Computer Crime Research Center

The Council of Europe Cybercrime Convention

Date: April 26, 2004
Source: Computer Crime Research Center

... This both significantly lowers to barriers to law
enforcement surveillance by removing any limits on how much surveillance
can be afforded and is grossly unfair to the providers. Industry
commenters have consistently asked for the inclusion of a reimbursement
requirement, and those requests have been supported by the privacy
community. Requiring that law enforcement pay for their surveillance
provides an important level of accountability and acts as a constraint
against over-zealous use of law enforcement powers.

In the last few years, after considerable international debate over
surveillance, privacy and electronic commerce, the use of encryption has
been liberalized, except in a few authoritarian governments such as China
and Russia. Clause 4 of Article 19
(Search and Seizure of Stored Computer Data)
is a step backwards by seemingly
requiring that countries adopt laws that can force users to provide their
encryption keys and the plain text of the encrypted files.
So far, only a few countries, such as Singapore, Malaysia, India and the
UK, have implemented such provisions in their laws. In those countries,
police have the power to fine and imprison users who do not provide the
keys or the plaintext of files or communications to police. It
should be noted that the UK Government faced significant opposition over its
Such approaches raise issues involving the right against
self-incrimination, which is respected in many countries worldwide.

Article 20 (Real-time collection of traffic data) and Article 21
(Interception of content data) mandate that the parties have domestic
laws requiring service providers to cooperate in both the collection of
traffic data and the content of communications. Without sufficient
privacy and due process protections, these provisions threaten human rights.

Allowing law enforcement direct access to a service provider’s network to
conduct surveillance, e.g., the U.S. Carnivore program, provides police
with the ability to conduct broad sweeps of network communications with
only their unsupervised assurance that they will only collect that data
which they are lawfully entitled to collect. It invites abuse of the most
invasive investigative powers. It also represents a threat to the
integrity of providers’ networks.

Curiously, the Convention involves itself in two issues, content and copyright, which appear out of step with the rest of the document. The content provisions (Article 9, Offences related to
child pornography) deal with an offence that is undoubtedly abhorrent. However, distribution
and possession of child pornography are already offences in most countries. It is not
clear why this Article was included in the Convention. The definitions used in relation to
child pornography are also over-broad, since they criminalize
the possession of images whose production does not involve real children.

Although sensibly omitted from the final draft, earlier versions
included reference to an optional protocol concerning hate-speech, a matter about
which there are significant cultural differences. Such a protocol would inevitably threaten
recognized free expression rights in many nations.
This illustrates the problem with
attempts to criminalize content when there is no universal agreement about criminality.

Article 10 (Offences related to infringement of copyright and related rights) also appears to
be out of place here. Intellectual property protection is a complicated issue that touches upon both free expression and privacy issues and in which the law is still developing.
Furthermore, there are
other international fora in which such matters are more appropriately addressed.

The draft treaty fails to consistently require dual criminality as a condition for mutual
assistance between countries. No nation should ask another to interfere with the
privacy of its citizens or to impose onerous requirements on its service
providers to investigate acts which are not a crime in the requested
nation. Governments should not investigate a citizen who is acting
lawfully, regardless of whatever mutual assistance conventions are in

Article 34 (Mutual assistance regarding the interception of content data)
allows interception
to the extent permitted by other treaties and domestic law.
An acceptable condition would have been that
requests for interception can only take place if it is
permitted under the relevant criminal law as an offence that merits
interception in both countries. Requests should also have a specified level of
authorisation, i.e. where warrants are only acted upon if they are received from a
judicial authority in the requested country.

It would be far more acceptable and sensible if the convention dealt only with harmonizing laws
for core offences for hacking, viruses and other attacks on computer networks, plus international cooperation in investigating those crimes, without the controversial and fundamentally
imbalanced provisions on search and seizure, data access and wiretapping.
Specific privacy protections need to be included to offset the one-sided emphasis on
increased surveillance powers for law enforcement.

The convention should focus on those offences unique to computer networks, and not address forgery, copyright and other offences that are already the subject of laws equally applicable online and offline, nor should it include content offences.

The Cybercrime Bill 2001 was tabled in the House of Representatives on 27 June 2001
by the Attorney-General. It was subsequently referred to a Senate Committee Inquiry,
to which public submissions were invited.

The offence provisions in the Bill implement the Model Criminal Code section 4.2 (Computer Offences), which was made public in January 2001. The Model Criminal Code Officers Committee (MCOCC),
which is developing the Code, relied heavily on recent drafts of the CoE Convention in
drafting section 4.2.The offences covered in the Code are:

These offences are implemented in the Cybercrime Bill 2001
Division 477.1 to 478.4 (as additions to the Criminal Code Act 1995)

At the time of writing, EFA was still considering its response to the
Cybercrime Bill. EFA's concerns about the substantive offences
are likely to centre around issues of over-criminalization and the risk
of criminalizing innocent behaviour. The Bill as a whole is seen as premature, and an inappropriate response to problems that are seen by many in the industry as resulting from poor security in software design or implementation.

There are however, substantial concerns about the law enforcement provisions
in the Bill. While the Model Criminal Code makes no provision for enforcement,
the Bill (in Schedule 2) implements controversial changes to the Crimes Act
(s.3LA) and the Customs Act (s.201A), which require persons with knowledge of a computer system to provide assistance in decryption or recovery of data and other measures to facilitate search of computer systems for evidence of crime. This potentially over-rides the common law privilege against self-crimination.

The Parliamentary Joint Committee On The National Crime Authority
is currently conducting an Inquiry into The Law Enforcement Implications of New Technology and
is due to report in August 2001. It remains to be seen what the Committee may recommend,
or indeed whether the Committee's recommendations will ever find their way into legislation,
but there will be major concerns amongst the Internet community and the Internet industry
if the demands of law enforcement agencies are given serious consideration. These demands
closely resemble the more contentious aspects of the CoE Convention's law enforcement

Proposals have been put to the Committee for mandatory retention of
transaction log records by Internet Service Providers (ISPs).
Such a proposal, if adopted...

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo