SCN: Convention on Cybercrime

[Steve]

x-no-archive: yes

==================


(Thomas E. Weber, Wall Street Journal)---Surely you've been 
following the activities at the Council of Europe. No? Well, you 
aren't the only one. But earlier this year the council completed a 
broad international accord known as the Convention on 
Cybercrime. The U.S. just signed it, along with more than two 
dozen other nations.   

If you or your company use the Internet, you should know about 
this treaty. If you operate any kind of computer network, you may 
find yourself fielding a subpoena or subject to corporate liability 
because of it. And if you communicate with others online, your data 
could be monitored as part of an international investigation.   

For nations that sign it, the accord mandates the criminalization of 
a long list of computer activities -- everything from breaking into a 
computer to the "deterioration" of computer data, whatever that 
means. It also requires countries to make sure they can snoop 
through Internet data in real time. And it obliges nations to assist 
each other's investigations by monitoring Net communications.   

The overarching goal -- clamping down on computer-related crime -
- is laudable. But the cybercrime convention is a broad document, 
with plenty of room for interpretation. Will law-enforcement officials 
around the globe use it responsibly? Or will Internet users and the 
companies that service them find themselves needlessly spied 
upon because of far-flung investigations?   

The actual document is 25 pages long, and can be found online 
(http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm). 
As for the council, it dates back to 1949 and has negotiated 
international accords on human rights, crime and other issues.   

During the accord's development, it drew criticism from high-tech 
companies and privacy advocates alike. Companies feared they 
would be inundated with subpoenas for computer data as 
investigators in other countries made use of the accord. Dealing 
with those requests would cost money, and, depending on the kind 
of surveillance involved, could strain network systems.   

Some concerns were addressed as the treaty was revised. 
Originally, Internet-service providers fretted that the treaty might 
somehow require them to redesign their systems to build in new 
surveillance capabilities. But the convention's final version 
modified the surveillance requirements to include only the "existing 
technical capability" of service providers.   

Even so, the global nature of the accord raises questions, 
especially for U.S. companies. The U.S. remains the center of the 
Internet. Because of the way the network is designed, it isn't 
unusual for an Internet conversation between two parties in other 
countries to pass through computers in the U.S. That raises the 
possibility that U.S. companies will field surveillance requests 
related to all sorts of international investigations.   

Opposition from high-tech companies has quieted, partly because 
the now-completed convention can no longer be altered, and partly 
because it has become much more difficult to criticize law-and-
order measures in the era after Sept. 11. AT&T, which was active 
in critiquing the convention while it was being drafted, declined to 
discuss it last week.   

Senate ratification in the U.S. seems assured, especially in the 
current climate. "That has clearly changed the political dynamic," 
says James J. Halpert, an attorney and partner at Piper Marbury 
Rudnick & Wolfe who has tracked the treaty's evolution. Also, the 
Justice Department has said it doesn't anticipate that new laws 
would be needed to meet the convention's requirements because 
existing laws already cover the relevant areas.   

While privacy advocates have expressed concern that abuse of 
the convention could infringe on civil liberties, the treaty has also 
produced some general anxiety among programmers.   

Read the discussions on Slashdot (slashdot.org) or other high-tech 
forums and you'll find that these programmers are hardly in favor of 
computer crime. But when it comes to computer-security issues, 
the line between research and crime is often blurry, and 
programmers don't necessarily trust the courts to decide where 
that line should be. Princeton University Prof. Edward Felten, for 
instance, has found himself entangled in copyright laws over 
research into the security of copy-protection systems.   

None of these concerns should undermine the basic thrust of the 
cybercrime convention. To combat crime on global networks, 
investigators need global tools. Attacks in cyberspace can come 
from practically anywhere in the real world, as we saw in the case 
of the so-called Love Bug computer virus last year. It apparently 
originated in the Philippines, which had no law against malicious 
computer software.   

But what is perhaps most remarkable is how little attention this 
accord attracted as it was being created. "A lot of people's eyes 
glaze over when there's a technical issue, and the same goes for a 
legal issue," says Mike Godwin, an attorney and longtime activist 
on technology issues. "This has got both."  


Copyright 2001 Dow Jones & Company, Inc.





* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *