The Council of Europe released the draft of the treaty, formally called the Convention on Cyber Crime, for public discussion in April 2000. The Council of Europe is made up of 41 European nations and also includes the US, Canada and Japan. Some of its members, including Italy and the Netherlands, automatically adopt Council treaties once they are approved. Others would have to pass their own legislation to conform with the treaty.
The development process for the treaty has been a "complete joke," according to David Banisar, deputy director of the international human rights group Privacy International. Approximately 23 meetings took place before its release and panellists said little public input was allowed during its development, resulting in a document that is heavy on law enforcement considerations and light on privacy and human-rights protections.
"Everything in the law is slanted toward law enforcement," Banisar said.
At the time it released the draft, the Council said in a statement that the document would be the first international treaty "... to address criminal law and procedural aspects of various types of offending behaviour directed against computer systems, networks or data as well as other similar abuses." The treaty's goal would be to "... harmonise national legislation in this field, facilitate investigations and allow efficient levels of cooperation between the authorities of different states," the Council said.
Much of Wednesday's discussion touched on what panellists consider is lacking in the Council of Europe's draft cyber-crime treaty. The treaty proposal touches on basic cyber crimes, investigatory rights and collaboration among countries on investigations, Banisar said. But it is thin on details about protecting privacy and it largely will leave it up to laws of individual nations, he said.
This was the result of a development process that was not that open, said panellist Jim Halpert, an attorney with the law firm of Piper Marbury Rudnick & Wolfe. One of the flawed areas he sees is in how crimes are defined. For example, Halpert said the term "hacking" in the law means "intentionally accessing part of a computer system without right."
This could easily be broadly interpreted by law enforcement and some countries could legally go after computer users for actions currently not defined as crimes, he said. The treaty idea is not bad thing, in general, but the current version needs to be slimmed down and refined, Halpert said.
Another concern is liability of ISPs (Internet Service Providers). The draft treaty asks ISPs to retain records regarding the activities of their members. This flies in the face of privacy and human rights provisions, panellists said. Banisar and Gus Hosein, a researcher from the Department of Information Services at the London School of Economics and an expert on the Council of Europe's cyber-crime efforts, assisted with writing a letter about this and other concerns to the Council of Europe in October 2000. (See: http://www.gilc.org/privacy/coe-letter-1000.html).
The Council of Europe is expected to wrap up its work on the treaty in April.
The draft treaty can be viewed at http://conventions.coe.int/treaty/en/projets/cybercrime.htm/.