
[FYI] (Fwd) FC: Privacy groups try to rally opposition to "cybercrim




------- Forwarded message follows -------
Date sent:      	Sat, 9 Jun 2001 13:13:39 -0400
From:           	Declan McCullagh <declan@well.com>
To:             	politech@politechbot.com
Subject:        	FC: Privacy groups try to rally opposition to "cybercrime" treaty
Send reply to:  	declan@well.com

Background on Council of Europe "cybercrime" treaty:
http://www.politechbot.com/p-01136.html
http://www.politechbot.com/p-01558.html
http://www.politechbot.com/p-01553.html

********

Date: Fri, 08 Jun 2001 14:59:23 -0400
To: Declan McCullagh <declan@well.com>
From: Barry Steinhardt <Barrys@aclu.org>
Subject: Council Of Europe Cybercrime Treaty

Declan,

ACLU, EPIC and Privacy International have sent a letter to the US
Government and to the Council of Europe on the latest and purportedly
final version #27 of the Council of Europe Convention of Cybercrime.

It can be found at http://www.gilc.org/privacy/coe-letter-0601.html .

The draft convention continues to pose a threat to civil liberties.

Among other things:

1.      The Convention would require parties to have the capacity and
legal authority to install Carnivore-like surveillance devices,

2.      Seemingly requires parties to enact laws requiring the
disclosure of decryption keys and/or plain text,

3.      In many circumstances requires parties to provide mutual
assistance, in the form of  intrusive searches and surveillance, even
when the act being investigated by one nation is not a crime in the
nation that is being asked to conduct the search and,

4.      Has very few procedural or due process protections for human
rights.


The Convention is rapidly moving to a conclusion and may go to the COE
Council of Ministers and be open for signatures as early as this fall.

Barry Steinhardt

********

http://www.gilc.org/privacy/coe-letter-0601.html


Comments of the American Civil Liberties Union, the Electronic Privacy
Information Center and Privacy International on Draft 27 of the
Proposed CoE Convention on Cybercrime

   June 7, 2001

   We are offering this letter of comments to the U.S. Department of
   Justice and the CDPC of the Council of Europe in order to voice our
   continuing concerns regarding the development and form of the draft
   Convention on Cybercrime. While we were advised to reserve our
   comments to optional text and footnotes in order to conform with
   the interests of the CDPC, we also present our continuing concerns
   generally in the hope of promoting democratic debate. We represent
   Non-Governmental Organizations, which are members of the Global
   Internet Liberty Campaign. This letter addresses only certain
   portions of the draft Convention and individual signatories may
   have additional concerns.

   We have been actively offering our thoughts on the Convention since
   the drafts were made public. Through the Global Internet Liberty
   Campaign, of which we are members, two letters were submitted to
   the Council of Europe outlining our concerns; these concerns still
   stand. We have also worked with industry actors under an ad-hoc
   group in order to communicate our concerns to the U.S. Department
   of Justice, which reports back that the Committee of Experts on
   Crime in Cyber-Space continues to resist our recommendations. We
   ask that this letter be taken with more consideration than past
   submissions, while bearing in mind our previously articulated
   concerns.

A. Process

   We must again object to the non-transparent manner in which this
   Convention has been developed. The CoE has made little effort to
   address the concerns of other stakeholders in the process. Even
   after the publication of Draft 19 and subsequent drafts, we have
   seen little effort on the part of the Council of Europe working
   group to directly and substantially incorporate the views and
   concerns of the NGO community on the issues of privacy and civil
   liberties. There has been limited public input on the convention,
   while CoE staffers have publicly dismissed any critical commentary.

   In addition, the makeup of the working party has remained
   one-sided, with law enforcement at the table and no industry or NGO
   participation. This is contrary to similar efforts at the OECD and
   the G-8 where NGOs (albeit in a very limited capacity) and industry
   were asked to participate and a more balanced effort has emerged.

B. Article 15 is Not Adequate

   We recognize that the legal protections have been modestly improved
   in Article 15 by the reference to various other international
   instruments, but we still believe that the protections it affords
   are not adequate to address the significant demands and
   requirements for privacy-invasive techniques in the rest of the
   Convention.

   Title II sets out very specific requirements for privacy invasive
   law enforcement techniques. We believe and have consistently stated
   publicly that each of those sections should have included
   limitations on the use of the techniques. A vague reference to
   proportionality will not be adequate to ensure that civil liberties
   are protected. We recognize that countries have varying methods for
   protection of civil liberties, but as a Council of Europe
   Convention drafted in consultation with other democratic nations,
   this document missed an important opportunity to ensure that
   minimum standards consistent with the European Convention on Human
   Rights and other international human rights accords were actually
   implemented. This failure is, in part, a result of the
   non-transparency of the process.

   It is also unfortunate the section does not specifically address
   the issue of privacy and data protection. The COE Convention 108 on
   Data Protection is an important safeguard for protecting citizens'
   rights and the implementation of this Convention should be adopted
   in a manner that is consistent with its requirements.

   Other related efforts such as the 1997 OECD cryptography guidelines
   specifically recognize the fundamental right of privacy:

   Article 5. The fundamental rights of individuals to privacy,
   including secrecy of communications and protection of personal
   data, should be respected in national cryptography policies and in
   the implementation and use of cryptographic methods.

   Even the recent G8 Tokyo-round documents noted privacy as a right
   that needs to be protected by the democratic nations and fully
   incorporated into procedures for law enforcement investigations.

   Similarly, the requirements in 15.2 are vague and unlikely to
   create any significant procedural protections and do not provide
   for adequate independent supervision by judicial or other
   authorities. Independent supervision varies greatly across nations.
   15.2 does not set any standards for independence, while the
   Explanatory Memorandum (par.138) even notes that a competent
   authorisation across nations differs from "judicial,
   administrative, or other law enforcement authority" (emphasis
   added). We would expect that minimal, yet adequate protections be
   discussed specifically and that the treaty should require scrutiny
   independent from law enforcement itself.

   The issue of costs is also troublesome. Under 15.3, countries are
   not required to pay the costs imposed on third parties for their
   demands for surveillance. This both significantly lowers the
   barriers to law enforcement surveillance by removing any limits on
   how much surveillance can be afforded and is grossly unfair to the
   providers. Industry commenters have consistently asked for the
   inclusion of a reimbursement requirement, and those requests have
   been supported by the privacy community. Requiring that law
   enforcement pay for their surveillance provides an important level
   of accountability through the budget process each year.

C. Encryption and Article 19.4

   In the last few years, after considerable international debate over
   surveillance, privacy and electronic commerce, the use of
   encryption has been liberalized, except in a few authoritarian
   governments such as China and Russia. Article 19.4 is a step
   backwards by seemingly requiring that countries adopt laws that can
   force users to provide their encryption keys and the plain text of
   the encrypted files.

   So far, only a few countries, such as Singapore, Malaysia, India
   and the UK, have implemented such provisions in their laws. In
   those countries, police have the power to fine and imprison users
   who do not provide the keys or the plaintext of files or
   communications to police. It is worth noting that the UK Government
   faced significant opposition over its initiative; including an
   ambiguous paragraph within an internationally-binding convention is
   in conflict with democratic principles.

   Such approaches raise issues involving the right against
   self-incrimination, which is respected in many countries worldwide.
   The privilege against self-incrimination forbids a government
   official from compelling a person to testify against himself. It
   has a long history, originally developing from Roman and Canon law
   and has subsequently been adopted in the Common law of many
   countries. Many European legal scholars also believe that requiring
   such disclosures violates the European Convention on Human Rights.

   The proposed treaty should unambiguously provide that there is no
   requirement that parties have domestic legislation that forces
   users to provide encryption keys or to decrypt documents.

D. Interception and Real-time Traffic Data

   Articles 20 (Real-time collection of traffic data) and Article 21
   (Interception of content data) mandate that the parties have
   domestic laws requiring service providers to cooperate in both the
   collection of traffic data and the content of communications.
   Without sufficient privacy and due process protections, which are
   noticeably lacking in the Treaty, these provisions threaten human
   rights.

   Both Articles also mandate in their respective Sections A that the
   parties shall adopt such legislative and other measures to empower
   their law enforcement authorities to directly collect or record
   such content and traffic data without the participation of the
   service provider.

   Allowing law enforcement direct access to a service provider's
   network to conduct surveillance, e.g., the U.S. Carnivore program,
   provides police with the ability to conduct broad sweeps of network
   communications with only their unsupervised assurance that they
   will only collect that data which they are lawfully entitled to
   collect. It invites abuse of the most invasive investigative
   powers. It also represents a threat to the integrity of providers'
   networks. For example, the use of Carnivore in the US compromised
   the network integrity of a major ISP.

E. Data Protection

   We would urge the CoE to adopt the sections under discussion in
   Article 29 and footnote 9 on data protection. Opposition to this
   section seems to come from a misunderstanding on the part of some
   countries about the issue of data protection. In this case, it is a
   requirement that the information is only used by governments for
   appropriate means. It is not a requirement that countries such as
   the US adopt legislation governing the use of personal information
   in the private sector. Many countries around the world already have
   legislation of this nature including the US Privacy Act.

   It should also be noted that other international agreements on the
   transfer of information between law enforcement agencies including
   the Interpol, Europol and Schengen agreements all include sections
   on the use of information.

F. On Mutual Assistance and Dual-Criminality

   We remain deeply concerned with the draft treaty's failure to
   consistently require dual criminality as a condition for mutual
   assistance. No nation should ask another to interfere with the
   privacy of its citizens or to impose onerous requirements on its
   service providers to investigate acts, which are not a crime in the
   requested nation. Governments should not investigate a citizen who
   is acting lawfully, regardless of whatever mutual assistance
   conventions are in place.

   At a minimum, if the CoE insists on not requiring dual criminality,
   then we recommend the addition of an article that has reporting
   requirements regarding such investigations of lawful activity. Such
   an article should include reporting of each case of mutual
   assistance that did not involve dual criminality, as well as an
   accounting of all investigative `product' of lawful activity that
   involved personal data that was shared with another country, and
   should require notification to the individual.

   Moreover, we believe that the CoE must explain with much greater
   specificity the situations and scenarios where parties are
   permitted to use the articulated reservations of political offences
   and prejudicing essential interests, and must differentiate these
   from general cases of investigations of an innocent individual for
   lawful acts. Importantly, the CoE also needs to explain why in
   Article 33 (Real Time Collection of Traffic Data), the draft
   provides for neither a dual criminality constraint, nor even a
   `political offence' and `essential interest' exemption, as do other
   articles.

   Finally, the interception article provides that interception is
   allowed to the extent permitted by other treaties and domestic law.
   Article 18.5.b of the European Convention on Mutual Assistance in
   Criminal Matters, for example, allows the requested Member State to
   make its consent subject to any conditions, which would have to be
   observed in a similar national case. We recommend clarifying that
   within the CoE convention, requests for interception can only take
   place if it is permitted under the given criminal law as an offence
   that merits interception in both countries. We also favor a
   minimum-authorization request, where warrants are only acted upon
   if they are received from a judicial authority in the requested
   country.

G. Additional Protocol on Speech Crimes

   In Footnote 3. the PC-CY Committee discussed the possibility of
   including content-related offences other than those defined in
   Article 9, such as the distribution of racist propaganda through
   computer systems. [..]

   We would oppose the CoE taking forward a second protocol on other
   content-related crimes. Such a protocol will inevitably threaten
   recognized free expression rights in many nations. This treaty
   should be confined to offences where there is universal agreement
   about criminality. We are particularly concerned with the CoE as an
   organisation discussing these issues, if it is going to employ as
   closed a process as it has for its deliberations on this
   convention.

H. Other Brackets and Footnotes

   (i) Preamble: [Mindful also of [the need to reconcile the interests
   of international mutual assistance and] the protection of personal
   data, as conferred e.g. by the 1981 Council of Europe Convention
   for the Protection of Individuals with Regard to Automatic
   Processing of Personal Data];

   We support the outside brackets being removed, but recommend
   removing the internal clause regarding mutual assistance. We also
   support the inclusion of the further data protection instruments
   into the preamble.

   (ii) Footnotes 4 and 5, relating to "where such acts are committed
   wilfully, [at least] on a commercial scale and by means of a
   computer system":[...] Meanwhile, another delegation proposed the
   following alternative formulation: "Parties shall consider
   establishing as criminal offences conduct described in paragraphs 1
   and 2 in situations other than those which involve a commercial
   scale."

   We oppose the inclusion of the "[at least]", as it increases the
   scope of applicability. We also disagree with the inclusion of the
   alternative formulation proposed by the 'other delegation'
   mentioned in footnote 4.

   (iii) Footnote 6. Two delegations requested that a reservation
   clause be included to Articles 20 and 21 to the extent these
   provisions under their domestic laws cannot apply to certain types
   of service providers.

   We support this reservation clause, and recommend tightening the
   definition of traffic data within article 20 particularly
   considering the various types of service providers that could
   arguably be covered.

   (iv) Footnote 9. See our discussion above under "Data Protection".

   (v) Footnote 10: It was suggested by several delegations that "may"
   be replaced by "shall" with regard to paragraph b). One delegation
   proposed to replace "may" by "shall" in both paragraphs a) and b).

   We support replacing "may" with "shall", particularly in the light
   of our discussion above under "Data Protection".

Conclusion

   We thank you for this latest opportunity to respond to the
   convention. We feel that without due consideration to civil
   liberties, privacy, and due process this convention will continue
   to threaten fundamental human rights. We look forward to further
   discussing the matter with you.

   David Banisar and Gus Hosein
   Privacy International

   Barry Steinhardt
   American Civil Liberties Union

   David Sobel
   Electronic Privacy Information Center



----------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
----------------------------------------------------------------------

------- End of forwarded message -------