Fear of a Hacked Planet
Smart Business, May 2001
by Thomas Claburn
Uncle Sam subjects new drugs to thorough scrutiny before approving them. Were he equally careful with new laws, people wouldn't wonder whether his top hat and beard conceal Big Brother underneath. At issue: the Council of Europe's Cybercrime Convention, which, said former deputy associate attorney general Ethan M. Posner during congressional testimony in May 2000, "will define cybercrime offenses and address such topics as jurisdiction, international cooperation, and search and seizure." Not to mention threatening the rights of individuals and businesses worldwide, according to numerous opposition groups including the American Civil Liberties Union and the Center for Democracy & Technology, or CDT.
To date, the U.S. Department of Justice has been supportive of the Cybercrime Convention as a means to better address the global dimension of cybercrime. If deliberations can be concluded by June 2001 as planned, then the international treaty will be open to ratification by all countries, including the United States.
The DoJ is not alone in calling for legislation to tame the Internet. At a conference on cybercrime at January's World Economic Forum in Davos, Switzerland, Dr. Alexander V. Galitsky, founder of network security company TrustWorks Systems, voiced the widely held view that new international laws on cybercrime are needed. But opponents of the Cybercrime Convention argue that bringing the legal system up to speed needn't mean shooting everyone else in the foot. "Holes in the law . . . could be addressed by a much narrower treaty that applies only to a few specific crimes involving fraud and malice, the destruction of property and of networks," says Barry Steinhardt, associate director of the ACLU.
According to James X. Dempsey, senior staff counsel for the CDT, "Consumers and businesses should be worried because the treaty promotes wiretapping and e-mail interception without strong privacy protections. Businesses have the additional ground to be worried that they will be subject to criminal liability for things that are not criminal under U.S. law." Yahoo's sale of Nazi memorabilia, illegal in France but not in America, is cited by the ACLU's Steinhardt. Under the terms of the convention, he says, "the United States might be asked to enforce 'the French' criminal judgment."
The CDT's analysis of the convention reads like a nightmare scenario for individuals and businesses alike. For example, Article 11 "could render a service provider criminally liable for unlawful material placed on its service by a third party based merely on failing to remove it." Article 8, dealing with computer-related fraud, "is drafted so broadly that it could criminalize virtually any use of the Internet that causes economic harm to a competitor, as well as routine activities such as blocking unsolicited e-mail (spam)." The articles dealing with real-time data collection (20 and 21) "'encourage' signatory nations to require service providers to engage in Carnivore-type data collection . . . 'regardless of the cost'."
While the DoJ declined to comment, its negotiators and Council of Europe officials reportedly have tried to allay fears by asserting that the ambiguities of the treaty will be clarified by an explanatory memorandum that will accompany the final treaty. That's inadequate, says Steinhardt. Such explanatory notes, he explains, do not have the force of law and are not binding.
Peter Harter, vice president of Internet protection and policy at e-security services provider Securify, sees tough times ahead for the convention, recalling the FBI's failed battle to secure access to encrypted data through key escrow. "I think once the Council of Europe treaty is really understood for what it is," he says, "the privacy community—the privacy data protection commissioners in government and industry—and consumers will say this is just unworkable, and it will fall of its own weight."
For TrustWorks' Galitsky, the answer lies in updating our culture as well as our laws. "We are living in an age when technology develops very quickly but the culture to use the technology doesn't exist," he says. "We teach children not to break windows, but we don't teach them not to break networks."
