An ImperfectCybercrime Treaty

Feb 15, 2002 4 mins

The ambiguous nature of the Internet has historically proved frustrating for companies when it comes to hackers. Since there are no international regulations governing cybercrime, hackers have gotten away with billions of dollars in damage. Now with a new treaty in Europe, governments are finally cooperating to regulate cyberspace. Still, companies looking for straightforward regulations may have to wait a bit longer. Despite the international cooperation, the treaty still raises concerns.

The characteristics that make the Internet so productive for conducting business also make it susceptible to criminal activity. As transactions across borders have become easier, so have crimes. For example, a hacker in the Philippines can access an intranet in France to find competitive information about a business in Brazil. Such competitive proprietary information can be used for illicit purposes including insider stock trading. The hacker might also post the confidential information on the Internet, forcing the Brazilian company to modify an expensive product-marketing campaign. Since there are no international cybercrime treaties currently in place, this hacker cannot be prosecuted by the victimized company.

Last May, the Council of Europe, working with Canada, Japan, South Africa and the United States, approved the 27th draft of the Convention on Cybercrime, the first international treaty on crime in cyberspace. In progress since 1997, the treaty will now be sent to the Council’s Committee of Ministers for ratification, and then it must be accepted by each country individually, a process that will likely take one to two years.

When the treaty is enacted, participating countries will be required to create laws that coincide with the regulations in the treaty regarding issues such as network attacks, digital copyrights, child pornography, computer-related fraud and viruses. The treaty will also allow one country to obtain information such as e-mail logs and hard drive contents from a hacker in another country, possibly leading to the arrest and extradition of the hacker. Police and security officials have been struggling to fight cybercrime, and this treaty is designed to help them by enabling global cooperation.

However, by allowing police access to a hacker’s computer records, the Council of Europe has set off alarms about privacy, free speech and e-commerce. Internet service providers worry about costs incurred by having to essentially start keeping electronic paper trails on anyone who might be under suspicion. Civil liberties groups think the treaty would sacrifice privacy by allowing investigators to track computer information about citizens. Another concern revolves around the extent of cooperation between countries, as some nations have laws prohibiting certain actions that are legal in others. For example, if hate language is illegal in France, should the French police be able to request information about and prosecute the owners of a Nazi website based in the United States?

Other critics contend that law en-forcement officials could interpret the wording of the treaty in a manner that would criminalize some standard techniques that vendors use to test the security of a computer. For example, exploit code, a tool used by security experts to test the integrity of systems, could come into question. Authors of the accord counter that their insertion of the term criminal intent will prevent that problem from occurring.

If nothing else, the treaty has been effective in bringing forth issues about international crime fighting. And with the growth of globalization and the Internet, there is a new set of controversial issues looming just off the horizon. While this treaty has its critics, it’s an improvement over what has come before it. At the moment, the treaty offers businesses the best hope for legal recourse should they become the victim of cybercrime. n