Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the world, and senior figures from companies like Facebook, Microsoft, Apple and Cloudflare—it’s easy to imagine a covert machination or two.
As it happens, Octopus is one of the more open and transparent elements in the world of global law enforcement and cybersecurity. Civil society groups like EFF and EDRi were invited to speak, and this year it was our primary chance to comment on a new initiative by the event’s organizers, the Council of Europe: an additional protocol to their Cybercrime Convention (also known as the Budapest Convention on Cybercrime), which will dictate how Parties to the Convention from around the world can cooperate across borders to fight Internet crime.
Our conclusion: the Council of Europe (CoE) needs to stand more firmly against a global trend to undermine everyone’s privacy in the pursuit of faster and easier investigations. As conversations at Octopus showed, the many long arms of the world’s law enforcers are coming for user data, and the CoE needs to stand firm in requiring that they respect international human rights, in particular Article 15 of the Budapest Convention, when they reach across borders.
The CoE is an international organization that grew out of a post-World War II initiative to build human rights into European decision-making. It’s older and has more member states than the European Union (EU), with which it is often confused (you can blame this confusion on the EU, because they poached the original CoE logo for their flag, and even named one of their major institutions “The European Council”).
Nowadays, the CoE (among other roles) acts as a forum for developing international treaties. The organization recently celebrated an update to Convention 108, its 1981 treaty on data protection that was the forerunner of the GDPR.
Currently, the CoE Cybercrime Committee (TC-Y), composed of State Parties, Observers, and international governmental representatives from around the world, is working on a second additional protocol to the Budapest Convention in order to spell out the practices countries follow when allowing cross-border law enforcement access to subscriber data held by big tech companies like Google and Facebook, as well as by smaller companies and startups. The TC-Y’s proposal is part of a general push by governments around the world to speed up and widen access in international criminal investigations to online data held in other countries, most recently seen in the United States’ passing of the CLOUD Act, as well as in the E-Evidence draft proposals of the European Union.
We, along with civil liberties groups across Europe and Canada, have been strong critics of the EU and U.S. initiatives, saying that rather than create judicial short-cuts for law enforcement, as these laws would do, countries should put more resources into making the existing mutual legal assistance treaty (MLAT) system, which has built-in protections for privacy, run more effectively.
Some of the proposals introduced at July’s Octopus conference, unfortunately, fit some of these same patterns, such as allowing “direct cooperation with providers across jurisdictions and extending searches to access evidence in the cloud with the necessary rule of law safeguards.” Before Octopus, we, along with EDRi, Access, CIPPIC, IFEX, and a coalition of civil society organizations from around the world, had already expressed our concern with the CoE’s TC-Y direction, but it’s been hard to hammer out the details, primarily because civil society is excluded from the CoE’s drafting meetings, which take place a few days before Octopus assembles.
If we’d been in those meetings, we would have highlighted the same problems that have weakened all of these attempts so far:
First, as mentioned before, we continue to question whether such drastic reforms are truly necessary. The existing system of mutual legal assistance among countries certainly needs to be improved, but bypassing MLATs by going directly to service providers for electronic data, as all these new initiatives offer, is not the answer. Considerable procedural and human rights safeguards would be lost in such a move. Instead, civil society from around the world, including EFF and EDRi, has consistently recommended: offering technical training for law enforcement authorities; simplifying and standardizing data request forms; creating single points of contact for data requests; and, most importantly, increasing resources, especially in the United States, where the bulk of the requests end up. We’ve seen this work first-hand: thanks to a recent U.S. MLAT reform program, which increased the resources available to handle MLATs, the U.S. Department of Justice has already reduced the number of pending cases by a third.
Second, if you are going to circumvent MLATs, the replacement protocol needs to cope with some major difficulties in protecting human rights between states. One of the biggest challenges in the CoE TC-Y drafting process—a challenge that was evident in the initial Cybercrime convention itself—is a presumption that signatory parties share (and will continue to share) a common baseline of understanding with respect to the scope and nature of human rights protections, including privacy.
Unfortunately, there is not yet a harmonized legal framework among the countries participating in the negotiations and, more importantly, not a shared human rights understanding.
Experience shows there is a need for countries to bridge the gap between national legal frameworks and practices on the one hand, and the human rights standards established by the case law of the highest courts on the other. That’s especially true in the digital domain, where key human rights decisions have still not completely propagated globally, or even within their own jurisdictions. For example, the Court of Justice of the European Union (CJEU) has held on several occasions that blanket data retention is illegal under EU law. Yet several EU Member States still have blanket data retention laws, which serve as a basis for accessing data. Other states involved in the protocol negotiations, such as Australia, Mexico, and Colombia, have implemented precisely the type of sweeping, unchecked, and indiscriminate data retention regime that the CJEU ruled out.
Because the Cybercrime Convention’s Parties lack a harmonized human rights and legal safeguards standard, we think the forthcoming protocol proposals risk:
- bypassing those critical human rights vetting mechanisms inherent in the current MLAT system that are currently used to, among other things, navigate conflicts in fundamental human rights and legal safeguards that inevitably arise between countries;
- seeking to encode practices that fall below minimum standards being established in various jurisdictions by ignoring human rights safeguards established primarily by the case law of the European Court of Human Rights, the Court of Justice of the European Union, the Inter-American Commission on Human Rights, the Inter-American Court on Human Rights, among others; and
- including few substantive limits, instead relying on signatories’ own legal systems to provide enough safeguards that human rights are not violated in cross-border access situations, together with a general, non-specific requirement that signatories ensure adequate safeguards (see Article 15 of the Cybercrime Convention).
Finally, we would urge the authors of the forthcoming protocol not to create a mandatory or voluntary direct access mechanism to obtain data from companies directly. While the CoE’s current proposals seem to be limited to subscriber data, there are serious risks that the interpretation of what constitutes subscriber data might be expanded to include metadata, such as IP addresses.
Maryant Fernandez, EDRi’s Senior Policy Analyst, and Katitza Rodriguez, EFF’s International Rights Director, who spoke up at Octopus, made all of these points and more. But speaking up isn’t enough. It’s imperative that civil society be present for the drafting meetings themselves, so we can correct these problems as they arise. Without civil society participation, we’re concerned the proposed Protocol will lack the strong data protections and critical human rights vetting mechanisms that are embedded in the current MLAT system. There are some places the long arm of the law—even the many arms of the global law enforcement Octopus—just shouldn’t reach without real oversight and meaningful safeguards.