Cybercrime Treaty Could Be Used to Go After Cyberespionage

By Emilio Godoy Reprint | | Print | |En español

New technologies make it easier than ever for spy agencies to invade privacy. In the photo, students at the Campus Tecnológico in Guatemala. Credit: Danilo Valladares/IPS

MEXICO CITY, Oct 3 2013 (IPS) - Governments of countries that engage in large-scale electronic espionage, like the United States, and companies that develop spying software could theoretically face legal action for violating the Convention on Cybercrime.

The Convention, adopted in Budapest in 2001 and in force since 2004, is the first international treaty seeking to address Internet and computer crime, and has a provision that aims to protect the right of privacy of data communication from unauthorised interception.

The treaty, also known as the Budapest Convention, requires member states to criminalise four kinds of conduct against confidentiality or the integrity and availability of computer systems or data: illegal access, illegal interception, data and system interference, and misuse of devices for the purpose of committing these offences.

These are precisely the practices engaged in by the U.S., British and other governments, according to documents leaked to the media in June by former U.S. National Security Agency (NSA) contractor Edward Snowden.

Cyber surveillance “violates the Convention, and perpetrators can be sued” under the Cybercrime Convention Committee, Lorena Pichardo, a law school professor at the National Autonomous University of Mexico (UNAM), told IPS.

The Convention was adopted by the Council of Europe, which was set up to promote democracy and protect human rights and the rule of law in Europe. But the treaty has also been signed by non-member states, like Canada, the United States and Japan. The United States ratified it in 2006.

So far, 51 states have signed the Convention and 40 have ratified it.

It is possible to file a complaint with the Cybercrime Convention Committee, but any action taken is based on the national laws that its members must approve in order to live up to the Convention. Complainants can also turn to the European Court of Human Rights.

A complaint “can be successful, but it would be partial, because among the countries that are party to the Convention, there are interests at stake. The law can be bent and accommodated to national legislation,” Enoc Gutiérrez, a professor of information and communications technology (ICT) at the Autonomous University of the State of Mexico, told IPS.

In a 2012 study that analysed Mexican, U.S. and EU laws, Gutiérrez and his colleagues Lucio Ordóñez and Víctor Saucedo argued the need for special legislation and a special court on computer crime.

The problem is that the Convention does not take into account that cybercrimes can include espionage by a state. The general impression is that when a government seeks cross-border access to computer data, it is doing so to investigate crimes and pursue criminals.

Article 32b of the Budapest Convention introduced an exception to the principle of territorial sovereignty:

“A Party may, without the authorisation of another Party [..] access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.”

The Cybercrimes Convention Committee held its ninth full session Jun. 4-5 – one day before the Guardian and the Washington Post published the first leaks by Snowden. In the meeting, the Committee did not debate anything related to cyber espionage.

But in a recent report, the Committee’s ad hoc sub-group on jurisdiction and transborder access to data said that new developments, such as cloud storage of data and the activities of law enforcement authorities, made it necessary to revise the reach of article 32b.

“Current practices regarding direct law enforcement access to data as well as access via Internet service providers and other private sector entities…illustrate that law enforcement authorities of many States access data stored on computers in other States in order to secure electronic evidence. Such practices frequently go beyond the limited possibilities foreseen in Article 32b and the Budapest Convention in general,” the sub-group says.

This poses risks to human rights, they warn.

“Personal data are increasingly stored by private entities, including cloud service providers. Access by law enforcement to, or the disclosure to law enforcement authorities of personal data stored in a foreign jurisdiction by such private sector entities may violate data protection regulations,” they add.

The NSA and other intelligence agencies use software that enables them to intercept private communications around the world.

Mexico, for example, acquired software from U.S. and European companies to monitor telephone calls, email, chats, Internet browsing histories and social networks.

Of the at least 95 corporations that develop and distribute this kind of software worldwide, 32 are in the U.S., 17 are British and the rest come from some two dozen other nations, according to confidential documents from intelligence contractors published by Wikileaks in December 2011.

The list mentions 78 different products, including Trojan viruses, audio transmitters, audio and video recorders, and tracking tools.

“Any technology with such a huge potential for the violation of fundamental rights should be the focus of the highest level of legal protection, especially if it’s in the hands of private corporations that operate according to purely business objectives,” two officials from Spain’s Interior Ministry, Miguel Ángel Castellano and Pedro David Santamaría, wrote in a December 2012 article, “El control del ciberespacio por parte de gobiernos y empresas” (“Control of cyberspace by governments and companies”).

Pichardo, the law professor, said national legislation tends to take precedence in cases that invoke international principles.

“If we already have a charge of espionage, the serious problem of asking for data from other states is redundant,” she said.

Gutiérrez believes the existing international legal frameworks do not protect citizens, and specific laws are necessary. His studies focus on how to move from ICTs to technologies of learning and communication.

“When citizens are active in a social network like Facebook, by the simple act of accepting the terms of the contract they are saying their information can be shared with banks or government institutions,” he said. “They steal information from us and we don’t even realise it.”