Controversial cyber convention ratified

The first and only international treaty designed exclusively to combat computer crime won approval from the US Senate on Aug. 3. The Convention on Cybercrime was nominally drafted by The Council of Europe, a 43-nation public body, though the US Department of Justice (DoJ) was a primary architect. According to Attorney General Alberto Gonzales, the convention "provides important tools in the battles against terrorism, attacks on computer networks and the sexual exploitation of children over the internet, by strengthening US cooperation with foreign countries in obtaining electronic evidence." Critics, however, have accused the DoJ of "using a foreign forum to create an international law-enforcement regime that favors the interests of the feds over those of ordinary citizens and businesses." The treaty is intended to harmonize computer crime laws, especially those in smaller or less developed nations that may not have updated their legal framework to reflect the complexities of the internet. It requires participating countries to target a broad swath of activities, including unauthorized intrusions into networks, fraud, the release of worms and viruses, child pornography and copyright infringement. 'Dual criminality' conflict Because US law already includes much of what the treaty requires, the Senate's consent is in part symbolic, but one portion, which provoked the most controversy, deals with international cooperation. It says internet providers must cooperate with electronic searches and seizures without reimbursement, the FBI must conduct electronic surveillance "in real time" on behalf of foreign governments, and that US businesses can be slapped with "expedited preservation" orders preventing them from routinely deleting logs or other data. What's controversial about those requirements is that they don't require "dual criminality"–in other words, Russian security services investigating democracy activists could ask for the FBI's help in uncovering the contents of their Yahoo Mail or Hotmail accounts, or even conducting live wiretaps. "Our primary concern is that there's no dual criminality within the mutual assistance provisions," said Danny O'Brien, activism coordinator with the Electronic Frontier Foundation (EFF) in San Francisco. "The US is now obliged to investigate and monitor French Internet crimes, say, and France is obliged to obey America's requests to spy on its citizens, for instance–even if those citizens are under no suspicion for crimes on the statute books of their own country." Negotiations on the treaty began in 1997, and so far, 15 European nations, including Albania, Denmark, France, Norway and Ukraine, have fully ratified the final document. The Bush administration began pressuring Congress to do the same in 2003. The Senate Foreign Relations Committee approved the treaty last summer. A victory for bureaucracy Longtime technology industry advocates of the treaty hailed the Senate's action, which occurred on its final day in session before a month long summer recess. The Motion Picture Association of America, the Recording Industry of America Association, and the Business Software Alliance all favor the treaty's requirement that certain copyright infringements be handled under criminal law. "Our members, of course, constantly face problems connected to the unauthorized transmission of their copyrighted materials," the three organizations stated in a joint letter regarding Draft 25. "Thus, we believe that ensuring that a greater number of countries make such attacks illegal and actionable under national law is a high priority." In general, such "attacks" are now handled under civil law in most countries. The copyright industry hopes the treaty will extend the United States' increasing use of criminal sanctions to deter infringement to the Council of Europe's member states, and ultimately to the rest of the world. Critics sometimes compare the cybercrime treaty to the intellectual property treaty promulgated by the World Intellectual Property Organization (WIPO) in 1996. That treaty was designed to update laws for the Internet era. It was largely the handiwork of the Clinton Administration's Bruce Lehman, the head of the Patent and Trade Office. After the United States and other nations signed and ratified the WIPO treaty, Congress crafted the Digital Millennium Copyright Act to implement the treaty. Congress did not seriously debate the most controversial sections in part because of the perceived need to implement the treaty. One of those made it unlawful to tamper with anti-copying devices and software. For these critics, the analogy between the WIPO treaty and the Convention on Cybercrime is clear. "The [cybercrime] treaty was written by government bureaucrats for government bureaucrats," says Baker, a partner at Washington, DC's Steptoe & Johnson. "The process was entirely dominated by one viewpoint– criminal enforcement." "The convention is in full accord with all US constitutional protections, such as free speech and other civil liberties, and will require no change to US laws," Attorney General Gonzales said on Aug. 4. Civil liberties groups have begged to differ, mounting resistance against the international document ever since its inception. In a letter to senators last summer, the Electronic Privacy Information Center (EPIC) attacked the treaty for offering only "vague and weak" privacy protections. One section, for example, would force participating nations to have laws forcing individuals to disclose their decryption keys so that law enforcement could seize data for investigations, EPIC wrote.