Technology

Endgame for COE Treaty


By David Banisar A few weeks ago, the Council of Europe's (COE) Committee of Experts on

Cyber-crime working group met in a closed meeting in Rome to put the

finishing touches on the ever-troubling "Draft Convention on Cyber-crime".

The touches were light: little more than a feather dusting with a couple

of feel-good changes thrown in for good measure.

The working group has now been at this since 1997, so they probably feel a

profound sense of boredom trying to find a few more words to move around

without really changing anything. They made up their minds on what they

wanted sometime around 1999, and have just been toying with us since then

to ensure they could get the treaty approved.

The draft retains all of the controversial provisions from before,

including the requirement that users can be forced to cough up information

about the "measures applied to protect the computer data" of a system

(read 'crypto keys'); mandates on surveillance of traffic data and content

and the bans on developing and using security auditing tools, except by

those who are "legitimate".

In an attached "Explanatory Memorandum" there are only two things that the

COE treats as so deplorable that even linking to it will be a crime: child

pornography, and hacking tools.

A modest improvement in the draft convention is the inclusion of a

requirement that countries that implement the treaty follow whatever human

rights protections exist in their domestic law, and under human rights

treaties that the country has already signed. The signing nations must

also be "proportional" in implementing the treaty -- a vague cost-benefit

analysis where citizens' civil rights will undoubtedly be weighed against

calls to "Protect the children." Nations may also consider the impact on

third parties, such as the ISPs which have to pay for all of this, and

there's new language requiring "independent supervision" -- from a judge,

for example -- of online governmental spying.

What remains most striking in the treaty is the utter absence of concepts

like 'privacy' and 'data protection.'

They sound good, but these changes are little more than window dressing:

the U.S., the UK, and many other countries, already don't follow the

requirements of many human rights treaties. And as for "independent

supervision," just remember how many wiretap requests have been turned

down in the last ten years in the U.S. -- three out of over 10,000.

What remains most striking in the treaty is the utter absence of concepts

like "privacy" and "data protection" and any kind of meaningful

limitations of surveillance in all the of very detailed sections that

mandate them. It apparently was easy to tell law enforcement the

procedures on how to invade privacy, but too difficult to tell them what

their limits are.

By contrast, a few days after the closed-door Rome meeting, we saw a

striking example of how things work when you open international meetings

up.

The G-8 meeting in Japan allowed tech industry representatives and the

American Civil Liberties Union (ACLU) to sound off on a proposal to force

ISPs to capture and retain traffic data on their users. Prior to the

meeting, the G-8 issued a draft final document and a press release

championing the requirement, but by the end of the meeting, the proposal

was dead in the water and no one except a few law enforcement types were

still talking about it.

The Council of Europe draft convention would have benefited from that kind

of openness. Instead, it is now climbing the chain of command. It will be

voted on next week by a higher committee, and in September by the

Committee of Ministers, the highest body in the COE, where it's likely to

be approved. It will then be open for signature and only needs signatures

from only five countries, including two outside the COE, to put it into

force.

The convention's future in the U.S. is less certain. It is unclear what

the Bush Administration will do, and Senate ratification may provide to be

difficult with liberal Democrats and conservative Republicans both likely

to give it a serious going over. Or perhaps E-Bay or CERT will be attacked

again the day before the vote and the panic would push it through. Nahhhh.

That never happens in Washington. David Banisar is an attorney and writer in the Washington, D.C. area. He

is the co-author of 'The Electronic Privacy Papers' (Wiley, 1997) and is

Deputy Director of Privacy International, a UK-based human rights group.


Burger King's Young Buns
LIMITED-TIME OFFER SUBSCRIBE NOW

(enter your email)
(enter up to 5 email addresses, separated by commas)

Max 250 characters

Sponsored Links

Buy a link now!

 
blog comments powered by Disqus