Gus Hosein
Privacy International
November 2000
Note: this is a working document on the changes in the COE Draft Cybercrime convention between versions 22.2, 23 (a never publicly released draft) and 24.2.
The exclusionary principles: 'each party may' occurs in Articles 6, 9, 15, 27[23], 33[28bis]. Meanwhile, in version 22, such exclusions only occurred in articles 18quater and 23. But this doesn't cover all the exclusions, as we will show later.
Addition: Recognising the need for co-operation between States and private industry in combating cyber-crime and the need to protect legitimate interests in the use and development of information technologies;
This is a new section.
Deletion: definition of subscriber information.
This has been deleted from the definitions stage, and moved to a later section of the convention, which is an odd drafting method.
With Respect To: In the offering of an exception, they have stated that a party _may_ require that an offence be committed either by infringing security measures with the intent of obtaining computer data or other dishonest intent...
Addition: the additional option of "or in relation to a computer system that is connected to another computer system."
The change may represent the situation of a Distributed Denial of Service attack where you attack one computer system in order to relay an attack on another. The current phrasing of their change may have to be altered in order for this to make more sense.
Addition: the following footnote was added to the notion of intentional access: This article is not intended to criminalise regular and common activities inherent in the design of the network, such as sending electronic mail without it having been first solicited by the recipient or normally accessing a web page or ftp (file transfer protocol) server that has been configured for public access.
Addition: the additional option of "or in relation to a computer system that is connected to another computer system."
Same change as in article 2, but I doubt whether it is in continued relation to DDoS because this article relates to interception.
I have an additional comment here that I am not sure if it was raised in our initial report. Here they state that: "Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law when committed intentionally the serious hindering without right of the functioning of a computer system by inputting, [transmitting,] damaging, deleting, deteriorating, altering or suppressing computer data." The only change here is that the optional 'transmitting' is now part of the main text in ver 23. But my point is with the term "the functioning of a computer system" (note: this has not changed in ver 23). I wonder if they would consider, then, any reverse engineering to be 'system interference'. This would also apply in copyright management systems (and thus relating to article 6.2), and in cases of CyberPatrol and CueCat, and even DeCSS. That is, by reverse engineering a 'system' you can change the properties of an application/server, or its 'functioning'. I am just concerned that the copyright industry may take this one to use against 'infringers' as it is now akin to hacking. But I digress.
With Respect To: In 1.a.1, in [22], the original text was:
a device, including a computer program, designed or adapted [specifically] [primarily] [particularly] for the purpose of committing any of the offences established in accordance with Articles 2 - 5;
Change: They selected the term of "primarily".
I am not sure what this implies necessarily, but I think it broadens the scope of illegal devices from devices that are designed _specifically_ for circumvention, or devices that _could_ be used for circumvention.
With Respect To: interpretation of article 6
Addition: Article 6.2: "This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with articles 2 through 5 of this Convention, such as for the authorised testing or the protection of a computer system."
They are reacting to criticisms from Spafford and Co. Basically stating within the convention that reverse engineering etc. for good purposes are not a problem. However, the issue with 'authorised testing' is problematic -- bug hunters are not doing so with the permission of the software creators. SATAN seems to be accepted, as are other tools that test network security. So we return now to the idea of intent. I think this would alleviate some of the resistance thus far, but not all. They can't get away with saying that they have listened to opposing voices and changed the article sufficiently.
Addition: Article 6.3 (optional): "Each Party may reserve the right not to apply paragraph 1 of this Article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 (a) (2)."
Amusing set of exclusions: you can exclude yourself so long as you don't exclude the middle. That is, the sale and distribution must be kept illegal although import and use can be permitted by national law.
With Respect To: No changes other than the insertion of a footnote relating to the idea of a "minor engaged in sexually explicit conduct".
Addition: Footnote 16 states that the Explanatory report (???not sure, but I think it says so -- please read the second word of footnote 16 to verify - the fax is blurry???) must indicate that for criminal liability to arise, "it is required that the actor be aware that the material possessed or transmitted is child pornography (this is also a prerequisite for incurring liability for the other forms of conduct described in the article). It is insufficient that, for example, a service provider has unknowingly served as a conduit for, or hosted a website containing such material."
This is a good start to changing the text, but how does one gauge 'awareness' of the user? I am not sure. I am also uncertain what they are saying in the last sentence -- is it an insufficient defence for the provider or insufficient offence by the provider?
Addition: Footnote 11 addendum: "The reference to without right would also allow, for example, with respect to paragraph (2) b, that a Party may provide that a person is relieved of criminal responsibility if it is established that the person depicted is not a minor."
No comment.
Addition: Article 9.1.d: "procuring child pornography through a computer system for oneself or for another;" is now a crime, where a footnote is given to the term 'procuring': "The term procuring is intended to cover the downloading of the material referred to in the Article, whether such material will be possessed by the person downloading it or by someone else."
Addition: Article 9.4: "Each Party may reserve the right not to apply, in whole or in part, paragraph 1(d) and 1(e), and 2(b) and 2(c)."
Addition: added subarticle 10.3. They state that "parties may refrain from imposing criminal liability in particular circumstances", provided that the party does not "derogate from its obligations under the Agreement on Trade-Related Aspects of Intellectual Property Rights."
Addition: A footnote arises from this, stating: "The US delegation will provide a paper indicating which type of behaviour is referred to in relation to 'particular circumstances'."
This shows direct US influence. This also invokes a pre-existing international agreement -- we should then ask if this draft convention is the appropriate place to raise the infringement offences on copyright, or rather such issues should be discussed in a more appropriate forum, such as in the referenced Agreement. Also, our line all along has been to allow for more refined constraints, and more opportunities to opt-out from this convention's articles, unless it involves increasing human rights.
Footnote removed.
Addition: footnote 19. "The Explanatory Memorandum should indicate that Article 11, paragraph 1 contemplates liability for aiding and abetting where the person who commits a crime established in this Convention is aided by another person who shares the mental state required for the commission of the crime. Individuals or legal persons (including service providers) that do not share the objective of committing the crime cannot incur liability through unknowing incidental assistance provided to a criminal actor. The Explanatory Memorandum should also clarify, however, the circumstances under which such individuals or legal persons may be held criminally liable, such as in cases of intentional failure to remove criminal material from a site after having been duly notified."
This appears to give a clearer liability regime.
Addition: footnote 20. "Under Articles 11 and 12, a service provider could be liable for criminal actions undertaken for the providers benefit by agents of the provider, just the same as any other legal person. However, it is important to note that the Article is not intended to impose liability on service providers for the actions of users or customers of their systems. Moreover, this provision does not require or recommend that service providers monitor the transmissions or stored data of users of their systems."
This appears to give a clearer liability regime.
Addition: subarticle 12.3: "Subject to the legal principles of the Party, the liability of a legal person may be criminal, civil or administrative."
Addition: subarticle 12.4: "Such liability shall be without prejudice to the criminal liability of the natural persons who have committed the offence."
I have no clue what to say here. Also in ver24.
Addition: parties can use sanctions "or measures"
No clue what this means -- why the change?
They have renumbered this, by stealing the article from a subarticle in [22.18].
Addition: adding to [22.18], they create 14.2. This states that when a party signs the convention, it must declare explicitly that it reserves its right to apply the interception measures only to specific offences.
Addition: footnote 20 states that the plenary "should decide whether or not the parties to the convention should have the possibility of excluding from the scope of application of the procedural powers under Section 2 the very offences which they will establish in accordance with Section 1."
We appreciate this addition, but we do not like it. We would rather that all intercepts be declared within this convention (without an opt-out regime) as pertaining only to serious crimes, for all signatory states, and thus harmonising the various interception regimes and increasing civil liberties protections. So, we agree with the footnote, and argue rather that interception should not apply to the offences in Section 1, but only to serious crimes. We must push them to accept this footnote.
Addition: .1 includes now the phrase: "in connection with a specific criminal matter".
Alteration: .1 now states "obtain the expeditious preservation of data that has been", while ver22 and ver23 were "is".
The first change makes the case more specific, which is a positive move. The second change is that it seems forensic issues are raised.
With Respect To: the notion of data that is 'particularly vulnerable' to loss or modification
Addition: Footnote 21 states that this notion "shall be explained in the Explanatory Memorandum as including data subject to short period of retention."
This is somewhat suspect. I am assuming that this applies to data that gets deleted normally quite quickly, such as virtual RAM, or even cryptographic session keys (and thus doing away with perfect forward secrecy). Some further thought on this is required.
Addition: footnote 23: "The Explanatory Memorandum should clarify that this provision provides only for the power to require preservation pending disclosure of discrete data relating to violations of criminal law upon request in a particular case. It does not mandate retention of all data collected by a service provider or other entity in the course of its activities."
With Respect To: .3 where they are trying to decide who the notice of preservation should be addressed to.
Addition: they add what is termed as "option 1", which states that the notice can be served to (and thus are required to be gagged) "the custodian of the system", while option 2 remains to be what it was in [22], which is
a person to whom the procedures of preservation referred to in this Article are directed,
What is a 'custodian'? Does this mean, as occurred within the UK after much deliberation with respect to GAK, that notices can be served to Managing Directors as well, so that they are notified of keys being handed over, and thus not forcing employees (who would receive the notice) to act without the knowledge of the MD? I am not sure.
Move: definition of subscriber information was moved from article 1 to this article.
Addition: in subarticle ii: "postal address" and "other access address" are now specified, where they were not before.
Addition: subarticle iii. "any other information on the location of stationary communication equipment, available on the basis of a contract".
With Respect To: In subarticle 5, the same option for 'custodian' was added, as in Article 15.
Again the same comments as in article 15 analysis.
With Respect To: subarticle 5, regarding the informing of individuals about executed measures
Addition: that such informing shall occur "in accordance with domestic law"
While this could be cosmetic, we do enjoy any opportunity that domestic laws are invoked.
Deletion: Dropped footnote stating that "the reference to "criminal investigations and proceedings" means a specific criminal investigation or proceeding undertaken in respect of a specific offence."
Addition: subarticle 2: "Where required by the established principles of its domestic legal system, a Party may adopt other measures as may be necessary to ensure the real-time collection and recording of traffic data through technical means on its territory, provided that such measures ensure the availability of such data for the purpose of criminal investigations and proceedings."
Change: The name of the article was changed from "Interception of electronic communications" to "content data".
This shows a shift in the understanding of interception on the Internet. However, they have not yet defined "content data" which I am sure they will. It is time to start invoking lessons learned from Carnivore and RIPA 2000.
Addition: subarticle 2: "Where required by the established principles of its domestic legal system, a Party may adopt other measures as may be necessary to ensure the real-time collection and recording of content data through technical means, provided that such measures ensure the availability of such data for the purpose of criminal investigations and proceedings."
Addition: subarticle 1(b), that a ship can be merely "registered under the laws of that Party";
Deletion: Dropped the jurisdiction of satellites. This follows from the footnote in ver23 referring to this area.
With Respect To: grounds for refusal of MA cooperation.
Addition: "The requested Party shall not exercise the right to refuse mutual assistance solely on the ground that the request concerns an offence which it considers a fiscal offence."
Addition: footnote 31, after the above addition, which states that DG14 expressed "its strong preference for the following text: "A Party may not refuse a request for mutual assistance on the safe ground that the offence is considered to involve also fiscal matters."
I have nothing to say here, as I am not sure of what they are debating about.
Addition: creation of subarticle 6 (looks like "8", see page 18) with two sub-subarticles, (a) and (b). (a) states that Party X may without prior request forward to another party (say Y) information obtained through investigation when X believes that the disclosure of this information may assist Y in "initiating or carrying out investigations or proceedings", or might lead to a request for cooperation _by_ Y. (b) states that prior to giving such information to Y, X may request that the information be kept confidential or used subject to conditions.
These are not good, as the constraints of Data Protection principles and more importantly dual criminality are still not invoked. So, if X authorities find information out about someone, and this is not illegal in X, they can forward this information on to Y where such an act may be illegal, and Y can then begin 'investigating' this individual and invoke extradition, etc. if required. Plus, information gathered in one country must be shared only if it meets data protection principles.
Deletion: The deletion of subarticle 6, as introduced in ver23.
Deletion: from subarticle , the clause that stated "but may be required as a condition for disclosure."
Addition: subarticle 4. This subarticle has two _options_. Option 1: a Party may "require dual criminality as a condition to providing preservation under this Article, where it requires dual criminality as a condition for the disclosure of data to the Requesting Party and it has clear grounds to believe that at the time for disclosure the condition of dual criminality cannot be fulfilled." Option 2: "Each State that requires dual criminality as a condition for the disclosure of data to a requesting Party may, at the time of signature, declare that it reserves the right to require dual criminality as a condition to providing preservation."
I am not all that sure of the differences between the two options (please verify), but we must argue for dual criminality as mandatory.
Addition: subarticle 5 [was subarticle 22.4] has an additional sub-subarticle (designated 'a'). A request may only be refused if "the request concerns an offence which the requested party considers a political offence or an offence connected with a political offence."
This is an important development. It acknowledges the differing levels of human rights protection in signatory states (say in the situation that China signs) and thus gives additional grounds for refusing mutual assistance. Our argument should be that this situation must not be acknowledged as an 'exception' but rather that dual criminality must be extended to all mutual assistance. Someone in the CoE is listening, but not well enough.
Addition: subarticle 2a, as in 24.5.a for 'political offence'.
Same comments as in 24.5.a.
Addition: subarticle 2, options 1 and 2: "2. Each Party may reserve the right to apply the measure referred to in this article only to specified offences or categories of offences, provided that it may not reserve as to the offences established in accordance with articles 2 - 11 of this Convention, and as to offences or categories of offences to which the measure referred to in article 34 may be applied. OR Option 2: Each Party may reserve the right to apply the measure referred to in this article only to specified offences or categories of offences, provided that the range of such offences or categories of offences is not more restricted than that to which the measure referred to in article 34 may be applied. Each Party shall consider restricting its reservation so as to permit application of the measure to the offences established in accordance with articles 2 - 11 of this Convention."
Deletion: subarticles 2, 3: removed most importantly (3), i.e. the request that powers be expanded nationally to include traffic data requests for offences relating to computer systems and data.
Change: "Interception of Communications" was renamed "content data", as in article 19 above.
Addition: Footnote added stating: "During DG4 it was not further debated but assumed that the scope of application of this article was the same as determined by domestic law in accordance with the (illegible word ) of section 2 of Chapter II."
See article 19 analysis. Not sure of what the footnote was referring to, however. Footnote seems to apply Article 28-bis (traffic data), but again I am not sure what they are saying.
Addition: a footnote that follows the "Article 23 bis". Footnote states that this is a new provision, discussed at length by DG 14. It is intended to clarify the conditions under which data, including personal data, would be transferred from one party to another.
Again I have to ask why DG14 is involved in this process, and if we are permitted to gain access to their 'discussion', presuming it is in paper form.
Addition: subarticle 1. Where there is no arrangement between countries (treaty for MA, for example), article 23 applies.
No comment.
Addition: subarticle 2. The transfer of information must be done only: (a) for investigative purposes stated in the request, (b) for other judicial and administrative proceedings related to investigations, (c) for preventing an immediate and serious threat to public security; (d) for any other purpose only with the prior consent of the Party providing the information.
This seems to incorporate some level of data protection principles.
Addition: subarticle 3. Prior to providing said information, the providing party may request that the information be kept confidential or other such conditions. If the receiving party cannot comply with such a request, the providing party can then determine whether it "should nevertheless" be provided. BUT, "no conditions shall be imposed for cases mentioned under" subarticle 2 (above).
This will be redrafted due to some confusing references within the subarticle. The 'nevertheless' non-condition is interesting.
Addition: subarticle 4. A transferring party may require the receiving party to explain the use made of such information.
We would argue that this MUST be required prior to its transfer, and again the dual criminality issue. We would also require generally that full data protection principles apply to this data.
Addition: "The purpose of the present convention is to supplement the existing multilateral or bilateral treaties or arrangements as between parties, including the provisions of (list: European Convention on Extradition (1957), European Convention on MA in Criminal Matters (1959), Additional Protocol to the ECMA in Criminal Matters (1978))"
This was not there before. It may be worth investigating these conventions. It is worth noting that Yaman has told me this before; it is odd that they only now chose to include this information within the convention.
Addition: Subarticle 3. "Nothing in this convention shall affect other rights, restrictions, obligations and responsibilities of a Party."
This seems thrown in as an afterthought. But note: this does not discuss human rights; it is stating the 'obligations' of a country. This could very well refer to UKUSA, and other such 'arrangements'.
Addition: Subarticle 4 (although numbered '3'). "The exercise by a Party of further measures in respect of the subject matter of this Convention is not excluded."
Not sure of the implications here, if there are any.
Addition: Footnote added after the title of this article. "The Treaty Office suggests that the use of this language ('notification of options') is contrary to standing Council of Europe practice in treaty-making. In addition, the federal clause is not related to any option. It is therefore suggested to revert to 'declarations'."
Interesting game with terminology: very conformist.
With Respect To: This article deals with exceptions to the convention that signatory states can apply for, as permitted in the flexibility outlined within the convention where there are 'options' for them to pursue.
Addition: subarticle 2.b: "When making a declaration pursuant to sub-paragraph (a) above, a federal State shall provide a statement regarding the nature of its federal system and of the effect of its federal character on the implementation of the convention."
Addition: Footnote after the term "effect" stating: "The US Delegation will provide a paper indicating which type of behaviour is going to be excluded from the scope of this Convention under US federal law."
This is VERY important -- the US is already talking about the need for additional exceptions. The reason for this is probably the federalist structure of government. We would argue that this is indicative of the problems with this treaty (Even the US can't sign it!) and there must be more room for manoeuvring.
Deletion: Dropped [22.37.2] that stated a limitation upon states on how many 'options' they are allowed to actually exercise.
This was dropped probably to cater for the US. NOTE: this deletion is not marked on the text.
Additions: to the list of paragraphs that parties can declare reservations towards: Articles 6.3, 9.4, 10.3, 29.4, 33.2.
Addition: subarticle 1. A party that has made a reservation may wholly or partially withdraw this reservation.
Addition: subarticle 2. "A party that has made a reservation shall withdraw such reservation in whole or in part as soon as circumstances permit."
Addition: subarticle 3. "The SecGen may periodically enquire with Parties that have made one or more reservations [...] as to the prospects for withdrawing such reservations."
Subarticles 2 and 3 are placing pressure on signatory states to harmonise entirely with the powers and crimes in this convention. This is ridiculous and calls sovereignty into question. I imagine that such periodic enquiries from the SecGen probably will come every 4 years in some countries.
With Respect To: making amendments to the convention, they can be proposed by any Party, and these amendments will be communicated to the member states of the CoE.
Addition: These amendments will be circulated also to "the non-member States having participated in the elaboration of this convention as well as to any state which has acceded to or has been invited to accede to"
Even if the US does not sign, it will continue to find out about changes and progression.
Addition: Entire new article.
Article outlines how consultation will continue to occur upon acceptance of the convention, with CDPC being key to this process.
With Respect To: Notification of changes, or developments
Addition: The SecGen shall notify to "the non-member states having participated in the elaboration of this convention as well as to any state which has acceded to or has been invited to accede to"
Same as in Article 44 [23.40].