Volume IX, Issue 1, Fall 2002

In Search of a Balance Between Police Power and Privacy in the Cybercrime Treaty

by D.C. Kennedy[*]

Cite As: D.C. Kennedy, In Search of a Balance Between Police Power and Privacy in the Cybercrime Treaty, 9 RICH. J.L. & TECH. 3 (Fall 2002), at http://jolt.richmond.edu/v9i1/article3.html.


I. INTRODUCTION

{1}             Imagine that you wake up one morning, turn on your computer, and open an e-mail message with a catchy phrase in the subject line.  Immediately after opening the e-mail’s attachment, your personal computer is severely damaged. Obviously having a bad day, you head to your job as an attorney for a multinational corporation.  By the time you arrive at work, there has been damage to company computers across the globe. The monetary costs of the damage, coupled with the downtime, are astronomical.  The CEO of your company is furious. You hope to defuse the situation by informing your boss that the person who released the virus has been apprehended.  Unfortunately, soon after explaining the good news of the perpetrator’s capture, you learn that the individual, who admits involvement with the e-mail virus, will not be prosecuted in his home state because that state had no laws on the books outlawing his behavior at the time of the incident.  In fact, none of the states where damage occurred will be able to prosecute because of lack of jurisdiction. The damage is done and the perpetrator is free.

{2}             Although the situation may sound far-fetched, this is the basic story of the events surrounding the dissemination of the I LOVE YOU virus.  The perpetrator was allowed to go free because the Philippines did not have appropriate cybercrime laws instituted at the time the virus was released.[1] This high-profile case is a superb introduction to the difficult issues arising from the existence of cyberspace.[2]

{3}             In this "Age of the Internet,"[3] access to information is unprecedented. This access can be positively used to contact friends and businesses around the world or can be negatively used to gain unauthorized access to information or to steal profitable data. With the threat of sinister uses for access comes the need for protection – protection from attacks such as the I LOVE YOU virus[4] and protection from prying eyes.[5]  Even though protection from these threats is hampered because of the international scope of the threat, this same scope assists the cybercriminal. No longer must a criminal be located physically in the proximity of his crime.  Instead, through the same technology that makes the Internet such a popular personal and business instrument, the criminal is able to cause damage regardless of national borders.  The ability of the cybercriminal to cross national borders without effort, coupled with the relative ease of his causing harm, presents problems for states that want to crack down on cybercrime. These states must determine effective ways to investigate activity that occurs outside of their national boundaries, including investigations in states that may not outlaw the activity. In addition, the states investigating these crimes must employ individuals with the appropriate technical training who can devote long hours to tracing the electronic trails of cybercriminals.

{4}             In an effort to address the difficulties of investigating cybercriminals, the Council of Europe put forward a cybercrime treaty to harmonize definitions of cybercrime in states that become parties to the treaty.[6]  To aid the investigation of these crimes, the treaty provides for procedures to assist law enforcement in the search and seizure of computer data and facilitates cooperative investigations by states affected in specific cybercrime incidents.[7]  The increase in police power that would result from the treaty concerns many privacy advocates.[8]  The basis for this concern is the limited protection available to support privacy of information pertaining to individuals.[9]

{5}             To examine the privacy issues at stake, this paper will first explore the increase in police power granted by the treaty.  The paper will follow this assessment by looking at the concerns raised by the formulation of the treaty itself.  It will then end by exploring the opportunity missed by the treaty drafters to address fundamental privacy concerns.  Part I will analyze the concept of cybercrime in an effort to define the evil that the treaty is intended to address.  As part of this discussion, Part I will examine the new ‘tools’ available to criminals in the Internet Age and, conversely, the new dilemmas that these ‘tools’ create for law enforcement.  Part II will discuss  the recently proposed cybercrime treaty.  It will examine the provisions of the first publicly-released draft, the list of complaints that flooded into the Council of Europe after the release of the draft, and the revisions that resulted from the complaints.  Part III will use two hypotheticals to study the impact of the treaty.  In the hypotheticals, three Southeast Asian states – with privacy protection levels spanning from low to high – will interact with a European state in a cybercrime investigation.  The paper will assert that the interaction that ensues, the very interaction contemplated by the treaty, will have the potential to lower privacy protections for the states involved.  Part IV will explore the concept of privacy at the international level, paying particular attention to the definitions of privacy provided by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.  It will compare the traditional international understandings of privacy – privacy of communication, freedom of expression, and criminal procedure protections – with the revolutionary change needed for the concept of privacy in the Internet Age.  
Part IV will end by arguing that this new conception of privacy should account for intrusions by governments, businesses, and rogue individuals.  Part V will conclude by arguing that the increase in police power required by the treaty necessitates an offsetting increase in privacy protection for individuals.  It will contend that the treaty should have included a privacy provision that required parties to enact, through domestic legislation, protection of informational privacy from unwanted violations by governments, businesses, or rogue individuals.  In the absence of such a provision, there can only be a hope that governments will adopt such legislation on their own and that reinterpretations of international treaties will include protections for informational privacy.    

II. THE PROBLEM OF CYBERCRIME

A. Cybercrime and the Cybercriminal

{6}             In this Age of the Internet, ‘cybercrime’ has become a household word, but its definition is seldom explained.  Books and articles written on the subject often assume that the reader understands the many facets of cybercrime.  For many, however, computer hacking[10] and computer viruses[11] are the main images conveyed by the term.  While these crimes comprise two important categories of cybercrime, many other crimes can be committed or facilitated utilizing computer networks.  A non-exhaustive list of cybercrimes includes: fraud, forgery, counterfeiting, gambling, transmission of child pornography, transmission of threats, transmission of harassing communications, interception of communications, copyright infringement, and theft of trade secrets.[12] 

{7}             The motivations of those who commit cybercrimes may be as varied as the nature of the cybercrime itself.  Juveniles may be drawn by the prestige of outwitting adults.[13]  Insiders may be seeking retribution for a perceived wrong by a business or a former employer.[14]  Hackers may simply want bragging rights associated with compromising a particular computer system.[15]  Virus writers may be motivated by prestige, as well as by malicious feelings towards others.[16]  Criminal groups functioning on the Internet may seek monetary gain.[17]  Foreign terrorists may seek foreign intelligence.[18]  Even with these various motivators, there is at least one common characteristic of the people who commit cybercrimes.  Yesterday’s street criminal had “street smarts;” today’s cybercriminal has “computer smarts.”  In order to be successful at their craft, cybercriminals need to possess a knowledge of computers that is far superior to the average user’s amateur skills.  This knowledge allows the criminal to mask his criminal activity and to divert the efforts of law enforcement officials.[19]

B. The New Tools of the Cybercriminal

{8}             Technology provides the cybercriminal with a new bag of ‘tools’ that make him more effective at his craft.  In this Internet Age, the ‘tools’ are not physical implements, but instead are advantages for those who commit cybercrime.  The first such ‘tool’ is the ability to hide evidence pertaining to the cybercrime.  The evidence is virtually hidden because of the instantaneous transfer of data through computer systems.[20]  The cybercriminal has the capacity to act at one site in cyberspace and then, taking the evidence of the crime with him, to leave instantaneously.  The second ‘tool’ is the cybercriminal’s ability to hide his identity.  In effect, a skilled cybercriminal is able to attack computer systems leaving few, if any, clues as to his identity.  His identity is further concealed because he can easily commit the cybercrime without being physically present in a jurisdiction.[21]  The third ‘tool’ is the cybercriminal’s ability to increase his cybercriminal activity with minimal effort.  The cybercriminal can ignore international boundaries[22] by simultaneously targeting multiple victims in multiple states.[23]  Ultimately, these ‘tools’ provide the cybercriminal with an international forum for cybercrime in a world where laws criminalizing his behavior are limited to domestic borders. 

C. Challenges for Law Enforcement

{9}             With each of the cybercriminal’s new ‘tools,’ law enforcement officials face new challenges.[24]  The cybercriminal’s first ‘tool,’ his instantaneous ability to hide data in computer systems, creates a host of problems for law enforcement.[25]  In domestic investigations, law enforcement officials may discover that critical data is stored on a networked computer that is located in another state.  Law enforcement must then determine if their domestic court order is sufficient to search the storage facility outside the state’s territory or if mutual assistance must be sought with law enforcement in the other state.[26]  Even in the instance of information stored with ISPs, the procedures that law enforcement need to follow are not uniform from state to state, meaning that the task of obtaining the information may be quite time consuming.[27]  If the evidence is encrypted, there is a question as to whether a witness can be compelled to provide a printout of encrypted data when questioned by law enforcement authorities or interrogated in court.  This situation becomes particularly daunting when an encryption key[28] is held by a second person who is located outside the state’s territory.[29]  All of these inquiries take time and may provide the cybercriminal the time frame needed to further conceal the incriminating data.

{10}         The second ‘tool’ to which law enforcement must respond is the cybercriminal’s ability to hide his identity.  By skillfully using a computer system, the cybercriminal has the ability to mask his identity or remain anonymous.[30]  If law enforcement cannot identify the cybercriminal by the clues left in cyberspace, it may be extremely difficult to track the criminal.[31]  Because the cybercriminal can commit a crime without being present in a jurisdiction, the cybercrime scene has no physical boundaries[32] and leaves law enforcement with few, if any, physical leads as to the identity of the cybercriminal. Unlike the situation where a criminal’s location can be approximated by the distance that he could possibly have traveled since the crime occurred, cybercriminals have no effective limitation on their distance from the crime scene – even a second after the crime was committed.

{11}         The cybercriminal’s third ‘tool,’ his ability to increase criminal activity by striking multiple victims in multiple states, creates several problems.  Law enforcement must first determine whether domestic criminal laws are applicable to crimes committed by utilizing international data networks.[33]  If the domestic court system makes a determination that the laws are not applicable, an investigation may be inappropriate, as no domestic laws have been violated.  Even if the domestic criminal law applies, jurisdictional issues must still be addressed.[34]  If a perpetrator has committed crimes in more than one state, the home state must make a determination concerning extradition.  In a crime involving multiple victim states, a home state that is willing to extradite the accused must decide on one state to which to send the accused.  Conversely, a home state may be unable to extradite because the laws regarding cybercrimes vary substantially in the two states.[35]  In the case where extradition is not possible, the home state may have the option of prosecuting the accused if jurisdiction can be established by the presence of the accused in the home state.  This solution may not satisfy the victim, as the penalties for the cybercrime may be different in the home state and the victim state.  In addition, the victim may not believe that the same diligence will be used in the prosecution of the accused in the home state as would be used in the victim state.  The possibility also exists that the accused committed no crime according to the laws of the home state; thus, he would face no penalty for his activity.[36] 

{12}         While the term ‘cybercrime’ did not exist twenty years ago, today the number of attacks is increasing and the monetary damage from the crimes is staggering.  Cybercriminals are able to benefit from the use of their new ‘tools,’ while law enforcement is plagued with a host of new cyberproblems.  To even the playing field, law enforcement officials need increased police powers to combat the new ‘tools’ of cybercriminals.

III. TREATY ON CYBERCRIME

A. Draft 19: The First Publicly-Released Version of the Cybercrime Treaty[37]

{13}         Although no treaty is likely to address the full scope of the problems created by cybercriminals’ new ‘tools,’ the treaty drafted by the Council of Europe[38] endeavors to address several of the basic problems.  The Council of Europe first examined the problems associated with the international nature of cybercrimes when it drafted a 1995 paper recommending that states adopt laws regarding cybercrime.[39]  Realizing the need for a legally binding instrument, the Council of Europe began deliberations on the cybercrime treaty in 1997.[40]  The Council invited observers from Canada, Israel, Japan, South Africa, and the United States[41] to take part in the negotiations in the hopes that the resulting treaty would have international impact.[42]  The goal of these discussions was to create a cybercrime treaty which would “harmonize laws against hacking, fraud, computer viruses, child pornography and other Internet crimes”[43] as well as “make criminal investigations and proceedings concerning criminal offences related to computer systems and data more effective and to enable the collection of electronic evidence of a criminal offense.”[44]

{14}         In April 2000, after nearly three years of negotiations, the Council posted to its website the first publicly-released version of the proposed treaty.[45]  The proposed treaty addressed four principal areas: cybercrime, search and seizure, jurisdiction, and international cooperation.[46]  In the area of cybercrime, this draft of the treaty criminalized four categories of crime: access crimes, data crimes, systems crimes, and crimes involving “illegal devices.”[47]  The first category, access crimes, outlawed unauthorized access to data contained in a computer system and access to the computer system itself.[48]  Under this provision of the treaty, it would be possible for a cybercriminal to be convicted of both gaining access to a computer system where desired data was stored and obtaining the desired data.[49]  Data crimes, a second category of crime outlined in the treaty, made illegal the interception of data and interference with data.[50]  The definitions of the two data crimes provided in the draft make it unclear whether data theft,[51] the outright taking or copying for the cybercriminal’s use, was outlawed.  The third category, systems crimes, outlawed actions that intentionally hindered the functionality of a computer system.[52]  A clear example of such a violation is a denial of service attack.[53]  Less clear is whether the dissemination of a computer virus[54] or computer worm[55] would constitute a violation.  The final category of crime, “illegal devices,” made it a crime to produce, sell, or obtain for use any device created or changed to facilitate the commission of any of the crimes enumerated in the treaty.[56]  The illegal device provision raised the question as to how an individual who possessed a device could establish innocence.  The provision was written with the presumption that an individual who possessed a device had the intent to use the device to engage in a cybercrime.  
Because the same devices are used by cybercriminals and by those employed to check the security of business systems, the presumed criminal intent was unfounded.[57] 

{15}         The cybercrime articles included in the draft shared several common characteristics.  First, the illegality of each crime was to be executed through the adoption of domestic legislation in each of the signatory states.[58]  Second, the definition of each cybercrime was to include the requirements of “intentionally” and “without right.”[59]  With the foregoing provisions, the treaty provided a framework to outlaw four categories of cybercrimes.

{16}         As the preamble of the proposed cybercrime treaty envisioned that one of the purposes of the instrument was as “an international agreement to regulate trans-border search and seizure,”[60] this draft of the treaty also addressed search and seizure issues.  The proposed treaty empowered law enforcement officials with the authority to search and seize data stored on computer systems, when such actions were taken as part of an investigation of cybercrime.[61]  As part of this search and seizure power, the treaty authorized the officials to retain copies of the data.[62]  Another power granted to law enforcement was the authority to order persons in its territory to produce specific computer data.[63]  In investigations where a lapse of time could lead to a loss of computer-stored evidence, the proposed treaty authorized law enforcement officials to expedite the preservation of stored data and of traffic data.[64]  As to stored data, expediting referred to shortening the time required to obtain a search and seizure warrant or a production order.  With traffic data, the draft authorized law enforcement officials to require that ISPs retain traffic related to a suspect.  In addition, the service provider was required to reveal enough of the traffic so that law enforcement officials could track the path by which the communication was transmitted. 

{17}         As was the case with the categories of cybercrime, the search and seizure articles shared several characteristics.  First, according to the proposed treaty, the provisions were to be implemented through domestic legislation in each of the signatory states.  Second, in an effort to address privacy concerns, each of the articles specifically provided that “the powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.”[65]  Third, conspicuously absent from the search and seizure provisions was any mention of a requirement for judicial review for particular applications of the new law enforcement authority.[66]  Without a judicial check on the power granted to law enforcement officials, individuals would have no guaranteed protection against abuses.  As such, the foregoing provisions outlined the search and seizure powers granted under the treaty.

{18}         Jurisdiction was the third area addressed by the treaty.[67]  According to the proposed treaty, jurisdiction was based either on territory or on the nationality of the accused.  The draft skirted the issue of whether the term “territory” applied to the state where the harm occurred or to the state where the perpetrator was located at the time that the cybercrime was committed. Instead of settling this issue, the treaty provided that disputes over jurisdiction should be decided between the states involved.  With the foregoing provisions, the drafters espoused a structure for jurisdictional concerns.

{19}         The fourth and final area addressed by the proposed treaty was international cooperation.[68]  Mutual cooperation for investigation of crimes was expected of states that became parties to the treaty.  The mutual cooperation article was vague as to the procedures that would be necessary to carry out the assisted investigation.  As to extradition, the draft ensured that either an existing instrument or this treaty could be used as the basis for extradition of a cybercriminal.  The foregoing provisions thus provided a skeletal plan for international cooperation.  As outlined in this section, the proposed treaty attempted to address the new 'tools' of cybercriminals by providing law enforcement with new powers to investigate the international nature of cybercrime.  The inadequacies of the proposed treaty, which have been suggested in this section, did not pass unnoticed for long.

B. The Outcry

{20}         Until the public release of the proposed treaty in April 2000, member delegations had worked in virtual secrecy on the negotiations.[69]  The Internet release of the treaty triggered angry outcries from more than 400 e-mailers[70] and garnered the condemnation of a coalition of 29 international cyber-rights organizations, which represented the views of privacy experts, data protection officials, and technical experts.[71]  In a letter to the Council of Europe, the Global Internet Liberty Campaign ("GILC")[72] outlined its concerns with the proposed treaty.[73]  Technical experts complained that the treaty’s broad provision concerning illegal devices[74] would criminalize possession of devices used by security practitioners, educators, and researchers to increase the security of computer systems.[75]  The concern centered on the fact that the devices used to ensure security within a system are the same ones utilized by hackers to gain unauthorized access to computer systems.[76]  Those involved in securing systems worried that the provision of the treaty outlawed possession of such devices without regard to their intended use.[77]  The coalition asserted that procedures for international investigations[78] had been omitted from the proposed treaty, and that such procedures should be agreed upon in order to ensure that a consistently high level of individual rights was maintained.[79]  As to search and seizure,[80] the coalition stated that the treaty lacked any assurance of an independent judicial review in particular instances where the search and seizure powers would be utilized.[81]  The treaty’s provisions pertaining to the preservation of Internet traffic and the review of the content of communications relating to an individual under investigation[82] raised a host of concerns.  For the ISPs, the requirement to preserve communications meant an increase in operating costs. 
Additional costs incurred by the ISPs would include the personnel hours and the storage space necessary to execute the requests of law enforcement.[83]  For the cyber-rights organizations involved in the coalition, the requirement that traffic and content information be made available to law enforcement raised substantial privacy concerns.  The coalition asserted that the treaty would encourage “inappropriate monitoring of private communications,”[84] which would violate accepted privacy norms.[85]  One of the specific worries was that inappropriate monitoring would lead to persecution of dissidents and minorities.[86]  In summing up their position, the coalition stated that the treaty improperly extended police power while failing to protect privacy of communication, freedom of expression, or criminal procedure protections, all of which are considered rights under the Universal Declaration of Human Rights.[87]

C. Draft 27: The Final Revision to the Treaty[88]

{21}         The criticism stunned the Council of Europe.[89]  Peter Csonka, deputy head of the Council of Europe’s economic crime division,[90] said, “We were surprised by the violence of these comments, . . . . We have learned we have to explain what we mean in plain language because legal terms are sometimes not clear.”[91]  Through a series of drafts, the Council worked to address the issues raised concerning illegal devices, procedural safeguards, and ISP retention of traffic[92] and content data.[93]  The drafters responded to the concern expressed by security personnel that the treaty criminalized the mere use of certain devices by adding a provision, which provided that those who possessed the devices without the intent of committing cybercrimes had not acted illegally.[94]  In an effort to avoid the increased criminalization feared by GILC, the drafters required that two types of intent be established for an individual to be convicted of the crime of misuse of devices.  The first type of intent was a general intent to engage in illegal activity.  Second, the specific intent to use the device to commit one of four crimes outlined in the treaty – illegal access, illegal interception, data interference, or system interference – had to be established.[95]

{22}         With regard to criminal procedure issues, the drafters inserted an article requiring minimum safeguards to adequately protect human rights and liberties.[96]  The treaty required each state to ensure, through domestic legislation, independent supervision of the treaty power in question, justification of the use of the power, and a limitation on the scope and duration of the power.[97]  The decision as to which treaty powers are sufficiently intrusive to require the safeguards set out in the article was left to the respective states.[98]

{23}         To address the concerns pertaining to ISP retention of Internet traffic and content data, the drafters clarified the requirements by stipulating that the ISPs would only be asked to store specific data related to suspected crimes.[99]  In these provisions, however, the drafters did not limit the time period for which the ISPs would be required to retain traffic and content data concerning alleged crimes.  Although the drafters restricted the scope of the data to be maintained,[100] without a limitation concerning the time period for retention of data, ISPs could still incur significant business costs in adhering to the provisions of the treaty.[101]  In addition, when law enforcement officials engaged service providers to collect data, the requirement that the providers keep confidential the fact that data was being collected[102] put the ISPs at odds with the privacy interests of their customers.[103]

{24}         While three of the revisions made by the drafters addressed specific concerns regarding illegal devices, procedural safeguards, and ISPs’ retention of data, additional modifications to the treaty raised new issues.  The treaty itself unnecessarily created four sets of problems concerning sovereignty, jurisdiction, search and seizure of computer data, and international investigation.  In the arena of sovereignty, both the article concerning search and seizure and the article pertaining to trans-border access to data without consent[104] permit law enforcement officials to cross state boundaries without notifying or gaining permission from the intruded state.[105]  Although some experts argue, “[i]t may be legitimate and important for law enforcement to be allowed to conduct a remote search of computers in a foreign country,”[106] it is unclear why the drafters have allowed these intrusions of sovereignty when the treaty provides for mutual assistance between states and provides for expedited mutual assistance when necessary.

{25}         In the area of jurisdiction, the drafters failed to address the problems raised by the existence of cyberspace.[107]  No state has jurisdiction over cyberspace.[108]  Thus, jurisdiction cannot simply be based on the place where the cybercrime took place.  According to the treaty, jurisdiction was based primarily on territory and secondarily on nationality.[109]  In an instance where more than one state claimed jurisdiction over an alleged offense, the treaty provided for the states involved to decide the “most appropriate jurisdiction for prosecution.”[110]  The “most appropriate jurisdiction” clause will likely be much invoked because of the ambiguity in the meaning of territory-based jurisdiction.  The provision could be interpreted to provide jurisdiction to the state in which the perpetrator was located, as happened in the case of the I LOVE YOU virus where the Philippine government investigated the individual who released the virus from that state.[111]  Unfortunately, this provision could just as easily be interpreted to give jurisdiction to the state in which the damage from the attack occurred.  Alternatively, the provision could be construed to grant jurisdiction in either the host state or the victim state, with place of jurisdiction depending on the particular cybercrime at issue.[112]  The drafters made no attempt to solve this predicament.[113]  It is unclear why the drafters simply did not choose one of the above-mentioned meanings of the term ‘territory.’

{26}         In search and seizure of computer data, the drafters clarified those who are subject to orders that require production of specified computer data for use in law enforcement investigations.[114]  Under the newly crafted provision, any person physically located in the state or any service provider offering services within the state would be required to submit data requested by means of a production order.[115]  According to this language, production could be required from a computer outside the state so long as it belonged to an individual who was physically present in the state or to a service provider that provided services within the state.  A complementary provision provided for search and seizure of stored computer data.[116]  The draft empowered competent authorities to search and seize computer data within the state.  Reading the two provisions together would allow for data produced from outside the state, pursuant to a production order, to be seized once in the state.

{27}         Generally speaking, the problems created by the treaty are unnecessary.  The treaty is intended to encourage uniform definitions of cybercrime and through such uniformity to enhance the ability of law enforcement to investigate these cybercrimes.  A carefully written treaty with well-defined provisions could have avoided much unnecessary confusion.  The question remains as to whether overall privacy concerns have been adequately addressed by the revisions to the treaty.  In international investigations, the drafters omitted any clear procedures that could have ensured high levels of protection for individual rights.[117]  In an effort to address broad privacy concerns, the “powers and procedures” provision of the articles on expedited preservation of stored computer data, expedited preservation and partial disclosure of traffic data, production orders, search and seizure of stored computer data, real-time collection of traffic data, and interception of content data are all “subject to Article 14 and 15.”[118]  These two articles provide that the powers and procedures are subject to the safeguards provided under domestic law and under applicable international human rights treaties.[119]  Thus, critical to an understanding of the privacy protections afforded by the treaty is knowledge of the safeguards provided by domestic law and by pertinent international human rights treaties.

IV. EXAMPLES OF PRIVACY PROTECTIONS PROVIDED UNDER DOMESTIC LAWS

A. Treaty Expected to Become International Standard

{28}         While the focus of the treaty is to increase police power to allow law enforcement officials to effectively battle the new ‘tools’ of cybercriminals, there is a concern that the increase in police power will not be properly rebalanced with the privacy rights of individuals.[120]  In an attempt to rebalance the scales between police power and privacy, the treaty protects privacy through safeguards provided under domestic laws and under applicable human rights treaties.  Because the first set of safeguards provided under the treaty are those found in domestic laws,[121] the first part of the answer to the question of whether the treaty adequately addresses Internet-Age privacy concerns must be found by examining domestic protections of privacy.

{29}         The key to understanding the privacy protections afforded by current domestic laws is two-fold, meaning that a recognition of the policies enacted in the states is needed as well as a grasp of the impact of each state’s policies when two or more states interact.  The policies adopted by states will first be examined to determine the goals that the state desires to further with its Internet crime control policy in addition to exploring the ability of the government to prosecute the crime and the capacity of the victim to recover for his losses.  The outcomes of interactions between states with differing levels of privacy protection will then be explored.

B. Three Examples of Southeast Asian States with Differing Levels of Privacy Protection

{30}         As it is not possible to examine every state, several states in Southeast Asia have been chosen to illustrate the overall approach to privacy protection afforded by the treaty.[122]  Three Southeast Asian states were selected to illustrate the first prong of the approach, privacy protection afforded by domestic laws.  Southeast Asian states were selected because their history of colonialism, which they subsequently replaced with emerging capitalist economies, represents the experience of many of the states that exist outside of Europe.[123]  Singapore, Thailand, and the Special Administrative Region of Hong Kong have been specifically chosen because each provides an example of a differing level of privacy protection.  For each of these three, Internet crime control policies will be examined.  The second prong of the approach, which examines the outcomes of the interactions between states with differing levels of privacy protection, will be illustrated with two hypothetical interactions between a European state and the three Southeast Asian states.

1. Singapore: An Example of a Low Level of Privacy Protection

{31}         The kind of society that a state supports determines the goals concerning privacy protection that underlie the Internet crime control policy of that state.[124]  Totalitarian states oppose privacy rights while liberal democratic systems support individual privacy rights and freedoms.[125]  These two abstract kinds of societies lie on opposite poles of the political spectrum.[126]  Singapore is known for its near totalitarian regime.  In support of the doctrine that the kind of society determines the level of privacy protection, Singapore has a reputation for aggressively using surveillance for social control.[127]  In its approach to Internet crime control, the goal of the government is to shield its citizens from any undesirable influences.[128]  In an effort to ensure government supervision of Internet usage, all ISPs are government-owned or government-controlled companies.[129]  The Telecommunications Authority of Singapore has extensive authority to monitor any activity considered to be a threat to national security.[130]  The Authority routinely monitors phone conversations and Internet use.[131]

{32}         Singapore has no constitutionally protected right to privacy against government acts.[132]  Although government officials are normally required to obtain court-issued search warrants, exceptions exist to this general warrant rule.  Law enforcement may search without a warrant if they believe the intrusion is necessary to preserve evidence and warrantless searches are permitted in drug-related and organized-crime-related incidents.[133]  Specific to Internet-related crime, the police do not need a warrant to search computers under the Electronic Transactions Act ("ETA").[134]

{33}         Singapore has passed criminal laws that enable the prosecution of perpetrators of Internet crime.  The Computer Misuse Act ("CMA")[135] prohibits unauthorized access to computer data, unauthorized modification of computer data, unauthorized obstruction of the use of computers, and unauthorized disclosure of access codes.[136]  The ETA imposes a duty of confidentiality on individuals who possess data obtained under the act and imposes sanctions for disclosing such data without authorization. [137] 

{34}         As to whether Singapore has jurisdiction over such crimes, the policy of Singapore is to extend the territorial principle[138] in cases where there is some nexus between the territory and the crime.[139]  In particular, the CMA grants to courts jurisdiction over anyone who commits a crime under the act.  Regardless of citizenship, the accused is treated as if he was in Singapore at the time of the incident or as if the computer, the program, or the data was in Singapore at the time of the incident.[140]

{35}         As to recovery of losses by the victim, no general data protection or privacy laws exist in Singapore.[141]  However, in association with criminal prosecution against businesses and rogue individuals, the CMA requires the perpetrator to pay compensation, which the victim can recover through civil debt procedures.[142]  Even in cases where a criminal prosecution was not achieved, the victim can sue the business or rogue individual based on tort law, in an action for breach of confidence.[143]  To be successful, the victim must establish that the data is not trivial, that he had a legitimate expectation of privacy in the data, and that the use of the data was unauthorized.[144] In Singapore, the government can prosecute cybercrime and the victim has a means to recover damages that result from the cybercrime.  As the goal of the Internet crime control policy is social control, Singapore is an example of a low level of privacy protection.

2. Thailand: An Example of an Intermediate Level of Privacy Protection

{36}         On the totalitarian/liberal democracy spectrum, Thailand falls into the middle of the range.  The government’s concerns over national security and public morals drive its privacy policies.[145]   On the privacy-of-communications front, Thailand’s Constitution provides for the protection of privacy.[146]  Specifically, the constitution stipulates a protection of communication. Although the state guarantees privacy by law, in reality privacy is not protected.  Activities such as illegal wiretapping are commonplace in Thailand.[147] As for protection against unreasonable government intrusion, in most instances, law enforcement officers are required to obtain a warrant prior to a search.  A major exception to this protection however allows police to issue warrants; such warrants are not subject to judicial review.[148]

{37}         Thailand is one of the world’s many countries that have no specific legislation on cybercrime.  This means that it would be difficult, if not impossible, to prosecute a perpetrator of cybercrime who was located in Thailand.[149]  Thailand has no specific laws that protect personal information.  This means that currently the victim could not recover for losses.  Realizing the need to “prevent misuse of information and give rights to data owners,” Thailand officials are finalizing a data protection law.[150]  In Thailand, the government has no means to prosecute cybercrime and the victim has no avenue to recover damages that result from the cybercrime. Because the goal of the Internet crime control policy is driven by concerns over morals but does not rise to the level of social control, Thailand is an example of an intermediate level of privacy protection.

3. Hong Kong: An Example of a High Level of Privacy Protection

{38}         On the political spectrum that ranges from totalitarian to liberal democracy, the Special Administrative Region of Hong Kong falls near the liberal democratic end.  Until 1997, Hong Kong was part of the British Commonwealth, mirroring many British traditions including democratically elected government officials and trial by jury.[151]  According to the Basic Law of Hong Kong, the agreement hammered out between Great Britain and China before the 1997 handover to China, Hong Kong’s form of government will remain unchanged until 2047.[152]  Hong Kong remains a party to the International Covenant on Civil and Political Rights; this treaty creates an international obligation for the government to protect privacy.[153]  Although there is some concern that the Chinese government will modify the policy,[154] Hong Kong’s general Internet policy is based on self-regulation and a concern for economic well-being.[155]  As to privacy of communications, the Basic Law of Hong Kong provides for privacy of communications.[156]  The law stipulates that this privacy can only be compromised through means of legal procedures that allow for protection of public security or investigation of criminal activity.[157]  With regard to government intrusion, police are required to obtain court-issued warrants before obtaining evidence.[158]

{39}         In the realm of Internet crime control policy, Hong Kong has enacted the Personal Data Privacy Act ("PDPA") that regulates the collection, use, and security of personal data.[159] The PDPA covers “any data relating directly or indirectly to a living individual” if from the data it is possible to ascertain the individual’s identity and if the data “is in a form in which access of processing is practicable.”[160]  The PDPA applies to any person who directs the collection, processing, or use of personal data.[161]  The PDPA applies to both public and private sectors, although many of the exceptions to the act apply primarily to the public sector.[162]  Under the PDPA, the government can prosecute cybercrime[163] and the victim has the ability to recover damages that result from the cybercrime.[164]  As the goal of Internet crime control is to root out crime without impinging on privacy protections, Hong Kong is an example of a high level of privacy protection.  In Southeast Asia, Hong Kong provides significant protections for individual privacy while Singapore and, to a more limited degree, Thailand support state control to the detriment of individual privacy protections.  As the Internet enables access across borders, there is a concern about how states with differing levels of privacy protections will interact under the cybercrime treaty.

C.  Interactions between Southeast Asian States and a European State

{40}         The critical question to determine in deciding if the cybercrime treaty adequately protects privacy through domestic laws is whether the outcomes from interactions between states enhance or at least maintain the protections currently afforded in the states involved.  In the following two hypotheticals, three Southeast Asian states will be examined in interaction with a European state.[165]  In each hypothetical, the relevant questions to be answered are whether the evidence can be gathered, whether the accused can be prosecuted in the state, and whether the victim can recover damages.  If the outcomes of these interactions enhance or at least maintain the protections currently afforded to privacy in the states involved, then the treaty has successfully increased police power while maintaining guarantees of privacy.

1. Hypothetical One: European Perpetrator and Southeast Asian Victims

{41}         In this first hypothetical, a European perpetrator has instigated a denial-of-service attack[166] affecting computer systems in Singapore, Thailand, and Hong Kong.  All three Southeast Asian states investigate with the aim of prosecuting the perpetrator.  Each state must determine if access to evidence is possible and subsequently if prosecution is possible.  In addition, a determination needs to be made as to whether the victim can recover for his losses.  Because the attack did not commence in Singapore, Thailand, or Hong Kong, under the cybercrime treaty the states can explore avenues to access information that both require[167] and do not require mutual assistance[168] from the European state.  As to those provisions that do not require mutual assistance, the production order provision of the treaty[169] provides that law enforcement may gain access to data that is outside their territory if the person who owns the computer is in their territory or if the ISP concerned provides service in their territory.  In this hypothetical, it is unlikely that the European perpetrator will travel to any of the affected Southeast Asian states.  The provision concerning ISPs,[170] however, may be helpful in certain states.  Singapore substantially restricts those who can operate ISPs in the state’s territory,[171] so it is unlikely that the European perpetrator utilized an ISP from which the Singapore authorities can obtain assistance.  The laws concerning ISPs in Thailand and Hong Kong are not so restrictive, so it is possible that the perpetrator will have utilized an ISP operating both in the victim state and in the European state.  Noting the likely sophistication of the cybercriminal, odds favor the fact that he will have used more than one ISP to instigate the attack.  If this is the case, then the authorities in Thailand and Hong Kong may be able to trace part of the path of the perpetrator, but will likely be frustrated once the perpetrator’s path switches to a second ISP.  Under the trans-border access provision of the treaty,[172] any of the three victim states can access information if it is publicly available on the Internet or if the perpetrator gives consent for the authorities to access the information.  It is unlikely that either of these conditions will be met.

{42}         Because it is unlikely that the above mentioned treaty articles will provide access to critical evidence, Singapore, Thailand, and Hong Kong may utilize the mutual assistance articles of the treaty.[173]  Singapore, Thailand, and Hong Kong will be required to satisfy the conditions provided for by the law of the European state, the state from whom the information is requested.[174]  The laws of the European state require a warrant for search and seizure.  Hong Kong easily meets this standard, as their domestic laws require court-issued warrants.[175]  It is unclear whether Thailand’s normal procedure in search and seizure cases would meet the requirement of the European state. Thailand’s laws require a warrant before the search and seizure is undertaken, but in many cases the police issue the warrant.[176]  Thai officials may be required to secure a warrant from a judge – a process not provided for under their domestic law.  The Singapore situation is also complicated.  Under the ETA,[177] no warrant is required in Internet cases.  Regardless of this domestic law, Singapore officials may be required to secure a warrant from a judge in order to benefit from mutual assistance.

{43}         As to collecting evidence, it is likely that Thailand and Hong Kong could retrieve data from an ISP, but less likely that the ISP used by the European perpetrator would have been one who operated in Singapore – thus decreasing the likelihood that Singapore authorities would obtain useful information from a Singapore-affiliated ISP.  As for mutual assistance, Hong Kong could easily obtain mutual assistance from the European state, while Thailand and Singapore could face potentially irreconcilable complications. 

{44}         If the investigations were successful, each of the victim states would desire to prosecute the European perpetrator.  To do so, the individual state must have a domestic law that outlaws the specific activity in question.  Thus, Thailand could not prosecute until after such time as it adopted cybercrime legislation.  Because Thailand has no laws under which to prosecute, it would have to request that the European state prosecute and argue that jurisdiction was proper for the European state because the perpetrator was physically located there.[178]  In contrast, Hong Kong could prosecute under the PDPA[179] and Singapore could prosecute the perpetrator under the CMA.[180]  To proceed with prosecution, Hong Kong and Singapore would need to establish jurisdiction over the European perpetrator.  Under the cybercrime treaty, jurisdiction is conferred by territory,[181] among other provisions.  Hong Kong would have to argue that this provision refers to the territory where the damage occurred.[182]  Singapore would cite the CMA,[183] which clarifies any jurisdictional confusion by stating that jurisdiction extends to anyone who commits a crime under the act.  As to prosecution, Thailand could not prosecute while Hong Kong and Singapore could prosecute, if they could establish jurisdiction.

{45}         Regarding recovery of damages by the victim, the victim could not currently recover in Thailand because the state has no laws concerning recovery for damages incurred as a result of Internet crimes. In Hong Kong, the victim has the ability to recover damages under the PDPA.[184]  In Singapore, the victim could recover under the CMA.[185] Thus, the victim in Thailand could not recover for damages while a victim in Hong Kong or Singapore likely could recover.  As is demonstrated by this hypothetical, the outcomes under the treaty would vary greatly based on the domestic laws in the states.

2. Hypothetical Two: Southeast Asian Perpetrators and European Victim

{46}         In the second hypothetical, a European person has been the victim of cybertheft at the hands of three Southeast Asian perpetrators – one from Singapore, one from Thailand, and one from Hong Kong.  The European state wants to investigate with the aim of prosecuting the perpetrator.  First, the European state must determine if access to evidence is possible.  Next, the state must decide if prosecution is viable.  In addition, a determination needs to be made as to whether the victim can recover damages.

{47}         While the European state faces the same basic problems as those faced by the victim states in the first hypothetical, the mutual assistance request sheds light on a particularly illuminating result that arises under the treaty.  When requesting mutual assistance, the European state will be required to satisfy the conditions provided for by the law of the state from which it is requesting assistance.[186]  The European state will successfully meet the requirements of Hong Kong’s domestic laws because both the European state and Hong Kong require court-issued warrants.[187]  In requesting information from Thailand and Singapore, the European state will encounter a troublesome situation for privacy advocates.  Thailand does not require a court-issued warrant[188] and Singapore requires no search warrant.[189]  Thus, the European state would not be required to procure a search warrant to obtain information from Thailand or Singapore.

{48}         This second hypothetical highlights the problems associated with the treaty utilizing safeguards provided under domestic laws.  As privacy advocates have lamented, the treaty lacks necessary search and seizure procedural safeguards.[190]  By requiring no specified procedures in trans-border search and seizure, the treaty allows the European state to benefit from investigations undertaken without protections that would be required if the search were undertaken in the European state.  The lack of required search and seizure procedures may allow a ‘race to the bottom’ in regards to protection of privacy.  Because the outcome of an interaction between states with differing levels of domestic privacy protection likely decreases the currently provided protection in at least some of the states involved, the treaty has not successfully maintained, much less increased, guarantees of privacy while increasing police power.

V. WHY THE OUTCRY OVER PRIVACY AND WHY IT IS LIKELY TO CONTINUE

A. Current International Concept of Privacy

{49}         Because the treaty affords the protections found in domestic laws as well as the protections found in international treaties, the second set of safeguards examined are provided by relevant human rights treaties.  To appreciate the protections provided by international treaties, one must grasp the meaning of the term privacy and understand the specific aspects of privacy granted protection under international law.  Alan Westin, one of the world’s foremost authorities on privacy, explains privacy as “the voluntary and temporary withdrawal of a person from the general society through physical or psychological means . . .”[191]  In the legal realm, this equates to “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”[192]  Due to the multi-faceted nature of the legal term, privacy has been divided into four general categories: privacy of association, privacy in making intimate decisions, privacy from unwanted intrusions, and privacy of personal information.[193]  Associational privacy is freedom from interference of relationships with individuals or groups.[194]  Decisional privacy involves freedom from interference in intimate personal decisions.[195]  Privacy from unwanted intrusions relates to physical and electronic invasion.[196]  Privacy of personal information concerns “the rights of individuals to control information about themselves.”[197]

{50}         The current international understanding of privacy encompasses the protections secured in the Universal Declaration of Human Rights ("UDHR") and in the International Covenant on Civil and Political Rights ("ICCPR").[198]  Under the UDHR, privacy of communication, freedom of expression, and criminal procedure protections are secured.[199]  Privacy of communication is protected from arbitrary government interference.[200]  As to freedom of expression, the UDHR protects an individual’s right to hold a belief and to exchange information and ideas through any media.[201]  In the area of criminal procedure protections, the UDHR protects individuals from arbitrary arrest and detention.[202]  The ICCPR clarifies the general guidelines of privacy put forth in the UDHR.[203]  In the ICCPR, communications are protected primarily from divulgence to anyone but the intended recipient and against interruption or interference.[204]  The safeguards only apply to “arbitrary or unlawful” interference.[205]  According to the ICCPR, freedom of expression is protected “regardless of frontiers.”[206]  However, special responsibilities are attached to the rights associated with freedom of expression, meaning that the rights may be restricted under certain circumstances.[207]  Approved justifications for governments to implement laws to restrict freedom of expression include protection of national security or public order and respect for the rights of others.[208]  In the criminal procedure arena, pertinent protections in the ICCPR pertain to lawful arrests, judicial control for criminal procedures concerning arrests, and judicial review of the legality of arrests.[209] This means judicial review ensures privacy protection against unreasonable intrusions by government actors engaged in investigation or arrest activities.  The General Assembly of the United Nations made the provisions of the ICCPR applicable to violations by governments, businesses, and rogue individuals.[210]

{51}            When examined in light of the categories of privacy introduced at the beginning of the section, the international understanding of privacy touches all the categories but does not provide full coverage to the ideas encompassed in the categories.  Both privacy of communication and freedom of expression provide some protection in the area of associational privacy by allowing an individual to maintain secret communications with groups or individuals disfavored by governments.  Decisional privacy is peripherally guarded by freedom of expression because this protection allows an individual to receive or impart information concerning a sensitive decision.  Privacy of communication provides some protection in the area of privacy of personal information by guarding communications from interruption or interference as well as keeping the communications from anyone except the intended recipient.  Criminal procedure protections provide defense from unwanted intrusions and protect personal information by limiting a government’s ability to intrude upon personal information. (See Chart 1.)

B. Privacy Concept in the Internet Age

{52}         In revisions to the treaty, the drafters added a provision that would guard human rights in accordance with currently existing protections provided in international treaties.[211] Those involved with GILC envisioned a “forward-looking” interpretation[212] of these international instruments, arguing the privacy of communication, freedom of expression, and criminal procedure protections extend to cyberspace.[213]  The problem with this “forward-looking” assessment by members of GILC is that the philosophers and diplomats whose ideas shaped the current international standard did not and could not consider the vast privacy concerns associated with the Internet. 

{53}         These privacy concerns center on the collection and possible misuse of data.[214]  The potential opportunities to exploit data are growing exponentially because technological developments are lowering the cost of data collection and surveillance while increasing the quality and quantity of the data.[215]  In this Age of the Internet, consumers are concerned that governments are selling personal information – ranging from driver’s license data, to health records, to tax documents – to make a profit[216] and that e-companies are using consumer preferences for business advantages.  In essence, the all-seeing eye from George Orwell’s 1984 “need not necessarily belong to the government, as many in the private sector find it valuable to conduct various forms of surveillance or to ‘mine’ data collected by others.”[217]  Today’s privacy concerns encompass violations from governments, businesses, and rogue individuals.[218]

{54}              The drafters of this treaty had the opportunity to address this monumental development in the privacy arena by requiring signatory states to adopt new domestic laws guaranteeing privacy rights against governments, businesses, and rogue individuals.  Although the rights would vary from state to state, this could have been a major step in protecting informational privacy,[219] which is as critically important in the Internet Age as the ability to prosecute cybercrimes.

VI. SOLUTIONS FOR BALANCING THE SCALES BETWEEN POLICE POWER AND PRIVACY

{55}         The cybercrime treaty addresses the need to expand police power in an age when one individual in the Philippines unleashed a computer virus[220] that succeeded in creating $8 billion worth of damage to computer systems around the world.[221]  The treaty, however, creates an imbalance in the scales that weigh police power and privacy by introducing new procedural powers for police to search and seize computer data, to investigate cybercrimes outside their state, and to receive mutual assistance in cross-border investigations, without increasing protection for personal privacy.[222]  Although the drafters of the treaty were “mindful of the need to ensure a proper balance between the interests of law enforcement and respect for fundamental human rights,”[223] the treaty largely sidesteps this balancing act by failing to address protection of privacy in the Age of the Internet.

A. The Theoretical Answer

{56}         To understand the missed opportunity to increase privacy protection, it is necessary to examine an Internet-Age concept of privacy – informational privacy.  While the general concept of privacy encompasses associational privacy,[224] decisional privacy,[225] privacy from unwanted intrusions,[226] and privacy of personal information,[227] informational privacy focuses only on the last two of these classifications.

{57}         Today’s most talked about privacy violations are those where e-mails are obtained by governments and where clickstreams[228] are tracked by businesses.  These are violations related to how information was obtained; in these examples, information was obtained by means of unwanted electronic intrusions.  In most instances, the person whose privacy was violated generated the data that was later captured.  In the government invasion, the person had written the e-mails.  When the business intruded, the person had created a clickstream as he viewed numerous webpages.  These unwanted electronic invasions are one type of violation of a person’s privacy.  Violations related to privacy of personal information are a second type common in the Internet Age; these violations pertain to a person’s ability to control how information about him is used.  In this category, the information may or may not have been generated by the person.  An example of personal information not generated by the individual is a social security number.  The number is assigned by the government, yet is considered to be personal information that helps to verify the identification of the individual.  In this category of privacy, the information may or may not be physically controlled by the individual.  An example of information not held by the person is the record of an individual’s bank account, which is stored on the bank’s computer system.  These foregoing examples sketch an outline of aspects of informational privacy that could have been protected by the treaty.

{58}         Because informational privacy may be violated by governments as well as by businesses and rogue individuals, the concept may be divided into four categories – privacy from unwanted intrusions by governments, privacy of personal information against governments, privacy from unwanted intrusions by businesses and rogue individuals, and privacy of personal information against businesses and rogue individuals.  (See Chart 2.)  For each of these categories, a prominent U.S. legal scholar has written a forward-looking account that provides insight into the concept of informational privacy in the Internet Age.[229]

{59}         Justice Louis Brandeis addressed the issue of privacy from unwanted government intrusion in a U.S. Supreme Court case concerning whether such privacy protection extended to invasions that were not physical in nature.[230]  Arguing in his famous 1928 Olmstead dissent[231] that the protection did indeed extend to non-physical invasions, Brandeis asserted, “It is not . . . the rummaging of his drawers that constitutes the offense, but it is the invasion of his indefeasible right of personal security, personal liberty and private property . . .”[232] Brandeis contended that the individual should be protected from any form of unreasonable government intrusion because the privacy protection stemmed from a person’s most basic right, the right to be left alone.[233]  He argued that government violated this fundamental right of privacy with every unjustified intrusion, regardless of the means that might be developed to effectuate the invasion.[234]  In the dissent, Brandeis foreshadowed government invasion of e-mail messages by suggesting that, in the future, the government would be able to reproduce personal information in court without removing the papers from the person’s house.[235]  Brandeis’ forward-looking legal thinking laid the groundwork for the assertion that individuals have a right against unreasonable electronic intrusion by government.[236]

{60}         A second category of informational privacy focuses on yet another right against unreasonable government imposition.  Justice William Brennan discussed this second category, privacy of personal information against government, in his dissent in the 1976 U.S. Supreme Court case of United States v. Miller.[237]  The case centered on whether the defendant had a right of privacy in personal information that was not under his physical control; in this case the data had been technologically captured[238] in bank records.[239]  Even though the individual had physically released the information from his control, Brennan argued that the defendant had a reasonable expectation that the data would remain confidential between the bank and him,[240] unless the government provided sufficient documentation to garner a warrant or subpoena.[241]  Brennan warned that the door had been opened for abuse of government power because the Court had affirmed the government’s obtaining the information at issue without first demonstrating to a judicial official the need for such information.[242]  His concern was that unfettered government access to personal information could be used to create a “virtual . . . biography,” which could reveal “many aspects of . . . [a person’s] affairs, opinions, habits, and associations.”[243]  Brennan advocated for a right against unreasonable invasion of personal information by government.

{61}         While forward-looking discussions of the two categories of informational privacy that address government violations arose in U.S. Supreme Court cases, discussions of these categories of informational privacy in relation to violations by businesses and rogue individuals appeared in two preeminent journal articles.  In an influential piece on privacy, William Prosser[244] explained the tort of unwanted intrusion by businesses and rogue individuals.[245] Prosser agreed with Brandeis’ assertion that the invasion need not be physical in nature[246] and outlined a two-part test for violation of the tort.  First, he asserted that there must be prying, meaning that the intrusion must be of a nature that would be offensive to a reasonable person.[247]  The second requirement explained by Prosser was that the information at issue must be entitled to be private, meaning that there be no legal requirement that it be public and that it not be public information.[248]  Prosser’s work advocated for the torts of privacy, particularly the tort of unwanted intrusion by businesses and rogue individuals.

{62}         Louis Brandeis and Samuel Warren wrote the seminal article on the issue of privacy in 1890.[249]  Brandeis and Warren spoke of the right to keep information about oneself out of the public eye.[250]  Although much of the focus was on publicity afforded to the creations of an author,[251] Brandeis and Warren stepped beyond this narrow focus.  The two declared that protection should be afforded to information that concerns the “private life, habits, acts, and relations of an individual.”[252]  Their advocacy was for the protection of privacy of personal information against businesses and rogue individuals.  In their scheme, recovery from businesses and rogue individuals would be provided through tort law.[253]  The outcome of the tort action would be driven by the facts of the specific case[254] and would be balanced against the demands of public welfare and private justice.[255]  As in the case of unwanted invasion by government, Brandeis envisioned privacy of personal information as part of “the more general right of the individual to be let alone.”[256] 

{63}         While Brandeis linked the differing aspects of privacy under the umbrella term of the right “to be let alone,”[257] this section has laid out the aspects of another umbrella term, informational privacy.  In the preceding paragraphs, protection of informational privacy from violation by government has been explored as a right[258] while tort law[259] has been examined as a means to address violations by businesses and rogue individuals.  Unfortunately, the drafters of the treaty simply failed to address any protection of informational privacy.

B. The Practical Balancing Act

{64}         The particular increase in government police power provided for under the treaty will result in the loss of particular types of privacy for all individuals.  Under the treaty, an individual’s expectation of privately storing data in computer systems will be lessened because such data will be available for search and seizure in criminal investigations.[260]  Anonymity of communications will also likely be compromised.  To rebalance the scales between police power and privacy, a guaranteed protection of individual privacy needs to offset the increase in police power.  As additional police power was called for because of the nature of the Internet, an increase in privacy protection is warranted in Internet-related activity to rebalance the police power/privacy scales.  Particularly, the offsetting measure should involve increased informational privacy protection for individuals against unwanted invasion, whether by governments, businesses, or rogue individuals.

{65}         While the ideal solution to the issue of informational privacy would be for all states to adopt domestic legislation that protected individuals from unreasonable invasions by governments, businesses, and rogue individuals, it is impractical to believe that every state would currently adopt such a policy.[261]  The best alternative available would have been for the drafters to have advocated for increased privacy protections in those states that were willing to adopt an informational privacy system while assuring that at least some minimal protections were guaranteed in all states that become parties to the cybercrime treaty.

{66}         In those states that are interested in protecting informational privacy, a system that provides a remedy for invasion would best protect the individual.  While some argue that the content of cyberspace should be regulated,[262] it makes little sense to argue for such a scheme when discussing personal data.  Personal data may be used in as many ways that benefit the individual as ways that harm the individual.  Thus, to require that personal data be removed from cyberspace would create an unmanageable system.  Instead, the individual should be guaranteed the right to pursue legal action against governments, businesses, and rogue individuals when personal information is used in unacceptable ways.[263]  The particulars of this system would be developed through domestic law.

{67}         For those states that are not willing to guarantee this level of informational privacy, the treaty should have, nonetheless, required some level of protection.  Henrik Kaspersen, chairman of the Committee on Experts on Crime in Cyber-Space for the Council of Europe, explained that the drafters did not want to leave privacy out of the treaty but found it impossible to include one international standard for privacy protection.[264]  As such, the goal should not have been one world standard but an incremental increase from the level of informational privacy protection currently provided by each state.  This increase in informational privacy would have been an important step in rebalancing the police power and privacy scales of justice.

VII. CONCLUSION

{68}         Today, cyberspace allows for many of the same activities as Main Street.  Individuals can engage in cybershopping, cyberdating, and cyberlearning.  As with Main Street, however, there is also a sinister element at work that is engaged in cybertheft, cyberfraud, and cyberdamage.  To deal with these new cybercrimes, law enforcement officials require increased powers to investigate crimes involving computer systems.  The cybercrime treaty will provide law enforcement with these needed powers.  Such an increase in police power raises concerns about privacy protections.  A treaty provision that ensured an incremental increase in informational privacy would have been an important step in allaying privacy concerns.  As the treaty stands, individuals must rely on domestic laws and international treaties for protection. Without new domestic laws and revitalized interpretations of old international human rights treaties, the provided protections may prove to be paltry.



ENDNOTES

* Ms. Kennedy graduated from Emory University School of Law in December 2001 and is a licensed attorney in Georgia. She has served as the Atlanta bureau chief for The Internet Law Journal and has worked as a research assistant for the Center for Social and Legal Research, a non-profit organization focused on privacy issues.

[1] See CBS News Online, Love Bug Suspect Off the Hook, at http://www.cbsnews.com/stories/2000/08/21/tech/main226472.shtml (Aug. 21, 2000).

[2] See generally Jay Krasovec, Cyberspace: The Final Frontier, for Regulation?, 31 AKRON L. REV. 101, 103 n.1 (1997) (defining cyberspace generically “to encompass the use of electronic communications over computer networks mainly via the Internet”).

[3] Susan Gindin, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 SAN DIEGO L. REV. 1153 (1997) (using term from title of Gindin’s article).

[4] See generally James Evans, Cyber-Crime Laws Emerge, but Slowly, IDG.net, available at http://www.cnn.com/2000/TECH/computing/07/05/cyber.laws.idg/ (July 5, 2000) (describing how the "I Love You" virus brought attention to the need for domestic cybercrime laws).

[5] See Gavin Skok, Establishing a Legitimate Expectation of Privacy in Clickstream Data, 6 MICH. TELECOMM. & TECH. L. REV. 61, 61 (1999/2000) (explaining that the “prying eyes” concept refers to those who track individuals’ activities on the Internet).

[6] The draft released was number 19. Crime in Cyberspace: First Draft of International Convention Released for Public Discussion, at http://conventions.coe.int/Treaty/EN/ (criminalizing illegal access, interception, or interference with computer systems) [hereinafter Convention Draft].

[7] Juliana Gruenwald, Europeans Defining the Long Arm of The Cyberlaw, at http://news.zdnet.co.uk/story/0,,s2081836,00.html (Sept. 25, 2000) (on file with the Richmond Journal of Law & Technology) (noting that the treaty requires states to “provide law enforcement authorities with the ability to conduct computer searches and seize computer data”); see also Convention Draft, supra note 6 (subjecting treaty powers to conditions and safeguards as provided for under national law).

[8] See, e.g., LIBERATING CYBERSPACE: CIVIL LIBERTIES, HUMAN RIGHTS AND THE INTERNET 2 (Liberty ed., 1999) (“Can the requirements of law enforcement be reconciled with individuals’ right to privacy?”).  Note that technological possibilities that would theoretically guarantee complete personal privacy would also likely prevent law enforcement from tracing crimes related to such information.  See Toby Lester, The Reinvention of Privacy, THE ATLANTIC MONTHLY, Mar. 1, 2001, at 27 (detailing a piece of software that would allow the user to conduct business on the Internet in an anonymous way, to the extent that the provider would not have the names of the user to provide if subpoenaed).

[9] See ALAN F. WESTIN, PRIVACY AND FREEDOM 367 (Atheneum 1967) (detailing privacy concerns in the Information Age); see also Lester, supra note 8, at 27 (discussing the forward looking nature of the 1967 privacy book by Westin).  The argument for protection of privacy assumes that individuals have an expectation of privacy concerning personal information, but that this expectation has, for the most part, not been protected by law.  See LIBERATING CYBERSPACE: CIVIL LIBERTIES, HUMAN RIGHTS AND THE INTERNET 6 (Liberty ed., 1999).

[10] The term ‘hacking’ is somewhat confusing because people use the term to refer to different types of activities.  A comprehensive definition of hacking includes numerous aspects of the term.  A hacker is “[a] person who enjoys exploring the details of computers and how to stretch their capabilities.” Sans Institute Resources, NSA Glossary of Terms Used in Security and Intrusion Detection, at http://www.sans.org/newlook/resources/glossary.htm (Apr. 1998).   A hacker is “[a] malicious or inquisitive meddler who tries to discover information by poking around.” Id.  A hacker is “[a] person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary.” Id.

[11] A virus is “[a] program or piece of code that is loaded onto [a] computer without [the user’s] knowledge and runs against [the user’s] wishes.” Webopedia, at http://webopedia.internet.com/TERM/v/virus.html (last modified Feb. 5, 2002).

[12] David Goldstone & Betty-Ellen Shave, International Dimensions of Crimes in Cyberspace, 22 FORDHAM INT’L L.J. 1924, 1925 (1999); Skok, supra note 5, at 68 n.23.

[13] In most instances, commentators distinguish juvenile cybercriminals, who are believed to be acting mischievously but not maliciously, from advanced criminals, who are expected to cause serious consequences by their actions. MODEL CODE OF CYBERCRIMES INVESTIGATIVE PROCEDURE Art. 1, § 2(c), at http://cybercrimes.net/MCCIP/art1.htm (2001).

[14] See id.

[15] See id.

[16] See id.

[17] See id.

[18] See id.

[19] See id.

[20] U. Sieber, Computer Crime and Criminal Information Law – New Trends in the International Risk and Information Society, Section E, Criminal Procedural Law, at  http://www.uplink.com.au/lawlibrary/Documents/Docs/Doc122.html (last visited Sept. 17, 2002) (on file with the Richmond Journal of Law & Technology).

[21] Goldstone & Shave, supra note 12, at 1925.

[22] See id.

[23] See id.

[24] See id.

[25] Sieber, supra note 20. 

[26] Goldstone & Shave, supra note 12, at 1937-38.

[27] Id. at 1937.

[28] One of the two forms of encryption is public-key encryption. Public-key encryption is “[a] cryptographic system that uses two keys – a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it. An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.”  Webopedia, at http://webopedia.internet.com/TERM/p/public_key_cryptography.html (last modified Oct. 29, 2001).

[29] Interview with Bill Thompson, Internet Privacy and Security Issues Expert for Special Services Group, in Atlanta, Ga. (Sept. 15, 2000); see also Sieber, supra note 20.

[30] The cybercriminal is able to remain anonymous not because the technology does not exist to track him, but because the resources needed to train and fund law enforcement in tracing techniques are generally not adequate.  Interview with Bill Thompson, Internet Privacy and Security Issues Expert for Special Services Group, in Atlanta, Ga. (Sept. 15, 2000). 

[31] Goldstone & Shave, supra note 12, at 1937; see also Nan Hunter, et al., Contemporary Challenges to Privacy Rights, 43 N.Y.L. SCH. L. REV. 195, 198 (1999).

[32] See MODEL CODE OF CYBERCRIMES INVESTIGATIVE PROCEDURE Art. VII, at http://cybercrimes.net/MCCIP/art7.htm (2001) (obtaining evidence - search and seizure).

[33] Sieber, supra note 20.

[34] Goldstone & Shave, supra note 12, at 1938-39.

[35] Id.

[36] “In addition to the formal concerns related to substantive laws and procedural laws, international computer crime investigations are hampered by a variety of operational issues.” Id. at 1939.  These concerns include: “expertise and coordination,” “communication,” and “timeliness.” Id.; see also Cybercrime Part II – Law Enforcement Challenges, 54 MISHPAT CYBERLAW INFORMER, at http://mishpat.net/cyberlaw/archive/cyberlaw54.shtml (last visited Sept. 20, 2001).

[37] In April 2000, the treaty was released to the public via the Website of the Council of Europe. Drafters of the treaty had been working on the project since May 1997.  Reuters, Cybercrime Treaty Gets a Makeover, available at http://news.zdnet.co.uk/story/0,,s2082557,00.html (Nov. 14, 2000).

[38] The Council of Europe is a “41-nation human rights watchdog.” Id.

[39] Gruenwald, supra note 9 (describing reaction to the release of Draft 19).  As noted in Part I of the paper, problems associated with the international nature of the crimes include the cooperation needed between states to adequately investigate such crimes and the hurdles created when the activity is not illegal in one of the states involved. 

[40] Id. 

[41] Evans, supra note 4.

[42] The council included these additional countries because of the high level of Internet activity in each country. Eighty percent of the world's Internet traffic emanates from the states participating in the negotiations. Reuters, Cybercrime Treaty Gets a Makeover, available at http://news.zdnet.co.uk/story/0,,s2082557,00.html (Nov. 14, 2000).

[43] Id.

[44] Preamble, Final Draft Convention on Cyber-crime,  at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[45] Convention Draft, supra note 6. The final draft is available at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[46] In this paper, I have omitted discussion of Offenses Related to Child Pornography (Article 9), Intellectual Property (Article 10), Attempt and Aiding and Abetting (Article 11), and Corporate Liability (Article 12).  Id.

[47] For a definition of “illegal devices,” see infra note 57.  Similar categories are also used in a report compiled by McConnell International concerning the state of cybercrime laws throughout the world.  This report divided cybercrime into the categories of data crimes, network crimes, access crimes, and related crimes. The data crimes category included data interception, data modification, and data theft. Included in the network crimes category were network interference and network sabotage. The access crimes category included unauthorized access and virus dissemination. Included in the related crimes category were aiding and abetting cybercrimes, computer-related forgery, and computer-related fraud. MCCONNELL INT’L, CYBER CRIME… AND PUNISHMENT? ARCHAIC LAWS THREATEN GLOBAL INFORMATION, at http://www.mcconnellinternational.com/services/CyberCrime.htm (Dec. 2000).

[48] Article 2 defined illegal access as “intentional[] . . . access to the whole or any part of a computer system without right.” Convention Draft, supra note 6.

[49] Because the particulars of the offenses are enacted through domestic legislation, the act of breaching the system and the act of obtaining the data might or might not both be illegal in a particular state.

[50] Article 3 defined illegal interception as “intentional[] . . . interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, as well as electromagnetic emissions from a computer system carrying such data.” Article 4 defined data interference as “intentional[] . . . damaging, deletion, deterioration, alteration, or suppression of computer data without right.” Convention Draft, supra note 6.

[51] MCCONNELL INT’L, CYBER CRIME… AND PUNISHMENT? ARCHAIC LAWS THREATEN GLOBAL INFORMATION, at http://www.mcconnellinternational.com/services/CyberCrime.htm (Dec. 2000).

[52] Article 5 defined system interference as “intentional[]…serious hindering without right of the functioning of a computer system by inputting, damaging, deleting, deteriorating, altering or suppressing computer data.” Convention Draft, supra note 46.

[53] A denial of service attack is “a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic.” Webopedia, at http://webopedia.internet.com/TERM/D/DoS_attack.html (last modified Feb. 6, 2002).

[54] A computer virus is “an insidious piece of computer code written to damage systems. Viruses can be hidden in executable program files posted online.” Netdictionary, at  http://www.netdictionary.com/html/v.html (last visited Sept. 20, 2001).

[55] A computer worm is “an insidious and usually illegal computer program that is designed to replicate itself over a network for the purpose of causing harm and/or destruction. While a virus is designed to invade a single computer's hard drive, a worm is designed to invade a network. The most infamous worm was created by Robert Tappan Morris in November 1988; it infiltrated over 6,000 network systems around the globe.” Netdictionary, at http://www.netdictionary.com/html/w.html (last visited Sept. 20, 2001).

[56] Article 6 defined an illegal device as “a device . . . [used] for the purpose of committing any of the offenses established in accordance with Article 2-5.” MCCONNELL, supra note 47.

[57] Brian Krebs, Tech Groups Still Wary of International Cyber-Crime Treaty, at http://www.newsbytes.com/news/00/158848.html (last modified Dec. 1, 2000) (on file with the Richmond Journal of Law & Technology) (covering the continuing concerns of security professionals over the illegal devices provision of the cybercrime treaty even after revisions attempted to address the perceived problem). 

[58] Convention Draft, supra note 6.

[59] “Without right” is not fully defined in Articles 2-6. The draft provided the option for the state to add the requirement of dishonest intent to the criminal definition. Convention Draft, supra note 6.

[60] Convention Draft, supra note 6 (draft number 19).  

[61] Article 14 of draft number 19 “empower[ed] competent authorities to search or similarly access a computer system . . . and computer data stored therein.” In the article, the “competent authorities” were empowered to “seize or similarly secure computer data accessed . . . in view of their possible use in criminal investigations and proceedings.” Convention Draft, supra note 6.

[62] In addition to seizure, Article 14 of draft number 19 authorized “mak[ing] and retain[ing] a copy of those computer data” and “render[ing] inaccessible or remov[ing] those computer data.” Convention Draft, supra note 6.

[63] Article 15 of draft number 19 authorized “competent authorities to order a person in its territory . . . to submit specified computer data under this person’s control.” Convention Draft, supra note 6.

[64] Article 16 of draft number 19 enabled “competent authorities to order . . . the expeditious preservation of data that is stored by means of a computer system, at least where there are grounds to believe that the data . . . is [] particularly vulnerable to loss or modification.” Article 17 of the same draft “ensure[d] the expeditious preservation of [] traffic data [concerning a specific communication], regardless of whether one or more service providers were involved in the transmission of that communication.”  Convention Draft, supra note 6.

[65] Convention Draft, supra note 6.

[66] Margret Johnston, US Companies Find Europe’s Cyber Crime Treaty Too Vague: Americans Fear Individual Countries’ Due-Process Laws Could be Violated, IDG News Service, at http://www.e-businessworld.com/english/crd_treaty_321309.html (Dec. 8, 2000) (on file with the Richmond Journal of Law & Technology) (detailing concerns by US companies that cybercrime treaty has provisions that may cause harm to those with no intention of breaking the law).

[67] Article 19 of draft number 19 provided that a state had jurisdiction “when an offense [was] committed in whole or in part in its territory, or on a ship, an aircraft, or a satellite flying its flag or registered in that Party, or by one of its nationals.” The article stated that it did “not exclude any criminal jurisdiction exercised in accordance with national law.” Convention Draft, supra note 6.

[68] Article 20 in draft 19 provided for the “application of relevant international instruments on international co-operation in criminal matters.”  Article 21 concerned extradition. It stated that the criminal offences established in the treaty “shall be deemed as extraditable offences in any extradition treaty” existing between parties and for parties that do not have an extradition treaty the cybercrime treaty may be considered the basis for extradition. Article 22 provided for mutual assistance. In particular, the article provides for “mutual assistance to the widest extent possible for the purpose of investigations and proceedings concerning criminal offences relating to computer systems and data, or for the collection of electronic evidence of a criminal offence.” Article 27 outlined access to computer data outside one’s territory without the need for mutual assistance. In the case where computer data is publicly available, mutual assistance is not required regardless of the geographic location of the data. A state may also access computer data outside its territory, without the aid of mutual assistance, when it obtained the “voluntary consent of the person who has the lawful authority to permit the [state] access… to that data.” Convention Draft, supra note 6.

[69] The Council has given no explanation for the lack of openness in the first three years of negotiations. Reuters, Cybercrime Treaty Gets a Makeover, at http://news.zdnet.co.uk/story/0,,s2082557,00.html (Nov. 14, 2000); Rick Perera, UPDATE: Human Rights Groups Slam Cyber Crime Pact, at http://www.idg.net/ic_273062_1794_9-10000.html (Oct. 18, 2000). See also Gruenwald, supra note 7. In the GILC letter, the coalition writes, “We also object in very strong terms to the manner under which this proposal was developed. Police agencies and powerful private interests acting outside of the democratic means of accountability have sought to use a closed process to establish rules that will have the effect of binding legislation. We believe this process violates requirements of transparency and is at odds with democratic decisionmaking.” Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[70] Although it is unclear why the author of the article Cybercrime Treaty Gets a Makeover chose to state that the council was "inundated" with over 400 e-mails when there are millions of on-line users, a fair reading of the statement may take into consideration the relative obscurity of the proposal. Few Internet media sources covered the proposal, suggesting that the 400 people who e-mailed were interested enough to find the treaty by partaking of their own searches.  Reuters, Cybercrime Treaty Gets a Makeover, at http://news.zdnet.co.uk/story/0,,s2082557,00.html (Nov. 14, 2000); see also Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[71] Robert Lemos, Coalition Slams Cybercrime Treaty, at http://www.zdnet.com/zdnn/stories/news/0,4586,2642290,00.html (Oct. 18, 2000).

[72] The Global Internet Liberty Campaign is a coalition of 29 international cyber-rights organizations that joined forces to speak out against the proposed treaty. Organizations included in the coalition are the U.S.'s American Civil Liberties Union, Bits of Freedom, U.K.'s Cyber-Rights and Cyber-Liberties, Electronic Frontiers Australia, Russia's Human Rights Network, France's IRIS, Spain's Kriptopolis, and South Africa's LINK Centre.  See Lemos, supra note 71; Rick Perera, Update: Human Rights Groups Slam Cyber Crime Pact, at http://www.idg.net/ic_273062_1794_9-10000.html (Oct. 18, 2000).

[73] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000). The letter also addresses copyright crimes, but that provision of the treaty is beyond the scope of this paper.

[74] Article 6 of the proposed treaty defined an illegal device as “a device . . . [used] for the purpose of committing any of the offenses established in accordance with Article 2-5.” Convention Draft, supra note 6.

[75] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[76] Krebs, supra note 57 (covering the continuing concerns of security professionals over the illegal devices provision of the cybercrime treaty even after revisions attempted to address the perceived problem).

[77] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (last modified Oct. 18, 2000).

[78] Article 20 provided for the “application of relevant international instruments on international co-operation in criminal matters.”  Article 21 concerned extradition. It stated that the criminal offences established in the treaty “shall be deemed as extraditable offences in any extradition treaty” existing between parties and for parties that do not have an extradition treaty the cybercrime treaty may be considered the basis for extradition. Article 22 provided for mutual assistance. In particular, the article provides for “mutual assistance to the widest extent possible for the purpose of investigations and proceedings concerning criminal offences relating to computer systems and data, or for the collection of electronic evidence of a criminal offence.” Article 27 outlined access to computer data outside one’s territory without the need for mutual assistance. In the case where computer data is publicly available, mutual assistance is not required regardless of the geographic location of the data. A state may also access computer data outside its territory, without the aid of mutual assistance, when it obtained the “voluntary consent of the person who has the lawful authority to permit the [state] access . . . to that data.” Convention Draft, supra note 6.

[79] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[80] Article 14 “empower[ed] competent authorities to search or similarly access a computer system . . . and computer data stored therein.” In the article, the “competent authorities” were empowered to “seize or similarly secure computer data accessed . . . in view of their possible use in criminal investigations and proceedings.” Article 15 authorized “competent authorities to order a person in its territory . . . to submit specified computer data under this person’s control.” Article 16 enabled “competent authorities to order…the expeditious preservation of data that is stored by means of a computer system, at least where there are grounds to believe that the data . . . is [] particularly vulnerable to loss or modification.”  Article 17 “ensure[d] the expeditious preservation of [] traffic data [concerning a specific communication], regardless of whether one or more service providers were involved in the transmission of that communication.” Convention Draft, supra note 6.

[81] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[82] Article 17 of the proposed treaty “ensure[d] the expeditious preservation of [] traffic data [concerning a specific communication], regardless of whether one or more service providers were involved in the transmission of that communication.” Convention Draft, supra note 6.

[83] Steven Abood, The Draft Convention on Cybercrime: What Every Internet Service Provider Should Know, at http://www.tilj.com/content/webarticle02050101.htm (Feb. 5, 2001).

[84] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[85] Id. (specifically citing a violation of the Data Protection Directive of the European Union).

[86] Nadine Strossen, Contemporary Challenges to Privacy Rights, 43 N.Y.L. SCH. L. REV. 195, 198 (1999) (pursuing the same line of reasoning).

[87] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000) (“We believe that the draft treaty is contrary to well established norms for the protection of the individual [and] it improperly extends the police authority of our national government  . . . .”).

[88] A committee on crimes for the Council of Europe signed off . . . on the final draft of a broad treaty that aims to help countries fight cybercrime . . . . [The treaty] reached its 27th draft before being approved  . . . . Robert Lymos, International Cybercrime Treaty Finalized, at http://news.cnet.com/news/0-1003-200-6352408.html?tag=mn_hd (June 22, 2001).

[89] Reuters, Cybercrime Treaty Gets a Makeover, at  http://news.zdnet.co.uk/story/0,,s2082557,00.html (Nov. 14, 2000).

[90] Id. (stating that the economic crime division of the Council of Europe is overseeing the creation of the treaty).

[91] Id.

[92] “Traffic data” is defined in Article 1(d) as “any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, including the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”  Final Draft Convention on Cybercrime art. 1(d), at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm/ (Nov. 23, 2001).

[93] “Content data” is not defined in the treaty, but is defined in the Explanatory Memorandum as “[t]he message or information being conveyed by the communication (other than the traffic data).” Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto tit. 5, ¶ 209, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001). 

[94] Surprisingly, the main focus of the treaty, the harmonization of the definitions of cybercrimes, met with little opposition. One exception to this general acceptance of the definitions was the provision on illegal devices. “This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use . . . is not for the purpose of committing an offense . . . of this Convention, such as for the authorized testing or protection of a computer system.” Final Draft Convention on Cybercrime art. 6, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[95] Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto tit. 1, ¶ 73-76, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001). 

[96] Article 15 is entitled “Conditions and safeguards.” Final Draft Convention on Cybercrime art. 15, § 1, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).  These minimum safeguards are those to which the state is obliged under applicable international human rights treaties. Most of the states would be bound to those safeguards outlined in the International Covenant on Civil and Political Rights, Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto tit.1, ¶ 145, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001). 

[97] In particular, the safeguards included “judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power and procedure.”  Final Draft Convention on Cybercrime art. 15, § 2, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[98] Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto tit. 1, ¶ 147, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001). 

[99] Two provisions of the treaty provide that ISPs can only be compelled to collect data associated with specific communications.  The two articles are Article 20 -- Real-time Collection of Traffic Data and Article 21 -- Interception of Content Data.  Final Draft Convention on Cybercrime, at  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).  The memorandum defines “traffic data” as relating to the time, duration, and size of the communication while “content data” refers to the actual text or visuals.  Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto, tit. 5, ¶ 227, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001). 

[100] “[T]he Convention does not require or authorize the general or indiscriminate surveillance and collection of large amounts of traffic data. It does not authorise the situation of ‘fishing expeditions’ where criminal activities are hopefully sought to be discovered . . . .” Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto, tit. 5, ¶ 219, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001).   

[101] Business costs would include staff hours to track the data and storage space to keep records. Abood, supra note 83. 

[102] This provision was contained in both Article 20 and Article 21.  Final Draft Convention on Cybercrime, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[103] Recognizing this issue, the drafters required each state to adopt legislation to oblige the service provider to keep confidential the fact that the government was collecting data on the customer.  Id. art. 20, § 2.  According to the drafters, this would relieve the service provider of any contractual or legal obligation to notify the customer of the surveillance activity. Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto tit. 5, ¶ 226, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001).

[104] As in the original draft, trans-border access to stored computer data was allowed in certain circumstances without the consent of the state where the information was located. Access was permissible when the data was publicly available or when the investigating state obtained consent from a person who has lawful authority to disclose the data. The article pertaining to trans-border access, Article 32, provided, “A Party may, without obtaining the authorization of another Party: a. access publicly available (open source) stored computer data, regardless of where the data is located geographically; or b. access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.” Final Draft Convention on Cybercrime, at  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001) (observing that no precise definition is given for “publicly available” and that directly preceding the quoted words are the words “open source” in parentheses).

[105] Under Article 19, this invasion was authorized if the person who owned the computer was present in the state or if the ISP offered services in the state. Id. As to trans-border access without consent of the intruded state, access was allowed if the data was publicly available or if permission was gained from a person in the state who had legal authority to give such permission.  Id.

[106] David Goldstone & Betty-Ellen Shave, International Dimensions of Crimes in Cybercrime, 22 FORDHAM INT’L L.J. 1924, 1937-38 (1999).

[107] The provision concerning jurisdiction received only minor clarifications that did not address the main problem with the provision. One such minor clarification was that, under the first draft, jurisdiction based on territory could be established in relation to a satellite flying the flag of the state.  Convention Draft, supra note 6. The mention of satellites was dropped from Draft 27 of the treaty.  Final Draft Convention on Cybercrime art. 22, at  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[108] Interview with Bill Thompson, Internet Privacy and Security Issues Expert for Special Services Group, in Atlanta, Ga. (Sept. 15, 2000).

[109] Under Article 22, jurisdiction over any offence in the treaty may be established if the offence was committed “in its territory, or on board a ship flying its flag, or on board an aircraft registered under the laws of that Party, or by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.” Final Draft Convention on Cybercrime, http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[110] “When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.” Id.

[111] Evans, supra note 4.

[112] Examples involving two cybercrimes may help to clarify. In the instance of a computer virus, it may be easiest to try the perpetrator in the state where the individual was located at the time of the attack for two reasons. First, the law enforcement officials will likely be able to physically detain the individual. Second, because there are likely multiple victims in multiple states, the process of prosecuting will be simplified by occurring in only one state, namely the state where the individual is located. In a case of cybertheft, however, it may be that the drafters intended for the state where the theft occurred to have jurisdiction. Because there may only be one victim, the initial investigation of the cybertheft can easily begin by tracking the accused from the compromised computer in the victim state. This investigation can be accomplished without initially knowing where the perpetrator was located.

[113] Provisions concerning assistance between states changed little from the first publicly-released draft. Article 24 on extradition provided that the offenses in the treaty fulfilled the requirement of extraditable offenses for any existing extradition treaty between states and that the treaty would act as an extradition treaty for any states that lack such a treaty. Article 25, concerning general principles of mutual assistance, stipulated that the provisions on mutual assistance “shall be subject to the conditions provided for by the law of the requested Party or by applicable mutual assistance treaties.” Mutual assistance regarding accessing of stored computer data, discussed in Article 31, provided, “A Party may request another Party to search or similarly access, seize, or similarly secure, and disclose stored data by means of a computer system located within the territory of the requested Party.” Article 33, mutual assistance regarding the real-time collection of traffic data, stipulated that “[t]he Parties shall provide mutual assistance to each other with respect to the real-time collection of traffic data associated with specified communications in its territory transmitted by means of a computer system.” Mutual assistance regarding the interception of content data, Article 34, provided, “The Parties shall provide mutual assistance to each other with respect to the real-time collection or recording of content data of specified communications transmitted by means of a computer system to the extent applicable by their applicable treaties and domestic laws.” Articles 29 and 30 allowed for law enforcement officials to expedite requests for preservation of stored data and disclosure of preserved data.  See Convention Draft, supra note 6.

[114] In the initial draft, Draft 19, production orders applied to “a person in its territory.” No clarification of “person” or “in the territory” was provided.  Convention Draft, supra note 6.

[115] Article 18, Production Orders, empowers [a state’s] competent authorities to order a person in [the state’s] territory as well as a service provider offering its services in a territory to submit computer data under its possession or control to law enforcement officials. Final Draft Convention on Cyber-crime, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[116] Article 19 empowers competent authorities to search a computer system and to seize a computer system or a computer-data storage medium in a search.  Id.

[117] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[118] Articles 16, 17, 18, 19, 20, and 21, respectively.  Final Draft Convention on Cyber-crime, at  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[119] Article 14 calls for each state to establish the “powers and procedures” necessary for “the purpose of specific criminal investigations or proceedings.” Article 15 states that the powers and procedures shall be subject to the conditions and safeguards provided for under the domestic law of each Party concerned, with due regard for the adequate protection of human rights.  It further states that “such conditions and safeguards shall, as appropriate in view of the nature of the power or procedure concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power or procedure.”  Final Draft Convention on Cyber-crime, at  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001). 

[120] See Fletcher N. Baldwin, Jr., Cybercrime: The Dawning of the Age of the Internet, in 1 CYBERCRIME & SECURITY 18 (Alan E. Brill et al. eds., 1998).

[121] Final Draft Convention on Cybercrime art. 15, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[122] Even though the treaty will originally be open only to the 41 members of the Council of Europe and limited non-members, such as Canada, Israel, Japan, South Africa and the United States, there is a belief that the treaty will at some point become global in scope. As such, the hypotheticals examine interactions that include states not initially signatories to the treaty.  See Press Release, Council of Europe, Crime in Cyberspace: First Draft of International Convention Released for Public Discussion, at http://conventions.coe.int/treaty/en/projets/cyber.htm (Apr. 27, 2000).

[123] Several countries in this region are known as Asian Tigers due to fast growing economies that create vast concentrations of wealth. In addition, this area of the world has a significant population.

[124] See C. Keith Boone, Privacy and Community, 9 SOC. THEORY & PRAC. 1 (1983), reprinted in RICHARD C. TURKINGTON & ANITA L. ALLEN, PRIVACY LAW: CASES AND MATERIALS 16 (West 1999).  “[W]hether or not privacy and community are antagonistic depends on the kind of society in question.”  Id.

[125] “Consider two kinds of societies lying at opposite poles of the political spectrum, as in the cases of a statist totalitarian society and a liberal democracy. Essential to the development of the totalitarian society is the full expansion of the public into the private sphere, such that no society may properly be termed totalitarian until it has ‘simply liquidated the whole sphere of privacy.’

. . .

By contrast, consider a liberal democratic system committed to long-standing political concepts of equal liberty, individual rights and freedoms, and an open, nonrepressive [sic] democratic process. . . . Linked as it is to the moral and material well-being of individuals, liberal social philosophy emphasizes the importance of nourishing individuality and liberty in its citizenry.

. . .

. . . It is apparent, then, that within the normative framework of a liberal democracy, it is the suppression of privacy, not its invigoration, that is antagonistic to community.”  Id. at 16-18.

[126] Id. at 16.

[127] See PRIVACY INT’L, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON SINGAPORE, at http://www.privacyinternational.org/survey/phr2000 (2000).

[128] Baldwin, supra note 120, at 17.  Singapore’s general approach to Internet policy is censorship.  See Steven M. Hanley, International Internet Regulation: A Multinational Approach, 16 J. MARSHALL J. COMPUTER & INFO. L. 997, 1012 (1998); Lewis S. Malakoff, Are You My Mommy, or My Big Brother? Comparing Internet Censorship in Singapore and the United States, 8 PAC. RIM L. & POL'Y J. 423; Joseph C. Rodriguez, A Comparative Study of the Internet Content Regulations in the United States and Singapore: The Invincibility of Cyberporn, 1 ASIAN-PAC. L. & POL'Y J. 9 (2000); Peng Hwa Ang & Berlinda Nadarajan, Censorship and Internet: A Singapore Perspective, at http://www.isoc.org/HMP/PAPER/132/txt/paper.txt (last modified May 4, 1995).

[129] PRIVACY INT’L, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON SINGAPORE, at http://www.privacyinternational.org/survey/phr2000 (2000).

[130] Id.

[131] Id.

[132] Id.

[133] U.S. DEPT. OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS: PRACTICES FOR 1996: SINGAPORE, http://www.privacy.org/pi/reports/hr96_privacy_report.html (Jan. 1997).

[134] Electronics Transactions Act ch. 88, pt. XII, § 53 (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (July 10, 1998); see also PRIVACY INT'L, supra note 129.

[135] Computer Misuse Act ch. 50A, pt. III, § 16 (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (1998); see also PRIVACY INT'L, supra note 129.

[136] Under the CMA, police may access any computer at any time, including data that is encrypted. Anyone refusing to assist the police in a cybercrime investigation may be prosecuted.  The police are authorized to arrest, without warrant, any person who is reasonably expected to have committed an offense under the CMA. Computer Misuse Act ch. 50A, pt. III, § 15(1)(a) (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (1998).

[137] Electronics Transactions Act ch. 88, pt. XII, § 48 (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (July 10, 1998).

[138] “[E]quality of states and non-interference in domestic affairs of a state are the foundations of the international order.  Hence, territoriality was the accepted basis of exercising jurisdiction as it accorded with these organising principles of international law.”  M. Sornarajah, Globalisation and Crime: The Challenges to Jurisdictional Principles, 1999 SING. J.  LEGAL STUD. 409, 411-12 (1999), available at http://www.law.nus.edu.sg/sjls/articles.htm.

[139] Id. at 412.

[140] Computer Misuse Act ch. 50A, pt. III, § 11 (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (1998); see also PRIVACY INT'L, supra note 129.

[141] Ravi Chandran, Privacy in Employment, 2000 SING. J. LEGAL STUD. 263, 265 (2000).

[142] Computer Misuse Act ch. 50A, pt. 3, § 13 (Sing.), at http://www.lawnet.com.sg/free/vldb.htm (1998).  

[143] Chandran, supra note 141, at 265 (examining employee/employer context, but generally applicable to situations that arise in Singapore).

[144] Id. at 265-281 (including a discussion of how the tort applies to e-mail).

[145] THAIL. CONST. § 37 (1997), available at http://www.krisdika.go.th/law/text/lawpub/e11102540/text.htm (last visited Sept. 17, 2002) (stating that persons “shall enjoy the liberty of communication by lawful means” and providing an exception for action taken “by virtue of the law specifically enacted for security of the State or maintaining public order or good morals”); see also PRIVACY INT'L, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON KINGDOM OF THAILAND, at http://www.privacyinternational.org/survey/phr2000 (2000).

[146] THAIL. CONST. §§ 34, 38 (1997), available at http://www.krisdika.go.th/law/text/lawpub/e11102540/text.htm (last visited Sept. 20, 2001) (Section 34 states that “the right of privacy shall be protected” and section 37 protects freedom of communications.); see also PRIVACY INT'L, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON KINGDOM OF THAILAND, at http://www.privacyinternational.org/survey/phr2000 (2000).

[147] PRIVACY INT'L, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON KINGDOM OF THAILAND, at http://www.privacyinternational.org/survey/phr2000 (2000).

[148] U.S. DEPT. OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS: PRACTICES FOR 1996: SINGAPORE, at http://www.usis.usemb.se/human/1996/eastasia/thailand.html (Jan. 1997) (stating that the issuance of warrants by the police requires prior approval from the Ministry of Interior or the provincial governor).

[149] See Baldwin, supra note 120 (arguing that although it is possible that Thailand has no political agenda concerning Internet crime control, it is more likely that Thailand has yet to perceive such crime as a significant threat because of the low numbers of its citizens that have access to the Internet). 

[150] Karnjana Karnjanatawe, Data Protection Laws Under Discussion, BANGKOK POST, July 4, 2001, available at http://scoop.bangkokpost.co.th/bkkpost/2001/july2001/db040701/040701_database02.html.

[151] U.S. DEPT. OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS: PRACTICES FOR 1996: HONG KONG , at http://www.usis.usemb.se/human/1996/eastasia/hong_kong.html (Jan. 30, 1997) (detailing Hong Kong’s past).

[152] The Basic Law of the Hong Kong Special Administrative Region ch. 1, art. 5 (1990), at http://www.tdctrade.com/blaw/index.htm (The Basic Law is referred to as the “mini constitution” of Hong Kong.)

[153] The Basic Law of the Hong Kong Special Administrative Region ch. 3, art. 39 (1990), at http://www.tdctrade.com/blaw/blaw_ch1.htm (assuring that the International Covenant on Civil and Political Rights shall remain in force even though Hong Kong is now a Special Administrative Region of China); see also United Nations International Covenant on Civil and Political Rights (entered into force Mar. 23, 1976), at http://www.un.org/Depts/Treaty/final/ts2/newfiles/part_boo/iv_boo/iv_4.html (last visited Sept. 11, 2002) (China is not a signatory of the treaty.).

[154] See Hanley, supra note 128, at 1012.

Even though China is not considered part of Southeast Asia, the domestic policies of China are included here because of its new governance of Hong Kong, the fourth largest financial center in the world. (Additionally, China is an undeniable force in the geographic region because of its enormous population coupled with its new-found interest in becoming a world economic power.)

Hong Kong democratic activists are concerned that China will be able to circumvent the law. China’s Computer Information and Internet Security Regulations raises concerns as it provides, “These regulations [referring to the act as a whole] should be consulted with regards to the implementation of the security, protection, and management of computer information networks connecting to networks in the Hong Kong Special Administrative Region . . . .” Computer Information Network and Internet Security, Protection and Management Regulations ch. V, art. 24 (1997), at http://www.qis.net/chinalaw/prclaw54.htm (last modified Apr. 7, 1998).

In Chinese law, there is a provision for the secrecy of communication. In practical terms, however, this has little or no impact since the Chinese government has, for centuries, kept meticulous records on its people.  PRIVACY INT'L AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON CHINA, at http://www.privacyinternational.org/survey/index.html (last visited Sept. 20, 2001).  China’s newly enacted criminal procedure law provides that “when a search is conducted, a search warrant must be shown to the person searched.”  Criminal Procedural Law art. 111 (P.R.C.) (1996), available at http://product.chinawe.com/cgi-bin/lawdetail.pl?LawID=288.   Seizure of the targeted items is proper when the object “may be used to prove a criminal suspect’s guilt or innocence.” Criminal Procedural Law art. 114 (P.R.C.) (1996), available at http://product.chinawe.com/cgi-bin/lawdetail.pl?LawID=288.  

In an effort to modernize the country, China views the adoption of the Internet as “a necessary communication tool for successful economic competition.” Scott Feir, Regulations Restricting Internet Access: Attempted Repair of Rupture in China’s Great Wall Restraining the Free Exchange of Ideas, 6 PAC. RIM. L. & POL'Y J. 361, 361 (1997). While believing that this technology is necessary for economic development, the government is concerned that access to information is a threat to its ability to control the population. Id. In response to the perceived threat, the Chinese government required that a nation-wide firewall be developed – a technology that has limited information entering the country. ISPs must abide by the requirements of the Great Firewall of China. Id. China has also set up a special Internet police force to ensure compliance with its Internet policies. PRIVACY INT'L AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON CHINA, at http://www.privacyinternational.org/survey/index.html (last visited Sept. 20, 2001). China’s Computer Information Network and Internet Security, Protection and Management Regulations (CINISPMR) require that Internet users register with the State security forces.  Computer Information Network and Internet Security, Protection and Management Regulations arts. 10, 13 (1997), at http://www.qis.net/chinalaw/prclaw54.htm (last modified Apr. 7, 1998).

CINISPMR protects the freedom and privacy of network users from intrusion by individuals, but provides no protection from the activity of the State. The article also requires that those who engage in Internet businesses must assist the State in “discovering” and “properly handling” law violations involving computer activities. Computer Information Network and Internet Security, Protection and Management Regulations art. 7 (1997), at http://www.qis.net/chinalaw/prclaw54.htm (last modified Apr. 7, 1998).

China’s approach to governance restricts the rights of individuals while strengthening control by the government. The general approach to Internet policy is one of censorship, to limit access to information. See Steven M. Hanley, International Internet Regulation: A Multinational Approach, 16 J. MARSHALL J. COMPUTER & INFO. L. 997, 1012 (1998).

[155] Office of the Privacy Commissioner for Personal Data, Hong Kong, The Personal Data (Privacy) Ordinance, Slide 4, at http://www.pco.org.hk/misc/hk_apdpf/sld004.htm (Aug. 3, 1995). 

[156] U.S. DEPARTMENT OF STATE, BACKGROUND NOTE: HONG KONG, at http://www.state.gov/r/pa/ei/bgn/2747.htm (Nov. 2001).

[157] Article 30 of the Basic Law provides “the freedom and privacy of communications of Hong Kong residents.” According to the article, these rights may not be infringed “except . . . [by] relevant authorities [who] may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses.”  The Basic Law of the Hong Kong Special Administrative Region ch. 3, art. 30 (1990), at http://www.tdctrade.com/blaw/blaw_ch3.htm; see also PRIVACY INTERNATIONAL AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON SPECIAL ADMINISTRATIVE REGION OF HONG KONG, at http://www.privacyinternational.org/survey/phr2000/countriesag.html#Heading9  (last visited Sept. 20, 2001) (stating that although Hong Kong generally protects privacy, an exception exists for crime involving organized crime because of Hong Kong’s history and thus stricter measures are used in this area).

[158] Although the Independent Commission Against Corruption, a body created to address historical corruption problems, once had the independent authority to issue search warrants, it must now utilize the court system to obtain such warrants.  U.S. DEPARTMENT OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS PRACTICES FOR 1996: HONG KONG, at http://www.usis.usemb.se/human/1996/eastasia/hong_kong.html (Jan. 30, 1997).

[159] Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance, at http://www.pco.org.hk/english/ordinance/ordglance.html (Aug. 3, 1995); see also PRIVACY INTERNATIONAL AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON SPECIAL ADMINISTRATIVE REGION OF HONG KONG, at http://www.privacyinternational.org/survey/phr2000/countriesag.html#Heading9  (last visited Sept. 20, 2001).

[160] Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance, at http://www.pco.org.hk/english/ordinance/ordglance.html (Aug. 3, 1995).

[161] Id.

[162] PRIVACY INTERNATIONAL AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON SPECIAL ADMINISTRATIVE REGION OF HONG KONG, at http://www.privacyinternational.org/survey/phr2000/countriesag.html#Heading9  (last visited Sept. 20, 2001).

[163] “There are a variety of offences, for example non-compliance with an enforcement notice served by the Privacy Commissioner carries a penalty of a fine at Level 5 (at present $25,001 to $50,000) and imprisonment for 2 years.” Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance (Aug. 3, 1995), at http://www.pco.org.hk/english/ordinance/ordglance1.html#offences/ (last visited Sept. 11, 2002); see generally Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance, at http://www.pco.org.hk/english/ordinance/section_68.html  (Aug. 3, 1995) (detailing the entire list of offenses).

[164] “An individual who suffers damage, including injured feeling, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.”  Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance, at http://www.pco.org.hk/english/ordinance/ordglance1.html#offences/ (Aug. 3, 1995); see generally Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance, at http://www.pco.org.hk/english/ordinance/section_68.html (Aug. 3, 1995). 

[165] Because of the European Union’s comprehensive data protection directive, all European states have a high level of privacy protection, search and seizure by court-issued warrant, and regulation of the cybercrimes listed in the treaty. Although there are distinctions between the European states, for the hypothetical, “European state” will be used to refer to an entity that promotes the general policies of any of these states. See Susan E. Gindin, Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet, 34 SAN DIEGO L. REV. 1153, 1182 (1997).

[166] A denial-of-service attack is “a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic.” Webopedia, at http://webopedia.internet.com/TERM/D/DoS_attack.html (last modified Feb. 5, 2002).

[167] Final Draft Convention on Cybercrime arts. 27, 31, 33, 34, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm/ (Nov. 23, 2001). 

[168] Id. art. 32.  

[169] Id. art. 18.  

[170] Id. arts. 20, 21. 

[171] See PRIVACY INT'L, supra note 129.

[172] Final Draft Convention on Cybercrime arts. 20, 21, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm/ (Nov. 23, 2001).  

[173] Id. arts. 25, 31, 33, 34.

[174] Id. art. 25, § 4. 

[175] U.S. DEPARTMENT OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS PRACTICES FOR 1996, at http://www.privacy.org/pi/reports/hr96_privacy_report.html (Jan. 30, 1997) (Hong Kong).

[176] Id. (Thailand).

[177] See Electronics Transactions Act ch. 88, pt. XII, § 53 (July 10, 1998) (Sing.), at http://www.lawnet.com.sg/free/vldb.htm; PRIVACY INT'L AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON REPUBLIC OF SINGAPORE, at http://www.privacyinternational.org/survey/phr2000/countriesru.html (last visited Sept. 20, 2001).

[178] Both Hong Kong and Singapore would object to the assertion that the European state had jurisdiction to prosecute. Both would argue for extradition of the perpetrator to their respective state.

[179] Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance ch. 486, pt. IX (Aug. 3, 1995), at http://www.pco.org.hk/english/ordinance/section_68.html (last visited Sept. 20, 2001).

[180] Computer Misuse Act ch. 50A (Sing.) (1998), at http://www.lawnet.com.sg/free/vldb.htm; PRIVACY INTERNATIONAL AND THE ELECTRONIC PRIVACY INFORMATION CENTER, PRIVACY AND HUMAN RIGHTS 2000: COUNTRY REPORT ON REPUBLIC OF SINGAPORE, at http://www.privacyinternational.org/survey/phr2000/countriesru.html (last visited Sept. 20, 2001).

[181] Final Draft Convention on Cybercrime art. 18, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[182] As stated earlier in the article, one argument regarding jurisdiction proposes that territorial jurisdiction refers to the place where the perpetrator is located. See discussion infra Part II.C; see generally Final Draft Convention on Cybercrime, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[183] See Computer Misuse Act ch. 50A (Sing.) (1998), at http://www.lawnet.com.sg/free/vldb.htm.

[184] Office of the Privacy Commissioner for Personal Data, Hong Kong, Personal Data Privacy Ordinance ch. 486, pt. IX, at http://www.pco.org.hk/english/ordinance/section_68.html (Aug. 3, 1995).

[185] See Computer Misuse Act ch. 50A (Sing.) (1998), at http://www.lawnet.com.sg/free/vldb.htm.

[186] Final Draft Convention on Cybercrime art. 25, § 4, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[187] U.S. DEPARTMENT OF STATE, COUNTRY REPORTS ON HUMAN RIGHTS PRACTICES FOR 1996, at http://www.privacy.org/pi/reports/hr96_privacy_report.html (Jan. 30, 1997).

[188] Id.

[189] See Computer Misuse Act ch. 50A (Sing.) (1998), at http://www.lawnet.com.sg/free/vldb.htm.

[190] “Requirements for search and seizure of stored computer data lack necessary procedural safeguards to safeguard the rights of the individual and to ensure due process of law. In particular, there is no effort to ensure that an independent judicial review.” Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[191] WESTIN, supra note 9.

[192] Id.

[193] See Fletcher N. Baldwin, Jr., Impact of the Cyberspace on the Right to Privacy, in 3 CYBERCRIME & SECURITY  IIIA1.5 (Alan E. Brill et al. eds., 1998) (combining ideas of Constitutional and common law privacy).

[194] Id. at IIIA.1-6.

[195] Id.

[196] Id. at IIIA.1-5 to IIIA.1-6. Lessig suggests an alternative categorization of privacy components with three intertwined meanings. One of these meanings seeks to minimize intrusion. The test for a violation of this type of privacy is the burden of the state’s intervention; if the intrusion is minimally burdensome, then the protection against the intrusion should be minimal. A second category of privacy hinges on the concept of dignity. Under this doctrine, even if the individual did not notice a search, it is nonetheless an invasion of privacy because it is an offense to dignity. The third category views privacy as a way to constrain the power of government to regulate. See LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 146 (Basic Books, A Member of the Perseus Books Group 1999).

[197] Baldwin, supra note 193, at IIIA.1-6.  As to the concept of privacy generally, another explanation is that privacy incorporates “ideas of bodily and social autonomy, of self-determination, and of the ability to create zones of intimacy and exclusion that define and shape our relationships with each other.” Yet another definition of privacy is “‘the right of individuals’ to decide for themselves how much they wish to share with others in terms of thoughts, feelings, and facts of personal life.” SUSAN DRUCKER & GARY GUMPERT, REAL LAW @ VIRTUAL SPACE: REGULATION IN CYBERSPACE 326 (1999).  In all of the conceptions of privacy mentioned in this paper, control over personal information is a component of the understanding of privacy. A. Michael Froomkin, The Death of Privacy?, 52 STAN. L. REV. 1461, 1463 (2000).

[198] Regional treaties are not here included because such treaties do not bind states that are not signatories. Draft Convention on Cybercrime and Explanatory Memorandum Related Thereto ¶ 110, at http://conventions.coe.int/treaty/EN/projets/FinalCyberRapex.htm (Nov. 8, 2001).  

[199] Universal Declaration of Human Rights, U.N. GAOR, 3d Sess., pt. 1 at 71 arts. 12, 19, U.N. Doc. A/RES/217 A (III).

[200] Article 12 of the UDHR states “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence . . . . Everyone has the right to the protection of the law against such interference or attacks.” Id. at art. 12.

[201] Article 19 states, “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” Id. at art. 19.

[202] Id. at art. 9.

[203] Fernando Volio, Legal Personality, Privacy, and the Family, in THE INT'L BILL OF RIGHTS: THE COVENANT ON CIVIL AND POLITICAL RIGHTS 190 (Louis Henkin ed., 1981). Article 17 states that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence . . . [and that] [e]veryone has the right to the protection of the law against such interferences or attacks.” International Covenant on Civil and Political Rights, opened for signature Dec. 19, 1966, 6 I.L.M. 360, 373.

[204] Volio, supra note 203, at 197; see HENRY STEINER AND PHILIP ALSTON, INT'L HUMAN RIGHTS IN CONTEXT: LAW, POLITICS, AND MORALS 529 (1996).

[205] Volio, supra note 203, at 191. Those involved in drafting the ICCPR discussed “unlawful” as being “itself contrary to human rights” and “arbitrary” as meaning that “even when [the act] is not in violation of positive law [the act] is arbitrary or capricious.” Id.; see STEINER & ALSTON, supra note 204, at 524.

[206] International Covenant on Civil and Political Rights, supra note 203, at 374, art. 19, § 2.

[207] Id. at 374, art. 19, § 3.

[208] Id.

[209] STEINER & ALSTON, supra note 204, at 156.

[210] The ICCPR Committee stated “effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it . . .” Id. at 529.

[211] Article 15 provides that the powers and procedures granted in the treaty “shall be subject to . . . due regard for the adequate protection of human rights, in particular as provided in applicable international human rights instruments.” Final Draft Convention on Cybercrime art. 15, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[212] Global Internet Liberty Campaign Member Letter on Council of Europe Convention on Cyber-Crime, at http://www.gilc.org/privacy/coe-letter-1000.html (Oct. 18, 2000).

[213] See id. The argument proposed by GILC is that the cybercrime treaty violates the guarantees of privacy of communication and freedom of expression as well as criminal procedure protections in existing international instruments. For this argument to be valid, it must first be established that these protections extend into cyberspace. This has yet to be established on the international scene. The term cyberspace “encompasses the use of electronic communications over computer networks mainly via the Internet.”  Krasovec, supra note 2, at 101 n.1.

[214] See Paul M. Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 815, 819 (2000); see also Gindin, supra note 3, at 1156-58.

[215] Froomkin, supra note 197, at 1463. Access is available because personal data is stored on networked computers, is collected by websites, and is available due to the underlying technical structure of the Internet which allows simultaneous collection and transmission of information. Schwartz, supra note 214, at 820; Gindin, supra note 213, at 1156. In addition, generation of comprehensive records of online behavior is possible. Schwartz, supra note 214, at 818; see Skok, supra note 12, at 61 para. 1.

[216] Andrew Ecclestone, Freedom of Information: An Electronic Window Onto the Government, in LIBERATING CYBERSPACE: CIVIL LIBERTIES, HUMAN RIGHTS AND THE INTERNET 62 (Liberty ed., 1999).

[217] Froomkin, supra note 197, at 1463.

[218] Lawrence Lessig, Cyberspace and Privacy: A New Legal Paradigm? Foreword, 52 STAN. L. REV. 987, 998-99 (2000). The concern of experts is that “traditional legal doctrines appear ill equipped to deal with contemporary [privacy] problems that originate in cyberspace.” Amy E. Wells, Criminal Procedure: The Fourth Amendment Collides with the Problem of Child Pornography and the Internet, 53 OKLA. L. REV. 99, 99 (2000).

[219] See infra part V.A. (definition of this term).  

[220] A computer virus is “an insidious piece of computer code written to damage systems. Viruses can be hidden in executable program files posted online.” Netdictionary, at http://www.netdictionary.com/html/v.html (last visited Sept. 20, 2001).

[221] Evans, supra note 4.

[222] To increase police power in cybercrime investigations without increasing privacy protections “may result in serious disturbances of the complicated balance between the necessary powers of intervention of the [investigating and] prosecuting authorities on the one hand and civil liberties on the other hand.” Sieber, supra note 20.

[223] Preamble, Final Draft Convention on Cybercrime (Nov. 23, 2001), at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm. The drafters of the treaty realized the need to include privacy protections in the treaty. Henrik Kaspersen, chairman of the Committee on Experts on Crime in Cyber-Space for the Council of Europe, said, “We do not want to leave privacy apart from the convention.” COE Cyber Crime Treaty Debated, at http://techlawjournal.com/crime/20001208.asp (Dec. 11, 2000). Even with this realization, the drafters did not adequately address privacy concerns.

[224] Associational privacy is freedom from interference of relationships with individuals or groups. Baldwin, supra note 193, at III A.1-5 to III A.1-6.

[225] Decisional privacy involves freedom from interference in intimate personal decisions. Id. 

[226] Privacy from unwanted intrusions relates to physical and electronic invasion. See id.

[227] Privacy of personal information concerns “the rights of individuals to control information about themselves.” Id. at IIIA.1-6.

[228] A clickstream is “[t]he series of electronic footprints created when a Web user moves about in cyberspace . . . .” Skok, supra note 12, at 61.

[229]  See infra notes 232-60.

[230] Olmstead v. United States, 277 U.S. 438, 471-78 (1928).  The case centered around a conviction based on evidence gathered from a wiretap. Brandeis’ argument was based primarily on the Fourth Amendment of the United States Constitution. In particular, his assertion was based on the provision that states, “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . . ” Id. (quoting U.S. CONST. amend. IV.).

[231] Id.

[232] Id. at 474-75. This proposition asserted by Brandeis in 1928 was not adopted by the United States Supreme Court until Mapp v. Ohio.  Mapp v. Ohio, 367 U.S. 643, 659 (1961).

[233] “The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. . . . They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against Government, the right to be let alone – the most comprehensive of rights and the right most valued by civilized men.” Olmstead, 277 U.S. at 478.

[234] “To protect that right [the right to be let alone], every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.” Id.

[235] “Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court.” Id. at 474. “Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.” Id. at 473.

[236] See WESTIN, supra note 9, at 370-77.

[237] United States v. Miller, 425 U.S. 435, 447-56 (1976).

[238] The bank maintained most of the records on microfilm. The bank made copies of deposit slips and checks. Id. at 438.

[239] Id. at 441-42.

[240] Id. at 448-49.

[241] Id. at 441.

[242] “To permit a police officer access to these records merely upon his request, without any judicial control as to the relevancy or other traditional requirements of legal process, and to allow the evidence to be used in any subsequent criminal prosecution against a defendant, opens the door to a vast and unlimited range of very real abuses of police power.” Id. at 451.

[243] Id.

[244] Prosser was the former Dean of the University of California School of Law at Berkeley.

[245] Prosser classified four torts: intrusion, public disclosure of private facts, false light in the public eye, and appropriation. William Prosser, Privacy, 48 CAL. L. REV. 383, 389-407 (1960).

[246] Id. at 390.

[247] Id. at 391.

[248] Id.

[249] Louis Brandeis & Samuel Warren, The Right to Privacy, 4 HARV. L. REV. 195 (1890). For a discussion of the article, see Baldwin, supra note 193, at III A.1.3 and Prosser, supra note 245, at 383-84.

[250] “In every such case the individual is entitled to decide whether that which is his shall be given to the public.” Brandeis & Warren, supra note 249, at 199. The authors refer to a right not to publish, which is equated with a right to keep certain information from the public. Id. at 212.

[251] “No other has the right to publish his [the author’s] productions in any form, without his consent. This right is wholly independent of the material on which, or the means by which, the thought, sentiment, or emotion is expressed.” Id. at 199. “The principle which protects personal writings and any other productions of the intellect or of the emotions, is the right to privacy . . .” Id. at 213.

[252] Id. at 213, 216.

[253] Id. at 219.

[254] Id. at 215-16.

[255] Id. at 214.

[256] Id. at 205.

[257] Olmstead v. United States, 277 U.S. 438, 478 (1928); Brandeis & Warren, supra note 249, at 205.

[258] “Right” defined as “a legally enforceable claim that another will do or will not do a given act; a recognized and protected interest the violation of which is a wrong.” BLACK'S LAW DICTIONARY 1322 (7th ed. 1999).

[259] “Tort” defined as “a civil wrong for which a remedy may be obtained, usually in the form of damages . . . .” Id. at 1496.

[260] This will be true regardless of whether the data is physically located within the state where the investigation is taking place. See Final Draft Convention on Cybercrime arts. 26, 31, 33, 34, at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (Nov. 23, 2001).

[261] The drafters found it impossible to include one international standard for privacy protection in the treaty. Margret Johnston, US Companies Find Europe’s Cyber Crime Treaty Too Vague: Americans Fear Individual Countries’ Due-process Laws Could Be Violated, IDG News Service, at http://www.e-businessworld.com/english/crd_treaty_321309.html (Dec. 8, 2000) (on file with the Richmond Journal of Law & Technology).

[262] In essence the argument is that it should be a crime for certain information to be on the Internet. A competing theory is that sanctions should only apply to the individual who places the information onto the Internet or who retrieves the information from the Internet.

[263] See Skok, supra note 5, at 82-83; Gindin, supra note 3, at 1182.

[264] Johnston, supra note 66.



Related Browsing

1. http://www.cdt.org/international/Cybercrime/
This site, run by the Center for Democracy and Technology, contains several helpful insights on the various incarnations of the Council of Europe Cybercrime Treaty.

2. http://www.jmls.edu/cyber/index/crime1.html#lawrev
Maintained by the John Marshall Law School, this site compiles a collection of law review articles concerning cybercrime and includes several helpful links.

3. http://www.cybercrime.gov
The United States Department of Justice's Computer Crime and Intellectual Property Division.

4. http://www.cybercrime.gov/s&smanual.html
The United States Department of Justice's new electronic search and seizure manual.

5. http://www.usdoj.gov/criminal/cybercrime/unlawful.htm
The U.S. Department of Justice also maintains a report of the President's group for unlawful content on the Internet.

6. http://www.cybercrime-forum.cec.ev.inf/default
The European Union's cybercrime forum website.

7. http://www.nipc.gov
The National Infrastructure Protection Center issues a biweekly report on cyber vulnerabilities, viruses, and other best practices for information security.

8. http://www.fbi.gov/congress/congress00/cyber021600.htm
The 2000 statement before the Senate Appropriations Committee and several congressional subcommittees on Cybercrime by the Federal Bureau of Investigation.

9. http://www.privacyinternational.org/issues/cybercrime
Features a private organization's analysis of cybercrime issues and includes a myriad of useful links.

10. http://www.digitalcentury.com/encyclo/update/crime.html
Jones International frequently updates their website, "Cybercrime on the Internet."

11. http://directory.google.com/Top/Society/Law/Legal_Information/Computer_and_Technology_Law/Internet/Internet_Crime/
The Google search engine runs a separate web directory on Internet crime and related legal issues.