GLOBAL INTERNET LIBERTY
CAMPAIGN
NEWS
ISSUES
RESOURCES
ABOUT
GILC
Global Internet Liberty Campaign Member Letter
on Council of Europe Convention on Cyber-Crime[en francais] [en espanol] [auf deutsch] [in italiano]
October 18, 2000
Dear Council of Europe Secretary General Walter Schwimmer and COE Committee of Experts on Cyber Crime,
We write to you on behalf of a wide range of civil society organizations from around the world to object to the proposed Convention on Cyber-Crime. We believe that the draft treaty is contrary to well established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct.
Specifically, we object to provisions that will require Internet Service Providers to retain records regarding the activities of their customers. (Articles 17, 18, 24, 25). These provisions pose a significant risk to the privacy and human rights of Internet users and are at odds with well established principles of data protection such as the Data Protection Directive of the European Union. Similar communications transaction information has been used in the past to identify dissidents and to persecute minorities. We urge you not to establish this requirement in a modern communication network. In our view the whole of Article 18 is incompatible with Article 8 of the ECHR and with the jurisprudence of the European Court of Human Rights.
We further object to the conception of "Illegal Devices" set out in Article 6. We believe that this concept lacks sufficient specificity to ensure that it will not become an all-purpose basis to investigate individuals engaged in computer-related activity that is completely lawful. As technical experts have made clear, this provision will also discourage the development of new security tools and give government an improper role in policing scientific innovation.
We also object to the dramatic extension of copyright crimes in the proposed Article 10. It is hardly a settled matter that criminal penalties are the appropriate remedy for copyright infringement, nor do the underlying treaties referenced impose such requirements. New criminal penalties should not be established by international convention in an area where national law is so unsettled. More generally, we disagree with initiatives that allow for mutual assistance without dual-criminality. This requirement is central to preserving the sovereign authority of nations.
Additionally, we believe that clear procedures must be agreed upon in international investigations, and that no law enforcement agency within a different jurisdiction should act on behalf of another nation without clear investigative procedures within its own jurisdiction. Different countries have different procedures, admittedly, but now is the opportunity to harmonize them, on the condition that we assure a high level of consistency on individual rights protections.
The criminal provisions of Articles 9 and 11 could lead to a chilling effect on the free flow of information and ideas. Imposing liability on Internet Service Providers for third party content places an unreasonable burden on providers of new network services and will encourage inappropriate monitoring of private communications.
Article 14 setting out the requirements for search and seizure of stored computer data lacks necessary procedural safeguards to safeguard the rights of the individual and to ensure due process of law. In particular, there is no effort to ensure that an independent judicial review, ensuring the respect of basic freedoms and liberties, occurs before a search by the state is undertaken. Such searches would constitute an "arbitrary interference" under international legal norms.
Articles 14 and 15 could establish a requirement for government access to encryption keys that would compel individuals to incriminate themselves which may well be incompatible with Article 6 of the European Convention on Human Rights and with the jurisprudence of the European Court of Human Rights. We also question the ambiguity that arises within this same article on government access to decryption keys. The Council of Europe should clarify this provision so that member countries do not take the convention to be a mandate for passing legislation allowing for self-incrimination.
We also object in very strong terms to the manner under which this proposal was developed. Police agencies and powerful private interests acting outside of the democratic means of accountability have sought to use a closed process to establish rules that will have the effect of binding legislation. We believe this process violates requirements of transparency and is at odds with democratic decisionmaking.
Privacy experts have made clear their opposition to this proposal. One expert warned that efforts to develop an international convention on "Cyber crime" would lead to "fundamental restrictions on privacy, anonymity and encryption."
Data Protection officials have made clear their opposition to this proposal. The International Working Group on Data Protection in Telecommunications earlier criticized attempts to require maintaining traffic data and recommended improvements in security over new criminal laws.
Technical experts have made clear their opposition to this proposal. A letter from leading security practitioners, educators, and vendors states that "the proposed treaty may inadvertently result in criminalizing techniques and software commonly used to make computer systems resistant to attack" and that the proposed treaty "would adversely impact security practitioners, researchers, and educators."
Now a wide range of organizations representing civil society across the world make clear our opposition to this proposal.
We believe that any proposal to create new investigative and prosecutorial authority should include a careful consideration of articles 8 and 10 of the European Convention on Human Rights and the related jurisprudence of the European Court of Human Rights. We do not believe that these instruments were given adequate consideration in the development of this proposal. Further, we believe that the OECD Cryptography Policy Guidelines and the OECD Guidelines for the Security of Information Systems reflect a more balanced, forward-looking view of the need to promote strong security techniques to reduce the risk of computer crime than the proposal now under consideration.
Finally, the Universal Declaration of Human Rights speaks directly to the obligations of government to protect the privacy of communication and to preserve freedom of expression in new media. Article 12 states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence." Article 19 further states that "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."
We urge you not to approve the treaty proposal at this time. We, the undersigned, are ready to support the CoE with experts in the area to provide a better version of the document, aimed not only at punishing, but also at preventing computer crimes.
Signed,
American Civil Liberties Union (US)
http://www.aclu.org/Associazione per la Libertà nella Comunicazione Elettronica Interattiva (IT)
http://www.alcei.it/Bits of Freedom (NL)
http://www.bof.nl/Canadian Journalists for Free Expression (CA)
http://www.cjfe.org/Center for Democracy and Technology (US)
http://www.cdt.org/Computer Professional for Social Responsibility (US)
http://www.cpsr.org/Cyber-Rights & Cyber-Liberties (UK)
http://www.cyber-rights.org/Derechos Human Rights (US)
http://www.derechos.org/Digital Freedom Network (US)
http://www.dfn.org/Electronic Frontier Foundation (US)
http://www.eff.org/Electronic Frontiers Australia (AU)
http://www.efa.org.au/Electronic Privacy Information Center (US)
http://www.epic.org/Equipo Nizkor (ES)
http://www.derechos.org/nizkor/Feminists Against Censorship (UK)
http://fiawol.demon.co.uk/FAC/FITUG e.V. (DE)
http://www.fitug.de/Human Rights Network (RU)
http://www.hro.org/Internet Freedom (UK)
http://www.netfreedom.org/Internet Society - Bulgaria (BG)
http://www.isoc.bg/Internet Society
http://www.isoc.org/IRIS - Imaginons un réseau Internet solidaire (FR)
http://www.iris.sgdg.org/Kriptopolis (ES)
http://www.kriptopolis.com/Liberty (UK)
http://www.liberty-human-rights.org.uk/The Link Centre, Wits University, Johannesburg (ZA)
http://link.wits.ac.za/NetAction (US)
http://www.netaction.org/Netwokers against Surveillance Taskforce (JP)
http://www.jca.apc.org/Opennet
http://www.opennet.org/Privacy International (UK)
http://www.privacyinternational.org/quintessenz (AT)
http://www.quintessenz.at/Verein für Internet Benutzer (AT)
http://www.vibe.at/XS4ALL (NL)
http://www.xs4all.nl/
[If your organization would like to help stop the Council of Europe Convention on Cyber-Crime, please send an email to gilc@gilc.org stating your support for this statement. Your organization will be added to the following list.]
Other Signatories
Association for Computing Machinery (International)
http://www.acm.org/CryptoRights Foundation (US)
http://www.cryptorights.org/Digital Rights (DK)
http://www.digitalrights.dkFoundation for Information Policy Research (UK)
http://www.fipr.org/PGP en Français (FR)
http://www.geocities.com/SiliconValley/Bay/9648/Also see: Liste des signatures d'organisations françaises http://www.iris.sgdg.org/actions/cybercrime/sign-coe.html
Reference Documents
COE Convention on Cyber-Crime (draft)
http://conventions.coe.int/treaty/EN/projets/cybercrime.docCOE Convention for the Protection of Human Rights and Fundamental Freedoms
http://www.coe.fr/eng/legaltxt/5e.htmCOE Conventions - Background
http://conventions.coe.int/treaty/EN/cadreintro.htmIAB/IESG Statement on Wassenaar Arrangement
http://www.iab.org/iab/121898.txtIETF Policy on Wiretapping (RFC 2804)
ftp://ftp.isi.edu/in-notes/rfc2804.txtIRIS Dossier cybercriminalité
http://www.iris.sgdg.org/actions/cybercrime/OECD Cryptography Policy Guidelines (1997)
http://www.oecd.org//dsti/sti/it/secur/prod/e-crypto.htmOECD Guidelines for the Security of Information Systems (1992) http://www.oecd.org//dsti/sti/it/secur/prod/e_secur.htm
Privacy International Cyber-Crime Page
http://www.privacyinternational.org/issues/cybercrime/Security Focus Commentary on COE Convention
http://www.securityfocus.com/news/39Statement of Concern from Technology Professionals on Proposed COE Convention on Cyber-Crime
http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.htmlUniversal Declaration of Human Rights
http://www.un.org/Overview/rights.html
News Coverage
"Police Treaty a Global Invasion?", Wired News, 17 Oct 2000.
"Coalition slams cybercrime treaty", ZDNet, 18 Oct 2000.
"GILC Urge Europe Over Cybercrime Treaty", Newsbytes, 18 Oct 2000.
"Human rights groups slam cyber crime pact", IDG News Service Berlin, 18 Oct 2000.
"Computer crime treaty threatens human rights", ZDNet UK, 19 Oct 2000.
"Pas touche à mon disque dur!", Libération, 19 Oct 2000.
"Mobilisation générale autour d'un projet de traité de lutte contre la cyber criminalité", Internet Actu Flash, 20 Oct 2000.
"Traité cybercrime: les ONG font de la résistance", ZDNet France, 20 Oct 2000.
"www.gilc.org", Le Monde Interactif, 20 Oct 2000.
"Cybercriminalité: Le G8 de Berlin sous le feu des associations Internet", 01net, 23 Oct 2000.
"European council moves Net crime treaty forward", CNET, 20 November 2000.