
A CRITIQUE OF THE INTERNATIONAL TREATY

Ryan M.F. Baron

Crime is on the rise in cyberspace, and it is threatening the economic and social institutions that have begun to settle there. Cybercrime is quick to occur and difficult to prosecute.1 Network intrusions and "hacks" can take place in a matter of seconds with complete anonymity. And those that do leave criminal trails do so through a maze of computer infrastructure, often far beyond the reach of a nation's laws.

Several Western nations have come together in an attempt to deter hackers and limit cyber attacks. The Council of Europe ("CoE") along with the U.S. Department of Justice ("DOJ") have been actively meeting since 1997 in the drafting of an international treaty whereby signatory countries are required to create and strengthen their domestic laws. This treaty in effect will create new , extend the interception and surveillance abilities of law enforcement and coordinate such enforcement so that authorities can communicate with one another and exchange information when investigating cyber "incidents." And given the unique nature of the , increased power over surveillance and data interception may lead to intrusions into the personal lives of those that utilize and maintain that technology.

This comment serves as a critique of the international cybercrime treaty, from its shrouded origins to its final draft. First, this comment will briefly explore the exigencies of cybercrime that have stirred Western nations into a state of alarm. Second, it will explore the origins and early drafts of the treaty. Third, it will scrutinize the language of the treaty, examining its criminal law impact on cyberspace. Finally, this comment concludes that cybercrime's state of alarm is 's state of emergency and that the U.S. should not sign the present treaty as drafted.

I. THE INTERNATIONAL EXIGENCY OF CYBERCRIME

Globally, the amount of damages from network intrusions causes more than $15 billion in damages annually.2 From hacks into credit card companies to to terrorism,3 such attacks have become so common that the newspaper headlines do not generally report these intrusions as primetime news.4 Many of these attacks go unreported as companies fear negative publicity and lack confidence in their information practices.5 In 2000, the United States alone accounted for over $20 billion in e-commerce retail revenues.6 Large amounts of online transactions have inevitably become a target for criminal activities. Congress has taken a number of statements from various law enforcement officials concerning the growth of cybercrime. The FBI reported opening 547 computer intrusion cases in 1998 that had

1 See Martin Stone, Cybercrime Growing Harder to Prosecute - Report, NEWSBYTES, at http://www.infowar.com/law/00/law_012400aj.shtml (Jan. 21, 2000).

2 Steve Gold, Security Breaches Cost $15 Bil. Yearly, NEWSBYTES, at http://www.newsbytes.com/news/00/158197.html (Nov. 15, 2000). E-security white paper and allied report is available at E-Security: Removing the Roadblock to E-Business, THE DATAMONITOR GROUP, at http://www.datamonitor.com. There is a charge to access copies of this report.

3 Michelle Delio, The Greatest Hacks of All Time, WIRED NEWS, at http://www.wired.com/news/print/0,1294,41630,00.html (Feb. 6, 2001).

4 Internet Security: Hearing Before the Subcomm. on Science, Technology, and Space of the Senate Comm. on Commerce, Science, and Transportation, 107th Cong. (2001) (statement of Bruce Schneier, Chief Technical Officer of Counterpane Internet Security, Inc.), available at http://commerce.senate.gov/hearings/071601Schneier.pdf (last visited July 24, 2002).

5 Sylvia Dennis, Internet Fraud Escalating in UK, Says Experian, NEWSBYTES, at http://www.infowar.com/survey/00/survey_091500aj.shtml (Sept. 14, 2000); see also Council of Europe, CYBER-CRIME - THE TARGET IT HITS, THE DAMAGE IT DOES, at http://press.coe.int/press2/press.asp?B=54,0,0,107,0&M=http://press.coe.int/dossiers/107/E/e-cibles.htm (last modified Sept. 17, 2001).

6 U.S. CENSUS BUREAU, Department of Commerce, U.S. DEPT. OF COMMERCE NEWS, at http://www.census.gov/mrts/www/current.html (Aug. 30, 2001).

COMMLAW CONSPECTUS [Vol. 10

doubled by 1999.7 The agency stated that although it had closed several of these cases, threats were growing at disproportionate rates.8 Broad spectrums of groups are posing serious threats to the Internet, including so-called "insiders,"9 hackers, virus writers, terrorists and other criminal groups.10

The United States has been hailed a "major importer of crime"11 due to the large amount of business transactions that occur within its borders and its increasing reliance on the Internet as a platform for commerce. U.S. law enforcement officers not only deal with cybercrime in this country, but have been actively implementing international programs that coordinate access to information with other national law enforcement groups and train other international law enforcement officers to combat international crime. Thousands of foreign law enforcement officers from over forty countries are trained by U.S. officers.12 Such initiatives train foreign officers in computer related skills, such as tracking and surveillance methods.

The U.S. has strict enforcement techniques, including customs programs and national monitoring of communications traffic due to the large amount of hacking attempts that originate outside the country. Because of the continued growth of international crime, the FBI has established several programs designed to initiate and empower enforcement efforts.13 The FBI, though, is not the only executive entity active about cybercrime.

Criminal misuse of computers has also affected government systems. The Central Intelligence Agency ("CIA") reported that the major challenge concerning cybercrime is to "find ways to defend our infrastructure and protect our commerce while maintaining an open society."14 A recent incident occurred where U.S. military systems were subjected to an "electronic assault" termed Solar Sunrise. Two teenage hackers in California hacked into U.S. military systems while under the direction of a teenage hacker in Israel. The intruders went undetected at first as they hid their "tracks" through networks of routers and servers.

Computer crime affecting commercial and military computer systems has not gone unnoticed. Hacking and network intrusions have spawned an international effort in the U.S. and other Western nations to implement model laws outlawing computer misconduct. With extensive help from the

7 Cybercrime: Before the Subcomm. for the Dept's of Commerce, Justice, State, the Judiciary, and Related Agencies of the Senate Comm. on Appropriations, 106th Cong. (2000) [hereinafter Freeh Statement on Cybercrime] (statement of Louis J. Freeh, Director of the Federal Bureau of Investigation), available at http://www.fbi.gov/pressrm/congress/congress00/cyber021600.htm (last visited July 24, 2002). The FBI reported that 1154 cases had been opened in 1999. These figures do not include crimes such as or online child pornography.

8 See generally Marc C. Goodman, Why the Police Don't Care about Computer Crime, 10 HARV. J.L. & TECH. 465 (1997) (stating five reasons as to how and why police have problems confronting and investigating cybercrime: cybercrime is outside the job description, difficulty of policing the Internet, lack of resources, police need additional technical help and a lack of public outcry); id. at 477-490. The author states that these institutional factors deter the police from even investigating cybercrime. Id. at 494.

9 These cases involve unauthorized access by disgruntled employees with inside information on their company.

10 Cybercrime: Before a Special Field Hearing Before the Subcomm. on Tech., Terrorism, and Gov't Info. of the Senate Comm. on the Judiciary, 106th Cong. (2000) (statement for the Record of Guadalupe Gonzalez, Special Agent in Charge, Phoenix Field Division, Federal Bureau of Investigation), available at http://www.fbi.gov/pressrm/congress/congress00/gonza042100.htm. An example of this category is an international group who penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center of the FBI. Convictions were based on the theft of thousands of Sprint calling card numbers.

11 See The Threat of International Crime and Global Terrorism and the International Law Enforcement Programs of the Federal Bureau of Investigation: Before the House Int'l Relations Comm., 105th Cong. (1997) (statement of Louis J. Freeh, Director of the Federal Bureau of Investigation), [hereinafter Freeh Statement on International Crime], available at http://www.fbi.gov/pressrm/congress/congress97/initiatives-int.htm.

12 Id.

13 International Crime: Before the Subcomm. on Foreign Operations of the Senate Comm. on Appropriations, 105th Cong. (1998) (statement for the record of Louis J. Freeh, Director of the Federal Bureau of Investigation), available at http://www.fbi.gov/pressrm/congress/congress98/intrcrime.htm.
First, the FBI must have an active overseas presence that fosters the establishment of effective working relationships with foreign law enforcement agencies ... Second, training foreign law enforcement officers in both basic and advanced investigative techniques and principles is a powerful tool for promoting cooperation ... Third, institution building is necessary to help establish and foster the rule of law in newly democratic republics. Id.

14 Cyber Threats and the U.S. Economy: Before the Joint Econ. Comm., 106th Cong. (2000) (statement by John A. Serabian, Jr., Information Operations Issue Manager for the Central Intelligence Agency), available at http://www.cia.gov/cia/public-affairs/speeches/archives/2000/cyberthreats_022300.html. The statement covered four threats: foreign entities could perform cyber reconnaissance of U.S. computers; an attacker could conceal points of origin by hopping through several intermediate way stations in cyberspace; an attacker could conceal his origin and erase cyber footprints from victim computers; cyber tools are readily available.

2002] The International Cybercrime Treaty

U.S., Europe has been actively discussing and has drafted a treaty that would do just that.

II. HISTORY OF THE DRAFT TREATY

A. The Rise of International Law

European discussions of cybercrime have been ongoing for several years. Although the general public may have had trouble obtaining such information, European directives have provided some indication that national legislation in the Community was beginning to address its share of the growing problem.15 The Council of Europe ("CoE") has been the leading multi-lateral organization concerned with cybercrime thus far. In 1989, the CoE's Committee of Ministers16 adopted Recommendation No. R. (89) 9 stating that Member States need to consider computer-related crime when reviewing national legislation.17 The Recommendation also listed implementation guidelines for legislators that would criminalize certain criminal acts. Procedural policies were subsequently drafted in 1995. Recommendation No. R. (95) 13 was adopted to provide procedures for criminal law concerning issues such as search and seizure, surveillance and international cooperation.18

Although the Council issued specific recommendations, no formal process had been initiated that would coordinate the laws of member European states. But in 1997, a Committee of Experts on Crime in Cyber-Space (PC-CY)19 was formed to examine problems related to computer crime and to implement criminal procedures dealing with this new and growing form of crime.20 The PC-CY was to use the previous two recommendations as a foundation for examining the growing threat of computer crime and the appropriate legal structure to implement. PC-CY was charged with drafting "a binding legal document" that would eventually evolve into the present-day cybercrime treaty. The PC-CY's legal conclusions addressed five issues: cyber offenses through telecommunication networks, harmonization of substantive criminal law,21 the investigative powers of law enforcement, conflict of laws issues and questions of international cooperation.22 The terms of reference specified that participating countries appoint expert members,23 and also provided the

15 The CoE is a "multinational organization that includes both European Union member states and several non-democratic countries." Comments of NetCoalition.com, The Cybercrime Convention Will Harm U.S. Internet Users and Business, NETCOALITION [hereinafter Comments of NetCoalition], at http://www.cdt.org/international/cybercrime/010100netcoalition.shtml (Jan. 2001). The Council of Europe consists of 43 member states. COUNCIL OF EUROPE, THE COUNCIL OF EUROPE'S MEMBER STATES, at http://www.coe.int/portal.asp?strScreenType=100&L=E&M=$t/1-1-1-1//portal.asp?L=E&M=$t/001-00-00-2/02/EMB,1,0,0,2,Map.stm (last modified Sept. 17, 2001) (listing Member States and the year these states joined the CoE). It was established in 1949 as an organization dedicated to strengthening human rights by promoting democracy and the rule of law in Europe. The U.S. Department of Justice notes that it is the negotiating forum for conventions on criminal issues. DEPARTMENT OF JUSTICE, Frequently Asked Questions and Answers About the Council of Europe (Draft 24REV2), at http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm (last updated Dec. 1, 2000). Although the United States is not a member, it does maintain "observer" status at CoE deliberations. Id. For more information, see generally the CoE's website at http://www.coe.int.

16 The Committee of Ministers is the decision-making body of the Council of Europe. The Committee is also responsible for directly representing the governments of the member States. See Council of Europe, Introduction to the Committee of Ministers, at http://cm.coe.int/intro/intro.O.html. The Council of Ministers "is the main source of EU legislation." FIONA HAYES-RENSHAW & HELEN WALLACE, THE COUNCIL OF MINISTERS 1 (1997).

17 Recommendation No. R. (89) 9 of the Committee of Ministers to Member States on Computer-related Crime, 1989, available at http://www.cm.coe.int/ta/rec/1989/89r9.htm [hereinafter Recommendation No. R (89)].

18 Recommendation No. R. (95) 13 of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information Technology, 1995, available at http://www.coe.fr/cm/ta/rec/1995/95r13.htm [hereinafter Recommendation No. R. (95)]. The Recommendation also implemented procedures for electronic evidence, use of , cooperation obligations and research, statistics and training.

19 The Committee of Experts on Crime in Cyber-Space (PC-CY) is a form of "subcommittee" housed in the CoE's European Committee on Crime Problems (CDPC).

20 Specific Terms of Reference of the Committee of Experts on Crime in Cyber-Space, Council of Europe's Fight Against Corruption and Organised Crime, §4(a)-(b), 583rd Meeting [hereinafter Specific Terms of Reference], available at http://www.cm.coe.int/dec/1997/583/583.a13.html (Feb. 4, 1997). The terms of reference are the recommendations and reports that PC-CY was to build upon when reviewing problems of computer-related crime.

21 The issues under this subject involved international cooperation approaches relating to "definition, sanctions and responsibility of the actors in cyber-space, including Internet service providers." Id. at §4(c)(ii).

22 Id. at §4(c)(iv) and (v). The PC-CY did not give examples of international cooperation, but such efforts would include coordination of intergovernmental enforcement agencies, the international interconnection of police computer databanks and 24/7 cybercrime hotlines. See generally Freeh Statement on International Crime, supra note 11.

23 Membership of the Committee included "one expert

"desired" qualifications to look for in the process of appointing these experts.24 In addition, the U.S., Canada and Japan had been named as "observer" countries. The observers may send a representative, but do not have the right to vote.25 These terms of reference were to expire originally on December 31, 1999,26 but were later extended to December 2000.

Most of this information was minimally available to the general public.27 At most, one could find an occasional passing reference to the PC-CY in European government materials.28 The CoE's press release in February 1997 called for a legally binding document to be drafted in which the PC-CY met in relative obscurity up until the early months of 2000. At this time, USENET groups began to report that a cybercrime treaty was in the works.

In the early weeks of the new millennium, USENET29 reports began circulating that European officials had been meeting in secret to discuss the drafting of a world cybercrime treaty.30 Although the reports were not yet being posted by the more traditional sources of Internet news,31 the word was that European officials had been holding discussions "that would try and ban hacking and Internet eavesdropping utilities."32 It was reported that the U.S. government, along with Japan, Canada and South Africa, had been participating in the talks. The primary source for the USENET reports was a letter from the Dutch Minister of Justice written to the Dutch Parliament, which mentioned basic details of the treaty discussions and its objectives for increased eavesdropping and surveillance of the Internet.33

These early reports were generally unconfirmed, with European press officers declining to

appointed by the government of the following member states: Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Italy, Latvia, Netherlands, Portugal, Sweden, 'the former Yugoslav republic of Macedonia,' as well as two scientific experts appointed by the Secretariat." Id. at §5(a).

24 The qualifications included "prosecutors or judges dealing with computer crime cases, experts in the field of substantive and procedural law aspects of computer crime, experts having carried out research in this field; persons appointed should also have international experience and sufficient knowledge of the technical aspects of computer crime. Members of previous Council of Europe expert committees on computer-related crime would be preferable." Id. at §5(c).

25 The observer countries were also required to pay their own expenses. Except for the Netherlands and Portugal, the participating countries could defray costs. Id. at §5(b), (d).

26 Some sources, though, reported that PC-CY was to complete the document by the end of 2000 and not 1999. See, e.g., Michael A. Sussmann, The Critical Challenges from International High-Tech and Computer-Related Crime at the Millennium, 9 DUKE J. COMP. & INT'L L. 451, 478 (1999).

27 In general, it is the policy of the CoE to not release drafts while negotiations are ongoing. It is not until negotiations have begun to close that the text of a draft treaty would normally be released. Interview with John Lynch, U.S. Attorney, Computer Crime and Intellectual Property Section, U.S. Department of Justice (Mar. 10, 2001) [hereinafter Interview with John Lynch]. In this case, the text of the draft treaty has only been released online.

28 Specific Terms of Reference, supra note 20. It is the policy of the CoE to conduct its meetings in private. Rules of Procedure of the Council, art. 4(1), 1996 O.J. (Dec. 10, 1996).

29 Webopedia, an online encyclopedia, defines a USENET as "[a] worldwide bulletin board system that can be accessed through the Internet or through many online services. The USENET contains more than 14,000 forums, called newsgroups, that cover every imaginable interest group. It is used daily by millions of people around the world." WEBOPEDIA, INTERNET.COM, at http://webopedia.internet.com/TERM/U/USENET.html.

30 Steve Gold, World Cybercrime Treaty May Be Underway, NEWSBYTES, at http://www.newsbytes.com/news/00/142185.html (Jan. 14, 2000) [hereinafter Gold]. The article stated that reports of the treaty had been circulating on a Dutch USENET, which may be viewed at http://www.bof.nl. A user of landfield.com posted a similar article in the news archives of Internet Security News. [ISN] US-Europe Cybercrime Treaty Happening in Secret, LANDFIELD.COM, at http://www.landfield.com/isn/mail-archive/2000/Jan/0019.html (Jan. 13, 2000). Internet Security News is a part of Landfield.com's USENET service where users can post information related to the specific subject matter.

31 I refer to traditional sources of Internet news as CNN.com, ABCnews.com, WashingtonPost.com, etc.

32 Gold, supra note 30. Many news websites began using the USENET post and the Newsbytes article as their sources for their own reports on the treaty discussions.

33 Press Release, Dutch Minister of Justice, Crime in Cyberspace Convention: International Measures to Tackle Internet Crime, at http://www.minjust.nl:8080/c-actual/persber/pb0549.htm (Dec. 24, 1999) [hereinafter First Draft Press Release]. The letter was stated to have been translated from Dutch to English and then posted on the USENET group. Interested parties may find an English translation of the letter at the above website. M. Wessling, US-Europe Cybercrime Treaty Happening in Secret, POLITECHBOT.COM, at http://www.politechbot.com/p-00849.html (Jan. 13, 2000) [hereinafter Wessling]. The author of the post translated and discussed the context of the Dutch letter.
Protection against so-called CIA-crimes (confidentiality, integrity and availability) of public and closed networks and systems: computer hacking, unauthorized eavesdropping, unauthorized changing or destroying of data (either stored or in transport). In discussion are also denial of service attacks to public and private networks and systems. This will probably not cover spam. The treaty will outlaw the production, making available or distribution of hardware and software tools to do the above-mentioned (hacking, denial of service, eavesdropping, etc.). The letter does not mention the possession of these tools. Id.

comment on the subject.34 One source did state that a draft treaty would need considerable public debate and that all countries would need to be in agreement before becoming signatories.35 Cybercrime enforcement had been underway for several years, and the CoE was answering any specific questions concerning the draft convention or a possible treaty.36

In April of 2000, a "first" draft37 of the treaty was finally made available to the public as well as a press release38 that described the basic legal elements and philosophies behind the draft convention.39 The press release officially declassified the draft convention and called for "businesses and associations" to comment "before the final adoption of the text."40 It also stated that the CoE was focusing on the harmonization and the implementation of procedural and substantive criminal law with regards to cybercrime. One of the main goals was the coordination and cooperation of international law enforcement. The U.S., Canada, South Africa and Japan were named as actively participating in the treaty negotiations.41

An official of the U.S. DOJ mentioned the treaty as early as February 1999,42 and then Attorney General Janet Reno also made a passing reference in September 1999, but in reference to trans-border searches.43 In December 2000, the U.S. DOJ officially acknowledged on its website that it had been participating in the negotiations of the draft convention for a few years prior to the first public draft and stated that it "has had a real voice in the [current] drafting process."44 The President of Silicon Defense, Stuart Staniford, while appearing on a panel about the draft treaty at the European Conference, stated that even though the U.S. is an observer at the CoE, it "has apparently been heavily involved in the drafting."45

While the first public release of the draft treaty was in its 19th version,46 several drafts have subsequently been released. In June 2001, the final draft was approved by the European Committee on Crime Problems.47 It has since been finalized by the Committee of Ministers and opened up for signature.48

34 Gold, supra note 30.

35 Id.

36 Id. A law journal article by Michael Sussman, attorney with the DOJ, references a telephone interview with the Counselor for Criminal Justice Matters with the European Union concerning the draft convention. See Michael A. Sussmann, The Critical Challenges from International High-Tech and Computer-Related Crime at the Millennium, 9 DUKE J. COMP. & INT'L L. 451, 459 n.29, 478 n.103 (1999).

37 The press release called the draft treaty the "[f]irst draft of international convention released for public discussion." While this was the first draft released to the public, the draft treaty was in its 19th revision. First Draft Press Release, supra note 33.

38 Early news reports on the treaty had mistakenly reported the European Union as negotiating the treaty. The European Union is a distinct entity separate from the CoE. See EUROPEAN UNION, THE ABC OF THE EUROPEAN UNION, at http://europa.eu.int/abc-en.htm (last visited Dec. 23, 2001).

39 First Draft Press Release, supra note 33.

40 Id.

41 These countries are named as "observers" and may participate, but may not have a vote in the PC-CY. Id. at §5(e).

42 Interview with John Lynch, supra note 27.

43 Janet Reno, Speech Before the High Technology Crime Investigation Association 1999 International Training Conference, at http://www.cybercrime.gov/agsandie.htm (Sept. 20, 1999).

44 DEPARTMENT OF JUSTICE, FREQUENTLY ASKED QUESTIONS AND ANSWERS ABOUT THE COUNCIL OF EUROPE CONVENTION ON CYBERCRIME (DRAFT 24REV2), at http://www.usdoj.gov/criminal/cybercrime/newCOEFAQs.html (July 10, 2001) (alteration in original). The Department of Justice hosts this web page answering some "frequently asked questions" regarding the CoE Convention on Cybercrime. The DOJ stated that it had been invited to participate as an "observer" in the development of the Convention. The DOJ has a history of being an "observer," both times in the Recommendations addressing the need for laws concerning crime over computer networks published in 1989 and again in 1995. Id.

45 Stuart Saniford, Common Vulnerabilities and Exposures: The Key to Information Sharing, Panel on Cybercrime Treaty, at http://www.cve.mitre.org/board/archives/2000-10/msg0007.html (Oct. 5, 2000) [hereinafter Saniford]. CVE is a collaborative effort including "representatives from numerous security-related organizations such as security tool vendors, academic institutions, and government as well as other prominent security experts," which "aims to standardize the names of all publicly known vulnerabilities and security exposures." COMMON VULNERABILITIES AND EXPOSURES, ABOUT CVE, at http://www.cve.mitre.org/about (Jan. 22, 2001).

46 EUROPEAN COMM. ON CRIME PROBLEMS, DRAFT CONVENTION ON CYBER-CRIME (DRAFT No. 19) OF THE COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE, at http://conventions.coe.int/treaty/en/projets/cybercrime.htm (Apr. 25, 2000) [hereinafter Cybercrime Treaty Draft 19].

47 EUROPEAN COMM. ON CRIME PROBLEMS, DRAFT CONVENTION ON CYBER-CRIME OF THE COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE, at http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm (June 29, 2001) [hereinafter Cybercrime Treaty Final Draft]. Drafts No. 19 through 24 can also be accessed through the CoE website.

48 Committee of Ministers, Convention on Cybercrime ETS no.: 185, at http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185&CM=8&DF=12/12/01 (last visited Dec. 23, 2001).

III. THE TREATY EXPLAINED

Since its initial release in April 2000, the treaty has been revised several times in response to much criticism over its language and the potential problems with its procedural implementation. Groups have called the treaty "alarming and quite disturbing,"49 with criticism stemming from the U.S. and within Europe. Many organizations have come together to protest and comment on the treaty's backseat treatment of privacy rights.50 The following analysis will show that these apprehensions are rightfully appropriate.

A. The Preamble

The treaty contains 48 articles,51 categorized under lengthy chapters, titles and subsections. Its beginning starts with a preamble stating the document's intent. The intent is to foster a "common criminal policy aimed at the protection of society against cyber-crime."52 To foster protection, it promotes cooperation between governments and industry. As cybercrime can happen abruptly and without detection, the drafters find it crucial that law enforcement be able to mobilize swiftly and efficiently. This would require "increased, rapid, and well-functioning international co-operation" against cybercrime.53 Other elements of the treaty address deterrence as a necessary function of the draft convention.54 The preamble states that facilitation of "detection, investigation and prosecution" will protect the "confidentiality, integrity and availability of computer systems."

While the primary themes of the treaty focus on the prevention of criminal acts and the coordination of international law enforcement, a large part of the preamble attempts to devote a theme to the issue of "fundamental human rights."55 "Mindful" of the rights of individuals, the draft treaty states that it balances this against the interests of law enforcement. The preamble "enshrines" itself within the major international human rights documents drafted by the Council of Europe.56 Unfortunately, this rhetoric of rights ends as quickly as it begins. It should be noted that the first release of the public draft failed to mention the need for individual rights.57 The provisions dealing with rights have only come about in subsequent drafts showing, quite possibly, that human rights were never of importance to the committee drafters.

More examples of law enforcement's truncated balance are evident with a reading of the terms of reference, listed toward the end of the preamble. The original terms of reference, as explained ear-

49 Jason Wallace, Council of Europe Cybercrime Treaty Analysis, at http://www.ithell.com/Opinion/Cybercrime Treaty/body-cybercrime-treaty.html (November 2, 2000) [hereinafter Wallace]. The author argues that the vague nature of the treaty will trammel civil rights and that privacy procedures should be of first concern. Id. Ithell.com hails itself as "Where IT Professionals Vent!"

50 See, e.g., CENTER FOR DEMOCRACY & TECHNOLOGY, COMMENTS OF THE CENTER FOR DEMOCRACY AND TECHNOLOGY ON THE COUNCIL OF EUROPE DRAFT "CONVENTION ON CYBER-CRIME" (DRAFT No. 25), at http://www.cdt.org/international/cybercrime/010206cdt.shtml (Feb. 6, 2001) [hereinafter CDT Comments]. STATEMENT OF CONCERNS, TREATY LETTER BY INDIVIDUAL SIGNERS, at http://www.cerias.purdue.edu/homes/spaf/coe/TREATYLETTER.html; see also SIGNERS OF THE CONCERNS LETTER, at http://www.cerias.purdue.edu/homes/spaf/coe/TREATY SIGNATURES.html; GLOBAL INTERNET LIBERTY CAMPAIGN, GLOBAL INTERNET LIBERTY CAMPAIGN MEMBER LETTER ON COUNCIL OF EUROPE CONVENTION ON CYBER-CRIME, at http://www.gilc.org/privacy/coe-letter-1200.html (Oct. 18, 2000) [hereinafter Global Internet Liberty Campaign]. These organizations are just a few of the many groups against the current draft treaty.

51 For this paper, all references to a particular section of the treaty will be by article number.

52 Cybercrime Treaty Final Draft, supra note 47, at preamble.

53 Id.

54 Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international cooperation. Id.

55 Cybercrime Treaty Final Draft, supra note 47, at preamble.

56 The preamble lists the applicable human rights documents that the draft treaty is "enshrined" within. These include: the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms; the 1966 United Nations International Covenant on Civil and Political Rights; the 1981 Council of Europe Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data; the 1989 United Nations Convention on the Rights of the Child; and the 1999 International Labour Organization Worst Forms of Child Labour Convention. Id. Much of the draft treaty's rhetoric may pay lip service to these great documents, but nowhere does the draft treaty specifically answer how the principles of these great documents are incorporated on a practical level. This assumption of my analysis may be naive, but a draft treaty that articulates the practical concerns of law enforcement, yet only crafts theoretical notions of human rights with absolutely no practical implementation of such should be deemed as "hollow rhetoric." Id. at art. 15.

57 Cybercrime Treaty Draft 19, supra note 46.

lier, included Recommendations No. R. (89) 9 and No. R. (95) 13, which dealt with guidelines for considering computer crime and related problems in criminal procedure law, respectively.58 Additional Recommendations have been added, including those dealing with the interception of telecommunications,59 copyright infringement and piracy60 and "regulating the use of personal data in the police sector."61 While these subjects were to be examined by the committee,62 additional recommendations concerning law enforcement have been added by the committee, thereby loading the language of the draft treaty with enforcement references.

B. Language of the Treaty

The preamble states the general philosophical foundations of the treaty. A working paper written by the Center for Democracy and Technology states that the draft is actually "a combination of three treaties."63 First, signatory countries must implement substantive criminal provisions to unify the scattered state of Western cyber laws. Second, unilateral procedures must be adopted that allow for increased government power in cyber-criminal investigations. Finally, the treaty requires the institution of international cooperation efforts in collecting evidence and intercepting communications.

The treaty is composed of four main chapters. Chapter one deals with the use of terms and definitions. Chapter two calls for substantive and procedural measures to be implemented at the national level. Chapter three concerns international cooperation efforts, with chapter four left for the final provisions and other miscellaneous treaty components.

Chapter two is split into two sections that deal with the specific laws and procedures to be enacted by each signatory country through its domestic laws. Section one of the chapter covers substantive criminal law while section two examines measures at the procedural level.

The most controversial arguments against the treaty concern the debate over what sort of laws will be enacted domestically. This section has produced some of the most fervor because it allows countries to enact new criminal regulations without guidance or prediction as to how these regulations will impact the general population of computer users.

Articles 2 through 10 discuss the first aspect of the treaty: the enactment of substantive criminal laws, broken up into five titles. The first four deal with types of criminal offences: (1) those against the "confidentiality, integrity and availability of computer data and systems,"64 (2) "computer-related offences",65 (3) "content-related offences"66 and (4) "copyright offences."67 Title five covers ancillary liability and sanctions.

These nine articles appear as an entire treaty in themselves.68 Although nine offenses are listed, the draft convention actually enacts only four new cybercrimes69 and mandates that new and additional and fraud laws be added for com-

58 Recommendation No. R. (89), supra note 17. Recommendation No. R. (95), supra note 18.
59 Recommendation No. R. (85) 10 of the Committee of Ministers Concerning the Practical Application of the European Convention on Mutual Assistance in Criminal Matters in Respect of Letters Rogatory for the Interception of Telecommunications, available at http://cm.coe.int/ta/rec/1985/85r10.htm (June 28, 1985).
60 Recommendation No. R. (88) 2 of the Committee of Ministers on Measures to Combat Piracy in the Field of Copyright and Neighbouring Rights, available at http://cm.coe.int/ta/rec/1988/88r2.htm (Jan. 18, 1988).
61 Cybercrime Treaty Final Draft, supra note 47, at preamble.
62 Specific Terms of Reference, supra note 20.
63 CDT Comments, supra note 50.
64 Cybercrime Treaty Final Draft, supra note 47, at arts. 2-6.
65 Id. at arts. 7-8.
66 Id. at art. 9.
67 Id. at art. 10. The discussion on copyright will not be developed because it is outside the scope of privacy rights and is dealt with exclusively under a separate international treaty. It is the brief opinion of this article that new laws related to copyright are duplicative, and already quite controversial, and therefore, should be rethought in both a national and international context. See generally Gaylen Duncan, Letter Regarding the Draft Council of Europe Convention on Cyber-Crime, at http://www.cdt.org/international/cybercrime/001023itac.shtml. CDT Comments, supra note 50 (stating that "intellectual property protection is an extremely complicated issue that touches upon both free expression and privacy issues and that is still in flux"); Global Internet Liberty Campaign, supra note 50 (arguing that "new criminal penalties should not be established by international convention in an area where national law is so unsettled").
68 CDT Comments, supra note 50 (noting that arts. 2-10 create a criminal law treaty).
69 Articles 2 through 5 include illegal access, illegal interception, data interference and system interference, respectively. "Offences against the confidentiality, integrity and availability of computer data and systems." Cybercrime Treaty Final Draft, supra note 58, at title 1.

COMMLAW CONSPECTUS [Vol. 10

puter crime.70 A separate substantive offense for the misuse of devices also appears in this section.71

1. New Cybercrimes72

McConnell International reported that many countries do not prohibit cybercrimes.73 Crimes concerning illegal access, interference and interception are being slowly implemented and are sparsely recognized. The treaty would correct this trend and require enactment of legislation to help combat cybercrime by allowing the heightened enforcement and prosecution of hacking.

a. Article 2 and Illegal Access

Article 2 states that it shall be unlawful to intentionally access in whole or in part another's computer system without right.74 This provision, in effect, allows a nation to prosecute those that tamper with the means to enter a network or another's computer even if not actually entered. For example, a hacker that merely accesses a part of that system, such as a security program that allows entry, could be charged under a country's laws for access without right.

An endnote in the treaty defines "without right" stating that the expression should derive from its context under principles of the signatory country's laws. Essentially, (criminal) behavior conducted without the authority to do so. Countries are permitted to define what is "without right" based on their abilities to "maintain public order, protect national security or investigate criminal offences."75 The Center for Democracy and Technology has argued persuasively against this endnote saying:

"that what is not permitted is prohibited. In addition, the treaty would make violations of a service provider's terms of service into a criminal offense. The ISP subscriber who uses the service for a purpose prohibited by the terms of service is accessing the computer of the ISP 'without right.' The student who uploads or downloads a single music file in violation of the university's policy for granting students Internet access is committing a crime. If an employer tells its employees that they cannot use the Internet at work for personal purposes, the employee who logs on and checks a stock quote is committing an offense. Conversely, even though the treaty establishes a separate crime of 'illegal interception,' the phrase 'without right' appears there also, and would protect the ISP or service provider whose terms of service reserve the right to randomly or systematically read the communications of its subscribers."76

One should not be able to access another's computer system in whole or in part without a right to do so. This is clear. However, this prohibition involves designating and defining who has the right to access and who does not. Some "hackers" are genuine security professionals that possess the right to access and may be performing "routine Internet functions such as security testing, price comparisons and automatic data collection."77 Therefore, there are concerns over what sort of access is allowed and what would be prosecuted. Does the language of Article 2 allow a nation to outlaw security testing and security tools?78 The drafters have attempted to clarify this point in their explanatory memorandum citing specific types of activity that constitute acceptable access and those that are unacceptable.79 The memorandum attempts to draw a dividing line between acceptable and unacceptable access. It states that ar-

70 Id. at title 2.
71 Id. at art. 6 (covering "[o]ffences against the confidentiality, integrity and availability of computer data and systems").
72 This comment only covers the controversial arguments of Chapter Two, which include illegal access and the misuse of devices.
73 Cyber Crime... and Punishment? Archaic Laws Threaten Global Information, MCCONNELL INTERNATIONAL, at http://www.mcconnellinternational.com/services/CyberCrime.htm (Dec. 2000) [hereinafter Archaic Laws] (arguing that the growing danger of cybercrime and the minimal protection offered by nations mandate that a model approach to law is needed to promote a secure environment for e-commerce).
74 Cybercrime Treaty Final Draft, supra note 47, at art. 2.
75 Explanatory Memorandum Related Thereto, Eur. Comm. on Crime Problems, at http://conventions.coe.int/treaty/en/projets/FinalCyberRapex.htm (June 29, 2001) [hereinafter Explanatory Memorandum].
76 CDT Comments, supra note 50.
77 Comments of NetCoalition, supra note 15.
78 An early concern was that security testing could be criminalized. See Wessling, supra note 33 (stating that such laws for those that test security "will make your job a lot more difficult," referencing a website forum for security professionals). This statement was made when the draft treaty was not yet released.
79 Explanatory Memorandum, supra note 75, at 62. This question raises larger concerns over whether a government should have oversight over this profession by implementing licensing and certification schemes similar to those that apply to attorneys, physicians or even to hairstylists. See Stevan D. Mitchell & Elizabeth A. Banker, Private Intrusion Response, 11 HARV. J.L. & TECH. 699, 716-719 (1998) [hereinafter Mitchell & Barker] (advocating licensing as "a novel venue for cooperation and compromise" for both government and industry oversight to deal with crimes of intrusion).

ticles 2 through 5 should not be construed to criminalize common Internet activities and those activities "inherent in the design of the networks or common operating or commercial practices."80 Examples of acceptable activities include:

sending electronic mail without it having been first solicited by the recipient; accessing a web page or ftp ("file transfer protocol") server that has been configured for public access; using hypertext links, including deep-links; or employing programs such as "cookies" or "bots" to locate and retrieve information where such programs can be filtered or rejected by the receiving server.81

These paragraphs are a good beginning to a clear set of guidelines, but the treaty soon becomes less specific with regard to the limitations of law enforcement and more specific with which laws should be enacted.

b. Article 6 and the Misuse of Devices

Controversy surrounds Article 6. Each signatory country would be required to outlaw the use of any device used in the commission of the previous five offenses. That is, one that used a cyber-device to access or interfere with another's network would be guilty of misusing the device and guilty of possession.82 Possession or use of computer passwords or access codes also carries a penalty83 for such items are the keys to the virtual door. This article in effect outlaws the misuse of hacking devices or any devices used to gain access to another's system. Security analysts responding to Article 6 fear that such language could be construed as outlawing all attempts of hacking, even if the purpose is to test for security reasons.84 Other critics fear that the article's language has a potential for over-inclusive definitions as to what operational methods constitute an illegal misuse of a device.

Article 6(1)(a) states that one cannot produce, sell or make available a device designed to commit one of the previous five offenses. The scenario is that a person could not sell or distribute a device that could "hack" or be used to help another device "hack" into an unauthorized and unowned computer system. Software that could access security or hardware that can be used to physically connect to another computer could potentially be outlawed as a "misuse of a device." A parallel example of outlawing the tools of a criminal intrusion is a law that forbids the possession or use of a "Slim Jim" used to open locked vehicles. The key is that possession, use, sales or any sort of distribution of such tools would be a criminal act subject to penalty. Article 6 also applies to the production and distribution of such tools, including their manufacture and retail. One would be prohibited from sharing with another if such device came under the legal definition of "adapted primarily for the purpose of committing any of the offences [previously] established ... "85

Critics also fear that the vague language of Article 6 could lead to the banning of various devices, prohibiting their positive uses if a nation so desired. The treaty drafters have provided an exception to help quell these fears, stating that security analysis will not be outlawed.86 As drafted, the

80 Id.
81 Id. at 48.
82 Cybercrime Treaty Final Draft, supra note 58, at art. 6, sec. 1.
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally and without right: (a) the production, sale, procurement for use, import, distribution or otherwise making available of: (1) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2-5; (2) a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established in Articles 2-5; and (b) the possession of an item referred to in paragraphs (a) (1) or (2) above, with intent that it be used for the purpose of committing any of the offences established in Articles 2-5. A Party may require by law that a number of such items be possessed before criminal liability attaches. Id.
83 It should be noted that the treaty calls for outlawing certain cyber activities and does not institute penalization or sentencing guidelines.
84 See Wessling, supra note 33. See Saniford, supra note 45. See SLASHDOT GENERAL DISCUSSION, EUROPEAN CYBERCRIME TREATY 1.1, at http://slashdot.org/yro/00/11/13/1828213.shtml (Nov. 13, 2000); see Brian Krebs, Tech Groups Still Wary of International Cyber-Crime Treaty, NEWSBYTES, at http://www.computeruser.com/clickit/printout/news/303039360003353920.html (Dec. 1, 2000).
85 Cybercrime Treaty Final Draft, supra note 47, at art. 6(1)(a)(1). Article 6(1)(b) specifies that a nation may, but does not have to, make possession with intent a separate offense.
86 Id. at art. 6(2). "This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this Article is not for the purpose of committing an offence established in accordance with articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system."

treaty states that nothing should be interpreted as imposing criminal liability on "authorized testing or protection of a computer system."87 Another section reserves the right for signatories not to pass legislation criminalizing the distribution of offending devices.88

The underlying problem with this exception is defining and correctly understanding who has the right to possess and to use the "tool." The language of the treaty suggests that devices used primarily to commit cyber offenses would be banned from the general public except those used by security professionals (including law enforcement). But a counter argument is that security professionals use these devices primarily to test their own systems.89 The security professional would be authorized to do this, but access to the device that helps him or her test the defending system may be unavailable in the territory of a signatory country. The problem is that even the most offensive of hacking devices are used and created by those that are not authorized to use them.90 Common household users wishing to protect their systems privately, but not wanting to intrude upon others, could face the possibility of not having access to these devices in defense of their own networks.

Although certain legal scholarship has begun to opt for licensing measures that would certify those able to use security tools,91 those that actually use the devices are skeptical. A website discussion on the treaty revealed that many security professionals believe that "it simply makes no sense to draft an international law banning the tools that help us secure systems. Of course, we would love some more enforcement power to use against potential crackers, but not if it is a trade off for our tools."92 Despite this, other commentators argue that governments have the right to protect their citizens against the growing problem of cybercrime.

2. Intrusion, Surveillance and Privacy Rights

Privacy concerns are at their zenith.93 As easily as technology allows a hacker to intrude upon another's network so too does the treaty permit a law enforcement officer to use the same technologies and employ the same methods of intrusion, but for different purposes. Thus, privacy and procedural laws are inextricably linked. For instance, American law once held that wiretapping was not tantamount to a search and seizure under the Fourth Amendment.94 The opposite is true today,95 but notions of search and seizure, wiretapping and surveillance have become more commonplace.96

Section 2 of the treaty deals with the procedural laws to be enacted by each signatory country. The provisions deal with issues ranging from the scope and safeguards of the laws to the actual allowance of search and seizure and data interception.

a. Article 14 and the Scope of Procedure

Article 14 of the draft treaty provides that signatories create or modify their prior procedural laws for the purpose of "specific criminal investigations"97 so that law enforcement officers may utilize certain techniques similar to other communications investigations. Article 14(2) states that procedures are to apply to three aspects of cybercrime: those offenses dealt with in the substantive portion of the draft,98 other potential cyber-related crimes not yet specified99 and the electronic collection of evidence.100 In a nutshell, this article provides a broad scope as to the purpose of the later procedural provisions.

b. Article 15 and General Safeguards

Article 15101 is also stated broadly, but takes a rhetorical step in the right direction. This article functions as a general protection provision stating that all implementation and procedures listed under Section 2 are safeguarded "with due regard for the adequate protection of human rights... as provided in applicable international human rights instruments."102 Enactment of domestic laws under the treaty should align with the letter of other prior treaties protecting civil and criminal rights.

The language used in this article appears to protect certain rights, but what particular procedures are needed to safeguard human rights?103 Here, the draft treaty does not specify and appears cursory and indifferent. Nations are mandated to enact specific procedural provisions, but are only generally instructed as how to balance such procedures against issues of privacy.104 What if a signatory has a poor record of privacy protection?105 Are they now to enact new criminal procedure legislation without revising outdated privacy techniques? If so, then Article 15 is out of alignment with the "proper balance between the interests of law enforcement and human rights"106 for a signatory can specify what law enforcement may do, but it does not need to specify what law enforcement may not do.107

Article 15108 states that the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms and the 1966 International Covenant on Civil and Political Rights are to be reflected in any procedural legislation. Privacy, though, is not mentioned in the first international treaty and is scantily referenced in the latter.109 A "General Comment" to the privacy reference states that privacy measures require that national legislation be enacted to prohibit procedu-

87 Id.
88 But, a nation may not reserve the right to exclude devices that make available "a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed." Id. at art. 6(1)(a)(2). In essence, a country may criminalize devices designed to commit cyber offences, but must criminalize devices that produce or distribute passwords or access codes.
89 Wallace, supra note 49.
90 Wallace's example of this is where a company arranges legitimate hacking efforts where "wargames" are held. "Wargames" invite hackers to crack the company's system to test that system. Cash rewards are given for successful attempts. "This could no longer be possible if the tools used in these wargames were made illegal to the every day user." Id.
91 Mitchell & Barker, supra note 79, at 716-719. This article discusses the future of effective cyber crime enforcement through coordinated efforts of both the public and private sectors. The authors advocate licensing as "a novel venue for cooperation and compromise." Id. at 732.
92 lamsure (web pseudonym), European Cybercrime Treaty 1.1, SLASHDOT, at http://slashdot.org/yro/00/11/13/1828213_-F.shtml (Nov. 13, 2000). This posting came from an unofficial discussion concerning the treaty at Slashdot.org. Slashdot.org holds itself out as "News for Nerds. Stuff that matters."
93 See Simon Davies, Re-engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 143 (Philip E. Agre & Marc Rotenberg eds., 1997) (stating that opinion polls show that privacy concerns are greater now than any other time in history).
94 Olmstead v. United States, 277 U.S. 438, 464 (1928) (stating that a search under the Fourth Amendment was to be of material things).
95 See Katz v. United States, 389 U.S. 347, 358-59 (1967) (holding that the electronic listening and recording of a conversation in a telephone booth constituted a search and seizure under the Fourth Amendment).
96 See INFO-SEC, THE EUROPEAN POLICE STATE, at http://www.info-sec.com/law/law_- 020298a.html-ssi (1998) (arguing that Europol not only keeps intelligence files, but stores information concerning "gossip and slanderous allegations").

97 Cybercrime Treaty Final Draft, supra note 47, at art. 14(1). ("Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this Section for the purpose of specific criminal investigations or proceedings.").
98 Id. at art. 14(2)(a).
99 Id. at art. 14(2)(b).
100 Id. at art. 14(2)(c).
101 Id. at art. 15 ("Conditions and Safeguards").
Each Party shall ensure the establishment, implementation and application of the powers and procedures provided for in this Section are subject to the conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality. Id.
102 Footnote 29 in the text specifies the international instruments as the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms and its Protocols and the 1966 International Covenant on Civil and Political Rights. Explanatory Memorandum, supra note 75, at 145.
103 There is also nothing explicit in the preamble to clarify these safeguards. Cybercrime Treaty Final Draft, supra note 47, at preamble.
104 EUROPEAN COMM. ON CRIME PROBLEMS, FINAL ACTIVITY REPORT OF THE COMMITTEE OF THE COMMITTEE OF EXPERTS ON CRIME IN CYBER-SPACE, at http://conventions.coe.int/Treaty/EN/projects/FinalCybercrime.htm (June 29, 2001) [hereinafter FINAL ACTIVITY REPORT]. Paragraph 145 of the Final Activity Report declares that while signatory countries shall establish procedural safeguards protecting civil rights, each country is free to implement such rights according to its laws and procedure. Id. at 145. This provision allows for countries not to implement such rights according to its "domestic law and procedures of each Party."
105 Amnesty International, an organization dedicated to promoting international human rights, has reported that police abuse is common in many European countries, including the United Kingdom, France, Bulgaria and Moldova. EUROPE - HIGHLIGHTS OF AMNESTY INTERNATIONAL REPORT 2000, at http://www.web.amnesty.org/web/ar2000web.nsf/reg/0f2a063182768575802568f2005a59da.
106 Cybercrime Treaty Final Draft, supra note 47, at preamble.
107 Only one safeguard is specified. Signatories are given the option of weighing the economic impacts of burdening innocent third parties before intrusive procedures are implemented. Id. at n.30, art. 15. This footnote merely states that a country may consider such an impact, but a nation is not required to do so.
108 FINAL ACTIVITY REPORT, supra note 104, at 145.
109 "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation." 1966 INTERNATIONAL COVENANT ON CIVIL AND POLITICAL RIGHTS, Article 17(1), available at http://www.unhchr.ch/html/menu3/b/accpr.htm.

ral abuse."110 While this Comment may provide a signatory some direction in which to enact procedural safeguards, the treaty makes only passing reference to such an important protection for it does not specifically state what privacy rights are. Article 15's concern for safeguarding human rights was never a consideration in the original public release of the draft treaty as it was not mentioned until public outcry surfaced.111 And although the drafters have now included privacy as a concern, the "experts" are still unable to agree on an acceptable standard because European case law concerning privacy varies.112 In other words, experts representing over forty countries, including the U.S. DOJ, can agree upon a cybercrime enforcement standard, but cannot and will not agree upon a standard of enforcement for privacy.113

But if a cybercrime treaty is to deal with "the profound changes brought about by the digitalisation, convergence and continuing globalisation of computer networks,"114 it needs to provide a direction for procedural protections as well as the permissions it allows. The treaty references human rights documents that do reflect the differing problems of the information age. As one organization succinctly said, "A great deal has changed since 1950. If there is a need for a treaty requiring countries to adopt certain surveillance laws, then there is also a need for an updated international standard on privacy protections for government surveillance."115

Traditional lawmaking often emphasizes enforcement before privacy. If digital technologies have caused a need to update international criminal law, then privacy protections enacted before these technologies emerged should be equally updated. The treaty must further explain and provide for procedural safeguards that protect the public from intrusive enforcement mechanisms, such as what constitutes excessive surveillance or by what judicial standards should a court determine a proper police search and seizure was conducted. The treaty should declare specific human rights standards as laid out in other CoE treaties.116 Given the nature of digital information, privacy rights need clarifying before international implementation.

c. Articles 16, 17 & 18 - Expedited Preservation of Stored Computer Data & Production Orders

The legal status of privacy is less than other comparable rights. "Privacy can be defined as a fundamental, though not absolute, human right."117 A reading of Articles 16 through 23 adds strength to this statement for the articles call for international legislation of criminal procedure laws. The procedural mandates range from permitting law enforcement to search and seize computer data118 to mandating that ISPs comply with criminal investigation efforts.119 These procedural requirements make the safeguard provisions in Article 15 seem like a castle made of sand.120

Articles 16 and 17 require countries to adopt laws instructing individuals or businesses to preserve data when ordered to do so by law enforcement officers.121 For instance, ISPs allow informa-

110 GENERAL COMMENT TO ARTICLE 17, available at http://www.unhchr.ch/tbs/doc.nsf/(symbol)/CCPR+Generalcomment+16.En?OpenDocument.
111 Cybercrime Treaty Draft 19, supra note 46.
112 Declan McCullagh, Privacy a Likely Loser in Treaty, WIRED NEWS, at http://www.wired.com/news/print/0,1294,40576,00.html (Dec. 7, 2000). CoE officials have expressly stated that privacy laws across Europe are too diverse to agree upon a set standard of procedural guidelines. Yet, the same diversity regarding computer crimes can be harmonized and coordinated.
113 To allow for some credit, paragraph 148 discusses the need for signatories to consider the public interest of proprietary interests and the rights and interests of third parties when considering "the sound administration of justice." Explanatory Memorandum, supra note 75. The specificity of what is just and in the public interest is left for each country to determine.
114 Cybercrime Treaty Final Draft, supra note 47, at preamble.
115 CDT Comments, supra note 50.
116 See Will Knight, Cybercrime Treaty May Conflict with UN Declaration, ZDNET.COM, at http://news.zdnet.co.uk/story/0,,t269-s2083139,00.html (Dec. 12, 2000) (reporting that civil liberty groups have actively criticized the draft treaty for not developing a framework more aligned with the United Nations Declaration on Human Rights).
117 David Banisar & Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. MAR. J. COMPUTER & INFO L. 1, 8 (1999).
118 Cybercrime Treaty Final Draft, supra note 47, at art. 19. ("Search and Seizure of Stored Computer Data").
119 Id. at arts. 16-18.
120 And we all know that "castles made of sand melt into the sea, eventually." Jimi Hendrix, Castles Made of Sand, on AXIS: BOLD AS LOVE (Reprise Records 1967).
121 "Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of [specified] computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification." Cybercrime Treaty Final Draft, supra note 47, at art. 16(1).

tion to be transferred and stored through their services for the purposes of e-mail and user web pages. Law enforcement officers could get a court order forcing an ISP to preserve all data related to any investigation. If the FBI were to examine online child pornography rings, the agency could require companies such as AOL or Earthlink to preserve data related to the investigation. Such data could include bank records, credit cards or any other various financial or informational items.122

Article 16(2) specifies that an individual or business would be required to preserve such data transmissions for an "adequate period of time," presumably as long as a law enforcement investigation is being conducted.123 The article further mandates that legislation shall be adopted to order those preserving the data to keep such procedures confidential.124 In other words, an ISP preserving data at the requirement of law enforcement must do so within a certain timeframe and must not make public any information with respect to the investigation.

Article 17 goes one step further by ensuring that data is preserved regardless of the involvement of multiple service providers.125 The article also ensures "expeditious disclosure" to a country's "competent authority,"126 whereby all information would be turned over to law enforcement so that government officers could begin immediately tracing the transmission of data and identifying all the appropriate service providers involved.

Articles 16 and 17, as worded, storm past the fine line between criminal investigation and privacy. For example, the Internet Alliance127 has argued that the draft treaty is at odds with the protection principles of the Data Protection Directive of the European Union ("EU").128 This Directive was an enactment of the EU community in October 1995 asserting that data processing systems should be used to respect "fundamental rights and freedoms, notably the right to privacy."129 The ease of processing and exchanging data was recognized as a fundamental threat to privacy since technologies could readily transport information and be susceptible to the interference of others. The argument is that without the proper procedural safeguards in place, a country could use the treaty as a means to enforce government policies unrelated to actual network intrusions, such as the identification and location of political dissidents.130 A signatory country lacking procedural limitations could target more than cybercriminals. A signatory could track, investigate and seize information in the investigation of other unfavorable policy decisions.131 The Internet currently provides anonymity for the politically perse-

122 CDT Comments, supra note 50.
This provision applies to any evidence the government may want about any crime. It is not limited to communications. It applies to any data that has been stored in a computer system. Thus, any business of any kind that uses a computer can be ordered under this provision to store any data that the government might want: Bank records, credit card data, inventory data, invoices, word processing, Web surfing data. A business that has a video camera can be told to preserve the tapes. The operator of an intelligent highway system or a passkey system can be required to preserve the data on the comings and goings of vehicles and people. Id.
123 Cybercrime Treaty Final Draft, supra note 47, at art. 16(2).
Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person's possession or con-
dential the undertaking of such procedures for the period of time provided for by its domestic law." Id. at art. 16(3).
125 Id. at art. 17(1)(a).
126 Id. at art. 17(1)(b) ("Each Party shall adopt such legislative or other measures as may be necessary to "ensure the expeditious disclosure to the Party's competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.").
127 "The Internet Alliance (IA) is [an] organization of Internet policy professionals representing the Internet online industry on the state, federal and international levels." INTERNET ALLIANCE, THE INTERNET ALLIANCE: WHO WE ARE, at http://www.internetalliance.org/aboutisa/whoweare.html.
128 INTERNET ALLIANCE, Internet Alliance Comments on Council of Europe's Draft Convention on Cyber-Crime No. 19, at http://www.cdt.org/international/cybercrime/001000ia.shtml (Oct. 18, 2000) [hereinafter Internet Alliance Comments].
trol, the Party shall adopt such legislative and other mea- 129 Directive 95/46/EC of the European Parliament and sures as may be necessary to oblige that person to pre- of the Council of 24 October 1995 on the Protection of Indi- serve and maintain the integrity of that computer data viduals with Regard to the Processing of Personal Data and for an adequate period of time, as necessary, to enable on the Free Movement of Such Data, 1995 O.J. (L 281), 31 at the competent authorities to seek its disclosure. Id. 2, available at http://europa.eu.int/eur-lex/en/lif/dat/ 124 "Each Party shall adopt such legislative or other mea- 1995/en_395L0046.html. sures as may be necessary to oblige the custodian or other 130 Internet Alliance Comments, supra note 128. REUTERS, at http:// person who is to preserve the computer data to keep confi- 131 See AOL Removes 'Offensive' Website, COMMLAW CONSPECTUS [Vol. 10 cuted, as many can express political and religious forcement may, and will, be able to preserve beliefs safely without fear of government sanction. stored computer data and force ISPs to submit to Government by itself cannot regulate and en- the authorities all information regarding their force. Nations need the help of those private enti- customers. Three more articles also intrude upon ties that maintain the cyber architectures. Article privacy by allowing law enforcement and ISPs to 18 of the treaty concerns production orders and gather and collect information on suspected requires countries to order persons within their cyber offenses. national boundaries to produce any computer Articles 19 through 21 are the heart and soul of data or information under that person's con- the treaty enforcement provisions. These articles trol. 
132 The article also mandates that ISPs submit allow for the search and seizure of stored com- all subscriber information that pertains to citizens puter data,138 the collection and recording of within a particular nation's territory.1 33 The last computer traffic 39 and the interception of con- section of Article 18 clearly defines subscriber in- tent data.140 These articles develop procedural formation as any and all information that an ISP standards for law enforcement that increase com- may possess. 13 4 This includes technical parame- munications monitoring without increasing pri- ters of a person's system, 135 personal identifiers vacy protections. such as telephone numbers and billing informa- Article 19 reflects traditional search and seizure tion 13 6 and all information relating to an ISP's ser- laws. A signatory must enact legislation that would vice agreement. - 7 An ISP maintains certain li- allow law enforcement officials the ability to ac- censing requirements that retain the right to cess any information within its territory.14 1 If it is keeping records on customer activity. In the event suspected that the same information lies on multi- of a court production order, the ISP must provide ple computer systems, the draft treaty allows those assistance to law enforcement. systems likewise to be searched and seized.' 42 The search and seizure ability includes the power to secure a computer system,143 retain copies of any d. Article 19 through 21 - Search, Seizure and 44 Interception data information, maintain the data so that it is not altered 145 and block accessibility or remove 46 So far, this paper has established that law en- the data entirely.' www.abcnews.go.com/sections/tech/DailyNews/ 137 Id. at art. 18(3) (iii) ("[Any other information on the aol-site980624.html (June 24, 1998). 
AOL closed down one site of the installation of communication equipment availa- of its websites that parodied the Koran and other Islamic cus- ble on the basis of the service agreement or arrangement."). toms. The country of Egypt protested, stating that the site was 138 Id. at art. 19. offensive to Muslims. ]39 Id. at art. 20. 132 Cybercime Treaty Final Draft, supra note 47, at art. 140 Id. at art. 21. 18(1) ("Each Party shall adopt such legislative and other 141 Id. at art. 19(1) ("Each Party shall adopt such legisla- measures as may be necessary to empower its competent au- tive and other measures as may be necessary to empower its thorities to order: (a) a person in its territory to submit speci- competent authorities to search or similarly access: (a) a fied computer data under this person's control, which is computer system or part of it and computer data stored stored in a computer system or a computer-data storage me- therein; and (b) computer-data storage medium in which dium."). computer data may be stored, in its territory."). 133 Id. at art. 18(1) ("Each Party shall adopt such legisla- 142 Id. at art. 19(2) ("Each Party shall adopt such legisla_-. tive and other measures as may be necessary to empower its tive and other measures as may be necessary to ensure that competent authorities to order: (b) a service provider offer- where its authorities search or similarly access a specific com- ing its services in its territory to submit subscriber informa- puter system or part of it, pursuant to paragraph 1(a), and tion under that service provider's possession or control."). have grounds to believe that the data sought is stored in an- 134 Id. at art. 
18(3) ("For the purpose of this article, 'sub- other computer system or part of it in its territory, and such scriber information' means any information, contained in data is lawfully accessible from or available to the initial sys- the form of computer data or any other form, that is held by tem, such authorities shall be able to expeditiously extend a service provider, relating to users of its service, other than the search or similar accessing to the other system."). traffic or content data."). 143 Id. at art. 19(2) (a) ("These measures shall include 135 Id. at art. 18(3)(i) ("[T]he type of the communica- the power to (a) seize or similarly secure a computer system tion service used, the technical provisions taken thereto and or part of it or a computer-data storage medium."). the period of service."). 144 Id. at art. 19(2) (b) ("make and retain a copy of those 136 Id. at art. 18(3)(ii) ("[T]he user's identity, postal or computer data"). geographic address, telephone and other access number, 145 Id. at 19(2)(c) ("maintain the integrity of the rele- billing and payment information, available on the basis of vant stored computer data"). the service agreement or arrangement."). 146 Id. at 19(2) (c) ("render inaccessible or remove those 2002] The International Cybercrime Treaty

53 Article 19 specifies how law enforcement may content, such as hate speech, would have a spe- monitor data transmissions, but it leaves open cific article to empower the interception of such possibilities for cumbersome intrusion into per- transmissions. In addition, nothing in the treaty sonal lives and business operations. 147 The draft states why "content data" differs from "traffic treaty does not issue any constraining standards data" and why it requires its own separate article, upon law enforcement. A suggestion would be to even though the language of the two articles are add a footnote explaining these standards so that the same. A clear definition of "content data" is businesses and individuals are not intruded upon needed so that it can be differentiated from "traf- 8 unnecessarily. 14 fic data" so that law enforcement has access to specific guidelines when intercepting or record- As previously noted, Articles 20 and 21 provide 5 4 ing data transmissions. for domestic laws that allow law enforcement to The linguistic problems of Articles 20 and 21 monitor, collect and intercept data transmissions. appear small, but when law enforcement is given These articles are analogous to wiretapping and significant surveillance and interception powers surveillance procedures that are already used by without being given sufficient guidelines concern- law enforcement. 1 49 Article 20 provides that signa- ing the intrusiveness of these powers, then defini- tories empower their enforcement authorities to tional arguments are key. Definitions are funda- collect and record traffic data through "technical mental, for the law uses definitions to separate is- means." 
150 Traffic data is defined under Article 1 sues of fact from issues of law.1 55 One cannot le- as "any computer data relating to a communica- gally state that content data is of the type that law tion by means of a computer system, generated by enforcement may have power over if one does not system that formed a part in the the computer know what content data is. And more importantly, indicating the commu- chain of communication, if one cannot define the item that one has power nication's origin, destination, route, time, date, over, then power becomes more centralized and ser- size, duration or type of underlying [network] general and abuse becomes harder to temper. 151 vice." This appears to be an all-encompassing Summarily, Articles 19 through 21 threaten pri- definition. vacy because they lack specific guidelines as to the Article 21 is similar in that authorities will have limits of interception and monitoring. Terms like the same powers over content data, as well as traf- "traffic data" suggest that all data may be inter- 15 2 fic data. The two articles are virtually identical cepted so long as the purpose is to investigate besides their different references to types of data. cybercrime. Terms without definitions simply lack The treaty does not differentiate between the two credibility for they are vague, over-empowering types of data, for it fails to define what "content and do not provide a bright line between issues of data" is. The term "content data" implies that it is fact and issues of law. a subset of "traffic data." Countries that outlaw the transmission or display of certain forms of computer data in the accessed computer system"). to empower its competent authorities to (a) collect or record 147 CDT Comments, supra note 50. through application of technical means on the territory of 148 Id. CDT argues that a government without restraint that Party . . . 
[of] content data, in real-time, of specified by means of a may shut down an ISP or web portal that contains any "seize- communications in its territory transmitted able" records. Id. computer system."). 153 France, Germany and Austria all have laws restricting 149 See Herman Schwartz, The Legitimization of Electronic hate speech and any display of such, especially that relating Order," 67 MICH. L. REV. Eavesdropping: The Politics of "Law and to the Holocaust. See Kathleen E. Mahoney, Hate Speech: Affir- critique of electronic monitor- 455 (1969) (outlining an early mation or Contradictionof Freedom of Expression, 1996 U. ILL. L. ing). REV. 789, 801 (1996); Kenneth Lasson, Holocaust Denial and 150 Cybercrime Treaty Final Draft, supra note 47, at art. the First Amendment: The Quest for Truth in a Free Society, 6 CEo. 20(1) (a) ("Each Party shall adopt such legislative and other MASON L. REV. 35, 72, n. 286 (1997). measures as may be necessary to empower its competent au- 154 See Global Internet Liberty Campaign, supra note 50 (ar- thorities to (a) collect or record through application of tech- guing for more precise definitions of what constitutes "con- nical means on the territory of that Party."). tent data" and "traffic data"). 151 Id. at art. 1(d). 155 Gerard A. Hauser, INTRODUCTION TO RHETORICAL 152 Id. at art. 21(1) ("Each Party shall adopt such legisla- THEORY 82-83 (1986). tive and other measures as may be necessary, in relation to a range of serious offences to be determined by domestic law, COMMLAW CONSPECTUS [Vol. 10

IV. CONCLUSION: THE DRAFT TREATY CANNOT BE SIGNED

Lawrence Lessig states "that there is a decision to be made about the architecture that cyberspace will become, and the question is how that decision will be made. Or better, where will the decision be made."156 This question is being answered all too quickly, and the resounding response is being met with widespread difficulty. Government officials are concerned with the threats of cybercrime and the rising costs of investigation.157 Privacy is not a strong concern.

The chairman of the PC-CY has baldly asserted, "We cannot find an acceptable international standard in terms of privacy as it applies to this treaty."158 In other words, European privacy laws are so diverse that a common ground upon which to agree is difficult. The cybercrime treaty was first implemented because the cyber laws across Europe are so different.

Without specific protections for privacy rights, nations may well enforce new standards of enforcement with little concern for outdated standards on privacy. The Council of Europe and the Department of Justice need to clarify the vague items that remain.159 Although the U.S. has signed the treaty as written, it has not ratified the treaty into law and should not do so without further revision.

156 Lawrence Lessig, The Zones of Cyberspace, 48 STAN. L. REV. 1403, 1411 (1996) (posing several questions about the current unregulation of cyberspace and what the potential bordering of cyberspace may become).
157 Freeh Statement on Cybercrime, supra note 7.
158 Declan McCullagh & Nicholas Morehead, Privacy a Likely Loser in Treaty, WIRED NEWS, at http://www.wired.com/news/print/0,1294,40576,00.html (Dec. 7, 2000) (quoting Henrik Kaspersen of the Council of Europe, chair of the PC-CY, at a panel debate hosted by McConnell International). Henrik Kaspersen has stated that those protesting the treaty either are American lawyers who do not understand European law or "Internet users." It can be assumed that this reference to "Internet users" may mean those people who use sophisticated communications but have sub-par understanding of international issues. This is an interesting comment from a party that is receiving tremendous legal advice from the U.S. DOJ.
159 The DOJ needs to also explain the treaty's impact on U.S. law.