The Council of Europe Cybercrime Convention
Date: April 26, 2004
Source: Computer Crime Research Center
... Providers (ISPs).
Such a proposal, if adopted by the Committee,
raises concerns that it may become lawful for public authorities to
obtain a vast wealth of communications data without a ministerial or
judicial warrant.
Any proposal for ISP logging or monitoring would be tantamount to
the sanctioning of mass surveillance. Such a measure,
combined with the use of sophisticated analytical techniques such as
data-mining, triangulation of data, "friendship trees", and "interest
profiling", would be another step towards a totalitarian society.
No compelling case has been made to justify
mandatory record keeping by ISPs. Instead, submissions made to the
Committee have relied on anecdotes, with no supporting data
or statistics on the prospects for improvement in crime clear-up
rates, the nature of any crimes likely to be detected, the
additional evidence expected to be obtained, or the
increased probability of successful prosecutions.
The potential for infringement of the Privacy
Act (Cth) (as amended 2000) must also be considered, in particular
the National Privacy Principles (NPPs), Section 1 (Collection), which includes
the following principles:
1.2 An organisation must collect personal information only by lawful and fair
means and not in an unreasonably intrusive way.
1.4 If it is reasonable and practicable to do so, an organisation must
collect personal information about an individual only from that individual.
It is acknowledged that the Privacy Act seeks to balance the right to
privacy with other public interests such as law enforcement objectives.
In particular, NPP 2.1(h) allows personal information to be disclosed
in defined circumstances for the secondary purpose of law enforcement.
However, it is contended that a proposal
for compulsory logging of communications traffic does not give rise
to a secondary purpose within the meaning of the Act. Rather, the primary purpose
of such record-keeping is the acquisition of mass surveillance data without consent,
in case the data is required at some future time to incriminate a particular
user. The law enforcement provisions of the Act are clearly intended only to
allow law enforcement agencies to access specific records collected by an organisation
for some other legitimate purpose.
Furthermore, it is questionable whether the disclosure of information from communications logs
for data-matching purposes is a permitted purpose under the Act if it involves disclosure
of information about large numbers of individuals who are of no interest to the
relevant agency.
We contend that any system which monitors the communications of Internet
users, without their consent and without a judicial warrant, would
be contrary to the government's intent in expanding the coverage of the
Privacy Act.
It was recently revealed, before a Senate
Estimates Committee, that almost one million disclosures of
information or documents by carriers, or carriage service providers,
under the provisions of Part 13 of the
Telecommunications Act 1997 (Cth), had been made in the 1999/00 year. This was a substantial increase over the figures for previous years.
The level of disclosure, and the rate of increase, is illustrative of
the manner in which surveillance is overused once the facility is put
in place.
Logging and monitoring of Internet communications is more invasive
than the keeping of telephone records because the information can be used not only
to determine the parties to a communication but also
to draw up interest profiles of users. This is clearly
an infringement of an individual's right to privacy in terms of
basic human rights.
Unlike telephone call records, most ISP logs, apart from those used to
determine customer log-in durations and traffic volumes, are not intrinsic
to the operation of the business.
E-mail and web proxy logs are an ephemeral by-product of server operations,
useful in the short term to diagnose technical problems, but otherwise
routinely discarded. It is necessary to embark on a data-mining and data-matching
exercise in order to turn the raw log data into information about user
behaviour. This factor is mentioned because it increases the risk that ISPs
may hand over complete logs of all user transactions to law enforcement
authorities rather than undertake the costly exercise of extracting
and matching information about a particular individual of interest.
Measures to bring serious criminals to justice deserve widespread support.
However, a balanced approach must be used in the
sensitive area of communications interception such that law enforcement
agencies recognise the necessity of protecting fundamental human rights.
Vigilance is needed to ensure that any proposals put forward in Australia
as an outcome of current or future policy development processes take a
balanced approach, not only in respect of the creation of new offences, but
more particularly in relation to proposals for increased surveillance
of all citizens.
The author acknowledges contributions to the discussion presented here by
members of the Global Internet Liberty Campaign (GILC), in particular David Banisar
(Privacy International), Barry Steinhardt (ACLU), Marc Rotenberg (Electronic
Privacy Information Center) and Jim Dempsey (Center for Democracy and Technology).
...

