COMMENTS OF THE U.S. COUNCIL FOR INTERNATIONAL BUSINESS
THE COUNCIL OF EUROPE DRAFT CONVENTION ON CYBER CRIMES
September 1, 2000
Council for International Business (USCIB) appreciates the opportunity to
comment on the Council of Europe Draft Convention on Cyber Crimes. The USCIB advances the global
interests of American business both at home and abroad. The USCIB has a membership of over
300 global corporations, professional firms, and business associations. It is the American affiliate of
the International Chamber of Commerce (ICC), the Business and Industry
Advisory Committee (BIAC) to the OECD, and the International Organisation of
Employers (IOE). As such, it
officially represents U.S. business positions in the main intergovernmental
bodies, and vis-à-vis foreign business communities and their governments.
members welcome the current discussions between governments and industry
regarding cyber crime and security.
Business has and is continuing to ensure the security of its networks
and the content residing on these networks to protect them from attack. However, government action may also
be needed to ensure that the necessary laws are in place to make such attacks
illegal. Many states already
have such laws, others are in the process of revising their laws to address
The Council of Europe, on 27 April 2000 issued its Draft
Convention on Crimes in Cyberspace. We recognize that the U.S. Department of Justice assisted the
Council in developing its language.
The Convention is an important initiative and an admirable attempt to
reach an international agreement on how international industry and law
enforcement agencies need to cooperate in combating cyber-crime.
However, industry has several
concerns with the current Draft.
These concerns include the following:
1. There is not a consensus among USCIB members that the
Council of Europe is the appropriate forum to negotiate an international
convention on cyber crimes. The
Council of Europe is not a global forum but rather a regional forum. The issue of cyber crimes is a global
issue and the negotiations of such a convention, notwithstanding all of the
obstacles of achieving a consensus when attempting to harmonize certain areas
of substantive law, should include representatives from all regions to ensure
that the convention is consistent with different legal regimes both within
Europe and beyond. Moreover,
Non-European states may be hesitant to negotiate an international instrument
in a forum in which they have no official standing. Notwithstanding the above, we are offering comments on the
text of the Draft Convention to demonstrate business' concerns with the
substance of it.
2. Article 1.a.
The definition of the term Computer System is overly broad and could
be interpreted to cover multi-purpose digital wireless devices and services
that are unlicensed and not traceable through a network operator or service
provider. For example palm pilots operating at high frequencies are not
licensed services but are readily on the market and available for use. The range of these devices is likely
to increase over time. Moreover,
given the existence of prepaid wireless services, where the customer is
anonymous, service providers will not have customer details to enable them to
comply with all of the conditions set forth in the Draft Convention. None of this is to suggest, however,
that such devices cannot and will not be used to commit criminal offenses,
such as copyright infringement. Criminal offenses committed through the use
of such devices may require the development of more tailored enforcement
mechanisms that balance the interests of all stakeholders, including content
providers, service providers and users and take into consideration the
technological capabilities of the particular device and service being used.
3. Article 1.c. The definition of service provider is
unclear as to the scope of business entities and private individuals that may
be covered. The clarification of
this definition must be considered carefully in light of existing
international treaties and international and domestic legislation that
already contain definitions of "service provider" that may conflict
with the definition as set forth in this Draft Convention, giving due regard
to the fact that this is in the context of criminal liability.
4. Article 2 states that "Each
party shall adopt such legislative and other measures as may be necessary to
establish as criminal offenses under its domestic law when committed
intentionally, the access to the whole or any part of a computer without
right." First the purpose
of this article needs to be clarified.
This clarification should clearly recognize that there is a difference
between the intent to transfer information and the intent to commit a
substantive offense. In
addition, "without right" is ambiguous and needs to be defined. For instance, unsolicited e-mail
could be construed to be without right.
In the U.S. and other countries, "intent" can be a very low
standard. Even something is done
intentionally, i.e., knowing that you are doing it, does not necessarily mean
that it should be a criminal act.
5. In some areas, it may be very difficult, if not
impossible, to harmonize laws on what conduct should be criminalized. Article
9, for example, proposes measures for criminalizing online child
pornography. In some countries a
photo of a child in a bathtub may be considered child pornography and in
other countries it is not. This
also may confront issues relating to the freedom of speech and expression
embodied, for instance, in the European Convention on Human Rights. Given this obstacle, perhaps it might
be more appropriate for the convention to be restricted to preventative
measures, security measures, investigative measures, international
cooperation, criminal procedure and enforcement mechanisms, rather than
trying to address underlying substantive law issues that should remain within
the sovereignty of the member states.
6. The Draft Convention does not define the term
"security measures" (used in Article 2). Would this term include all forms of encryption and water
marking technology and other technical protection measures? USCIB members believe that the definition
should be consistent with a similar concept, "standard technical
measure," from the U.S. Digital Millenium Copyright Act (DMCA). The DMCA ensures that such measures
are applicable only if, among other things, they "… have been developed
pursuant to a broad consensus of copyright owners and service providers in an
open, fair, voluntary, multi-industry standards process." Again, due regard should be given to the fact that this is in the context of
criminal liability. It
should also be clear that this term is not limited to network protection,
like firewalls, but should also include technical protection measures
embedded in content.
7. Article 4 Data Interference should include a catch-all
phrase such as "… or other unlawful use of computer data without right."
In fact, we suggest that this language be added wherever it appears in the
context of content. Moreover, in
both Articles 4 and 5 the issue of service provider liability could arise.
This article should not be read to impose liability on service providers for
acts (e.g. overriding or deleting of data) done in the normal course of their
business. In this context, receipt by a service provider of a subpoena
rendered by a competent authority that follows appropriate due process should
be complied with expeditiously, notwithstanding any other provision of law.
8. Article 6 on Illegal Devices would presumably cover many
of the same circumvention devices covered by the DMCA in the U.S. and the
proposed E.U. Copyright Directive (ECD) and to this extent should be
consistent. Article 6.a. for
instance should cover marketing and promotion of such devices as well.
9. Article 8 on Computer Related Fraud should more clearly
define the meaning of the term "property." Our members believe that
the term "property" should include intellectual property. With the inclusion of intellectual
property, "misappropriate or unlawful" use should be added to
10. Article 9, Generally, the language is quite broad and includes "possessing child pornography
in a computer system or on a data carrier without right and with
including ISPs, do not have the capability of monitoring for this. The
recently adopted E.U. Directive on Certain Legal Aspects of Electronic
Commerce (E-Commerce Directive) generally relieves service providers from an
obligation to monitor the information they transmit. In fact, the E.U Data Protection and
Telecommunications Directive makes general monitoring illegal. Additionally, the definitions for
child pornography can be broadly interpreted. Given the extraterritorial nature of the conditions being
imposed, this may create significant liabilities. Liability for Service Providers is imposed for
"distributing and transmitting" -- which is their line of
business. Moreover, as
mentioned above, the definition of "child pornography" is overly
broad and would most likely be held unconstitutional in the U.S. and in
conflict with existing laws elsewhere.
Again, perhaps it is best to leave the substantive law issue to the
Member States, with the Convention addressing prevention and
enforcement. The European
attempt to create a harmonized content rating program is a clear example of
the difficulty in harmonizing substantive law in this area-- no two countries
agree on what constitutes pornography.
Therefore, in this area it would be best to defer to the substantive
law of the appropriate member state.
11. Article 10 on Copyright, USCIB members recommend that the
scope of an offense pursuant to this article be consistent with the terms and
conditions that are widely accepted by international copyright treaties and
therefore recommend that the brackets be removed. The following language should be added to the end of the
bracketed clause: "giving due regard to the fact that this article
establishes criminal offenses for copyright infringements." Also the language "by means of a
computer system" should be clarified in a manner consistent with
international treaty law. In
Article 10, the Council specifically defers to the national laws of the Party. Our members also believe that such
protections should be afforded to other intellectual property such as
trademarks and software patents, which are also capable of being infringed on
the Internet. Finally, limiting
these provisions to acts that are committed "on a commercial scale"
ignores the ripple effect of a single violation. For example, putting one music performance or software
code on the Internet can destroy an entire market and lead to the sharing,
sale or distribution of a million copies within minutes. Would one music performance or
software code be on a "commercial scale"? Our members suggest that this language be replaced with
"on a substantial or commercial scale."
12. Article 11 regarding aiding and
abetting could be construed to include liability of service providers
resulting from the provision of its network services. Please refer to the comments
regarding this issue in Article 12.
12 on Corporate Liability must be subject to existing substantive law, i.e.
the DMCA in the U.S. and the recently adopted E-Commerce Directive, etc. The DMCA relates to copyright
infringement only, but the E-Commerce Directive is horizontal. Both address the issue of liability
for service providers. Any
framework for criminal liability for copyright infringements must balance the
interests of all stakeholders, including content providers, service providers
and users. More generally, the
attachment of corporate criminal liability is overly broad, including
liability for acts of a person in a "leading position" within a
position" is defined as an individual who has the power of
representation of the legal person; or an authority to take decisions on
behalf of the legal person; or an authority to exercise control within the legal
person; as well as for involvement of such a natural person as aider or
abettor." It does not
clearly limit corporate criminal liability to acts for which the leading
person was actually acting under such authority (what if the act is ultra
vires?). This should
be clarified. Corporations
should not be held liable for the acts of their employees when the employee,
though a "leading person" as defined by the Draft Convention, acts
beyond the scope of such authority.
Subscriber data information obligations would be
difficult to comply with. A
standard for legal interception of communications does not exist for the
Internet, wireless pre-paid subscribers are typically anonymous in Europe. The convention's definition of
"data" as including "time, date, size and duration of a
communication" is not typically tracked in the world of Internet
Article 14 allows for the remote seizure of stored
computer data. There is no
definition of "competent authority" and the provision is not
subject to necessary due process requirements. There is no requirement of a court order or subpoena. Section 14(2) could subject service
providers to search and seizure requests from around the globe. It could, as a practical matter, turn
the service provider into being on-call for law enforcement requests from all
over the globe at all times, severely disrupting or shutting down the
business of the service provider.
They not only have the right to "seize" but "secure a
computer system," make the provider "retain copies,"
"maintain the integrity of data," and "render inaccessible or
remove data." Section 14(5)
seems to allow worldwide authorities to compel any third party who "has
knowledge about the computer system" to secure data. Articles 15 and 16 also impose a data
storage requirement on ISPs and other businesses with no consideration of the
practical effects on their business, systems or costs. The storage of such voluminous data
could simply overload a business' network. Finally, Section 14(7) subjects this article to the
conditions and safe guards under national law. Such national laws may not be sufficient to ensure due
process according to the provisions of other states. This issue should be addressed in any
16. Article 17 calls for the expeditious
preservation of traffic data and assistance in identifying service providers.
There is no safe harbor or minimum or maximum requirements for assistance
that must be offered. Article 17 also seems to require that all service
providers preserve data traffic "regardless of whether one or more
service providers were involved in the transmission of that
communication." Our members
do not know if this is technically feasible. This article would also require each service provider to
keep a log of the complete worldwide transmission path of all Internet
transmissions. Path recording of
Internet Protocol transmissions is not possible, and in fact, portions of any
given transmission may take different paths to the ultimate destination. Any such requirement that is
technically feasible should only become applicable after the receipt by a
service provider of a subpoena rendered by a competent authority that follows
appropriate due process and is conducted in an expedited way.
21 language balances out the language in Article 2. The extradition language is overly broad and could
lead to jurisdictional disagreements.
For example, an offense is extraditable if the access without right
"impairs the integrity or availability of data or a computer system." In Germany, an AOL manager was
originally sentenced to jail for permitting a link on its system to a hate
site. Germany could potentially
call for the extradition of U.S. service providers. No other regulated
industry has this requirement and the information is already freely available
from public sources.
Article 24 requires parties notified and requested to
preserve data to disclose to the requesting party a sufficient amount of
traffic data in order to identify service providers through which the data
was transmitted. This seems
broad reaching and does not provide details as to what happens to those that
do not fully disclose the necessary information. Is this considered aiding and abetting? It is not clear
what is meant by "expedited" preservation. If service providers
fail to act expeditiously enough (and without a legislative safe harbor)
would they be held criminally liable? Any such requirement that is
technically feasible should only become applicable after the receipt by a
service provider of a subpoena rendered by a competent authority that follows
appropriate due process and is conducted in an expedited way. The same comment applies to Article 25.
We hope that these comments are helpful. We would be happy to discuss them
with you in more detail if you have any questions.
Counsellor for Privacy, Office of Management and Budget, The White House
Adrienne Lavallee, Senior
Advisor to the Chief Counsellor for Privacy, Office of Management and Budget,
The White House
Mary Street, Acting General Counsel, Department of
Elliot Maxwell, Special Advisor to the Secretary on
the Digital Economy, Department of Commerce
Richard Visek, Attorney, Office of the Legal
Advisor, Law Enforcement and Intelligence, Department of State
Betty-Ellen Shave, Associate
Chief for International Matters, Computer Crimes and Intellectual Property
Section, Department of Justice