Privacy International

Cyber-Crime

News

EU Forum on Data Retention.
The European Commission held a forum on November 27 on requiring Internet Service Providers and other telecommunications companies to retain transactional information about users' activites. EU Working Paper. Online Discussion on Data Retention. PI submission to the committee.

COE Cyber-crime Treaty Opens for Signature.
The COE held a signing ceremony on 22-23 November in Hungary where over 30 countries including the US, Canada and Japan signed the treaty. The COE is now begining work on an optional protocall on "criminalization of acts of a racist or xenophobic nature committed through computer networks."

COE Ministers Approve Cyber-crime Treaty.
The Deputy Minsters of the COE approved the Cybercrime Convention on September 19. COE press release. The COE will be holding a signing ceremony on 22-23 November in Hungary.

European Parliament Committee Votes on Spam and Data Retention, Directive Delayed
The European Parliament's Citizens' Rights and Freedoms, Justice and Home Affairs Committee voted 22-12 with 5 abstentions on June 11 on changes to the directive on telecommunications privacy to allow for spam and to limit ISPs retaining data for law enforcement purposes. under the new changes, article 15 on data retention now requires that any surveillance must be "necessary, appropriate, proportionate and limited in time measure within a democratic society" and "These measures must be entirely exceptional, based on a specific law which is comprehensible to the general public and be authorised by the judicial or competent authorities for individual cases. Under the European Convention on Human Rights and pursuant to rulings issued by the Court of Human Rights, any form of wide-scale general or exploratory electronic surveillance is prohibited." The changes were proposed by Marco Cappato a Radical MEP from Italy. He said:

"The Civil liberties committee expressed itself in favour of a strict regulation of law enforcement authorities' access to personal data of citizens, such as communication traffic and location data. This decision is fundamental because in this way the EP blocks EU States' efforts underway in the Council to put their citizens under generalised and pervasive surveillance, following the Echelon model. The decision of leaving to Member States the choice between opt-in and opt-out systems on electronic commercial communications is a liberal approach that respects subsidiarity, and that takes into consideration freedom of expression (prohibiting "hidden" spamming) and the different experiences of the Member States."

In October, the commitee voted again approving amendments on Spam and data retention which allow for opt-out for spam and limits on data retention.

The Telecommunications Privacy Directive has been delayed due to the conflict between the Parliament and the Council over the spam and data retention provisions. It is expected to be heard in Spring 2002.

EU Votes to Require ISP Data Surveillance Requirements
The European Union Telecommunications Council voted on 28 June on proposals by the UK to modify the new telecommunications directive to require that telecommunications providers retain information on their users for law enforcement purposes. Letter from the chair of the EU Data Protection Commissioners Committee opposing the requirements. See the S.O.S. Europe - Statewatch Observatory on Surveillance in Europe report for more details.

COE Committee Approves Cyber-crime Treaty.
The European Committee on Crime Problems (CDPC) of the COE approved the Cybercrime Convention and final Explanatory Memorandum on June 22. It will be submitted to the Committee of Ministers for adoption in September. See the "COE Section " page for more information.

New COE Cyber-crime Convention Draft Released.
The COE Released Draft 27 (Word doc) of the Cyber-crime treaty on May 25. The new draft is decribed as the "final activitiy report" and includes a revised explanatory memorandum. However, it generally is unchanged from previous drafts. It will be submitted to the European Committee on Crime Problems of the COE in mid-June for approval and then will be submitted to the Committee of Ministers for adoption. PI, ACLU and EPIC have written to the US Department of Justice and the COE expressing concerns about the treaty. See the COE Cyber-crime Convention Section for details, analysis and supporting documentation.

COE Parliamentiary Assembly Approves Cyber-crime Treaty.
The Parliamentary Assembly of the Council of Europe approved the controversial cyber-crime treaty on April 24. The assembly recommended including a provision on human rights and agreed to a protocol to ban hate speech. Cyber-rights report on the debates.

Group of 8 (G8)

The Group of 8 (G8) is made up of the heads of state of eight industrialized countries in the world (US, UK, France, Germany, Italy, Japan, Canada & Russia plus the European Union). The leaders have been meeting annually since 1975 to discuss issues of importance, including the information highway, crime and terrorism.

Since 1995, the G8 has become increasing more involved in the issue of cyber crime, and has created working groups and issued a series of communiques from the leaders and actions plans from justice minsters. In addition, a special working group has also been working on the issues almost constantly for several years. The G8 is holding another summit in Japan in June and is expected to issue new recommendations on cyber-crime including an endorsement of the Council of Europe's Cyber-crime Convention.

Review of G7/G8 Activities

In 1995, at the Summit meeting in Halifax, Canada, the G7 (Russian had not yet joined), the heads of state created an Senior Experts Group on Organized Crime known as the "Lyon Group."

The group released a 40 point "recommendations to combat Transnational Organized Crime efficiently" at the G7/P8 (G7 with Russian participating but not yet a member) Summit in April in Lyon, France. These included:

States should review their laws in order to ensure that abuses of modern technology that are deserving of criminal sanctions are criminalized and that problems with respect to jurisdiction, enforcement powers, investigation, training, crime prevention and international cooperation in respect of such abuses are effectively addressed. Liaison between law enforcement and prosecution personnel of different States should be improved, including the sharing of experience in addressing these problems. States should promote study in this area and negotiate arrangements and agreements to address the problem of technological crime and investigation.
We emphasize the relevance and effectiveness of techniques such as electronic surveillance, undercover operations and controlled deliveries. We call upon States to review domestic arrangements for those techniques and to facilitate international cooperation in these fields, taking full account of human rights implications. We encourage States to exchange experiences of their use.

Following the Lyon meeting, the Foreign Ministers and their Ministers responsible for security met in Paris, France in July 1996 to discuss terrorism. The Ministers called on states to "Note the risk of terrorists using electronic or wire communications systems and networks to carry out criminal acts and the need to find means, consistent with national law, to prevent such criminality." The states agreed to:

accelerate consultations, in appropriate bilateral or multilateral fora, on the use of encryption that allows, when necessary, lawful government access to data and communications in order to, inter alia, prevent or investigate acts of terrorism, while protecting the privacy of legitimate communications.
Intensify exchange of operation information, especially as regards...the use of communications technologies by terrorist groups.

In January 1997, under the sponsorship of the US Government, which chaired the G7 at the time, a "Subcommittee on High-tech Crime" was created, and chaired by Scott Charney, of the US Department of Justice. The working group meets regularly to discuss issues. Among other things, the working group set up a " 24-Hour-Contact-Group" to faciltiate law enforcement communications for investigations.

At the Denver Summit in June 1997, the issue was raised up to the head of state level. The G8 issued a Communique stating:

We must intensify our efforts to implement the Lyon recommendations. In the coming year we will focus on two areas of critical concern: First, the investigation, prosecution, and punishment of high-tech criminals, such as those tampering with computer and telecommunications technology, across national borders; Second, a system to provide all governments the technical and legal capabilities to respond to high- tech crimes, regardless of where the criminals may be located.

A separate "Foreign Ministers Progress Report" examined issues of high tech crime and recommended greater identification and tracking of users and restrictions on encryption:

The significant growth in computer and telecommunications technologies brings with it new challenges: global networks require new legal and technical mechanisms that allow for a timely and effective international law enforcement response to computer-related crimes. To that end, we will work together to enhance abilities to locate, identify, and prosecute criminals; cooperate with and assist one another in the collection of evidence; and continue to develop training for law enforcement personnel to fight high- technology and computer-related crime. ...
To counter, inter alia, the use of strong encryption by terrorists, we have endorsed acceleration of consultations and adoption of the OECD guidelines for cryptography policy and invited all states to develop national policies on encryption, including key, management, which may allow, consistent with these guidelines. Lawful government access to prevent and investigate acts of terrorism and to find a mechanism to cooperate internationally in implementing such policies. "

The "Expert Group to G8 Ministers and Chief Advisors of Science and Technology (Carnegie Group)" released a report in October 1997 on "Misuse of International Data Networks". The group recommended a series of legal and technical measures, which were often contradictory.

In December 1997, the Interior and Justice Ministers met in Washington, DC to discuss 'High-Tech Crime." The Ministers agreed to 10 principles and a 10 point action plan. These included:

Review our legal systems to ensure they appropriately criminalise abuses of telecommunications and computer systems and promote the investigation of high-tech crimes.

Consider issues raised by high-tech crimes, where relevant, when negotiating mutual assistance agreements or arrangements.

Continue to examine and develop workable solutions regarding: the preservation of evidence prior to the execution of a request for mutual assistance; transborder searches; and computer searches of data where the location of that data is unknown.

Develop expedited procedures for obtaining traffic data from all communications carriers in the chain of a communication and to study ways to expedite the passing of this data internationally.

Work jointly with industry to ensure that new technologies facilitate our effort to combat high-tech crime by preserving and collecting critical evidence.

Related documents:

Statement by US Attorney General Janet Reno, December 10, 1997.

Statement by Canadian Attorney General, December 10, 1997.

At the Birmingham, England Summit on May 18, 1998, the G8 issued a Comm u nique endorsed the principles released in December. The leaders announced, "We call for close cooperation with industry to reach agreement on a legal framework for obtaining, presenting and preserving electronic data as evidence, while maintaining appropriate privacy protection, and agreements on sharing evidence of those crimes with international partners. This will help us combat a wide range of crime, including abuse of the Internet and other new technologies."

In December 1998, the G8 Justice Ministers held a "Virtual Meeting on Organized Crime and Terrorist Funding." According to the joint release:

The G8 countries have established a 24 hour network of law enforcement experts capable of responding swiftly to requests for help with investigations that cross international borders, including hacking cases. The network, which is now in use, is open to wider membership and a number of non G8 countries have already joined. The Lyon Group is pursuing consultations with industry, including internet service providers, on preventing criminal use of networks and ensuring traceability of their communications. It is also developing proposals for a legal framework for retrieving electronic evidence swiftly in cases that cut across international borders.

Related Documents

G8 MINISTERIAL VIDEO CONFERENCE, December 15, 1998.

Joint Press Release of Ministers, December 15, 1998.

Canadian Govt press release, December 15, 1998.

The G8 leaders at the Cologne Summit in Cologne, Germany in June 1999 did not mention cyber-crime issues in their final communique.

At the Ministerial Conference of the G-8 Countries on Combating Transnational Organized Crime meeting in Moscow in October 1999, the Justice Ministers of the countries released a communiqué which included principles on access to files and identification of users and an extended annex on access to stored data. The annex included:

Each State shall ensure its ability to secure rapid preservation of data that is stored in a computer system, in particular data held by third parties such as service providers, and that is subject to short retention practices or is otherwise particularly vulnerable to loss or modification, for the purpose of seeking its access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State.

Related documents:

Government of Canada, G-8 Countries Combat Organized Crime, October 20, 1999.

G-8 Talks Traceback in Moscow, CanCERT™ Bulletin (Vol.2, No.5, Dec. 1999).

The G-8 met in Paris in May 2000 to develop recommendations on cyber crime that will be presented to the leaders of the G-8 at the meeting in Okinawa, Japan in July 2000.

At the start of the conference, French President Jacques Chirac said that he opposes US efforts to create an international criminal force for cyber-crimes. A new French agency for fighting cybercrime was also announced.

Industry officials came out against the COE proposals that would require that ISPs maintain records of users activities for extended purposes.

The final communique noted that "the ability to locate and identify Internet criminals through different systems is critical to deterring, investigating, and prosecuting crime that has an electronic component." It recommended the creation of "faster or novel solutions should be developed and that government and industry must work together to achieve them." The participants also agreed to the following elements for any solution:

ensuring the protection of individuals freedoms and private life,

preserving governments' ability to fight high tech crime,

facilitating appropriate training for all involved,

defining a clear and transparent framework for addressing cybercriminality,

ensuring free and fair activities, the sound development of industry, and supporting effective industry initiated voluntary codes of conduct and standards,

assessing effectiveness and consequences.

The experts from the G-8 members are scheduled to meeting in Tokyo the week of May 21 to discuss further measures leading up to the July Okinawa meeting.

Relevant Documents:

Official French Foreign Ministry web site of the conference (in French)

Another official site in English which says very little

Internet Alliance, An International Policy Framework for International Law Enforcement and Security, May 2000.

Global Internet Project, The Reliability and Security of the Internet, May 2000. Press Release

News Stories on the G-8 Paris Meeting:

Love Letter's last Victim, SecurityFocus.com, May 22, 2000.

World: G-8 Countries Tackle Cybercrime, RFE/RL, May 19, 2000.

Cybercrime forum touted for Canada, The Globe and Mail, May 18, 2000.

Thin Consensus veils Conflict at G8, Security Focus.com, May 17, 2000.

G8 Hems and Haws on Cybercrime, Reuters, May 17, 2000.

G8 agree to reinforce cooperation on cybercrime, infoworld.com, May 17, 2000.

IT-Industrie gegen "Cybercrime"-Gesetze, ORF, May 16, 2000.

France Defends Net Regulation, Reuters, May 16, 2000.

Action on cyber crime 'too slow', BBC, 16 May, 2000.

France makes a first move at G8 Net summit, infoworld.com, May 16, 2000.

Chirac Warns Nations on Cybercrime, AP, May 16, 2000.

Internet Industry Wary About New Cybercrime Rules, Reuters, May 16, 2000.

Cybercrime Fighters Need Geeks With Badges, Newsbytes, 16 May 2000.

Cyber war likened to 'wild West', Canoe, May 16, 2000.

G8-Staaten auf "Hacker"-Jagd, ORF, May 15, 2000.

Cybercrime Internationale, ABCNews, April 15, 2000.

Internet attacks fought on international front, CBC, May 15, 2000.

G8 & cybercriminalité, ZD France, 17 mai 2000. Special section of ZD net France on G-8 Meeting. In French.

G8 : Etats et grandes entreprises partent à la chasse des cyberpirates, Le Monde, 16 mai 2000.

World tackles Cybercrime, Security Focus.com, May 15, 2000.

Les américains prêts à entendre les arguments de l'Europe, Le Monde, 15 Mai 2000.

Paris refuse la cyberpolice planétair, Liberation, 16 Mai 2000.

Lutte contre la cybercriminalité: le nouvel office central démarre "dès cette semaine", AFP, 15 Mai 2000.

"ILOVEYOU" dominiert G8-Treffen, ORF, May 12, 2000.

Older G-8 Stories

Hunt for the log files, Spiegel Online, Ocotber 8, 1999.

"We also want to make a guide for other countries" , Telepolis, June 11, 1999. (interview with Scott Charney, the former chair of the g-8 Lyon Group).

Cybercrime to be combated worldwide, USA Today, January 26, 1999.

G8 summit gets cybercrime briefing, Reuters News Service, May 14, 1998.

G8 wages war on cyber-crime, BBC News, December 11, 1997.

Council of Europe

The Council of Europe is an intergovernmental organization formed in 1949 by West European countries. There are now 41 member countries. Its main role is "to strengthen democracy, human rights and the rule of law throughout its member states." Its description also notes that "it acts as a forum for examining a whole range of social problems, such as social exclusion, intolerance, the integration of migrants, the threat to private life posed by new technology, bioethical issues, terrorism, drug trafficking and criminal activities."

On September 8, 1995, the Council of Europe approved a recommendation to enhance law enforcement access to computers in member states. The Recommendation of the Committee of Ministers to Member States Concerning Problems of Criminal Procedure Law Connected with Information states:

Subject to legal privileges or protection, investigating authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedure law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein.
Specific obligations should be imposed on operators of public and private networks that offer telecommunications services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the investigating authorities.

Measures should be considered to minimize the negative effects of the use of cryptography on the investigation of criminal offenses, without affecting its legitimate use more than is strictly necessary.

The Council created a working group on cybercrime to draft a convention on computer crime in 1997. The draft is being prepared by an ad-hoc group of experts of a "limited number of countries" and chaired by Prof. Kaspersen of the University of Amsterdam. A number of nonmembers are also represented as observers to the ad-hoc group including the US, Canada, Japan, South Africa, the European Commission, the OESO, UNESCO and others.

The Committee of Experts on Crime in Cyberspace of the Council of Europe released its "Draft Convention on Cyber-crime" on April 27, 2000, following more than three years of discussions. Since then, it has released several revised versions and an explanatory memorandum but little has changed in the text since the original draft.

The converntion will require that countries adopt new laws requiring government access to encrypted information, expanding copyrights and criminalizing the possession of common security tools. It also would alter wiretapping laws in all of the countries.

The treaty would also facilitate the collection of information by requiring companies that provide Internet services to collect and maintain information in case it is needed by law enforcement agencies. It would permit international access to such information by governmental authorities in different jurisdictions.

The current draft also contains controversial provisions mandating that every country enact laws that would require an individual to release encryption keys and unencrypted data when requested by government officials. Most countries have rejected adopting these powers over concerns about violating individuals' rights against self-incrimination. EPIC's "Cryptography and Liberty 2000" report found that only Malaysia and Singapore have existing laws mandating such "lawful access."

The treaty will also be intially open to signature by other countries that contributed to the drafting process, including the United States, Canada, Hong Kong and Australia. Later, it will be open to all countries in the world.

The treaty has been strongly criticized by civil liberties group, privacy experts and industry representatives since its release.

The European Committee on Crime Problems (CDPC) of the COE approved the Cybercrime Convention in June 2001 and by the Council of Ministers in November 2001. It was opened for signature in November 2001 and has been signed by over 30 countries
Final version of Convention on Cyber-crime, June 22, 2001.

Explanatory Memorandum, June 22, 2001.
The European Committee on Crime Problems (CDPC) announcement on approval of Convention, June 22, 2001.

Draft 27 of Convention on Cyber-crime and Explantory Memorandum, May 25, 2001.

Letter from PI, ACLU and EPIC expressing concerns over final version of treaty, June 7, 2001.
David Banisar, Privacy International, Endgame for Cybercrime Treaty, in Security Focus.com, June 4, 2001.

The Parliamentary Assembly of the Council of Europe approved the Convention on April 24. The assembly recommended including a provision on human rights and agreed to a protocol to ban hate speech.

COE, Press Release, April 24, 2001.
Cyber-rights report on the debates.

Draft 25 of Convention on Cyber-crime, December 22, 2000.

The World ISPA Forum and European Telecommunications Networks Operators™ Association (ETNO), letter to Professor Kaspersen on Draft COE Convention, 18 April 2001.
ENTO, Press Release, Telecoms Operators concerned by draft Cybercrime Convention, 30 April 2001.

Draft 24(2) of Convention on Cyber-crime, November 19, 2000.

European Union, Article 29 Working Group Opinion 4/2001, On the Council of Europe's Draft Convention on Cyber-crime, 22 March 2001.
Global Internet Liberty Campaign letter, December 2000.

Gus Hosein, Privacy International, Working document on changes between 22, 23 and 24.2, November 2000

David Banisar, Privacy International, Cybercrime treaty still horrible, in Security Focus.com, December 14, 2000.

Draft 22 of Convention on Cyber-crime, October 2, 2000.

David Banisar and Gu s Hosein, Privacy International, Analysis of Ver 22, October 2000.
GILC letter to the Council of Europe, October 2000.

International Working Group on Data Protection in Telecommunications, Common Position on data protection aspects in the Draft Convention on cyber-crime of the Council of Europe, 13./14. September 2000.

Draft 19 of Convention on Cyber-crime, April 2000.

Council of Europe, Press release on convention, April 2000.
David Banisar, Privacy International, Love Letter's last Victim, in Security Focus.com, May 22, 2000.

Council of Europe, Points of Contact for Cyber-crime Convention

European Union, Common Position on the COE Convention, May 1999. (Official Journal L 142, 05/06/1999 p. 0001 - 0002).

News Stories

Council of Europe Signs Draft Cybercrime Treaty, IDG, Jun 22 2001.

Europe: Net Crime-Stoppers , Industry Standard, July 2001.

International cybercrime treaty finalized, CNet, June 22, 2001.

Treaty 'could stifle online privacy', BBC.com, June 11, 2001.

Cyber-crime justifies world government, The Register, May 31, 2001.

Council of Europe wraps up cybercrime treaty, IDG, May 29, 2001.

Cybercrime treaty's a secret policemen's ball, Guardian, May 13, 2001.

Cybercrime treaty moves closer, CNN. com, April 24, 2001.

Lutte contre la cybercriminalité : le Projet de convention du Conseil de l'Europe sur la cybercriminalité, Juriscom.net, April 19, 2001 (FR)

David Banisar, Cybercrime treaty still horrible, in Security Focus.com, December 14, 2000.

Critics Say Cybercrime Treaty Harmful, Interactive Week, December 7, 2000.

Internet business group calls for delay in cybercrime treaty, IDG News, November 07, 2000

David Banisar, Love Letter's last Victim, in Security Focus.com, May 22, 2000.

Cybercrime Solution Has Bugs, Wired News, May 3, 2000.

Other Related Documents

Dr Paul Norman, Institute of Criminal Justice Studies, Policing 'high tech crime' in the global context: the role of transnational policy networks. An excellent review of the policy relationships between the COE, G8 and EU on cyber-crime. The report notes that "a triumvirate of G8, EU and the Council of Europe has in little over one year aligned themselves with the G8's initial concern for hi-tech crime - with each fora ensuring that their strategies are coordinated across the organizations and disseminated to its membership."

U.S. Department of Justice, The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet, March 9, 2000.

Appendices to "The Electronic Frontier: the Challenge of Unlawful Conduct Involving the Use of the Internet " (Includes information on G-8 and COE efforts)