http://www.cdt.org/international/cybercrime/001207acp.shtml
As we described in detail in our November 15, 2000 letter to you, ACP is committed to several principles that should guide governmental decision-making with respect to cybercrime and critical information infrastructure protection (CIIP). Two of the principles most relevant to the convention are that computer security and CIIP are best accomplished through private-sector, market-driven, and industry-led solutions, and that governments must not dictate to industry the choice of technologies or mandate technical standards or business processes.
Given the time urgency arising from the advanced stage of the negotiations, we offered certain specific comments in our November 15th letter. Based on our reading of draft no. 24, ACP remains concerned that the convention will not fully reflect the changes suggested in our November 15th letter. With the next round of Council of Europe negotiations rapidly approaching, ACP now offers the following additional specific comments based on the discussions during our November 30th meeting, the December 1st general industry-government meeting, and the December 6th meeting between industry and Henrik Kaspersen, Chairman of the Council of Europe's Committee of Experts on Crime in Cyberspace, and Peter Csonka of the Council of Europe's Directorate General I (Legal Affairs).
ACP regards the issues raised by the convention to be of great importance and directly within the purview of its principles. ACP will continue to follow closely the course of the negotiations here and in Europe to ensure that the whole draft strikes the proper balance among industry, government, and privacy considerations.
Data Preservation (Articles 16 and 17)
The convention text needs to state that it does not impose a data retention requirement. We appreciate your clarification that the convention does not mandate data retention. We also note that the last sentence of footnote 23 states this point explicitly. However, ACP believes that this statement is of such critical importance that it should be elevated to the text of the convention itself, specifically at the end of Article 16.1. Furthermore, ACP recommends that the sentence be altered in order to state clearly that the convention does not mandate retention of any data. Accordingly, the following sentence should be removed from footnote 23 and added to the end of Article 16.1:
This convention does not mandate retention of any data collected by a service provider or other entity in the course of its activities.
The convention text needs to state that it only applies to information that a company normally preserves in the ordinary course of business. We reiterate our comment from our November 15th letter that the data preservation requirement should specifically state that it applies only to information that a company normally preserves in the ordinary course of business. The restriction of data preservation to data preserved in the ordinary course of business comports with the spirit of Mr. Kaspersen's comment regarding Articles 20 and 21 (as discussed in Section III below), that the convention is not intended to require governments to mandate that companies develop any capabilities or technology that they do not already possess.
Specific textual changes. In sum, the text of Article 16 should read as follows:
1. Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities, in connection with a specific criminal matter, to order or similarly obtain the expeditious preservation of data that has been stored by means of a computer system in the ordinary course of business, in particular where there are grounds to believe that the data is particularly vulnerable [22] to loss or modification [23]. This convention does not mandate retention of any data collected by a service provider or other entity in the course of its activities.
2. Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored data in the person's possession or control that the person has stored in the ordinary course of business, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that data for an adequate period of time to enable the competent authority to seek its disclosure.
ACP is quite specific on the way they want this treaty to be written.