The Cybercrime Convention is the first international treaty on
criminal offences committed against or with the help of computer
networks.
In particular, the Convention deals with offences related to
infringements of copyright, computer-related fraud, child
pornography and offences connected with network security. It also
covers a series of procedural powers, such as the search and
interception of material on computer networks.
The Convention includes powers to preserve data, to search and
seize, to collect traffic data and to intercept communications.
These powers faced serious criticism from privacy activists during
the drafting process.
The Convention has so far been signed by 30 of the 42 Member
States of the Council of Europe, including the UK, France, Germany
and Norway. Four non-member states – Canada, Japan, South Africa
and the US – have also signed the treaty.
However, for the Convention to have the force of law it must not
only be signed, but also ratified, i.e. given effect to in the laws
of a participating country, by five of those states – three of
which must be members of the Council of Europe.
So far only three Member States, Albania, Croatia and Estonia,
have taken this step. France indicated in June this year that it
was likely to ratify the treaty, and if the US follows suit then
the Convention will come into force.
In a letter to the Senate earlier this week, President Bush
urged "that the Senate give early and favourable consideration to
the Cybercrime Convention, and that it give its advice and consent
to ratification".
But ratification, warned Privacy International, would create
unprecedented dangers for privacy and security in the US, as it
would allow all Member States "'on demand' access to the personal
information and communications records of any American they may
wish to investigate."
This information would include full e-mail logs, phone records
and mobile phone location data, together with account and financial
records – all of which could be 'cherry picked' by investigation
authorities in countries such as Estonia, Serbia and Croatia.
According to Privacy International, the low standard of evidence
or authentication demanded for these transfers of personal
information creates exceptional dangers to ethnic and minority
groups in the US.
The conditions for sharing this information are such that the
transfer does not have to involve dual criminality. In fact the
Convention dissuades governments from requiring dual criminality
before data must be shared. There are grounds for
refusal, but they are limited. This means that an East European
investigation authority can demand information on an American even
where the suspected activity is not a crime in the US.
Only very basic information as to the reason for the request
need be given to US officials, said Privacy International.
The group's Director, Simon Davies, warned, "The President's
efforts will put lives and liberty at risk. The Treaty imperils the
constitutional and judicial protections that Americans enjoy.
Ratification will compromise every safeguard in US law".
"The Treaty is ill considered, regressive and unnecessary and
should be rejected by the Senate," he added.