Cybercrime treaty still horrible

[rhiannen wyrcat <rhiannen@gw.total-web.net>]

[: hacktivism :]

http://www.securityfocus.com/commentary/124

Cybercrime treaty still horrible

The Council of Europe sees no problems, hears no problems,
knows no problems.
By David Banisar
December 14, 2000 7:00 PM PT

This week, the Council of Europe's Experts Group on Crime in
Cyberspace is meeting in Strasbourg, France to finalize the
international Cybercrime Convention. The experts should be
proud
of themselves. They have managed in the course of the last
eight
months to resist the pernicious influence of hundreds if not
thousands of individual computer users, security experts,
civil
liberties groups, Internet service providers, computer
companies
and others outside of their select circle of law enforcement
representatives who wrote, faxed and emailed their concerns
about
the treaty.

Last month, the CoE released a new draft of their
long-standing effort. The latest draft include some minor
changes and some lip service to human rights, but remains
substantially unchanged from previous drafts.

The main gap is a lack of limits on the new crimes,
surveillance powers, and assistance that are created in the
convention. The sections on searches still force individuals
to disclose encryption keys and other data at the direction
of law enforcement officials, in violation of protections
against self-incrimination guaranteed by U.S., Canadian and
European laws; wiretap powers remain broadly defined and
cover all computer devices down to the smallest local area
network (and perhaps even smaller); provisions on real-time
data collection remain Carnivore friendly; and local
authorities will still be required to assist law enforcement
agencies from other countries, even when investigating
actions that are not crimes under local law.

There are some improvements. The section on illegal devices,
which in previous drafts threatened to outright criminalize
common security tools, now includes a new paragraph stating
that it should not impose criminal liability when the
program in question was not created or transferred "for the
purpose of committing an offense, such as for testing or the
protection of a computer system."

Does that solve all the problems with regulating hacking
tools? I don't know, because it all depends on
implementation of the law by each country.

Human rights gets mentioned once or twice and national
governments can resist some requests for assistance when
they think that the case is political (not to say that could
ever happen, but Germany announced this week that anyone
anywhere in the world who promotes Holocaust denial is
liable under German law, and the Malaysian government
announced that anyone who insults Islam online will be
punished).

Opposed only by Internet Freaks and American Lawyers
In contrast to these modest changes, the opposition to this
entire treaty has been overwhelming. Every cyber-rights
group in the world with a pulse has come out against it. On
the industry side, it's being opposed by the U.S. Chamber of
Commerce, the International Chamber of Commerce, all the ISP
associations and a ton of other companies, security groups
etc. About the only one left who isn't calling the draft
convention the sign of the devil is the Pope. We have not
seen this kind of united public interest and industry
opposition to a dumb government proposal since the good old
days of Clipper. And not coincidentally, the meetings on the
subject are filled with the same people.

This is not so say that the CoE committee has not heard or
read these complaints.

Last week, Henrik Kaspersen, a Dutch government
representative who chairs the committee, and Peter Csonka,
the head of Economic Crimes division for the CoE, visited
Washington-reportedly to meet with attorney general Janet
Reno. At a public meeting on Thursday, Kaspersen
acknowledged receiving a flood of complaints on the draft
conventions. But he dismissed the comments as either coming
from American lawyers who did not understand European law,
or, worse, "from the Internet," which his tone suggested
could only mean clueless and uninformed.

None of those kinds of outrageous cases like the French
holding Yahoo liable or the Germans arresting a high
CompuServe official, could even be conceived by Kaspersen ,
much less ever happen as a result of the treaty he traveled
to America to peddle.

When publicly asked why the treaty did not include any
procedural safeguards for limiting the new surveillance
powers, Kaspersen said that determining privacy standards
was too hard and controversial for the committee, and had to
be left to the national governments of the CoE and signatory
countries. I'm sure that those highly democratic countries
in the CoE like Russia, Ukraine, and Romania will do a fine
job of implementing those rights.

There is a small chance that the committee will finally make
real changes to the treaty before the new draft comes out
sometime next week. But don't count on it. After three
years, it seems they made up their minds a long time ago,
and free speech, privacy, real security on the net, and all
of us be dammed. The next hope is lobbying the national
governments to refuse to sign the treaty, or to make changes
before it is approved. Perhaps they will not think your
comments are just "from the Internet."

David Banisar is an attorney and writer in the Washington,
D.C. area. He is the co-author of "The Electronic Privacy
Papers" (Wiley, 1997) and several other books on privacy,
and is deputy director of Privacy International.


[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]