[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] (Fwd) FC: Privacy groups try to rally opposition to "cybercrim
- To: debate@fitug.de
- Subject: [FYI] (Fwd) FC: Privacy groups try to rally opposition to "cybercrim
- From: "Axel H Horns" <horns@ipjur.com>
- Date: Sun, 10 Jun 2001 19:31:40 +0200
- Comment: This message comes from the debate mailing list.
- Organization: NONE
- Sender: owner-debate@fitug.de
------- Forwarded message follows -------
Date sent: Sat, 9 Jun 2001 13:13:39 -0400
From: Declan McCullagh <declan@well.com>
To: politech@politechbot.com
Subject: FC: Privacy groups try to rally opposition to "cybercrime" treaty
Send reply to: declan@well.com
Background on Council of Europe "cybercrime" treaty:
http://www.politechbot.com/p-01136.html
http://www.politechbot.com/p-01558.html
http://www.politechbot.com/p-01553.html
********
Date: Fri, 08 Jun 2001 14:59:23 -0400
To: Declan McCullagh <declan@well.com>
From: Barry Steinhardt <Barrys@aclu.org>
Subject: Council Of Europe Cybercrime Treaty
Declan,
ACLU, EPIC and Privacy International have sent a letter to the US
Government and to the Council of Europe on the latest and purportedly
final version #27 of the Council of Europe Convention of Cybercrime.
It can be found at http://www.gilc.org/privacy/coe-letter-0601.html .
The draft convention continues to pose a threat to civil liberties.
Among other things;
1. The Convention would require parties to have the capacity and
legal authority to install Carnivore like surveillance devices,
2. Seemingly requires parties to enact laws requiring the
disclosure of decryption keys and, or plain text,
3. In many circumstances requires parties to provide mutual
assistance, in the form of intrusive searches and surveillance, even
when the act being investigated by one nation is not a crime in the
nation that is being asked to conduct the search and,
4. Has very few procedural or due process protections for human
rights.
The Convention is rapidly moving to a conclusion and may go the COE
Council of Ministers and be open for signatures as early as this fall.
Barry Steinhardt
********
http://www.gilc.org/privacy/coe-letter-0601.html
Comments of the American Civil Liberties Union, the Electronic Privacy
Information Center and Privacy International on Draft 27 of the
Proposed CoE Convention on Cybercrime
June 7, 2001
We are offering this letter of comments to the U.S. Department of
Justice and the CDPC of the Council of Europe in order to voice our
continuing concerns regarding the development and form of the draft
Convention on Cybercrime. While we were advised to reserve our
comments to optional text and footnotes in order to conform with
the interests of the CDPC, we also present our continuing concerns
generally in the hope of promoting democratic debate. We represent
Non-Governmental Organizations, which are members of the Global
Internet Liberty Campaign. This letter addresses only certain
portions of the draft Convention and individual signatories may
have additional concerns.
We have been actively offering our thoughts on the Convention since
the drafts were made public. Through the Global Internet Liberty
Campaign, of which we are members, two letters were submitted to
the Council of Europe outlining our concerns; these concerns still
stand. We have also worked with industry actors under an ad-hoc
group in order to communicate our concerns to the U.S. Department
of Justice, which reports back that the Committee of Experts on
Crime in Cyber-Space continues to resist our recommendations. We
ask that this letter be taken with more consideration than past
submissions, while bearing in mind our previously articulated
concerns.
A. Process
We must again object to the non-transparent manner in which this
Convention has been developed. The CoE has made little effort to
address the concerns of other stakeholders in the process. Even
after the publication of Draft 19 and subsequent drafts, we have
seen little effort on the part of the Council of Europe working
group to directly and substantially incorporate the views and
concerns of the NGO community on the issues of privacy and civil
liberties. There has been limited public input on the convention,
while CoE staffers have publicly dismissed any critical commentary.
In addition, the makeup of the working party has remained
one-sided, with law enforcement at the table and no industry or NGO
participation. This is contrary to similar efforts at the OECD and
the G-8 where NGOs (albeit in a very limited capacity) and industry
were asked to participate and a more balanced effort has emerged.
B. Article 15 is Not Adequate
We recognize that the legal protections have been modestly improved
in Article 15 by the reference to various other international
instruments, but we still believe that the protections it affords
are not adequate to address the significant demands and
requirements for privacy- invasive techniques in the rest of the
Convention.
Title II sets out very specific requirements for privacy invasive
law enforcement techniques. We believe and have consistently stated
publicly that each of those sections should have included
limitations on the use of the techniques. A vague reference to
proportionality will not be adequate to ensure that civil liberties
are protected. We recognize that countries have varying methods for
protection of civil liberties, but as a Council of Europe
Convention drafted in consultation with other democratic nations,
this document missed an important opportunity to ensure that
minimum standards consistent with the European Convention on Human
Rights and other international human rights accords were actually
implemented. This failure is, in part, a result of the
non-transparency of the process.
It is also unfortunate the section does not specifically address
the issue of privacy and data protection. The COE Convention 108 on
Data Protection is an important safeguard for protecting citizen's
rights and the implementation of this Convention should be adopted
in a manner that is consistent with its requirements.
Other related efforts such as the 1997 OECD cryptography guidelines
specifically recognize the fundamental right of privacy:
Article 5. The fundamental rights of individuals to privacy,
including secrecy of communications and protection of personal
data, should be respected in national cryptography policies and in
the implementation and use of cryptographic methods.
Even the recent G8 Tokyo-round documents noted privacy as a right
that needs to be protected by the democratic nations and fully
incorporated into procedures for law enforcement investigations.
Similarly, the requirements in 15.2 are vague and unlikely to
create any significant procedural protections and do not provide
for adequate independent supervision by judicial or other
authorities. Independent supervision varies greatly across nations.
15.2 does not set any standards for independence, while the
Explanatory Memorandum (par.138) even notes that a competent
authorisation across nations differs from "judicial,
administrative, or other law enforcement authority" (emphasis
added). We would expect that minimal, yet adequate protections be
discussed specifically and that the treaty should require scrutiny
independent from law enforcement itself.
The issue of costs is also troublesome. Under 15.3, countries are
not required to pay the costs imposed on third parties for their
demands for surveillance. This both significantly lowers to
barriers to law enforcement surveillance by removing any limits on
how much surveillance can be afforded and is grossly unfair to the
providers. Industry commenters have consistently asked for the
inclusion of a reimbursement requirement, and those requests have
been supported by the privacy community. Requiring that law
enforcement pay for their surveillance provides an important level
of accountability through the budget process each year.
C. Encryption and Article 19.4
In the last few years, after considerable international debate over
surveillance, privacy and electronic commerce, the use of
encryption has been liberalized, except in a few authoritarian
governments such as China and Russia. Article 19.4 is a step
backwards by seemingly requiring that countries adopt laws that can
force users to provide their encryption keys and the plain text of
the encrypted files.
So far, only a few countries, such as Singapore, Malaysia, India
and the UK, have implemented such provisions in their laws. In
those countries, police have the power to fine and imprison users
who do not provide the keys or the plaintext of files or
communications to police. It is worth noting that the UK Government
faced significant opposition over its initiative; including an
ambiguous paragraph within an internationally-binding convention is
in conflict with democratic principles.
Such approaches raise issues involving the right against
self-incrimination, which is respected in many countries worldwide.
The privilege against self-incrimination forbids a government
official from compelling a person to testify against himself. It
has a long history, originally developing from Roman and Canon law
and has subsequently been adopted in the Common law of many
countries. Many European legal scholars also believe that requiring
such disclosures violates the European Convention on Human Rights.
The proposed treaty should unambiguously provide that there is no
requirement that parties have domestic legislation that forces
users to provide encryption keys or to decrypt documents.
D. Interception and Real-time Traffic Data
Articles 20 (Real-time collection of traffic data) and Article 21
(Interception of content data) mandate that the parties have
domestic laws requiring service providers to cooperate in both the
collection of traffic data and the content of communications.
Without sufficient privacy and due process protections, which are
noticeably lacking in the Treaty, these provisions threaten human
rights.
Both Articles also mandate in their respective Sections A that the
parties shall adopt such legislative and other measures to empower
their law enforcement authorities to directly collect or record
such content and traffic data without the participation of the
service provider.
Allowing law enforcement direct access to a service provider's
network to conduct surveillance, e.g., the U.S. Carnivore program,
provides police with the ability to conduct broad sweeps of network
communications with only their unsupervised assurance that they
will only collect that data which they are lawfully entitled to
collect. It invites abuse of the most invasive investigative
powers. It also represents a threat to the integrity of providers'
networks. For example, the use of Carnivore in the US compromised
the network integrity of a major ISP.
E. Data Protection
We would urge the CoE to adopt the sections under discussion in
Article 29 and footnote 9 on data protection. Opposition to this
section seems to come from a misunderstanding on the part of some
countries about the issue of data protection. In this case, it is a
requirement that the information is only used by governments for
appropriate means. It is not a requirement that countries such as
the US adopt legislation governing the use of personal information
in the private sector. Many countries around the world already have
legislation of this nature including the US Privacy Act.
It should also be noted that other international agreements on the
transfer of information between law enforcement agencies including
the Interpol, Europol and Schengen agreements all include sections
on the use of information.
F. On Mutual Assistance and Dual-Criminality
We remain deeply concerned with the draft treaty's failure to
consistently require dual criminality as a condition for mutual
assistance. No nation should ask another to interfere with the
privacy of its citizens or to impose onerous requirements on its
service providers to investigate acts, which are not a crime in the
requested nation. Governments should not investigate a citizen who
is acting lawfully, regardless of whatever mutual assistance
conventions are in place.
At a minimum, if the CoE insists on not requiring dual criminality,
then we recommend the addition of an article that has reporting
requirements regarding such investigations of lawful activity. Such
an article should include reporting of each case of mutual
assistance that did not involve dual criminality , as well as an
accounting of all investigative `product' of lawful activity that
involved personal data that was shared with another country, and
should require notification to the individual.
Moreover, we believe that the CoE must explain with much greater
specificity the situations and scenarios where parties are
permitted to use the articulated reservations of political offences
and prejudicing essential interests, and must differentiate these
from general cases of investigations of an innocent individual for
lawful acts. Importantly, the CoE also needsto explain why in
Article 33 (Real Time Collection of Traffic Data), the draft
provides for neither a dual criminality constraint, nor even a
`political offence' and `essential interest' exemption, as do other
articles.
Finally, the interception article provides that interception is
allowed to the extent permitted by other treaties and domestic law.
Article 18.5.b of the European Convention on Mutual Assistance in
Criminal Matters, for example, allows the requested Member State to
make its consent subject to any conditions, which would have to be
observed in a similar national case. We recommend clarifying that
within the CoE convention, requests for interception can only take
place if it is permitted under the given criminal law as an offence
that merits interception in both countries. We also favor a
minimum-authorization request, where warrants are only acted upon
if they are received from a judicial authority in the requested
country.
Additional Protocol on Speech Crimes
In Footnote 3. the PC-CY Committee discussed the possibility of
including content-related offences other than those defined in
Article 9, such as the distribution of racist propaganda through
computer systems. [..]
We would oppose the CoE taking forward a second protocol on other
content-related crimes. Such a protocol will inevitably threaten
recognized free expression rights in many nations. This treaty
should be confined to offences where there is universal agreement
about criminality. We are particularly concerned with the CoE as an
organisation discussing these issues, if it is going to employ as
closed a process as it has for its deliberations on this
convention.
H. Other Brackets and Footnotes
(i) Preamble: [Mindful also of [the need to reconcile the interests
of international mutual assistance and] the protection of personal
data, as conferred e.g. by the 1981 Council of Europe Convention
for the Protection of Individuals with Regard to Automatic
Processing of Personal Data];
We support the outside brackets being removed, but recommend
removing the internal clause regarding mutual assistance. We also
support the inclusion of the further data protection instruments
into the preamble.
(ii) Footnotes 4 and 5, relating to "where such acts are committed
wilfully, [at least] on a commercial scale and by means of a
computer system":[...] Meanwhile, another delegation proposed the
following alternative formulation: "Parties shall consider
establishing as criminal offences conduct described in paragraphs 1
and 2 in situations other than those which involve a commercial
scale."
We oppose the inclusion of the "[at least]", as it increases the
scope of applicability. We also disagree with the inclusion of the
alternative formulation proposed by the 'other delegation'
mentioned in footnote 4.
(iii) Footnote 6. Two delegations requested that a reservation
clause be included to Articles 20 and 21 to the extent these
provisions under their domestic laws cannot apply to certain types
of service providers.
We support this reservation clause, and recommend tightening the
definition of traffic data within article 20 particularly
considering the various types of service providers that could
arguably be covered.
(iv) Footnote 9. See our discussion above under "Data Protection".
(v) Footnote 10: It was suggested by several delegations that "may"
be replaced by "shall" with regard to paragraph b). One delegation
proposed to replace "may" by "shall" in both paragraphs a) and b).
We support replacing "may" with "shall", particularly in the light
of our discussion above under "Data Protection".
Conclusion
We thank you for this latest opportunity to respond to the
convention. We feel that without due consideration to civil
liberties, privacy, and due process this convention will continue
to threaten fundamental human rights. We look forward to further
discussing the matter with you.
David Banisar and Gus Hosein
Privacy International
Barry Steinhardt
American Civil Liberties Union
David Sobel
Electronic Privacy Information Center
----------------------------------------------------------------------
--- POLITECH -- Declan McCullagh's politics and technology mailing
list You may redistribute this message freely if you include this
notice. To subscribe, visit
http://www.politechbot.com/info/subscribe.html This message is
archived at http://www.politechbot.com/
----------------------------------------------------------------------
---
------- End of forwarded message -------