Playing By Europe's Rules

Information technology managers fear that the Council of Europe's final draft of a controversial cybercrime treaty, which was approved by the council's European Committee on Crime Problems last month, will affect their businesses from both a liability and a security perspective.

But before getting all worked up over liability issues, American IT leaders need to remember that European nation-states are behind the U.S. in terms of cyberlegislation and law enforcement, explains Martha Stansell-Gamm, chief of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice (DOJ). Stansell-Gamm was the DOJ's representative in the drafting of the treaty. The U.S. participated because it has observer status within the Council of Europe.

"We already have many treaties—bilateral and multilateral—on law enforcement matters like extradition, mutual assistance, money laundering and corruption," she says. "An awful lot of what's going into this treaty is not new; this just combines technology and criminal law and international law."

Just as in other international law enforcement pacts, the primary objective of the treaty is to break the bottlenecks in international cyberinvestigations, says Stansell-Gamm.

For example, if the Philippines had the laws in place to become a signatory to the treaty, the creators of the "I Love You" virus may have been brought to trial there. But at the time, the Philippines had no laws addressing computer crime, and the U.S. had no treaty agreement with Philippine authorities to continue the investigation, so the virus writers were never charged.

"We want to avoid the situation where U.S. networks are being pounded from overseas and we can't do anything about it," Stansell-Gamm says.

Until now, domestic law enforcement agencies have been in a quandary over international cyberinvestigations. They've tried everything from training foreign authorities to luring a cracker from Russia to the U.S. and then tracing his cybertracks back to his server lair and downloading the contents of that server.

Yet despite the hope that the treaty will improve the ability of U.S. corporations to press criminal charges against foreign attackers, the American business community is concerned about a number of substantive laws that treaty participants must enact if they want to be signatories. In particular, U.S. firms are concerned about the following potential problems:

  • Increased corporate liability.

  • Granting too many investigative powers, to the detriment of corporate privacy.

  • Making the distribution and sale of hacking tools illegal.

Among these concerns, the one voiced loudest by corporate managers is the potential impact for businesses that use hacking tools to test the stealth of their networks. "Ping could be a hacking tool. TraceRoute [a tool used for IP tracking] could be a hacking tool. How do you define a hacking tool?" asks Frank Clark, network operations manager at Thaumaturgix Inc., a hosting and IT services firm in New York. "The people making these laws don't know what a hacking tool is. And to outlaw the wrong tools could make it impossible for me to do my job testing my network."

Mark Rasch, vice president of cyberlaw at Predictive Systems Inc., a tech consultancy in New York, says such restrictions could also violate First Amendment rights to free speech.

This particular concern isn't being driven by the language in the treaty document itself, but by a preamble press release published when the draft first went online in April 2000. The release stated, "The draft provides for the co-ordinated criminalisation of computer hacking and hacking devices," without going into further detail.

"The real problem we have is the document doesn't address intent," says Lisa Norton, an attorney for Internet Security Systems Inc. (ISS) in Atlanta. Norton lobbied against the outlawing of hacking tools because such laws could put tools vendors such as ISS out of business.

Fortunately, both the April and December 2000 treaty drafts clearly state that hacking tools are illegal only if used "for the purpose of committing offences established in Articles 2-5" (see list below). The December treaty draft includes additional provisions allowing legitimate use of hacking tools.

Other IT professionals who have carefully read the document say they feel that the treaty clearly addresses the issue of intent and the legitimate use of hacking tools. "I spent 15 years as an attorney, and I do know ambiguous language. This [treaty draft] is something we're comfortable with," says Mitch Demblin, program director for the cyberattack team at Exodus Communications Inc. in Santa Clara, Calif.


The European Cybercrime Treaty

The 29-page Draft Convention on Cyber-crime is an international law enforcement treaty draft spearheaded by the Council of Europe that attempts to define cybercrime and attach substantive criminal penalties. As a potential signatory to the treaty, the U.S. has participated in its drafting through the Commerce and Justice departments. U.S. corporate interests have been represented in treaty development through meetings with the U.S. contingent over the past year.

Facts About the Treaty

  • As of May, there were 25 versions of the draft.

  • European legislative work in the area of cybercrime actually began back in the mid-'80s.

  • The treaty should be ready to ratify by the end of this year.

  • The U.S., along with eight other nations, including Japan, Canada and South Africa, has been invited to be a signatory to the treaty once it's ratified.

  • To be a signatory, a country must first apply its own "substantive" (i.e., criminal) laws.

Articles would regulate:

1. Illegal access
2. Illegal interception of electronic communications
3. Data interference
4. System interference
5. Misuse of devices
6. Computer-related forgery
7. Computer-related fraud
8. Child pornography
9. Copyright
10. Aiding or abetting
11. Corporate liability

The rest of the document covers procedural, investigative and mutual assistance, jurisdiction, extradition and information-sharing issues.

  • This is the first time the Council of Europe has opened legislative development to public scrutiny by posting it on the Web.

  • On June 22, the cybercrime treaty was adopted by the standing committee that drafted it. It's now being conveyed to the 43 member nation-states of the Council of Europe, which will decide on ratification by the end of the year.

Article 6 — Misuse of Devices

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

    a. the production, sale, procurement for use, import, distribution or otherwise making available of:

      1. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 – 5;

      2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offences established in Articles 2-5; and

    b. the possession of an item referred to in paragraphs (a)(1) or (2) along with intent that it be used for the purpose of committing any of the offences established in Articles 2-5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2. This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this Article is not for the purpose of committing an offence established in accordance with articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3. Each Party may reserve the right not to apply paragraph 1 of this Article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 (a) (2).

Special Report

Security Risk and Reward


Copyright © 2001 IDG Communications, Inc.
