Cybercrime treaty flawed, but needed
Mark Rasch, 2001-07-23

It may be controversial, but the COE treaty is desperately needed to battle global cybercrime.

In June 2001, the Council of Europe (COE), meeting in Strasbourg, adopted the latest iteration of the proposal to establish a continent-wide agreement on cybercrime. While the proposal has some flaws -- most notably in the areas of protection of individual privacy and the creation of a new crime of "possession of hacker tools" -- I believe it is a generally moderate proposal, which is necessary to assist governments in protecting their citizens from criminal activity in the new electronic frontier.

The treaty, if ratified and adopted by member nations, is not self-enforcing. It would require each member nation to pass domestic implementing legislation to effectuate its purposes. In some cases, the provisions of the treaty may be in contravention of local law, policy or even constitutional protections, and it can be assumed that the version of the law passed by Great Britain may differ markedly from that passed by, for example, Greece.

Nevertheless, the basic principles espoused in the law should be reflected in the implementing legislation in all nations. These principles relate to (1) substantive law of cybercrime; (2) procedural law related to cybercrime; and (3) law enforcement and investigative powers for investigating cybercrime.

The Problem of Cybercrime
The first problem confronting legislatures dealing with cybercrime is a definitional one. Computer-related offenses, more so than other offenses, seem to resist definition. Even such mundane terms as "computer," "access," "authorization" or "virus" resist the type of precise definition essential to the formulation of a criminal proscription. Defined too narrowly, a range of criminal conduct may go unpunished. Defined too broadly, protected activity is chilled.

Legislatures faced with this problem have erred both ways. The COE Cybercrime treaty is an effort to take the experiences of the various legislatures that have attempted to define the problem of cybercrime and harmonize international laws so that a hacker who attacks a computer system from Wales may not escape prosecution because the conduct is not an offense in Warsaw.

Harmonization of law is particularly important in this arena because of the trans-national scope of cybercrime.

When a hacker from Singapore launched a computer worm called the "Love Bug" that infected and affected computers across the globe, he was spared punishment because of the lack of effective domestic legislation in Singapore. Similarly, Jose Ardita from Argentina escaped serious punishment in the mid 1990s for hacking through computers at Harvard University in Cambridge, Massachusetts.

Harmonization of computer crime laws protects both potential victims of cyber attacks and potential perpetrators, who may otherwise face the risk of being hauled into a remote court to face charges for conduct that is not a crime in the country in which they reside.

To the extent that all member nations (and possibly non-member nations) harmonize their laws on computer related crime, the certainty provided will help combat computer crimes.

Burglar's tools
The EU cybercrime treaty generally adopts the approaches taken by the United States in the Computer Fraud and Abuse Act of 1986, Title 18 United States Code Section 1030, and by the U.K. Computer Misuse Act. It calls on member states to adopt laws to punish unauthorized access to computers; unauthorized damage to, alteration of information in, or disruption of service to computers or computer systems; and the unauthorized interception of electronic communications.

While the principles are straightforward, the specific legislation may not be free from controversy, with debates likely to continue on definitions of authorization, exceeding scopes of authorization (e.g., violating corporate or governmental policies on the use of computers), and rights of employers, ISPs, governments or others to monitor electronic communications with or without consent. These debates are likely to rage not in the respective legislatures, but in the courts for years to come.

One provision likely to cause controversy is the provision that calls on member states to outlaw the trafficking and possession of devices primarily designed for unauthorized access to computer systems. This provision -- the so-called "burglar's tools" provision -- has no analogue in the computer crime legislation of the United States or Great Britain. Similar efforts to insert a hacker's tools provision in the Digital Millennium Copyright Act of 1998, which implemented the World Intellectual Property Organization (WIPO) IP regulations, were successfully fought in the U.S. Congress.

Such legislation, if inartfully drafted or zealously enforced, could preclude the manufacture, distribution, or use of tools that, while designed by hackers, can effectively be used by system administrators to test the security of their own systems. It is the intent of the developer, transferor or user of the tool that should govern criminality, not the design of the tool itself.

To combat this problem, a new section was added providing that there would be no criminal liability where the tools are possessed or manufactured "not for the purpose of committing an offence," "such as for the authorized testing or protection of a computer system," along with a provision that permits member states to "opt out" of the burglar's tools section.

Another controversial provision in the treaty requires that member states criminalize the electronic distribution of child pornography, including "realistic images representing a minor engaged in sexually explicit conduct." This "virtual child pornography" provision, a feature of U.S. law since 1996, may conflict with constitutional free speech protections as it applies to the distribution of non-obscene, protected expression of non-minors who simply appear to be minors. At least one U.S. court has found such application unconstitutional. Because treaties are the supreme law of the land, it is possible that, if the United States were to adopt this provision in its entirety, it could restrict what might otherwise be considered free speech.

The treaty also explicitly provides for liability for conspiracy, aiding and abetting and corporate criminal liability for computer offenses -- long established in common law and in the United States, but not universally accepted among civil law nations in Europe.

Streamlined evidence gathering
The Cybercrime treaty also contains a series of procedural components that are intended to streamline the process of obtaining evidence related to computer crime. Because of the trans-national nature of the offenses, the ephemeral nature of electronic evidence, and the fact that such evidence is likely to be in the custody of victims, ISPs, and governments as well as perpetrators of cybercrime, the EU Parliament felt it necessary to streamline the process for obtaining evidence across sovereign boundaries.

The old method of obtaining evidence across borders was for the "competent authority" of one nation -- usually the ministry of Justice -- to make a request under a "letters rogatory" of the competent authority of the requested nation (frequently a court or quasi-judicial body) for assistance with subpoenas, interviews, documents, or other compulsory process.

The process, slow and cumbersome in the best of circumstances, could delay an ongoing investigation by months or years -- an eternity in cybercrime cases. While the more streamlined M-LAT process -- a request from one law enforcement agency to a sister agency for Mutual Assistance in Legal Affairs -- was faster and more efficient, not all nations have adopted such bilateral treaties, particularly with respect to the relatively new problem of cybercrime.

The treaty attempts to deal with this by permitting the extradition of suspects from one nation to another, and by permitting one nation to request that relevant evidence be secured and protected in a foreign country. It also permits law enforcement agencies to request that ISPs preserve the generally ephemeral electronic evidence, and produce such evidence in response to an appropriate demand or request, such as a judicial subpoena.

Growing urgency
The treaty would also mandate that ISPs turn over subscriber information such as real name, address, billing or other information in response to an appropriate demand or order, and provides for searching and seizing computers that contain information relevant to a criminal investigation. The search and seizure provisions make no accommodation for the expeditious return of seized computers, nor do they permit the interposition of defenses, such as legal privileges, to resist such seizure. The treaty also permits real-time interception (wiretap) of both content information and traffic information, again upon an appropriate order.

The trans-national nature of computer crimes makes it imperative that there be some harmony in defining the offenses, and expediting the investigation of these offenses. To that end, the COE Cybercrime treaty reflects existing law, particularly in the United States, concerning the nature of computer crime and the ability of law enforcement to combat it.

Were the U.S. a signatory, the treaty would create virtually no new criminal offenses, nor empower law enforcement to do anything more than it can already do. With the exception of potentially creating a treaty-based virtual child pornography offense and a new offense of possession of hacker tools, both of which are optional provisions, the treaty breaks little new ground.

But the Cybercrime treaty could allow international law enforcement to be as organized and cooperative as the hackers they fight. Whether this is a good idea, it seems, depends on your opinions of law enforcement.


SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and specializes in computer crime, computer security, incident response, forensics and privacy matters as Managing Director of Technology for FTI Consulting, Inc.
Copyright 2008, SecurityFocus