[Senate Executive Report 109-6]
[From the U.S. Government Publishing Office]



109th Congress                                              Exec. Rept.
                                 SENATE
 1st Session                                                      109-6

======================================================================



 
               COUNCIL OF EUROPE CONVENTION ON CYBERCRIME
                         (TREATY DOC. 108-11).

                                _______
                                

                November 8, 2005.--Ordered to be printed

                                _______
                                

          Mr. Lugar, from the Committee on Foreign Relations,
                        submitted the following

                              R E P O R T

                   [To accompany Treaty Doc. 108-11]

    The Committee on Foreign Relations, to which was referred 
the Council of Europe Convention on Cybercrime (Treaty Doc. 
108-11) (hereafter ``the Convention''), signed by the United 
States at Budapest on November 23, 2001, having considered the 
same, reports favorably thereon with six reservations and five 
declarations as indicated in the resolution of advice and 
consent, and recommends that the Senate give its advice and 
consent to ratification thereof, as set forth in this report 
and the accompanying resolution of advice and consent.

                                CONTENTS

                                                                   Page

  I. Purpose..........................................................1
 II. Background.......................................................2
III. Summary of Key Provisions of the Convention......................2
 IV. Implementing Legislation.........................................6
  V. Committee Action.................................................6
 VI. Committee Recommendation and Comments............................6
VII. Text of Resolution of Advice and Consent to Ratification.........8

                               I. Purpose

    The Convention is the only multilateral treaty to 
specifically address computer-related crime and the gathering 
of electronic evidence. It is designed to enhance the 
investigation and prosecution of cross-border computer-related 
crimes by eliminating or reducing procedural and jurisdictional 
obstacles to international cooperation.

                             II. Background

    The growth of the Internet has brought with it a rising 
number of attacks on computer networks. The United States is 
heavily dependent on computer networks to support its critical 
infrastructure, including the military, satellite networks, 
transportation and communications systems, and large utilities. 
Attacks on these systems, as well as on U.S. Government 
networks, constitute a threat to U.S. economic and national 
security. Major U.S. financial institutions have also been the 
target of such attacks, resulting in significant financial 
losses. In addition to the threat to computer networks, 
computers increasingly have been used to conduct more 
traditional crimes, such as fraud, copyright piracy, and child 
pornography. Moreover, organized crime syndicates and terrorist 
groups have been known to use the Internet to facilitate 
planning and communications.
    In 1997, the Council of Europe (``COE'') responded to these 
problems by establishing the Committee of Experts on Crime in 
Cyber-space to negotiate a convention on cybercrime. This 
committee was composed of representatives of COE member states 
and four non-COE ``observer'' states (the United States, 
Canada, Japan, and South Africa). The United States expects the 
Convention to have significant law enforcement benefits and was 
a leading participant in the negotiations. The Council of 
Europe, at the urging of the United States and other countries, 
made several drafts publicly available and distributed comments 
it received to all negotiators for consideration. U.S. 
negotiators also received input directly from interested 
groups, including through several meetings they held with U.S. 
industry and other interested groups, such as privacy and civil 
liberties organizations.
    The Committee of Experts finished its work in May 2001, and 
the Convention was adopted by the COE Committee of Ministers on 
November 8th of that year. On November 23, 2001, the Convention 
was opened for signature to all COE member states and the four 
observer states that participated in the negotiations, and was 
signed by 30 states, including the four observer states. The 
Convention entered into force on July 1, 2004, and now has 11 
parties. Thirty-one other states have signed but not yet 
ratified the instrument. The Convention permits other non-COE 
member states to accede to the Convention, but only with the 
unanimous consent of all of its parties.

            III. Summary of Key Provisions of the Convention

    A detailed article-by-article discussion of the Convention 
may be found in the Letter of Submittal from the Secretary of 
State to the President, which is reprinted in full in Treaty 
Document 108-11. A summary of the key provisions of the 
Convention is set forth below.
    The Convention requires parties to prohibit certain 
computer-related crimes under their domestic laws, to develop 
certain investigative methods with respect to computer-related 
crimes and electronic evidence of other crimes, and to 
cooperate with other parties to investigate and prosecute such 
crimes.
    Articles 2 through 6 of the Convention require parties to 
criminalize unauthorized access to a computer system; 
unauthorized interception of data from a computer system; 
unauthorized damage to or deletion of computer data; 
unauthorized interference with the operation of a computer 
system; and the possession, production, sale, procurement for 
use, import, distribution, or otherwise making available of 
devices designed to commit any of these offenses or of computer 
access information, such as passwords, with the intent that 
they be used to commit such offenses. In addition to these 
offenses related to computer security, articles 7 through 10 of 
the Convention obligate parties to establish the offenses of 
computer-related forgery and computer-related fraud, as well as 
various aspects of the production, possession, procurement, and 
distribution of child pornography using computers, and 
infringement of copyright and related rights by means of a 
computer and on a commercial scale. U.S. law already prohibits 
such conduct, and the reservations and declarations proposed by 
the committee (see Section VI below) would ensure that the 
United States may implement these obligations consistent with 
existing U.S. law.
    Under articles 16 through 21 of the Convention, parties 
must develop and be prepared to use certain investigative 
techniques designed to improve the effective investigation of 
the crimes set forth under the Convention and other criminal 
offenses committed by means of computer systems, as well as the 
collection of electronic evidence of criminal offenses. These 
techniques include the ability to preserve, search, and seize 
stored computer data; the ability to collect in real time and 
preserve ``traffic data'' being communicated between computers; 
and the ability to intercept certain content of the data. It 
bears emphasis that all of these investigative tools are 
already provided for under U.S. domestic law. Therefore, the 
Convention will not establish new police powers in the United 
States or otherwise alter U.S. civil liberties protections. 
Article 15 of the Convention requires each party to ensure that 
the establishment, implementation and application of these 
powers and procedures are subject to conditions and safeguards 
to be provided for under its domestic law that adequately 
protect human rights and liberties. For the United States, the 
conditions and safeguards that would apply may be found in the 
U.S. Constitution, including particularly the Fourth and Fifth 
Amendments, and various federal statutes, such as those set 
forth in the Federal Rules of Criminal Procedure and Title 18 
of the U.S. Code, which require, among other things, judicial 
supervision of any requests for interception or disclosure of 
electronic communications.
    Article 15, paragraph 3 requires each Party, to the extent 
consistent with the public interest, to consider the impact of 
these powers and procedures on the rights, responsibilities and 
legitimate interests of third parties. In this regard, the 
committee notes that paragraph 148 of the explanatory report 
accompanying the Convention reflects the understanding of the 
Parties that such third parties include internet service 
providers. It states that ``initial consideration is given to 
the sound administration of justice and other public interests 
(e.g. public safety and public health and other interests, 
including the interests of victims and the respect for private 
life). To the extent consistent with the public interest, 
consideration would ordinarily also be given to such issues as 
minimising disruption of consumer services, protection from 
liability for disclosure or facilitating disclosure under this 
chapter, or protection of proprietary interests.''
    Chapter Three of the Convention addresses international 
cooperation, including extradition and mutual legal assistance 
among the parties. Article 24 of the Convention adds the crimes 
established under the Convention to those offenses for which 
extradition may be sought under extradition treaties in force 
among parties to the Convention, and permits, but does not 
require, parties to use the Convention as a basis for 
extradition in the absence of such treaties. For the United 
States, the Convention will not provide an independent legal 
basis for extradition, which will continue to be based on U.S. 
domestic law and applicable bilateral treaties. It will, 
however, effectively expand the scope of offenses covered under 
certain existing bilateral extradition treaties (those that 
specifically list the offenses for which extradition may be 
granted).
    Articles 25 through 35 of the Convention relate to mutual 
legal assistance among the parties. Article 25 provides a 
general obligation that parties shall afford each other mutual 
assistance ``to the widest extent possible for the purpose of 
investigations or proceedings concerning criminal offenses 
related to computer systems and data, or for the collection of 
evidence in electronic form.'' Articles 29 through 31, and 33 
provide specific obligations for such assistance, including 
assistance that would involve the use of the investigative 
techniques for collection of computerized evidence that 
articles 16 through 21 of the Convention oblige parties to 
establish under their domestic law. It should be noted that 
although article 34 permits parties to request assistance in 
the interception of content data, it is narrowly drawn; indeed, 
there is no general obligation to provide this form of 
cooperation, as assistance is available ``only to the extent'' 
already permitted by applicable mutual legal assistance 
treaties and domestic law. In the United States, that law is 
subject to close judicial supervision, and in no case will a 
foreign authority be able to obtain information on terms that 
are less restrictive than for U.S. law enforcement. Currently, 
there is no authority to intercept communications based solely 
on the request of a foreign government; the only instance in 
which the United States would be in a position to accommodate 
such a request would be if the interception of the 
communications were independently authorized as part of a 
related or parallel investigation in the United States, and 
disclosing the contents of the intercepted communications were 
otherwise appropriate (see 18 U.S.C. sec. 2517(7)). Under U.S. 
law, a search warrant is insufficient authority to intercept 
the content of communications in transmission, as that 
collection is governed by the wiretap and interception statutes 
(18 U.S.C. sec. 2510, et seq.), as noted above. Although a 
search warrant may be used to obtain stored data, it must 
involve a crime recognized under U.S. law.
    Notably, assistance in collecting electronic evidence is 
not limited to the crimes established in the Convention, and 
the Convention does not require, as a precondition to 
assistance, that the offense being investigated also constitute 
a crime in the state receiving the request (``dual 
criminality''). This lack of a dual criminality requirement is 
hardly a novelty. In the last two decades, the Senate has 
approved, and the President has ratified, 43 bilateral mutual 
legal assistance treaties that do not contain such a 
requirement for all types of cooperation. This is in the 
interest of U.S. law enforcement, which aggressively utilizes 
these treaties to gain evidence abroad and would be hamstrung 
by a rigid dual criminality provision in all cases. Therefore, 
the United States will be able to use this Convention to obtain 
electronic evidence in cases involving money laundering, 
conspiracy, racketeering, and other offenses under U.S. law 
that may not have been criminalized in all other countries.
    At the same time, the Convention contains sufficient 
safeguards to ensure that the lack of a ``dual criminality'' 
requirement will not result in the provision of assistance by 
the United States in any inappropriate situations. The 
Convention provides the same high standard of protection of 
U.S. Constitutional interests that is contained in U.S. 
bilateral MLATs. Assistance is to be provided in accordance 
with the provisions of mutual legal assistance treaties between 
the parties where they exist. Where no such treaties exist 
between parties, article 27 of the Convention provides a 
procedural mechanism for cooperation to be applied between 
them, including the grounds for refusal of such requests (in 
addition to any grounds provided under the law of the requested 
party). The grounds for refusal contained in paragraph 4 of 
article 27 are analogous to those contained in U.S. bilateral 
MLATs. A requested party may refuse any request concerning a 
political offense or that is likely to prejudice its 
sovereignty, security, ordre public or other essential 
interests. In response to questions from the committee, 
executive branch officials confirmed that this provision 
authorizes the United States to deny a request where providing 
the assistance would impinge on U.S. Constitutional 
protections, such as free speech, and that the executive branch 
intends to deny assistance in such situations. In addition, 
they committed that ``[T]he Department of Justice will 
carefully review each request, regardless of the country from 
which it comes, to ensure that compliance with it would not 
impinge on U.S. fundamental principles and policy, and that 
U.S. implementation of foreign requests would not be 
inconsistent with Constitutional protections.''
    The committee also wishes to emphasize that the United 
States will not rely upon authorities created in the USA 
PATRIOT Act to meet its obligations under the Convention. The 
Convention was substantially drafted prior to the enactment of 
the USA PATRIOT Act, and is entirely consistent with United 
States law as it existed at that time. Accordingly, for 
example, the Convention does not require, and the United States 
does not contemplate, the use of the delayed notice search 
warrants authorized by Title 18, United States Code, Section 
3103a for implementation of the Convention. Similarly, because 
the Convention will be implemented consistent with existing 
procedures for mutual legal assistance, the United States does 
not and will not use tools authorized under Foreign 
Intelligence Surveillance Act procedures or administrative 
subpoenas to meet its treaty obligations. Instead, longstanding 
statutory and mutual legal assistance treaty and agreement 
procedures will be used consistently with the judicial 
oversight provided under those treaties and laws, in full 
compliance with the rights guaranteed under the United States 
Constitution. For example, as with domestic cases, U.S. 
execution of foreign government requests for collection or 
disclosure of electronic evidence would require judicial 
oversight.
    The Convention is expected to improve computer security 
without creating an undue burden on internet service providers 
(``ISPs''). The Convention does not impose any general 
requirement on ISPs to collect or retain data. Rather, in 
specific cases, they may be required to collect, preserve, or 
disclose specified data, just as they are under existing U.S. 
procedural law. In response to questions posed by the 
committee, executive branch officials indicated that the 
Department of Justice will continue its current practice under 
other mutual legal assistance instruments of reviewing requests 
for assistance and alerting the ISPs as to the appropriate 
urgency of such requests. They also confirmed that the 
Convention will have no effect on existing U.S. law or policy 
governing reimbursement of costs incurred by ISPs in responding 
to such requests.
    The committee notes that articles 24, 25, 27 through 31, 
and 33 of the Convention, on extradition and mutual legal 
assistance, are intended to operate in the same way as similar 
provisions contained in bilateral extradition and mutual legal 
assistance treaties. As with such provisions in bilateral 
treaties, these provisions are self-executing. They will be 
implemented by the United States in conjunction with applicable 
federal statutes. Additionally, the executive branch has 
indicated that they are not intended to create any private 
rights of action. The committee notes that the lack of a 
private right of action does not affect the ability of a person 
whose extradition is sought to raise any available defense in 
the context of the extradition proceeding.

                      IV. Implementing Legislation

    No new implementing legislation is required for the 
Convention. An existing body of federal laws will suffice to 
implement the obligations of the Convention, although some 
minor reservations and declarations are needed, as discussed 
below.

                          V. Committee Action

    The Committee on Foreign Relations held a public hearing on 
the Convention on June 17, 2004, at which it heard testimony 
from representatives of the Departments of State and Justice 
(S. Hrg. 108-721). On July 26, 2005, the committee considered 
the Convention and ordered it favorably reported by voice vote, 
with the recommendation that the Senate give its advice and 
consent to its ratification, subject to the reservations and 
declarations contained in the resolution of advice and consent.

               VI. Committee Recommendation and Comments

    The Committee on Foreign Relations believes that the 
proposed Convention is in the interest of the United States and 
urges the Senate to act promptly to give advice and consent to 
its ratification, subject to the reservations and declarations 
contained in the resolution of advice and consent.
    The committee has included a number of reservations and 
declarations in the resolution of advice and consent. Section 
two of the resolution contains six reservations. The first four 
reservations relate to the obligations under articles 4 (data 
interference), 6 (misuse of devices), 9 (offenses related to 
child pornography) and 10 (offenses related to infringements of 
copyright and related rights) of the Convention to criminalize 
certain conduct. Consistent with the recommendations of the 
executive branch, the committee has included these four 
technical reservations permitted by the Convention in order to 
ensure that the United States may implement these obligations 
consistent with existing U.S. law.
    The fifth reservation concerns the scope of the Convention. 
Article 22 of the Convention requires each party to establish 
jurisdiction in respect of the offenses established under the 
Convention when committed in its territory or on board a vessel 
flying its flag or an aircraft registered under its laws. U.S. 
law does not expressly extend U.S. jurisdiction over these 
particular crimes when committed on board U.S. vessels and 
aircraft outside of U.S. territory, although in certain cases 
U.S. jurisdiction may exist on other jurisdictional bases. 
Because the United States cannot ensure its ability to exercise 
jurisdiction in all such cases, the committee concurs with an 
executive branch recommendation that the United States enter a 
reservation limiting the obligation of the United States 
consistent with the reach of U.S. law, as permitted by the 
Convention.
    The sixth reservation relates to the federal system in the 
United States. Although U.S. federal law prohibits the conduct 
proscribed by the Convention, federal criminal law generally 
covers conduct involving interstate or foreign commerce or 
another important federal interest. Because U.S. state, not 
federal law, would apply to a narrow category of conduct that 
does not implicate a foreign, interstate, or other federal 
interest (e.g., an attack on a stand-alone computer), the 
executive branch recommended that the United States reserve 
against these obligations in these narrow circumstances, as 
permitted by the Convention. The committee agrees with this 
recommendation.
    Section three of the resolution contains five declarations. 
The first three declarations relate to the obligations under 
articles 2 (illegal access), 6 (misuse of devices) and 7 
(computer-related forgery) of the Convention to criminalize 
certain conduct. Consistent with the recommendations of the 
executive branch, the committee has included these three 
technical declarations permitted by the Convention in order to 
ensure that the United States may implement these obligations 
consistent with existing U.S. law.
    The fourth declaration relates to procedures to be followed 
in the case of urgent requests for mutual legal assistance. 
Article 27, paragraph 9(a) of the Convention permits urgent 
requests to be made directly to the judicial authorities of a 
party unless, for efficiency reasons, that party declares at 
the time of ratification that such requests should instead be 
sent to its central authority. The committee concurs with the 
executive branch recommendation that the United States make 
such a declaration.
    The last declaration relates to U.S. implementation of the 
Convention under existing U.S. law. The executive branch 
recommended that the United States include an understanding to 
clarify that the United States intends to comply with the 
Convention based on existing law. The committee has included 
such a statement in the resolution, formulated as a declaration 
in accordance with recent committee practice.
    Under article 37, any State not a member of the Council of 
Europe and which has not participated in the formulation of the 
Convention may accede to it, but it may only do so upon 
invitation. Such invitation requires the unanimous consent of 
the parties to the Convention. The United States would 
therefore have a voice in the accession of any state. While the 
committee believes that broad adherence to the Convention among 
both members and non-members of the Council of Europe could be 
beneficial to U.S. law enforcement interests, it has concerns 
about potential mutual legal assistance relationships with 
authoritarian states. The Convention provides a broad framework 
for sharing of electronic evidence--not merely that involving 
cyber-crime--and is thus a significant legal assistance tool. 
The committee believes that, given the nature of the evidence-
sharing requirements in the Convention, it is important that 
the United States, in consultation with other parties, work to 
ensure that all parties ``accept the principles of the rule of 
law,'' as the Council of Europe requires of its own members.

     VII. Text of Resolution of Advice and Consent to Ratification

    Resolved (two-thirds of the Senators present concurring 
therein),

SECTION 1. SENATE ADVICE AND CONSENT SUBJECT TO RESERVATIONS AND 
                    DECLARATIONS

    The Senate advises and consents to the ratification of the 
Council of Europe Convention on Cybercrime (``the 
Convention''), signed by the United States on November 23, 2001 
(T. Doc. 108-11), subject to the reservations of section 2, and 
the declarations of section 3.

SECTION 2. RESERVATIONS

    The advice and consent of the Senate under section 1 is 
subject to the following reservations, which shall be included 
in the United States instrument of ratification:

    (1) The United States of America, pursuant to Articles 4 
and 42, reserves the right to require that the conduct result 
in serious harm, which shall be determined in accordance with 
applicable United States federal law.

    (2) The United States of America, pursuant to Articles 6 
and 42, reserves the right not to apply paragraphs (1)(a)(i) 
and (1)(b) of Article 6 (``Misuse of devices'') with respect to 
devices designed or adapted primarily for the purpose of 
committing the offenses established in Article 4 (``Data 
interference'') and Article 5 (``System interference'').

    (3) The United States of America, pursuant to Articles 9 
and 42, reserves the right to apply paragraphs (2)(b) and (c) 
of Article 9 only to the extent consistent with the 
Constitution of the United States as interpreted by the United 
States and as provided for under its federal law, which 
includes, for example, crimes of distribution of material 
considered to be obscene under applicable United States 
standards.

    (4) The United States of America, pursuant to Articles 10 
and 42, reserves the right to impose other effective remedies 
in lieu of criminal liability under paragraphs 1 and 2 of 
Article 10 (``Offenses related to infringement of copyright and 
related rights'') with respect to infringements of certain 
rental rights to the extent the criminalization of such 
infringements is not required pursuant to the obligations the 
United States has undertaken under the agreements referenced in 
paragraphs 1 and 2.

    (5) The United States of America, pursuant to Articles 22 
and 42, reserves the right not to apply in part paragraphs 
(1)(b), (c) and (d) of Article 22 (``Jurisdiction''). The 
United States does not provide for plenary jurisdiction over 
offenses that are committed outside its territory by its 
citizens or on board ships flying its flag or aircraft 
registered under its laws. However, United States law does 
provide for jurisdiction over a number of offenses to be 
established under the Convention that are committed abroad by 
United States nationals in circumstances implicating particular 
federal interests, as well as over a number of such offenses 
committed on board United States-flagged ships or aircraft 
registered under United States law. Accordingly, the United 
States will implement paragraphs (1)(b), (c) and (d) to the 
extent provided for under its federal law.

    (6) The United States of America, pursuant to Articles 41 
and 42, reserves the right to assume obligations under Chapter 
II of the Convention in a manner consistent with its 
fundamental principles of federalism.

SECTION 3. DECLARATIONS

    (1) The advice and consent of the Senate under section 1 is 
subject to the following declarations, which shall be included 
in the United States instrument of ratification:

          (a) The United States of America declares, pursuant 
        to Articles 2 and 40, that under United States law, the 
        offense set forth in Article 2 (``Illegal access'') 
        includes an additional requirement of intent to obtain 
        computer data.

          (b) The United States of America declares, pursuant 
        to Articles 6 and 40, that under United States law, the 
        offense set forth in paragraph (1)(b) of Article 6 
        (``Misuse of devices'') includes a requirement that a 
        minimum number of items be possessed. The minimum 
        number shall be the same as that provided for by 
        applicable United States federal law.

          (c) The United States of America declares, pursuant 
        to Articles 7 and 40, that under United States law, the 
        offense set forth in Article 7 (``Computer-related 
        forgery'') includes a requirement of intent to defraud.

          (d) The United States of America declares, pursuant 
        to Articles 27 and 40, that requests made to the United 
        States of America under paragraph 9(e) of Article 27 
        (``Procedures pertaining to mutual assistance requests 
        in the absence of applicable international 
        agreements'') are to be addressed to its central 
        authority for mutual assistance.

    (2) The advice and consent of the Senate under section 1 is 
also subject to the following declaration:

    The United States of America declares that, in view of its 
reservation pursuant to Article 41 of the Convention, current 
United States federal law fulfills the obligations of Chapter 
II of the Convention for the United States. Accordingly, the 
United States does not intend to enact new legislation to 
fulfill its obligations under Chapter II.

                                  
