Senate ratifies controversial cybercrime treaty

Tech companies say it can boost copyright protection. Others say it will allow FBI's surveillance apparatus to be misused.

Declan McCullagh Former Senior Writer
The first and only international treaty designed exclusively to combat computer crime won approval late Thursday from the U.S. Senate.

The Council of Europe Convention on Cybercrime "will enhance our ability to cooperate with foreign governments in fighting terrorism, computer hacking, money laundering and child pornography, among other crimes," Sen. Richard Lugar, the Indiana Republican who is chairman of the Senate Foreign Relations Committee, said in a statement.

The treaty is intended to harmonize computer crime laws, especially those in smaller or less developed nations that may not have updated their legal framework to reflect the complexities of the Internet. It requires participating countries to target a broad swath of activities, including unauthorized intrusions into networks, fraud, the release of worms and viruses, child pornography and copyright infringement.

"This treaty provides important tools in the battles against terrorism, attacks on computer networks and the sexual exploitation of children over the Internet, by strengthening U.S. cooperation with foreign countries in obtaining electronic evidence," U.S. Attorney General Alberto Gonzales said in a statement Friday.

Because U.S. law already includes much of what the treaty requires, the Senate's consent is in part symbolic.

"Dual criminality" conflict
But one portion, which provoked the most controversy, deals with international cooperation. It says that Internet providers must cooperate with electronic searches and seizures without reimbursement; that the FBI must conduct electronic surveillance "in real time" on behalf of another government; and that U.S. businesses can be slapped with "expedited preservation" orders preventing them from routinely deleting logs or other data.

What's controversial about those requirements is that they don't require "dual criminality"--in other words, Russian security services investigating democracy activists could ask for the FBI's help in uncovering the contents of their Yahoo Mail or Hotmail accounts, or even conducting live wiretaps.

"Our primary concern is that there's no dual criminality within the mutual assistance provisions," said Danny O'Brien, activism coordinator with the Electronic Frontier Foundation in San Francisco. "The U.S. is now obliged to investigate and monitor French Internet crimes, say, and France is obliged to obey America's requests to spy on its citizens, for instance--even if those citizens are under no suspicion for crimes on the statute books of their own country."

The Council of Europe consists of 45 member states, including all of the European Union, and five nonvoting members, of which the United States is one. Negotiations on the treaty began in 1997, and so far, 15 European nations, including Albania, Denmark, France, Norway and Ukraine, have fully ratified the final document.

The Bush administration began pressuring Congress to do the same in 2003. The Senate Foreign Relations Committee approved the treaty last summer.

Longtime technology industry advocates of the treaty hailed the Senate's action, which occurred on its final day in session before a monthlong summer recess. The Business Software Alliance, a lobbying group whose members include Microsoft, Apple Computer, Cisco Systems, IBM and Intel, said the treaty "will serve as an important tool in the global fight against cybercriminals and encourage greater cooperation among nations."

The software industry, which has been lobbying for years for action on the treaty, has found it contains much to cheer about, including a requirement that nations enact criminal penalties for copyright infringers.

The ratification marks "an important milestone in the fight against international cybercrime," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, which counts Juniper Networks, McAfee, RSA Security and Symantec among its member companies.

A First Amendment issue
The Senate did not consider an optional separate section dealing with Internet-based hate speech that would have required participating nations to imprison anyone guilty of "insulting publicly, through a computer system" certain groups of people based on characteristics such as race or ethnic origin.

The U.S. Department of Justice had said that such a provision--which would make it a crime to, say, e-mail racist jokes or question conventional wisdom about the Holocaust--was inconsistent with the First Amendment's free-expression guarantees.

"The convention is in full accord with all U.S. constitutional protections, such as free speech and other civil liberties, and will require no change to U.S. laws," Attorney General Gonzales said Friday.

Civil liberties groups have begged to differ, mounting resistance against the international document ever since its inception.

In a letter to senators last summer, the Electronic Privacy Information Center attacked the treaty for offering only "vague and weak" privacy protections. One section, for example, would require participating nations to have laws forcing individuals to disclose their decryption keys so that law enforcement could seize data for investigations, EPIC wrote.