European cybercrime treaty draws concern

Council of Europe Draft Treaty

By BRYAN BRUMLEY, Associated Press

LONDON (October 27, 2000 4:58 p.m. EDT http://www.nandotimes.com) - Critics of a proposed international cybercrime pact voiced fears Friday that it might enable governments to "wire tap" information passing along the Internet and hamper companies from testing their own security systems.

"There are serious concerns about rights of privacy and the cost of doing business on the Internet," said Alan Davidson, staff council at the Center for Democracy, a private group specializing in human rights issues in cyberspace.

The treaty, drafted by the representatives of the 41-nation Council of Europe in Strasbourg, France, was debated Thursday in meetings at the White House and among representatives of the Group of Eight industrialized countries in Berlin.

Davidson, who attended the White House meeting, described the discussion there as "heated."

The Draft Convention on Cybercrime covers the destruction of data or hardware, such as the havoc ravaged by the Love Bug virus last May. It also deals with the distribution of child pornography, theft of copyright and intellectual property and other crimes that could be carried out over the Internet.

More broadly, it provides law enforcement authorities with the basis to investigate "any crime for which there is evidence that might be stored on computers."

That would leave it to the governments of member states to define those crimes, said Peter Csonka, an attorney at the council's Strasbourg office who has helped draft the document.

The convention is far from approval and could face further amendment, said Csonka. It must pass through several committees before being considered by the council, and must be ratified by member states being taking effect, a process that likely will stretch over one or two years.

Because of the global nature of the Internet, even those countries that are not members of the council such as the United States, China or other nations in the Americas or Europe, would find their companies entangled in its provisions, said Davidson.

Criticism of the treaty falls into three broad categories:

- The requirement that Internet companies provide real-time data to law enforcement authorities, which could be prohibitively expensive.

- Broad powers that governments might use to collect information about citizens.

- Potential restrictions on companies "hacking" or testing their own security systems.

"We are concerned that some portions of the proposed treaty may inadvertently result in criminalizing techniques and software commonly used to make computer systems resistant to attack," read a letter posted on the Web by a group of 80 Internet specialists, including university professors and researchers from high-powered companies like Sun Microsystems and AT&T.

"The primary concern that I have is the definition of a 'hacking tool,'" said one of the signers, David Mann, of BindView, a computer security firm that develops software to allow companies to test the security of their information systems.

"It all depends on the intent," said Mann, interviewed by phone at his Boston office.

U.S. officials said they were discussing the convention with members of the Council of Europe, but said it was too early to define the American position.

"We are in the process of developing this with other countries and the industry," said Chris Watney, a spokeswoman for the Department of Justice in Washington.

Csonka, the attorney for the council, said that critics "did not read the treaty correctly" and that their fears were the result of misunderstandings.

He added that the most recent draft of the convention, released on Oct. 9, "says clearly that there must be criminal intent" in the use of a hacking tool.

http://www.nandotimes.com/noframes/story/0,2107,500273524-500427045-502673484-0,00.html

-- Martin Thompson (mthom1927@aol.com), October 27, 2000