21 March 2001

Date: Wed, 21 Mar 2001 16:05:54 -0500
From: Mike Godwin <mnemonic@WELL.COM>
Subject: Here Comes the Cybercrime Treaty


An International Treaty on Cybercrime Sounds Like A Great Idea, Until You Read The Fine Print

By Mike Godwin

IP Worldwide, April 2001

Maybe you're a civil libertarian, and maybe you're not. Maybe you worry about how the United States exercises its vast investigative and prosecutorial powers, and maybe you don't.

But if you counsel U.S. corporations on computer-related issues, you should be concerned about a new proposed treaty known as the "Convention on Cybercrime." The Council of Europe, a 43-nation public body created to promote democracy and the rule of law, is nominally drafting the treaty. Curiously, however, the primary architect is the United States Department of Justice.

The Department of Justice and Federal Bureau of Investigation are using a foreign forum to create an international law-enforcement regime that favors the interests of the feds over those of ordinary citizens and businesses. Their goal is to make it easier to get evidence from abroad and to extradite and prosecute foreign nationals for certain kinds of crimes.

Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here's the catch. The same new powers given to the United States will also be handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that -- although officially democratic now -- don't have strong traditions of checks and balances on police power.

Do you want investigators rummaging around your clients' computer systems on warrants issued by former Soviet bloc nations?

That's the prospect that has pushed AT&T Corporation and other high-technology companies into feverishly trying to stop or at least soften the treaty. The U.S. Chamber of Commerce and Information Technology Association of America also oppose it.

Stewart Baker is one of the chief lobbyists for the treaty opponents. As a former general counsel of the National Security Agency and recipient of the Department of Defense Medal for Meritorious Civilian Service, he's got street cred on these issues in corporate America.

What worries Baker and his colleagues? Consider the following hypothetical: A Los Angeles screenwriter corresponds by e-mail with a neo-Nazi in Germany while researching a script. Shortly after, he finds federal agents examining the files on his home computer. The agents also visit America Online Inc. to retrieve records of the screenwriter's AOL usage.

The agents are fulfilling a warrant issued by German authorities allowing them to search for Nazi propaganda. Such material is unlawful in Germany but not in the U.S. They framed their warrant in terms of "suspected terrorist activity."

Maybe the screenwriter should have anticipated this scenario, given the vigor with which German and other European authorities pursue hate crime on the Internet. Maybe he's willing to run that risk and bear the burden of this kind of search. But what about AOL?

AOL already handles dozens of search warrants and subpoenas every month. What would change under this treaty is that, in addition to getting those submitted by U.S. law-enforcement officials, they'd also have to respond to warrants and court orders from 43 additional nations. All Internet service providers and phone companies -- and perhaps other businesses besides -- would have to cooperate with these types of investigations. They worry they would also have to foot the bill for complying with them.

Maybe AOL and AT&T should expect this sort of intrusion as a cost of doing business in the Internet era. But what about the rest of us? The treaty would likely apply to any business or individual operating a computer connected to a network, according to Marilyn Cade, AT&T's director of Internet and e-commerce policy. If you cable together two computers, you could be forced to comply with investigations that originated in Sofia or Riga.

Even foes say that there might be a need for a limited treaty harmonizing laws globally. Last year, for example, the Philippines was unable to prosecute the creator of the love bug virus. Its laws did not fit his deeds.

Déjà Vu

The treaty has supporters, of course. The Motion Picture Association of America, the Recording Industry of America Association, and the Business Software Alliance all favor the treaty's requirement that certain copyright infringements be handled under criminal law. "Our members, of course, constantly face problems connected to the unauthorized transmission of their copyrighted materials," the three organizations stated in a joint letter regarding Draft 25. "Thus, we believe that ensuring that a greater number of countries make such attacks illegal and actionable under national law is a high priority." In general, such "attacks" are now handled under civil law in most countries. The copyright industry hopes the treaty will extend the United States's increasing use of criminal sanctions to deter infringement to the Council of Europe's member states, and ultimately to the rest of the world.

Critics sometimes compare the cybercrime treaty to the intellectual property treaty promulgated by the World Intellectual Property Organization in 1996. That treaty was designed to update laws for the Internet era. It was largely the handiwork of the Clinton Administration's Bruce Lehman, the head of the Patent and Trade Office.

After the United States and other nations signed and ratified the WIPO treaty, Congress crafted the Digital Millennium Copyright Act to implement the treaty. Congress did not seriously debate the most controversial provisions, in part because of the perceived need to implement the treaty. One of those made it unlawful to tamper with anticopying devices and software.

For these critics, the analogy between the WIPO treaty and the Convention on Cybercrime is clear. "The [cybercrime] treaty was written by government bureaucrats for government bureaucrats," says Baker, a partner at Washington, D.C.'s Steptoe & Johnson. "The process was entirely dominated by one viewpoint -- criminal enforcement."

What It Does

If the treaty is so bad, why has it gotten so little attention -- a wire service report here, a trade publication article there? The answer, it seems, is that it is not easy to explain. But let's try.

The treaty has three primary sets of provisions. All three are aimed at setting basic computer-related criminal-law standards for signatory nations.

First, it would require nations to outlaw such things as unauthorized computer intrusion; the release of viruses; and the use of a computer to commit acts that are already crimes, such as fraud and distribution of child pornography.

This part is relatively uncontroversial. The exceptions are the move to bring copyright under criminal law and the expansion of child-pornography statutes to so-called "virtual child porn." A similar U.S. law is now under constitutional challenge in the United States.

Second, it requires nations to develop standard procedures to capture and retrieve online and other information. Nations would have to be able to issue "retention orders" that would "freeze" data on any computer. Governments would also need the ability to capture in real time the time and origin of all traffic on a network, including telephone networks. For serious crimes, they would be required to intercept the actual content of the communications.

Third, nations would have to cooperate with other nations in sharing electronic evidence across borders. And this cooperation requirement would apply to all crimes. They don't have to be the cybercrimes laid out in the first section of the treaty or even actions unlawful under U.S. law.

Bones of Contention

The second and third parts of the treaty -- individually and together -- are the hot buttons. Phone companies and Internet providers are worried that they will spend their days meeting the demands of foreign investigative authorities. They won't get reimbursed for compliance with foreign evidence orders in their non-U.S. branches and subsidiaries. And they worry that coping with unlimited compliance orders will disrupt their businesses, or those of their clients, according to James Halpert, a partner in the Washington, D.C., office of Piper, Marbury, Rudnick & Wolfe.

One moment, an Internet provider might be turning over all Bulgarian folk songs to an investigator. The next moment, it might be searching for e-mail traffic between customers in Latvia and the Ukraine.

All companies will have to pay closer attention to their employees' computer habits. The treaty imposes criminal liability on businesses if they fail to supervise users who commit bad acts. If the treaty is taken to its extreme, "companies will have to surveil every single thing that users are doing on their computers," says Halpert, who represents a coalition of Internet portal companies.

How radically will the treaty affect U.S. law? The Justice Department says hardly at all. It may be possible to sign the treaty without adopting implementing legislation. Other nations, however, will have to strengthen and extend their criminal laws substantially.

Lawyers get paid to worry about what-if scenarios. There's a huge one lurking here. What if signatory nations pass laws that create crimes broader than those described in the treaty? Normally, this would not be a huge cause for concern. But in this context, it might mean that U.S. law-enforcement agents would be enforcing criminal process against American citizens for acts that are not crimes in the United States.

The Internet sometimes makes strange bedfellows. As when they coalesced to oppose the Communications Decency Act regulating indecency on the net, industry and civil liberties groups are rallying to oppose the treaty. "Industry and civil liberties groups are remarkably aligned" in their opposition to the treaty, especially in the areas of due process protection, says partner Jeffrey Pryce of Steptoe & Johnson.

In the eyes of the critics, the treaty is an open invitation to regulatory mischief. For example, newly democratic nations without traditional due process and other safeguards could require providers to build in monitoring technologies or could outlaw anonymous or untraceable Internet use. Those battles have been fought in the U.S., but they might play out differently, and worse, in other nations.

In one likely scenario, the treaty could emerge as the Internet version of the Communications Assistance for Law Enforcement Act, known colloquially as CALEA. That 1994 law, highly controversial at the time, required U.S. telephone companies to make sure that authorities could both trace and tap calls carried over their networks.

Internet services are not currently included under that law, but the Federal Bureau of Investigation and the Department of Justice have long sought to expand CALEA to reach computer-based communications. "It's as if the FBI, having failed to expand CALEA to computer networks here in the U.S., are trying to do so abroad, and import that expansion home as a treaty provision," says one industry representative.

That last concept is what is known as "policy laundering." Dave Banisar of Privacy International, a privacy-rights watchdog group, says that the Justice Department and FBI are pursuing their law-enforcement agendas overseas with the goal of bringing the resulting treaty back to Congress. They will then say, Banisar contends, "Well, other nations are doing it, so we should too."

Justice and FBI officials decline to comment on this contention. In private meetings with industry/public policy groups, however, Justice officials have sought to mollify the treaty's critics. So has the Council of Europe. In a memo released in February, the Council of Europe suggested ways that countries could limit their implementing laws. But while this memo may be a kind of legislative history, it isn't binding.

The Treaty Process

The treaty has been developed under the aegis of the Council of Europe, an organization created after World War II. Although the U.S. is not a member, the Department of Justice is what Baker calls a "leading force" in the process.

The drafting process was secret until draft 19 was publicly released in April 2000. Even now Justice officials won't comment publicly on their role in drafting the terms of the treaty.

Americans don't like that the treaty was kept under wraps until it was well along the way to final form. "A lot of the provisions were largely locked in" by the time the treaty was publicly released, Baker says.

The Justice Department responds by noting that, since last April, it has made numerous presentations and met repeatedly with business and other private-sector interests. It is "about as open a process as I can think of," says Betty Shave of Justice's Computer Crime and Intellectual Property Section, who has represented DOJ in the treaty negotiations.

Stop It Or Fix It?

Industry groups believe that the best strategy is to try to improve the treaty rather than kill it. Even if it switched position, the United States alone "couldn't stand downhill in front of the snowball and expect to stop it," Baker adds.

There are no indications that the Bush Administration will stop this initiative begun during the Clinton era. But even if the United States doesn't sign the treaty, it will likely affect U.S. companies doing business internationally, their business partners, and clients. "Just backing away from it is not the right answer," Cade says.

U.S. businesses are now starting to appeal to their counterparts overseas, including the International Chamber of Commerce, in hopes of turning sentiment against the treaty. Perhaps, if the United States's role in shaping the treaty becomes better known, European policymakers will turn away from it. Even many Europeans familiar with the treaty don't know what it says precisely -- only English and French translations are available. (English and French are the official languages of the Council of Europe.)

"Neither the U.S. Department of Justice nor the U.S. alone will be able to achieve the kinds of changes that the coalition is seeking in the treaty without help from the other countries who are their trading partners and allies," Cade says.

Short of an international backlash against it, treaty watchers are uncertain how the U.S. Congress will respond to the treaty if the United States signs it. Whether senators decide that the need to combat cybercrimes trumps concerns about submitting U.S. citizens and companies to foreign criminal process remains an open question.

"I speak the password primeval .... I give the sign of democracy ...."
            --Walt Whitman
Mike Godwin can be reached by phone at 202-637-9800
His book, CYBER RIGHTS, can be ordered at
        http://www.panix.com/~mnemonic .
