This week, the Council of Europe (CoE) Experts Group on Crime in Cyberspace is meeting in Strasbourg, France to finalize the international Cybercrime Convention. The experts should be proud of themselves. They have managed during the past eight months to resist the pernicious influence of hundreds if not thousands of individual computer users, security experts, civil liberties groups, ISPs, computer companies and others outside of their select circle of law enforcement representatives who wrote, faxed and e-mailed their concerns about the treaty.
Last month, the CoE released a new draft of their long-standing effort, which includes a few minor changes and some lip service to human rights, but remains substantially unchanged from previous drafts.
The main gap is a lack of limits on cyber crimes, surveillance powers, and assistance that are created in the convention. The sections on searches still force individuals to disclose encryption keys and other data at the direction of law enforcement officials, in violation of protections against self-incrimination guaranteed by US, Canadian and European laws; wiretap powers remain broadly defined and cover all computer devices down to the smallest local area network (and perhaps even smaller); provisions on real-time data collection remain Carnivore-friendly; and local authorities will still be required to assist law enforcement agencies from other countries, even when investigating actions that are not crimes under local law.
There are a few improvements. The section on illegal devices, which in previous drafts threatened to outright criminalize common security tools, now includes a new paragraph stating that it should not impose criminal liability when the program in question was not created or transferred "for the purpose of committing an offence, such as for testing or the protection of a computer system."
Does that solve all the problems with regulating hacking tools? I don't know, because it all depends on how the law will be implemented by each country.
Human rights gets mentioned once or twice and national governments can resist some requests for assistance when they think the case is political (not to say that could ever happen, but Germany announced this week that anyone anywhere in the world who promotes Holocaust denial is liable under German law, and the Malaysian government announced that anyone who insults Islam online will be punished).
In contrast to these modest changes, the opposition to the entire treaty has been overwhelming. Every cyber-rights group in the world with a pulse has come out against it. On the industry side, it's being opposed by the US Chamber of Commerce, the International Chamber of Commerce, all the ISP associations and a ton of other companies, security groups and so on. About the only one left who isn't calling the draft convention the sign of the devil is the Pope, and he probably would if consulted.
We've not seen this kind of united public interest and industry opposition to a dumb government proposal since the good old days of the Clipper chip. And not coincidentally, the meetings on the subject are filled with the same people.
This is not so say that the CoE committee has not heard or read these complaints.
Last week, Henrik Kaspersen, a Dutch government representative who chairs the committee, and Peter Csonka, the head of Economic Crimes division for the CoE, visited Washington -- reportedly to meet with US Attorney General Janet Reno. At a public meeting on Thursday, Kaspersen acknowledged receiving a flood of complaints on the draft conventions, but dismissed them as coming either from American lawyers who did not understand European law, or, worse, "from the Internet," which his tone suggested could only mean the clueless and uninformed.
None of the kinds of outrageous cases like the French holding Yahoo liable or the Germans arresting a high CompuServe official, could even be conceived by Kaspersen, much less ever happen as a result of the treaty he travelled to America to peddle.
When asked publicly why the treaty did not include any procedural safeguards for limiting surveillance powers, Kaspersen said that determining privacy standards was too hard and controversial for the committee, and had to be left to the national governments of the CoE and signatory countries. I'm sure that those highly democratic countries in the CoE like Russia, Ukraine, and Romania will do a fine job of implementing those rights.
There is a small chance that the committee will finally make real changes to the treaty before the new draft comes out sometime next week. But don't count on it. After three years, it seems they made up their minds a long time ago -- and free speech, privacy, real security on the Net, and all of us be dammed. The next hope is lobbying the national governments to refuse to sign the treaty, or to make changes before it is approved. Perhaps they will not think your comments are just "from the Internet."
© 2000 SecurityFocus.com. All rights reserved.
David Banisar is an attorney and writer in the Washington, DC area. He is co-author of "The Electronic Privacy Papers" (Wiley, 1997) and several other books on privacy, and is deputy director of Privacy International.