WikiLeaks Document Release http://wikileaks.org/wiki/CRS-RS21208 February 2, 2009 Congressional Research Service Report RS21208 Cybercrime: The Council of Europe Convention Kristin Archick, Consultant, Foreign Affairs, Defense, and Trade Division Updated September 28, 2006 Abstract. Forty-three countries, including the United States, have signed the Council of Europe's Convention on Cybercrime of November 2001. The U.S. Senate ratified the Convention on August 3, 2006. The Convention seeks to better combat cybercrime by harmonizing national laws, improving investigative abilities, and boosting international cooperation. Supporters argue that the Convention will enhance deterrence, while critics counter it will have little effect without participation by countries in which cybercriminals operate freely. Others warn it will endanger privacy and civil liberties. Order Code RS21208 Updated September 28, 2006 CRS Report for Congress Received through the CRS Web Cybercrime: The Council of Europe Convention Kristin Archick Specialist in European Affairs Foreign Affairs, Defense, and Trade Division Summary http://wikileaks.org/wiki/CRS-RS21208 Forty-three countries, including the United States, have signed the Council of Europe's Convention on Cybercrime of November 2001. The U.S. Senate ratified the Convention on August 3, 2006. The Convention seeks to better combat cybercrime by harmonizing national laws, improving investigative abilities, and boosting international cooperation. Supporters argue that the Convention will enhance deterrence, while critics counter it will have little effect without participation by countries in which cybercriminals operate freely. Others warn it will endanger privacy and civil liberties. This report will be updated as events warrant. Background The Council of Europe's Convention on Cybercrime was opened for signature on November 23, 2001.1 The Convention is the first international treaty designed to address several categories of crimes committed via the Internet and other computer networks. Negotiations on the Convention began in 1997, following a determination by the Council that the transnational character of cybercrime could only be tackled at the global level. Since then, the increase in hacking incidents, the spread of destructive computer viruses, and the minimal prosecution of such crimes in many states, have spurred on the Council's efforts. The September 11, 2001 terrorist attacks provided further momentum by raising the specter of cyber attacks on critical infrastructure facilities, financial institutions, or government systems, and by highlighting the way terrorists use computers and the Internet to communicate, raise money, recruit, and spread propaganda. To date, the Convention has been signed by 38 Council of Europe members and five non-members (the United 1 The Council of Europe has 46 members, including all 25 members of the European Union, and seeks to promote and protect human rights and the rule of law throughout Europe. Congressional Research Service ~ The Library of Congress CRS-2 States, Canada, Japan, Montenegro, and South Africa) that also participated in the negotiations.2 The Convention's main goal is to establish a "common criminal policy" to better combat computer-related crimes worldwide through harmonizing national legislation, enhancing law enforcement and judicial capabilities, and improving international cooperation. To these ends, the Convention requires signatories to ! Define criminal offenses and sanctions under their domestic laws for four categories of computer-related crimes: fraud and forgery, child pornography, copyright infringements, and security breaches such as hacking, illegal data interception, and system interferences that compromise network integrity and availability. Signatories must also enact laws establishing jurisdiction over such offenses committed on their territories, registered ships or aircraft, or by their nationals abroad. ! Establish domestic procedures for detecting, investigating, and prosecuting computer crimes, and collecting electronic evidence of any http://wikileaks.org/wiki/CRS-RS21208 criminal offense. Such procedures include the expedited preservation of computer-stored data and electronic communications ("traffic" data), system search and seizure, and real-time interception of data. Parties to the Convention must guarantee the conditions and safeguards necessary to protect human rights and the principle of proportionality. ! Establish a rapid and effective system for international cooperation. The Convention deems cybercrimes to be extraditable offenses, and permits law enforcement authorities in one country to collect computer-based evidence for those in another. It also calls for establishing a 24-hour, seven-days-a-week contact network to provide immediate assistance with cross-border investigations. Current Status President George W. Bush transmitted the Convention to the Senate for U.S. ratification on November 17, 2003 (Treaty 108-11). The Senate's Committee on Foreign Relations held a hearing on the Convention on June 17, 2004.3 On July 26, 2005, the committee ordered the Convention favorably reported by voice vote, with the recommendation that the Senate give its advice and consent to its ratification, subject to several reservations and declarations. The Committee published a report on the 2 The 38 Council of Europe member state signatories are Albania, Armenia, Austria, Belgium, Bosnia-Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Moldova, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, the Former Yugoslav Republic of Macedonia, Ukraine, and the United Kingdom. 3 See Senate Committee on Foreign Relations, "Law Enforcement Treaties," 108th Congress, 2nd Session, June 17, 2004. CRS-3 Convention on November 8, 2005.4 The Senate ratified the Convention by division vote on August 3, 2006. The Convention will enter into force for the United States approximately three months after the instrument of ratification is deposited with the Council of Europe. In addition to the United States, 15 other states have ratified the Convention to date. The United States has not signed an additional "hate speech" protocol to the Convention, and the Bush Administration stresses that it will not do so because it views the protocol as conflicting with freedom of speech rights. This additional protocol, approved in November 2002, defines racist or xenophobic acts committed through computer networks as criminal offenses and prohibits distributing racist material via the Internet; the protocol was opened for signature in January 2003. The original draft of the Convention text contained language, supported by several European countries, criminalizing racist websites, but this provision was dropped when the United States resisted. As a result, negotiators agreed to address computer-related hate speech in a separate protocol, which the United States and others could choose not to sign. To date, 29 members of the Council plus Canada and Montenegro have signed the Protocol, and seven signatories have ratified it; the Protocol entered into force on March 1, 2006. http://wikileaks.org/wiki/CRS-RS21208 Possible Benefits and Risks Convention supporters argue that it represents a significant step forward in tackling cybercrime because it commits signatories to prosecute computer-related crimes vigorously -- which many countries fail to do currently. Council of Europe officials say that the Convention will end cybercriminals' "feeling of impunity."5 They claim that by mandating sanctions and making cybercrimes extraditable offenses, the Convention will improve deterrence and reduce the number of countries in which criminals can avoid prosecution. Advocates also argue that the Convention's procedures for collecting evidence will assist law enforcement authorities in the fight against terrorism. In general, the information technology industry in the United States supports the Convention, viewing it as helping to raise international legal standards against cybercrime to those already in existence in the United States.6 Skeptics, however, point out that in order to serve as a deterrent, more states will have to sign the Convention and abide by its mandates. They note that states that participated in the Convention's negotiations are not the "problem countries" in which cyber criminals operate relatively freely. Hackers frequently route cyber attacks through portals in Yemen or North Korea, neither of which are part of the Convention. In addition, some analysts criticize the Convention for not permitting police authorities 4 See Senate Committee on Foreign Relations, "Council of Europe Convention on Cybercrime," Exec. Rept. 109-6, 109th Congress, 1st Session, Nov. 8, 2005. 5 "European Cybercrime Pact Aims to Set Global Benchmark," Agence France Presse, Nov. 22, 2001. 6 Declan McCullagh, "Global Cybercrime Treaty Gets Senate Nod," Silicon.com, Aug. 7, 2006. CRS-4 direct cross-border access to computer data, which they argue creates an extra, time- wasting step.7 The Convention has also come under fire from civil liberties groups concerned that it undermines individual privacy rights and expands surveillance powers too far. The American Civil Liberties Union claims that U.S. authorities will use the Convention to conduct surveillance and searches that would not be permitted under current U.S. law. Others fear that the Convention lacks a dual criminality provision, making it possible for foreign governments to request that the United States investigate crimes not considered offenses under U.S. law; the U.S. Justice Department counters that it may deny any assistance to a foreign government that contravenes U.S. sovereignty, security, or other interests.8 European critics also worry that the Convention allows the transfer of personal data to countries outside Europe, such as the United States, that they believe have less protective laws regarding the use of such information. Council of Europe officials dismiss such fears, arguing that the Convention provides adequate civil liberty safeguards and limits information transfers to specific criminal investigations. Meanwhile, some business and consumer groups are concerned that the Convention's provisions could increase costs to service providers, impede the development of security technologies and http://wikileaks.org/wiki/CRS-RS21208 sale of encryption programs, and negatively affect consumer confidence in e-commerce. U.S. Policy Both the Clinton and Bush Administrations worked closely with the Council of Europe on the Convention. U.S. officials believe that it "removes or minimizes the many procedural and jurisdictional obstacles that can delay or endanger international investigations and prosecutions of computer-related crimes."9 The Bush Administration was pleased with the Convention's data preservation approach, which requires the storage of specified data -- relevant to a particular criminal investigation and already in a service provider's possession -- for a limited period of time. It views this provision, currently lacking in many national laws, as key to improving the counter-terrorist capabilities of law enforcement officials worldwide.10 As noted above, the Bush Administration submitted the Convention to the Senate for ratification in November 2003, and the Senate ratified it on August 3, 2006. The United States will comply with the Convention based on existing U.S. federal law; no new implementing legislation will be required. Legal analysts say that U.S. negotiators 7 William New, "Privacy agenda in 2002 has international flavor," National Journal Technology Daily, Jan. 23, 2002; "Under Antiterror Law, Government Can Use U.S. Standards to Nab Foreign Hackers," Associated Press, Nov. 21, 2001. 8 "Senate Ratifies Cybercrime Treaty," Washington Internet Daily, Aug. 7, 2006. 9 U.S. Department of Justice, "Frequently Asked Questions About the Council of Europe Convention on Cybercrime" [http://www.usdoj.gov/criminal/cybercrime/coefaqs.html]. 10 The United States draws a distinction between data preservation and data retention. The latter requires service providers to routinely collect and keep all or a large portion of traffic. The United States largely opposes broad data retention regimes, but views preservation as striking a good balance between the needs of law enforcement, business interests, and privacy rights. CRS-5 succeeded in scrapping most objectionable provisions, thereby ensuring that the Convention tracks closely with existing U.S. laws. Proponents assert that many of the Convention's provisions reflect the spirit of some congressional actions related to cybercrime, cyberterrorism and cybersecurity, including the following two laws. ! The USA PATRIOT Act (P.L. 107-56, introduced as H.R. 3162 by Representative James Sensenbrenner in October 2001) authorizes the interception of electronic communications for the collection of evidence related to terrorism, computer fraud, and abuse (Sections 201 and 202). It also clarifies the definition of protected computers and increases fines and prison terms for damage (Section 814). ! The Homeland Security Act (P.L. 107-296 introduced as H.R. 5005 by Representative Richard Armey in June 2002) directs the U.S. Sentencing Commission to reevaluate federal sentencing guidelines for crimes involving computer-related fraud and hacking offenses, especially against http://wikileaks.org/wiki/CRS-RS21208 restricted federal government systems (Section 225, the Cyber Security Enhancement Act of 2002).