Cyber-Crime Laws Hurt More Than They Help

The Council of Europe's Convention on Cybercrime is too far-reaching.

A developer arrested for writing software to read electronic books; third-party product vendors hauled into court for providing product interoperability; a popular and highly effective security product for stopping worms pulled from the Internet due to fear that the developer is breaking a state law; users unable to back up or transfer content they legally purchased: All have been direct consequences of laws such as the federal Digital Millennium Copyright Act and similar state laws known as Super DMCAs, laws that were ostensibly intended solely to protect intellectual property and copyright. These laws have had a negative effect on innovation, product interoperability and consumer fairuse, but at least the effect has been limited mainly to the United States.

But what if these laws, or something even broader and less focused, applied to the international community? What if the entities misusing these laws werent simply corporations and IP holders but were countries with little respect for personal rights and freedoms?

Unfortunately, that is what we are facing. The Council of Europes Convention on Cybercrime, which the Bush administration has asked the U.S. Senate to ratify, makes these very things possible.

On the surface, the convention has a laudable goal: promoting international cooperation in the fight against computer-related crime. Making it possible for governments to work together to stop cyber-crime is something we could all benefit from.

But the Convention on Cybercrime is so broad and sweeping that it goes well beyond simple cooperation and information sharing. It could be used in unintended ways and cause even worse damage than the DMCA has.

One of the most problematic features is the lack of dual criminality. That means a given country would have to help another country investigate one of its citizens, even if the crime being investigated isnt a crime in the citizens country.

This strips political dissidents of protection and undermines freedom of speech. But corporations should also beware. Would Macys online catalog of swimsuits violate decency laws in some nations? Are vendors, OEMs and customers of network security tools participating in the trafficking of hacker tools?

Also disturbing is that the convention would require ISPs to store and provide user usage data to requesting authorities. This has threatening implications for personal privacy, but, again, businesses should not ignore it, either. Does your business compete with a state-sponsored foreign company? Could that nation request your Internet logs and records for an "investigation" and have the data end up in the hands of your rival?

Even the best, most narrowly focused law may have unintended consequences. When it is as far-reaching as the Council of Europes Convention on Cybercrime, abuse is virtually certain. eWEEK recommends contacting your senators and letting them know the Council of Europes Convention on Cybercrime is bad for Americans and bad for U.S. business.

eWEEK is interested in your opinion. Send your comments to

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page: