The International Convention on Cybercrime
Origins
Both the Group
of Eight (G8) meetings (heads of state of Britain, Canada,
France, Germany, Italy, Japan, Russia and the United States)
and the Council of Europe (CoE) have in recent years expressed
their concerns about tackling "cybercrime". G8
developments on the issue were initiated by the UK government.
At the G8 meeting in Birmingham in May 1998, the G8 leaders
were shown a video presentation on cybercrime and the British
Prime Minister, Tony Blair, declared that the fight against
it must be placed high on the political agenda. The British
Home Secretary, Jack Straw, backed Blair up with a speech
about how the Internet now allowed people to commit crimes
in a number of different countries without having to move
from their armchairs. One thing Blair and Straw did not
mention publicly was their conviction, now incorporated
into the UK government's Regulation of Investigatory Powers
(RIP) Act, that one "serious crime" they felt
had to be dealt with by cybercrime legislation was that
of "large numbers of people acting to a common purpose",
a description that undoubtedly fitted the massive demonstration
calling for the cancelling of world debt taking place around
the G8 meeting at the time.
The G8 heads of state came away from the
Birmingham meeting having agreed to include appropriate
punishments against "cybercriminals" in their
national legislation, to develop better techniques against
"hackers" and to look at the issue of data retention
to prevent the destruction of "electronic evidence".
These efforts now came together with and
drove forward already existing moves being made by the CoE,
which had first adopted a recommendation on combating cybercrime
in 1995. In 1997, the CoE had set up the "Committee
of Experts on crime in cyberspace" (PC-CY). According
to Scott Charney, President of the G-8 working group on
Hi-Tech Crime, the G8 working group always
met prior to the working group of the CoE and the results
of the G8 meetings were introduced into the CoE meetings
by those who were present at both. The CoE was seen as the
best place to produce a binding agreement Convention.
Work continued at the CoE on producing
a Convention and involved close collaboration between the
CoE and the US Department of Justice. Besides the 43 CoE
countries, other "partners" (United States, Canada,
Japan and South Africa) were involved in the drafting and
have signed the final Convention.
The first draft of the Convention made
publicly available was Draft 19 in April 2000. Other drafts
were then released at intervals. Draft 26 was submitted
to the CoE's Parliamentary Assembly on April 24, 2001. It
was approved by a large majority, but with the reservation
that "individual freedoms should be guaranteed more
substantially". Draft 27 was released on May 25, 2001,
supposedly addressing the concerns of the Parliamentary
Assembly by making references to individual rights under
the 1950 European Convention on Human Rights and 1966 United
Nations International Covenant on Civil and Political Rights
and including vague references to "proportionality"
being maintained between civil liberties and law enforcement.
Draft 27 was approved by the CoE's European
Committee on Crime Problems (CDPC) on June 22, 2001 and
by the Committee of Ministers shortly afterwards. On November
11th, 2001, it was opened for signing in Budapest.
So far 33 states have signed the Convention. None have yet
ratified it, but as soon as 5 ratifications have taken place
including 3 CoE member states, it will come into force.
It will then be open to other non-member states to also
become parties to the Convention through a process known
as accession.
Civil society responses
The Convention has raised widespread concerns
amongst civil liberties organisations. A major issue has
been that the Convention has been largely drafted behind
closed doors. Whilst law enforcement bodies have actively
participated in the drafting process, there has been no
direct input from civil liberties bodies or NGOs.
On October 18, 2000, a wide range of civil
society organisations from around the world (more than 20)
signed a letter
drafted by the Global Internet Liberty Campaign to the CoE
expressing their concerns over the cybercrime Convention.
On December 12, 2000 the same group of
organisations wrote
again complaining that despite some changes "the
Convention continues to be a document that threatens the
rights of the individual while extending the powers of the
police authorities, creates a low-barrier protection of
rights uniformly across borders, and ignores highly-regarded
data protection principles."
On June 7, 2001 the American Civil Liberties
Union, the Electronic Privacy Information Center and and
Privacy International wrote a letter
expressing "continuing concerns" with the final
draft.
Areas for concern
Major areas of the final Convention which
should be of concern to social NGOs are:
1) The Convention
includes the possibility of "mutual assistance treaties"
between states on criminal matters, including "collection
of evidence in electronic form of a criminal offence"
without requiring dual criminality. Police could assist
with investigations into "crimes" in one state
which are not crimes in their own state. This aspect has
already begun to be implemented in the British RIP Act,
directly referring to the CoE processes. The Act includes
provision for dealing with a situation in which all that
would be required is proof that a request for assistance
comes from the "competent authorities" and does
not concern itself with the nature of the crime involved.
The CoE Convention says it is "permitted"
to make mutual assistance agreements "conditional upon
the existence of dual criminality". This appears to
mean that mutual assistance agreements normally would not
require dual criminality, but that it would be a permitted
part of an agreement if one of the parties wanted to insist
on it. But even if such dual criminality was agreed, the
Convention goes on to restrict its possible scope by stating
that under such circumstances "that condition (dual
criminality) shall be deemed fulfilled, irrespective of
whether its laws place the offence within the same category
of offence". In other words, a distinction could not
be made between something being a minor offence in one country
and a serious one in another.
Although the Convention includes a clause
that says "the requested Party may...refuse assistance
if the request concerns an offence which the requested Party
considers a political offence or an offence connected with
a political offence", this would seem to leave a decision
to refuse assistance on these grounds in the hands of law
enforcement bodies and the foreign office departments of
government. No procedure is layed down for any Parliamentary
body to examine requests to consider whether they are political
or not and, if the British RIP act is anything to go by,
governments are free to frame legislation which specifically
ignores the nature of an offence and simply checks that
the "competent authorities" of another state have
made it.
The implications of this for social movement
NGOs and human rights organisations are clearly enormous.
In many parts of the world, fighting for justice and human
rights are themselves considered criminal acts. What in
some countries are minor acts of civil disobedience carry
draconian penalties in others, although technically they
break the law in both countries.
The Convention can create a situation
where activists in other parts of the world assisting such
"criminals" via the Internet would be open to
investigation and interception of their communications by
police authorities in their own country, even though they
were acting completely lawfully and the "crime"
being investigated was not a crime in that country. Refusal
to assist the police could result in severe penalties, although
helping them could place the "criminal" in the
other country in serious danger, even of losing their life
under some circumstances.
2) Issue 1),
when coupled with the Convention's call for new law enforcement
powers over Internet Service Providers, will particularly
affects ISP members of APC. The Convention calls for other
states to implement legislation similar to the British RIP
Act, requiring ISPs to cooperate in both the collection
of traffic data and the content of communications. It also
calls for measures to empower law enforcement authorities
to have the ability to collect or record traffic data and
content themselves without the participation of the service
provider.
In addition, the Convention endorses a
UK RIP Act policy that has been widely condemned by lawyers
as in breach of the ECHR by calling for countries to adopt
laws forcing users to provide their encryption keys and
plain text of encrypted files. As was argued over the RIP
Act, this breaks the well established legal principle against
an person being forced to incriminate himself.
3) The vague
references to "proportionality" and the European
Convention on Human Rights introduced into the Convention
to satisfy the Parliamentary Assembly's reservations concerning
lack of guarantees of individual freedoms and privacy are
completely inadequate. It shows the one-sided way the document
has been produced, with law enforcement bodies completely
dominating the process. As the letter from ACLU, EPIC and
PI, referred to above says,
Internet Rights: Issues
