The Council of Europe (CoE) has made the worldwide ratification of its Convention on Cybercrime a high priority. The Convention was opened for signature in November 2001 and entered into force on 1 July 2004. As part of these efforts, the CoE held a conference on "Cooperation against cybercrime" in Strasbourg on 11-12 June 2007, at which EDRI was invited to give a presentation (some of the participants' presentations are available on the conference website).
This conference was organised within the framework of the CoE Octopus programme against corruption and organised crime in Europe, three years after the 2004 conference on "The challenge of cybercrime" and two years after the joint CoE-OAS (Organisation of American States) conference on "Cybercrime: a global challenge, a global response". The CoE has also been promoting this Convention in many international fora, including the World Summit on the Information Society and its follow-up, the Internet Governance Forum. Finally, it has held numerous regional meetings and training events for member States and third States to help them implement Convention-ready or Convention-compatible provisions in their legislation.
Almost 140 participants attended the conference (list available on the conference website). They were mainly law enforcement authorities (LEAs) from all over the world (representing 49 countries from the 5 continents), plus 12 intergovernmental organisations (among them EUROPOL, INTERPOL, and ENISA - the European Network and Information Security Agency), 3 non-governmental organisations (EDRI, ICMEC - the International Centre for Missing and Exploited Children, and the French Human Rights League), 3 international multi-stakeholder forums (the Inhope association of Internet hotlines, the Anti-Phishing forum and the London Action Plan against spam) and 3 private-sector organisations (Microsoft, NASSCOM - India's national association for software and service companies, and RSA).
Surprisingly, no ISP representative attended, and none was invited to make a presentation, although the Convention on Cybercrime places a severe burden on ISPs: most of its procedural provisions (articles 16 to 21) directly require their cooperation in order to achieve preservation, production, search and seizure of stored computer data, real-time collection of traffic data and interception of content data.
However, Microsoft was well represented and was obviously given an important role in the conference, with no fewer than 3 presentations in plenary sessions. A presentation by Alexander Seger, Head of Technical Cooperation in the Department of Crime Problems (CoE DG of Legal Affairs), offered a clue to this special treatment: the CoE has launched a new project against cybercrime, "a global project to support European and non-European countries to accede and implement the Convention on cybercrime or its Protocol on xenophobia and racism" (details on the project are available on the conference website), which started in September 2006 for a duration of 30 months. The overall budget is 1.7 million euros, of which only 550,000 euros are currently available: 290,000 euros from the CoE's own funding and 260,000 euros from Microsoft's contribution.
It should be noted that such private funding is a new practice for the CoE, to the extent that the Microsoft funding had to be approved by the CoE Council of Ministers. As Alexander Seger suggested in his presentation, "other donors (public and private) are invited to join this project" and "beyond this project, CoE may now seek stronger cooperation with the private sector". If this extension does take place, one may wonder whether the CoE will be able to remain the reference it currently represents in terms of respect for human rights, democracy and the rule of law. Interestingly enough, this trend of having CoE projects funded by the private sector starts with this very Convention on cybercrime, probably the only one among the current 200 CoE Treaties to have been so heavily criticised by human rights NGOs, as EDRI recalled in its presentation. While Alexander Seger and Microsoft representatives insisted that "no specific condition has been attached to the financial contribution from Microsoft", it would be quite naive to find this "guarantee" satisfactory: agenda-setting and agenda-pushing are certainly already worth the money spent.
The interest of companies like Microsoft in such a project is directly linked to the substantive provisions of the Convention (articles 2 to 13), which aim at harmonizing the criminalisation of the commission of "offences against the confidentiality, integrity and availability of computer data and systems" (art. 2-6), "computer related offences" (forgery and fraud, art. 7-8), "content-related offences" (Internet child pornography, art. 9), "offences related to infringements of copyright and related rights" (art. 10) or attempting, aiding or abetting the commission of such offences (art. 11).
Copyright infringement was barely mentioned during the 2007 conference. The fight against Internet child pornography served as the consensual vehicle to promote tools such as the Convention and private hotlines: concerns regarding respect for the rule of law, as raised by EDRI, were received, as usual, with suspicion of laxity. EDRI was the only participant to point out that the additional Protocol against racism and xenophobia could only be ratified by countries that already criminalise in their national laws the dissemination of such content, as well as insults and threats based on racism and xenophobia. Thus, it would never solve cases such as the famous Yahoo! case between France and the USA, simply because, as EDRI noted, the Convention and its Protocol fail to address the major issue of the competence of jurisdictions.
The really big issues for LEAs during this conference were the most prevalent threats and the new trends they perceive in current cybercrime activities: spamming, phishing and its many variants using SMS (SMSishing), VoIP (Vishing) and DNS redirections (pharming), the use of botnets, and the use of P2P networks and instant messaging systems were among the many identified aspects of a protean cybercrime. Although all the presentations on these trends (especially those from Europol and from French LEAs) acknowledged the lack of statistics and the difficulty of gathering data on this kind of crime, they were able to agree on its current volume and its growth, and to conclude that there is an increased need to limit - if not forbid - anonymity and encryption of exchanges, to better control Internet use from cybercafes and other public places, and, last but not least, to further extend cooperation with the private sector (telecom operators and ISPs) as well as communication and exchange of data among LEAs for mutual assistance purposes.
International cooperation between LEAs is precisely the subject of the numerous remaining provisions of the Convention (articles 23 to 35). In summary, these provisions allow any State party to the Convention to request from any other party the communication of data collected under the provisions of articles 16 to 21, without any dual criminality requirement (unless a relevant reservation has been made upon ratification) and with very limited possibility of refusal. In fact, as noted by Henrik Kaspersen, professor at the Free University of Amsterdam and chair of the committee of the CoE Convention on cybercrime, the current 43 signatories (among them 21 having ratified the text) have made quite moderate use of reservations. Moreover, the Convention's conditions and safeguards (article 15) are far from being adequate and harmonised among the State parties to the Treaty: although the EU Article 29 working group warned against this and other failures of the Convention when the text was still being drafted, its opinion was not taken into account. With the extension of the Convention to States with far fewer privacy safeguards than the CoE member States - which are bound by the European Convention on Human Rights -, starting with the USA, this threat is beginning to realise the worst fears of the Global Internet Liberty Campaign (GILC) international coalition of NGOs - among them future EDRI founders - when it published in 2001 its "Eight Reasons the International Cybercrime Treaty Should be Rejected", after a long campaign against the eventually signed Convention.
Furthermore, although one can argue that, since 2001, the situation has become even worse with laws adopted all over the world, including at the European Union level, it has to be acknowledged that "the CoE Convention on cybercrime opened the way to more and more invasive laws", as EDRI concluded at the end of its presentation at this conference, resulting in "on-line activities and behaviours more criminalised than their off-line equivalent and citizens benefit from less protections and safeguards on-line than off-line". In order to limit the risk that, six years after its signature, the CoE Convention on cybercrime becomes more dangerous than ever, EDRI advocated, "before any further extension in scope and/or ratification/accession, (the) need for an assessment of the Convention and its national implementations with regards to human rights, democracy and the rule of law". Finally, in the same way as EDRI considers that, at the EU level, data protection under the third pillar is a prerequisite to any broadening of information systems in criminal matters, EDRI recommended that the Council of Europe "devotes an equivalent energy to extend ratifications/accessions to Convention no.108 for the protection of individuals with regard to automatic processing of personal data". But such a goal does not seem to be on the CoE's agenda.
CoE Octopus Conference 2007 (11-12.06.2007)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_econ...
CoE Octopus Conference 2004 (15-17.09.2004)
http://www.coe.int/t/e/legal_affairs/legal_co-operation/combating_econ...
Joint COE-OAS Conference 2005 (12-13.10.2005)
http://www.coe.int/T/E/Legal_Affairs/About_us/Cooperation/5Madrid(cyber)_OAS.asp
EU Article 29 WP Opinion on the CoE Draft Convention on Cybercrime (22.03.2001)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2001/wp41en.p...
GILC coalition "Treaty Watch" website
http://www.treatywatch.org
IRIS dossier of the campaign against the Convention and its Protocol (only in French)
http://www.iris.sgdg.org/actions/cybercrime
EDRI-gram: From Schengen To Prüm: Data Protection Under 3rd Pillar A Prerequisite (28.02.2007)
http://www.edri.org/edrigram/number5.4/prum
CoE Convention no.108 on data protection (28.01.1981)
http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=108&...
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)