Stanford CIS

(Cyber) Crime and Punishment - Worries about the Convention on Cybercrime

By Larry Downes on

href="http://www.cioinsight.com/article2/0,1540,2100916,00.asp">My column in this month's CIO Insight describes a few of the big concerns I have with the Council of Europe's Convention on Cybercrime, which the U.S. Senate ratified over the summer.

The Justice Department took the unusual step of issuing a press release at the time announcing that, although in theory the treaty could lead to significant free speech and privacy issues, the U.S. wouldn't enforce it that way.

Neither the regular or business press reported at all on ratification, despite considerable objections beforehand from civil liberties groups and the telecommunications industry.

One of the biggest concerns with the Convention is its requirement for signatory countries (any country can sign) to cooperate with each other in investigating cybercrimes, even when the cybercrime in question concerns activities that wouldn't be criminal--may indeed be protected--in the other country.  If Togo, for example (not currently a signatory) had a law that blog entries critical of its government were illegal, Togo could request that the U.S. government subpoena records from any network operator in the U.S. for use in its investigation.

And the definition of network operator is so broad that it includes basically everyone.

Adding insult to injury, the cost of complying with these pass-through requests is to be borne entirely by the subject of the request.

So law enforcement agencies around the world can simply outsource their investigative costs to the private sector, with no controls.

Network operators can try to fight orders that require them to turn over data, but in many cases they won’t bother—-the rights being invaded are those of their customers and users.  Like the USA Patriot Act, law enforcement agencies can not only demand information be turned over but also that the target of the demand not reveal to anyone that they have been served.

There is also a worrisome provision that imposes vicarious liability on employers for cybercrimes committed by employees when the employer fails to adequately control or supervise the employee.  Again, this liability can apply to activities that are criminal in the countries where they take place, meaning employers must be up-to-date on the cybercrime laws of every signatory country, on pain of civil or criminal liability.

The proof of how dangerous these provisions are will be in both the requests from signatory countries and the Justice Department's handling of those requests.  Stay tuned.

But not to the regular media outlets.