Senate Ratifies Convention on Cybercrime, 8/3/2006.

Senate Ratifies Convention on Cybercrime

August 3, 2006. The Senate ratified by unanimous consent without amendment Treaty 108-11, which is titled "Council of Europe Convention on Cybercrime". This convention requires the nations that are parties to it to enact laws criminalizing certain activity in the nature of computer hacking, and other cyber crimes.

However, the convention also requires the parties to enact numerous laws related to criminal procedure, search and seizure, electronic intercepts, and data retention, that will broadly increase governmental powers.

Also, the use of these powers is not limited to investigation and prosecution in cyber crime cases. The procedural provisions apply not only to cyber crime matters, but also to any "criminal offences committed by means of a computer system", and to the "collection of evidence in electronic form of a criminal offence".

Two other characteristics of the convention are that it requires mutual assistance, and has no dual criminality provision. Thus, the U.S. is obligated to compel search and seizure, data retention, and intercept assistance from U.S. service providers, in order to surveil a person in the U.S., at the demand of a foreign government, when the person's activity is a crime in that foreign country, but legal conduct in the U.S.

The Council of Europe (COE) maintains a web page with a table listing the nations that have signed the conventions, those that have ratified it, and those for which it is in effect. The U.S. is not a member of the COE. However, the U.S., like other nonmembers Japan and Canada, signed the convention back in 2001.

At present, the threat posed by the lack of a dual criminality restriction in mitigated by the circumstance that most of the nations that have ratified, or merely signed, the convention are democracies with mature legal systems, or emerging democracies. In particular, the People's Republic of China has not signed the convention.

However, many European nations criminalize as hate speech certain conduct which is Constitutionally protected free speech in the U.S. In addition, the United Kingdom has an Official Secrets Act which criminalizes some conduct that is Constitutionally protected in the U.S.

U.S. government officials have long asserted that the convention will not require the U.S. to change any of its laws. Attorney General Alberto Gonzales reiterated this assertion on August 3.

Alberto Gonzales Gonzales (at right) stated in a release that "The Cybercrime Convention -- the first of its kind -- will be a key tool for the United States in fighting global, information-age crime. This treaty provides important tools in the battles against terrorism, attacks on computer networks, and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence. The Convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws."

Sen. Richard Lugar (R-IN), the Chairman of the Senate Foreign Relations Committee (SFRC), issued a release that states that "American law is already in compliance with the Convention, so no implementing legislation is required. The United States would be a major beneficiary of the Convention, because foreign partners would be obligated to raise their capacity to fight international computer crime to standards already met by the United States."

Sen. Lugar stated in this release that "it will enhance our ability to cooperate with foreign governments in fighting terrorism, computer hacking, money laundering, and child pornography, among other crimes. Given the global nature of the internet, the only way we can combat these problems effectively is through cooperation with other governments".

The Business Software Alliance (BSA) issued a release praising the Senate for ratifying this convention, and Sen. Lugar and Sen. Joe Biden (D-DE), the ranking Democrat on the SFRC, for their efforts.

The BSA stated that "While the Convention does not change U.S. policy, the agreement will help domestic agencies in their international efforts by minimizing obstacles to international cooperation that currently impede U.S. investigations and prosecutions of computer-related crimes."

The BSA added that "The United States will become the 16th of the 43 signatory countries to have completed the ratification process and become full participants in the Convention."

Similarly, the Information Technology Association of America (ITAA) praised the ratification in a release.

The drafting of the convention was completed in 2001. The U.S. signed it on November 23, 2001. It was transmitted to the Senate on November 17, 2003. The SFRC held a hearing on June 17, 2004. The SFRC approved the treaty on July 26, 2005. See, story titled "The Senate Committee Approves Cybercrime Treaty" in TLJ Daily E-Mail Alert No. 1,183, July 27, 2005. The SFRC reported the convention on November 9, 2005, with 6 reservations and 5 declarations. See, Senate Executive Report No. 109-6 [PDF], published in the Congressional Record, November 9, 2005, at Page S12606.

One of the declarations in the Senate Executive Report is that "current United States federal law fulfills the obligations of Chapter II of the Convention for the United States. Accordingly, the United States does not intend to enact new legislation to fulfill its obligations under Chapter II." (Chapter II includes both the substantive criminal law provisions, and the procedural provisions.)

Committee Hearing. The SFRC held one hearing on this treaty, on June 17, 2004. The Committee heard from only government witnesses who support the convention. There were no representatives of industry, and no privacy or civil liberties advocates, on the witness panel.

Bruce Swartz, a Deputy Assistant Attorney General in the DOJ's Criminal Division, wrote in his prepared testimony [PDF] that this treaty requires the parties "Parties to criminalize ``classic´´ computer crime offenses – such as unauthorized intrusions into computer systems; unauthorized interception and monitoring of computerized communications; attacks on computers and computer systems, such as denial of service attacks, or attacks using computer viruses or worms; and the misuse of devices, such as passwords or access codes, to commit offenses involving computer systems. Parties must further prohibit the carrying out of a number of more traditional crimes committed by means of a computer system, such as forgery, fraud, the production, advertisement, and distribution of child pornography, and copyright piracy."

He added that its also requires the parties "to have the power -- on an expedited basis -- to preserve and disclose stored computer data, including traffic data, to compel the production of electronic evidence by ISPs, to search and seize computers and data, and to collect traffic data and content in real time. These powers and procedures are already provided for under U.S. law, and have proved invaluable to many investigations."

Samuel Witten of the Department of State added in his prepared testimony [PDF] that "The Convention would not require implementing legislation for the United States."

Summary of the Convention. Articles 2 through 13 of the convention require the parties to enact laws that criminalize various types of activities commonly understood to be cyber crimes, such as unauthorized access to computers, damaging data on computers, intercepting data, hindering computer systems, and creating inauthentic data.

It also requires the parties to enact laws related to the protection of intellectual property rights (at Article 10).

Then, Articles 14 through 21 require the parties to enact laws related to government powers to conduct searches and seizures of computers and data, compel data retention, conduct intercepts.

Finally, the convention requires the parties to cooperate and provide mutual assistance to other governments in the areas of data retention, search and seizure of data, electronic intercepts, and other procedures.

Data Retention. The convention provides, at Article 16, that "Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification."

It continues that "the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed."

Moreover, the parties shall adopt legislation that requires the custodian of "the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law."

Search and Seizure of Data. The convention requires, at Article 18 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order ... a person in its territory to submit specified computer data in that person's possession or control, which is stored in a computer system or a computer-data storage medium ..."

It provides at Article 19 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access ... a computer system or part of it and computer data stored therein; and ... a computer-data storage medium in which computer data may be stored ..."

It also provides that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to ... seize or similarly secure a computer system or part of it or a computer-data storage medium; ... make and retain a copy of those computer data ..."

Electronic Intercepts and Other Surveillance. It provides at Article 20 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to ... compel a service provider ... to collect or record ... traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system ..."

It provides, at Article 21, that "Each Party shall adopt such legislative and other measures as may be necessary ... to empower its competent authorities to ... compel a service provider ... to collect or record through the application of technical means ... or ... to co-operate and assist the competent authorities in the collection or recording of ... content data, in real-time, of specified communications in its territory transmitted by means of a computer system ..."

Moreover, it provides that "Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it ..."

Attorney General Gonzales asserted that all of the above quoted provisions are "in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws". Sen. Lugar stated that "American law is already in compliance". The SFRC's report states that U.S. law is in compliance. Hence, to the extent that the U.S. Code and case law may not incorporate all of the above quoted requirements, it appears unlikely that the Congress would enact any legislation in the near future to bring U.S. statutory law into compliance.

Criticism of the Convention. Parts of the treaty have long been criticized by representatives of some groups, such as the Center for Democracy and Technology (CDT), Electronic Privacy Information Center (EPIC), and the American Civil Liberties Union (ACLU) for its language regarding data retention, intercepts, search and seizure and government surveillance. They have argued that the treaty will harm privacy rights. See, TLJ story titled "COE Cyber Crime Treaty Debated", December 11, 2000.

On July 26, 2005, Marc Rotenberg and Cedric Laurent of the EPIC wrote a letter [PDF] to Sen. Lugar in which they stated that "The treaty would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards, and specifically lacking judicial review and probable cause determinations required under the Fourth Amendment."

They added that "A significant number of provisions grant sweeping investigative powers of computer search and seizure and government surveillance of voice, e-mail, and data communications in the interests of law enforcement agencies, but are not counterbalanced by accompanying protections of individual rights or limit on governments' use of these powers."