22. Cybercrime and anti-terrorism legislation |
 |
| |
- 22.1. International legislative frameworks
- 22.2. The War on Terrorism
- 22.3. The implications for civil society groups
Following the attacks on the World
Trade Centre and The Pentagon on September 11th 2001, many states
enacted laws to tackle the perceived threat of terrorism. At
the same time, there was an increase in the dialogue and cooperation
between the operators of the Internet and electronic networks,
and the security services of many states. Although these measures
were promoted as an essential part of the so-called ‘war
on terrorism’, in fact many had been already in preparation
before September 11th. The attacks merely led to faster implementation
of technical and legal measures for the surveillance of individuals
and organisations. September 11th also provided a perfect excuse
to introduce measures that previously would have met more resistance
from those concerned about how these new measures might erode
essential civil liberties.
Most of these measures are aimed at tackling terrorism and serious
crime, but at the same time many states have redefined the boundaries
of these terms. There is a thin dividing line between everyday
protest activities and what can be defined as ‘organised
crime’. This is typified by, for example, the UK’s ‘common
purpose principle’. This new principle was created as part
of the laws that gives investigative powers to police forces
and the security services. It states:
"Conduct
which constitutes one or more offences shall be regarded as
serious crime where it involves conduct by a large number of
persons in pursuit of a common purpose” 1
This principle has allowed the widespread surveillance of many protest groups
in the UK. Whilst the offences these groups carry out are very minor (such
as trespass and obstruction of the highway), the fact that they are carried
out by many people working together allows them to be investigated with
the same powers reserved for organised criminals.
When considering how the state has taken new powers to enable the surveillance
of groups in society we must take note of this semantic re-definition. Terms
such as ‘cybercrime’, ‘terrorism’ and ‘organised
crime’ can be used under these new procedures to allow the surveillance
of groups that oppose many aspects of government policy, as well as developments
which may affect the economic well-being of large corporations. Organisations
that may be affected by this redrafting of legislation, must consider these
implications as part of their planning for future work and campaigns.
22.1. International legislative frameworks
The Cold War enabled the development of global networks of
surveillance as part of military systems. Little information
was thus publicly available about the functioning of these
systems. In the post-Cold War era, these systems have been
given legitimacy as ‘security measures’ to facilitate
fight against international terrorism or criminal activity.
Global surveillance systems that were developed out of the
Cold War, such as the Echelon System2 (a
signals intelligence network developed the USA, UK, Canada,
Australia and New Zealand), have pioneered new ideas for global
surveillance networks.
In
recent years, certain international bodies, such as the Council or Europe,
the Organisation for Economic Co-operation and Development (OECD), or the
G8 Conference, have begun to consider these issues as part of their policy
agenda 3 .Whilst
this has included extending co-op-eration on terrorism and security, an equally
important strand in these discussions has been the development of policies
on ‘information systems’. The purpose of these policy discussions
was to develop a common global standard for the retention of telecommunications
and internet traffic data. For example, during the G8 conference in 1998
a set of principles, and a ten point action plan, were adopted, to ‘preserve
electronic data’ for sharing between ‘international partners’.
This was followed-up in 2001 with a further conference workshop devoted to
the preservation of data.4 .
Initiatives such as this have in turn created an impetus for national legislation
on the monitoring of electronic networks.
Within
Europe, a significant development has been the adoption of the Cybercrime
Convention 5by the
Council of Europe (CoE). The Council of Europe is an intergovernmental body
formed from the 43 nations of Europe. Other states, such as the USA, also
participate in the Council as observers. The CoE first proposed a convention
to tackle cybercrime in 1995, which was finalised in September 2001. The
Convention has three parts: the first proposes that all states criminalise
certain on-line activities; the second that states require the operators
of telecommunications networks or internet service providers to institute
more detailed surveillance of network traffic, including where possible real-time
analysis; and part three requires that states co-operate in the investigation
of cybercrime by allowing data to be shared between them
– even if the crime being investigated in one state is not a crime
in the state from where information is requested.
As observers, the USA, Japan and Canada have co-signed the Convention. States
in other regions are looking at the Cybercrime Convention as the basis for
drawing up treaties on the sharing of communications data. Other states that
are not members of the CoE are also free to sign-up to the Convention and
co-operate with other states.
| TreatyWatch: Eight Reasons the International Cybercrime Treaty Should be Rejected
“In November 2001, the members of the Council
of Europe signed an extraordinarily broad new treaty
to increase cooperation among law enforcement officials
of different nations. Officially, this Cybercrime
Convention was drafted by the 43-member Council
of Europe, with the U.S., Canada, Japan and other
countries participating as “observers.” In
reality, American law enforcement officials have
been among the primary drivers behind the treaty.
The
Cybercrime Convention does three major things:
- It
includes a list of crimes that each member
country must have on its books. The treaty
requires criminalization of offenses such
as hacking, the production, sale or distribution
of hacking tools, and child pornography,
and an expansion of criminal liability for
intellectual property violations (Articles
2-11).
- It
requires each participating nation to grant
new powers of search and seizure to its
law enforcement authorities, including the
power to force an ISP (Internet Service Provider)
to preserve a citizen's Internet usage
records or other data, and the power to monitor
a citizen's online activities in real time
(Articles 16-22).
- It
requires law enforcement in every participating
country to assist police from other participating
countries by cooperating with "mutual
assistance requests" from police in
other participating nations "to the
widest extent possible" (Articles
23-35).
This is a bad treaty, and nations should not
sign or ratify it. There are 8 main problems
with the agreement:
Reason #1: The treaty lacks privacy and civil
liberties protections
Reason #2: The treaty is far too broad
Reason #3: The treaty lacks a “dual criminality” requirement
for cooperation with the police of other nations
Reason #4: Protection for political activities
is too weak
Reason #5: The treaty threatens to further unbalance
intellectual property law
Reason #6: The treaty would give police invasive
new surveillance powers
Reason #7: The treaty contains an overly broad
criminalization of hacking tools
Reason #8: The treaty was drafted in a closed
and secretive manner
Source: http://www.treatywatch.org/TreatyProblems.html (justifies these arguments)
|
|
What all these policies, such as the G8's action plan or the CoE's Cybercrime Convention, lack is a common definition of what is 'serious crime' or 'cybercrime'. There is also no requirement that before the data collected by a country is released it should be shown that the alleged actions would have been a crime if committed there. This means that there can exist wide differences in legal interpretation of the important terms, such as 'terrorism', 'serious crime' and 'cybercrime' between different states. This has significant implications for trans-national organisations that seek to challenge the actions of governments or corporations, particularly where these actions are primarily co-ordinated over the Internet.
22.2.
The War on Terrorism
More than anything, the events of September 11th
2001 have led to an updating and expansion of ‘terrorism’ legislation
to take it beyond the Cold War. Until recently ‘terrorism’ was
defined as activities motivated by a political ideology for the overthrow of
a government. The re-definition of terrorism by states since September 11th
has stressed motivations other than political ideology, potentially classifying
non-mainstream protest actions, campaigns and organisations as being involved
in supportive of terrorism.
Terrorism, like cybercrime, is defined differently from state to state. In
the USA, evidence given to the US Congress by the Federal Bureau of Investigations
(FBI) stresses that any group that uses or threatens violence or damage against
persons or property “in furtherance of political or social objectives” may
be classified as ‘terrorists’.6 .
In the UK, the interpretation of new terrorism laws given by the government
to local authorities stresses a much lower threshold, covering “acts
that may not in themselves be violent but which nonetheless but have a significant
impact on modern life” 7 .
This supports the approach taken in the Terrorism Act 2000 (enacted a full
year before the September 11th attacks) that redefines terrorism
from some form of paramilitary action to any form of direct action or protest
that “seeks to change the mind of the government” 8 .
The problem with these new laws is that they extend
the definition of terrorism into areas of campaigning by civil society groups.
Those engaging in mass protests, or taking direct action to disrupt trade conferences,
the development of infrastructure projects, or the operation of private enterprises,
risk being classified as ‘terrorists’. In practical terms, these
new laws will not allow the banning of most protest groups or the prosecution
of their members as terrorists (although that could happen in the case of a
few groups that take extreme action, such as Earth First!). However, those
who associate or work with these groups can be investigated as if they were
terrorists. In turn, the information gathered from such investigations could
be used to restrict or nullify the actions of these groups.
|
Using
Anti-terrorist Laws for other Objectives
“Citing a provision of the Patriot Act, the FBI is sending
letters to journalists telling them to secretly prepare to
turn over their notes, e-mails and sources to the bureau. Should
we throw out the First Amendment to nail a hacker? ... The
demand that journalists preserve their notes is being made
under laws that require ISP’s and other “providers
of electronic communications services” to preserve, for
example, e-mails stored on their service, pending a subpoena,
under a statute modified by the USA-PATRIOT Act. The purpose
of that law was to prevent the inadvertent destruction of ephemeral
electronic records pending a subpoena. For example, you could
tell an ISP that you were investigating a hacking case, and
that they should preserve the audit logs while you ran to the
local magistrate for a subpoena. It was never intended to apply
to journalist’s records.“
Source: Mark Rasch, “The Subpoenas are Coming!”,http://
www.securityfocus.com/columnists/187
|
|
22.3.
The implications for civil society groups
It is important to remember that most new terrorism
legislation, and pretty much all the initiatives in relation to the investigation
of serious crime/cybercrime, are based on the increased surveillance of communications.
Groups that seriously challenge governments or multinational corporations could,
under these legislative framework, come under direct surveillance. It is more
likely though, that governments will use this new system to monitor and retain
communications data in order to map the activities and the membership of campaign
groups. This has implications for the functioning of these groups.
The late 1990s saw a surge in action by campaign groups coordinated via the
internet. Electronic networking has facilitated the development of grassroots
action at the national and international level. At the same time, this has
left organisations that work in this way open to far more intrusive surveillance
than other traditional groups. The membership of these organisations, even
if they have no formal structure, can be mapped. The role of different members
within the organisation can be analysed. From this data, opponents could devise
actions against key individuals, or the network as a whole, to stop it from
func-tioning. This is particularly problematic if the group is campaigning
against the state, but would also affect anti-cor-porations campaigns. For
those who engage in international action, there is also the problem that instruments
such as the Cybercrime Convention would allow the supply of communications
surveillance data from their home state, to another state, even if their actions
were lawful in their home state.
There are two possible responses to the problems created by communications
surveillance and the extension of anti-terrorism powers.
Those involved can practice good communication security. They can encrypt communications,
use ‘privacy enhancing technologies’ (PETs) to restrict the disclosure
of information whilst working on-line. They can also improve their own computer
security to prevent the use of more active surveillance techniques such as
the FBI’s ‘Magic Lantern’ virus. The problem with this approach
is that, at the public level, the organisation will take on the same pattern
of activity as that practised by a terrorist group. This will make it easier
for those who wish to restrict the activities of that group to take action,
using the secrecy practised by the organisation as a justification.
The alternative to the good security option is the opposite in terms of tactics – not
only does the organisation take no steps to restrict the disclosure of information
via its communications, it actively seeks to be open. In addition, it uses
every opportunity to enforce the rights of the organisation, or the individuals
within that organisation, to have respect for the privacy of their communications,
using legal opportunities to complain about the disclosure of information.
An important part of this process is turning the network of mass surveillance
into a campaign in itself. In this way, not only would it be difficult to characterise
the organisation as a ‘secretive’ terrorist group, the organisation
would be able to maintain an accessible public profile in order to build support
for its work.
In practical terms, the solution for most organisations will be somewhere between
these two options. Most of the time, being open is not a problem. But where
the activities of the group involve working with those living under more repressive
regimes, or where a group deals with sensitive information sources or whistle-blowers,
the need to protect the identities of those individuals must be recognised.
4See
http://www.mofa.go.jp/policy/i_crime/high_tec/conf0105-5.html
|
