Big Brother Awards
quintessenz search  /  subscribe  /  upload  /  contact  
/q/depesche *
Linuxwochen Österreich Tour
RSS-Feed Depeschen RSS
Hosted by AKIS
<<   ^   >>
Date: 2001-06-13

Cybercrime vor Absegnung durch Europarat

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-.

q/depesche 01.5.13/1

Cybercrime vor Absegnung durch Europarat

Und Last Minute hat man im Europarat plötzlich bemerkt, dass es
auch eine andere Seite als "Law Enforcement"und Argumente
gegen die Überwachungstollwut gibt. Ob irgendetwas davon [siehe
unten] berücksichtig wurde, ist völlig ungewiss. Mehr dazu morgen

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
Barry Steinhardt

Comments of the American Civil Liberties Union, the Electronic
Privacy Information Center and Privacy International on Draft 27 of
the Proposed CoE Convention on Cybercrime

June 7, 2001

We are offering this letter of comments to the U.S. Department of
Justice and the CDPC of the Council of Europe in order to voice our
continuing concerns regarding the development and form of the
draft Convention on Cybercrime. While we were advised to reserve
our comments to optional text and footnotes in order to conform
with the interests of the CDPC, we also present our continuing
concerns generally in the hope of promoting democratic debate.
We represent Non-Governmental Organizations, which are
members of the Global Internet Liberty Campaign. This letter
addresses only certain portions of the draft Convention and
individual signatories may have additional concerns.

We have been actively offering our thoughts on the Convention
since the drafts were made public. Through the Global Internet
Liberty Campaign, of which we are members, two letters were
submitted to the Council of Europe outlining our concerns; these
concerns still stand. We have also worked with industry actors
under an ad-hoc group in order to communicate our concerns to
the U.S. Department of Justice, which reports back that the
Committee of Experts on Crime in Cyber-Space continues to resist
our recommendations. We ask that this letter be taken with more
consideration than past submissions, while bearing in mind our
previously articulated concerns. A. Process We must again object
to the non-transparent manner in which this Convention has been
developed. The CoE has made little effort to address the concerns
of other stakeholders in the process. Even after the publication of
Draft 19 and subsequent drafts, we have seen little effort on the
part of the Council of Europe working group to directly and
substantially incorporate the views and concerns of the NGO
community on the issues of privacy and civil liberties. There has
been limited public input on the convention, while CoE staffers have
publicly dismissed any critical commentary.

In addition, the makeup of the working party has remained one-
sided, with law enforcement at the table and no industry or NGO
participation. This is contrary to similar efforts at the OECD and the
G-8 where NGOs (albeit in a very limited capacity) and industry
were asked to participate and a more balanced effort has emerged.
B. Article 15 is Not Adequate We recognize that the legal
protections have been modestly improved in Article 15 by the
reference to various other international instruments, but we still
believe that the protections it affords are not adequate to address
the significant demands and requirements for privacy- invasive
techniques in the rest of the Convention.

Title II sets out very specific requirements for privacy invasive law
enforcement techniques. We believe and have consistently stated
publicly that each of those sections should have included
limitations on the use of the techniques. A vague reference to
proportionality will not be
adequate to ensure that civil liberties are protected. We recognize
that countries have varying methods for protection of civil liberties,
but as a Council of Europe Convention drafted in consultation with
other democratic nations, this document missed an important
opportunity to ensure that minimum standards consistent with the
European Convention on Human Rights and other international
human rights accords were actually implemented. This failure is, in
part, a result of the non-transparency of the process.

It is also unfortunate the section does not specifically address the
issue of privacy and data protection. The COE Convention 108 on
Data Protection is an important safeguard for protecting citizen's
rights and the implementation of this Convention should be adopted
in a manner that is consistent with its requirements.

Other related efforts such as the 1997 OECD cryptography
guidelines specifically recognize the fundamental right of privacy:

Article 5. The fundamental rights of individuals to privacy, including
secrecy of communications and protection of personal data, should
be respected in national cryptography policies and in the
implementation and use of cryptographic methods.

Even the recent G8 Tokyo-round documents noted privacy as a
right that needs to be protected by the democratic nations and fully
incorporated into procedures for law enforcement investigations.

Similarly, the requirements in 15.2 are vague and unlikely to create
any significant procedural protections and do not provide for
adequate independent supervision by judicial or other authorities.
Independent supervision varies greatly across nations. 15.2 does
not set any standards for independence, while the Explanatory
Memorandum (par.138) even notes that a competent authorisation
across nations differs from "judicial, administrative, or other law
enforcement authority" (emphasis added). We would expect that
minimal, yet adequate protections be discussed specifically and
that the treaty should require scrutiny independent from law
enforcement itself.

The issue of costs is also troublesome. Under 15.3, countries are
not required to pay the costs imposed on third parties for their
demands for surveillance. This both significantly lowers to barriers
to law enforcement surveillance by removing any limits on how
much surveillance can be afforded and is grossly unfair to the
providers. Industry commenters have consistently asked for the
inclusion of a reimbursement requirement, and those requests have
been supported by the privacy community. Requiring that law
enforcement pay for their surveillance provides an important level of
accountability through the budget process each year. C.
Encryption and Article 19.4 In the last few years, after considerable
international debate over surveillance, privacy and electronic
commerce, the use of encryption has been liberalized, except in a
few authoritarian governments such as China and Russia. Article
19.4 is a step backwards by seemingly requiring that countries
adopt laws that can force users to provide their encryption keys
and the plain text of the encrypted files.

So far, only a few countries, such as Singapore, Malaysia, India
and the UK, have implemented such provisions in their laws. In
those countries, police have the power to fine and imprison users
who do not provide the keys or the plaintext of files or
communications to police. It is worth noting that the UK
Government faced significant opposition over its initiative; including
an ambiguous paragraph within an internationally-binding
convention is in conflict with democratic principles.

Such approaches raise issues involving the right against self-
incrimination, which is respected in many countries worldwide. The
privilege against self-incrimination forbids a government official from
compelling a person to testify against himself. It has a long history,
originally developing from Roman and Canon law and has
subsequently been adopted in the Common law of many countries.
Many European legal scholars also believe that requiring such
disclosures violates the European Convention on Human Rights.

The proposed treaty should unambiguously provide that there is no
requirement that parties have domestic legislation that forces users
to provide encryption keys or to decrypt documents.

D. Interception and Real-time Traffic Data Articles 20 (Real-time
collection of traffic data) and Article 21 (Interception of content
data) mandate that the parties have domestic laws requiring service
providers to cooperate in both the collection of traffic data and the
content of communications. Without sufficient privacy and due
process protections, which are noticeably lacking in the Treaty,
these provisions threaten human rights.

Both Articles also mandate in their respective Sections A that the
parties shall adopt such legislative and other measures to empower
their law enforcement authorities to directly collect or record such
content and traffic data without the participation of the service

Allowing law enforcement direct access to a service provider's
network to conduct surveillance, e.g., the U.S. Carnivore program,
provides police with the ability to conduct broad sweeps of network
communications with only their unsupervised assurance that they
will only collect that data which they are lawfully entitled to collect.
It invites abuse of the most invasive investigative powers. It also
represents a threat to the integrity of providers' networks. For
example, the use of Carnivore in the US compromised the network
integrity of a major ISP.

E. Data Protection We would urge the CoE to adopt the sections
under discussion in Article 29 and footnote 9 on data protection.
Opposition to this section seems to come from a misunderstanding
on the part of some countries about the issue of data protection. In
this case, it is a requirement that the information is only used by
governments for appropriate means. It is not a requirement that
countries such as the US adopt legislation governing the use of
personal information in the private sector. Many countries around
the world already have legislation of this nature including the US
Privacy Act.

It should also be noted that other international agreements on the
transfer of information between law enforcement agencies including
the Interpol, Europol and Schengen agreements all include
sections on the use of information.

F. On Mutual Assistance and Dual-Criminality We remain deeply
concerned with the draft treaty's failure to consistently require dual
criminality as a condition for mutual assistance. No nation should
ask another to interfere with the privacy of its citizens or to impose
onerous requirements on its service providers to investigate acts,
which are not a crime in the requested nation. Governments
should not investigate a citizen who is acting lawfully, regardless of
whatever mutual assistance conventions are in place.

At a minimum, if the CoE insists on not requiring dual criminality,
then we recommend the addition of an article that has reporting
requirements regarding such investigations of lawful activity. Such
an article should include reporting of each case of mutual
assistance that did not involve dual criminality , as well as an
accounting of all investigative 'product' of lawful activity that involved
personal data that was shared with another country, and should
require notification to the individual.

Moreover, we believe that the CoE must explain with much greater
specificity the situations and scenarios where parties are permitted
to use the articulated reservations of political offences and
prejudicing essential interests, and must differentiate these from
general cases of investigations of an innocent individual for lawful
acts. Importantly, the CoE also needs to explain why in Article 33
(Real Time Collection of Traffic Data), the draft provides for neither a
dual criminality constraint, nor even a 'political offence' and
'essential interest' exemption, as do other articles.

Finally, the interception article provides that interception is allowed
to the extent permitted by other treaties and domestic law. Article
18.5.b of the European Convention on Mutual Assistance in
Criminal Matters, for example, allows the requested Member State
to make its consent subject to any conditions, which would have to
be observed in a similar national case. We recommend clarifying
that within the CoE convention, requests for interception can only
take place if it is permitted under the given criminal law as an
offence that merits interception in both countries. We also favor a
minimum-authorization request, where warrants are only acted
upon if they are received from a judicial authority in the requested
country. G. Additional Protocol on Speech Crimes In Footnote 3.
the PC-CY Committee discussed the possibility of including
content-related offences other than those defined in Article 9, such
as the distribution of racist propaganda through computer systems.

We would oppose the CoE taking forward a second protocol on
other content-related crimes. Such a protocol will inevitably
threaten recognized free expression rights in many nations. This
treaty should be confined to offences where there is universal
agreement about criminality. We are particularly concerned with
the CoE as an organisation discussing these issues, if it is going
to employ as closed a process as it has for its deliberations on this

H. Other Brackets and Footnotes

(i) Preamble: [Mindful also of [the need to reconcile the interests of
international mutual assistance and] the protection of personal
data, as conferred e.g. by the 1981 Council of Europe Convention
for the Protection of Individuals with Regard to Automatic
Processing of Personal Data];

We support the outside brackets being removed, but recommend
removing the internal clause regarding mutual assistance. We also
support the inclusion of the further data protection instruments into
the preamble.

(ii) Footnotes 4 and 5, relating to "where such acts are committed
wilfully, [at least] on a commercial scale and by means of a
computer system":[...] Meanwhile, another delegation proposed the
following alternative formulation: "Parties shall consider
establishing as criminal offences conduct described in paragraphs
1 and 2 in situations other than those which involve a commercial

We oppose the inclusion of the "[at least]", as it increases the
scope of applicability. We also disagree with the inclusion of the
alternative formulation proposed by the 'other delegation' mentioned
in footnote 4.

(iii) Footnote 6. Two delegations requested that a reservation
clause be included to Articles 20 and 21 to the extent these
provisions under their domestic laws cannot apply to certain types
of service providers.

We support this reservation clause, and recommend tightening the
definition of traffic data within article 20 particularly considering the
various types of service providers that could arguably be covered.

(iv) Footnote 9. See our discussion above under "Data Protection".

(v) Footnote 10: It was suggested by several delegations that
"may" be replaced by "shall" with regard to paragraph b). One
delegation proposed to replace "may" by "shall" in both paragraphs
a) and b).

We support replacing "may" with "shall", particularly in the light of
our discussion above under "Data Protection". Conclusion We
thank you for this latest opportunity to respond to the convention.
We feel that without due consideration to civil liberties, privacy, and
due process this convention will continue to threaten fundamental
human rights. We look forward to further discussing the matter with

David Banisar and Gus Hossein Privacy International

Barry Steinhardt American Civil Liberties Union

David Sobel Electronic Privacy Information Center

-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-

- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-.
edited by Harkank
published on: 2001-06-13
comments to
subscribe Newsletter
- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-.
<<   ^   >>
Druck mich
Linuxwochen Austria

meet q/uintessenz every friday


25. Oktober 2017
freier Eintritt
Big Brother Awards Austria

bits4free 18. Jan. 2012: Ihre Meinung zählt
Liquid Democracy - direkte Demokratie durch Online-Partizipation?
q/Talk, Di 29. Nov: Es gilt die unSchuldsvermutung!
Bürger unter Generalverdacht und stundenlange Einvernahme von Chattern