Global cyber-crime treaty gets Senate nod

The first and only international treaty designed exclusively to combat computer crime won approval late on Thursday from the US Senate.

The Council of Europe Convention on Cybercrime "will enhance our ability to co-operate with foreign governments in fighting terrorism, computer hacking, money laundering and child pornography, among other crimes," senator Richard Lugar, the Indiana Republican who is chairman of the Senate Foreign Relations Committee, said in a statement.

The treaty is intended to harmonise computer crime laws, especially those in smaller or less developed nations that may not have updated their legal framework to reflect the complexities of the internet. It requires participating countries to target a broad swath of activities, including unauthorised intrusions into networks, fraud, the release of worms and viruses, child pornography and copyright infringement.

US attorney general Alberto Gonzales said in a statement on Friday: "This treaty provides important tools in the battles against terrorism, attacks on computer networks and the sexual exploitation of children over the internet, by strengthening US co-operation with foreign countries in obtaining electronic evidence."

Because US law already includes much of what the treaty requires, the Senate's consent is in part symbolic.

But one portion, which provoked the most controversy, deals with international co-operation. It says internet providers must co-operate with electronic searches and seizures without reimbursement; the FBI must conduct electronic surveillance "in real time" on behalf of another government; that US businesses can be slapped with "expedited preservation" orders preventing them from routinely deleting logs or other data.

What's controversial about those requirements is that they don't require "dual criminality" - in other words, Russian security services investigating democracy activists could ask for the FBI's help in uncovering the contents of their Yahoo! Mail or Hotmail accounts, or even conducting live wiretaps.

Danny O'Brien, activism co-ordinator with the Electronic Frontier Foundation in San Francisco, said: "Our primary concern is that there's no dual criminality within the mutual assistance provisions. The US is now obliged to investigate and monitor French internet crimes, say, and France is obliged to obey America's requests to spy on its citizens, for instance - even if those citizens are under no suspicion for crimes on the statute books of their own country."

The Council of Europe consists of 45 member states, including all of the European Union, and five non-voting members, of which the US is one. Negotiations on the treaty began in 1997, and so far, 15 European nations, including Albania, Denmark, France, Norway and Ukraine, have fully ratified the final document.

The Bush administration began pressuring Congress to do the same in 2003. The Senate Foreign Relations Committee approved the treaty last summer.

Long-time technology industry advocates of the treaty hailed the Senate's action, which occurred on its final day in session before a month-long summer recess. The Business Software Alliance, a lobbying group whose members include Apple, Cisco Systems, IBM, Intel and Microsoft, said the treaty "will serve as an important tool in the global fight against cyber criminals and encourage greater co-operation among nations".

The software industry, which has been lobbying for years for action on the treaty, has found it contains much to cheer about, including a requirement that nations enact criminal penalties for copyright infringers.

The ratification marks "an important milestone in the fight against international cyber crime," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, which counts Juniper Networks, McAfee, RSA Security and Symantec among its member companies.

The Senate did not consider an optional separate section dealing with internet-based hate speech that would have required participating nations to imprison anyone guilty of "insulting publicly, through a computer system" certain groups of people based on characteristics such as race or ethnic origin.

The US Department of Justice had said that such a provision - which would make it a crime to, say, email racist jokes or question conventional wisdom about the Holocaust - was inconsistent with the First Amendment's free-expression guarantees.

Attorney general Gonzales said on Friday: "The convention is in full accord with all US constitutional protections, such as free speech and other civil liberties, and will require no change to US laws."

Civil liberties groups have begged to differ, mounting resistance against the international document ever since its inception.

In a letter to senators last summer, the Electronic Privacy Information Center (Epic) attacked the treaty for offering only "vague and weak" privacy protections. One section, for example, would force participating nations to have laws forcing individuals to disclose their decryption keys so that law enforcement could seize data for investigations, Epic wrote.

Declan McCullagh writes for CNET News.com