Industry group still concerned by draft Cybercrime Convention

WITSA, whose members include the Computing Services & Software Association (CSSA) in the UK and the Information Technology Association of America (ITAA) in the US, supported the objectives of improving international law enforcement among the 41 member states of the Council and other non-member countries that could decide to sign the Cybercrime Convention. The US Department of Justice has indicated on its web site that the US will consider joining the Convention when it has seen the final version proposed by the Council of Europe.

In its statement to the Council, WITSA expressed concerns with a number of provisions in the new draft version of the Convention. The group says that, in its present form, the Convention could impose burdensome data preservation requirements on ISPs, make ISPs liable for third party actions and restrict legitimate activities on the internet. It described many of the changes to previous drafts as being “largely cosmetic” and falling short of addressing the concerns of the IT industry. WITSA’s Public Policy Chairman, David Olive, said, “often the most effective way to counter cyber crime is through technical innovation, not burdensome legislation.”

WITSA is concerned with provisions in the draft Convention that would mean ISPs being required to “preserve and maintain the integrity” of traffic data for internet transmissions. However, the treaty clarifies that this is not a blanket requirement. The relevant authorities in member states are only required to order ISPs to take such measures in connection with “a specific criminal matter.” WITSA says that the requirement is burdensome and intrusive for ISPs and raises privacy concerns.

WITSA also attacks provisions in the Convention that would create a crime of aiding and abetting the commission of certain acts, such as on-line forgery and child pornography. It is concerned that, because these crimes are committed via ISPs’ systems, ISPs could inadvertently find themselves guilty of having aided and abetted the crime. However, the notes to the Article in question state that it “contemplates liability for aiding and abetting where the person who commits [such a crime] is aided by another person who shares the mental state required for the commission of the crime. Individuals or legal persons (including service providers) that do not share the objective of committing the crime cannot incur liability through unknowing incidental assistance provided to a criminal actor.”

The notes go on to explain that an ISP could incur liability if it intentionally fails to remove criminal material from a site after having been duly notified. WITSA’s concern appears to be an ISP being found liable after receiving “a vague notice from a content provider that somewhere in the ISP’s service” some infringing material exists.

WITSA’s final criticism is targeted at an anti-hacking provision of the Convention that prohibits intentional access to a computer system “without right.” WITSA questions whether this would prohibit the use of cookies or third party testing and evaluation of software, security systems, reverse engineering or search engine bots. The article states that a member state “may require that the offence be committed either by infringing security measures or with the intent of obtaining computer data or other dishonest intent.”

The notes to the article state that it is “not intended to criminalise regular and common activities inherent in the design of the network” such as accessing a web page “that has been configured for public access.”

WITSA concludes that it is committed “to reaching a consensus on carefully tailored measures that will both support effective international law enforcement and foster continued growth and innovation in the information sector.”

Another body representing industry, the Global Internet Project, criticised a previous version of the draft Convention. It has not made public its comments on the latest draft.