol on Speech Crimes
   
   In Footnote 3. the PC-CY Committee discussed the possibility of
   including content-related offences other than those defined in Article
   9, such as the distribution of racist propaganda through computer
   systems. [..]
   
   We would oppose the CoE taking forward a second protocol on other
   content-related crimes. Such a protocol will inevitably threaten
   recognized free expression rights in many nations. This treaty should
   be confined to offences where there is universal agreement about
   criminality. We are particularly concerned with the CoE as an
   organisation discussing these issues, if it is going to employ as
   closed a process as it has for its deliberations on this convention.
   
H. Other Brackets and Footnotes

   (i) Preamble: [Mindful also of [the need to reconcile the interests of
   international mutual assistance and] the protection of personal data,
   as conferred e.g. by the 1981 Council of Europe Convention for the
   Protection of Individuals with Regard to Automatic Processing of
   Personal Data];
   
   We support the outside brackets being removed, but recommend removing
   the internal clause regarding mutual assistance. We also support the
   inclusion of the further data protection instruments into the
   preamble.
   
   (ii) Footnotes 4 and 5, relating to "where such acts are committed
   wilfully, [at least] on a commercial scale and by means of a computer
   system":[...] Meanwhile, another delegation proposed the following
   alternative formulation: "Parties shall consider establishing as
   criminal offences conduct described in paragraphs 1 and 2 in
   situations other than those which involve a commercial scale."
   
   We oppose the inclusion of the "[at least]", as it increases the scope
   of applicability. We also disagree with the inclusion of the
   alternative formulation proposed by the 'other delegation' mentioned
   in footnote 4.
   
   (iii) Footnote 6. Two delegations requested that a reservation clause
   be included to Articles 20 and 21 to the extent these provisions under
   their domestic laws cannot apply to certain types of service
   providers.
   
   We support this reservation clause, and recommend tightening the
   definition of traffic data within article 20 particularly considering
   the various types of service providers that could arguably be covered.
   
   (iv) Footnote 9. See our discussion above under "Data Protection".
   
   (v) Footnote 10: It was suggested by several delegations that "may" be
   replaced by "shall" with regard to paragraph b). One delegation
   proposed to replace "may" by "shall" in both paragraphs a) and b).
   
   We support replacing "may" with "shall", particularly in the light of
   our discussion above under "Data Protection".
   
Conclusion

   We thank you for this latest opportunity to respond to the convention.
   We feel that without due consideration to civil liberties, privacy,
   and due process this convention will continue to threaten fundamental
   human rights. We look forward to further discussing the matter with
   you.
   
   David Banisar and Gus Hosein
   Privacy International
   
   Barry Steinhardt
   American Civil Liberties Union
   
   David Sobel
   Electronic Privacy Information Center



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------