Europe's cyber crime treaty criticized
THE CHAIRMAN OF the committee drafting the Council of Europe's proposal for fighting cybercrime faced renewed questions and criticism of the draft treaty on Thursday from a representative of U.S. IT companies and a privacy advocate.
The draft treaty is meant to addresses a need for basic cooperation on the approach to computer-crime laws in the 41 nations that belong to the Strasbourg, France-based council, along with the U.S., Canada and Japan, which also have worked on the treaty as observers. The goal is to ensure that governments will be able to investigate and prosecute computer-related crimes across borders, including attacks on computer systems and crimes that involve the use of computer systems.
But U.S. companies, especially Internet service providers (ISPs), telecommunications carriers and security companies, are worried that the treaty is too vague and could result in cases such as the 1997 prosecution of a CompuServe Deutschland executive in Munich, Germany, over pornography sites hosted by the ISP. They also worry that it could create cost burdens and violate individual countries' due-process laws.
Speaking at a panel discussion on global cyber crime, Prof. Henrik Kaspersen, chairman of the Council of Europe's Committee of Experts on Crime in Cyberspace, said the council was trying to find a "flexible and dynamic way" to write the treaty, which is designed to "approximate" the essence of the countries' laws rather than change the laws to harmonize them.
Efforts have been made to ensure that the treaty includes language to prevent data havens, a guarantee that signatories will have effective sanctions in place for punishing cyber criminals and assurances that countries will assist each other in the investigation of suspected cyber crimes, Kaspersen said during the discussion, which was sponsored by the Washington consulting company McConnell International.
Despite these efforts, James Dempsey, senior staff counsel for the Center of Democracy and Technology, criticized the draft treaty for failing to address privacy and representing creeping government authority over the flow of information.
"A lot of this treaty is being looked at in the United States as a backdrop of what many of us see as ongoing government efforts to control the design of this new technology and to control the government power," Dempsey said. "This treaty is viewed as another step in the effort of our government to extend... surveillance mandates to the Internet."
Dempsey said the treaty's provisions apply to all criminal investigations, making it resemble a treaty on international law enforcement cooperation. Europe is trying to take a centralized, top-down set of concepts and apply them to the radically decentralized, user-controlled global medium, and the treaty "at this point doesn't mesh with what the Internet is and where it's heading," he said.
Jeffrey Pryce, special adviser on cyber security for the World Information Technology and Services Alliance (WITSA), a global consortium of IT associations currently led by the Information Technology Association of America, said among the IT companies' concerns are the draft treaty's definition of an ISP, which he said could be interpreted to mean any company or organization that "engages in the normal business of electronic interaction."
Another provision of the treaty that has raised concern addresses access to a computer system "without rights," but Pryce said that could jeopardize the work oof a security company that has been hired to try to hack into a company's system to identify weaknesses. Though such a case may be thrown out quickly, companies would be more comfortable if they didn't have to worry at all about being prosecuted, said Kimberly Claman, executive director of WITSA.
WITSA's criticism of the treaty was already on record. Last week the association expressed concern about some provisions of the draft, saying they could impose burdensome data-preservation requirements on ISPs, make ISPs liable for third-party actions; and restrict legitimate activities on the Internet.
Kaspersen, who met privately Wednesday with U.S. government officials and industry representatives to discuss the treaty, said he could not accept Dempsey's interpretation that the draft treaty's provisions apply to all crimes. The language is limited to "serious crime" and only crimes that involve computers, he said.
Kaspersen also said the committee has taken steps to involve a broad circle of interested parties, including the telecommunications and economics agencies of the various countries involved and industry representatives. Despite those efforts, the treaty's drafters have encountered familiar differences between European and U.S. approaches to government regulation, he said. European companies have expressed some of the same concerns the U.S. companies have expressed, but the European companies have gone directly to the council, whereas U.S. companies have complained more openly.
He said the committee did not wish to leave privacy matters out of the treaty but was forced to because it was impossible to find one international standard for privacy protections. Kaspersen also said it was not the intent of the committee to criminalize the use of security tools that are used with the expressed authorization of the company involved.
The latest version of the treaty was released in October. The council is working toward approving it in July, then sending it to member countries and the observer countries for signing or legislative approval.
Margret Johnston is a Washington correspondent for the IDG News Service, an InfoWorld affiliate.