It’s no accident that among the multifarious “justifications” contained in the DOJ’s 2006 Legal Authorities Supporting the Activities of the National Security Agency, the following paragraph - seemingly unrelated to the principal arguments attempting to support warrantless wiretapping - was tucked away on page 30:
… it is clear that some presidential authorities in this context [the Supremacy Clause] are beyond Congress’s ability to regulate. For example, as the Supreme Court explained in Curtiss-Wright, the President “makes treaties with the advice and consent of the Senate; but he alone negotiates. Into the field of negotiation the Senate cannot intrude; and Congress itself is powerless to invade it.” 299 U.S. at 319. Similarly, President Washington established early in the history of the Republic the Executive’s absolute authority to maintain the secrecy of negotiations with foreign powers, even against congressional efforts to secure information. See id. at 320-21.
Convoluted as the justifications were, the example still hardly seems germane to the topic of domestic surveillance - yet its inclusion was not irrelevant. As it happens, along with defending warrantless wiretapping, DOJ was providing a cudgel for George Bush to wield over a somewhat reluctant Senate with which Bush had long been embattled, attempting to convince them to ratify a treaty he had signed two months after September 11, 2001. After protracted efforts, Bush prevailed and, on August 3, 2006, the Senate voted to allow ratification of the treaty which privacy and human rights advocates, worldwide, abhorred and that, ultimately, could be used to provide a back door to obtain surveillance intelligence on the public.
HISTORICAL NOTES ON THE TREATY
::
The treaty, whether by design or good fortune for Bush, took force in the U.S. on January 1, 2007, just as warrantless wiretapping was being curtailed. It appears under the category “Computer Crime” as the Convention on Cybercrime on page 339 of the U.S. State Department’s List of Treaties in Force. The treaty is also otherwise known as the “Council of Europe Convention on Cybercrime” and the “Budapest Convention” for the place where the treaty was first opened for signatures. Briefly, a treaty, like a contract, legally binds all parties to its terms. Under the U.S. Constitution, the Supremacy Clause declares treaties to be the “supreme Law of the Land,” just like federal statutes and the Constitution itself.
While originally conceived in the mid-90’s, when drafting began, as a means to facilitate global cooperation in pursuing hackers, child pornography purveyors, copyright offenders and various other electronic fraudsters, the treaty’s imperatives evolved to include much more, primarily because the U.S., which was granted “observer status” in the Council of Europe in 1995, was, by all accounts, instrumental in drafting the treaty – or, as the Council expressed it, “participating in its elaboration.” To that end, the U.S. relied in later negotiations partially upon the input of the DHS Critical Infrastructure Partnership Advisory Council, whose membership is wide and varied, but not so much so that it would include human rights or privacy advocates. That’s part of the reason it took Bush five years, instead of the customary two-to-three years, to get the treaty ratified. On the whole, though, draft participants were primarily from various of the Council-member governments’ law enforcement agencies, including the U.S. Department of Justice.
The first draft to be published in late 2000 was actually the 19th draft of the treaty because the drafting process was clandestine until it was opened for public remarks. Objections to the draft were immediate and strident, but because of events occurring shortly thereafter, such as 9/11, general fear-mongering, and the wars, they didn’t gain prominence in the media.
A three-page letter sent to the Council in late 2000 by the worldwide consortium of electronic and human rights advocates known as the Global Internet Liberty Campaign (GILC) succinctly addressed major concerns with the treaty:
We believe that the draft treaty is contrary to well established norms for the protection of the individual, that it improperly extends the police authority of national governments, that it will undermine the development of network security techniques, and that it will reduce government accountability in future law enforcement conduct.
...the Universal Declaration of Human Rights speaks directly to the obligations of government to protect the privacy of communication and to preserve freedom of expression in new media.
In the U.S., GILC included the American Civil Liberties Union, Center for Democracy and Technology, Computer Professionals for Social Responsibility, Derechos Human Rights, Digital Freedom Network, Electronic Frontier Foundation, Electronic Privacy Information Center, NetAction and CryptoRights Foundation.
The Electronic Privacy Information Center further commented:
...the treaty seems more like a law enforcement "wish list" than an international instrument truly respectful of human rights already enshrined in many international conventions, such as the 1948 Declaration of Human Rights and the 1950 European Convention of Human Rights....The US government's support for the ratification of the Convention on Cybercrime - a treaty very controversial in Europe - appears like an attempt to obtain more powers than what it could obtain with the USA PATRIOT Act after September 11, 2001.
John Naughton's May 12, 2001 column in The Guardian expressed a representative European view:
Unsubstantiated assertions about online crime are also the basis for a much more sweeping curtailment of civil liberties now in the legislative pipeline - the European Treaty on Cybercrime. It reads like a secret policeman's wish list. Among other things, it gives sweeping powers to security services to monitor everything people do online, and it places incredible burdens on ISPs.
It was cooked up behind closed doors at the Council of Europe...
Two months after 9/11 happened, thirty-eight nations signed the treaty along with Bush in a show of solidarity, and “preventing terrorism” was added to the list of enticements for all signatories to ratify the treaty in their countries. In a letter dated eight months after the invasion of Iraq, Bush urged the Senate to give advice and consent for ratification, saying it would "help deny 'safe havens' to criminals, including terrorists, who can cause damage to U.S. interests from abroad, using computer systems."
There was a surprising event in 2005 that amply demonstrated the diversity of the opposition, here related by a writer in Human Events, an online conservative journal:
An internationalist assault on the sovereignty of the United States and the privacy of U.S. citizens is currently awaiting action by the full Senate.
Fortunately, one heroic, albeit currently anonymous, conservative senator has placed a "hold" on this Cybercrime Convention, a procedural maneuver that prevents an immediate, unannounced vote on the floor of the whole Senate. Conservatives concerned with sovereignty and the Bill of Rights need to both become aware and raise others' awareness of the dangers posed [by the treaty].
That the writer railed in xenophobic fashion (Communists, Eurocrats, internationalists!) doesn’t negate the incredible fact that it was a Republican who had the good sense to place a hold on Bush’s treaty (in fact, it appears that Bush had the most difficulty with his own party) or that the writer was appalled that one pro forma hearing on the matter was the only hearing ever held - with three supporters from the State and Justice Departments as witnesses. Various letters from opponents and supporters alike were made part of the record at that hearing and can be found at the link. Public supporters were primarily from software companies, like Microsoft, with powerful lobbyists.
A letter from the Electronic Privacy Information Center (at the link on the hearing) is especially instructive as to the critical concerns for privacy and civil liberties that were at the forefront, all of which, in the end, were ignored. In part, it reads:
In summary, the Cybercrime Convention threatens core legal rights established by the United States Constitution. It constructs a sweeping structure of vast and invasive law enforcement activity without a corresponding means of oversight and accountability.
Among the criticisms made by the Electronic Frontier Foundation was that the treaty cultivates a culture of secrecy.
The Convention’s most systemic flaw is that it seeks to impose detailed invasive surveillance powers without legal protections. Aside from failing to specify detailed adequate safeguards, it also leaves out the types of oversight mechanisms necessary to ensure its broad powers are not abused. Worse, the Convention takes active steps to reduce oversight and transparency by calling for limitations on when individuals can and cannot be notified that they are being surveilled upon.
Dick Lugar, then chairman of the Foreign Relations Committee, pushed hard and in November, 2005, he published the Foreign Relations Committee Report on the treaty in which he assured Senators that "the United States will not rely upon authorities created in the USA PATRIOT Act to meet its obligations under the Convention….Similarly...the United States does not and will not use tools authorized under FISA procedures or administrative subpoenas to meet its treaty obligations." Certainly, these are odd statements, since what is left to rely upon are statutory laws that wouldn’t nearly authorize all that the treaty mandates, but it was the position Alberto Gonzales was promoting.
Apparently, that was sufficient to placate reluctant Senators and, on the evening before their summer recess, August 3, 2006, the U.S. Senate of the 109th Congress gave their advice and consent to ratify the treaty. The treaty was considered by the Senate by unanimous consent and the vote on ratification was by Division Vote, a seldom-used mechanism whereby Senators express their votes by standing. Among those Democrats in the Senate at the time were our former Secretary of State, Hillary Clinton; our current Secretary of State, John Kerry; our current Senate leader, Harry Reid; the current President pro tempore, Patrick Leahy; all of the current members of the Intelligence Committee except King (Feinstein, Rockefeller, Wyden, Mikulski, Udall, Warner, Heinrich) – and our current President and Vice-President, Barack Obama and Joe Biden.
On July 30, 2008, Bush amended the 1981 Executive Order 12333 - United States Intelligence Activities, which describes the duties and activities of the national intelligence agencies, ostensibly to strengthen the role of the Director of National Intelligence. The next president would consequently inherit a DNI with immense power. Curiously, among the many amendments in Bush’s replacement Executive Order 13470, is a change to Section 1(b) of the Preamble where it cites the President’s authority for setting forth the provisions in the Executive Order. Bush struck the word “statutes” in the prior Executive Order and replaced it with the more inclusive term “laws.” The pertinent passage now reads, “…by virtue of the authority vested in me by the Constitution and laws of the United States of America…it is hereby ordered….” The change appears to be an acknowledgement and clarification that Bush was relying not only on the Constitution and federal statutes for his authority, but on authority under treaties, as well, in connection with intelligence activities.
::
A BRIEF NOTE ON THE PRESENT
::
President Obama has made it abundantly clear that he fully endorses the cybercrime treaty, despite its abysmal failure to protect privacy and civil rights. In the publication, International Strategy for Cyberspace, President Obama states:
The United States and our allies regularly depend upon cooperation and assistance from other countries when investigating and prosecuting cybercrime cases. This cooperation is most effective and meaningful when the countries have common cybercrime laws, which facilitates evidence-sharing, extradition, and other types of coordination. The Budapest Convention on Cybercrime provides countries with a model for drafting and updating their current laws, and it has proven to be an effective mechanism for enhancing international cooperation in cybercrime cases. The United States will continue to encourage other countries to become parties to the Convention and will help current non-parties use the Convention as a basis for their own laws, easing bilateral cooperation in the short term, and preparing them for the possibility of accession to the Convention in the long term.
Howard Schmidt, appointed in 2009 by Obama to oversee U.S. cyber-security efforts, is quoted in a Bloomberg article, U.S. Plans 'Tough' Global Talks on Cyber-Crime Fight:
Schmidt said the U.S. would urge more countries to sign a 10-year-old treaty called the Cybercrime Convention that calls for cooperation in probing crimes committed via the Internet and other computer networks.
In fact, during Obama’s presidency, the following countries have ratified the treaty: Austria, Azerbaijan, Belgium, Georgia, Germany, Malta, Moldova, Montenegro, Portugal, Serbia, Spain, Switzerland and the United Kingdom (in 2011 during an Obama visit).
Russia has resisted the Administration's efforts to convince them to sign onto the treaty.
Russia says it won’t sign because it doesn’t want to give foreign law-enforcement agents trying to investigate crimes unfettered access to its Web data, which the convention requires.
::
DETAILS OF THE CONVENTION ON CYBERCRIME
::
The treaty is the first and only multilateral law governing computer crime, electronic surveillance, and evidence sharing. While it has been signed by fifty-one countries to date, it is currently in force in the thirty-nine of those countries that have ratified it.
The treaty has four main parts, the first of which discusses certain criminal offenses and the type of legislation that each Party (country) to the treaty must adopt regarding each category. In the U.S., criminal statutes already exist in connection with each of the specific computer crimes mentioned in Articles 2 through 15, but this section is not wholly without controversy. For instance, an infraction of these laws must be committed intentionally, but the definition of “intent” is left to each Party to decide – an oddity when one of the expressed goals of the treaty is to conform computer crime laws globally. James Dempsey, Senior Staff Counsel for the Center for Democracy and Technology, also condemned the language pertaining to illegal access, which provides that access is illegal unless permitted. He stated that this is just the opposite of the fundamental legal principle that all activity is legal, unless prohibited. Finally, Article 14(b) includes the overly broad statement that the treaty applies not only to the crimes specifically enumerated, but to “other criminal offences committed by means of a computer system.”
The second section, Articles 16 through 22, compels each Party to grant new powers of search and seizure to its law enforcement authorities. Dempsey maintains that these Articles pertain to any crime where the evidence could be in computerized form. Consequently, the treaty’s aim isn’t only at hackers or pornographers or even terrorists, but at the whole fabric of society.
Specifically, the powers must include the ability to
- force ISPs to preserve internet usage records, including traffic data, or other data, including a user’s identity, postal or geographic address, telephone and other access number, billing and payment information;
- enable its law enforcement authorities to search and seize i) a computer system or part of it and data stored therein or ii) a computer-data storage medium;
- enable its law enforcement authorities to make and retain a copy of any data seized or to render inaccessible or remove data in an accessed system;
- enable its law enforcement authorities to monitor and collect online activities in real time;
- apply these laws to the Party’s territory, a ship flying the Party’s flag, an aircraft registered under the laws of a Party, or its nationals, even outside the Party’s territorial jurisdiction.
The third section, Articles 23 through 35, requires each Party to provide mutual assistance “to the widest extent possible” and to establish a 24/7/365 law enforcement contact capable of providing such assistance. (The contact in the U.S. is the U.S. Department of Justice, Computer Crime and Intellectual Property Section). There is no “dual criminality” requirement, meaning that one Party could compel another Party to provide assistance with regard to persons who aren’t committing a crime in their own home territory. There are extradition provisions.
Article 32 addresses trans-border access and allows certain access by a Party even without the authorization of another Party. A Party may, without mutual assistance or authorization i) access open source data regardless of the geographic location of the data or ii) “access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.” The treaty does not define “person,” but the Cybercrime Convention Committee issued guidance notes on this Article which indicate that “person” may be construed to mean “a legal person,” including an ISP or cloud service provider.
The fourth section is on “housekeeping” matters.
Notably, the treaty contains absolutely no provisions or mechanisms to protect citizens’ privacy. In fact, the word “privacy” does not appear anywhere in any of the treaty’s Articles.
::