Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Maybe you’re a civil libertarian, and maybe you’re not. Maybe you worry about how the United States exercises its vast investigative and prosecutorial powers, and maybe you don’t. But if you counsel U.S. corporations on computer-related issues, you should be concerned about a new proposed treaty known as the “Convention on Cybercrime.” The Council of Europe, a 43-nation public body created to promote democracy and the rule of law, is nominally drafting the treaty. Curiously, however, the primary architect is the U.S. Department of Justice. The Department of Justice and Federal Bureau of Investigation are using a foreign forum to create an international law-enforcement regime that favors the interests of the feds over those of ordinary citizens and businesses. Their goal is to make it easier to get evidence from abroad and to extradite and prosecute foreign nationals for certain kinds of crimes. Maybe you trust the law-enforcement chiefs in D.C. to do the right thing. But here’s the catch. The same new powers given to the United States will also be handed over to Bulgaria, Romania, Azerbaijan, and other Council of Europe nations that — although officially democratic now — don’t have a strong tradition of checks and balances on police power. Do you want investigators rummaging around your clients’ computer systems on warrants issued by former Soviet-bloc nations? That’s the prospect that has pushed AT&T Corporation and other high-technology companies into feverishly trying to stop, or at least soften, the treaty. The U.S. Chamber of Commerce and the Information Technology Association of America also oppose it. Stewart Baker, a partner at Washington, D.C.’s Steptoe & Johnson, is one of the chief lobbyists for the treaty’s opponents. As a former general counsel of the National Security Agency and recipient of the U.S. Department of Defense Medal for Meritorious Civilian Service, he’s got street credentials on these issues in corporate America. What worries Baker and his colleagues? Consider the following hypothetical: A Los Angeles screenwriter corresponds by e-mail with a neo-Nazi in Germany while researching a script. Shortly after, the screenwriter finds federal agents examining the files on his home computer. The agents also visit AOL Time Warner to retrieve records of the screenwriter’s AOL usage. The agents are fulfilling a warrant issued by German authorities allowing them to search for Nazi propaganda. Such material is unlawful in Germany but not in the United States. They framed their warrant in terms of “suspected terrorist activity.” Maybe the screenwriter should have anticipated this scenario, given the vigor with which German and other European authorities pursue hate crime on the Internet. Maybe he’s willing to run that risk and bear the burden of this kind of search. But what about AOL? AOL already gets dozens of search warrants and subpoenas every month. What would change under this treaty is that, in addition to getting those submitted by U.S. law-enforcement officials, they’d also have to respond to warrants and court orders from dozens of nations. All Internet service providers and phone companies — and perhaps other businesses — would have to cooperate with these investigations. They worry that they would also have to foot the bill for compliance. Maybe AOL and AT&T should expect this sort of intrusion as a cost of doing business in the Internet era. But what about the rest of us? The treaty would likely apply to any business or individual operating a computer connected to a network, according to Marilyn Cade, AT&T’s director of Internet and e-commerce policy. If you cable together two computers, you could be forced to comply with investigations that originated in Sofia or Riga. Foes acknowledge that there might be a need for a limited treaty harmonizing laws globally. Last year, for example, the Philippines was unable to prosecute the creator of the “love bug” virus. Its laws did not fit his deeds. But this proposal, they say, goes too far. D�J� VU The treaty has supporters, of course. The Motion Picture Association of America, the Recording Industry of America Association, and the Business Software Alliance all favor the treaty’s requirement that certain large-scale copyright infringements be handled under criminal law. In general, such “attacks” are now handled under civil law in most countries. “Our members, of course, constantly face problems connected to the unauthorized transmission of their copyrighted materials,” the three organizations stated in a joint letter. “Thus, we believe that ensuring a greater number of countries make such attacks illegal and actionable under national law is a high priority.” Critics sometimes compare the cybercrime treaty to the intellectual property treaty promulgated by the World Intellectual Property Organization in 1996. That treaty was designed to update laws for the Internet era. It was largely the handiwork of the Clinton administration’s Bruce Lehman, the head of the U.S. Patent and Trade Office. After the United States and other nations signed and ratified the WIPO treaty, Congress crafted the Digital Millennium Copyright Act as implementing legislation. Congress did not seriously debate the most controversial aspects in part because of the perceived need to implement the treaty. One of those made it unlawful to tamper with anti-copying devices and software. For these critics, the analogy between the WIPO treaty and the Convention on Cybercrime is clear. “The [cybercrime] treaty was written by government bureaucrats for government bureaucrats,” says Steptoe’s Baker. “The process was entirely dominated by one viewpoint — criminal enforcement.” WHAT IT DOES If the treaty is so bad, why has it gotten so little attention — a wire service report here, a trade publication article there? The answer, it seems, is that it is not easy to explain. But let’s try. The treaty has three primary sets of provisions. All three are aimed at setting basic computer-related criminal-law standards for signatory nations. First, it would require nations to outlaw such things as unauthorized computer intrusion; the release of viruses; and the use of a computer to commit acts that are already crimes, such as fraud and the distribution of child pornography. This part is relatively uncontroversial. The exceptions are the move to bring copyright under criminal law and the expansion of child-pornography statutes to so-called virtual child porn. A similar U.S. law is now under constitutional challenge in the United States. Second, the treaty requires nations to develop standard procedures to capture and retrieve online and other forms of information. Nations would have to be able to issue “retention orders” that would “freeze” data on any computer. Governments would also need the ability to capture in real time the time and origin of all traffic on a network, including telephone networks. For serious crimes, they would be required to intercept the actual content of the communications. Third, national governments would have to cooperate with other nations in sharing electronic evidence across borders. And this cooperation requirement would apply to all crimes: not just the cybercrimes laid out in the first section of the treaty or actions unlawful under U.S. law, but crimes in every signatory country. BONES OF CONTENTION The second and third parts of the treaty — individually and together — are the hot buttons. Phone companies and Internet providers are worried that they will spend their days meeting the demands of foreign investigative authorities. They won’t get reimbursed for compliance with foreign evidence orders in their non�U.S. branches and subsidiaries. And they worry that coping with unlimited compliance orders will disrupt their businesses, or those of their clients, according to James Halpert, a partner in the Washington, D.C., office of Piper, Marbury, Rudnick & Wolfe. One moment, an Internet provider might be turning over all Bulgarian folk songs on its system to an investigator. The next moment, it might be searching for e-mail traffic between customers in Latvia and the Ukraine. All companies will have to pay closer attention to their employees’ computer habits. The treaty imposes criminal liability on businesses if they fail to supervise users who commit potentially illegal acts. If the treaty is taken to its extreme, “companies will have to survey every single thing that users are doing on their computers,” says Halpert, who represents a coalition of Internet portal companies. How radically will the treaty affect U.S. law? The Justice Department says hardly at all. It may be possible to sign the treaty without adopting implementing legislation. Other nations, however, will have to strengthen and extend their criminal laws substantially. Lawyers get paid to worry about what-if scenarios, and there’s a huge one lurking here. What if signatory nations pass laws that create crimes broader than those described in the treaty? Normally, this would not be a huge cause for concern. In this context, though it might mean that U.S. law-enforcement agents would be enforcing criminal process against American citizens for acts that are not crimes in the United States. The Internet sometimes makes strange bedfellows, as when industry and civil liberties groups coalesced to oppose and overturn the Communications Decency Act, which regulated indecency on the net. And now “industry and civil liberties groups are remarkably aligned” in their opposition to the treaty, especially in the areas of due process protection, says partner Jeffrey Pryce of Steptoe & Johnson in Washington, D.C. In the eyes of the critics, the treaty is an open invitation for regulatory mischief. For example, newly democratic nations without traditional due process and other safeguards could require providers to build in monitoring technologies or could outlaw anonymous or untraceable Internet use. Those battles have been fought in the United States, but they might play out differently, and with worse consequences, in other nations. In one likely scenario, the treaty could emerge as the Internet version of the Communications Assistance for Law Enforcement Act, known colloquially as CALEA. That 1994 law, highly controversial at the time, required U.S. telephone companies to make sure that authorities could both trace and tap calls carried over their networks. Internet services are not currently included under that law, but the Federal Bureau of Investigation and the Department of Justice have long sought to expand CALEA to reach computer-based communications. “It’s as if the FBI, having failed to expand CALEA to computer networks here in the U.S., is trying to do so abroad, and import that expansion home as a treaty provision,” says one industry representative. That last concept is what is known as “policy laundering.” Dave Banisar of Privacy International, a privacy-rights watchdog group, says that the Justice Department and the FBI are pursuing their law-enforcement agendas overseas with the goal of bringing the resulting treaty back to Congress. They will then say, Banisar contends, “Well, other nations are doing it, so we should too.” Justice and FBI officials decline to comment on this contention. In private meetings with industry and public policy groups, however, Justice officials have sought to mollify the treaty’s critics. So has the Council of Europe. In a memo released in February, the Council of Europe suggested ways that countries could limit their implementing laws. But while this memo may be a kind of legislative history, it isn’t binding. THE TREATY PROCESS The treaty has been developed under the aegis of the Council of Europe, an organization created after World War II. Although the United States is not a member, the Department of Justice is what Steptoe’s Baker calls a “leading force” in the process. The drafting process was secret until draft 19 was publicly released in April 2000. Even now, Justice officials won’t comment publicly on their role in drafting the terms of the treaty. The department does defend the treaty on an FAQ on its Web site: “The United States has much to gain from a strong, well-crafted multi-lateral instrument that removes or minimizes the many procedural and jurisdictional obstacles” that endanger investigations. Still, critics don’t like that the treaty was kept under wraps until it was well along the way to final form. “A lot of the provisions were largely locked in” by the time the treaty was publicly released, Baker says. The Justice Department responds by noting that, since last April, it has made numerous presentations and met repeatedly with business and other private-sector interests. It is “about as open a process as I can think of,” says Betty Shave of Justice’s computer crime and intellectual property section, who has represented the department in negotiations. STOP IT OR FIX IT? Industry groups say that the best strategy is to try to improve the treaty rather than kill it. Even if it switched its position, the United States alone “couldn’t stand downhill in front of the snowball and expect to stop it,” Baker adds. There are no indications that the Bush administration will stop this initiative begun during the Clinton era. But even if the United States doesn’t sign the treaty, it will likely affect U.S. companies doing business internationally, their business partners, and their clients. “Just backing away from it is not the right answer,” AT&T’s Cade says. U.S. businesses are now starting to appeal to their counterparts overseas, including the International Chamber of Commerce, in hopes of turning sentiment against the treaty. Perhaps, if the United States’ role in shaping the treaty becomes better known, European policymakers will oppose it. Even many Europeans familiar with the treaty don’t know what it says precisely — only English and French translations are available. (English and French are the official languages of the Council of Europe.) “Neither the U.S. Department of Justice, nor the U.S. alone, will be able to achieve the kinds of changes that the coalition is seeking in the treaty without help from the other countries who are their trading partners and allies,” Cade says. Short of an international backlash, treaty watchers are uncertain how the U.S. Congress will respond to the treaty if the United States signs it. Whether senators decide that the need to combat cybercrime trumps concerns about submitting U.S. citizens and companies to foreign criminal process remains an open question. Mike Godwin is chief correspondent of IP Worldwide. His e-mail address is [email protected]

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.