As part of an emerging international trend to try to ‘civilize the Internet’, one of the world’s worstInternet law treaties–the highly controversial Council of Europe (CoE) Convention on Cybercrime–is back on the agenda. Canada and Australia are using the Treaty to introduce new invasive, online surveillance laws, many of which go far beyond the Convention’s intended levels of intrusiveness. Negotiated over a decade ago, only 31 of its 47 signatories have ratified it. Many considered the Treaty to be dormant but in recent years a number of countries have been modeling national laws based on the flawed Treaty. Moreover, Azerbaijan, Montenegro, Portugal, Spain, and the United Kingdom are amongst those who have ratified within the last year. However, among non-European countries, only the U.S. has ratified the Treaty to date, making Canada and Australia’s efforts unique. The Treaty has not been harmless, and both Australia and Canada are fast-tracking legislation (Australia’s lower house approved a cybercrime bill last night) that will enable them to ratify the Treaty, at great cost to the civil liberties of their citizens.
Leaving out constitutional safeguards
Australia’s invasive bill highlights one of the fundamental flaws of the Convention on Cybercrime: the Treaty’s failure to specify proper level of privacy protection necessary to limit the over-broad surveillance powers it grants law enforcement agencies. This creates problems in countries like Australia since, as the Australia Privacy Foundation points out, Australia lacks the legal constitutional safeguards afforded to many other democratic countries:
The CoE Convention has to be read within the context that applies in CoE countries – where there are substantial and actionable constitutional protections for human rights. The absence of any such countervailing protection for human rights in Australia makes it completely untenable for the Convention to be implemented in Australia without very substantial additional provisions that achieve a comparable balance.
Bills proposed in Canada (read here and here) are also affected by the Convention’s flaws as they adopt the lowest possible standard of protection against many of the invasive powers they grant. The bills provide law enforcement access to sensitive data on the mere suspicion it might be useful to an investigation. Indeed, at times they leave out the safeguards altogether, as noted in a letter from Canadian privacy scholars and civil society organizations:
[the legislation] will give state agents the power to access …highly sensitive personal information, even where there is no reason to suspect it will assist in the investigation of any offense…What [this] facilitates, simply put, are unjustified and seemingly limitless fishing expeditions for private information of innocent and non‐suspicious Canadians.
Gag orders in place of oversight: Cultivating a culture of secrecy
The Convention’s most systemic flaw is that it seeks to impose invasive surveillance powers without legal protections. Aside from failing to specify adequate safeguards, it also leaves out the types of oversight mechanisms necessary to ensure its broad powers are not abused. Worse, the Convention takes active steps to reduce oversight and transparency by calling for limitations on when individuals can and cannot be notified that they are being surveilled upon.
The Australian bill even criminalizes any attempt to disclose the fact that the powers it grants to law enforcement have been used to spy on an individual. These gag orders will prevent anyone from disclosing the existence and content of interception warrants, all but ensuring innocent individuals will never know their civil liberties have been violated:
…it should be possible for individuals to find out that their communications have been subject to a preservation order or disclosed to law enforcement agencies once there is no longer any prejudice to an ongoing investigation.
Nigel Waters, Australia Privacy Foundation, Parliamentarian hearing on the Cybercrime Bill.
Proposed Canadian legislation also paves the way to blanket and perpetual gag orders that will apply by default to the most invasive of the seizure powers it authorizes. These gag orders can insulate abuses of power –when innocent people are surveilled for no good reason–and they will never find out nor will be able to challenge the abuse of their rights, even in situations where there is no longer any risk to an ongoing investigation.
The far-reaching powers this legislation puts in place, if adopted at all, should be accompanied by equally far-reaching oversight regimes, not gag orders. Instead of preventing abuses from ever seeing the light of day, individuals should be notified when they have been surveilled, and the extent, nature and frequency of such surveillance must be subject to rigorous external oversight.
Tamir Israel, staff attorney, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic.
Blanket gag orders are strongly disfavored under U.S. law, and at least one U.S. court of appeals has found a similar gag order provision partially unconstitutional. A provision of the PATRIOT Act permitted the government to obtain electronic communication transaction records from an Internet Service Providers without a court order. The law imposed a gag order on “National Security Letter” recipients, with extremely limited judicial review that required courts to accept the FBI’s assertions as true and placed the burden on the ISP to challenge the gag order after it had been issued. As EFF argued, such gag orders stifle free expression, and without any judicial oversight, the government was free to do what it wanted. The court agreed that the gag order provision was unconstitutional as written, but it construed the gag rules narrowly so as to pass First Amendment muster. The court found that the U.S. Justice Department could adopt additional procedures to cure the remaining defects—a result that EFF disagrees with because it is Congress’s job to write laws.
Forcing service providers to record your online activity
Countries are also using the Convention to put in place powers aimed at forcing service providers to store customer information for extended periods of time. While the Convention itself foresees targeted preservation orders in scenarios where there is a reason to believe the information would otherwise be vulnerable to loss or modification, Australian and Canadian bills ignore this important limitation. Also, while the Convention envisions a distinction between orders forcing service providers to preserve data they have already collected and orders aimed at forcing service providers to intercept and record data in real time, the misuse of proactive or ‘ongoing’ preservation orders aims to undermine this distinction.
In the U.S. and in Canada, for example, there have been cases where preservation powers have been misused to proactively compel service providers to retain data such as email or text messages that are not yet in their possession or control. Proactive preservation force service providers to record data they would never have otherwise retained, effectively bypassing legal protections in place for real-time electronic interceptions. As the U.S. DOJ notes in its manual on seizing electronic communications:
…should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes discussed in Chapter 4.
Instead of attempting to avoid such problems, the Australian bill embraces this confusion, and expressly grants law enforcement the right to order ‘ongoing preservation’. This, combined with the complete lack of any obligation to ensure preservation orders are narrowly targeted to capture relevant data at risk of deletion, opens the door to blanket retention orders aimed at real-time interception of communications services on a mass scale:
The Australian law, for example, is phrased in such broad terms that it could be applied indiscriminately, without any assurance that it will only be used to preserve data that is at risk of being destroyed:
The Bill could require an Internet Service Provider to preserve all stored communications (e.g. traffic and content data) for a telecommunications service (e.g. email, text messaging, mobile phone) for a specified period of time. Unless our concerns about the meaning of a ‘service’ are addressed, then under an ongoing domestic preservation notice, a Commonwealth agency could arguably request that a major carrier such as Telstra or Optus, preserve all emails used on its service for a 30 day period.
Australia Privacy Foundation Submission to the Parliament.
The proposed Canadian legislation also fails to ensure preservation demands will be used in a targeted manner and is likely to lead to voluntary retention of personal information that would not otherwise have been kept by telecommunications service providers.
Convention premised on outdated concepts of online data
The flaws inherent in the Convention itself are exacerbated by the fact that it was drafted over ten years ago and much has changed since then. The Convention was premised on the notion that ‘traffic data’ (data generated by computers as a by-product of online interactions) is ‘less sensitive’, and so should be more readily accessible to law enforcement. That was then, and this is now: Today’s ‘traffic data’ can include such sensitive information as your otherwise anonymous online identity or your social network of contacts. Mobile companies and our Internet services providers are now recording our whereabouts at every moment, and we are leaving far more detailed footprints that reveal sensitive information of our daily lives. Sensitive data of this nature warrants stronger protection, not an all-access pass.
Other things have changed in the online environment as well. The ongoing move towards cloud computing means that more and more of our information will be stored online. Nowadays, countless millions are trusting web-based email services such as Google Gmail to store years worth of private correspondence, and cloud services such as Dropbox or Google Docs store your most private documents. The Treaty could not envision this reality when it was drafted in 2001.
Ratifying the Cybercrime treaty would introduce not just one bad Internet law into each country’s lawbook but invite the enforcement of all the world’s worst Internet laws. Australia and Canada should hold this invasive treaty at bay.Governments must now think carefully about what the Treaty’s increased law enforcement powers will mean for citizen rights in this new digital context.