WITSA, whose members include the Computing Services &
Software Association (CSSA) in the UK and the Information
Technology Association of America (ITAA) in the US, supported the
objectives of improving international law enforcement among the 41
member states of the Council and other non-member countries that
could decide to sign the Cybercrime Convention. The US Department
of Justice has indicated on its web site that the US will consider
joining the Convention when it has seen the final version proposed
by the Council of Europe.
In its statement to the Council, WITSA expressed concerns with a
number of provisions in the new draft version of the Convention.
The group says that, in its present form, the Convention could
impose burdensome data preservation requirements on ISPs, make ISPs
liable for third party actions and restrict legitimate activities
on the internet. It described many of the changes to previous
drafts as being “largely cosmetic” and falling short of addressing
the concerns of the IT industry. WITSA’s Public Policy Chairman,
David Olive, said, “often the most effective way to counter cyber
crime is through technical innovation, not burdensome
legislation.”
WITSA is concerned with provisions in the draft Convention that
would mean ISPs being required to “preserve and maintain the
integrity” of traffic data for internet transmissions. However, the
treaty clarifies that this is not a blanket requirement. The
relevant authorities in member states are only required to order
ISPs to take such measures in connection with “a specific criminal
matter.” WITSA says that the requirement is burdensome and
intrusive for ISPs and raises privacy concerns.
WITSA also attacks provisions in the Convention that would
create a crime of aiding and abetting the commission of certain
acts, such as on-line forgery and child pornography. It is
concerned that, because these crimes are committed via ISPs’
systems, ISPs could inadvertently find themselves guilty of having
aided and abetted the crime. However, the notes to the Article in
question state that it “contemplates liability for aiding and
abetting where the person who commits [such a crime] is aided by
another person who shares the mental state required for the
commission of the crime. Individuals or legal persons (including
service providers) that do not share the objective of committing
the crime cannot incur liability through unknowing incidental
assistance provided to a criminal actor.”
The notes go on to explain that an ISP could incur liability if
it intentionally fails to remove criminal material from a site
after having been duly notified. WITSA’s concern appears to be an
ISP being found liable after receiving “a vague notice from a
content provider that somewhere in the ISP’s service” some
infringing material exists.
WITSA’s final criticism is targeted at an anti-hacking provision
of the Convention that prohibits intentional access to a computer
system “without right.” WITSA questions whether this would prohibit
the use of cookies or third party testing and evaluation of
software, security systems, reverse engineering or search engine
bots. The article states that a member state “may require that the
offence be committed either by infringing security measures or with
the intent of obtaining computer data or other dishonest
intent.”
The notes to the article state that it is “not intended to
criminalise regular and common activities inherent in the design of
the network” such as accessing a web page “that has been configured
for public access.”
WITSA concludes that it is committed “to reaching a consensus on
carefully tailored measures that will both support effective
international law enforcement and foster continued growth and
innovation in the information sector.”
Another body representing industry, the Global Internet Project,
criticised a previous version of the draft Convention. It has not
made public its comments on the latest draft.
