A few feel-good touches can't redeem the COE treaty, or the closed-door process that produced it.

A few weeks ago, the Council of Europe's (COE) Committee of Experts on Cyber-crime working group met in a closed meeting in Rome to put the finishing touches on the ever-troubling "Draft Convention on Cyber-crime". The touches were light: little more than a feather dusting with a couple of feel-good changes thrown in for good measure. The working group has now been at this since 1997, so they probably feel a profound sense of boredom trying to find a few more words to move around without really changing anything. They made up their minds on what they wanted sometime around 1999, and have just been toying with us since then to ensure they could get the treaty approved. The draft retains all of the controversial provisions from before, including the requirement that users can be forced to cough up information about the "measures applied to protect the computer data" of a system (read 'crypto keys'); mandates on surveillance of traffic data and content and the bans on developing and using security auditing tools, except by those who are "legitimate". In an attached "Explanatory Memorandum" there are only two things that the COE treats as so deplorable that even linking to it will be a crime: child pornography, and hacking tools. A modest improvement in the draft convention is the inclusion of a requirement that countries that implement the treaty follow whatever human rights protections exist in their domestic law, and under human rights treaties that the country has already signed. The signing nations must also be "proportional" in implementing the treaty -- a vague cost-benefit analysis where citizens' civil rights will undoubtedly be weighed against calls to "Protect the children." Nations may also consider the impact on third parties, such as the ISPs which have to pay for all of this, and there's new language requiring "independent supervision" -- from a judge, for example -- of online governmental spying. What remains most striking in the treaty is the utter absence of concepts like 'privacy' and 'data protection.' They sound good, but these changes are little more than window dressing: the U.S., the UK, and many other countries, already don't follow the requirements of many human rights treaties. And as for "independent supervision," just remember how many wiretap requests have been turned down in the last ten years in the U.S. -- three out of over 10,000. What remains most striking in the treaty is the utter absence of concepts like "privacy" and "data protection" and any kind of meaningful limitations of surveillance in all the of very detailed sections that mandate them. It apparently was easy to tell law enforcement the procedures on how to invade privacy, but too difficult to tell them what their limits are.