Cybercrime Law - Eat In Or Take Away?

When law enforcement goes exterritorial

The following article was published before 2021. Our editorial team has since adopted a new mission statement and editorial standards.

One thing September 11th has demonstrated is that surveillance systems such as Echelon and Carnivore are not providing European or American intelligence services with anything very useful by way of 'terror'-related information - a fact that makes such systems' incursions on the privacy of ordinary citizens seem even more unwarranted than they were already. So why are EU members about to sign a new ream of legislation granting new powers? And who is behind the creation of a global regime of net laws?

Within ten days of the Great American Catastrophe, the Council of Europe Ministers' Deputies had approved the US-engineered International Convention on Cybercrime. By November 23rd this convention will likely have been signed by 30 interior ministers and law enforcement officials from Europe, South Africa, Canada, the United States and Japan, at their meeting in Budapest. This will advance the surveillance regime over Europe's computer networks still further, requiring signatory states to alter domestic law to grant enforcement authorities - even non-national ones - the power to collect and record net traffic and data from their citizens. This is a provision completely at odds with the EU's own Data Protection Directive and one which will give law enforcement agencies powers of surveillance and investigation that will threaten fundamental human rights, such as the right to privacy and the right to a fair trial, for years to come.

Official justifications for these extensive violations of our rights are thin on the ground. The one thing we learned from S11 is that systems such as Carnivore and Echelon, whose whole raison d'etre was protecting the public against international terrorism, are not doing their job. What is left, then, to justify their aggressive incursions into our personal lives?

But instead of backing off from the pro-surveillance rhetoric, an EU official speaking to Reuters recently was justifying further intrusions on our privacy, arguing that hacking poses potentially mortal risks. 'There was a recent case when someone took control of the computer system at a small U.S. airport and switched off the landing lights,' he said, not-at-all-manipulatively selecting an example close to many people's hearts at the moment. 'This could have killed many people.'

Is it possible that this official was referring to the 1997 case in Worcester, Massachusetts, in which a teen's phreak attack on the local Bell Atlantic telephone system temporarily disabled the phone service in the local area? The attack, infamous at the time, did indeed impact on a local airport, which was served by the affected phone switch. And because the disabled telephone switch prevented its unmanned landing lights from activating, the airport had to be closed.

But note that the whole attack was a local one, possibly independent of the Net and certainly entirely confined to American soil, making it rather bizarre that the official should claim that 'the action at first seemed to have originated from the Middle East,' and that (get this) 'State Department officials were prepared to send warships until it turned out that the hacker was a Californian teenager.' (He was from Massachusetts, actually, but let's not let the facts get in the way of a good story.)

No less bizarre is the fact that, while what most security-minded folks would probably take away from this minor-catastrophe-in-the-making is that it's probably best not to run critical systems over insecure public phone networks, our trusty EU official concludes that the attack simply proves the necessity of further 'international co-operation' in pursuing the Evil Terrorists (or mid-American teens) responsible for such crimes.

You might be forgiven for thinking that such international co-operation would be a good idea, if it stopped the increasingly pugilistic USA from spewing cruise missiles every time some teenager takes out the local loop or throws a denial of service at the FBI's website. But in fact, that notion of international co-operation, at the heart of much EU policymaking of late, is possibly the treaty's most egregious aspect. By allowing the gathering of evidence from abroad, making it possible to extradite and prosecute foreign nationals for certain computer-related crimes (as the US has already attempted to do with Russian national Dmitri Sklyarov over the infamous Adobe eBook / deCSS case), the convention produces an unheard-of level of extraterritoriality, giving a new supranational reach to signatory states.

In certain cases, this will make it possible for an EU national living in his or her own country to be extradited and prosecuted under US law, and vice versa. And, the convention states, the 'mere fact' that a country's legal system does not recognise an act as illegal 'is not a sufficient ground to refuse to apply the procedure requested by the requesting Party.' All you script-kiddies out there better start genning up on international legislation right now.

That all of this is happening for 'the protection of society against cybercrime' is extremely worrying, especially if the only example the authorities are able to trot out is one from 1997, one which indicates nothing more than bad security practice. What, exactly, is cybercrime? Well, as far as the treaty is concerned, it can be summed up as

actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data [...]

- a nicely broad definition. But despite attempts to convince the public that Cybercrime has a direct effect on civic life - by threatening vital infrastructure security provisions and allowing (whisper it) Cyberterrorists to confer in secrecy - it will be obvious to most that the need for exterritoriality in law enforcement is felt most keenly not by members of the general public, but by large corporations wanting to protect their interests and, therefore, the national governments, and governmental organisations like the EU who represent their interests.

As the Council of Europe's own website admits, 'Business is the prime target - but public authorities and even individuals are vulnerable too. A survey of US business firms showed that 85% of those covered had at some time been targeted by hackers...'

Perhaps the Cybercrime convention is simply a means by which international corporations, supported by governments, can protect themselves whilst impinging freely on the civil rights of the individual. If so, the Cybercrime convention is by no means the first step in this process. The Berne convention and TRIPs (Trade-Related Aspects of Intellectual Property Rights) have already initiated attempts to create a unified international intellectual property regime on the global scale, despite the fact that there remains significant disagreement between countries regarding issues such as 'moral rights', 'fair use', protection of data, and (see my recent article for Telepolis, Security in the First World) circumvention of encryption technologies.

And in 1992, early discussions on the Hague convention on Jurisdiction and Foreign Judgments in Civil and Commercial Matters began. This convention aims to extend the reach of national laws concerning patents, trademarks, copyright, trade secrets, unfair competition, libel, slander and other commercial matters. As with the Cybercrime convention, countries which sign up will agree to follow a set of rules regarding jurisdiction for cross-border litigation. A judgment in one country is enforced in all Hague convention member countries, even if the country has no connection to a particular copyright dispute.

The Cybercrime convention has a special place for copyright in its heart, too. It demands that signatory states make infringement of copyright and intellectual property rights a criminal offence 'where such acts are committed willfully, on a commercial scale and by means of a computer system.' The same goes for infringement of intellectual property rights. That, it seems, would mean no more hacking leaky DVD, eBook, audio or video encryption systems - and perhaps (if the US is allowed to apply its Digital Millennium Copyright laws across borders) not even being allowed to talk about holes in such encryption systems publicly. (If you think I'm being paranoid here, think again. Jared Jussim of Sony Pictures, who believes that vigorous international copyright enforcement is needed to keep the movie business healthy, has openly said that he would be 'ecstatic' to see the DMCA extended 'throughout the world.')

Since it is impossible for an individual to have a comprehensive knowledge of international law, it will be very easy to fall foul of one of the many divergent national laws covered by the Hague and Cybercrime conventions. The consequence may be that people will stop (for example) publishing information that is critical of corporations, or indeed of corporations' security, for fear that somewhere it may be legally construed as defamatory, or parodying a corporation for fear that it be seen as passing off. Or it may be that the people who see it as their right to criticise companies and their practices, and to make fair use under their own national law of the intellectual property of others, will be forced underground - as the Cybercrime convention will, almost certainly, force dissenters underground.

In all of this, it is important to keep in sight the guiding hand of the US government. In the case of the Cybercrime treaty, privacy groups and civil liberties organisations have openly expressed consternation about the instrumentality of the United States Department of Justice and the FBI in its creation. The US is not part of the Council of Europe (a 43-nation public body created to promote - ahem - democracy and the rule of law), which makes its role as a primary architect of the convention seem rather bizarre. And many see the Hague convention as little more than U.S. intellectual property law 'going global', extending the rights of large corporate copyright owners (as represented by the august World Intellectual Property Organisation) by allowing them - for the first time - to shop around for a national court favourable to whatever case they wish to bring.

This extension of corporate power even further into the public domain, through the medium of policymakers who are charged with upholding public interest, is nothing short of a disgrace. Furthermore, that these attempts to exterritorialise the Rule of Law - a seismic change by any account - are proceeding with little or no public awareness or discussion seems incredible given the litigious chaos such a shift is likely to cause. Thankfully, it seems people are gradually becoming aware of the dangers posed by such policymaking. For the Cybercrime treaty, it's too late - it has probably been signed by the time you read this. But the Hague convention has already run into too much protest over its copyright provisions and been forced into a rethink. Perhaps with enough public protest at national level, the next round of legislation can be stopped in its tracks.