Wednesday, August 16, 2006

Cybercrime treaty: criticisms

Earlier this month, the Senate finally ratified the Council of Europe's Convention on Cybercrime. Since the United States signed the Convention almost five years ago, this means it has now gone into effect for this country (along with other countries that have ratified it).

As I noted in an earlier post, it took the U.S. a surprising long time (almost five years) to ratify the Convention on Cybercrime. The amount of time it took was surprising given (a) that we helped write it and very much lobbied for its adoption and (b) that because we helped write it, we do not need to adopt any new legislation to implement the treaty. The delay was due to concerns that have been expressed by EFF, EPIC and the ACLU, among others.

Basically, these concerns center on three issues, each of which I am going to address, briefly, in this post. I’m going to address them in the order they crop up in the Convention.

The first issue is the “misuse of devices” issue. Article 5 of the Convention requires countries that sign and ratify it to criminalize “the production, sale, procurement for use, import, distribution or otherwise making available of” either (i) “a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with” Articles 2-5 of the Convention or (ii) “a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed.” A separate provision makes the possession of such items a crime. Articles 2-5 require parties to criminalize, basically, unauthorized access and unauthorized access with damage to a system or the data it contains. All of the provisions of Article 5 require that the item be possessed, imported, distributed, etc., with the intent that it be used in the commission of one of these crimes.

Those who are concerned about this argue that the provision sweeps too broadly, that it could be used to prosecute researchers or simply the average citizen who happens to be in possession of an item encompassed by Article 5. The drafters of the Convention and the U.S. Department of Justice respond that these “innocents” do not need to be concerned because the provision requires not simply possession/distribution/etc. but also that the person have engaged in this conduct with the intent to facilitate the commission of a crime. I think that is a very good point. My concern, there, would be that intent is often inferred in cases like this (which are essentially aiding and abetting cases), and inferences of intent can be expansive and sometimes problematic.

The second issue, which I will only summarize because it would take a LONG time to go through all of its aspects, is that the provisions of the Convention which provide for cooperation among law enforcement officers of various countries (i) threaten privacy and (ii) sweep too broadly. As to (i) I will only say that the Convention clearly reflects the current state of our Fourth Amendment law, which is good and not-so-good. The basic Fourth Amendment requirements are fine in most respects but, I think, inadequate in others (especially when it comes to obtaining traffic data, i.e., non-content data involved in the transmission of email and other electronic communications).

As to (ii), the concern lies with Article 14 which says, essentially, that the provisions establishing mechanisms for reciprocal law enforcement cooperation apply when police are investigating (a) crimes defined under the Convention; (b) “other criminal offences committed by means of a computer system;” and (c) “the collection of evidence in electronic form of a criminal offence.” They therefore can apply to the investigation of ANY crime as long as a computer was involved in its commission. On the one hand, I can see law enforcement’s position: If police are investigating a crime and digital evidence is involved, why should it matter if the crime can be technically defined as a “cybercrime?” Shouldn’t they be able to proceed anyway? On the other hand, I can see the critics’ issue. This is, after all, styles as a “cybercrime” convention, so it seems logical, at least, that it should be limited to cybercrimes, i.e., crimes in which the computer plays a central role in the commission of the offense.

Now to the third issue, which is probably the source of most criticism of the Convention. The argument here is that the procedural provisions facilitating cooperation among law enforcement do not require “double criminality.” As I noted in an earlier post, extradition treaties – treaties that let the U.S. hand Perpetrator X over to Brazil to be prosecuted for a crime committed in that country – require “double criminality,” i.e., require that the act have been a crime in both countries. The premise is that to do otherwise would be unfair. There has, for example, been a gentleman in Nebraska who has for years been putting up pro-Nazi websites. It is a crime to create such a website in Germany, and over the years German authorities asked U.S. authorities to turn this guy over to them for prosecution. U.S. authorities properly refused to do so, because what he is doing is protected speech under our First Amendment. We can’t turn him over to be prosecuted for what he is lawfully doing here.

Critics of the Convention argue that it does not have a “double criminality” provision that acts as a restraint on its law enforcement cooperation measures, and I would agree . . . no such provision is explicitly included in the Convention. (It is in Article 24, which governs extradition.) I do not think, though, that this is a major problem because Article 15 says that each party to the Convention must:

ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

As far as the U.S. is concerned, this imports our Bill of Rights, which guarantees due process which should, aside from anything else, prevent our law enforcement processes from being used to persecute dissidents in other countries. There’s also the fact that if someone in the U.S. is being investigated by a country for being a political dissident, and U.S. authorities assist with the investigation, that person cannot be extradited from the U.S. (even under the Convention) because it requires double criminality for extradition.

There are other issues that arise under the Convention, and maybe I’ll post on them later.

Bottom line: it’s far from perfect but it is, I believe, far from being as horrendous as some claim.

No comments: