A United Nations background paper on fighting online criminals calls cyberspace “the fifth common space — after land, sea, air, and outer space.” It’s a stirring achievement of the human imagination, not only to build an entire “space” where people can live and socialize, manage their finances and play “World of Warcraft,” but also to run into so much trouble that the space requires international regulation.
In my lead column on cyberwarfare, I came out against international treaties modeled on, say, chemical-weapons accords that would pretend to establish cyberpeace among highly wired nations like Russia and the United States. The reasons were simple: Those treaties would do little to control smart hackers, and they might give convenient cover to governments looking to spy on their own citizens.
Now I need to cut my arguments a little finer. The lead column was about cyberwarfare, an easily bloated and ill-understood threat.
But cyberwarfare bleeds into cybercrime — which includes identity theft and child pornography — and to fight cybercrime, an international protocol would, in fact, be useful. The treaty most Western countries have signed, drafted by the Council of Europe, is even a model of minimal but effective control.
The CoE’s “Convention on Cybercrime,” introduced in 2001, sets up guidelines for sharing data between governments in cross-border cases of bank fraud, identity theft, child porn, phishing and other online manifestations of organized crime. Since a single criminal can have so many “presences” online — a physical address, a server location and a victim or victims who might be on the other side of the globe — these agreements are important to gather evidence and break the crime rings.
The European treaty has been criticized from several directions. Some U.S. conservatives consider it a step toward world government because it blurs the lines of national sovereignty. Their main complaint is that it would commit the FBI to chasing down evidence of crimes that are not crimes in the United States. The German government might need help shutting down a neo-Nazi site using servers in America, where free speech laws are more liberal; or — worse — China might demand information on dissidents blogging in American exile.
But as Ars Technica has pointed out, the convention has safeguards that would let a member government reject requests for information. So the FBI can choose which battles to fight. And a so-called Stanford draft of the treaty would set up a formal group called the Agency for Information Infrastructure Protection where member nations could hammer out from year to year how, exactly, they want to cooperate.
Michael Scott Moore complements his standing feature in Miller-McCune magazine with frequent posts on the policy challenges and solutions popping up on the other side of the pond.
The more governments around the world that join the European agreement, perhaps, the better — precisely because there would then be a lot of bickering over what to share. That could lead to a healthy whittling process. An international agreement should focus on nothing but the most dangerous and essential online criminal behavior, rather than indulging each nation’s idiosyncratic laws.
In any case the European agreement isn’t the same as an Internet arms treaty, which is roughly what Russia hoped to forge with the U.S. last year. Washington was properly skeptical. The Americans think organized crime fighting, combined with national-defense measures against a “cyberattack,” is the way to go. The Russian approach — a mutual agreement to crack down on malicious hackers – could serve as an excuse to arrest or spy on dissidents.
“We really believe it’s defense, defense, defense,” is how one State Department official put it to The New York Times last summer. “[The Russians] want to constrain offense.”
In the meantime, Washington and Moscow have found common ground, but the basic principles haven’t changed. Limited international cooperation on cybercrime makes sense; military treaties restricting Internet freedom and privacy to prevent a catastrophic cyberwar (which, by the way, would probably not rain down from the public Internet) don’t.
