Computer Crime Research Center

The Council of Europe Cybercrime Convention

Date: April 26, 2004
Source: Computer Crime Research Center

The Council of Europe Cybercrime Convention

A civil liberties perspective

Greg Taylor
Electronic Frontiers Australia

This paper examines the Council of Europe ("CoE") Convention from a
human rights and civil liberties point of view. It addresses only
those parts of the Convention that have been the most controversial
internationally in the time since the draft was publicly released
in April 2000. It is postulated that the draft Convention fails
to address privacy rights and focuses almost completely on law
enforcement demands. The paper examines concerns over the
adequacy of privacy and data protection, surveillance proposals, international
cooperation in the absence of dual criminality, and removal of the
common law privilege against self-incrimination. Recent Australian
developments which have incorporated elements of the Convention
in draft legislation currently before the Parliament are also
discussed. Finally, proposals that have been put forward for implementation of
controversial data surveillance proposals in Australian law are discussed.

Electronic Frontiers Australia Inc. is a non-profit national organisation representing Internet users concerned with on-line freedoms and rights. EFA was formed in January 1994 and incorporated under South Australian law in May 1994. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.
EFA's major goals are to protect and promote the civil liberties of users and operators of computer based communications systems, to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech, and to educate the community at large about the social, political, and civil liberties issues involved in the use of computer based communications systems.

EFA is a founding member of the Global Internet Liberty Campaign (GILC), an international coalition
of online civil liberties groups. GILC has made representations over the last 12 months to the
CoE working group which was drafting the convention and EFA was a party to these representations.

The Council of Europe consists of 43 member states, including all of the members of the European Union. It was established in 1949 primarily as a forum to uphold and strengthen human rights, and to promote democracy and the rule of law in Europe. Based in Strasbourg in France, its work programme includes legal co-operation, social and economic questions, health, education and culture. It provides a forum for both EU and non-EU European nations to agree on harmonizing conventions. Some nations from outside Europe have been admitted as observers to the Council, including Canada, Japan and the USA.

The CoE has been working since 1989 to address threats posed by hacking and other computer-related crimes.
In 1995 it published a report concerning the adequacy of criminal procedural laws in this area and followed
this up in 1997 by establishing a Committee of Experts on Crime in Cyberspace (PC-CY) to begin drafting a binding convention to facilitate international cooperation in the investigation and prosecution of computer crimes. The United States, represented by the Department of Justice, played a key role in the drafting
stages, even though the USA was only an observer member of the Committee.

The first publicly-released draft of the convention was Draft 19, which was made available for
public comment in April 2000. Several more drafts have been released since then, culminating in the
final draft released on 29 June 2001. The Convention will now be submitted to the Council of Ministers
for adoption and will be open for signature late in 2001. It is the intention of the CoE that
non-member states will also be invited to sign on.

The convention is divided into 4 Chapters. The first chapter
deals with substantive law issues: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright.
The second chapter deals with law enforcement issues, including preservation of stored data, preservation
and partial disclosure of traffic data, production order, search and seizure of computer data, real-time collection of traffic data and interception of content data. Chapter III contains provisions concerning traditional and computer crime-related mutual assistance between states as well as extradition rules.
Chapter IV contains the final clauses, which deal with standard provisions in Council of Europe treaties.

When the first public draft was released in April 2000, it attracted a storm of criticism from both
civil liberties organisations as well as from computer industry organisations.

The treaty is fundamentally imbalanced. It includes very detailed and sweeping powers of computer search and seizure and government surveillance of voice, email and data communications, but no correspondingly detailed standards to protect privacy and limit government use of such powers.
This is despite the fact that privacy is the major concern of Internet users worldwide.

EFA has been involved in commenting on the Convention since the
first publicly-released draft. Through the Global Internet Liberty Campaign,
of which we are members, two letters were submitted to the Council of Europe
outlining our concerns with certain provisions. While some changes have been made
as a result of these representations, the concerns still
stand in respect of the final version.

The manner in which this Convention has been developed
is a major concern. Law enforcement interests have dominated the
drafting process from the outset, and nineteen drafts were completed
before it was released for public comment.
The CoE has made little effort to address
the concerns of other stakeholders in the process.

While some minor accommodations have been made to appease privacy and
civil liberties concerns, these have been token in nature.
Even after the
publication of Draft 19 and subsequent drafts, we have seen little effort
on the part of the Council of Europe working group to
incorporate the views and concerns of the NGO community on
the issues of privacy and civil liberties.In addition, the makeup of the working party has remained one-sided, with
law enforcement at the table and no industry or NGO participation. This
is contrary to similar efforts at the OECD and the G-8 where NGOs (albeit
in a very limited capacity) and industry were asked to participate and a
more balanced outcome has emerged.

Draft 19 left open the matter of adequate balance by
leaving the question "subject to conditions and safeguards as provided
for under national law", a most unsatisfactory response.

Following objections from NGOs, Article 15 (Conditions and Safeguards)
was added, but this did little more than put more words around the
same phrasing. It failed to
adequately address the significant requirements for
privacy-invasive techniques in the rest of the Convention.

Article 16 (Expedited Preservation of Stored Computer Data) and
Article 17 (Expedited Preservation and Partial Disclosure of Traffic Data)
set out very specific requirements for privacy invasive law
enforcement techniques. Each of those sections should have included limitations on the use
of the techniques. A vague reference to proportionality will not be
adequate to ensure that civil liberties are protected. It is recognized that
countries have varying methods for protection of civil liberties, but as
a Council of Europe Convention drafted in consultation with other
democratic nations, this document missed an important opportunity to
ensure that minimum standards consistent with the European Convention on
Human Rights and other international human rights instruments were actually
implemented. This failure is, in part, a result of the non-transparency
of the process.
It is also unfortunate the section does not specifically address the
issue of privacy and data protection. The CoE Convention 108 on Data
Protection is an important safeguard for protecting citizen’s rights and
the implementation of the Cybercrime Convention should be adopted in a manner that
is consistent with those requirements.
Other related efforts such as the 1997 OECD cryptography guidelines
specifically recognize the fundamental right of privacy:

The issue of costs is also a problem. Under Article 15.3, countries are not
required to pay the costs imposed on third parties for their demands for
surveillance. This both significantly lowers to barriers to law

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo