Cybercrime Convention imperils Americans, says privacy group

The Cybercrime Convention is the first international treaty on criminal offences committed against or with the help of computer networks.

In particular, the Convention deals with offences related to infringements of copyright, computer-related fraud, child pornography and offences connected with network security. It also covers a series of procedural powers such as searches of and interception of material on computer networks.

The Convention includes powers to preserve data, to search and seize, to collect traffic data and to intercept communications. These powers faced serious criticism from privacy activists during the drafting process.

The Convention has so far been signed by 30 of the 42 Member States of the Council of Europe, including the UK, France, Germany and Norway. Four non-member states – Canada, Japan, South Africa and the US – have also signed the treaty.

However, for the Convention to have the force of law it must not only be signed, but also ratified, i.e. given effect to in the laws of a participating country, by five of those states - three of which must be members of the Council of Europe.

So far only three Member States, Albania, Croatia and Estonia, have taken this step. France indicated in June this year that it was likely to ratify the treaty, and if the US follows suit then the Convention will come into force.

In a letter to the Senate earlier this week, President Bush urged, "that the Senate give early and favourable consideration to the Cybercrime Convention, and that it give its advice and consent to ratification".

But ratification, warned Privacy International, would create unprecedented dangers for privacy and security in the US, as it would allow all Member States "'on demand' access to the personal information and communications records of any American they may wish to investigate."

This information would include full e-mail logs, phone records and mobile phone location data, together with account and financial records – all of which could be 'cherry picked' by investigation authorities in countries such as Estonia, Serbia and Croatia.

According to Privacy International, the low standard of evidence or authentication demanded for these transfers of personal information creates exceptional dangers to ethnic and minority groups in the US.

The conditions for sharing this information are such that the transfer does not have to involve dual-criminality. In fact the Convention dissuades governments from allowing for dual criminality before data is required to be shared. There are grounds for refusal, but they are limited. This means that an East European investigation authority can demand information on an American even where the suspected activity is not a crime in the US.

Only very basic information as to the reason for the request need be given to US officials, said Privacy International.

The group's Director, Simon Davies, warned, "The President's efforts will put lives and liberty at risk. The Treaty imperils the constitutional and judicial protections that Americans enjoy. Ratification will compromise every safeguard in US law".

"The Treaty is ill considered, regressive and unnecessary and should be rejected by the Senate," he added.