COMMENTS OF THE U.S. COUNCIL FOR INTERNATIONAL BUSINESS
ON
THE COUNCIL OF EUROPE DRAFT CONVENTION ON CYBER CRIMES
September 1, 2000
The U.S. Council for International Business (USCIB) appreciates the opportunity to comment on the Council of Europe Draft Convention on Cyber Crimes. The USCIB advances the global interests of American business both at home and abroad. The USCIB has a membership of over 300 global corporations, professional firms, and business associations. It is the American affiliate of the International Chamber of Commerce (ICC), the Business and Industry Advisory Committee (BIAC) to the OECD, and the International Organisation of Employers (IOE). As such, it officially represents U.S. business positions in the main intergovernmental bodies, and vis-à-vis foreign business communities and their governments.
USCIB members welcome the current discussions between governments and industry regarding cyber crime and security. Business has been and is continuing to ensure the security of its networks and the content residing on these networks to protect them from attack. However, government action may also be needed to ensure that the necessary laws are in place to make such attacks illegal. Many states already have such laws; others are in the process of revising their laws to address these issues.
The Council of Europe, on 27 April 2000, issued its Draft Convention on Crimes in Cyberspace. We recognize that the U.S. Department of Justice assisted the Council in developing its language. The Convention is an important initiative and an admirable attempt to reach an international agreement on how international industry and law enforcement agencies need to cooperate in combating cyber-crime. However, industry has several concerns with the current Draft. These concerns include the following:
1. There is not a consensus among USCIB members that the Council of Europe is the appropriate forum to negotiate an international convention on cyber crimes. The Council of Europe is not a global forum but rather a regional forum. The issue of cyber crimes is a global issue, and the negotiation of such a convention, notwithstanding all of the obstacles to achieving a consensus when attempting to harmonize certain areas of substantive law, should include representatives from all regions to ensure that the convention is consistent with different legal regimes both within Europe and beyond. Moreover, non-European states may be hesitant to negotiate an international instrument in a forum in which they have no official standing. Notwithstanding the above, we are offering comments on the text of the Draft Convention to demonstrate business' concerns with the substance of it.
2. Article 1.a. The definition of the term "computer system" is overly broad and could be interpreted to cover multi-purpose digital wireless devices and services that are unlicensed and not traceable through a network operator or service provider. For example, Palm Pilots operating at high frequencies are not licensed services but are readily on the market and available for use. The range of these devices is likely to increase over time. Moreover, given the existence of prepaid wireless services, where the customer is anonymous, service providers will not have customer details to enable them to comply with all of the conditions set forth in the Draft Convention. None of this is to suggest, however, that such devices cannot and will not be used to commit criminal offenses, such as copyright infringement. Criminal offenses committed through the use of such devices may require the development of more tailored enforcement mechanisms that balance the interests of all stakeholders, including content providers, service providers and users, and take into consideration the technological capabilities of the particular device and service being used.
3. Article 1.c. The definition of "service provider" is unclear as to the scope of business entities and private individuals that may be covered. The clarification of this definition must be considered carefully in light of existing international treaties and international and domestic legislation that already contain definitions of "service provider" that may conflict with the definition as set forth in this Draft Convention, giving due regard to the fact that this is in the context of criminal liability.
4. Article 2 states that "Each party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law when committed intentionally, the access to the whole or any part of a computer without right." First, the purpose of this article needs to be clarified. This clarification should clearly recognize that there is a difference between the intent to transfer information and the intent to commit a substantive offense. In addition, "without right" is ambiguous and needs to be defined. For instance, unsolicited e-mail could be construed to be without right. In the U.S. and other countries, "intent" can be a very low standard. Even if something is done intentionally, i.e., knowing that you are doing it, that does not necessarily mean that it should be a criminal act.
5. In some areas, it may be very difficult, if not impossible, to harmonize laws on what conduct should be criminalized. Article 9, for example, proposes measures for criminalizing online child pornography. In some countries a photo of a child in a bathtub may be considered child pornography and in other countries it is not. This also may confront issues relating to the freedom of speech and expression embodied, for instance, in the European Convention on Human Rights. Given this obstacle, perhaps it might be more appropriate for the convention to be restricted to preventative measures, security measures, investigative measures, international cooperation, criminal procedure and enforcement mechanisms, rather than trying to address underlying substantive law issues that should remain within the sovereignty of the member states.
6. The Draft Convention does not define the term "security measures" (used in Article 2). Would this term include all forms of encryption and watermarking technology and other technical protection measures? USCIB members believe that the definition should be consistent with a similar concept, "standard technical measure," from the U.S. Digital Millennium Copyright Act (DMCA). The DMCA ensures that such measures are applicable only if, among other things, they "… have been developed pursuant to a broad consensus of copyright owners and service providers in an open, fair, voluntary, multi-industry standards process." Again, due regard should be given to the fact that this is in the context of criminal liability. It should also be clear that this term is not limited to network protection, like firewalls, but should also include technical protection measures embedded in content.
7. Article 4 (Data Interference) should include a catch-all phrase such as "… or other unlawful use of computer data without right." In fact, we suggest that this language be added wherever it appears in the context of content. Moreover, in both Articles 4 and 5 the issue of service provider liability could arise. This article should not be read to impose liability on service providers for acts (e.g. overriding or deleting of data) done in the normal course of their business. In this context, receipt by a service provider of a subpoena rendered by a competent authority that follows appropriate due process should be complied with expeditiously, notwithstanding any other provision of law.
8. Article 6 on Illegal Devices would presumably cover many of the same circumvention devices covered by the DMCA in the U.S. and the proposed E.U. Copyright Directive (ECD), and to this extent should be consistent. Article 6.a., for instance, should cover marketing and promotion of such devices as well.
9. Article 8 on Computer Related Fraud should more clearly define the meaning of the term "property." Our members believe that the term "property" should include intellectual property. With the inclusion of intellectual property, "misappropriate or unlawful" use should be added to Article 8.
10. Article 9. Generally, the language is quite broad and includes "possessing child pornography in a computer system or on a data carrier without right and with intent." Businesses, including ISPs, do not have the capability of monitoring for this. The recently adopted E.U. Directive on Certain Legal Aspects of Electronic Commerce (E-Commerce Directive) generally relieves service providers from an obligation to monitor the information they transmit. In fact, the E.U. Data Protection and Telecommunications Directive makes general monitoring illegal. Additionally, the definitions for child pornography can be broadly interpreted. Given the extraterritorial nature of the conditions being imposed, this may create significant liabilities. Liability for service providers is imposed for "distributing and transmitting," which is their line of business. Moreover, as mentioned above, the definition of "child pornography" is overly broad and would most likely be held unconstitutional in the U.S. and in conflict with existing laws elsewhere.
Again, perhaps it is best to leave the substantive law issue to the Member States, with the Convention addressing prevention and enforcement. The European attempt to create a harmonized content rating program is a clear example of the difficulty in harmonizing substantive law in this area: no two countries agree on what constitutes pornography. Therefore, in this area it would be best to defer to the substantive law of the appropriate member state.
11. Article 10 on Copyright. USCIB members recommend that the scope of an offense pursuant to this article be consistent with the terms and conditions that are widely accepted by international copyright treaties, and therefore recommend that the brackets be removed. The following language should be added to the end of the bracketed clause: "giving due regard to the fact that this article establishes criminal offenses for copyright infringements." Also, the language "by means of a computer system" should be clarified in a manner consistent with international treaty law. In Article 10, the Council specifically defers to the national laws of the Party. Our members also believe that such protections should be afforded to other intellectual property such as trademarks and software patents, which are also capable of being infringed on the Internet. Finally, limiting these provisions to acts that are committed "on a commercial scale" ignores the ripple effect of a single violation. For example, putting one music performance or software code on the Internet can destroy an entire market and lead to the sharing, sale or distribution of a million copies within minutes. Would one music performance or software code be on a "commercial scale"? Our members suggest that this language be replaced with "on a substantial or commercial scale."
12. Article 11 regarding aiding and abetting could be construed to include liability of service providers resulting from the provision of their network services. Please refer to the comments regarding this issue under Article 12.
13. Article 12 on Corporate Liability must be subject to existing substantive law, i.e. the DMCA in the U.S. and the recently adopted E-Commerce Directive, etc. The DMCA relates to copyright infringement only, but the E-Commerce Directive is horizontal. Both address the issue of liability for service providers. Any framework for criminal liability for copyright infringements must balance the interests of all stakeholders, including content providers, service providers and users. More generally, the attachment of corporate criminal liability is overly broad, including liability for acts of a person in a "leading position" within a corporation. "Leading position" is defined as "an individual who has the power of representation of the legal person; or an authority to take decisions on behalf of the legal person; or an authority to exercise control within the legal person; as well as for involvement of such a natural person as aider or abettor." It does not clearly limit corporate criminal liability to acts for which the leading person was actually acting under such authority (what if the act is ultra vires?). This should be clarified. Corporations should not be held liable for the acts of their employees when the employee, though a "leading person" as defined by the Draft Convention, acts beyond the scope of such authority.
14. Subscriber data information obligations would be difficult to comply with. A standard for legal interception of communications does not exist for the Internet, and wireless pre-paid subscribers are typically anonymous in Europe. The convention's definition of "data" as including "time, date, size and duration of a communication" covers information that is not typically tracked in the world of Internet transmissions.
15. Article 14 allows for the remote seizure of stored computer data. There is no definition of "competent authority," and the provision is not subject to necessary due process requirements. There is no requirement of a court order or subpoena. Section 14(2) could subject service providers to search and seizure requests from around the globe. It could, as a practical matter, turn the service provider into being on-call for law enforcement requests from all over the globe at all times, severely disrupting or shutting down the business of the service provider. Authorities not only have the right to "seize" but to "secure a computer system," make the provider "retain copies," "maintain the integrity of data," and "render inaccessible or remove data." Section 14(5) seems to allow worldwide authorities to compel any third party who "has knowledge about the computer system" to secure data. Articles 15 and 16 also impose a data storage requirement on ISPs and other businesses with no consideration of the practical effects on their business, systems or costs. The storage of such voluminous data could simply overload a business' network. Finally, Section 14(7) subjects this article to the conditions and safeguards under national law. Such national laws may not be sufficient to ensure due process according to the provisions of other states. This issue should be addressed in any such convention.
16. Article 17 calls for the expeditious preservation of traffic data and assistance in identifying service providers. There is no safe harbor or minimum or maximum requirements for assistance that must be offered. Article 17 also seems to require that all service providers preserve data traffic "regardless of whether one or more service providers were involved in the transmission of that communication." Our members do not know if this is technically feasible. This article would also require each service provider to keep a log of the complete worldwide transmission path of all Internet transmissions. Path recording of Internet Protocol transmissions is not possible, and in fact, portions of any given transmission may take different paths to the ultimate destination. Any such requirement that is technically feasible should only become applicable after the receipt by a service provider of a subpoena rendered by a competent authority that follows appropriate due process and is conducted in an expedited way.
17. Article 21 language balances out the language in Article 2. The extradition language is overly broad and could lead to jurisdictional disagreements. For example, an offense is extraditable if the access without right "impairs the integrity or availability of data or a computer system." In Germany, an AOL manager was originally sentenced to jail for permitting a link on its system to a hate site. Germany could potentially call for the extradition of U.S. service providers. No other regulated industry has this requirement, and the information is already freely available from public sources.
18. Article 24 requires parties notified and requested to preserve data to disclose to the requesting party a sufficient amount of traffic data in order to identify service providers through which the data was transmitted. This seems broad reaching and does not provide details as to what happens to those that do not fully disclose the necessary information. Is this considered aiding and abetting? It is not clear what is meant by "expedited" preservation. If service providers fail to act expeditiously enough (and without a legislative safe harbor), would they be held criminally liable? Any such requirement that is technically feasible should only become applicable after the receipt by a service provider of a subpoena rendered by a competent authority that follows appropriate due process and is conducted in an expedited way. The same comment applies to Article 25.
We hope that these comments are helpful. We would be happy to discuss them with you in more detail if you have any questions.
Cc: Peter Swire, Chief Counsellor for Privacy, Office of Management and Budget, The White House
Adrienne Lavallee, Senior Advisor to the Chief Counsellor for Privacy, Office of Management and Budget, The White House
Mary Street, Acting General Counsel, Department of Commerce
Elliot Maxwell, Special Advisor to the Secretary on the Digital Economy, Department of Commerce
Richard Visek, Attorney, Office of the Legal Advisor, Law Enforcement and Intelligence, Department of State
Betty-Ellen Shave, Associate Chief for International Matters, Computer Crimes and Intellectual Property Section, Department of Justice