Lots of countries still haven't updated their laws to cover Internet-based crimes, leaving companies in many parts of the world without legal protections from malicious hackers and other attackers who are looking to steal their data, according to a new report released yesterday by a technology consulting firm based here.
But corporate executives and IT managers may not necessarily like the laws that are starting to emerge in some regions. Of special concern is a proposed cybercrime treaty, being developed by the 41-nation Council of Europe, that some business groups fear could affect corporate data retention policies.
For example, the Global Internet Project, an Arlington, Va.-based organization that's trying to head off government regulation of the Internet, last month claimed that the proposed treaty could actually hamper efforts to stop cybercrime and to track down people who launch computer-related attacks. Those concerns were echoed here yesterday by attendees at a forum on international cyberlaw sponsored by McConnell International LLC, the consulting firm that issued the new report on cybercrime laws.
Privacy advocates are also raising an alarm, arguing that the proposed European treaty may tread on privacy rights. "We are going into an area where the problem is not too little law but too much law," said James Dempsey, senior staff counsel at the Washington-based Center for Democracy and Technology, during yesterday's forum.
The picture painted by Dempsey on the cyberlaw status of various nations stands in sharp contrast to the report prepared by Bruce McConnell, president of McConnell International and former head of the Clinton administration's International Y2K Cooperation Center. McConnell's report looked at 52 countries and found that only nine have substantially updated their laws to cover cybercrimes.
But what's clear in both views is that many countries are beginning to wake up to the issue. "There is competition among countries for leadership and excellence in the digital economy," McConnell said. "There is a kind of a race to see which countries are going to be the leaders in this new way of doing business."
The European cybercrime treaty could be ready for approval by the middle of next year and is then expected to be adopted by the U.S. and other countries outside of Europe. Its intent is to help law enforcement officials track down malicious attackers and child pornographers by easing cooperation among police, said Henrik Kaspersen, who is chairing the Council of Europe's Committee of Experts on Crime in Cyberspace. He added that the treaty also seeks to "prevent data havens" - areas in which laws governing cybercrimes are weak.
However, the treaty has left companies such as WorldCom Inc. uncertain about what its legal requirements or liability risks will ultimately be, said Theresa Swinehart, associate general counsel at the Clinton, Miss.-based telecommunications company. "There is so much gray area," she said.
A key area of concern is data retention. Internet service providers are worried that they may face new obligations to hold onto data in response to requests from law enforcers. For example, WorldCom officials said, the treaty as it now stands could enable countries to demand that companies keep data sought for use in investigations for as long as government officials deem necessary. "Clarification on the data retention issue is going to be needed," Swinehart said.
France appeared on McConnell's list of legal laggards. But Dempsey, citing a recent court ruling in that country requiring Santa Clara, Calif.-based Yahoo Inc. to prevent French citizens from trafficking in Nazi paraphernalia, said the court action illustrates the point that there are too many laws on the books already. "I don't think [France] can be characterized as a hacker haven," he said.