Dempsey said the treaty's provisions apply to all criminal investigations, making it resemble a treaty on international law enforcement cooperation. Europe is trying to take a centralized, top-down set of concepts and apply them to the radically decentralized, user-controlled global medium, and the treaty "at this point doesn't mesh with what the Internet is and where it's heading," he said.
Jeffrey Pryce, special adviser on cyber security for the World Information Technology and Services Alliance (WITSA), a global consortium of IT associations currently led by the Information Technology Association of America, said among the IT companies' concerns are the draft treaty's definition of an ISP, which he said could be interpreted to mean any company or organization that "engages in the normal business of electronic interaction."
Another provision of the treaty that has raised concern addresses access to a computer system "without rights," but Pryce said that could jeopardize the work oof a security company that has been hired to try to hack into a company's system to identify weaknesses. Though such a case may be thrown out quickly, companies would be more comfortable if they didn't have to worry at all about being prosecuted, said Kimberly Claman, executive director of WITSA.
WITSA's criticism of the treaty was already on record. Last week the association expressed concern about some provisions of the draft, saying they could impose burdensome data-preservation requirements on ISPs, make ISPs liable for third-party actions; and restrict legitimate activities on the Internet.
Kaspersen, who met privately Wednesday with U.S. government officials and industry representatives to discuss the treaty, said he could not accept Dempsey's interpretation that the draft treaty's provisions apply to all crimes. The language is limited to "serious crime" and only crimes that involve computers, he said.
Kaspersen also said the committee has taken steps to involve a broad circle of interested parties, including the telecommunications and economics agencies of the various countries involved and industry representatives. Despite those efforts, the treaty's drafters have encountered familiar differences between European and U.S. approaches to government regulation, he said. European companies have expressed some of the same concerns the U.S. companies have expressed, but the European companies have gone directly to the council, whereas U.S. companies have complained more openly.
He said the committee did not wish to leave privacy matters out of the treaty but was forced to because it was impossible to find one international standard for privacy protections. Kaspersen also said it was not the intent of the committee to criminalize the use of security tools that are used with the expressed authorization of the company involved.