[Infowarrior] - Cybercrime Treaty: What it Means to You

Tue Mar 6 23:07:16 EST 2007

Cybercrime Treaty: What it Means to You
March 6, 2007
By Larry Downes

http://www.cioinsight.com/print_article2/0,1217,a=202430,00.asp

Cybercrime is getting cheaper all the time, as shady characters sell tools
to help criminals spam, phish, hack and crash. And a new treaty ratified by
the U.S. Senate could wind up passing the costs of combating cybercrime
directly to American businesses.

>From an economic standpoint, when the cost of crime goes down, frequency
goes up. How does the legal system fight back? One way is to increase
enforcement and catch more people. But when it comes to cybercrime, no one
really expects law enforcement to keep up technologically with
criminals‹it's an arms race the criminals keep winning. An alternative is to
raise the penalties, in hopes of deterring criminals who weigh the benefits
of committing their crimes against the risk of getting caught.

In that vein, in August the Senate ratified the Convention on Cybercrime,
drafted by the Council of Europe with considerable input from the United
States. So far, 43 nations have signed on. The Convention includes many
sensible provisions aimed at unifying global computer-crime laws, and closes
loopholes that make it possible for criminals to escape prosecution by
locating their activities offshore.

But civil libertarians, along with leading telecommunications companies,
strongly oppose the treaty. Civil libertarians are especially concerned
about the sweeping authority given to participating countries to seize
information from private parties as they investigate cybercrimes, even when
the activity being investigated isn't a crime in the country where the data
is located. If France is investigating a sale of Nazi memorabilia on eBay,
the U.S. must cooperate, even though such transactions are not illegal in
the U.S.

Telecommunications companies object to provisions that require member
countries to establish and enforce potent data-retention policies for
network traffic, and require any operator of a computer network to respond
to requests for information from any participating country without
compensation of any kind.

These are potentially serious problems, especially given that the Convention
is open to any country that wants to join. But there are more practical
reasons U.S. businesses should be concerned. The provisions for data
retention and production apply to any operator of a computer network, not
just telecoms. Worse, Article 12 attaches liability to businesses for "lack
of supervision or control" of employees who commit criminal offenses covered
by the Convention. Businesses must worry about employee activities that may
be legal here, but illegal elsewhere, risking administrative, civil, or even
criminal penalties.

These investigative and supervision costs will invariably be imposed on
businesses without any real controls. Worldwide law-enforcement agencies, in
other words, may now avail themselves of the opportunity to outsource their
most expensive problems to you.

The Convention may improve the cybercrime-and-punishment equation in favor
of deterrence. But it's also added some new variables and possibly
irrational numbers. Of the economic, not mathematical, kind.
Copyright (c) 2007 Ziff Davis Media Inc. All Rights Reserved. 