Comments of the American Civil Liberties Union, the Electronic Privacy Information Center and Privacy International on Draft 27 of the Proposed CoE Convention on Cybercrime

June 7, 2001

We are offering this letter of comments to the U.S. Department of Justice and the CDPC of the Council of Europe in order to voice our continuing concerns regarding the development and form of the draft Convention on Cybercrime. While we were advised to reserve our comments to optional text and footnotes in order to conform with the interests of the CDPC, we also present our continuing concerns generally in the hope of promoting democratic debate. We represent Non-Governmental Organizations, which are members of the Global Internet Liberty Campaign. This letter addresses only certain portions of the draft Convention and individual signatories may have additional concerns.

We have been actively offering our thoughts on the Convention since the drafts were made public. Through the Global Internet Liberty Campaign, of which we are members, two letters were submitted to the Council of Europe outlining our concerns; these concerns still stand. We have also worked with industry actors under an ad-hoc group in order to communicate our concerns to the U.S. Department of Justice, which reports back that the Committee of Experts on Crime in Cyber-Space continues to resist our recommendations. We ask that this letter be taken with more consideration than past submissions, while bearing in mind our previously articulated concerns.

A. Process

We must again object to the non-transparent manner in which this Convention has been developed. The CoE has made little effort to address the concerns of other stakeholders in the process. Even after the publication of Draft 19 and subsequent drafts, we have seen little effort on the part of the Council of Europe working group to directly and substantially incorporate the views and concerns of the NGO community on the issues of privacy and civil liberties. There has been limited public input on the convention, while CoE staffers have publicly dismissed any critical commentary.

In addition, the makeup of the working party has remained one-sided, with law enforcement at the table and no industry or NGO participation. This is contrary to similar efforts at the OECD and the G-8 where NGOs (albeit in a very limited capacity) and industry were asked to participate and a more balanced effort has emerged.

B. Article 15 is Not Adequate

We recognize that the legal protections have been modestly improved in Article 15 by the reference to various other international instruments, but we still believe that the protections it affords are not adequate to address the significant demands and requirements for privacy- invasive techniques in the rest of the Convention.

Title II sets out very specific requirements for privacy invasive law enforcement techniques. We believe and have consistently stated publicly that each of those sections should have included limitations on the use of the techniques. A vague reference to proportionality will not be adequate to ensure that civil liberties are protected. We recognize that countries have varying methods for protection of civil liberties, but as a Council of Europe Convention drafted in consultation with other democratic nations, this document missed an important opportunity to ensure that minimum standards consistent with the European Convention on Human Rights and other international human rights accords were actually implemented. This failure is, in part, a result of the non-transparency of the process.

It is also unfortunate the section does not specifically address the issue of privacy and data protection. The COE Convention 108 on Data Protection is an important safeguard for protecting citizen's rights and the implementation of this Convention should be adopted in a manner that is consistent with its requirements.

Other related efforts such as the 1997 OECD cryptography guidelines specifically recognize the fundamental right of privacy:

Article 5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.

Even the recent G8 Tokyo-round documents noted privacy as a right that needs to be protected by the democratic nations and fully incorporated into procedures for law enforcement investigations.

Similarly, the requirements in 15.2 are vague and unlikely to create any significant procedural protections and do not provide for adequate independent supervision by judicial or other authorities. Independent supervision varies greatly across nations. 15.2 does not set any standards for independence, while the Explanatory Memorandum (par.138) even notes that a competent authorisation across nations differs from "judicial, administrative, or other law enforcement authority" (emphasis added). We would expect that minimal, yet adequate protections be discussed specifically and that the treaty should require scrutiny independent from law enforcement itself.

The issue of costs is also troublesome. Under 15.3, countries are not required to pay the costs imposed on third parties for their demands for surveillance. This both significantly lowers to barriers to law enforcement surveillance by removing any limits on how much surveillance can be afforded and is grossly unfair to the providers. Industry commenters have consistently asked for the inclusion of a reimbursement requirement, and those requests have been supported by the privacy community. Requiring that law enforcement pay for their surveillance provides an important level of accountability through the budget process each year.

C. Encryption and Article 19.4

In the last few years, after considerable international debate over surveillance, privacy and electronic commerce, the use of encryption has been liberalized, except in a few authoritarian governments such as China and Russia. Article 19.4 is a step backwards by seemingly requiring that countries adopt laws that can force users to provide their encryption keys and the plain text of the encrypted files.

So far, only a few countries, such as Singapore, Malaysia, India and the UK, have implemented such provisions in their laws. In those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police. It is worth noting that the UK Government faced significant opposition over its initiative; including an ambiguous paragraph within an internationally-binding convention is in conflict with democratic principles.

Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide. The privilege against self-incrimination forbids a government official from compelling a person to testify against himself. It has a long history, originally developing from Roman and Canon law and has subsequently been adopted in the Common law of many countries. Many European legal scholars also believe that requiring such disclosures violates the European Convention on Human Rights.

The proposed treaty should unambiguously provide that there is no requirement that parties have domestic legislation that forces users to provide encryption keys or to decrypt documents.

D. Interception and Real-time Traffic Data

Articles 20 (Real-time collection of traffic data) and Article 21 (Interception of content data) mandate that the parties have domestic laws requiring service providers to cooperate in both the collection of traffic data and the content of communications. Without sufficient privacy and due process protections, which are noticeably lacking in the Treaty, these provisions threaten human rights.

Both Articles also mandate in their respective Sections A that the parties shall adopt such legislative and other measures to empower their law enforcement authorities to directly collect or record such content and traffic data without the participation of the service provider.

Allowing law enforcement direct access to a service provider's network to conduct surveillance, e.g., the U.S. Carnivore program, provides police with the ability to conduct broad sweeps of network communications with only their unsupervised assurance that they will only collect that data which they are lawfully entitled to collect. It invites abuse of the most invasive investigative powers. It also represents a threat to the integrity of providers' networks. For example, the use of Carnivore in the US compromised the network integrity of a major ISP.

E. Data Protection

We would urge the CoE to adopt the sections under discussion in Article 29 and footnote 9 on data protection. Opposition to this section seems to come from a misunderstanding on the part of some countries about the issue of data protection. In this case, it is a requirement that the information is only used by governments for appropriate means. It is not a requirement that countries such as the US adopt legislation governing the use of personal information in the private sector. Many countries around the world already have legislation of this nature including the US Privacy Act.

It should also be noted that other international agreements on the transfer of information between law enforcement agencies including the Interpol, Europol and Schengen agreements all include sections on the use of information.

F. On Mutual Assistance and Dual-Criminality

We remain deeply concerned with the draft treaty's failure to consistently require dual criminality as a condition for mutual assistance. No nation should ask another to interfere with the privacy of its citizens or to impose onerous requirements on its service providers to investigate acts, which are not a crime in the requested nation. Governments should not investigate a citizen who is acting lawfully, regardless of whatever mutual assistance conventions are in place.

At a minimum, if the CoE insists on not requiring dual criminality, then we recommend the addition of an article that has reporting requirements regarding such investigations of lawful activity. Such an article should include reporting of each case of mutual assistance that did not involve dual criminality , as well as an accounting of all investigative 'product' of lawful activity that involved personal data that was shared with another country, and should require notification to the individual.

Moreover, we believe that the CoE must explain with much greater specificity the situations and scenarios where parties are permitted to use the articulated reservations of political offences and prejudicing essential interests, and must differentiate these from general cases of investigations of an innocent individual for lawful acts. Importantly, the CoE also needs to explain why in Article 31 the draft provides for neither a dual criminality constraint, nor even a 'political offence' and 'essential interest' exemption, as do other articles.

Finally, the interception article provides that interception is allowed to the extent permitted by other treaties and domestic law. Article 18.5.b of the European Convention on Mutual Assistance in Criminal Matters, for example, allows the requested Member State to make its consent subject to any conditions, which would have to be observed in a similar national case. We recommend clarifying that within the CoE convention, requests for interception can only take place if it is permitted under the given criminal law as an offence that merits interception in both countries. We also favor a minimum-authorization request, where warrants are only acted upon if they are received from a judicial authority in the requested country.

G. Additional Protocol on Speech Crimes

In Footnote 3. the PC-CY Committee discussed the possibility of including content-related offences other than those defined in Article 9, such as the distribution of racist propaganda through computer systems. [..]

We would oppose the CoE taking forward a second protocol on other content-related crimes. Such a protocol will inevitably threaten recognized free expression rights in many nations. This treaty should be confined to offences where there is universal agreement about criminality. We are particularly concerned with the CoE as an organisation discussing these issues, if it is going to employ as closed a process as it has for its deliberations on this convention.

H. On Brackets and Footnotes

(i) Preamble: [Mindful also of [the need to reconcile the interests of international mutual assistance and] the protection of personal data, as conferred e.g. by the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data];

We support the outside brackets being removed, but recommend removing the internal clause regarding mutual assistance. We also support the inclusion of the further data protection instruments into the preamble.

(ii) Footnotes 4 and 5, relating to "where such acts are committed wilfully, [at least] on a commercial scale and by means of a computer system":[...] Meanwhile, another delegation proposed the following alternative formulation: "Parties shall consider establishing as criminal offences conduct described in paragraphs 1 and 2 in situations other than those which involve a commercial scale."

We oppose the inclusion of the "[at least]", as it increases the scope of applicability. We also disagree with the inclusion of the alternative formulation proposed by the 'other delegation' mentioned in footnote 4.

(iii) Footnote 6. Two delegations requested that a reservation clause be included to Articles 20 and 21 to the extent these provisions under their domestic laws cannot apply to certain types of service providers.

We support this reservation clause, and recommend tightening the definition of traffic data within article 20 particularly considering the various types of service providers that could arguably be covered.

(iv) Footnote 9.

See our discussion above under "Data Protection".

(v) Footnote 10: It was suggested by several delegations that "may" be replaced by "shall" with regard to paragraph b). One delegation proposed to replace "may" by "shall" in both paragraphs a) and b).

We support replacing "may" with "shall", particularly in the light of our discussion above under "Data Protection".

Conclusion

We thank you for this latest opportunity to respond to the convention. We feel that without due consideration to civil liberties, privacy, and due process this convention will continue to threaten fundamental human rights. We look forward to further discussing the matter with you.

David Banisar and
Gus Hosein
Privacy International

Barry Steinhardt
American Civil Liberties Union

David Sobel
Electronic Privacy Information Center