Cybercrime Treaty: Take Two
David Banisar, SecurityFocus 2000-10-09

The new, improved draft of the international Cybercrime treaty is out, and David Banisar says it's bigger and badder than ever.

Following months of criticism from industry, security and privacy experts, the Council of Europe released a new draft of its international treaty on Cybercrime last week. Unfortunately, they don't appear to have been listening to anyone.

The new draft fills in a few gaps on issues such as wiretapping and jurisdiction, but most of the controversial provisions on issues such as security tools and access to encrypted data are unchanged, or are even worse than before.

The most significant change in the treaty is the inclusion of two sections on interception of communications and traffic data that had been listed as "under discussion" in the previous draft. The two sections require countries to adopt laws to "compel a service provider" to either capture content themselves by building in surveillance capabilities, or to "cooperate and assist" authorities Carnivore-style.

"Service provider" is broadly defined in the draft as "any public or private entity that provides to users of its services the ability to communicate by means of a computer system," a definition that could cover everything from your bedroom's local area network to Worldcom.

Toying with Tools
Many of the worst provisions of the previous draft remain untouched.

The controversial section criminalizing "illegal devices," i.e. hacking programs, remains the same. The only change to the section is a footnote that states that a future explanatory report will actually define "legitimate purposes" for such tools, and that the burden will lie with the prosecution in a case to prove that the tools were developed or used for illegal purposes. This new language may help those who use such tools for legitimate security work, but it's hard to imagine how it will help those who create them.

When Dan Farmer, being provocative, named his program "SATAN," the furor over it was intense. Will only large "legitimate" companies such as Norton or NAI be allowed to create tools, while the little guys face prosecution if they look too shady? And given the broad definition of computer systems and illegal access, are programs such as DeCSS and the CueCat hacks going to be considered criminal offenses?

To make things more interesting, the draft now allows for extradition for violation of the illegal devices section.

The section on access to data still requires countries to enact laws that would allow government agents to force anyone "who has knowledge about the functioning of the computer system or measures applied to protect the computer data" to cough up "all necessary data."

If that is not enough, two optional sections propose that suspects should be obliged to do the cops' work also and "process" the data. A footnote states that this paragraph is still under discussion and admits, "it may look like being a far-reaching intrusive power". But the draft suggests that forcing someone to do his or her own data matching would be a better protector of privacy. Someone in Strasbourg needs to check the air for contaminants.

I guess this is to help the lazy cops who don't want to have to look through every file on a 20 gig drive for those pics and warez, but when was the last time anyone saw a cop come up to a criminal and say, "I want all your information but I trust you to give me the relevant parts." This is as clear a violation of the Fifth Amendment as you can have in the U.S.

Worldwide Reach
Not content to limit this monstrosity to Europe, the drafters no longer restrict it to countries in the Council of Europe and countries that participated in the drafting, such as the US and Canada. Now, it specifically opens the treaty to all countries in the world once it goes into effect. I wonder if the next draft will have a death penalty provision on behalf of the Chinese Government.

The previous draft got a pretty good working over from all corners. Security professionals questioned the ban on tools; privacy experts questioned the provisions on access. The International Working Group on Data Protection in Telecommunications, which is made up of the EU-based privacy commissioners, criticized attempts to require retention of traffic data and recommended improvements in security over new criminal laws. But looking at the changes, the mail must have gone astray.

The COE has yet to hold an open meeting on this treaty and still plans to have the final version by December. The G8 is meeting in a couple of weeks in Berlin, but the invitees are limited to a couple of government and industry representatives from each country. Independent security or privacy experts? Forgetaboutit. I guess it was silly of us to believe that if they heard from people, they would see the light. It's hard to call this process anything but a pre-determined sham.

You might as well send in your comments to daj@coe.int anyway.
