CDR: treaty to fight cybercrime (zdnet)

jeradonah jeradonah at hotbot.com
Mon Sep 25 13:38:29 PDT 2000 

http://www.zdnet.com/zdnn/stories/news/0,4586,2631389,00.html

Nations struggling to fight cybercrime 
 
High-tech industry groups and privacy advocates are considering an international treaty on cybercrime. But, can we all agree on one plan?

By Juliana Gruenwald, Inter at ctive Week 
September 25, 2000 3:49 AM PT 

European and U.S. officials are moving toward a final draft of the world's first international treaty on cybercrime, a broad effort that high-tech industry groups and privacy advocates fear could intrude on personal privacy and hamper e-commerce.

The proposal, which has been in the drafting stage for nearly three years, calls on countries to pass uniform laws that would, among other things, ban hacking devices and require countries to empower their law enforcement officers to conduct computer and network searches and seizures. 

Though slow to react to the proposal, some U.S. industry groups are now scrambling to voice their objections as the Council of Europe, working with the U.S. and other governments, last week held a new round of talks on the treaty. 

The convention is "in part trying to harmonize what may be more appropriately left to individual" countries, said Jeffrey Pryce, a Washington Internet and e-commerce lawyer. 

Some also expressed concern that the Department of Justice, which is playing a leading role for the U.S., may be seeking powers through the treaty that it could not get through Congress. 

"When the U.S. government cannot get a controversial policy adopted domestically, they pressure an international group to adopt it, and then bring it back to the U.S. as an international treaty - which obliges Congress to enact it," wrote David Banisar, a senior fellow at the Electronic Privacy Information Center, in a commentary on the draft treaty for Web site SecurityFocus.com. 

Officially, the convention is a product of the council, a 41-member organization that develops agreements to standardize social and legal practices across Eastern and Western Europe. 

But officials from Canada, Japan, South Africa and the U.S. have been participating in the negotiations. And the council said it will invite other countries to sign the final pact, which it hopes to complete in December. 

"As computer crimes are often international in their nature, national measures need to be supplemented by international cooperation," the council said in releasing its first public draft of the convention in April. The council may release a second public draft of the convention, perhaps as soon as this week. 

The devil is in the details
The council began its work on the convention in April 1997, after determining that a 1995 paper recommending that countries adopt laws covering computer-related crime did not go far enough, and that a legally binding agreement was needed. 

The draft calls on signatories to pass legislation against illegally accessing a computer, intercepting computer data or interfering with computer systems. It also would ban the sale, purchase, import and distribution of devices used for hacking, and requires passage of laws against computer-related fraud or forgery and child pornography. Signatories also would be required to provide law enforcement authorities with the ability to conduct computer searches and seize computer data. 

In addition, the proposed treaty would require those with access to or knowledge of computer data sought by authorities to provide "all necessary information, as is reasonable," for authorities to obtain the data. 

"These computer-specific investigative measures will also imply cooperation by telecom operators and Internet service providers, whose assistance is vital to identify computer criminals and secure evidence of their misdeeds," the council said in releasing the public draft. 


One section deals with the interception of data through networks, but the details were not included in the April text. The section was one of the areas being discussed by the drafting committee last week, according to a U.S. official, who said the U.S. has been pushing for a more updated proposal to be released publicly. 

The final sections of the convention deal with improving cooperation. The draft requires signatories to "cooperate with each other . . . to the widest extent possible." It also calls for cooperation in the extradition of suspects, and outlines procedures for law enforcement authorities to assist one another. 

"What we're trying to do is establish expedited forms of communications . . . not get rid of the checks" and balances, said Jennifer Martin, a trial lawyer at the DOJ's computer crimes and intellectual property section, which is taking the lead for the Clinton administration on the issue. 

Concerns and questions
Most agree that cybercrime cannot be viewed as a national problem alone. But privacy advocates, information security professionals and others worry about the council's approach. 

Gus Hosein, deputy director at Privacy International in London, said one of his biggest concerns is that in harmonizing cybercrime laws, those laws that restrict law enforcement powers the least may prevail. 

For example, Hosein pointed to Britain's Regulation of Investigatory Powers Act, a measure that grants law enforcement officials broad powers to demand access to electronic data. He questioned whether the treaty could be used by U.K. officials to obtain information about a British suspect outside Britain using powers granted by the U.K. law. 

Computer security professionals worry that the prohibitions on devices used for hacking could prevent the legitimate use of such technology and software to test computer security products. 

"Our biggest concern is that people don't understand the technology . . . [that] you have to use the same technology to do both legitimate and illegitimate acts," said Lisa Norton, a Washington lawyer who represents Internet Security Systems. 

Other concerns have been raised about the data storage requirements. Internet service providers worry that they may not have the capacity to store reams of data, and if forced to, they could open themselves up to liability from those who own the data. 

"The intentions behind the treaty are valid, but as the first draft came out, it seemed to raise more problems than it would cure," said Jason Mahler, vice president and general council at the Computer and Communications Industry Association. 

DOJ and council officials said much of the concern over the draft stems from a misunderstanding of the treaty's intent and a need for clarifications in the text. For example, they said, security testing would not be banned, because prosecutors must show there was intent to commit an illegal act. Peter Csonka, deputy head of the council's economic crime division, said there needs to be a better explanation of the language banning the use of such devices "without right." 

When asked about privacy concerns with the treaty, Csonka said: "These concerns may be legitimate, but they could be raised in relation to any international treaty. Harmonization of laws is necessary to avoid a legal jungle on the Net."  




---
------------------------------------------------
krys, you live on in our memories
your life's promise merged with our own dreams 
but when we heard you died we cried
no one could answer the question, "why?"
                       -- jeradonah, Oct 30 '99 




HotBot - Search smarter.
http://www.hotbot.com

More information about the cypherpunks-legacy mailing list