SCN: Convention on Cybercrime
Steve
steve at advocate.net
Mon Dec 3 00:41:19 PST 2001
x-no-archive: yes
==================
(Thomas E. Weber, Wall Street Journal)---Surely you've been
following the activities at the Council of Europe. No? Well, you
aren't the only one. But earlier this year the council completed a
broad international accord known as the Convention on
Cybercrime. The U.S. just signed it, along with more than two
dozen other nations.
If you or your company use the Internet, you should know about
this treaty. If you operate any kind of computer network, you may
find yourself fielding a subpoena or subject to corporate liability
because of it. And if you communicate with others online, your data
could be monitored as part of an international investigation.
For nations that sign it, the accord mandates the criminalization of
a long list of computer activities -- everything from breaking into a
computer to the "deterioration" of computer data, whatever that
means. It also requires countries to make sure they can snoop
through Internet data in real time. And it obliges nations to assist
each other's investigations by monitoring Net communications.
The overarching goal -- clamping down on computer-related crime -
- is laudable. But the cybercrime convention is a broad document,
with plenty of room for interpretation. Will law-enforcement officials
around the globe use it responsibly? Or will Internet users and the
companies that service them find themselves needlessly spied
upon because of far-flung investigations?
The actual document is 25 pages long, and can be found online
(http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm).
As for the council, it dates back to 1949 and has negotiated
international accords on human rights, crime and other issues.
During the accord's development, it drew criticism from high-tech
companies and privacy advocates alike. Companies feared they
would be inundated with subpoenas for computer data as
investigators in other countries made use of the accord. Dealing
with those requests would cost money, and, depending on the kind
of surveillance involved, could strain network systems.
Some concerns were addressed as the treaty was revised.
Originally, Internet-service providers fretted that the treaty might
somehow require them to redesign their systems to build in new
surveillance capabilities. But the convention's final version
modified the surveillance requirements to include only the "existing
technical capability" of service providers.
Even so, the global nature of the accord raises questions,
especially for U.S. companies. The U.S. remains the center of the
Internet. Because of the way the network is designed, it isn't
unusual for an Internet conversation between two parties in other
countries to pass through computers in the U.S. That raises the
possibility that U.S. companies will field surveillance requests
related to all sorts of international investigations.
Opposition from high-tech companies has quieted, partly because
the now-completed convention can no longer be altered, and partly
because it has become much more difficult to criticize law-and-
order measures in the era after Sept. 11. AT&T, which was active
in critiquing the convention while it was being drafted, declined to
discuss it last week.
Senate ratification in the U.S. seems assured, especially in the
current climate. "That has clearly changed the political dynamic,"
says James J. Halpert, an attorney and partner at Piper Marbury
Rudnick & Wolfe who has tracked the treaty's evolution. Also, the
Justice Department has said it doesn't anticipate that new laws
would be needed to meet the convention's requirements because
existing laws already cover the relevant areas.
While privacy advocates have expressed concern that abuse of
the convention could infringe on civil liberties, the treaty has also
produced some general anxiety among programmers.
Read the discussions on Slashdot (slashdot.org) or other high-tech
forums and you'll find that these programmers are hardly in favor of
computer crime. But when it comes to computer-security issues,
the line between research and crime is often blurry, and
programmers don't necessarily trust the courts to decide where
that line should be. Princeton University Prof. Edward Felten, for
instance, has found himself entangled in copyright laws over
research into the security of copy-protection systems.
None of these concerns should undermine the basic thrust of the
cybercrime convention. To combat crime on global networks,
investigators need global tools. Attacks in cyberspace can come
from practically anywhere in the real world, as we saw in the case
of the so-called Love Bug computer virus last year. It apparently
originated in the Philippines, which had no law against malicious
computer software.
But what is perhaps most remarkable is how little attention this
accord attracted as it was being created. "A lot of people's eyes
glaze over when there's a technical issue, and the same goes for a
legal issue," says Mike Godwin, an attorney and longtime activist
on technology issues. "This has got both."
Copyright 2001 Dow Jones & Company, Inc.
* * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * *
. To unsubscribe from this list, send a message to:
majordomo at scn.org In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * * http://www.scn.org/volunteers/scn-l/ * * * * * * *
More information about the scn
mailing list