Seven Reasons the US Should Reject the International Cybercrime Treaty

Document Date: December 18, 2003

The Seven Reasons Why The Senate Should Reject The International Cybercrime Treaty

The International Cybercrime Convention: What It Is

President Bush has asked the United States Senate to ratify an extraordinarily broad new treaty that dramatically increases the power of law enforcement agencies worldwide. This “”Cybercrime Convention”” was drafted by the 43-member Council of Europe, with the U.S., Canada, Japan, and other countries participating as “”observers.””

The Cybercrime Convention does three major things:

  1. It includes a list of crimes that each member country must have on its books. The treaty requires criminalization of offenses such as hacking, the production, sale or distribution of hacking tools, and an expansion of criminal liability for intellectual property violations (Articles 2-11).
  2. It requires each participating nation to grant new powers of search and seizure to its law enforcement authorities. They include the power to force an Internet Service Provider (ISP) to preserve a citizen’s internet usage records or other data, and the power to monitor a citizen’s online activities in real time (Articles 16-22).
  3. It requires law enforcement in every participating country to assist police from other participating countries. US police would be required to cooperate “”mutual assistance requests”” from police in other participating nations “”to the widest extent possible”” (Articles 23-35).

The 7 reasons this treaty should be rejected

The ACLU believes that this is a bad agreement, and that the Senate should not ratify it. There are 7 main problems with it:

Reason #1: The treaty lacks privacy and civil liberties protections
The surveillance powers that this treaty would hand to police are not balanced out by meaningful privacy or civil liberties restraints. For example, unlike other international law enforcement agreements (including the Interpol, Europol and Schengen agreements), this treaty includes no provisions to protect citizens’ privacy. In fact, the word “”privacy”” doesn’t appear once in any of the convention’s articles.[1]

The treaty also requires ISPs to cooperate with searches and seizures of data without requiring police to reimburse them for the costs of that cooperation[2]. Not only is that an unfair burden on the ISPs, but by making searches free for the police, it encourages them to use that power indiscriminately. That undermines one of the most important checks and balances of a democratic system: the control over law enforcement that Congress and other legislatures maintain through their budgetary “”power of the purse.””

Reason #2: The treaty is far too broad
The treaty has vastly outgrown its original mission of helping coordinate enforcement of cross-border cybercrimes. Now the treaty covers not only computer-related crimes, but any crime where the evidence could be in computerized form.[3] As computers become more and more intertwined with modern life, this treaty’s problems will apply to a larger and larger proportion of all crimes. Someday even muggers will all have Internet-ready handheld computers. Foreign police can’t require the FBI to tap the phone of someone who hasn’t violated any U.S. laws; why should they be able to order a search of his computer records? The Convention’s broad reach means that despite the treaty’s name, all its flaws would soon apply not just to a few specialist hackers, but to the whole fabric of American society.

Reason #3: The treaty lacks a “”dual criminality”” requirement for U.S. cooperation with foreign police
Under this treaty, American law enforcement would be forced to cooperate with investigations of activities that are illegal abroad but perfectly legal in the U.S. That is because the treaty lacks a “”dual criminality”” provision that would require an activity to be a crime in both countries before one nation could enlist the police in another to help investigate. The outrageous result: American law enforcement agencies would be forced to cooperate with foreign authorities in conducting surveillance on American citizens who have committed no crime under U.S. law.

Worse, some of those mutual assistance requests will come from countries that have minimal civil liberties protections. The Convention includes not only Council of Europe members like Ukraine and Bulgaria, but will also over time be opened to China and other non-democratic nations – additions that the United States would have no right to veto. And even Western European countries have much different views on civil liberties than the U.S. – the U.K., for example, has much different free speech standards than the U.S. (most notably very broad standards for defamation and libel).

Reason #4: Protection for political activities is too weak
The absence of a dual criminality requirement will inevitably result in the treaty being used to force one nation to cooperate in politically inspired investigations by another. While there are some exceptions in the treaty that allow a signatory to refuse to cooperate because the offense being investigated is “political,” these exceptions are far too limited and won’t even apply to many of the most significant requests.

For example, an exemption to the mutual assistance requirement for offenses that are “”political”” in nature was not included in the section requiring real-time data monitoring.[4] That means that the FBI could be required under this treaty to order AOL or Earthlink to spy on a Ukrainian political dissenter, a Latin American union organizer, or a U.S. veteran who sold a Nazi helmet over eBay.

In addition, the term “”political offenses”” is not defined – a huge omission since an offense that is considered political in the U.S. might be a criminal matter in another country. And who gets to decide what is “”political””? Under the treaty, U.S. assistance could be authorized in many cases solely by law enforcement without any judicial approval or oversight.[5] And since the treaty doesn’t even have a reporting requirement (requiring instances of cooperation with other countries on foreign crimes to be made public), law enforcement decisions on this sensitive issue may never be subject to civilian check or oversight.

Reason #5: The treaty threatens to further unbalance U.S. intellectual property law
The treaty’s vague and obscure intellectual property provisions could significantly expand criminal liability for intellectual property violations and further tilt copyright law away from the public interest. It also appears to make copyright violations into extradictable offenses. The US has taken only the most minimal of steps to narrow this provision (by taking only one small “”reservation”” on the treaty declaring that it will not criminalize one area of the law, called as “”rental rights,”” that exists in European but not US intellectual property law). But a much more significant issue – fair use – has been completely ignored. U.S. intellectual property law contains a delicate balance between the privileges of intellectual propertyholders and the rights of the public through the First Amendment, and the law of “”fair use”” of copyrighted materials (which permits copyrighted material to be used for parodies, criticism, and so on) is crucial to maintaining that balance. But this treaty simply declares that copyright infringement would be criminalized,[6] with no mention of fair use.

Reason #6: The treaty would give police invasive new surveillance powers
The treaty would require the U.S. to authorize the use of devices like Carnivore, the FBI’s “”Internet-tapping”” surveillance system for intercepting the content of communications.[7] Unlike telephone wiretaps, which are set up by the telephone company on behalf the authorities to listen to one line, Carnivore allows law enforcement agents direct access to ISPs’ entire networks for surveillance, with only their unsupervised self-restraint preventing them from inspecting the vast flow of other data in the network. Unfortunately, the history of the FBI and other government agencies on respecting privacy is not good, and Carnivore has been opposed by organizations from across the political spectrum.

The legal authority for Carnivore is still murky. Its use to collect addressing information (the source and destination of Internet traffic) has arguably been authorized by Congress in the USA Patriot Act, but its use for eavesdropping on actual content has not been authorized.

By mandating authorization of Carnivore, the Cybercrime Convention would short-circuit the debate over the role of Carnivore in America, and impose a policy that further undercuts U.S. law, including the Constitution’s Fourth Amendment with its guarantee against “”unreasonable searches and seizures”” without probable cause.

Reason #7: The treaty was drafted in a closed and secretive manner
The drafting process was closed, secretive and undemocratic. The drafting committee was dominated by law enforcement, while industry and public-interest groups didn’t have a seat at the table. Even after the publication of treaty drafts, the authors made little effort to incorporate the views and concerns of privacy and civil liberties groups. The result is a “”wish list”” for law enforcement that lacks the balance that other viewpoints would have brought to the treaty – and the balance that the U.S. Constitution requires.

[1] There is one platitude about privacy in the preamble.
[2] Article 15.3.
[3] Article 23.
[4] Article 33.
[5] Article 27.2.b.
[6] Article 10.1.

Every month, you'll receive regular roundups of the most important civil rights and civil liberties developments. Remember: a well-informed citizenry is the best defense against tyranny.