The Council of Europe Cybercrime Convention
A civil liberties perspective
Electronic Frontiers Australia
This paper examines the Council of Europe ("CoE") Convention from a human rights and civil liberties point of view. It addresses only those parts of the Convention that have been the most controversial internationally in the time since the draft was publicly released in April 2000. It is postulated that the draft Convention fails to address privacy rights and focuses almost completely on law enforcement demands. The paper examines concerns over the adequacy of privacy and data protection, surveillance proposals, international cooperation in the absence of dual criminality, and removal of the common law privilege against self-incrimination. Recent Australian developments which have incorporated elements of the Convention in draft legislation currently before the Parliament are also discussed. Finally, proposals that have been put forward for implementation of controversial data surveillance proposals in Australian law are discussed.
Electronic Frontiers Australia Inc. is a non-profit national organisation representing Internet users concerned with on-line freedoms and rights. EFA was formed in January 1994 and incorporated under South Australian law in May 1994. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties. EFA's major goals are to protect and promote the civil liberties of users and operators of computer based communications systems, to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech, and to educate the community at large about the social, political, and civil liberties issues involved in the use of computer based communications systems.
EFA is a founding member of the Global Internet Liberty Campaign (GILC), an international coalition of online civil liberties groups. GILC has made representations over the last 12 months to the CoE working group which was drafting the convention and EFA was a party to these representations.
1. The CoE Convention
The Council of Europe consists of 43 member states, including all of the members of the European Union. It was established in 1949 primarily as a forum to uphold and strengthen human rights, and to promote democracy and the rule of law in Europe. Based in Strasbourg in France, its work programme includes legal co-operation, social and economic questions, health, education and culture. It provides a forum for both EU and non-EU European nations to agree on harmonizing conventions. Some nations from outside Europe have been admitted as observers to the Council, including Canada, Japan and the USA.
The CoE has been working since 1989 to address threats posed by hacking and other computer-related crimes. In 1995 it published a report concerning the adequacy of criminal procedural laws in this area and followed this up in 1997 by establishing a Committee of Experts on Crime in Cyberspace (PC-CY) to begin drafting a binding convention to facilitate international cooperation in the investigation and prosecution of computer crimes. The United States, represented by the Department of Justice, played a key role in the drafting stages, even though the USA was only an observer member of the Committee.
The first publicly-released draft of the convention was Draft 19, which was made available for public comment in April 2000. Several more drafts have been released since then, culminating in the final draft released on 29 June 2001. The Convention will now be submitted to the Council of Ministers for adoption and will be open for signature late in 2001. It is the intention of the CoE that non-member states will also be invited to sign on.
The convention is divided into 4 Chapters. The first chapter deals with substantive law issues: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offences related to child pornography and offences related to copyright. The second chapter deals with law enforcement issues, including preservation of stored data, preservation and partial disclosure of traffic data, production order, search and seizure of computer data, real-time collection of traffic data and interception of content data. Chapter III contains provisions concerning traditional and computer crime-related mutual assistance between states as well as extradition rules. Chapter IV contains the final clauses, which deal with standard provisions in Council of Europe treaties.
1.2 Problems with the Convention
When the first public draft was released in April 2000, it attracted a storm of criticism from civil liberties organisations as well as from computer industry organisations.
The treaty is fundamentally imbalanced. It includes very detailed and sweeping powers of computer search and seizure and government surveillance of voice, email and data communications, but no correspondingly detailed standards to protect privacy and limit government use of such powers. This is despite the fact that privacy is the major concern of Internet users worldwide.
EFA has been involved in commenting on the Convention since the first publicly-released draft. Through the Global Internet Liberty Campaign, of which we are members, two letters were submitted to the Council of Europe outlining our concerns with certain provisions. While some changes have been made as a result of these representations, the concerns still stand in respect of the final version.
1.3 Non-transparent Drafting Process
The manner in which this Convention has been developed is a major concern. Law enforcement interests have dominated the drafting process from the outset, and nineteen drafts were completed before it was released for public comment. The CoE has made little effort to address the concerns of other stakeholders in the process.
While some minor accommodations have been made to appease privacy and civil liberties concerns, these have been token in nature. Even after the publication of Draft 19 and subsequent drafts, we have seen little effort on the part of the Council of Europe working group to incorporate the views and concerns of the NGO community on the issues of privacy and civil liberties. In addition, the makeup of the working party has remained one-sided, with law enforcement at the table and no industry or NGO participation. This is contrary to similar efforts at the OECD and the G-8 where NGOs (albeit in a very limited capacity) and industry were asked to participate and a more balanced outcome has emerged.
1.4 Safeguards Not Adequate
Draft 19 left open the matter of adequate balance by leaving the question "subject to conditions and safeguards as provided for under national law", a most unsatisfactory response.
Following objections from NGOs, Article 15 (Conditions and Safeguards) was added, but this did little more than put more words around the same phrasing. It failed to adequately address the significant requirements for privacy-invasive techniques in the rest of the Convention.
Article 16 (Expedited Preservation of Stored Computer Data) and Article 17 (Expedited Preservation and Partial Disclosure of Traffic Data) set out very specific requirements for privacy-invasive law enforcement techniques. Each of those sections should have included limitations on the use of the techniques. A vague reference to proportionality will not be adequate to ensure that civil liberties are protected. It is recognized that countries have varying methods for protection of civil liberties, but as a Council of Europe Convention drafted in consultation with other democratic nations, this document missed an important opportunity to ensure that minimum standards consistent with the European Convention on Human Rights and other international human rights instruments were actually implemented. This failure is, in part, a result of the non-transparency of the process. It is also unfortunate that the section does not specifically address the issue of privacy and data protection. The CoE Convention 108 on Data Protection is an important safeguard for protecting citizens' rights, and the Cybercrime Convention should be implemented in a manner that is consistent with those requirements. Other related efforts such as the 1997 OECD cryptography guidelines specifically recognize the fundamental right of privacy:
"The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods."
The issue of costs is also a problem. Under Article 15.3, countries are not required to pay the costs imposed on third parties for their demands for surveillance. This both significantly lowers the barriers to law enforcement surveillance, by removing any limit on how much surveillance can be afforded, and is grossly unfair to the providers. Industry commenters have consistently asked for the inclusion of a reimbursement requirement, and those requests have been supported by the privacy community. Requiring that law enforcement pay for their surveillance provides an important level of accountability and acts as a constraint against over-zealous use of law enforcement powers.
1.5 Access to Encryption Keys
In the last few years, after considerable international debate over surveillance, privacy and electronic commerce, the use of encryption has been liberalized, except in a few authoritarian governments such as China and Russia. Clause 4 of Article 19 (Search and Seizure of Stored Computer Data) is a step backwards by seemingly requiring that countries adopt laws that can force users to provide their encryption keys and the plain text of the encrypted files. So far, only a few countries, such as Singapore, Malaysia, India and the UK, have implemented such provisions in their laws. In those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police. It should be noted that the UK Government faced significant opposition over its initiative. Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide.
1.6 Interception and Real-time Traffic Data
Article 20 (Real-time collection of traffic data) and Article 21 (Interception of content data) mandate that the parties have domestic laws requiring service providers to cooperate in both the collection of traffic data and the content of communications. Without sufficient privacy and due process protections, these provisions threaten human rights.
Allowing law enforcement direct access to a service provider’s network to conduct surveillance, e.g., the U.S. Carnivore program, provides police with the ability to conduct broad sweeps of network communications with only their unsupervised assurance that they will only collect that data which they are lawfully entitled to collect. It invites abuse of the most invasive investigative powers. It also represents a threat to the integrity of providers’ networks.
1.7 Content and Copyright Issues
Curiously, the Convention involves itself in two issues, content and copyright, which appear out of step with the rest of the document. The content provisions (Article 9, Offences related to child pornography) deal with an offence that is undoubtedly abhorrent. However, distribution and possession of child pornography are already offences in most countries. It is not clear why this Article was included in the Convention. The definitions used in relation to child pornography are also over-broad, since they criminalize the possession of images whose production does not involve real children.
Although sensibly omitted from the final draft, earlier versions included reference to an optional protocol concerning hate-speech, a matter about which there are significant cultural differences. Such a protocol would inevitably threaten recognized free expression rights in many nations. This illustrates the problem with attempts to criminalize content when there is no universal agreement about criminality.
Article 10 (Offences related to infringement of copyright and related rights) also appears to be out of place here. Intellectual property protection is a complicated issue that touches upon both free expression and privacy issues and in which the law is still developing. Furthermore, there are other international fora in which such matters are more appropriately addressed.
1.8 Mutual Assistance and Dual-Criminality
The draft treaty fails to consistently require dual criminality as a condition for mutual assistance between countries. No nation should ask another to interfere with the privacy of its citizens or to impose onerous requirements on its service providers to investigate acts which are not a crime in the requested nation. Governments should not investigate a citizen who is acting lawfully, regardless of whatever mutual assistance conventions are in place.
Article 34 (Mutual assistance regarding the interception of content data) allows interception to the extent permitted by other treaties and domestic law. An acceptable condition would have been that requests for interception can only take place if it is permitted under the relevant criminal law as an offence that merits interception in both countries. Requests should also have a specified level of authorisation, i.e. where warrants are only acted upon if they are received from a judicial authority in the requested country.
It would be far more acceptable and sensible if the convention dealt only with harmonizing laws for core offences for hacking, viruses and other attacks on computer networks, plus international cooperation in investigating those crimes, without the controversial and fundamentally imbalanced provisions on search and seizure, data access and wiretapping. Specific privacy protections need to be included to offset the one-sided emphasis on increased surveillance powers for law enforcement.
The convention should focus on those offences unique to computer networks, and not address forgery, copyright and other offences that are already the subject of laws equally applicable online and offline, nor should it include content offences.
2. Implications for Australia
2.1 The Cybercrime Bill 2001
The Cybercrime Bill 2001 was tabled in the House of Representatives on 27 June 2001 by the Attorney-General. It was subsequently referred to a Senate Committee Inquiry, to which public submissions were invited.
The offence provisions in the Bill implement the Model Criminal Code section 4.2 (Computer Offences), which was made public in January 2001. The Model Criminal Code Officers Committee (MCOCC), which is developing the Code, relied heavily on recent drafts of the CoE Convention in drafting section 4.2. The offences covered in the Code are:
- 4.2.4 - Unauthorised access, modification or impairment to commit a serious offence: A preparatory offence, penalising individuals who engage in unauthorised misuse of computer data with the object of committing another offence.
- 4.2.5 - Unauthorised modification of data to cause impairment: The offence prohibits unauthorised alteration or erasure of computer data.
- 4.2.6 - Unauthorised impairment of electronic communications: The prohibition is aimed at denial of service attacks.
- 4.2.7 - Possession of data with intent to commit computer offence: A preparatory offence, akin to the more familiar offences of "going equipped for stealing" or possession of an offensive weapon.
- 4.2.8 - Supply of data with intent to commit a computer offence: A preparatory offence, aimed at those who devise or traffic in programs which enable damage or unauthorised access to computer networks.
- Summary offence: Unauthorised access to restricted data.
- Summary offence: Unauthorised impairment of data held in a computer disk, credit card, etc.
(Source: Model Criminal Code)
These offences are implemented in the Cybercrime Bill 2001, Divisions 477.1 to 478.4 (as additions to the Criminal Code Act 1995).
At the time of writing, EFA was still considering its response to the Cybercrime Bill. EFA's concerns about the substantive offences are likely to centre around issues of over-criminalization and the risk of criminalizing innocent behaviour. The Bill as a whole is seen as premature, and an inappropriate response to problems that are seen by many in the industry as resulting from poor security in software design or implementation.
There are, however, substantial concerns about the law enforcement provisions in the Bill. While the Model Criminal Code makes no provision for enforcement, the Bill (in Schedule 2) implements controversial changes to the Crimes Act (s.3LA) and the Customs Act (s.201A), which require persons with knowledge of a computer system to provide assistance in decryption or recovery of data, and other measures to facilitate the search of computer systems for evidence of crime. This potentially overrides the common law privilege against self-incrimination.
2.2 The NCA Inquiry
The Parliamentary Joint Committee On The National Crime Authority is currently conducting an Inquiry into The Law Enforcement Implications of New Technology and is due to report in August 2001. It remains to be seen what the Committee may recommend, or indeed whether the Committee's recommendations will ever find their way into legislation, but there will be major concerns amongst the Internet community and the Internet industry if the demands of law enforcement agencies are given serious consideration. These demands closely resemble the more contentious aspects of the CoE Convention's law enforcement provisions.
Proposals have been put to the Committee for mandatory retention of transaction log records by Internet Service Providers (ISPs). Such a proposal, if adopted by the Committee, raises concerns that it may become lawful for public authorities to obtain a vast wealth of communications data without a ministerial or judicial warrant. Any proposal for ISP logging or monitoring would be tantamount to the sanctioning of mass surveillance. Such a measure, combined with the use of sophisticated analytical techniques such as data-mining, triangulation of data, "friendship trees", and "interest profiling", would be another step towards a totalitarian society.
No compelling case has been made to justify mandatory record keeping by ISPs. Instead, submissions made to the Committee have relied on anecdotes, with no supporting data or statistics on the prospects for improvement in crime clear-up rates, the nature of any crimes likely to be detected, the additional evidence expected to be obtained, or the increased probability of successful prosecutions.
The potential for infringement of the Privacy Act (Cth) (as amended 2000) must also be considered, in particular the National Privacy Principles (NPPs), Section 1 (Collection), which includes the following principles:
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
It is acknowledged that the Privacy Act seeks to balance the right to privacy with other public interests such as law enforcement objectives. In particular, NPP 2.1(h) allows personal information to be disclosed in defined circumstances for the secondary purpose of law enforcement.
However, it is contended that a proposal for compulsory logging of communications traffic does not give rise to a secondary purpose within the meaning of the Act. Rather, the primary purpose of such record-keeping is the acquisition of mass surveillance data without consent, in case the data is required at some future time to incriminate a particular user. The law enforcement provisions of the Act are clearly intended only to allow law enforcement agencies to access specific records collected by an organisation for some other legitimate purpose.
Furthermore, it is questionable whether the disclosure of information from communications logs for data-matching purposes is a permitted purpose under the Act if it involves disclosure of information about large numbers of individuals who are of no interest to the relevant agency.
We contend that any system which monitors the communications of Internet users, without their consent and without a judicial warrant, would be contrary to the government's intent in expanding the coverage of the Privacy Act.
It was recently revealed, before a Senate Estimates Committee, that almost one million disclosures of information or documents by carriers, or carriage service providers, under the provisions of Part 13 of the Telecommunications Act 1997 (Cth), had been made in the 1999/00 year. This was a substantial increase over the figures for previous years. The level of disclosure, and the rate of increase, is illustrative of the manner in which surveillance is overused once the facility is put in place.
Logging and monitoring of Internet communications is more invasive than telephone records because the information can be used not only to determine the parties to a communication but may also be used to draw up interest profiles of users. This is clearly an infringement of an individual's right to privacy in terms of basic human rights.
Unlike telephone call records, most ISP logs, apart from those used to determine customer log-in durations and traffic volumes, are not intrinsic to the operation of the business. E-mail and web proxy logs are an ephemeral by-product of server operations, useful in the short term to diagnose technical problems, but otherwise routinely discarded. It is necessary to embark on a data-mining and data matching exercise in order to turn the raw log data into information about user behaviour. This factor is mentioned because it increases the risk that ISPs may hand over complete logs of all user transactions to law enforcement authorities rather than undertake the costly exercise of extracting and matching information about a particular individual of interest.
Measures to bring serious criminals to justice deserve widespread support. However, a balanced approach must be used in the sensitive area of communications interception such that law enforcement agencies recognise the necessity of protecting fundamental human rights.
Vigilance is needed to ensure that any proposals put forward in Australia as an outcome of current or future policy development processes take a balanced approach, not only in respect of the creation of new offences, but more particularly in relation to proposals for increased surveillance of all citizens.
The author acknowledges contributions to the discussion presented here by members of the Global Internet Liberty Campaign (GILC), in particular David Banisar (Privacy International), Barry Steinhardt (ACLU), Mark Rotenberg (Electronic Privacy Information Center) and Jim Dempsey (Center for Democracy and Technology).
Banisar D. Endgame for Cybercrime treaty. Security Focus, June 4, 2001.
Banisar D. Love Letter's last Victim. Security Focus, May 22, 2000.
British Chambers of Commerce. The Economic Impact of the Regulation of Investigatory Powers Bill, June 2000.
Council of Europe, Internet Portal.
Comments of the Center for Democracy and Technology on the Council of Europe Draft "Convention on Cyber-crime" (Draft No. 25), Feb 2001.
Council of Europe. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. ETS No. 108.
ETNO, Press Release, Telecoms Operators concerned by draft Cybercrime Convention, 30 April 2001. http://www.etno.belbone.be/site/press_releases/Cybercrime.html
European Committee on Crime Problems (CDPC). Final Activity Report, 29 June 2001. Draft Convention on Cyber-Crime.
Global Internet Liberty Campaign. Member Letter on Council of Europe Convention on Cyber-Crime, October 18, 2000.
Global Internet Liberty Campaign. Member Letter on Council of Europe Convention on Cyber-Crime Version 24.2, December 12, 2000.
International Covenant on Civil and Political Rights.
Joint Committee on the National Crime Authority. Inquiry into The Law Enforcement Implications of New Technology.
Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General. Model Criminal Code. Chapter 4 - Damage and Computer Offences - Report. January 2001 (885 Kb PDF).
National Privacy Principles.
OECD Cryptography Policy Guidelines (1997).
Privacy International: Cybercrime.
OECD Guidelines for the Security of Information Systems (1992).
The Age, Sunday 4 February 2001. Anger at plundered phone records.
Senate Environment, Communications, Information Technology & the Arts Legislation Committee. Supplementary Budget Estimates 2000-2001 (30 Nov 2000). Australian Communications Authority, Answers to Questions on Notice, Question No. 57, Managed Regulation of Telecommunications.
Senate Legal and Constitutional Legislation Committee. Inquiry into the Provisions of the Cybercrime Bill 2001.
Statement of Concern from Technology Professionals on proposed COE Convention on Cyber-Crime.
Universal Declaration of Human Rights.
US Department of Justice, Frequently Asked Questions and Answers About the Council of Europe Convention on Cybercrime (Draft 24REV2), December 1, 2000.
The World ISPA Forum and European Telecommunications Networks Operators Association (ETNO), letter to Professor Kaspersen on Draft COE Convention, 18 April 2001.