“Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international co-operation.”
-- Preamble
The Convention on Cybercrime (CETS No. 185) (2002) was adopted in 2001 by the Council of Europe, a consultative assembly of 43 countries, based in Strasbourg. The Convention, effective July 2004, is the first and only international treaty to deal with breaches of law "over the internet or other information networks." The Convention requires participating countries to update and harmonize their criminal laws against hacking, copyright infringement, computer-facilitated fraud, child pornography, and other illicit cyber-activities.
Negotiations on the Convention began in 1997, following a determination by the Council that the transnational character of cybercrime could only be tackled at the global level. Since then, the increase in hacking incidents, the spread of destructive computer viruses, and the minimal prosecution of such crimes in many states have spurred on the Council’s efforts. The September 11, 2001 terrorist attacks provided further momentum by raising the specter of cyberattacks on critical infrastructure facilities, financial institutions, or government systems, and by highlighting the way terrorists use computers and the Internet to communicate, raise money, recruit, and spread propaganda. To date, the Convention has been signed by 47 countries, and 31 of these, including the United States, have ratified it.
Requirements on signatories
The Convention's main goal is to establish a "common criminal policy" to better combat computer-related crimes worldwide through harmonizing national legislation, enhancing law enforcement and judicial capabilities, and improving international cooperation. To these ends, the Convention requires signatories to:
- Define criminal offenses and sanctions under their domestic laws for four categories of computer-related crimes: fraud and forgery, child pornography, copyright infringements, and security breaches such as hacking, illegal data interception, and system interferences that compromise network integrity and availability. Signatories must also enact laws establishing jurisdiction over such offenses committed on their territories, registered ships or aircraft, or by their nationals abroad.
- Establish domestic procedures for detecting, investigating, and prosecuting computer crimes, and collecting electronic evidence of any criminal offense. Such procedures include the expedited preservation of computer-stored data and electronic communications ("traffic" data), system search and seizure, and real-time interception of data. Parties to the Convention must guarantee the conditions and safeguards necessary to protect human rights and the principle of proportionality.
- Establish a rapid and effective system for international cooperation. The Convention deems cybercrimes to be extraditable offenses, and permits law enforcement authorities in one country to collect computer-based evidence for those in another. It also calls for establishing a 24-hour, seven-days-a-week contact network to provide immediate assistance with cross-border investigations.
Express limitations and assumptions
The Convention contains several express limitations and assumptions. It:
- limits the scope of procedural powers by requiring that such powers are "for the purpose of specific criminal investigations and proceedings" (Article 14.1). The Explanatory Report to the European Convention reminds States parties that the power and procedures of the European Convention are limited to use for "an investigation in a particular case";
- permits States parties to limit the range of offences for which assistance is to be given to a foreign country to ensure such measures are proportionate and do not unnecessarily intrude into personal privacy. For example, a country may limit mutual assistance to serious offences rather than all offences (Article 33);
- requires that all powers and procedures must be subject to conditions and safeguards to ensure the protection of human rights (Article 15). This includes judicial or other independent supervision, the need for grounds to justify an application under the Convention, and a limitation of the scope and the duration of the particular power or procedure under the Convention (Article 15.1);
- requires States parties to adhere to common standards or minimum safeguards, including those pursuant to obligations under the European Convention for the Protection of Human Rights and Fundamental Freedoms. States parties from other regions of the world are to adhere to applicable human rights instruments (such as the International Covenant on Civil and Political Rights); and
- requires that powers and procedures shall "incorporate the principle of proportionality", and, among other things, the right against self-incrimination, access to legal privileges, and the specificity of individuals or places which are the object of the Convention's measures.
United States policy
President George W. Bush transmitted the Convention to the U.S. Senate for ratification on November 17, 2003 (Treaty 108-11). The Senate Committee on Foreign Relations held a hearing on the Convention on June 17, 2004. On July 26, 2005, the committee ordered the Convention favorably reported by voice vote, with the recommendation that the Senate give its advice and consent to its ratification, subject to several reservations and declarations. The Committee published a report on the Convention on November 8, 2005.
On August 3, 2006, the U.S. Senate passed a resolution of ratification for the Convention. The U.S. became a full party on September 29, 2006. The United States will comply with the Convention based on existing U.S. federal law, and no new implementing legislation is expected to be required. Legal analysts say that U.S. negotiators succeeded in scrapping most of the objectionable provisions, thereby ensuring that the Convention tracks closely with existing U.S. laws.
Although the United States has signed and ratified the Convention, it did not sign a separate protocol that contained provisions to criminalize xenophobia and racism on the Internet, which would raise constitutional issues in the United States. The separate protocol could be interpreted as requiring nations to imprison anyone guilty of "insulting publicly, through a computer system" certain groups of people based on characteristics such as race or ethnic origin, a requirement that could make it a crime to e-mail jokes about ethnic groups or question whether the Holocaust occurred. The Department of Justice said that it would be unconstitutional for the United States to sign that additional protocol because of the First Amendment's guarantee of freedom of expression.
- The USA PATRIOT Act of 2001 authorizes the interception of electronic communications for the collection of evidence related to terrorism, computer fraud, and abuse (Sections 201 and 202). It also clarifies the definition of protected computers and increases fines and prison terms for damage (Section 814).
- The Homeland Security Act of 2002 directs the U.S. Sentencing Commission to reevaluate federal sentencing guidelines for crimes involving computer-related fraud and hacking offenses, especially against restricted federal government systems.
Possible benefits and risks
Convention supporters argue that it represents a significant step forward in tackling cybercrime because it commits signatories to prosecute computer-related crimes vigorously — which many countries fail to do currently. Council of Europe officials say that the Convention will end cybercriminals' "feeling of impunity." They claim that by mandating sanctions and making cybercrimes extraditable offenses, the Convention will improve deterrence and reduce the number of countries in which criminals can avoid prosecution. Advocates also argue that the Convention's procedures for collecting evidence will assist law enforcement authorities in the fight against terrorism. In general, the information technology industry in the United States supports the Convention, viewing it as helping to raise international legal standards against cybercrime to those already in existence in the United States.
Skeptics, however, point out that to serve as a deterrent, more states will have to sign the Convention and abide by its mandates. They note that states that participated in the Convention's negotiations are not the "problem countries" in which cybercriminals operate relatively freely. Hackers frequently route cyberattacks through portals in Yemen or North Korea, neither of which is part of the Convention. In addition, some analysts criticize the Convention for not permitting police authorities direct cross-border access to computer data, which they argue creates an extra, time-wasting step.
The Convention has also come under fire from civil liberties groups concerned that it undermines individual privacy rights and expands surveillance powers too far. The American Civil Liberties Union claims that U.S. authorities will use the Convention to conduct surveillance and searches that would not be permitted under current U.S. law. Others fear that the Convention lacks a dual criminality provision, making it possible for foreign governments to request that the United States investigate crimes not considered offenses under U.S. law; the U.S. Justice Department counters that it may deny any assistance to a foreign government that contravenes U.S. sovereignty, security, or other interests.
European critics also worry that the Convention allows the transfer of personal data to countries outside Europe, such as the United States, that they believe have less protective laws regarding the use of such information. Council of Europe officials dismiss such fears, arguing that the Convention provides adequate civil liberty safeguards and limits information transfers to specific criminal investigations. Meanwhile, some business and consumer groups are concerned that the Convention's provisions could increase costs to service providers, impede the development of security technologies and sale of encryption programs, and negatively affect consumer confidence in e-commerce.