Information technology industry groups expressed concern about provisions in a Council of Europe draft proposal for fighting cybercrime.
The World Information Technology and Services Alliance (WITSA), a global consortium of IT associations, said in a statement that "the draft convention could impose burdensome data-preservation requirements on Internet service providers (ISPs); make ISPs liable for third party actions; and restrict legitimate activities on the Internet."
Seeing a need for harmony among nations' computer-crime laws and improved cooperation between police across borders, a Council of Europe committee proposed a treaty at its October meeting. The council, which has 41 member countries, expects the treaty to be finalized by a group of experts this month. The council's Committee of Ministers could adopt the text and open it for signature in mid-to-late 2001, according to a council statement.
This bill, if adopted by the Council of Europe, has the weight of a treaty to the signatories. That means it has the weight of law. The U.S. Congress must ratify treaties, as do some other countries.
While some members of the council, such as Italy and the Netherlands, automatically adopt Council treaties once they are passed, opposition to the measure in other countries' national legislatures could make the treaty a waste of time, said Harris Miller, president of the Information Technology Association of America. Individual nations blocking adoption of the treaty's measures would provide legal safe havens for people looking to work around the international law.
"Part of the problem is that it's been such a closed process," he said. "They didn't make the document public until it had been through many, many iterations, after officials had basically made up their mind."
The Council of Europe released the 24th version of the draft proposal for public comment on November 17.
As it stands now, computer law varies widely from country to country. A recent ruling in France gives e-mail the same privacy protection as postal mail, while in Britain a boss can read employee e-mail with impunity, and under the Regulation of Investigatory Powers Act, the British government can track ISP traffic without a warrant.
A French judge ruled that Yahoo Inc. must install filters to prevent French users from accessing Nazi memorabilia for sale on its U.S. auction site, but the material is legal in the U.S. Yahoo Deutschland, its German subsidiary, is under investigation for selling Adolph Hitler's "Mein Kampf" online in Germany, where it is banned.
A German judge ruled that ISPs in Germany are responsible for any illegally-copied music on their systems, but 50-year-old German laws allow Internet broadcasters to play copyrighted music with impunity -- as long as artists are paid, record companies are out of luck. A Spanish judge ruled in April that copying of software programs is not illegal provided they are not sold for profit. But copyright is strictly enforced in other countries.
The draft calls for minimum standards for penalty on the illegal interception of data and interference with computer systems, computer-related fraud and forgery. It also prohibits online child pornography, including the possession of such material after downloading, as well the reproduction and distribution of copyright-protected material.
The ITAA doesn't oppose creating international legal standards, but Miller said he wants the council to slow down, build consensus and work with industry. "It would be helpful if there was more conformity in the laws ... setting up best practices makes sense," he said. "But when you get down to the nitty-gritty in this document, it gets tough."
Article 17 of the measure, for example, requires ISPs to log data traffic, and to keep the logs for government agencies to use for investigating cybercrimes. "It sets the stage for very heavy data-preservation requirements for ISPs," Miller said. The draft treaty would also expose ISPs to criminal liability for facilitating illegal activities like transmitting pirated software, which goes against existing practices in many countries.
Elements of the draft treaty also provide for the co-ordinated criminalization of computer hacking and hacking devices, which may impact legitimate uses of the same devices and methods by security personnel, said Miller.
Other groups have lined up against the measure. A letter signed in October by 29 human rights and information freedom organizations from several countries -- including the U.S. American Civil Liberties Union, the U.K. group Cyber-Rights and Cyber-Liberties, France's IRIS (Imaginons un réseau Internet solidaire), and Spain's Kriptopolis said the pact threatens individual liberties.
"We believe that the draft treaty is contrary to well-established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct," the letter stated.
The text of the draft can be read at: http://conventions.coe.int/treaty/EN/projets/cybercrime22.htm