[Senate Treaty Document 108-11]
[From the U.S. Government Publishing Office]



108th Congress                                              Treaty Doc.
                                 SENATE                     
 1st Session                                                     108-11
_______________________________________________________________________

                                     

 
                        CONVENTION ON CYBERCRIME

                               __________

                                MESSAGE

                                  from

                   THE PRESIDENT OF THE UNITED STATES

                              transmitting

     COUNCIL OF EUROPE CONVENTION ON CYBERCRIME (THE ``CYBERCRIME 
  CONVENTION'' OR THE ``CONVENTION''), WHICH WAS SIGNED BY THE UNITED 
                      STATES ON NOVEMBER 23, 2001




 November 17, 2003.--Convention was read the first time, and together 
  with the accompanying papers, referred to the Committee on Foreign 
     Relations and ordered to be printed for the use of the Senate
                         LETTER OF TRANSMITTAL

                              ----------                              

                                           The White House,
                                                 November 17, 2003.
To the Senate of the United States:
    With a view to receiving the advice and consent of the 
Senate to ratification, I transmit herewith the Council of 
Europe Convention on Cybercrime (the ``Cybercrime Convention'' 
or the ``Convention''), which was signed by the United States 
on November 23, 2001. In addition, for the information of the 
Senate, I transmit the report of the Department of State with 
respect to the Convention and the Convention's official 
Explanatory Report.
    The United States, in its capacity as an observer at the 
Council of Europe, participated actively in the elaboration of 
the Convention, which is the only multilateral treaty to 
address the problems of computer-related crime and electronic 
evidence gathering. An overview of the Convention's provisions 
is provided in the report of the Department of State. The 
report also sets forth proposed reservations and declarations 
that would be deposited by the United States with its 
instrument of ratification. With these reservations and 
declarations, the Convention would not require implementing 
legislation for the United States.
    The Convention promises to be an effective tool in the 
global effort to combat computer-related crime. It requires 
Parties to criminalize, if they have not already done so, 
certain conduct that is committed through, against, or related 
to computer systems. Such substantive crime include offenses 
against the ``confidentiality, integrity and availability'' of 
computer data and systems, as well as using computer systems to 
engage in conduct that would be criminal if committed outside 
the cyber-realm, i.e., forgery, fraud, child pornography, and 
certain copyright-related offenses. The Convention also 
requires Parties to have the ability to investigate computer-
related crime effectively and to obtain electronic evidence in 
all types of criminal investigations and proceedings.
    By providing for broad international cooperation in the 
form of extradition and mutual legal assistance, the Cybercrime 
Convention would remove or minimize legal obstacles to 
international cooperation that delay or endanger U.S. 
investigations and prosecutions of computer-related crime. As 
such, it would help deny ``safe havens'' to criminals, 
including terrorists, who can cause damage to U.S. interests 
from abroad using computer systems. At the same time, the 
Convention contains safeguards that protect civil liberties and 
other legitimate interests.
    I recommend that the Senate give early and favorable 
consideration to the Cybercrime Convention, and that it give 
its advice and consent to ratification, subject to the 
reservations, declarations, and understanding described in the 
accompanying report of the Department of State.

                                                    George W. Bush.
                          LETTER OF SUBMITTAL

                              ----------                              

                                       Department of State,
                                    Washington, September 11, 2003.
The President,
The White House.
    The President: I have the honor to submit to you, with a 
view to its transmittal to the Senate for advice and consent to 
ratification, the Council of Europe (``COE'') Convention on 
Cybercrime (``the Cybercrime Convention'' or ``the 
Convention''), which was adopted by the COE's Committee of 
Ministers on November 8, 2001. On November 23, 2001, the United 
States, which actively participated in the negotiations in its 
capacity as an observer state at the COE, signed the Convention 
at Budapest. I recommend that the Convention be transmitted to 
the Senate for its advice and consent to ratification.
    Accompanying the Convention is its official Explanatory 
Report, which was also adopted by the COE's Committee of 
Ministers on November 8, 2001. The Explanatory Report, which 
was drafted by the Secretariat of the COE and the delegations 
participating in the negotiations, provides a thorough analysis 
of the Convention. It is customary for the COE to prepare such 
reports in connection with its conventions. Under established 
COE practice, such reports reflect the understanding of the 
Parties in drafting convention provisions and, as such, are 
accepted as fundamental bases for interpretation of COE 
conventions. The Explanatory Report would be provided to the 
Senate for its information.
    The Cybercrime Convention is the first multilateral treaty 
to address specifically the problem of computer-related crime 
and electronic evidence gathering. With the growth of the 
Internet, attacks on computer networks have caused large 
economic losses and created great risks for critical 
infrastructure systems. Examples of such cybercrime activities 
include the deliberate transmission of ``viruses,'' ``denial of 
service'' attacks, and ``hacking'' into government and 
financial institution computer systems. Criminals around the 
world are also using computers to commit traditional crimes, 
such as fraud, child pornography and copyright piracy. In 
addition, computer networks provide organized crime syndicates 
and terrorists means with which to plan, support, coordinate, 
and commit their criminal activities.
    In response to this growing problem of computer-related 
crime, the COE established in 1997 the Committee of Experts on 
Crime in Cyber-space (``PC-CY'') to undertake negotiation of 
the Cybercrime Convention. States participating in the work of 
the PC-CY included the United States, COE member states, 
Canada, Japan, and South Africa. Beginning in April 2000, 
drafts of the Convention were made public by the COE, so that 
interested members of the public could review and provide 
comments to the PC-CY. In addition, U.S. Government officials 
sought to make information about the Convention available to 
interested members of the public. Since its adoption, 37 states 
have signed the Convention, including three COE member states 
that have also ratified it.
    The Convention establishes a treaty-based framework that 
requires Parties to criminalize certain conduct related to 
computer systems and to ensure that certain investigative 
procedures are available to enable their domestic law 
enforcement authorities to investigate cybercrime offenses 
effectively and obtain electronic evidence (such as computer 
data) of crime. In a manner analogous to other law enforcement 
treaties to which the United States is a party, the Convention 
also requires Parties to provide broad international 
cooperation in investigating computer-related crime and 
obtaining electronic evidence.
    By requiring Parties to establish certain substantive 
offenses, the Convention will help deny ``safe havens'' to 
criminals, including terrorists, who can cause damage to U.S. 
interests from abroad using computer systems. Similarly, by 
requiring Parties to have certain procedural authorities, the 
Convention will enhance the ability of foreign law enforcement 
authorities to investigate crimes effectively and 
expeditiously, including those committed by local criminals 
against U.S. individuals, institutions and interests. Since 
cybercrimes are often committed via transmissions routed 
through foreign Internet Service Providers (``ISPs'') and 
criminals increasingly seek to hide evidence of their crimes 
abroad, the Convention would also provide mechanisms for U.S. 
law enforcement authorities to work cooperatively with their 
foreign counterparts to trace the source of a computer attack 
and to obtain electronic evidence stored outside the United 
States. Thus, the Convention's obligations on Parties to 
establish domestic law enforcement frameworks and create a 
regime of international cooperation would enhance the United 
States' ability to receive, as well as render, international 
cooperation in preventing, investigating and prosecuting 
computer-related crime.
    The Convention would not require implementing legislation 
for the United States. As discussed below, existing U.S. 
federal law, coupled with six reservations and four 
declarations, would be adequate to satisfy the Convention's 
requirements for legislation. All of these reservations and 
declarations are envisaged by the Convention itself. Since 
other provisions contained in the Convention are self-executing 
(e.g., articles relating to extradition and mutual assistance), 
they would not require implementing legislation either.
    The Cybercrime Convention consists of 48 articles divided 
among four chapters: (1) ``Use of terms''; (2) ``Measures to be 
taken at the national level''; (3) ``International co-
operation''; and (4) ``Final provisions.'' A detailed, article-
by-article analysis is contained in the accompanying 
Explanatory Report. In addition, the following is an overview 
of the major Convention obligations and a description of the 
proposed reservations, declarations, and understanding.

                  CHAPTER I--USE OF TERMS (ARTICLE 1)

    Chapter I, Article 1, contains definitions of four key 
terms that are used throughout the Convention: ``computer 
system,'' ``computer data,'' ``service provider,'' and 
``traffic data.'' ``[C]omputer system'' is defined to mean any 
device or group of inter-connected or related devices, where 
one or more of them performs automatic processing of data 
pursuant to a program. As elaborated upon in the Explanatory 
Report (paragraph 23), the Convention's definition of 
``computer system'' may include input, output and storage 
facilities and can be either a ``stand alone'' system or one 
that is networked with similar devices. The term ``service 
provider'' includes public and private entities that provide 
users with the ability to communicate by means of a computer 
system, as well as other entities that process or store 
computer data for such entities or users. The definition of 
``computer data'' encompasses data in electronic or another 
form suitable for processing by a computer system. As defined 
in Article 1, ``traffic data'' does not relate to the content 
of a communication but instead is data generated by computers 
in a communication chain that relates to the communication's 
origin, destination, route, time, date, size, duration, or type 
of underlying service. As such, traffic data can provide 
information about the source of a computer-related crime as 
well as other evidence of the crime. The Explanatory Report 
(paragraph 22) explains that it is not necessary for Parties to 
copy verbatim these definitions into their laws provided the 
concepts are covered, as they are under existing U.S. domestic 
law.

 CHAPTER II--MEASURES TO BE TAKEN AT THE NATIONAL LEVEL (ARTICLES 2-22)

    Chapter II consists of three parts, covering substantive 
criminal offenses that Parties are to establish; procedural 
mechanisms that Parties must have under their respective laws; 
and provisions requiring Parties to establish jurisdiction over 
the offences to be established. As discussed further in 
connection with Article 41 (``Federal clause''), a federal 
state may reserve the right to assume obligations under Chapter 
II ``consistent with its fundamental principles governing the 
relationship between its central government and constituent 
States or other similar territorial entities.'' In explaining 
this provision, the Explanatory Report (paragraph 317) makes 
clear that the United States could therefore implement its 
obligations under Chapter II through its federal criminal law, 
which ``generally regulates conduct based on its effects on 
interstate or foreign commerce, while matters of minimal or 
purely local concern are traditionally regulated by constituent 
States.'' Thus, provided it invokes the Federal clause 
reservation provided for in Article 41, the United States would 
be able to rely on its existing federal laws, which, because of 
the architecture of the Internet and computer networks, provide 
for broad coverage of the obligations contained in Chapter II. 
The United States would not be obligated to criminalize 
activity that otherwise would not merit an exercise of federal 
jurisdiction. Similarly, whether or not constituent State laws 
conform to the Convention would not be an issue since the 
United States, having invoked the federal clause reservation, 
would not be required to implement the Convention's obligations 
at that level.

Substantive criminal law (Articles 2-13):

    Articles 2-10 of the Convention require Parties to 
criminalize domestically, if they have not already done so, 
certain conduct that is committed through, against or related 
to computer systems. Included in these substantive crimes are 
the following offenses against the ``confidentiality, integrity 
and availability'' of computer data and systems: ``Illegal 
access'' (Article 2), ``Illegal interception'' (Article 3), 
``Data interference'' (Article 4), ``System interference'' 
(Article 5), and ``Misuse of devices'' (Article 6). Also 
included are offenses involving the use of computer systems to 
engage in conduct that is presently criminalized outside the 
cyber-realm, i.e., ``Computerrelated forgery'' (Article 7), 
``Computer-related fraud'' (Article 8), ``Offences related to 
child pornography'' (Article 9), and ``Offences related to 
infringements of copyright and related rights'' (Article 10).
    For criminal liability to attach under the offenses to be 
established pursuant to Articles 2-10, the conduct in question 
must be committed intentionally. As the Explanatory Report 
(paragraph 113) notes, ``wilfully'' was used in lieu of 
``intentionally'' in the context of Article 10 infringements so 
as to conform with Article 61 of the Agreement on Trade-Related 
Aspects of Intellectual Property Rights (``TRIPS''), which 
employs the term ``wilful.'' In addition, the Report (paragraph 
39) explains that determinations of what constitutes the 
necessary criminal intent are left to each Party's 
interpretation under its laws.
    The obligation to establish offenses under the Convention 
extends only to acts committed ``without right.'' This concept 
recognizes that in certain instances conduct may be legal or 
justified by established legal defenses, such as consent, or by 
other principles or interests that preclude criminal liability. 
Thus, as explained in the Explanatory Report (paragraph 38), 
the Convention does not require the criminalization of actions 
undertaken pursuant to lawful government authority (e.g., steps 
taken by a Party's government to investigate criminal offenses 
or to protect national security). Additional guidance regarding 
the contours of ``without right'' is provided in the 
Explanatory Report (e.g., paragraphs 43, 47, 48, 58, 62, 68, 
76, 77, 89, 103) in the context of the various offenses to be 
established. Such guidance makes it clear that authorized 
transmissions, legitimate and common activities inherent in the 
design of computer networks, and legitimate and common 
operating or commercial practices should not be criminalized. 
The condition that conduct be committed ``without right'' is 
explicitly stated in all but one of the enumerated offenses. 
The one exception is Article 10 (``Offences related to 
infringement of copyright and related rights''), where it was 
determined that the term ``infringement'' already captured the 
concept of ``without right'' (Explanatory Report, paragraph 
115).
    The requisite elements for the various offenses are set 
forth in Articles 2-10. Except for Article 5 (``System 
interference'') and Article 8 (``Computer-related fraud''), 
these articles also provide that a Party may require certain 
additional criminalization elements or may otherwise limit 
application of a criminalization obligation, provided a 
permitted declaration or reservation is made in accordance with 
Articles 40 and 42. This approach seeks to promote uniform 
application of the Convention while recognizing that permitting 
Parties to maintain established concepts in their domestic law 
will broaden acceptance of the Convention. As discussed below, 
in order to implement the Convention's substantive criminal law 
obligations under existing federal criminal law, the United 
States would avail itself of declarations and reservations 
provided for in Articles 2, 4, 6, 7, 9, 10, and 41.
    In terms of the specific offenses against the 
confidentiality, integrity and availability of computer data 
and systems, Article 2 (``Illegal access'') requires a Party to 
criminalize unauthorized intrusions into computer systems 
(often referred to as ``hacking,'' ``cracking'' or ``computer 
trespass''). Such intrusions can result in damage to computer 
systems and data, and compromise the confidentiality of data. 
Under Article 2, a Party may require certain additional 
elements for there to be criminal liability, including that the 
offense must be committed with an intent to obtain computer 
data. In order to correspond with the requirement contained in 
existing U.S. computer crime law, 18 U.S.C. Sec. 1030(a)(2) & 
(b), I recommend that the following declaration be included in 
the U.S. instrument of ratification:
          The Government of the United States of America 
        declares, pursuant to Articles 2 and 40, that under 
        United States law, the offense set forth in Article 2 
        (``Illegal access'') includes an additional requirement 
        of intent to obtain computer data.
    Article 3 (``Illegal interception'') seeks to protect the 
privacy of non-public computer data transmissions from 
activities such as monitoring and recording through technical 
means (Explanatory Report, paragraph 54).
    Article 4 (``Data interference'') requires a Party to 
criminalize ``the damaging, deletion, deterioration, alteration 
or suppression of computer data,'' which the Explanatory Report 
(paragraphs 60 and 61) makes clear would include the inputting 
of malicious codes, such as viruses, that can threaten the 
integrity, functioning or use of computer data and programs. 
Under Article 4(2), a Party may reserve the right to require 
that such conduct result in serious harm. In order to maintain 
federal jurisdictional damage thresholds, e.g., 18 U.S.C. 
Sec. 1030(a)(5)(B), I recommend that the following reservation 
be included in the U.S. instrument of ratification:
          The Government of the United States of America, 
        pursuant to Articles 4 and 42, reserves the right to 
        require that the conduct result in serious harm, which 
        shall be determined in accordance with applicable 
        United States federal law.
    Article 5 (``System interference'') requires a Party to 
criminalize acts with respect to data which seriously hinder 
the functioning of a computer system. Examples of such acts are 
provided by the Explanatory Report (paragraph 67) and include 
using programs to generate denial of service attacks and 
transmitting malicious code, such as viruses, to stop or slow 
the functioning of a computer system.
    The offenses to be established under Articles 2-5 are 
frequently committed using computer programs or access tools, 
such as stolen passwords or access codes. To deter their use 
for the purpose of committing Article 2-5 offenses, Article 6 
(``Misuse of devices'') requires a Party to criminalize the 
possession, production, sale, procurement for use, import, 
distribution, or making available of such items. As recognized 
in the Explanatory Report (paragraph 73), however, devices such 
as computer programs can be used for either criminal or non-
criminal purposes (so-called ``dual use'' devices). To avoid 
criminalizing activities related to devices intended for 
legitimate purposes, the Article provides that devices must be 
``designed or adapted primarily for the purpose of committing'' 
an Article 2-5 offense. Moreover, Article 6 provides that 
activities in relation to devices, passwords or access codes, 
including their production and distribution, must be done with 
the intent that such devices, passwords or access codes be used 
for the purpose of committing an Article 2-5 offense. The 
Article also makes clear that it ``shall not be interpreted'' 
to impose criminal liability on the authorized testing or 
protection of a computer system.
    With respect to the possession offense, Article 6(1)(b) 
provides that a Party may require that a number of items be 
possessed before criminal liability attaches. United States 
law, 18 U.S.C. Sec. 1029(a)(3), requires that a person possess 
fifteen or more access devices in order for there to be federal 
jurisdiction. I therefore recommend that the following 
declaration be included in the U.S. instrument of ratification:
          The Government of the United States of America 
        declares, pursuant to Articles 6 and 40, that under 
        United States law, the offense set forth in paragraph 
        (1)(b) of Article 6 (``Misuse of devices'') includes a 
        requirement that a minimum number of items be 
        possessed. The minimum number shall be the same as that 
        provided for by applicable United States federal law.
    Article 6(3) provides that a Party may reserve the right 
not to apply the criminalization requirement for the misuse of 
items, so long as the reservation does not concern the sale, 
distribution or making available of passwords, access codes or 
similar data with the intent that they be used for committing 
an Article 2-5 offense. United States law does not directly 
criminalize the possession or distribution of data interference 
and system interference devices. Therefore, I recommend that 
the United States limit its obligations accordingly by 
including the following reservation in its instrument of 
ratification:
          The Government of the United States of America, 
        pursuant to Articles 6 and 42, reserves the right not 
        to apply paragraph (1)(a)(i) and (1)(b) of Article 6 
        (``Misuse of devices'') with respect to devices 
        designed or adapted primarily for the purpose of 
        committing the offenses established in Article 4 
        (``Data interference'') and Article 5 (``System 
        interference'').
    With respect to the substantive crimes to be established 
which involve the use of computer systems to commit acts that 
would normally be considered criminal if committed outside the 
cyber-realm, Article 7 (``Computer-related forgery'') seeks to 
protect the security and reliability of data by creating an 
offense akin to the forgery of tangible documents. The Article 
requires a Party to criminalize the input, alteration, 
deletion, or suppression of computer data, resulting in 
inauthentic data with the intent that it be considered or acted 
upon for legal purposes as if it were authentic, regardless of 
whether the data is directly readable and intelligible. It also 
allows a Party to require intent to defraud, or similar 
dishonest intent, before criminal liability attaches. In order 
to enable the offense to be covered under applicable U.S. fraud 
statutes, I recommend that the following declaration be 
included in the U.S. instrument of ratification:
          The Government of the United States of America 
        declares, pursuant to Articles 7 and 40, that under 
        United States law, the offense set forth in Article 7 
        (``Computer-related forgery'') includes a requirement 
        of intent to defraud.
    Article 8 (``Computer-related fraud'') requires a Party to 
criminalize manipulations of data that are done with fraudulent 
intent and to procure an unlawful economic benefit. As 
indicated in the Explanatory Report (paragraph 86), an example 
of an activity that would be encompassed by the Article 8 
offense is the serious problem of on-line credit card fraud.
    Articles 9 and 10 deal with content-related offenses. 
Article 9. (``Offences related to child pornography'') requires 
a Party to criminalize various aspects of the production, 
possession, procurement, and distribution of child pornography 
through computer systems. The Explanatory Report (paragraph 93) 
notes that it was believed important to include Article 9 
because of the increasing use of the Internet to distribute 
materials created through sexual exploitation of children. In 
addition to covering visual depictions of an actual minor 
engaged in sexually explicit conduct, the Article covers images 
of a person appearing to be a minor engaged in such conduct as 
well as realistic images representing a minor engaged in such 
conduct (so-called ``virtual'' child pornography). Article 
9(4), however, provides that a Party may reserve the right not 
to criminalize cases of a person appearing to be a minor or 
realistic images representing a minor engaged in such conduct. 
These categories were covered under U.S. law by 18 U.S.C. 
Sec. 2256(8)(B), (C) & (D), and to the extent that such images 
are obscene, certain conduct relating to such obscene images is 
also covered by federal obscenity law. In light of the U.S. 
Supreme Court's decision in Ashcroft v. Free Speech Coalition, 
535 U.S. 234 (2002), ruling Sec. 2256(8)(B) & (D) 
unconstitutional, I recommend that the following reservation be 
included in the U.S. instrument of ratification:
          The Government of the United States of America, 
        pursuant to Articles 9 and 42, reserves the right to 
        apply paragraphs (2)(b) and (c) of Article 9 only to 
        the extent consistent with the Constitution of the 
        United States as interpreted by the United States andas 
provided for under its federal law, which includes, for example, crimes 
of distribution of material considered to be obscene under applicable 
United States standards.
    Article 10 (``Offences related to infringement of copyright 
and related rights'') is directed at infringements of 
intellectual property rights, i.e., copyright and related 
rights, by means of a computer system and on a commercial 
scale. Its approach differs from the other articles requiring 
the establishment of offenses in that it defines the offenses 
by reference to other international agreements, which are set 
forth in the Article. Specifically, a Party is required under 
Article 10 to establish as criminal offenses acts that are 
committed ``wilfully, on a commercial scale and by means of a 
computer system'' and that are defined as infringements of 
copyright or related rights, under its domestic law, pursuant 
to obligations it has undertaken in the referenced agreements. 
As indicated in the Explanatory Report (paragraphs 110 and 
111), a Party's obligations under this Article are framed only 
by those agreements that have entered into force and to which 
it is party. Moreover, a Party's obligations under Article 10 
may be limited by reservations or declarations it has made with 
respect to the referenced agreements. For the purpose of 
determining the United States' obligations under Article 10, 
the relevant referenced agreements are the four to which the 
United States is party, i.e., the Paris Act of 24 July 1971 of 
the Bern Convention for the Protection of Literary and Artistic 
Works, the Agreement on the Trade-Related Aspects of 
Intellectual Property Rights, the WIPO Copyright Treaty, and 
the WIPO Performances and Phonograms Treaty. Of these, the 
latter two entered into force after the Cybercrime Convention 
was opened for signature.
    Because, among the referenced agreements, only TRIPS 
requires criminal sanctions, Article 10 permits a Party to 
reserve the right not to impose criminal liability in limited 
circumstances provided other ``effective remedies'' are 
available and the reservation does not derogate from its 
minimum obligations under applicable international instruments, 
which the Explanatory Report (paragraph 116) makes clear refers 
to TRIPS. Because U.S. law provides for other effective 
remedies but not criminal liability for infringements of 
certain rental rights, I recommend that the following 
reservation be included in the U.S. instrument of ratification:
          The Government of the United States of America, 
        pursuant to Articles 10 and 42, reserves the right to 
        impose other effective remedies in lieu of criminal 
        liability under paragraphs 1 and 2 of Article 10 
        (``Offenses related to infringement of copyright and 
        related rights'') with respect to infringements of 
        certain rental rights to the extent the criminalization 
        of such infringements is not required pursuant to the 
        obligations the United States has undertaken under the 
        agreements referenced in paragraphs 1 and 2.
    Article 11 (``Attempt and aiding or abetting'') provides 
that aiding or abetting the commission of any of the offenses 
set forth in Articles 2-10 shall also be made criminal. 
Similarly, a Party is required to criminalize an attempt to 
commit certain of these offenses, to the extent specified in 
paragraph 2 of the Article. As with the Article 2-10 offenses, 
aiding or abetting or an attempt must be committed 
intentionally. Thus, as indicated in the Explanatory Report 
(paragraph 119), the fact that an ISP is a mere conduit for 
criminal activity, such as the transmission of child 
pornography or a computer virus, does not give rise to criminal 
liability for the ISP, because it would not share the criminal 
intent required for aiding and abetting liability. Further, the 
Explanatory Report (paragraph 119) makes clear the Parties' 
understanding that ``there is no duty on a service provider to 
actively monitor content to avoid criminal liability under this 
provision.''
    Article 12 (``Corporate liability'') requires the adoption 
of criminal, civil or administrative measures to ensure that a 
corporation or similar legal person can be held liable for the 
offenses to be established in accordance with the Convention, 
where such offenses are committed for its benefit by a natural 
person who has a leading position in the corporation or legal 
person. The Article also provides for liability where a lack of 
supervision or control by a leading person makes possible the 
commission of one of the criminal offenses for the benefit of 
the legal person by a natural person acting under its 
authority. Per the Explanatory Report (paragraph 125), a 
``natural person acting under its authority'' is understood to 
be an employee or agent acting within the scope of their 
authority. Further, the Explanatory Report (paragraph 125) 
notes that a ``failure to supervise should be interpreted to 
include the failure to take appropriate and reasonable measures 
to prevent employees or agents from committing criminal 
activities on behalf of the legal person.'' The Explanatory 
Report (paragraph 125) also makes clear, however, that such 
appropriate and reasonable measures ``should not be interpreted 
as requiring a general surveillance regime over employee 
communications.'' The concepts set forth in Article 12 are 
already reflected in U.S. law.
    Under Article 13 (``Sanctions and measures''), each Party 
is to ensure that Articles 2-11 offenses committed by natural 
persons are subject to ``effective, proportionate and 
dissuasive sanctions, which include deprivation of liberty.'' 
As elucidated in the Explanatory Report (paragraph 130), the 
Article leaves open the possibility of other sanctions or 
measures, such as forfeiture, for these offenses. Consistent 
with the approach set forth in Article 12 (``Corporate 
liability''), sanctions to be imposed against legal persons may 
be criminal, civil or administrative in nature.

Procedural law (Articles 14-21):

    As recognized by the Explanatory Report (paragraph 133), 
evidence in electronic form can be difficult to secure, as it 
may be flowing swiftly in the process of communication and can 
be quickly altered, moved or deleted. In an effort to ensure 
that Parties are able to investigate effectively the offenses 
established under the Convention and other criminal offenses 
committed by means of a computer system, as well as to collect 
evidence in electronic form of a criminal offense, the 
Convention requires each Party to ensure that its competent 
authorities have certain powers and procedures for use in 
specific criminal investigations or proceedings. These powers 
and procedures are set forth in articles on: ``Expedited 
preservation of stored computer data'' (Article 16), 
``Expedited preservation and partial disclosure of traffic 
data'' (Article 17), ``Production order'' (Article 18), 
``Search and seizure of stored computer data'' (Article 19), 
``Real-time collection of traffic data'' (Article 20), and 
``Interception of content data'' (Article 21). All of these 
powers and procedures are already provided for under U.S. law.
    A number of important limitations on the powers and 
procedures to be established pursuant to Articles 16-21 are set 
forth throughout the procedural law articles. Under Article 14 
(``Scope of procedural provisions''), for example, the powers 
and procedures are to be invoked to obtain or collect data in 
connection with ``specific'' criminal investigations or 
proceedings. Thus, as the Explanatory Report explains 
(paragraphs 151 and 152), the Convention does not impose a 
general obligation on service providers to collect and retain 
data on a routine basis simply because such data might one day 
be useful to some yet-to-be determined criminal investigation 
or proceeding. The preservation measures apply to data already 
stored by means of a computer system, thus presupposing that 
the data already exists, has been collected and is being 
stored. Further, Article 15 (``Conditions and safeguards'') 
provides that the establishment, implementation and application 
of the powers and procedures called for by the Convention are 
to be subject to conditions and safeguards provided for under a 
Party's domestic law, which law shall provide for the adequate 
protection of human rights and liberties, including rights 
arising in accordance with obligations a Party has undertaken 
under applicable human rights instruments. This Article depends 
on implementation through a Party's domestic law. For the 
United States, no implementing legislation would be required as 
the U.S. Constitution and U.S. law already provide for adequate 
conditions and safeguards.
    Article 15 and its accompanying text in the Explanatory 
Report (paragraph 147) recognize that, depending on the power 
or procedure, different conditions and safeguards under 
domestic law may be appropriate. For example, the Explanatory 
Report (paragraph 215) notes that, due to its high degree of 
intrusiveness, interception of content data pursuant to Article 
21 merits more stringent safeguards, such as judicial or other 
independent supervision, as well as limitations on its 
duration. Article 15 also requires a Party, to the extent 
consistent with the public interest, to consider the impact of 
the powers and procedures upon the rights, responsibilities and 
legitimate interests of third parties. In this regard, the 
Explanatory Report (paragraph 148) indicates that a Party 
should consider mitigating the impact of such powers and 
procedures through such steps as minimizing disruption of 
consumer services, protecting service providers from liability 
for disclosing or facilitating the disclosure of data, or 
protecting proprietary interests.
    The preservation regime to be established pursuant to 
Article 16 (``Expedited preservation of stored computer data'') 
and Article 17 (``Expedited preservation and partial disclosure 
of traffic data'') requires a Party to enable its competent 
authorities to order or similarly obtain the expedited 
preservation of specified computer data, including traffic 
data, for use in a specific investigation or proceeding. This 
power, which already exists in U.S. law, is important to 
ensuring that evidence is not moved, altered or deleted while 
further processes for obtaining a search warrant or subpoena 
for its disclosure are pursued.
    As indicated in the Explanatory Report (paragraph 160), 
preservation under Article 16 may be accomplished by different 
legal means, including by ordering a person, including a 
service provider, not to destroy or delete computer data within 
that person's possession or control. The person may be required 
to preserve that data for a period of up to 90 days to allow 
the competent authorities to seek its disclosure. (A Party may 
provide for renewal of the preservation order.) The person who 
is to preserve the data may also be required to keep 
confidential for a period of time the undertaking of the 
preservation. With respect to traffic data, Article 17 provides 
that a sufficient amount of data must be able to be disclosed 
expeditiously in order to enable a Party to identify other 
service providers and the path through which a communication 
was transmitted. Such expedited disclosure is intended to 
enable authorities to take steps to preserve additional 
computer data that otherwise might be lost, which can be 
critical to tracing a communication back to the source of a 
computer-related crime (Explanatory Report, paragraphs 166-
168). The U.S. Government would comply with this requirement by 
moving expeditiously, using existing preservation and 
disclosure procedures provided for under U.S. law.
    As stated in the Explanatory Report (paragraphs 151 and 
152), the data preservation measures contained in Articles 16 
and 17 are distinguishable from so-called ``data retention'' 
measures in that they ``do not mandate the collection of all, 
or even some, data collected by a service provider or other 
entity in the course of its activities.'' Instead, as indicated 
above, data preservation measures apply only to data that 
already exists, is being stored, and is specified by competent 
authorities as being sought in connection with a specific 
criminal investigation or proceeding.
    Article 18 (``Production order'') and Article 19 (``Search 
and seizure of stored computer data'') require Parties to 
establish additional measures by which their competent 
authorities can obtain stored computer data. Under Article 18, 
authorities must be able to order a person, including third 
party custodian of data, such as an ISP, to produce data, 
including subscriber information, that is in that person's 
possession or control. The Explanatory Report (paragraph 177) 
makes clear that such subscriber information, which includes 
various types of information about the use and user of a 
service, may be in computer data form as well as in other forms 
(e.g., paper records). The Article, however, does not impose an 
obligation on service providers to compile and maintain such 
subscriber information in the normal course of their business. 
Instead, as the Explanatory Report (paragraph 181) describes, 
it requires a Party to be able to order a service provider to 
produce subscriber information that it does in fact keep. For 
its part, Article 19 is intended to enable authorities 
themselves to search and seize a computer system, data stored 
in a computer system and data contained in storage mediums, 
such as diskettes (Explanatory Report, paragraphs 187-189).
    Article 20 (``Real time collection of traffic data'') and 
Article 21 (``Interception of content data'') require Parties 
to establish measures to enable their competent authorities to 
collect data associated with specified communications in their 
territory at the time of the data's communication (i.e., in 
``real time''). ``Traffic data'' is defined in Article 1, while 
guidance in the Explanatory Report (paragraph 209) indicates 
that ``content data'' refers to ``the meaning or purport of the 
communication, or the message or information being conveyed by 
the communication (other than traffic data).'' Under Article 
20, a Party is required to enable its authorities to collect 
traffic data with respect to any offense, although under 
Article 14(3)(a), a Party may take a reservation limiting the 
types of crimes to which Article 20 must be applied. This 
reservation would not be needed by the United States as federal 
law already makes this mechanism generally available for 
criminal investigations and prosecutions. With regard to 
Article 21, the Explanatory Report (paragraphs 210 and 212) 
recognizes that interception of content data is considered an 
intrusive measure and, therefore, that Article only requires a 
Party to provide for such measures in relation to a range of 
serious offenses to be determined by its domestic law, which is 
the approach taken by U.S. federal law.
    Under both Articles 20 and 21, a Party is generally 
required to adopt measures enabling its competent authorities: 
(a) to collect or record data themselves through application of 
technical means on the territory of that Party, and (b) to 
compel a service provider, within its existing technical 
capability, either to collect or record data through the 
application of technical means or to cooperate and assist 
competent authorities in the collection or recording of such 
data. The Explanatory Report (paragraph 224) explains that in 
certain states, such as Germany, due to ``established legal 
principles'', law enforcement is not able to intercept 
communications directly and must rely on service providers to 
have the capability to collect content or traffic data in real 
time on its behalf. Accordingly, pursuant to Article 20(2), 
Parties may therefore adopt other measures to ensure the 
collection or recording of data, including by requiring service 
providers to provide technical facilities. This exception does 
not apply to the United States as its authorities are empowered 
to collect and record data directly through technical means. In 
states, such as the United States, in which this exception 
would not be invoked, the obligation on a service provider to 
assist law enforcement under Articles 20 and 21 is subject to 
``its existing technical capability.'' As more fully described 
in the Explanatory Report (paragraph 221), this means there is 
no obligation to impose a duty on service providers to obtain 
or deploy new equipment or engage in costly reconfiguration of 
their systems in order to assist law enforcement.

Jurisdiction (Article 22):

    Article 22 requires a Party to establish jurisdiction over 
the offenses specified in the Convention where committed in the 
Party's territory, on board a ship flying its flag, on board an 
aircraft registered under its laws, or, in certain 
circumstances, by one of its nationals. Except with respect to 
offenses committed in its territory, Article 22(2) permits a 
Party to enter a reservation as to these jurisdictional bases. 
Because U.S. criminal law does not provide for plenary criminal 
jurisdiction over offenses involving its nationals and 
selectively provides for maritime or aircraft jurisdiction, I 
recommend that the following reservation be included in the 
U.S. instrument of ratification:
          The Government of the United States of America, 
        pursuant to Articles 22 and 42, reserves the right not 
        to apply in part paragraphs (1)(b), (c) and (d) of 
        Article 22 (``Jurisdiction''). The United States does 
        not provide for plenary jurisdiction over offenses that 
        are committed outside its territory by its citizens or 
        on board ships flying its flag or aircraft registered 
        under its laws. However, United States law does provide 
        for jurisdiction over a number of offenses to be 
        established under the Convention that are committed 
        abroad by United States nationals in circumstances 
        implicating particular federal interests, as well as 
        over a number of such offenses committed on board 
        United States-flagged ships or aircraft registered 
        under United States law. Accordingly, the United States 
        shall implement paragraphs 1(b), (c) and (d) to the 
        extent provided for under its federal law.
    Under Article 22(3), a Party is also required to establish 
jurisdiction over the criminal offenses established in 
accordance with Articles 2-11 of the Convention in the event it 
does not extradite an alleged offender solely on the basis of 
nationality. As explained in the Explanatory Report (paragraph 
237), establishing such jurisdiction is necessary to ensure 
that such a Party has the ability to undertake investigations 
and proceedings against the alleged offender domestically. 
United States law permits extradition of nationals; 
accordingly, this paragraph does not give rise to a need for 
implementing legislation.
    As indicated in the Explanatory Report (paragraph 239), 
offenses committed through the use of the Internet may target 
victims in many states, giving rise to instances in which more 
than one Party has jurisdiction. Accordingly, Article 22(5) 
provides that when more than one Party claims jurisdiction over 
an alleged offense established in accordance with the 
Convention, they shall, where appropriate, consult with a view 
to determining the most appropriate jurisdiction for 
prosecution.

        CHAPTER III--INTERNATIONAL CO-OPERATION (ARTICLES 23-35)

    Chapter III, Article 23 (``General principles relating to 
international co-operation'') provides that Parties are to 
provide international cooperation to one another to the 
``widest extent possible'' for investigations and proceedings 
concerning criminal offenses related to computer systems and 
data, or for the collection of evidence in electronic form of a 
criminal offense. The Chapter contains extradition and mutual 
legal assistance provisions typical of many multilateral law 
enforcement conventions to which the United States is already a 
party, and, as such, is compatible with existing U.S. law. As 
provided in the Chapter and as recognized in the Explanatory 
Report (paragraph 244), the general approach is to supplement 
existing international cooperation agreements and provide a 
basis for such cooperation where no such framework exists.
    Extradition is covered in Article 24 (``Extradition''), 
which provides that the offenses established in accordance with 
Articles 2-11 of the Convention shall be deemed to be included 
as extraditable offenses in extradition treaties between or 
among the Parties provided the offenses are subject to minimum 
penalties as described in the Article. The Article provides 
that extradition is subject to the conditions provided by the 
law or applicable treaties of the requested Party, including 
the grounds on which it may refuse extradition. Any Party that 
refuses an extradition request solely because the person sought 
is one of its nationals is obliged at the request of the 
requesting Party to submit the case to its competent 
authorities for the purpose of prosecution.
    Article 24 also provides that a Party that conditions 
extradition on the existence of a treaty may use the Convention 
itself as a treaty basis, although it is not obligated to do 
so. For situations in which there is no separate extradition 
treaty in existence, Article 24(7) provides that a Party is to 
notify the COE of the name and address of its authority for 
receiving requests for extradition or provisional arrest under 
the Convention. The United States would not invoke Article 24 
as a separate basis for extradition, but, instead, would 
continue to conduct extradition pursuant to applicable 
bilateral treaties, supplemented where appropriate by relevant 
international law enforcement conventions. Thus, the principal 
legal effect of Article 24 for the United States would be to 
incorporate by reference the offenses provided for in the 
Convention as extraditable offenses under U.S. bilateral 
extradition treaties. Further, because the United States would 
continue to rely on bilateral extradition treaties, it would 
notify the COE that it is not designating an authority under 
Article 24(7) and that the authority responsible for making or 
receiving extradition requests on behalf of the United States 
is set forth in the applicable bilateral extradition treaties.
    The provisions relating to mutual legal assistance are set 
forth in Articles 25-35. Article 25 sets forth ``General 
principles relating to mutual assistance,'' where the duty to 
provide cooperation is not limited to the offenses to be 
established pursuant to Articles 2-11 of the Convention. As the 
Explanatory Report (paragraph 253) notes, the need for 
``streamlined mechanisms of international co-operation'' 
extends beyond such offenses and, thus, Article 25 obliges the 
Parties to afford mutual assistance ``to the widest extent 
possible for the purposes of investigations or proceedings 
concerning criminal offences related to computer systems and 
data, or for the collection of evidence in electronic form of a 
criminal offence.'' Article 25 provides that in urgent 
circumstances a Party may make a request for assistance by 
expedited means of communication (e.g., fax or e-mail) and that 
the requested Party shall be obliged to respond to the request 
by expedited means of communication as well. Article 25(4) sets 
forth the general rule that, except as otherwise specifically 
provided for in Chapter III, mutual assistance shall be subject 
to conditions provided for by applicable mutual legal 
assistance treaties or by the law of the requested Party. 
Article 25(4) itself provides for an exception to this general 
rule in that it precludes a Party from denying assistance with 
respect to the offenses set forth in Articles 2-11 on the 
ground that the request concerns a fiscal (i.e., tax) offense.
    Article 26 (``Spontaneous information'') provides that, 
without receiving an assistance request, a Party may forward to 
another Party information it obtains in one of its own 
investigations where it believes such information might assist 
the other Party in initiating or carrying out an investigation 
or proceeding. Per the Explanatory Report (paragraph 260), such 
a provision was thought useful because some states require a 
positive grant of legal authority to provide such assistance, 
which would be satisfied by inclusion of this provision in the 
Convention. Before providing such information, a Party may 
require that it be used subject to conditions, such as that it 
be kept confidential.
    Article 27 (``Procedures pertaining to mutual assistance 
requests in the absence of applicable international 
agreements'') and Article 28 (``Confidentiality and limitations 
on use'') provide a framework for assistance where there is no 
mutual legal assistance treaty or arrangement on the basis of 
uniform or reciprocal legislation in force between the 
requesting Party and the requested Party. Article 27 provides 
procedures for handling assistance requests as well as grounds 
for refusal, which include where the request concerns a 
political offence or is ``likely to prejudice [a requested 
Party's] sovereignty, security, ordre public or other essential 
interests.'' The Article also provides for the designation by 
each Party of a central authority or authorities, which is to 
be responsible for handling requests for mutual assistance. In 
the event of urgency, Article 27(9) allows for requests to be 
sent directly to judicial authorities. A Party may declare, 
however, that for reasons of efficiency, such requests are to 
be addressed to its designated central authority. In this 
regard, I recommend that the following declaration be included 
in the U.S. instrument of ratification:
          The Government of the United States of America 
        declares, pursuant to Articles 27 and 40, that requests 
        made to the United States of America under paragraph 
        9(e) of Article 27 (``Procedures pertaining to mutual 
        assistance requests in the absence of applicable 
        international agreements'') are to be addressed to its 
        central authority for mutual assistance.
    Article 28 provides that the requested Party may condition 
the provision of information on confidentiality and certain use 
limitations. The Article only applies, however, where there is 
no mutual assistance treaty or arrangement on the basis of 
uniform or reciprocal legislation in force as between the 
requested and requesting Parties, unless the Parties concerned 
agree to its application in whole or in part.
    Articles 29-35 contain specific provisions on mutual 
assistance that apply regardless of whether assistance is being 
requested or provided pursuant to an existing mutual legal 
assistance treaty or arrangement.
    Article 29 (``Expedited preservation of stored computer 
data'') and Article 30 (``Expedited disclosure of preserved 
traffic data'') address the preservation and disclosure of 
data. As indicated in the Explanatory Report (paragraphs 282 
and 290), these articles make available for the purposes of 
international cooperation the mechanisms provided for use at 
the domestic level in Articles 16 and 17. Under Article 29, a 
requesting Party may obtain advance, expedited preservation of 
stored data that is located in the territory of the requested 
Party provided it intends to submit a subsequent, formal mutual 
assistance request for disclosure of the data. Upon 
preservation, the requesting Party shall then have at least 
sixty days to submit its mutual assistance request. A requested 
Party may refuse preservation on the ground that the request 
concerns a political offense or that its execution would be 
``likely to prejudice its sovereignty, security, ordre public, 
or other essential interests.'' For the purposes of obtaining 
the initial preservation, Article 29 does not as a rule require 
dual criminality. As explained in the Explanatory Report 
(paragraph 285), once preserved, the data is generally not 
subject to disclosure to government officials until the formal 
mutual assistance request is executed. A determination with 
respect to any dual criminality requirement can be made in the 
context of that request. However, a requested Party that 
requires dual criminality as a condition under its applicable 
mutual legal assistance framework may enter a reservation that 
would enable it to refuse a preservation request if it has 
reason to believe that at the time of the disclosure dual 
criminality would not be met. Because the United States 
generally seeks, as a policy matter, to minimize the 
application of dual criminality as a ground for refusing 
international mutual assistance, and, especially since 
preservation in and of itself does not result in disclosure of 
data to government officials, the United States would not 
exercise this reservation. Under Article 30, if the requested 
Party determines in executing an Article 29 request for 
expedited preservation concerning a specific communication that 
a service provider in another state was involved in that 
communication, then it is under an obligation to disclose to 
the requesting Party such traffic data as necessary to identify 
the foreign service provider and the communication path. As in 
Article 29, such disclosure may only be withheld by the 
requested Party on political offense grounds or on the grounds 
that it ``is likely to prejudice its sovereignty, security, 
ordre public or other essential interests.''
    Article 31 (``Mutual assistance regarding accessing of 
stored computer data'') is the international cooperation 
counterpart to Article 19 (``Search and seizure of stored 
computer data'') in the procedural law chapter. It requires a 
requested Party to be able to ``search or similarly access, 
seize or similarly secure, and disclose'' stored data in 
response to a request for mutual assistance. Where the data is 
``particularly vulnerable to loss or modification,'' the 
requested Party is required to expedite its response.
    Article 32 (``Trans-border access to stored computer data 
with consent or where publicly available'') is not a mutual 
assistance provision per se. Rather, as discussed in the 
Explanatory Report (paragraphs 293 and 294), it reflects the 
general agreement that an accessing Party need not seek the 
prior authorization of another Party to access data stored in 
that other Party's territory where the data is publicly 
available or obtained through a computer system located in the 
accessing Party's territory with the lawful and voluntary 
consent of a person who has lawful authority to disclose that 
data through that system.
    Article 33 (``Mutual assistance in the real-time collection 
of traffic data'') and Article 34 (``Mutual assistance 
regarding the interception of content data'') are the 
counterparts in the international cooperation chapter to 
Articles 20 and 21. Under Article 33, a Party is required to 
provide mutual assistance in the real-time collection of 
traffic data at least with respect to offences for which such 
real-time collection would be permitted under its domestic law. 
Similarly, Article 34 obligates a Party to provide mutual 
assistance in the interception of content data, but only to the 
extent permitted under its applicable treaties and domestic 
law.
    Article 35 (``24/7 Network'') requires each Party to 
designate a point of contact that will be available 24 hours a 
day, seven days a week to ensure the provision of immediate 
assistance for the purposes of investigations or proceedings 
concerning criminal offenses related to computer systems and 
data, or for the collection of evidence in electronic form. 
This shall include an obligation to facilitate or, if permitted 
by its domestic law and practice, direct the carrying out of 
immediate assistance in the provision of technical advice, the 
expedited preservation of stored computer data, the expedited 
disclosure of preserved traffic data, the collection of 
evidence, the provision of legal information, and the locating 
of suspects. As indicated in the Explanatory Report (paragraph 
298), this channel draws its inspiration from a network created 
by the G8 countries in 1998. The 24/7 point of contact for the 
United States would be the same point of contact used for the 
G8 network: the Department of Justice, Criminal Division, 
Computer Crime and Intellectual Property Section.

Chapter IV--Final provisions (Articles 36-48):

    As indicated in the Explanatory Report (paragraph 303), the 
provisions contained in Chapter IV (``Final provisions'') are 
generally based on standard model clauses used by the COE. 
Article 36 (``Signature and entry into force'') provides that 
the Convention is open for signature by COE member states and 
by non-member states that have participated in its elaboration, 
i.e., the United States, Canada, Japan, and South Africa. Five 
states, including at least three COE member states, must 
express their consent to be bound by the Convention for it to 
enter into force. After entry into force, states subsequently 
expressing their consent to be bound shall become party to it 
on the first day of the month following a three month period 
from the date of that state's expression of consent. Article 37 
(``Accession to the Convention'') details a procedure for 
accession by other states after the Convention enters into 
force. Reflecting past practice in this area within the COE, 
accession by a state requires the unanimous consent of the 
Parties to the Convention. Article 38 (``Territorial 
application'') enables states to specify the extent of their 
territory to which the Convention will apply.
    Article 39 (``Effects of the Convention'') addresses the 
relationship of the Cybercrime Convention to other 
international instruments. It makes clear that the Convention 
is intended to supplement applicable treaties or arrangements 
between the Parties in the area of international cooperation. 
As set forth in the Article and as explained in the Explanatory 
Report (paragraph 312), Parties are free to enter into new 
agreements with one another regarding matters dealt with in the 
Convention provided they do not undermine its objectives and 
principles. Article 39 also contains a ``savings'' clause to 
the effect that the Convention does not affect other rights and 
obligations that are not addressed in the Convention.
    Article 40 (``Declarations''), Article 41 (``Federal 
clause'') and Article 42 (``Reservations'') permit Parties to 
modify or derogate from specified Convention obligations. Under 
Article 40, a Party may declare that it avails itself of 
various additional elements provided for in specified articles 
at the time it consents to be bound by the Convention. As set 
forth above, in order to meet its Convention obligations 
without having to seek new implementing legislation, the United 
States would make declarations under Articles 2, 6(1)(b), 7, 
and 27(9)(e).
    Article 41 (``Federal clause'') permits a federal state to 
enter a reservation allowing for minor variations in coverage 
of its Chapter II obligations (``Measures to be taken at the 
national level''). As stated in the Explanatory Report 
(paragraph 316), this reservation takes into account that 
variations in coverage may occur due to ``well-established 
domestic law and practice'' of a federal state based on the 
federal state's ``Constitution or other fundamental principles 
concerning the division of powers in criminal justice matters'' 
between its central government and its constituent entities. 
The reservation was inserted to make clear that the United 
States could meet its Convention obligations through 
application of existing federal law and would not be obligated 
to criminalize activity that does not implicate a foreign, 
interstate or other federal interest meriting the exercise of 
federal jurisdiction. In the absence of the reservation, there 
would be a narrow category of conduct regulated by U.S. State, 
but not federal, law that the United States would be obligated 
to criminalize under the Convention (e.g., an attack on a 
stand-alone personal computer that does not take place through 
the Internet). Article 41 makes clear that this reservation is 
available only where the federal state is still able to meet 
its international cooperation obligations and where application 
of the reservation would not be so broad as to exclude entirely 
or substantially diminish its obligations to criminalize 
conduct and provide for procedural measures. Such a restriction 
is not an obstacle for the United States because the 
Convention's international cooperation provisions are 
implemented at the federal level and because federal 
substantive criminal law provides for broad overall coverage of 
the illegal conduct addressed by the Convention. In invoking 
the reservation, the U.S. Government would be obliged to bring 
the Convention's provisions to the attention of its constituent 
States and entities, with a ``favourable opinion'' encouraging 
them to take appropriate action to give effect to such 
provisions, even though, as a result of the reservation, there 
would be no obligation for them to do so. This step would be 
accomplished through an outreach effort on the part of the 
federal government. Accordingly, I recommend that the following 
reservation be included in the U.S. instrument of ratification:
          The Government of the United States of America, 
        pursuant to Articles 41 and 42, reserves the right to 
        assume obligations under Chapter II of the Convention 
        in a manner consistent with its fundamental principles 
        of federalism. Furthermore, in connection with this 
        reservation, I recommend that the Senate include the 
        following understanding in its resolution of advice and 
        consent:
    The United States understands that, in view of its 
reservation pursuant to Article 41, Chapter II of the 
Convention does not warrant the enactment of any legislative or 
other measures; instead, the United States will rely on 
existing federal law to meet its obligations under Chapter II 
of the Convention.
    Article 42 (``Reservations'') enumerates those provisions 
by which a Party can exclude or modify its obligations with 
respect to specified articles at the time it consents to be 
bound by the Convention. Consistent with COE treaty practice, 
the Article provides that no other reservations may be made. 
Article 43 (``Status and withdrawal of reservations'') provides 
a mechanism for Parties to withdraw their reservations as soon 
as circumstances permit. As set forth above, to meet its 
obligations without the need for additional implementing 
legislation, the United States would make permitted 
reservations under Articles 4(2), 6(3), 9(4), 10(3), 22(2), and 
41.
    The procedure for amending the Convention is set forth in 
Article 44 (``Amendments'') and provides that amendments do not 
come into force until they have been accepted by all Parties to 
the Convention. Article 45 (``Settlement of disputes'') 
obligates Parties to seek to settle disputes as to the 
interpretation or application of the Convention through 
peaceful means of their choosing. Resort to binding arbitration 
or to the International Court of Justice is possible if the 
Parties concerned agree. Article 46 (``Consultations of the 
Parties'') establishes a flexible framework for Parties to 
consult regarding implementation of the Convention, including 
the effect on implementation of significant legal, policy or 
technological developments. As appropriate, such consultations 
are to be facilitated by the COE, including specifically by the 
European Committee on Crime Problems. The Explanatory Report 
(paragraph 328) encourages Parties, in the context of these 
consultations, to seek the views of non-governmental and 
private sector organizations on privacy, business and other 
related issues.
    Article 47 (``Denunciation'') sets out the procedure for a 
Party to denounce the Convention with three months advance 
notice, and Article 48 (``Notification'') empowers the COE's 
Secretary General to act as the notifying authority in relation 
to the Convention.
    It is my belief that the Convention would be advantageous 
to the United States and, subject to the reservations and 
declarations proposed in this Report, would be consistent with 
existing United States legislation. The Departments of Justice 
and Commerce join me in recommending that the Convention be 
transmitted to the Senate at an early date for its advice and 
consent to ratification, subject to the reservations and 
declarations described above.
    Respectfully submitted.
                                                   Colin L. Powell.


