
Council of Europe cooperation against cybercrime — human rights Octopus or fishy deals?

This week, Access Now, together with European Digital Rights (EDRi) and the Electronic Frontier Foundation (EFF), will attend the Council of Europe’s Octopus Conference to promote human rights protections in the process of reforming the Budapest Convention on Cybercrime.

Law enforcement agencies commonly seek access to data stored by tech companies as part of their criminal investigations. However, that data is not always stored in the jurisdiction where the agency is located, which complicates the question of which rules apply to the request and to the transfer of information. Sometimes this is because the agency is seeking to exercise its authority overseas or is uncertain of the location of the data, or simply because the company chose to store the data elsewhere. This cross-border exchange of data has significant implications for human rights, in particular privacy.

While we’ve blogged about the CLOUD Act in the U.S. and the e-evidence proposal in the E.U., another effort to expand law enforcement’s reach is underway: the Council of Europe (a non-E.U. body that includes members such as Russia, Azerbaijan, and Turkey) is seeking to reform the Budapest Convention on Cybercrime to increase and simplify cross-border access to data by law enforcement.

The Convention on Cybercrime, known as the Budapest Convention, has been around since 2004, and it requires states to address “cybercrime” through substantive and procedural laws. The Convention has limited protections for human rights, with references to the International Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR), but those protections are not spelled out nor do they address the particular problems that arise with accessing data stored overseas, like the risk that states won’t apply human rights protections for users outside their borders.

Nonetheless, with 60 state parties from all over the world including the United States, using the Budapest Convention as a vehicle for bypassing human rights standards for law enforcement access between parties would have considerable repercussions for users.

What would the changes do?

So far the committee responsible for drafting the additional protocol, which is the method to reform the Convention, has released several documents indicating the priorities to be examined between now and December 2019.

These documents indicate that the committee is looking at alternatives to the traditional legal mechanism between law enforcement and judicial authorities (Mutual Legal Assistance Treaties, or MLATs), with an eye toward expedited processes for subscriber information, international production orders, joint investigations, and more. The committee is also looking at provisions on direct cooperation between providers (think Facebook, Skype, and the like) and the state parties, to be used for certain more “urgent” requests. Data protection requirements and other safeguards are under debate too, a pressing issue from the perspective of civil society, as direct cooperation between any signatory member and service providers raises a nearly endless number of concerns.

Access Now has published principles to guide any new attempt to enable cross-border law enforcement requests, including potential changes to the Budapest Convention:

  • improve efficiency for lawful government requests,
  • reduce incentives for government interference with private-sector platforms and networks,
  • provide clarity for users, governments, and companies on the treatment of user data, and
  • ensure the system for cross-border data requests protects user rights.

In addition, Access Now has joined 27 other civil society organizations to urge the Council of Europe to proceed with any reform only while prioritizing human rights and the protection of users. Together, we recommend:

  • The convention’s deliberations prioritize refinement of the MLAT system for bilaterally handling cross-border data requests, rather than creating a compromised universal standard for convention signatories;
  • The necessity of “dual data privacy protection,” according to which requests for data must be legal by national laws in both the requesting and receiving country;
  • That a narrow and time-bound definition of any “emergency” standards that may be adopted is critical. We would emphasize the recommendation to limit this to direct and immediate threat of serious harm to life, rather than much lower thresholds such as potential harm or the protection of state interests;
  • That states that are party to Convention 185 should also sign, ratify, and properly implement Convention 108+, which provides for comprehensive and detailed data protection in the use and transfer of data that Convention 185 does not;
  • That extremely robust transparency and accountability mechanisms must be built into the final agreement, with yearly public reporting and as much transparency to those whose data is shared as possible.

The Council of Europe has an opportunity to prioritize the reform of the existing system for cross-border data exchange, the MLAT system, over new shortcuts for government access to data that undermine rights. The Council of Europe is undertaking work on an important issue, one that we have highlighted numerous times on this blog. However, the risks to human rights are considerable if any new system is built without appropriate consideration for the impact on users. We look forward to the conference and the lively discussions which are sure to follow.