BW Online | July 26, 2001 | Endgame for COE Treaty

BW MAGAZINE Get Four Free Issues Register Subscribe Customer Service

ONLINE FEATURES Book Reviews BW Video Columnists Interactive Gallery Newsletters Past Covers Philanthropy Podcasts Special Reports BLOGS Auto Beat Bangalore Tigers Blogspotting Brand New Day Byte of the Apple Economics Unbound Eye on Asia Fine On Media Green Biz Hot Property Investing Insights Management IQ NEXT: Innovation NussbaumOnDesign Tech Beat Working Parents TECHNOLOGY J.D. Power Ratings Product Reviews Tech Stats Wildstrom: Tech Maven AUTOS Home Page Auto Reviews Classic Cars Car Care & Safety Hybrids INNOVATION
& DESIGN Home Page Architecture Brand Equity Auto Design Game Room SMALLBIZ Smart Answers Success Stories Today's Tip INVESTING Investing: Europe Annual Reports BW 50 S&P Picks & Pans Stock Screeners Free S&P Stock Report SCOREBOARDS Hot Growth 100 Mutual Funds Info Tech 100 S&P 500 B-SCHOOLS Undergrad Programs MBA Blogs MBA Profiles MBA Rankings Who's Hiring Grads

BW EXTRAS BW Digital BW Mobile BW Online Alerts Dashboard Widgets Podcasts RSS

RSS Feeds

Reprints/ Permissions Conferences Research Services

JULY 26, 2001

SECURITY FOCUS
By David Banisar

Endgame for COE Treaty
A few feel-good touches can't redeem the COE treaty, or the closed-door process that produced it

STORY TOOLS

A few weeks ago, the Council of Europe's (COE) Committee of Experts on Cyber-crime working group met in a closed meeting in Rome to put the finishing touches on the ever-troubling "Draft Convention on Cyber-crime". The touches were light: little more than a feather dusting with a couple of feel-good changes thrown in for good measure.

The working group has now been at this since 1997, so they probably feel a profound sense of boredom trying to find a few more words to move around without really changing anything. They made up their minds on what they wanted sometime around 1999, and have just been toying with us since then to ensure they could get the treaty approved.

The draft retains all of the controversial provisions from before, including the requirement that users can be forced to cough up information about the "measures applied to protect the computer data" of a system (read 'crypto keys'); mandates on surveillance of traffic data and content and the bans on developing and using security auditing tools, except by those who are "legitimate".

In an attached "Explanatory Memorandum" there are only two things that the COE treats as so deplorable that even linking to it will be a crime: child pornography, and hacking tools.

A modest improvement in the draft convention is the inclusion of a requirement that countries that implement the treaty follow whatever human rights protections exist in their domestic law, and under human rights treaties that the country has already signed. The signing nations must also be "proportional" in implementing the treaty -- a vague cost-benefit analysis where citizens' civil rights will undoubtedly be weighed against calls to "Protect the children." Nations may also consider the impact on third parties, such as the ISPs which have to pay for all of this, and there's new language requiring "independent supervision" -- from a judge, for example -- of online governmental spying. What remains most striking in the treaty is the utter absence of concepts like 'privacy' and 'data protection.'

They sound good, but these changes are little more than window dressing: the U.S., the UK, and many other countries, already don't follow the requirements of many human rights treaties. And as for "independent supervision," just remember how many wiretap requests have been turned down in the last ten years in the U.S. -- three out of over 10,000.

What remains most striking in the treaty is the utter absence of concepts like "privacy" and "data protection" and any kind of meaningful limitations of surveillance in all the of very detailed sections that mandate them. It apparently was easy to tell law enforcement the procedures on how to invade privacy, but too difficult to tell them what their limits are.

By contrast, a few days after the closed-door Rome meeting, we saw a striking example of how things work when you open international meetings up.

The G-8 meeting in Japan allowed tech industry representatives and the American Civil Liberties Union (ACLU) to sound off on a proposal to force ISPs to capture and retain traffic data on their users. Prior to the meeting, the G-8 issued a draft final document and a press release championing the requirement, but by the end of the meeting, the proposal was dead in the water and no one except a few law enforcement types were still talking about it.

The Council of Europe draft convention would have benefited from that kind of openness. Instead, it is now climbing the chain of command. It will be voted on next week by a higher committee, and in September by the Committee of Ministers, the highest body in the COE, where it's likely to be approved. It will then be open for signature and only needs signatures from only five countries, including two outside the COE, to put it into force.

The convention's future in the U.S. is less certain. It is unclear what the Bush Administration will do, and Senate ratification may provide to be difficult with liberal Democrats and conservative Republicans both likely to give it a serious going over. Or perhaps E-Bay or CERT will be attacked again the day before the vote and the panic would push it through. Nahhhh. That never happens in Washington.

David Banisar is an attorney and writer in the Washington, D.C. area. He is the co-author of 'The Electronic Privacy Papers' (Wiley, 1997) and is Deputy Director of Privacy International, a UK-based human rights group.