8/3. The Senate ratified by unanimous consent without amendment Treaty 108-11, which is titled "Council of Europe Convention on Cybercrime". This convention requires the nations that are parties to it to enact laws criminalizing certain activity in the nature of computer hacking, and other cyber crimes.

However, the convention also requires the parties to enact numerous laws related to criminal procedure, search and seizure, electronic intercepts, and data retention, that will broadly increase governmental powers.

Also, the use of these powers is not limited to investigation and prosecution in cyber crime cases. The procedural provisions apply not only to cyber crime matters, but also to any "criminal offences committed by means of a computer system", and to the "collection of evidence in electronic form of a criminal offence".

Two other characteristics of the convention are that it requires mutual assistance, and has no dual criminality provision. Thus, the U.S. is obligated to compel search and seizure, data retention, and intercept assistance from U.S. service providers, in order to surveil a person in the U.S., at the demand of a foreign government, when the person's activity is a crime in that foreign country, but legal conduct in the U.S.

The Council of Europe (COE) maintains a web page with a table listing the nations that have signed the convention, those that have ratified it, and those for which it is in effect. The U.S. is not a member of the COE. However, the U.S., like other nonmembers Japan and Canada, signed the convention back in 2001.

At present, the threat posed by the lack of a dual criminality restriction in mitigated by the circumstance that most of the nations that have ratified, or merely signed, the convention are democracies with mature legal systems, or emerging democracies. In particular, the People's Republic of China has not signed the convention.

However, many European nations criminalize as hate speech certain conduct which is Constitutionally protected free speech in the U.S. In addition, the United Kingdom has an Official Secrets Act which criminalizes some conduct that is Constitutionally protected in the U.S.

U.S. government officials have long asserted that the convention will not require the U.S. to change any of its laws. Attorney General Alberto Gonzales reiterated this assertion on August 3.

Gonzales (at right) stated in a release that "The Cybercrime Convention -- the first of its kind -- will be a key tool for the United States in fighting global, information-age crime. This treaty provides important tools in the battles against terrorism, attacks on computer networks, and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence. The Convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws."

Sen. Richard Lugar (R-IN), the Chairman of the Senate Foreign Relations Committee (SFRC), issued a release that states that "American law is already in compliance with the Convention, so no implementing legislation is required. The United States would be a major beneficiary of the Convention, because foreign partners would be obligated to raise their capacity to fight international computer crime to standards already met by the United States."

Sen. Lugar stated in this release that "it will enhance our ability to cooperate with foreign governments in fighting terrorism, computer hacking, money laundering, and child pornography, among other crimes. Given the global nature of the internet, the only way we can combat these problems effectively is through cooperation with other governments".

The Business Software Alliance (BSA) issued a release praising the Senate for ratifying this convention, and Sen. Lugar and Sen. Joe Biden (D-DE), the ranking Democrat on the SFRC, for their efforts.

The BSA stated that "While the Convention does not change U.S. policy, the agreement will help domestic agencies in their international efforts by minimizing obstacles to international cooperation that currently impede U.S. investigations and prosecutions of computer-related crimes."

The BSA added that "The United States will become the 16th of the 43 signatory countries to have completed the ratification process and become full participants in the Convention."

Similarly, the Information Technology Association of America (ITAA) praised the ratification in a release.

The drafting of the convention was completed in 2001. The U.S. signed it on November 23, 2001. It was transmitted to the Senate on November 17, 2003. The SFRC held a hearing on June 17, 2004. The SFRC approved the treaty on July 26, 2005. See, story titled "The Senate Committee Approves Cybercrime Treaty" in TLJ Daily E-Mail Alert No. 1,183, July 27, 2005. The SFRC reported the convention on November 9, 2005, with 6 reservations and 5 declarations. See, Senate Executive Report No. 109-6 [PDF], published in the Congressional Record, November 9, 2005, at Page S12606.

One of the declarations in the Senate Executive Report is that "current United States federal law fulfills the obligations of Chapter II of the Convention for the United States. Accordingly, the United States does not intend to enact new legislation to fulfill its obligations under Chapter II." (Chapter II includes both the substantive criminal law provisions, and the procedural provisions.)

Committee Hearing. The SFRC held one hearing on this treaty, on June 17, 2004. The Committee heard from only government witnesses who support the convention. There were no representatives of industry, and no privacy or civil liberties advocates, on the witness panel.

Bruce Swartz, a Deputy Assistant Attorney General in the DOJ's Criminal Division, wrote in his prepared testimony [PDF] that this treaty requires the parties "Parties to criminalize ``classic´´ computer crime offenses – such as unauthorized intrusions into computer systems; unauthorized interception and monitoring of computerized communications; attacks on computers and computer systems, such as denial of service attacks, or attacks using computer viruses or worms; and the misuse of devices, such as passwords or access codes, to commit offenses involving computer systems. Parties must further prohibit the carrying out of a number of more traditional crimes committed by means of a computer system, such as forgery, fraud, the production, advertisement, and distribution of child pornography, and copyright piracy."

He added that its also requires the parties "to have the power -- on an expedited basis -- to preserve and disclose stored computer data, including traffic data, to compel the production of electronic evidence by ISPs, to search and seize computers and data, and to collect traffic data and content in real time. These powers and procedures are already provided for under U.S. law, and have proved invaluable to many investigations."

Samuel Witten of the Department of State added in his prepared testimony [PDF] that "The Convention would not require implementing legislation for the United States."

Summary of the Convention. Articles 2 through 13 of the convention require the parties to enact laws that criminalize various types of activities commonly understood to be cyber crimes, such as unauthorized access to computers, damaging data on computers, intercepting data, hindering computer systems, and creating inauthentic data.

It also requires the parties to enact laws related to the protection of intellectual property rights (at Article 10).

Then, Articles 14 through 21 require the parties to enact laws related to government powers to conduct searches and seizures of computers and data, compel data retention, conduct intercepts.

Finally, the convention requires the parties to cooperate and provide mutual assistance to other governments in the areas of data retention, search and seizure of data, electronic intercepts, and other procedures.

Data Retention. The convention provides, at Article 16, that "Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification."

It continues that "the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed."

Moreover, the parties shall adopt legislation that requires the custodian of "the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law."

Search and Seizure of Data. The convention requires, at Article 18 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order ... a person in its territory to submit specified computer data in that person's possession or control, which is stored in a computer system or a computer-data storage medium ..."

It provides at Article 19 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to search or similarly access ... a computer system or part of it and computer data stored therein; and ... a computer-data storage medium in which computer data may be stored ..."

It also provides that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to seize or similarly secure computer data accessed according to paragraphs 1 or 2. These measures shall include the power to ... seize or similarly secure a computer system or part of it or a computer-data storage medium; ... make and retain a copy of those computer data ..."

Electronic Intercepts and Other Surveillance. It provides at Article 20 that "Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to ... compel a service provider ... to collect or record ... traffic data, in real-time, associated with specified communications in its territory transmitted by means of a computer system ..."

It provides, at Article 21, that "Each Party shall adopt such legislative and other measures as may be necessary ... to empower its competent authorities to ... compel a service provider ... to collect or record through the application of technical means ... or ... to co-operate and assist the competent authorities in the collection or recording of ... content data, in real-time, of specified communications in its territory transmitted by means of a computer system ..."

Moreover, it provides that "Each Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information relating to it ..."

Attorney General Gonzales asserted that all of the above quoted provisions are "in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws". Sen. Lugar stated that "American law is already in compliance". The SFRC's report states that U.S. law is in compliance. Hence, to the extent that the U.S. Code and case law may not incorporate all of the above quoted requirements, it appears unlikely that the Congress would enact any legislation in the near future to bring U.S. statutory law into compliance.

Criticism of the Convention. Parts of the treaty have long been criticized by representatives of some groups, such as the Center for Democracy and Technology (CDT), Electronic Privacy Information Center (EPIC), and the American Civil Liberties Union (ACLU) for its language regarding data retention, intercepts, search and seizure and government surveillance. They have argued that the treaty will harm privacy rights. See, TLJ story titled "COE Cyber Crime Treaty Debated", December 11, 2000.

On July 26, 2005, Marc Rotenberg and Cedric Laurent of the EPIC wrote a letter [PDF] to Sen. Lugar in which they stated that "The treaty would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards, and specifically lacking judicial review and probable cause determinations required under the Fourth Amendment."

They added that "A significant number of provisions grant sweeping investigative powers of computer search and seizure and government surveillance of voice, e-mail, and data communications in the interests of law enforcement agencies, but are not counterbalanced by accompanying protections of individual rights or limit on governments' use of these powers."

The House will next meet at 2:00 PM on Wednesday, September 6. See, Republican Whip Notice.

The Senate will next meet at 11:00 AM on Tuesday, September 5.

8:30 AM - 12:30 PM. The U.S.-China Economic and Security Review Commission will hold a hearing titled "China's Energy Security". See, notice in the Federal Register, July 20, 2006, Vol. 71, No. 139, at Pages 41316-41317. Location: Room 385, Russell Building, Capitol Hill.

10:00 AM. The U.S. Court of Appeals (FedCir) will hear oral argument in Overstock.com, Inc. v. Furnace Brook, LLC, a patent case involving personal jurisdiction. Furnace Brook bought a patent at a bankruptcy auction. It did not practice it. It sent cease and desist letters to other companies, alleging infringement, and seeking licensing fees. One recipient, Overstock.com, filed a complaint in U.S. District Court (DUtah) seeking a declaration that it did not infringe the patent. The Federal Circuit has held that sending a cease and desist letter into a state does not give rise to personal jurisdiction over the sender in that state. The District Court dismissed for lack of personal jurisdiction. However, the District Court also held that Furnace Brook is a "patent troll". See, opinion [PDF]. This is App. Ct. No. 2006-1121, and D.C. No. 2:05-CV-00679 PGC. Location: Courtroom 201, 717 Madison Place, NW.

2:00 - 4:00 PM. The American Enterprise Institute (AEI) will host a discussion of the book titled "Spoiling for a Fight: The Rise of Eliot Spitzer" [Amazon]. The speakers will be Brooke Masters (author), Michael Greve (AEI), and Judge William Pryor (U.S. Court of Appeals for the 11th Circuit). See, notice. Location: 12th floor, 1150 17th St., NW.

The Federal Communications Commission (FCC) will conduct a mock auction for Auction 66. This is the auction of Advance Wireless Services (AWS) licenses in the 1710-1755 MHz and 2110-2155 MHz (AWS-1) bands. See also, notice in the Federal Register, June 2, 2006, Vol. 71, No. 106, at Pages 32089-32091.

Deadline to submit comments to the National Institute of Standards and Technology (NIST) regarding its Draft Special Publication 800-100 [huge Zipped PDF] titled "Information Security Handbook: A Guide for Managers".

10:00 AM. Federal Communications Commission (FCC) Commissioner Robert McDowell will host an event titled "briefing for members of the media". RSVP to Clyde Ensslin at clyde dot ensslin at fcc dot gov or 202-418-0506. Location: Conference Room 5, 8th Floor, FCC Headquarters, 445 12th St., SW.

Deadline to submit to the Internal Revenue Service (IRS) outlines of topics to be discussed at the IRS's public hearing on August 29, 2006, regarding its notice of proposed rule making pertaining to the application of 26 U.S.C. § 199, which provides a deduction for income attributable to domestic production activities, to certain transactions involving computer software. See, notice in the Federal Register, June 1, 2006, Vol. 71, No. 105, at Pages 31128-31129.

The Federal Communications Commission (FCC) will commence Auction 66. This is the auction of Advance Wireless Services (AWS) licenses in the 1710-1755 MHz and 2110-2155 MHz (AWS-1) bands. See also, notice in the Federal Register, June 2, 2006, Vol. 71, No. 106, at Pages 32089-32091.

Day one of a three day continuing legal education (CLE) seminar hosted by the American Intellectual Property Law Association (AIPLA) titled "Practical Patent Prosecution for New Lawyers". See, notice [PDF]. For more information, call 703-415-0780. Location: Hilton Crystal City, 2399 Jefferson Davis Highway, Arlington, VA.

Day two of a three day continuing legal education (CLE) seminar hosted by the American Intellectual Property Law Association (AIPLA) titled "Practical Patent Prosecution for New Lawyers". See, notice [PDF]. For more information, call 703-415-0780. Location: Hilton Crystal City, 2399 Jefferson Davis Highway, Arlington, VA.

Day three of a three day continuing legal education (CLE) seminar hosted by the American Intellectual Property Law Association (AIPLA) titled "Practical Patent Prosecution for New Lawyers". See, notice [PDF]. For more information, call 703-415-0780. Location: Hilton Crystal City, 2399 Jefferson Davis Highway, Arlington, VA.

8/3. President Bush signed and released a notice titled "Continuation of Emergency Regarding Export Control Regulations". He issues a similar notice every year at about this time to maintain in effect the export regulations of the Bureau of Industry and Security (BIS).

There was once a statute titled the Export Administration Act. It expired in 2001. Some members of the House and Senate worked on enacting replacement legislation several years ago. However, no replacement bill was enacted, and there is little legislative activity now on this subject.

Meanwhile, the BIS, which was formerly named the Bureau of Export Administration (BXA), continues to revise and enforce implementing regulations. These regulations pertain to, among other things, exports and "deemed exports" of dual use items, such as computers, software, and encryption products. These regulations also regulate employment in some situations.

The just released notice states that "On August 17, 2001, consistent with the authority provided me under the International Emergency Economic Powers Act (50 U.S.C. 170l et seq.), I issued Executive Order 13222. In that order, I declared a national emergency with respect to the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States in light of the expiration of the Export Administration Act of 1979, as amended (50 U.S.C. App. 2401 et seq.). Because the Export Administration Act has not been renewed by the Congress, the national emergency declared on August 17, 2001, must continue in effect beyond August 17, 2006. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency declared in Executive Order 13222."

See also, President Bush's letter to the Speaker of the House and the President of the Senate.

8/2. President Bush nominated Roslynn Mauskopf to be a Judge of the U.S. District Court for the Eastern District of New York. See, White House release.

8/2. President Bush nominated Liam O'Grady to be a Judge of the U.S. District Court for the Eastern District of Virginia. O'Grady is currently a Magistrate Judge in the Alexandria Division. See, White House release.

8/2. President Bush nominated Lawrence O'Neill to be a Judge of the U.S. District Court for the Eastern District of California. See, White House release.

8/1. The Progress and Freedom Foundation (PFF) released a short paper titled "Saving Online Free Speech: A Voluntary Code of Conduct for Internet Operators". The author is Adam Thierer.

8/1. The National Institute of Standards and Technology's (NIST) Computer Security Division released a draft [ZIP] of Special Publication (SP) 800-69, titled "Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. See also, summary. This document provides guidance to telecommuting employees and those who maintain home offices and use Windows XP Home Edition. The deadline to submit comments is August 31, 2006.

7/28. The National Institute of Standards and Technology's (NIST) Computer Security Division released a draft [11 pages in PDF] of Special Publication 800-96, titled "PIV Card / Reader Interoperability Guidelines". The deadline to submit comments is 5:00 PM on August 11, 2006.

7/26. The National Institute of Standards and Technology's (NIST) Computer Security Division released a draft [159 pages in PDF] of Special Publication 800-53, Revision 1 (Second Public Draft), titled "Recommended Security Controls for Federal Information Systems". The deadline to submit comments is August 25, 2006.

Tech Law Journal publishes a free access web site and subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year. However, there are discounts for subscribers with multiple recipients. Free one month trial subscriptions are available. Also, free subscriptions are available for journalists, federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until one month after writing. See, subscription information page.

Contact: 202-364-8882.
P.O. Box 4851, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998 - 2006 David Carney, dba Tech Law Journal. All rights reserved.