GLOBAL INTERNET LIBERTY
CAMPAIGN
NEWS
ISSUES
RESOURCES
ABOUT
GILC
Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime Version 24.2
[en francais] [auf deutsch] [en espanol]
December 12, 2000
Dear Council of Europe Secretary General Walter Schwimmer and COE Committee of Experts on Cyber Crime,
On October 18, 2000 we wrote a letter on behalf of a wide range of civil society organizations to indicate our opposition to the proposed Convention on Cyber-Crime. In that letter we raised our opposition to issues surrounding criminalisation of tools, the issue of liability, sanctions on copyright, enhancing mutual legal assistance, and increased investigative powers. We argued that version 22 of the convention represented the interests of law enforcement, and lacked accountability. As a result, its lack of consideration towards civil liberties was appalling.
To our dismay and alarm, the convention continues to be a document that threatens the rights of the individual while extending the powers of police authorities, creates a low-barrier protection of rights uniformly across borders, and ignores highly-regarded data protection principles.
Although some changes have been made in version 24-2, we remain dissatisfied with the substance of the convention. The convention subcommittee did give our previous letter attention, but we maintain that protections of individual rights have not been attended to adequately. We question the validity of the process that still endures a closed environment and secrecy. As a result, we are following up with this subsequent letter to reiterate our past concerns, address some of the changes, and shed more light on a subset of these concerns.
Exceptions indicate a larger problem
One thematic shift in the convention is the increased number of exceptions and caveats in the current draft. While, these exceptions are still quite weak, it appears as though there is rising concern within the CoE as to the powers granted within the convention.
- The effect of the deletion of Article 37.2 (from version 22), that once limited the amount of flexibility signatory states are allowed to exercise, appears as though there is an arising opposition among the drafters and plenary member states over this issue.
- In Section 2 on Investigative Techniques, article 14.2 was added to assure "adequate protection of human rights and, where applicable, the proportionality of the measures to the nature and circumstances of the offence." While the CoE considered allowing signatory states to restrict the situations for using the new investigatory powers, even from using them in the crimes established in the convention, this was not included in version 24-2. The convention still promotes use of invasive techniques for any crime, except the use of interception, which according to 21.1 can only be used for "serious offences to be determined by domestic law". Even this limitation serves little effect, for the definition of serious crime is left to domestic law, and some countries in the CoE have an extremely broad definition of serious crime for content interception purposes.
- An additional exception was appended to Articles 29 and 30, for consistency with a previous article, that a signatory state may refuse mutual assistance to pursue an offence only if the state in question considers the offence to be political. Despite that this option existed in another article in version 22, and is consistent with previous CoE documents, it does appear that the CoE is aware of the differences in regimes and qualitative nature of 'offences' in the prospective-signatory states. This exception arises because of the failure to require dual-criminality.
- The addition of sub-article 35(bis).4 states that a transferring party may require the receiving party to explain the use made of information that is shared between states. This after-the-fact reporting is desirable, but not sufficient. The interests of proportionality and specificity must also be addressed in requirements applicable to the initial requests for assistance, sufficient to allow the requested party to verify the reason for the investigation by the requesting party.
- When a state makes such 'reservations', article 43 contains new sub-articles to place pressure on these states to conform to the full powers of the convention. Subarticle 43.2 claims that signatory states are expected to withdraw reservations "as soon as circumstances permit", while subarticle 43.3 allows the Secretary General to approach these states periodically to discuss the withdrawal of their reservations. The CoE appears to assume that human rights are negotiable, periodically.
Recommendations on Exceptions
- We continue to argue that the use of invasive powers must applied only for serious crimes.
- Proportionality is a concept that must be defined at the international level, uniformly and unilaterally agreed or by reference to the jurisprudence of the European Court of Human Rights.
- The current draft's approach of allowing for exceptions and reservations by individual countries is faulty and hazardous to human rights for it fails to set a mutually agreed upon limit to the privacy intrusions that will be within the scope of the treaty.
- We urge dual criminality as a pre-requisite to all forms of mutual assistance, and these crimes must be stated explicitly.
- We also urge the addition of a consistent regime of civil liberties protections in investigative powers.
We urge that the provisions of the draft Convention be consistent with international human rights instruments:
- Universal Declaration of Human Rights, article 12, article 19;
- International Covenant on Civil and Political Rights, article 17, and article 19;
- European Convention on Human Rights, article 8, and article 10.
Influencing Development and Distribution
We also note the addition of a preamble statement regarding the interests in the use and development of information technologies. We oppose the creation of a situation where technologies that are proportionate with regards to authentication are dismissed in favour of technologies of full traceability. We recommend that this clause be removed.
Powers for Invasiveness
We continue to oppose powers of interception and preservation of data without sufficient constraints.
- Article 19.4 continues to allow for self-incrimination by ordering an individual who has knowledge of the security methods applied to the data of interest, to provide all necessary information to enable search and seizure. We remain concerned that this may be a prompt for government access to decryption keys and could breach Article 6 of the European Convention on Human Rights.
- Article 20 on access to traffic data fails to acknowledge the invasive qualities of such data, and the shifting division between content and traffic data. Likewise, there is no definition for 'content data'.
- The addition of article 20.2 for real-time collection and recording of traffic data through technical means appears to be a prompt to allow for systems such as Carnivore.
- The addition of article 21.2 allows similarly for "real-time collection and recording of content data through technical means."
Recommendations on Powers
- We urge clear limits to the powers involving situations where civil liberties are compromised. Particularly, we expect that invasive techniques are used only in the case of serious crimes and allow for clear prevention of self-incrimination and other inalienable rights, such as privacy and freedom of expression as outlined in the European Convention on Human Rights, the Universal Declaration of Human Rights, and the International Covenant on Civil and Political Rights.
- We view traffic data collection as invasive and urge sufficient uniform constraint prior to collection.
- We urge a clear definition of 'content data' and the differentiation with 'traffic data'.
- We require limitations on the powers of interception and data gathering devices so as to absolutely limit the invasiveness. We recommend that 20.2 and 21.2 are replaced in favour of a protective article ensuring that if technical means are used, these means must separate out the traffic of the specific user under investigation, gather only the legally permitted amount of data, disallow tampering, and respect the shifting division between content and traffic data. If this can not be guaranteed through independent audit, these techniques must be deemed illegal (similar to Article 3) and no data access or sharing can occur.
- Interception of communications is an invasive technique often used against dissidents and human rights workers around the world. We continue to urge you not to establish this requirement in a modern communication network particularly as these networks are still being developed and shaped.
- The CoE has stated publiclya the difference between retention and preservation of data. However considering discussion at the G8 and recently within the UKb, we believe that this distinction requires explicit protections. We want to see international respect for data protection as in the 1981 CoE Convention on Data Protection and the EU Data Protection Directive 1995, and apply these instruments to traffic data.
In increasing powers the convention must also establish a maximum threshold of investigative techniques that are acceptable; unjudicious access and data warehousing are gross invasions of civil liberties.
Accession without Rights
It has been stated that the signing of this convention is intended to eventually include non-member states of the Council of Europe. It is our hope that any state that is invited to sign this convention have sufficient respect for human rights and democratic accountability. In particular, these invited states are not signatories to the European Convention on Human Rights and have not necessarily enacted into national law the principles of protection of these rights. As a result, we would consider this invitation to be an attack on the integrity of the convention. We require at the very least to see in Article 37 a sufficient requirement and evaluation to the adequacy of human rights protection prior to allowing their accession.
Un-due Extraterritoriality
The convention contains numerous extraterritoriality claims, particularly embodied within two statements.
- Article 23 creates supra-national reach for signatory states. Although there is an exception under subarticle 23.2, which the US admits that it will have to pursuec, as we have stated earlier, if an exception exists, it is often because the measure is too far-reaching.
- Footnote 29, which relates to mutual assistance under article 27, specifies "that the mere fact that the requested Party’s legal system knows no such procedure is not a sufficient ground to refuse to apply the procedure requested by the requesting Party." As a result, signatory states can be forced to act beyond their means.
Recommendations on Extraterritoriality: We find all indications of extraterritoriality to be gross invasions on the sovereignty of nations with respect to the protection of the rights of the individual.
- We urge that footnote 29 be withdrawn and the philosophy supporting it be regarded as undemocratic.
- We require that states must only be permitted to act in manners for which they have legal, democratically agreed procedure as in the European Convention of Human Rights; otherwise this will allow for the extraterritoriality of extreme powers, such as the UK Government's contentious access to decryption keys under the recently enacted RIP Act 2000.
- We recommend a clause be included under mutual assistance that states that when Party A requests assistance from Party B, Party B may not act using powers greater than those allowed for under Party A's jurisdiction, and Party B can only act based on the rule of law within Party B under due process.
We do not want mutual assistance to appear as arbitrage between states where negotiations take place to find increased powers and lowest levels of protections.
Continuing Opposition
We remain concerned with the original objections stated in our October 18 2000 letter; please consider this as a complementary statement of opposition.
We continue to await progress on our previous requirement for judicial review to invasions of privacy. The Council of Europe should clarify these provisions as Section 2 is riddled with access to data without stating a unilateral minimal-level of review and due process. We are also concerned that the convention fails to uphold the privacy rights within the European Convention on Human Rights, to protect them for the digital age. We recommend reference to the Universal Declaration of Human Rights, particularly article 12 that states: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." As a result of its lack of regard to human rights, the convention is currently unsupportable.
The CoE is granting states the terminology and impetus to act against cyber-crime; we hope the CoE will take this opportunity to give the signatory states the terminology and impetus to act in the interests of the rights of the individual. Therefore we urge that limits to action be stated explicitly, such as in requiring judicial review, assuring against self-incrimination, ensuring data is gathered for specific reasons, using proportionate means at all occasions, and upholding data protection principles; to name a few.
We continue to believe this convention development process violates requirements of transparency and is at odds with democratic decision making. We only hope that even at this late stage the CoE may learn and practice responsiveness to consultation by incorporating and protecting human rights.
We call on the member-states of the CoE not to sign the treaty in its current format at this time. We also call the Committee of Ministers of the CoE to reject the Convention in its current format in that it does not provide equal protection to fundamental human rights while trying to prevent and detect cybercrimes.
We, the undersigned, continue to make our offer to support the CoE with experts in the area to provide a better version of the convention, aimed not only at punishing, but also at preventing computer crimes and protecting fundamental human rights.
Signed,
American Civil Liberties Union (US)
http://www.aclu.org/Associazione per la Libertà nella Comunicazione Elettronica Interattiva (IT)
http://www.alcei.it/Bits of Freedom (NL)
http://www.bof.nl/Center for Democracy and Technology (US)
http://www.cdt.org/Computer Professional for Social Responsibility (US)
http://www.cpsr.org/Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/Digital Freedom Network (US)
http://www.dfn.orgElectronic Frontiers Australia (AU)
http://www.efa.org.au/Electronic Frontier Foundation (US)
http://www.eff.org/Electronic Privacy Information Center (US)
http://www.epic.org/Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/FITUG e.V. (DE)
http://www.fitug.de/IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/Kriptopolis (ES)
http://www.kriptopolis.com/The Link Centre, Wits University, Johannesburg (ZA)
http://link.wits.ac.za/NetAction (US)
http://www.netaction.org/Netwokers against Surveillance Taskforce (JP)
http://www.jca.apc.org/Opennet
http://www.opennet.org/Privacy International (UK)
http://www.privacyinternational.orgPrivacy Ukraine (UA)
http://www.ukrnet.net/quintessenz (AT)
http://www.quintessenz.at/Verein für Internet Benutzer (AT)
http://www.vibe.at/
[If your organization would like to help stop the Council of Europe Convention on Cyber-Crime, please send an email to gilc@gilc.org stating your support for this statement. Your organization will be added to the following list.]
Other Signatories
Foundation for Information Policy Research (UK)
http://www.fipr.org/
Footnotes
a. Speech of John Fennel, member of the drafting committee, at EPING meeting in Brussels, December 5, 2000.
b. See: A.C.P.O. and A.C.P.O (S), H.M. Customs & Excise, Security Service, Secret Intelligence Service, And G.C.H.Q., NCIS Submission On Communications Data Retention Law, 21st August 2000.
c. US Department of Justice, Frequently Asked Questions and Answers About the Council of Europe Convention on Cybercrime (Draft 24REV2) , December 1, 2000. Available at http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm.
Reference Documents
COE Convention on Cyber-Crime (draft ver 24-2)
http://conventions.coe.int/treaty/EN/projets/cybercrime24.htmCOE Convention for the Protection of Human Rights and Fundamental Freedoms
http://www.coe.fr/eng/legaltxt/5e.htmCOE Conventions - Background
http://conventions.coe.int/treaty/EN/cadreintro.htmGlobal Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime -- October 18 2000
http://www.gilc.org/privacy/coe-letter-1000.htmlComments of the Center for Democracy and Technology on the Council of Europe Draft "Convention on Cyber-crime" (Draft No. 24)
http://www.cdt.org/international/cybercrime/001211cdt.shtmlIAB/IESG Statement on Wassenaar Arrangement
http://www.iab.org/iab/121898.txtIETF Policy on Wiretapping (RFC 2804)
ftp://ftp.isi.edu/in-notes/rfc2804.txtIRIS Dossier cybercriminalité
http://www.iris.sgdg.org/actions/cybercrime/OECD Cryptography Policy Guidelines (1997)
http://www.oecd.org//dsti/sti/it/secur/prod/e-crypto.htmOECD Guidelines for the Security of Information
Systems (1992) http://www.oecd.org//dsti/sti/it/secur/prod/e_secur.htmPrivacy International Cyber-Crime Page
http://www.privacyinternational.org/issues/cybercrime/Statement of Concern from Technology Professionals on Proposed COE Convention on Cyber-Crime
http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.htmlUniversal Declaration of Human Rights
http://www.un.org/Overview/rights.html
