Making up the rules: Interception versus privacy

3. EAVESDROPPERS INTERNATIONAL

Cross-border operational cooperation

Controlling the Internet is, by its very nature, an international affair. The Internet is not restricted by national boundaries, whereas governmental legislative authority is still largely subject to national boundaries. In order to actually monitor and trace on a global level, legal authorities must be in tune with each other. Efficient international cooperation, preferably without too many complicated bureaucratic procedures is also essential. The harmonisation of rules regarding the penalisation of Internet criminals, the regulation of tracking powers and cross-border cooperation are regular topics at international meetings.

Some of the practical negotiations in the international arena on how to bring the Internet under control are held within the context of an European action plan drawn up in 1997 aimed to combat high-tech crime. The Multidisciplinary Group on Organised Crime (MDG), an official working group for the European Council for Justice and Home Affairs (JHA Council) is supervising the implementation of the action plan. Participants in MDG meetings, which discuss combating high tech criminality, include the United States government and the Council of Europe.[1] Both Europol and the Working Group on Police Cooperation have in the course of implementing the action plan, organised meetings on the interception of the Internet.[2]
Judging from documents from the Multidisciplinary Group on Organised Crime, it seems that top officials are primarily seeking ways in which the participating countries can cooperate with each other outside formal judicial routes. The MDG sees formal legal cooperation as it is stipulated in legal treaties as bureaucratic and time-consuming, and expresses a preference for “informal practical arrangements”. In this spirit, the MDG is of the opinion that it should be possible to arrange for the confiscation of evidence in another country (data transmissions for example), via a simple telephone call. Formal requests for legal assistance, which in the eyes of the MDG require bureaucratic, niggling and time-consuming details such as descriptions of the crime, the articles of the law by which it is punishable and the grounds upon which the suspicions are based, can, if necessary, be arranged later on.[3]
The European Commission intends to bring out an action plan against cybercrime in the summer of 2000. The Commissioner for Justice and Home Affairs Antònio Vitorino declared that “computer crime must be fought with all our powers”. He called for a “worldwide treaty to restore law and order to the Internet”. Vitorino claimed to consider privacy very important and promised a series of measures that would increase the protection of privacy as well as the investigation of cybercrime. How he planned to combine such contrasting problems he wisely didn’t say.[4]

European activities against high tech criminality are closely attuned to the activities of the G8, the club of rich, industrialised countries and the Council of Europe in which 45 European countries are represented. In 1997, a special meeting of the Ministers of Justice of the G8 countries was held to discuss high-tech crime. The tone set there was tough and the G8 formulated a number of starting points intended as guidelines for international legislation.
“Legal systems should allow the collection of and quick access to electronic data, seeing that the success of a criminal investigation often depends upon these factors” is one of the first arguments. Information and telecommunications systems must be designed in such a manner as to facilitate the tracing of criminals and gathering of evidence”, announced another starting point.
The ten-point plan of action more or less orders officials to look for “feasible solutions” for “using computers to search for data when it is not known where the data is kept”. “Speeded up procedures must also be developed in order to “obtain data traffic from all communications carriers in a communication chain”. And the means must be devised to “speed up the international transferral of this data”.[5]

During a G8 meeting in Birmingham in May 1988, the G8 leaders were shown a video presentation on high-tech crime. The British Prime Minister Tony Blair had placed the fight against organised crime high up on the political agenda. The video presentation showed how international criminals made increasing use of international e-mail and computer connections to conduct their activities, and the means by which the police and law enforcement strike back.
The G8 countries agreed to include appropriate punishments against cyber-criminals in their national legislation, to use better techniques against hackers and to prevent computer criminals from committing the “perfect crime” by destroying the electronic evidence. After the meeting, the English Home Secretary Jack Straw said that one of the problems that governments had to address was that someone could commit crimes in a number of different countries without having to move out of his armchair. “Computer expertise is also vital in combating old-fashioned crimes such as drug dealing, armed robberies and trafficking in people. At a certain moment, the criminals have to move the proceeds of crime and launder the money. And it’s at this point that old-fashioned crime turns into 21st century crime. The challenge is from moving one step behind these criminals to being one step ahead.”[6]
One of the concrete measures taken by the G8 is the installation of a contact network, through which requested computer data or transmissions data can be delivered within 24 to 48 hours. Scott Charney, president of the G8 working group High-Tech Crime, declared in an interview that the G8 countries wanted to play a pioneering role. Some of the topics discussed by the working group included the problem of anonymous Internet users, the possibilities of keeping customers’ transmissions data for a certain length of time and the harmonisation of legislation. According to Charney, the results booked by G8 are passed on to other bodies such as the Council of Europe where they are subsequently translated into binding agreements there. The G8 working groups always meet prior to the meetings of the working group of the Council of Europe, which is preparing a treaty on cybercrime (see below). The results of the G8 meetings are introduced to the Council of Europe meetings by those present at both meetings.
Charney also pointed out the importance of cooperation with the business world. “It is possible to set technical standards that will support public security. Countries must not only send their technicians and scientists to standardisation bodies, but also their experts in the fields of criminal justice. If penalisation in the 21st century takes place in the arena of the global market, we will need to be plugged into the market players that can influence the results of criminal investigations.”[7]

In October 1999, this theme was once more on the agenda at the G8 meeting in Moscow. The ministers reached an agreement on a proposition by the G8 working group on high tech criminality that would authorise law enforcement authorities to search computers located in another country. The importance of working together with the business community was again emphasised. There were, however differences of opinion between the G8 countries on the subject of encryption. The United Kingdom wanted to devote a separate section on encryption in the final
declaration, but this proposal was opposed by Germany. A compromise was reached by agreeing that encryption would be discussed again by the G8 when the results of research being conducted by the G8 was available.[8]
The international police organisation Interpol has also recently discovered the dangers of cyber space. During the general assembly in Seoul in November 1998, the head of Interpol called for a collective effort in the struggle against cybercrime. “We should not make the Internet a Wild West”, said Toshinori Kanemoto, president of Interpol. He also considered collaboration with the Internet Industry to be of crucial importance. Raymond Kendall, the general secretary of Interpol warned that cyberspace was becoming a breeding ground for crime. “Every terrorist organisation has its own Internet website” he told his audience of 900 police officers from 129 countries. According to Kendall, these websites were used for propaganda, recruiting, the purchase of weapons and even for selling children for sexual purposes.[9]

Cybercrime
The Council of Europe has been occupied with crime and the new technologies since the end of the 1980s. In 1995, the Council of Europe adopted a recommendation on combating cybercrime.[10] The resolution calls for the examination and securing of data from computer systems and networks to be made possible. Anyone with keys to encrypted material would be obliged to hand them over to the investigation services. This obligation would not apply to the suspects themselves.
The Council of Europe has also turned its attention to problems with interception. Technical observation has to be expanded from traditional telecommunication to new means of communication. Telecom providers must help the police and law enforcement to make interception possible in all ways. They must also help in identifying users. Besides this, the Council of Europe is also calling for improved international cooperation.[11]
In 1997, the Council of Europe established the “Committee of Experts on crime in cyberspace” (PC-CY). The “terms of reference” points out the problems presented by the international Internet and the traditional and nationally-orientated police and law enforcement systems. “Given the cross-border nature of information networks, a concerted international effort is needed to deal with these issues”. The committee’s task is to conduct research into cyber criminality, decide which legislation has to be harmonised and to research the interception of telecommunications and the electronic surveillance of information networks. The committee also examines the possibilities of searching Internet sites and confiscating material, the obligations that can be imposed on providers, the problems posed by encryption and different methods of international collaboration can take place. The committee has to draft a convention on these issues that is legally binding for the member states. Both material and formal criminal law are concerned.[12]
An agreement on the convention is expected in the course of 2000. The Dutch government has already made clear in diverse parliamentary debates on law enforcement with respect to the electronic highway that it considers the treaty to be an extremely important instrument in establishing international cooperation and harmonisation of legislation in this area. Recently, the member states of the EU have formulated a so-called “common position” for their part in the negotiations over the treaty. Among other things, the member states argue for the establishment of a permanent and accessible contact point for law enforcement “to facilitate swift cooperation.” Member states must “undertake to provide for an expedited search of data stored in their own territory regarding the investigation of serious criminal offences.”
The possibility that a country could independently introduce a cross-border computer tracing program has been cautiously mentioned. If implemented, such a program would for example, allow the French police to look directly into Dutch computers. This would only be permitted in cases of serious crimes that required urgent action. There must be “specific safeguards in order to enforce the sovereignty, security, public policy or other essential interests of other states”.[13]

Confidential communication
In December 1999, Minister of Justice Korthals explained the state of affairs regarding the treaty
negotiations in a letter to the Dutch parliament. The Council of Europe would like to see the following activities made illegal: the cracking of computer systems, the interception of data transfer, the manipulation or destruction of stored data, the disturbance of computer networks by directed and deliberate e-mail bombardments, the trade in passwords and access codes and the manufacture, the supply and distribution of hardware and software with a view to enabling any of these acts. The last addition means that not only hacking, but also the “supply” of hacking tools would be made illegal.

However, the only instance when an agreement on the penalisation of content-related crime was reached was with respect to child pornography. It seems that it is impossible to reach an agreement on incitement to racial hatred or the distribution of pornography. The First Amendment of the American Constitution opposes penalisation for racial hatred.
There is, in principal, also an agreement not to extend the authorisation for conducting cross-border investigations too drastically. The cooperation of other countries with an investigation with cross-border aspects should be sought via a request for legal assistance. There have been proposals to establish a contact network that can be reached 24 hours a day in order to allow this legal assistance to be given as quickly as possible.
It is more complicated when the police order someone to hand over certain information, part of which is stored in a computer to which that person has authorised access but is located in another country. This could be the case with an employee of a branch of a foreign bank, for example. According to Korthals, the Netherlands is inclined to take the view that in such a scenario, neither the cooperation nor the approval of the other country is necessary. The covenant, however, will probably prohibit authorities from acting alone in order to gain access to computers located in another country.
However, it is possible that the police obtain information from abroad by accident, and that this is not revealed until later. Some member states think that it is acceptable that this information can be used for investigative purposes or as evidence in criminal prosecutions. The Netherlands disagrees, but may be prepared to make a compromise whereby, in such a case, a discussion would take place on what would be done with the information.
A new power that has been proposed is the so-called “seizure order”. This order would oblige the manager of a private or public network, on request from law enforcement, to secure data traffic that otherwise would be immediately or shortly destroyed. The data concerned would indicate who had been communicating with whom, when and for how long
As speed is often crucial in computer investigations, there is also a proposal to make it possible for law enforcement in one country to directly ask a foreign network manager to secure information without the intervention of the judicial authorities of the other country. Although the majority of member states feel that making this an obligation for the foreign network manager would be going too far, they would consider it a feasible compromise if the authority to act in this way were granted. In this way, a director of a network would be able to comply with such a request without the fear of being prosecuted later, as network managers are, in principle, required to destroy information when it is no longer necessary for operational management. Korthals has indicated that this option would also acceptable to the Netherlands.
Furthermore, a number of member states want to see an interception obligation for private networks. The Netherlands is not opposed to this because, according to Korthals, certain provisions in the law on special investigating powers with respect to confidential communication leave this option open. “These provisions do not specify whether they concern confidential communication between people in the same room unaided by technical tools, or between people communicating with each other via a private network, that could even be a WAN (wide area network).” The clause also fails to specify whether it is necessary to gain the network manager’s permission to bug the lines or whether this would be possible without his consent or knowledge. According to Korthals, “all these possibilities are open”. Although he thinks that a general interception obligation for private networks would be taking things too far, an obligation to cooperate would be acceptable.
Lastly, it would be possible to compel someone whose e-mail has been confiscated to keep quiet about this if this was in the interests of the investigation.[14]

Evidence
One last important development is the system of “mutual recognition of legal judgements.” This is a recent trend in legal cooperation within the European Union. The harmonisation of legislation is not in the foreground, due to the enormous problems that it would entail. Instead, the choice has been made to harmonise wherever possible and apply approximation and mutual recognition in the other areas. Roughly speaking, this means that we accept each other’s legal decisions. For example, if the English police should ask the Dutch police to confiscate and hand over evidence, the Dutch police would assume that the English had conducted an investigation that complied with all the demands of a lawful state, and that they had legally sound reasons for requesting the evidence.
On the same note, the English judicial authorities will not check how the Netherlands came by its evidence, assuming that all has been done lawfully. This clause makes it irrelevant as to whether the methods of investigation in one country are unacceptable in another, or whether the matters under investigation are punishable in both countries. In the memorandum “Legislation for the electronic highway” the Dutch government announced that it was considering dropping the requirement for dual crime for a number of cases concerning the Internet. These would have to involve crimes of expression such as racism, child pornography or libel, and the condition would be that there was no mention of extradition, that this would only apply to serious crimes agreed on in advance, that the crime went against public order in the country seeking legal assistance, and that afterwards, the people involved would be notified.
This could have far-reaching consequences. “Radikal”, a magazine that is forbidden in Germany is distributed via a Dutch server. Radikal is not forbidden in The Netherlands. If the requirement for dual criminality is dropped, the German police could ask for an investigation into the Dutch distributors of Radikal, in order, for example, to examine the contacts between the Dutch distributors and the German suspects.
European proposals for such a system of “mutual recognition of legal decisions and judgements” explicitly point to the confiscation and exchange of electronic evidence.[15] During the special European Council on law enforcement and asylum which took place in Tampere in October 1999, the European heads of government approved this approach in principle.


[1] Communication from Ministers of Justice and Home Affairs of the 8, Chair of the MDG 13539/97 CRIMORG 38, Limite, Brussels 19-12-97
[2] Presidency of the Council, Draft on a progress report on organised crime for the European Council in Cardiff, 7303/3/98 Rev 3 CRIMORG 45, Limite, Brussels, 15 May 1998
[3] Sections of the Union’s strategy against high-tech criminality, Chair of Committee K4, 11893/1/98 Rev 1, CRIMORG 157, Brussels 28-10-98. This closely resembles an attempt to whitewash existing illegal practices. In practice concerning international cooperation, it seems to be the rule rather than the exception for police to phone a friendly foreign colleague to ask if suspect X is in their computers or not. If this is so, then a formal request is made. See the findings of the parliamentary enquiry commission on investigative methods, published whole on http://www.xs4all.nl/~respub
[4] Stefan Krempl, EU Kommissar kämpft für Recht und Ordnung im Netz, Telepolis, 4 February 2000
[5] Action plan for combating high-tech criminality, supplement in communication of Ministers of Justice and Home Affairs of the G8, Washington 10-12-97
[6] Reuters, 14-5-98
[7] Interview with Scott Charney, Telepolis, 11 June 1999
[8] German Presidency of the Conference of G8 Ministers of Justice and Home Affairs, Information concerning the meeting on transnational organised crime held on 19 and 20 October in Moscow, document 12615/99, CRIMORG 165 NIS 117 CATS 31, Limite, Brussels 8 November 1999
[9] “Interpol urged to stop the Internet from becoming the Wild West”, Agence France Press, 8 November 1999
[10] A resolution is not legally binding; it only urges the member states to take the conclusions on board and include them in their national legislation
[11] Recommendation No. R (95) 13 of the committee of ministers to member states concerning problems of criminal procedure law connected with information technology, adopted on 11-9-95
[12] European Committee on crime problems, CM (97) 4 Restricted, Straatsburg 10-1-97
[13] Draft joint position on negotiations relating to the Draft Convention on Cyber Crime held in the Council of Europe, Outcome of proceedings from Coreper, 7325/2/99 Rev 2 COR 1 CRIMORG 40 Limite, Brussels 21-5-1999
[14] Letter from Minister of Justice on the cybercrime treaty, parliamentary pieces 23530 nr 40, Den Haag 23 December 1999
[15] “Mutual recognition of judicial decisions and judgements in criminal matters”, United Kingdom Delegation to K.4 Committee, document 7090/99 Crimorg 35 Justpen 18, Limite, Brussels, 29 March 1999
>
<