A European human rights watchdog says companies are being pressured into acting as the internet’s unofficial cops.
Nils Muižnieks – the Council of Europe's Commissioner for Human Rights – has published an "issue paper", raising alarm bells about “privatised law enforcement, suspicion-less mass data retention, cross-border pulling of data by law enforcement and global surveillance”.
Muižnieks said there “should be limits on the extraterritorial exercise of national jurisdiction in relation to transnational cybercrimes”. In other words, the US shouldn’t be able to access your private data in Europe just because it wants to.
He goes on to say:
The fact that the internet and the global digital environment is largely controlled by private entities - especially, but not only, US corporations - poses a threat to the rule of law. Such private entities can impose, and be 'encouraged' to impose, restrictions on access to information without being subject to the constitutional or international law constraints that apply to state limitations of the right to freedom of expression.
Muižnieks also took aim at not only the US laws that allow the Feds to force companies to “pull” data from their servers and hand it over to Uncle Sam – even if the servers are outside the US and relate to companies and individuals in another country – but also the rules that apply a gagging order on such activities.
In reference to the controversial Microsoft warrant case, he added that countries should not investigate crimes or arrest suspects in the territory of another state without that other state’s consent: “It has been a long-standing practice that states wanting to obtain evidence must do so under mutual legal assistance treaties (MLATs).”
That Microsoft case involves the Feds ordering the US software giant to hand over customers' files stored on the company's servers in Ireland. Microsoft argues it can't be compelled to disclose to the FBI data held beyond America's borders.
The Council of Europe (CoE) is not an EU institution, and has little real power to enforce its opinions. However it is responsible for the international Cybercrime Convention (aka the Budapest Convention) drawn up in 2004. 44 countries have ratified the convention, while a further nine states have signed up, but not ratified it.
Muižnieks says signatories should fully accept their obligations to use MLATs – rather than using a simple phone call to request or the courts to force disclosure of people's personal information. The US ratified the convention in 2006.
The CoE’s human rights chief is worried Articles 26 and 32 of the convention have been interpreted in a way that supports “the tendency of law-enforcement agencies to resort to 'informal' means of information-gathering across borders, without laying down clear safeguards” as well as the growing habit of authorities to “pull data directly from servers in other countries, or to demand that companies within their jurisdiction, in particular the main internet giants, do this for them”. ®