8/3. The Senate ratified by unanimous consent without amendment
which is titled "Council of Europe Convention on Cybercrime". This convention
requires the nations that are parties to it to enact laws criminalizing certain activity
in the nature of computer hacking, and other cyber crimes.
However, the convention also requires the parties to enact numerous laws related to
criminal procedure, search and seizure, electronic intercepts, and data retention, that
will broadly increase governmental powers.
Also, the use of these powers is not limited to investigation and prosecution in cyber
crime cases. The procedural provisions apply not only to cyber crime matters, but also to
any "criminal offences committed by means of a computer system", and to the
"collection of evidence in electronic form of a criminal offence".
Two other characteristics of the convention are that it requires mutual assistance, and
has no dual criminality provision. Thus, the U.S. is obligated to compel search and seizure,
data retention, and intercept assistance from U.S. service providers, in order to surveil
a person in the U.S., at the demand of a foreign government, when the person's activity
is a crime in that foreign country, but legal conduct in the U.S.
The Council of Europe (COE) maintains a
web page with a table listing the nations that have signed the convention,
those that have ratified it, and those for which it is in effect. The U.S. is
not a member of the COE. However, the U.S., like other nonmembers Japan and
Canada, signed the convention back in 2001.
At present, the threat posed by the lack of a dual criminality restriction in
mitigated by the circumstance that most of the nations that have ratified, or
merely signed, the convention are democracies with mature legal systems, or emerging
democracies. In particular, the People's Republic of China has not signed the convention.
However, many European nations criminalize as hate speech certain conduct
which is Constitutionally protected free speech in the U.S. In addition, the
United Kingdom has an Official Secrets Act which criminalizes some conduct that
is Constitutionally protected in the U.S.
U.S. government officials have
long asserted that the convention will not require the U.S. to change any of its
laws. Attorney General Alberto Gonzales reiterated this assertion on August 3.
Gonzales (at right) stated
in a release
that "The Cybercrime Convention -- the first of its kind -- will be a key
tool for the United States in fighting global, information-age crime. This
treaty provides important tools in the battles against terrorism, attacks on
computer networks, and the sexual exploitation of children over the Internet, by
strengthening U.S. cooperation with foreign countries in obtaining electronic
evidence. The Convention is in full accord with all U.S. constitutional
protections, such as free speech and other civil liberties, and will require no
change to U.S. laws."
Sen. Richard Lugar (R-IN), the Chairman of the
Senate Foreign Relations Committee (SFRC), issued
a release that
states that "American law is already in compliance with the Convention, so no
implementing legislation is required. The United States would be a major beneficiary of the
Convention, because foreign partners would be obligated to raise their capacity to fight
international computer crime to standards already met by the United States."
Sen. Lugar stated in this release that "it will enhance our ability to
cooperate with foreign governments in fighting terrorism, computer hacking,
money laundering, and child pornography, among other crimes. Given the global
nature of the internet, the only way we can combat these problems effectively is
through cooperation with other governments".
The Business Software Alliance (BSA) issued a
release praising the Senate for ratifying this convention, and Sen. Lugar and
Sen. Joe Biden (D-DE), the ranking Democrat on
the SFRC, for their efforts.
The BSA stated that "While the Convention does not change U.S. policy, the
agreement will help domestic agencies in their international efforts by minimizing
obstacles to international cooperation that currently impede U.S. investigations and
prosecutions of computer-related crimes."
The BSA added that "The United States will become the 16th of the 43 signatory
countries to have completed the ratification process and become full participants in the
Similarly, the Information Technology Association of
America (ITAA) praised the ratification in a release.
The drafting of the convention was completed in 2001. The U.S. signed it on November
23, 2001. It was transmitted to the Senate on November 17, 2003. The SFRC held a hearing
on June 17, 2004. The SFRC approved the treaty on July 26, 2005. See, story titled "The
Senate Committee Approves Cybercrime Treaty" in
TLJ Daily E-Mail
Alert No. 1,183, July 27, 2005. The SFRC reported the convention on November
9, 2005, with 6 reservations and 5 declarations. See,
Senate Executive Report No. 109-6 [PDF], published in the Congressional
Record, November 9, 2005, at Page S12606.
One of the declarations in the Senate Executive Report is that "current United
States federal law fulfills the obligations of Chapter II of the Convention for the United
States. Accordingly, the United States does not intend to enact new legislation to fulfill
its obligations under Chapter II." (Chapter II includes both the substantive criminal
law provisions, and the procedural provisions.)
Committee Hearing. The SFRC held one hearing on this treaty, on June
17, 2004. The Committee heard from only government witnesses who support the
convention. There were no representatives of industry, and no privacy or civil
liberties advocates, on the witness panel.
Bruce Swartz, a Deputy Assistant Attorney General in the DOJ's Criminal Division, wrote
prepared testimony [PDF] that this treaty requires the parties "Parties to
criminalize ``classic´´ computer crime offenses – such as unauthorized
intrusions into computer systems; unauthorized interception and monitoring of
computerized communications; attacks on computers and computer systems, such as
denial of service attacks, or attacks using computer viruses or worms; and the
misuse of devices, such as passwords or access codes, to commit offenses
involving computer systems. Parties must further prohibit the carrying out of a
number of more traditional crimes committed by means of a computer system, such
as forgery, fraud, the production, advertisement, and distribution of child
pornography, and copyright piracy."
He added that its also requires the parties "to have the power -- on an expedited
basis -- to preserve and disclose stored computer data, including traffic data, to compel
the production of electronic evidence by ISPs, to search and seize computers and data, and
to collect traffic data and content in real time. These powers and procedures are already
provided for under U.S. law, and have proved invaluable to many investigations."
Samuel Witten of the Department of State added in his
testimony [PDF] that "The Convention would not require implementing legislation
for the United States."
Summary of the Convention. Articles 2 through 13 of the convention require the
parties to enact laws that criminalize various types of activities commonly understood to
be cyber crimes, such as unauthorized access to computers, damaging data on computers,
intercepting data, hindering computer systems, and creating inauthentic data.
It also requires the parties to enact laws related to the protection of
intellectual property rights (at Article 10).
Then, Articles 14 through 21 require the parties to enact laws related to
government powers to conduct searches and seizures of computers and data, compel
data retention, conduct intercepts.
Finally, the convention requires the parties to cooperate and provide mutual
assistance to other governments in the areas of data retention, search and
seizure of data, electronic intercepts, and other procedures.
Data Retention. The convention provides, at Article 16, that "Each
Party shall adopt such legislative and other measures as may be necessary to
enable its competent authorities to order or similarly obtain the expeditious
preservation of specified computer data, including traffic data, that has been
stored by means of a computer system, in particular where there are grounds to
believe that the computer data is particularly vulnerable to loss or modification."
It continues that "the Party shall adopt such legislative and other measures
as may be necessary to oblige that person to preserve and maintain the integrity
of that computer data for a period of time as long as necessary, up to a maximum
of ninety days, to enable the competent authorities to seek its disclosure. A
Party may provide for such an order to be subsequently renewed."
Moreover, the parties shall adopt legislation that requires the custodian of
"the computer data to keep confidential the undertaking of such procedures for
the period of time provided for by its domestic law."
Search and Seizure of Data. The convention requires, at Article 18
that "Each Party shall adopt such legislative and other measures as may be
necessary to empower its competent authorities to order ... a person in its
territory to submit specified computer data in that person's possession or control, which
is stored in a computer system or a computer-data storage medium ..."
It provides at Article 19 that "Each Party shall adopt such legislative and
other measures as may be necessary to empower its competent authorities to
search or similarly access ... a computer system or part of it and computer data
stored therein; and ... a computer-data storage medium in which computer data
may be stored ..."
It also provides that "Each Party shall adopt such legislative and other
measures as may be necessary to empower its competent authorities to seize or
similarly secure computer data accessed according to paragraphs 1 or 2. These
measures shall include the power to ... seize or similarly secure a computer
system or part of it or a computer-data storage medium; ... make and retain a
copy of those computer data ..."
Electronic Intercepts and Other Surveillance. It provides at Article
20 that "Each Party shall adopt such legislative and other measures as may be
necessary to empower its competent authorities to ... compel a service provider
... to collect or record ... traffic data, in real-time, associated with
specified communications in its territory transmitted by means of a computer
It provides, at Article 21, that "Each Party shall adopt such legislative and
other measures as may be necessary ... to empower its competent authorities to
... compel a service provider ... to collect or record through the application
of technical means ... or ... to co-operate and assist the competent authorities
in the collection or recording of ... content data, in real-time, of specified
communications in its territory transmitted by means of a computer system ..."
Moreover, it provides that "Each Party shall adopt such legislative and other
measures as may be necessary to oblige a service provider to keep confidential
the fact of the execution of any power provided for in this article and any
information relating to it ..."
Attorney General Gonzales asserted that all of the above quoted provisions
are "in full accord with all U.S. constitutional protections, such as free
speech and other civil liberties, and will require no change to U.S. laws".
Sen. Lugar stated that "American law is already in compliance". The SFRC's
report states that U.S. law is in compliance. Hence, to the extent that the U.S.
Code and case law may not incorporate all of the above quoted requirements, it
appears unlikely that the Congress would enact any legislation in the near
future to bring U.S. statutory law into compliance.
Criticism of the Convention. Parts of the treaty have long been criticized by
representatives of some groups, such as the Center for
Democracy and Technology (CDT), Electronic Privacy
Information Center (EPIC), and the American Civil Liberties Union (ACLU) for its
language regarding data retention, intercepts, search and seizure and government
surveillance. They have argued that the treaty will harm privacy rights. See, TLJ
"COE Cyber Crime Treaty Debated", December 11, 2000.
On July 26, 2005, Marc Rotenberg and Cedric Laurent of the EPIC wrote a
letter [PDF] to
Sen. Lugar in which they stated that "The treaty would create invasive
investigative techniques while failing to provide meaningful privacy and civil
liberties safeguards, and specifically lacking judicial review and probable
cause determinations required under the Fourth Amendment."
They added that "A significant number of provisions grant sweeping investigative
powers of computer search and seizure and government surveillance of voice, e-mail, and
data communications in the interests of law enforcement agencies, but are not
counterbalanced by accompanying protections of individual rights or limit on governments'
use of these powers."