[Senate Executive Report 109-6]
[From the U.S. Government Publishing Office]
109th Congress Exec. Rept.
SENATE
1st Session 109-6
======================================================================
COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
(TREATY DOC. 108-11).
_______
November 8, 2005.--Ordered to be printed
_______
Mr. Lugar, from the Committee on Foreign Relations,
submitted the following
R E P O R T
[To accompany Treaty Doc. 108-11]
The Committee on Foreign Relations, to which was referred
the Council of Europe Convention on Cybercrime (Treaty Doc.
108-11) (hereafter ``the Convention''), signed by the United
States at Budapest on November 23, 2001, having considered the
same, reports favorably thereon with six reservations and five
declarations as indicated in the resolution of advice and
consent, and recommends that the Senate give its advice and
consent to ratification thereof, as set forth in this report
and the accompanying resolution of advice and consent.
CONTENTS
Page
I. Purpose..........................................................1
II. Background.......................................................2
III. Summary of Key Provisions of the Convention......................2
IV. Implementing Legislation.........................................6
V. Committee Action.................................................6
VI. Committee Recommendation and Comments............................6
VII. Text of Resolution of Advice and Consent to Ratification.........8
I. Purpose
The Convention is the only multilateral treaty to
specifically address computer-related crime and the gathering
of electronic evidence. It is designed to enhance the
investigation and prosecution of cross-border computer-related
crimes by eliminating or reducing procedural and jurisdictional
obstacles to international cooperation.
II. Background
The growth of the Internet has brought with it a rising
number of attacks on computer networks. The United States is
heavily dependent on computer networks to support its critical
infrastructure, including the military, satellite networks,
transportation and communications systems, and large utilities.
Attacks on these systems, as well as on U.S. Government
networks, constitute a threat to U.S. economic and national
security. Major U.S. financial institutions have also been the
target of such attacks, resulting in significant financial
losses. In addition to the threat to computer networks,
computers increasingly have been used to conduct more
traditional crimes, such as fraud, copyright piracy, and child
pornography. Moreover, organized crime syndicates and terrorist
groups have been known to use the Internet to facilitate
planning and communications.
In 1997, the Council of Europe (``COE'') responded to these
problems by establishing the Committee of Experts on Crime in
Cyber-space to negotiate a convention on cybercrime. This
committee was composed of representatives of COE member states
and four non-COE ``observer'' states (the United States,
Canada, Japan, and South Africa). The United States expects the
Convention to have significant law enforcement benefits and was
a leading participant in the negotiations. The Council of
Europe, at the urging of the United States and other countries,
made several drafts publicly available and distributed comments
it received to all negotiators for consideration. U.S.
negotiators also received input directly from interested
groups, including through several meetings they held with U.S.
industry and other interested groups, such as privacy and civil
liberties organizations.
The Committee of Experts finished its work in May 2001, and
the Convention was adopted by the COE Committee of Ministers on
November 8th of that year. On November 23, 2001, the Convention
was opened for signature to all COE member states and the four
observer states that participated in the negotiations, and was
signed by 30 states, including the four observer states. The
Convention entered into force on July 1, 2004, and now has 11
parties. Thirty-one other states have signed but not yet
ratified the instrument. The Convention permits other non-COE
member states to accede to the Convention, but only with the
unanimous consent of all of its parties.
III. Summary of Key Provisions of the Convention
A detailed article-by-article discussion of the Convention
may be found in the Letter of Submittal from the Secretary of
State to the President, which is reprinted in full in Treaty
Document 108-11. A summary of the key provisions of the
Convention is set forth below.
The Convention requires parties to prohibit certain
computer-related crimes under their domestic laws, to develop
certain investigative methods with respect to computer-related
crimes and electronic evidence of other crimes, and to
cooperate with other parties to investigate and prosecute such
crimes.
Articles 2 through 6 of the Convention require parties to
criminalize unauthorized access to a computer system;
unauthorized interception of data from a computer system;
unauthorized damage to or deletion of computer data;
unauthorized interference with the operation of a computer
system; and the possession, production, sale, procurement for
use, import, distribution, or otherwise making available of
devices designed to commit any of these offenses or of computer
access information, such as passwords, with the intent that
they be used to commit such offenses. In addition to these
offenses related to computer security, articles 7 through 10 of
the Convention obligate parties to establish the offenses of
computer-related forgery and computer-related fraud, as well as
various aspects of the production, possession, procurement, and
distribution of child pornography using computers, and
infringement of copyright and related rights by means of a
computer and on a commercial scale. U.S. law already prohibits
such conduct, and the reservations and declarations proposed by
the committee (see Section VI below) would ensure that the
United States may implement these obligations consistent with
existing U.S. law.
Under articles 16 through 21 of the Convention, parties
must develop and be prepared to use certain investigative
techniques designed to improve the effective investigation of
the crimes set forth under the Convention and other criminal
offenses committed by means of computer systems, as well as the
collection of electronic evidence of criminal offenses. These
techniques include the ability to preserve, search, and seize
stored computer data; the ability to collect in real time and
preserve ``traffic data'' being communicated between computers;
and the ability to intercept certain content of the data. It
bears emphasis that all of these investigative tools are
already provided for under U.S. domestic law. Therefore, the
Convention will not establish new police powers in the United
States or otherwise alter U.S. civil liberties protections.
Article 15 of the Convention requires each party to ensure that
the establishment, implementation and application of these
powers and procedures are subject to conditions and safeguards
to be provided for under its domestic law that adequately
protect human rights and liberties. For the United States, the
conditions and safeguards that would apply may be found in the
U.S. Constitution, including particularly the Fourth and Fifth
Amendments, and various federal statutes, such as those set
forth in the Federal Rules of Criminal Procedure and Title 18
of the U.S. Code, which require, among other things, judicial
supervision of any requests for interception or disclosure of
electronic communications.
Article 15, paragraph 3 requires each Party, to the extent
consistent with the public interest, to consider the impact of
these powers and procedures on the rights, responsibilities and
legitimate interests of third parties. In this regard, the
committee notes that paragraph 148 of the explanatory report
accompanying the Convention reflects the understanding of the
Parties that such third parties include internet service
providers. It states that ``initial consideration is given to
the sound administration of justice and other public interests
(e.g. public safety and public health and other interests,
including the interests of victims and the respect for private
life). To the extent consistent with the public interest,
consideration would ordinarily also be given to such issues as
minimising disruption of consumer services, protection from
liability for disclosure or facilitating disclosure under this
chapter, or protection of proprietary interests.''
Chapter Three of the Convention addresses international
cooperation, including extradition and mutual legal assistance
among the parties. Article 24 of the Convention adds the crimes
established under the Convention to those offenses for which
extradition may be sought under extradition treaties in force
among parties to the Convention, and permits, but does not
require, parties to use the Convention as a basis for
extradition in the absence of such treaties. For the United
States, the Convention will not provide an independent legal
basis for extradition, which will continue to be based on U.S.
domestic law and applicable bilateral treaties. It will,
however, effectively expand the scope of offenses covered under
certain existing bilateral extradition treaties (those that
specifically list the offenses for which extradition may be
granted).
Articles 25 through 35 of the Convention relate to mutual
legal assistance among the parties. Article 25 provides a
general obligation that parties shall afford each other mutual
assistance ``to the widest extent possible for the purpose of
investigations or proceedings concerning criminal offenses
related to computer systems and data, or for the collection of
evidence in electronic form.'' Articles 29 through 31, and 33
provide specific obligations for such assistance, including
assistance that would involve the use of the investigative
techniques for collection of computerized evidence that
articles 16 through 21 of the Convention oblige parties to
establish under their domestic law. It should be noted that
although article 34 permits parties to request assistance in
the interception of content data, it is narrowly drawn; indeed,
there is no general obligation to provide this form of
cooperation, as assistance is available ``only to the extent''
already permitted by applicable mutual legal assistance
treaties and domestic law. In the United States, that law is
subject to close judicial supervision, and in no case will a
foreign authority be able to obtain information on terms that
are less restrictive than for U.S. law enforcement. Currently,
there is no authority to intercept communications based solely
on the request of a foreign government; the only instance in
which the United States would be in a position to accommodate
such a request would be if the interception of the
communications were independently authorized as part of a
related or parallel investigation in the United States, and
disclosing the contents of the intercepted communications were
otherwise appropriate (see 18 U.S.C. sec. 2517(7)). Under U.S.
law, a search warrant is insufficient authority to intercept
the content of communications in transmission, as that
collection is governed by the wiretap and interception statutes
(18 U.S.C. sec. 2510, et seq.), as noted above. Although a
search warrant may be used to obtain stored data, it must
involve a crime recognized under U.S. law.
Notably, assistance in collecting electronic evidence is
not limited to the crimes established in the Convention, and
the Convention does not require, as a precondition to
assistance, that the offense being investigated also constitute
a crime in the state receiving the request (``dual
criminality''). This lack of a dual criminality requirement is
hardly a novelty. In the last two decades, the Senate has
approved, and the President has ratified, 43 bilateral mutual
legal assistance treaties that do not contain such a
requirement for all types of cooperation. This is in the
interest of U.S. law enforcement, which aggressively utilizes
these treaties to gain evidence abroad and would be hamstrung
by a rigid dual criminality provision in all cases. Therefore,
the United States will be able to use this Convention to obtain
electronic evidence in cases involving money laundering,
conspiracy, racketeering, and other offenses under U.S. law
that may not have been criminalized in all other countries.
At the same time, the Convention contains sufficient
safeguards to ensure that the lack of a ``dual criminality''
requirement will not result in the provision of assistance by
the United States in any inappropriate situations. The
Convention provides the same high standard of protection of
U.S. Constitutional interests that is contained in U.S.
bilateral MLATs. Assistance is to be provided in accordance
with the provisions of mutual legal assistance treaties between
the parties where they exist. Where no such treaties exist
between parties, article 27 of the Convention provides a
procedural mechanism for cooperation to be applied between
them, including the grounds for refusal of such requests (in
addition to any grounds provided under the law of the requested
party). The grounds for refusal contained in paragraph 4 of
article 27 are analogous to those contained in U.S. bilateral
MLATs. A requested party may refuse any request concerning a
political offense or that is likely to prejudice its
sovereignty, security, ordre public or other essential
interests. In response to questions from the committee,
executive branch officials confirmed that this provision
authorizes the United States to deny a request where providing
the assistance would impinge on U.S. Constitutional
protections, such as free speech, and that the executive branch
intends to deny assistance in such situations. In addition,
they committed that ``[T]he Department of Justice will
carefully review each request, regardless of the country from
which it comes, to ensure that compliance with it would not
impinge on U.S. fundamental principles and policy, and that
U.S. implementation of foreign requests would not be
inconsistent with Constitutional protections.''
The committee also wishes to emphasize that the United
States will not rely upon authorities created in the USA
PATRIOT Act to meet its obligations under the Convention. The
Convention was substantially drafted prior to the enactment of
the USA PATRIOT Act, and is entirely consistent with United
States law as it existed at that time. Accordingly, for
example, the Convention does not require, and the United States
does not contemplate, the use of the delayed notice search
warrants authorized by Title 18, United States Code, Section
3103a for implementation of the Convention. Similarly, because
the Convention will be implemented consistent with existing
procedures for mutual legal assistance, the United States does
not and will not use tools authorized under Foreign
Intelligence Surveillance Act procedures or administrative
subpoenas to meet its treaty obligations. Instead, longstanding
statutory and mutual legal assistance treaty and agreement
procedures will be used consistently with the judicial
oversight provided under those treaties and laws, in full
compliance with the rights guaranteed under the United States
Constitution. For example, as with domestic cases, U.S.
execution of foreign government requests for collection or
disclosure of electronic evidence would require judicial
oversight.
The Convention is expected to improve computer security
without creating an undue burden on internet service providers
(``ISPs''). The Convention does not impose any general
requirement on ISPs to collect or retain data. Rather, in
specific cases, they may be required to collect, preserve, or
disclose specified data, just as they are under existing U.S.
procedural law. In response to questions posed by the
committee, executive branch officials indicated that the
Department of Justice will continue its current practice under
other mutual legal assistance instruments of reviewing requests
for assistance and alerting the ISPs as to the appropriate
urgency of such requests. They also confirmed that the
Convention will have no effect on existing U.S. law or policy
governing reimbursement of costs incurred by ISPs in responding
to such requests.
The committee notes that articles 24, 25, 27 through 31,
and 33 of the Convention, on extradition and mutual legal
assistance, are intended to operate in the same way as similar
provisions contained in bilateral extradition and mutual legal
assistance treaties. As with such provisions in bilateral
treaties, these provisions are self-executing. They will be
implemented by the United States in conjunction with applicable
federal statutes. Additionally, the executive branch has
indicated that they are not intended to create any private
rights of action. The committee notes that the lack of a
private right of action does not affect the ability of a person
whose extradition is sought to raise any available defense in
the context of the extradition proceeding.
IV. Implementing Legislation
No new implementing legislation is required for the
Convention. An existing body of federal laws will suffice to
implement the obligations of the Convention, although some
minor reservations and declarations are needed, as discussed
below.
V. Committee Action
The Committee on Foreign Relations held a public hearing on
the Convention on June 17, 2004, at which it heard testimony
from representatives of the Departments of State and Justice
(S. Hrg. 108-721). On July 26, 2005, the committee considered
the Convention and ordered it favorably reported by voice vote,
with the recommendation that the Senate give its advice and
consent to its ratification, subject to the reservations and
declarations contained in the resolution of advice and consent.
VI. Committee Recommendation and Comments
The Committee on Foreign Relations believes that the
proposed Convention is in the interest of the United States and
urges the Senate to act promptly to give advice and consent to
its ratification, subject to the reservations and declarations
contained in the resolution of advice and consent.
The committee has included a number of reservations and
declarations in the resolution of advice and consent. Section
two of the resolution contains six reservations. The first four
reservations relate to the obligations under articles 4 (data
interference), 6 (misuse of devices), 9 (offenses related to
child pornography) and 10 (offenses related to infringements of
copyright and related rights) of the Convention to criminalize
certain conduct. Consistent with the recommendations of the
executive branch, the committee has included these four
technical reservations permitted by the Convention in order to
ensure that the United States may implement these obligations
consistent with existing U.S. law.
The fifth reservation concerns the scope of the Convention.
Article 22 of the Convention requires each party to establish
jurisdiction in respect of the offenses established under the
Convention when committed in its territory or on board a vessel
flying its flag or an aircraft registered under its laws. U.S.
law does not expressly extend U.S. jurisdiction over these
particular crimes when committed on board U.S. vessels and
aircraft outside of U.S. territory, although in certain cases
U.S. jurisdiction may exist on other jurisdictional bases.
Because the United States cannot ensure its ability to exercise
jurisdiction in all such cases, the committee concurs with an
executive branch recommendation that the United States enter a
reservation limiting the obligation of the United States
consistent with the reach of U.S. law, as permitted by the
Convention.
The sixth reservation relates to the federal system in the
United States. Although U.S. federal law prohibits the conduct
proscribed by the Convention, federal criminal law generally
covers conduct involving interstate or foreign commerce or
another important federal interest. Because U.S. state, not
federal law, would apply to a narrow category of conduct that
does not implicate a foreign, interstate, or other federal
interest (e.g., an attack on a stand-alone computer), the
executive branch recommended that the United States reserve
against these obligations in these narrow circumstances, as
permitted by the Convention. The committee agrees with this
recommendation.
Section three of the resolution contains five declarations.
The first three declarations relate to the obligations under
articles 2 (illegal access), 6 (misuse of devices) and 7
(computer-related forgery) of the Convention to criminalize
certain conduct. Consistent with the recommendations of the
executive branch, the committee has included these three
technical declarations permitted by the Convention in order to
ensure that the United States may implement these obligations
consistent with existing U.S. law.
The fourth declaration relates to procedures to be followed
in the case of urgent requests for mutual legal assistance.
Article 27, paragraph 9(a) of the Convention permits urgent
requests to be made directly to the judicial authorities of a
party unless, for efficiency reasons, that party declares at
the time of ratification that such requests should instead be
sent to its central authority. The committee concurs with the
executive branch recommendation that the United States make
such a declaration.
The last declaration relates to U.S. implementation of the
Convention under existing U.S. law. The executive branch
recommended that the United States include an understanding to
clarify that the United States intends to comply with the
Convention based on existing law. The committee has included
such a statement in the resolution, formulated as a declaration
in accordance with recent committee practice.
Under article 37, any State not a member of the Council of
Europe and which has not participated in the formulation of the
Convention may accede to it, but it may only do so upon
invitation. Such invitation requires the unanimous consent of
the parties to the Convention. The United States would
therefore have a voice in the accession of any state. While the
committee believes that broad adherence to the Convention among
both members and non-members of the Council of Europe could be
beneficial to U.S. law enforcement interests, it has concerns
about potential mutual legal assistance relationships with
authoritarian states. The Convention provides a broad framework
for sharing of electronic evidence--not merely that involving
cyber-crime--and is thus a significant legal assistance tool.
The committee believes that, given the nature of the evidence-
sharing requirements in the Convention, it is important that
the United States, in consultation with other parties, work to
ensure that all parties ``accept the principles of the rule of
law,'' as the Council of Europe requires of its own members.
VII. Text of Resolution of Advice and Consent to Ratification
Resolved (two-thirds of the Senators present concurring
therein),
SECTION 1. SENATE ADVICE AND CONSENT SUBJECT TO RESERVATIONS AND
DECLARATIONS
The Senate advises and consents to the ratification of the
Council of Europe Convention on Cybercrime (``the
Convention''), signed by the United States on November 23, 2001
(T. Doc. 108-11), subject to the reservations of section 2, and
the declarations of section 3.
SECTION 2. RESERVATIONS
The advice and consent of the Senate under section 1 is
subject to the following reservations, which shall be included
in the United States instrument of ratification:
(1) The United States of America, pursuant to Articles 4
and 42, reserves the right to require that the conduct result
in serious harm, which shall be determined in accordance with
applicable United States federal law.
(2) The United States of America, pursuant to Articles 6
and 42, reserves the right not to apply paragraphs (1)(a)(i)
and (1)(b) of Article 6 (``Misuse of devices'') with respect to
devices designed or adapted primarily for the purpose of
committing the offenses established in Article 4 (``Data
interference'') and Article 5 (``System interference'').
(3) The United States of America, pursuant to Articles 9
and 42, reserves the right to apply paragraphs (2)(b) and (c)
of Article 9 only to the extent consistent with the
Constitution of the United States as interpreted by the United
States and as provided for under its federal law, which
includes, for example, crimes of distribution of material
considered to be obscene under applicable United States
standards.
(4) The United States of America, pursuant to Articles 10
and 42, reserves the right to impose other effective remedies
in lieu of criminal liability under paragraphs 1 and 2 of
Article 10 (``Offenses related to infringement of copyright and
related rights'') with respect to infringements of certain
rental rights to the extent the criminalization of such
infringements is not required pursuant to the obligations the
United States has undertaken under the agreements referenced in
paragraphs 1 and 2.
(5) The United States of America, pursuant to Articles 22
and 42, reserves the right not to apply in part paragraphs
(1)(b), (c) and (d) of Article 22 (``Jurisdiction''). The
United States does not provide for plenary jurisdiction over
offenses that are committed outside its territory by its
citizens or on board ships flying its flag or aircraft
registered under its laws. However, United States law does
provide for jurisdiction over a number of offenses to be
established under the Convention that are committed abroad by
United States nationals in circumstances implicating particular
federal interests, as well as over a number of such offenses
committed on board United States-flagged ships or aircraft
registered under United States law. Accordingly, the United
States will implement paragraphs (1)(b), (c) and (d) to the
extent provided for under its federal law.
(6) The United States of America, pursuant to Articles 41
and 42, reserves the right to assume obligations under Chapter
II of the Convention in a manner consistent with its
fundamental principles of federalism.
SECTION 3. DECLARATIONS
(1) The advice and consent of the Senate under section 1 is
subject to the following declarations, which shall be included
in the United States instrument of ratification:
(a) The United States of America declares, pursuant
to Articles 2 and 40, that under United States law, the
offense set forth in Article 2 (``Illegal access'')
includes an additional requirement of intent to obtain
computer data.
(b) The United States of America declares, pursuant
to Articles 6 and 40, that under United States law, the
offense set forth in paragraph (1)(b) of Article 6
(``Misuse of devices'') includes a requirement that a
minimum number of items be possessed. The minimum
number shall be the same as that provided for by
applicable United States federal law.
(c) The United States of America declares, pursuant
to Articles 7 and 40, that under United States law, the
offense set forth in Article 7 (``Computer-related
forgery'') includes a requirement of intent to defraud.
(d) The United States of America declares, pursuant
to Articles 27 and 40, that requests made to the United
States of America under paragraph 9(e) of Article 27
(``Procedures pertaining to mutual assistance requests
in the absence of applicable international
agreements'') are to be addressed to its central
authority for mutual assistance.
(2) The advice and consent of the Senate under section 1 is
also subject to the following declaration:
The United States of America declares that, in view of its
reservation pursuant to Article 41 of the Convention, current
United States federal law fulfills the obligations of Chapter
II of the Convention for the United States. Accordingly, the
United States does not intend to enact new legislation to
fulfill its obligations under Chapter II.
�