Watching the Web: Thoughts on Expanding Police Surveillance Opportunities under the Cyber-Crime Convention

On 23 November 2001, the Council of Europe and non-member states Canada, Japan, South Africa, and the United States signed the Convention on Cybercrime (CC), an agreement that requires participating nations to enact legislation that facilitates investigation and prosecution of crimes committed through the Internet. Among the measures mandated is legislation that grants new powers of search and seizure to law enforcement authorities, including the power to compel Internet service providers (1) (ISPs) to provide intercept technology to ensure "lawful access" to data transmissions, to provide assistance to police in the storage and search of data traffic generated by an investigation target, and to release to police general information (i.e., names and addresses) regarding a service's customers. The CC places obligations upon ISPs that, in effect, convert service providers into integral cogs in the apparatus of online law enforcement. We see this as part of a larger trend in the field of policing as a whole. Western states have begun to recognize the limitations of public police services in effecting crime control in various areas, including the field of telecommunications. To this end, law enforcement and other state agencies have been extending the reach of the state by establishing "policing" networks with elements of the private sector (from local community watch programs to private security companies and insurance agencies) that have the tools and capacity to achieve desired results beyond the state (Ericson and Haggerty 1997; Garland 2000). Both in isolation and in the context of the larger shift towards extending surveillance and policing functions throughout civil society, we see the CC's requirements as representing a substantial threat to Internet users' online privacy while placing onerous obligations on private businesses. The Convention on Cybercrime In this section we would like to explore in further detail those articles of the convention that bear most directly on issues relating to the role of service providers in facilitating Internet data surveillance and the search and seizure of customers' records. The bulk of the concerns addressed here arise in Articles 16 through 21. Article 16 specifies that signatories will adopt legislation or regulatory mechanisms to permit authorities to order the preservation (up to 90 days, though renewable) of computer data, including traffic data, relevant to an investigation. Article 16 also calls for measures to be enacted that lead to the "preservation of specified computer data." As the convention fails to define "preservation," the result has been concerns by users, ISPs, and civil libertarians as to whether governments will actually be seeking to trap the traffic of a targeted user (data preservation) or the network traffic of all users of a service (data retention). These worries appear to be justified: both the United Kingdom (Millar 2002) and Finland (EFFI 2002) have attempted to institute data retention schemes. Article 18 increases privacy concerns: it obliges signatories to adopt legislation or regulations that permit authorities to order computer data from a repository of those data, as well as ISP service subscriber information, including the identity and location of subscribers, their telephone number or other access method, billing and payment information, the type of service used, and the length of service. Article 20 further mandates the adoption of legislation to compel ISPs to provide access capability to law enforcement to monitor real-time traffic data or to assist law enforcement in collecting and recording real-time traffic. This would permit authorities to track the means by which targeted data are travelling. Article 21 calls for legal means to be established through which ISPs could be compelled to intercept and store content data such as e-mail messages, or to assist law enforcement in doing so. Each of the articles described, in effect, casts ISPs in the role of police agents, either by compelling them to function as officially sanctioned surveillants--searching for, collecting, analysing, and turning over data to agents of the state--or by ordering them to assist police in these same activities. …