Privacy Law and Policy Reporter
This paper was first presented at the UNSW CLE Seminar ‘E-security and e-crime’ in Sydney on 19 July 2001. It is reproduced here by kind permission of the author and the UNSW CLE Program.
This article examines the Council of Europe (CoE) Convention from a human rights and civil liberties point of view. It addresses only those parts of the Convention that have been the most controversial internationally since the draft was publicly released in April 2000. It is postulated that the draft Convention fails to address privacy rights and focuses almost completely on law enforcement demands. The article examines concerns over the adequacy of privacy and data protection, surveillance proposals, international co-operation in the absence of dual criminality, and removal of the common law privilege against self-incrimination. Recent Australian developments which have incorporated elements of the Convention in draft legislation currently before the Parliament are also discussed. Finally, proposals that have been put forward for implementation of controversial data surveillance proposals in Australian law are discussed.
Electronic Frontiers Australia Inc (EFA) is a non-profit national organisation representing internet users concerned with online freedoms and rights. EFA was formed in January 1994 and incorporated under South Australian law in May 1994. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties. EFA’s major goals are to protect and promote the civil liberties of users and operators of computer based communications systems, to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech, and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA is a founding member of the Global Internet Liberty Campaign (GILC), an international coalition of online civil liberties groups. GILC has made representations over the last 12 months to the CoE working group which was drafting the Convention, and EFA was a party to these representations.
The Council of Europe consists of 43 member states, including all of the members of the European Union. It was established in 1949 primarily as a forum to uphold and strengthen human rights, and to promote democracy and the rule of law in Europe. Based in Strasbourg in France, its work program includes legal co-operation, social and economic questions, health, education and culture. It provides a forum for both EU and non-EU European nations to agree on harmonising conventions. Some nations from outside Europe have been admitted as observers to the Council, including Canada, Japan and the US.
The CoE has been working since 1989 to address threats posed by hacking and other computer related crimes. In 1995 it published a report concerning the adequacy of criminal procedural laws in this area and followed this up in 1997 by establishing a Committee of Experts on Crime in Cyberspace (PC-CY) to begin drafting a binding convention to facilitate international co-operation in the investigation and prosecution of computer crimes. The US, represented by the Department of Justice, played a key role in the drafting stages, even though the US was only an observer member of the Committee.
The first publicly released draft of the convention was Draft 19, which was made available for public comment in April 2000. Several more drafts have been released since then, culminating in the final draft released on 29 June 2001. The Convention will now be submitted to the Council of Ministers for adoption and will be open for signature late in 2001. It is the intention of the CoE that non-member states will also be invited to sign on.
The Convention is divided into four chapters. The first chapter deals with substantive law issues: illegal access, illegal interception, data interference, system interference, misuse of devices, computer related forgery, computer related fraud, offences related to child pornography and offences related to copyright. The second chapter deals with law enforcement issues, including preservation of stored data, preservation and partial disclosure of traffic data, production order, search and seizure of computer data, real time collection of traffic data and interception of content data. Chapter III contains provisions concerning traditional and computer crime related mutual assistance between states as well as extradition rules. Chapter IV contains the final clauses, which deal with standard provisions in CoE treaties.
When the first public draft was released in April 2000, it attracted a storm of criticism from civil liberties organisations as well as from computer industry organisations.
The treaty is fundamentally imbalanced. It includes very detailed and sweeping powers of computer search and seizure and government surveillance of voice, email and data communications, but no correspondingly detailed standards to protect privacy and limit government use of such powers. This is despite the fact that privacy is the major concern of internet users worldwide.
EFA has been involved in commenting on the Convention since the first publicly released draft. Through the GILC, of which we are members, two letters were submitted to the CoE outlining our concerns with certain provisions. While some changes have been made as a result of these representations, the concerns still stand in respect of the final version.
The manner in which this Convention has been developed is a major concern. Law enforcement interests have dominated the drafting process from the outset, and 19 drafts were completed before it was released for public comment. The CoE has made little effort to address the concerns of other stakeholders in the process.
While some minor accommodations have been made to appease privacy and civil liberties concerns, these have been token in nature. Even after the publication of Draft 19 and subsequent drafts, we have seen little effort on the part of the CoE working group to incorporate the views and concerns of the non-government organisation (NGO) community on the issues of privacy and civil liberties. In addition, the makeup of the working party has remained one sided, with law enforcement at the table but no industry or NGO participation. This is contrary to similar efforts at the OECD and the G-8 where NGOs and industry were asked to participate (albeit in a very limited capacity) and a more balanced outcome has emerged.
Draft 19 left open the matter of adequate balance by leaving the question ‘subject to conditions and safeguards as provided for under national law’ — a most unsatisfactory response.
Following objections from NGOs, art 15 (Conditions and safeguards) was added, but this did little more than put more words around the same phrasing. It failed to adequately address the significant requirements for privacy invasive techniques in the rest of the Convention.
Article 16 (Expedited preservation of stored computer data) and art 17 (Expedited preservation and partial disclosure of traffic data) set out very specific requirements for privacy invasive law enforcement techniques. Each of those sections should have included limitations on the use of the techniques. A vague reference to proportionality will not be adequate to ensure that civil liberties are protected. It is recognised that countries have varying methods for protection of civil liberties, but as a CoE Convention drafted in consultation with other democratic nations, this document missed an important opportunity to ensure that minimum standards consistent with the European Convention on Human Rights and other international human rights instruments were actually implemented. This failure is, in part, a result of the non-transparency of the process. It is also unfortunate that the section does not specifically address the issue of privacy and data protection. The CoE Convention 108 on Data Protection is an important safeguard for protecting citizens’ rights and the implementation of the Cybercrime Convention should be adopted in a manner that is consistent with those requirements. Other related efforts such as the 1997 OECD cryptography guidelines specifically recognise the fundamental right of privacy:
Article 5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods. 
The issue of costs is also a problem. Under art 15.3, countries are not required to pay the costs imposed on third parties for their demands for surveillance. This both significantly lowers the barriers to law enforcement surveillance by removing any limits on how much surveillance can be afforded and is grossly unfair to the providers. Industry commentators have consistently asked for the inclusion of a reimbursement requirement, and those requests have been supported by the privacy community. Requiring that law enforcement pay for their surveillance provides an important level of accountability and acts as a constraint against overzealous use of law enforcement powers.
In the last few years, after considerable international debate over surveillance, privacy and electronic commerce, the use of encryption has been liberalised, except in a few authoritarian countries such as China and Russia. Clause 4 of art 19 (Search and seizure of stored computer data) is a step backwards, as it seems to require that countries adopt laws that can force users to provide their encryption keys and the plaintext of the encrypted files. So far only a few countries, such as Singapore, Malaysia, India and the UK, have implemented such provisions in their laws. In those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police. It should be noted that the UK Government faced significant opposition over its initiative. Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide.
Article 20 (Real time collection of traffic data) and art 21 (Interception of content data) mandate that the parties have domestic laws requiring service providers to co-operate in both the collection of traffic data and the content of communications. Without sufficient privacy and due process protections, these provisions threaten human rights.
Allowing law enforcement direct access to a service provider’s network to conduct surveillance, for example the US Carnivore program, provides police with the ability to conduct broad sweeps of network communications with nothing but their unsupervised assurance that they will only collect that data which they are lawfully entitled to collect. It invites abuse of the most invasive investigative powers. It also represents a threat to the integrity of providers’ networks.
Curiously, the Convention involves itself in two issues, content and copyright, which appear out of step with the rest of the document. The content provisions (art 9, Offences related to child pornography) deal with an offence that is undoubtedly abhorrent. However, distribution and possession of child pornography are already offences in most countries. It is not clear why this article was included in the Convention. The definitions used in relation to child pornography are also overbroad, since they criminalise the possession of images whose production does not involve real children.
Although sensibly omitted from the final draft, earlier versions included reference to an optional protocol concerning hate speech, a matter about which there are significant cultural differences. Such a protocol would inevitably threaten recognised free expression rights in many nations. This illustrates the problem with attempts to criminalise content when there is no universal agreement about criminality.
Article 10 (Offences related to infringement of copyright and related rights) also appears to be out of place here. Intellectual property protection is a complicated issue that touches upon both free expression and privacy issues and in which the law is still developing. Furthermore, there are other international fora in which such matters are more appropriately addressed.
The draft treaty fails to consistently require dual criminality as a condition for mutual assistance between countries. No nation should ask another to interfere with the privacy of its citizens or to impose onerous requirements on its service providers to investigate acts which are not a crime in the requested nation. Governments should not investigate a citizen who is acting lawfully, regardless of whatever mutual assistance conventions are in place.
Article 34 (Mutual assistance regarding the interception of content data) allows interception to the extent permitted by other treaties and domestic law. An acceptable condition would have been that requests for interception can only take place if it is permitted under the relevant criminal law as an offence that merits interception in both countries. Requests should also have a specified level of authorisation, that is, where warrants are only acted upon if they are received from a judicial authority in the requested country.
It would be far more acceptable and sensible if the convention dealt only with harmonising laws for core offences for hacking, viruses and other attacks on computer networks, plus international co-operation in investigating those crimes, without the controversial and fundamentally imbalanced provisions on search and seizure, data access and wiretapping. Specific privacy protections need to be included to offset the one sided emphasis on increased surveillance powers for law enforcement.
The Convention should focus on those offences unique to computer networks, and not address forgery, copyright and other offences that are already the subject of laws equally applicable online and off-line; nor should it include content offences.
The Cybercrime Bill 2001 was tabled in the House of Representatives on 27 June 2001 by the Attorney General. It was subsequently referred to a Senate Committee Inquiry, to which public submissions were invited.
The offence provisions in the Bill implement the Model Criminal Code s 4.2 (Computer offences), which was made public in January 2001. The Model Criminal Code Officers Committee (MCOCC), which is developing the Code, relied heavily on recent drafts of the CoE Convention in drafting s 4.2. The offences covered in the Code are as follows:
These offences are implemented in the Cybercrime Bill 2001 Div 477.1 to 478.4 as additions to the Criminal Code Act 1995 (Cth).
At the time of writing, EFA was still considering its response to the Cybercrime Bill. EFA’s concerns about the substantive offences are likely to centre around issues of overcriminalisation and the risk of criminalising innocent behaviour. The Bill as a whole is seen as premature, and an inappropriate response to problems that are seen by many in the industry as resulting from poor security in software design or implementation.
There are, however, substantial concerns about the law enforcement provisions in the Bill. While the Model Criminal Code makes no provision for enforcement, the Bill (in Sch 2) implements controversial changes to the Crimes Act s 3LA and the Customs Act 1901 (Cth) s 201A, which require persons with knowledge of a computer system to provide assistance in decryption or recovery of data and other measures to facilitate search of computer systems for evidence of crime. This potentially overrides the common law privilege against self-incrimination.
The Parliamentary Joint Committee on the National Crime Authority is currently conducting an Inquiry into the Law Enforcement Implications of New Technology and is due to report in August 2001 (the committee reported on August 27 —Ed). It remains to be seen what the Committee may recommend, or indeed whether the Committee’s recommendations will ever find their way into legislation, but there will be major concerns amongst the internet community and the internet industry if the demands of law enforcement agencies are given serious consideration. These demands closely resemble the more contentious aspects of the CoE Convention’s law enforcement provisions.
Proposals have been put to the Committee for mandatory retention of transaction log records by internet service providers (ISPs). Such a proposal, if adopted by the Committee, raises concerns that it may become lawful for public authorities to obtain a vast wealth of communications data without a ministerial or judicial warrant. Any proposal for ISP logging or monitoring would be tantamount to the sanctioning of mass surveillance. Such a measure, combined with the use of sophisticated analytical techniques such as data mining, triangulation of data, ‘friendship trees’ and ‘interest profiling’, would be another step towards a totalitarian society.
No compelling case has been made to justify mandatory recordkeeping by ISPs. Instead, submissions made to the Committee have relied on anecdotes, with no supporting data or statistics on the prospects for improvement in crime clear up rates, the nature of any crimes likely to be detected, the additional evidence expected to be obtained or the increased probability of successful prosecutions.
The potential for infringement of the Privacy Act 1988 (Cth) (as amended in 2000) must also be considered, in particular the National Privacy Principle (NPP) 1 (collection), which includes the following principles:
1.2 An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way ...
1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.
It is acknowledged that the Privacy Act seeks to balance the right to privacy with other public interests such as law enforcement objectives. In particular, NPP 2.1(h) allows personal information to be disclosed in defined circumstances for the secondary purpose of law enforcement.
However, it is contended that a proposal for compulsory logging of communications traffic does not give rise to a secondary purpose within the meaning of the Act. Rather, the primary purpose of such recordkeeping is the acquisition of mass surveillance data without consent, in case the data is required at some future time to incriminate a particular user. The law enforcement provisions of the Act are clearly intended to allow law enforcement agencies to access specific records collected by an organisation for some other legitimate purpose.
Furthermore, it is questionable whether the disclosure of information from communications logs for data matching purposes is a permitted purpose under the Act if it involves disclosure of information about large numbers of individuals who are of no interest to the relevant agency.
EFA contends that any system which monitors the communications of internet users, without their consent and without a judicial warrant, would be contrary to the Government’s intent in expanding the coverage of the Privacy Act.
It was recently revealed before a Senate Estimates Committee that almost one million disclosures of information or documents by carriers, or carriage service providers, under the provisions of Pt 13 of the Telecommunications Act 1997 (Cth), had been made in 1999/00. This was a substantial increase over the figures for previous years. The level of disclosure, and the rate of increase, is illustrative of the manner in which surveillance is overused once the facility is put in place.
Logging and monitoring of internet communications is more invasive than telephone records because the information can be used not only to determine the parties to a communication but may also be used to draw up interest profiles of users. This is clearly an infringement of an individual’s right to privacy in terms of basic human rights.
Unlike telephone call records, most ISP logs, apart from those used to determine customer log-in durations and traffic volumes, are not intrinsic to the operation of the business. Email and web proxy logs are an ephemeral byproduct of server operations, useful in the short term to diagnose technical problems, but otherwise routinely discarded. It is necessary to embark on a data mining and data matching exercise in order to turn the raw log data into information about user behaviour. This factor is mentioned because it increases the risk that ISPs may hand over complete logs of all user transactions to law enforcement authorities rather than undertake the costly exercise of extracting and matching information about a particular individual of interest.
Measures to bring serious criminals to justice deserve widespread support. However, a balanced approach must be used in the sensitive area of communications interception such that law enforcement agencies recognise the necessity of protecting fundamental human rights.
Vigilance is needed to ensure that any proposals put forward in Australia as an outcome of current or future policy development processes take a balanced approach, not only in respect of the creation of new offences, but more particularly in relation to proposals for increased surveillance of all citizens.
Greg Taylor, Electronic Frontiers Australia <www.efa.org.au>.
The author acknowledges contributions to the discussion presented here by members of the GILC, in particular David Banisar (Privacy International), Barry Steinhardt (ACLU), Mark Rotenberg (Electronic Privacy Information Center) and Jim Dempsey (Center for Democracy and Technology).
 For information about the Council of Europe, see the CoE internet portal at <www.coe.int>.
 See European Committee on Crime Problems (CDPC) Draft Convention on Cybercrime Final activity report 29 June 2001 at <conventions.coe.int/Treaty/EN/projects/FinalCybercrime.htm>.
 Council of Europe Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data ETS No 108 at <conventions.coe.int/Treaty/en/Treaties/Html/108.htm>.
 OECD Cryptography Policy Guidelines (1997) at <www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm>.
 See for example, the British Chambers of Commerce The Economic Impact of the Regulation of Investigatory Powers Bill June 2000 at <www.britishchambers.org.uk/newsandpolicy/ict/ripbillsummary.htm>.
 Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Cybercrime Bill 2001 at <www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm>.
 Officers Committee of the Standing Committee of Attorneys-General Model Criminal Code. Chapter 4: ‘Damage and computer offences — report’ January 2001 at <www.law.gov.au/publications/Model_Criminal_Code/DamageReport.pdf>.
 As above.
 Joint Committee on the National Crime Authority Inquiry into The Law Enforcement Implications of New Technology at <www.aph.gov.au/senate/committee/nca_ctte/index.htm>.
 See National Privacy Principles at <www.privacy.gov.au/publications/npps01.html>.
 ‘Anger at plundered phone records’ The Age 4 February 2001 at <www.theage.com.au/news/2001/02/04/FFX73146QIC.html>.