, special to SecurityFocus 2001-06-04
A few feel-good touches can't redeem the COE treaty, or the closed-door process that produced it.
What remains most striking in the treaty is the utter absence of concepts like 'privacy' and 'data protection.'
The working group has now been at this since 1997, so they probably feel a profound sense of boredom trying to find a few more words to move around without really changing anything. They made up their minds on what they wanted sometime around 1999, and have just been toying with us since then to ensure they could get the treaty approved.
In an attached "Explanatory Memorandum" there are only two things that the COE treats as so deplorable that even linking to it will be a crime: child pornography, and hacking tools.
A modest improvement in the draft convention is the inclusion of a requirement that countries that implement the treaty follow whatever human rights protections exist in their domestic law, and under human rights treaties that the country has already signed. The signing nations must also be "proportional" in implementing the treaty -- a vague cost-benefit analysis where citizens' civil rights will undoubtedly be weighed against calls to "Protect the children." Nations may also consider the impact on third parties, such as the ISPs which have to pay for all of this, and there's new language requiring "independent supervision" -- from a judge, for example -- of online governmental spying.
They sound good, but these changes are little more than window dressing: the U.S., the UK, and many other countries, already don't follow the requirements of many human rights treaties. And as for "independent supervision," just remember how many wiretap requests have been turned down in the last ten years in the U.S. -- three out of over 10,000.
What remains most striking in the treaty is the utter absence of concepts like "privacy" and "data protection" and any kind of meaningful limitations of surveillance in all the of very detailed sections that mandate them. It apparently was easy to tell law enforcement the procedures on how to invade privacy, but too difficult to tell them what their limits are.
By contrast, a few days after the closed-door Rome meeting, we saw a striking example of how things work when you open international meetings up.
The G-8 meeting in Japan allowed tech industry representatives and the American Civil Liberties Union (ACLU) to sound off on a proposal to force ISPs to capture and retain traffic data on their users. Prior to the meeting, the G-8 issued a draft final document and a press release championing the requirement, but by the end of the meeting, the proposal was dead in the water and no one except a few law enforcement types were still talking about it.
The Council of Europe draft convention would have benefited from that kind of openness. Instead, it is now climbing the chain of command. It will be voted on next week by a higher committee, and in September by the Committee of Ministers, the highest body in the COE, where it's likely to be approved. It will then be open for signature and only needs signatures from only five countries, including two outside the COE, to put it into force.
The convention's future in the U.S. is less certain. It is unclear what the Bush Administration will do, and Senate ratification may provide to be difficult with liberal Democrats and conservative Republicans both likely to give it a serious going over. Or perhaps E-Bay or CERT will be attacked again the day before the vote and the panic would push it through. Nahhhh. That never happens in Washington.