ENDitorial: The 2001 CoE Cybercrime Conv. more dangerous than ever

By EDRi · June 20, 2007

(This article is also available in German)

The Council of Europe (CoE) has clearly made a high priority of the broad,
worldwide ratification of its Convention on Cybercrime, open for
signature since November 2001 and in force since 1 July 2004. As
part of its efforts to achieve this goal, a conference on “Cooperation
against cybercrime” was held in Strasbourg on 11-12 June 2007, at which EDRI
was invited to give a presentation (some of the participants’
presentations are available on the conference website).

This conference was organised in the framework of the CoE Octopus programme
against corruption and organised crime in Europe, three years after the 2004
conference on “The challenge of cybercrime” and two years after the joint
CoE-OAS (Organisation of American States) conference on “Cybercrime: a global
challenge, a global response”. The CoE has also been promoting this
Convention in many international fora, including the World Summit on the
Information Society and its follow-up, the Internet Governance Forum. Finally,
it has held numerous regional meetings and training events for member States
and third States to help them implement Convention-ready or
Convention-compatible provisions in their legislation.

Almost 140 participants attended the conference (list available on the
conference website). They were mainly law enforcement authorities (LEAs)
from all over the world (representing 49 countries from the 5 continents),
plus 12 intergovernmental organisations (among them EUROPOL, INTERPOL, and
ENISA – the European Network and Information Security Agency), 3
non-governmental organisations (EDRI, ICMEC – the International Centre for
Missing and Exploited Children, and the French Human Rights League), 3
international multi-stakeholder forums (the Inhope association of Internet
hotlines, the Anti-Phishing forum and the London Action Plan against spam)
and 3 private-sector organisations (Microsoft, NASSCOM – India’s national
association for software and service companies, and RSA).

Surprisingly, no representative from ISPs attended, and none of them was
invited to make a presentation, although the Convention on Cybercrime puts a
severe burden on them, since most of its procedural provisions (articles 16
to 21) directly require the cooperation of ISPs in order to achieve
preservation, production, search and seizure of stored computer data,
real-time collection of traffic data and interception of content data.

However, Microsoft was well represented and obviously given an important
role in the conference, with no less than 3 presentations in plenary
sessions. A presentation by Alexander Seger, Head of Technical Cooperation
in the Department of Crime Problems (CoE DG of Legal Affairs), offered a clue
to this special treatment: the CoE has launched a new project
against cybercrime, “a global project to support European and non-European
countries to accede and implement the Convention on cybercrime or its
Protocol on xenophobia and racism” (details on the project are available on
the conference website), which started in September 2006 for a duration of 30
months. The overall budget is 1.7 million euros, of which only 550,000 euros
are currently available: 290,000 euros from the CoE’s own funding and 260,000
euros from Microsoft’s contribution.

It has to be noted that this private funding is a new practice for the CoE, to
the extent that Microsoft funding had to be approved by the CoE Council of
Ministers. As Alexander Seger suggested in his presentation, “other donors
(public and private) [are] invited to join this project” and “beyond this
project, CoE may now seek stronger cooperation with the private sector”. If
such an extension is indeed realised in the future, one may wonder whether the
CoE will be able to remain the reference it currently represents in terms of
respect for human rights, democracy and the rule of law. Interestingly
enough, this trend of having CoE projects funded by the private sector
starts with this very Convention on cybercrime, probably the only one among
the current 200 CoE Treaties to have been so criticised by human rights
NGOs, as EDRI recalled in its presentation. While Alexander Seger and
Microsoft representatives insisted on the fact that “no specific condition
[has been] attached to the financial contribution from Microsoft”, it would
be quite naive to find this “guarantee” satisfactory: agenda-setting
and agenda-pushing is certainly already worth the money spent.

The interest of companies like Microsoft in such a project is directly
linked to the substantive provisions of the Convention (articles 2 to 13),
which aim at harmonizing the criminalisation of the commission of “offences
against the confidentiality, integrity and availability of computer data and
systems” (art. 2-6), “computer related offences” (forgery and fraud, art.
7-8), “content-related offences” (Internet child pornography, art. 9),
“offences related to infringements of copyright and related rights” (art.
10) or attempting, aiding or abetting the commission of such offences (art.
11).

Copyright infringement was barely mentioned during the 2007 conference. The
fight against Internet child pornography served as the consensual vehicle to
promote tools such as the Convention and private hotlines: concerns
regarding respect for the rule of law, as raised by EDRI, were received,
as usual, with suspicion of laxity. EDRI was the only participant to point
out that the additional Protocol against racism and xenophobia could
only be ratified by countries that already criminalise in their national
laws the dissemination of such content, as well as insults and threats based
on racism and xenophobia. Thus, it would never solve cases such as the
famous Yahoo! case between France and the USA, simply because, as EDRI
noted, the Convention and its Protocol fail to address the major issue of
the competence of jurisdictions.

The really big issues for LEAs during this conference were the most prevalent
threats as well as the new trends they perceive in current cybercrime
activities: spamming, phishing and its many variants using SMS (SMSishing),
VoIP (Vishing) and DNS redirections (pharming), the use of botnets, and the
use of P2P networks and instant messaging systems were among the many
identified aspects of a protean cybercrime. Although all the presentations on
these trends (especially those from Europol and from French LEAs) acknowledged
the lack of statistics and the difficulty of gathering data on this kind of
crime, they were able to agree on its current volume and its broadening, and
to conclude on the increased need to limit – if not forbid – anonymity and
encryption of exchanges, to better control Internet use from cybercafes and
other public places, and, last but not least, to further extend cooperation
with the private sector (telecom operators and ISPs) and communication and
exchange of data among LEAs for mutual assistance purposes.

International cooperation between LEAs is exactly the subject of the
numerous remaining provisions of the Convention (articles 23 to 35). In
summary, these provisions allow any State party to the Convention to request
from any other party the communication of data collected under the
provisions of articles 16 to 21, without any dual criminality requirement
(unless a relevant reservation has been made upon ratification) and with
very limited possibility of refusal: indeed, as Henrik Kaspersen,
professor at the Free University of Amsterdam and chair of the committee of
the CoE Convention on cybercrime, analysed, the current 43 signatories
(among them 21 having ratified the text) have made quite moderate use of
reservations. Moreover, the Convention’s conditions and safeguards (article
15) are far from being adequate and harmonised among the State parties to
the Treaty: although the EU Article 29 working group warned against this and
other failures of the Convention when the text was still being drafted, its
opinion was not taken into account. With the extension of the Convention to
States with far fewer privacy safeguards than the CoE member States – which
are bound by the European Convention on Human Rights – starting with the
USA, this threat is beginning to realise the worst fears of the Global
Internet Liberty Campaign (GILC) international coalition of NGOs – among
them future EDRI founders – when it published in 2001 its “Eight Reasons the
International Cybercrime Treaty Should be Rejected”, after a long campaign
against the eventually signed Convention.

Furthermore, although one can argue that, since 2001, the situation has
become even worse with laws adopted all over the world, including at the
European Union level, it has to be acknowledged that “the CoE Convention on
cybercrime opened the way to more and more invasive laws”, as EDRI concluded
at the end of its presentation at this conference, leading to a situation in
which “on-line activities and behaviours [are] more criminalised than their
off-line equivalent and citizens benefit from less protections and safeguards
on-line than off-line”. In order to limit the risk that, six years after its
signature, the CoE Convention on cybercrime becomes more dangerous than ever,
EDRI advocated, “before any further extension in scope and/or
ratification/accession, (the) need for an assessment of the Convention and
its national implementations with regards to human rights, democracy and the
rule of law”. Finally, in the same way as EDRI considers that, at the EU
level, data protection under the third pillar is a prerequisite to any
broadening of information systems in criminal matters, EDRI recommended that
the Council of Europe “devote[s] an equivalent energy to extend
ratifications/accessions to Convention no.108 for the protection of
individuals with regard to automatic processing of personal data”. But such
a goal does not seem to be on the CoE’s agenda.

CoE Octopus Conference 2007 (11-12.06.2007)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_crime/3_technical_cooperation/cyber/Octopus_if_2007.asp

CoE Octopus Conference 2004 (15-17.09.2004)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_economic_crime/3_Technical_cooperation/OCTOPUS/2004/Octopus-Interface-2004.asp

Joint COE-OAS Conference 2005 (12-13.10.2005)
http://www.coe.int/T/E/Legal_Affairs/About_us/Cooperation/5Madrid(cyber)_OAS.asp

EU Article 29 WP Opinion on the CoE Draft Convention on Cybercrime
(22.03.2001)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2001/wp41en.pdf

GILC coalition “Treaty Watch” website
http://www.treatywatch.org

IRIS dossier of the campaign against the Convention and its Protocol (only
in French)
http://www.iris.sgdg.org/actions/cybercrime

EDRI-gram: From Schengen To Prüm: Data Protection Under 3rd Pillar A
Prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum

CoE Convention no.108 on data protection (28.01.1981)
http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=108&DF=6/20/2007&CL=ENG

(Contribution by Meryem Marzouki, EDRI-member IRIS – France)