But, what can one really do if, for example, your top search results include an out of date, hopelessly inaccurate and embarrassing article from your hometown newspaper? As much guff as Facebook gets for its poor record on privacy protection, an average Facebook user has a relatively powerful set of tools at his or her disposal: you can delete or untag yourself from embarrassing photos, limit who can view your profile, and even delete your profile completely. But, is there anything you can do about embarrassing search results?

In 2010, Hugo Guidotti Russo, a Spanish plastic surgeon, filed a legal complaint with Spain’s privacy regulator, the Agency for Data Protection, asking them to order Google to remove a 1991 article about a malpractice complaint from his top search results. Russo insisted that because he was cleared of wrongdoing and the article did not mention this, it was within his right to privacy to have the search results removed. The agency agreed. Google is fighting the ruling which was recently referred to the European Court of Justice in Luxembourg on the issue of whether the ruling clashed with EU freedom of expression laws.

The case of the Mr. Russo is connected to the larger issue of whether governments should—or could—guarantee individuals a so-called “right to be forgotten.” Though, like most newly recognized rights, the contours are hazy and the terms ambiguous, the right to be forgotten is catching on. In 2009, the French secretary of state launched a campaign for le Doit a l’Oubli (the right to oblivion, though no English translation is quite adequate) that culminated in the adoption of so-called “codes of good practice” by several trade associations, social networks and search engines.  The provisions are themselves broad but somewhat vague: adoptees are obligated to give notice to users about how to exercise their privacy rights, respect an individual’s right to consent to data processing, to receive prior notice of procession and to object to the use of their data. The European Union is currently tossing around some proposed legislation which would give people the right, any time to have all personal information online deleted—though it’s hard to see how this would work in practice. Even in the United States, where courts have been much less willing to allow individuals to assert a general right of privacy against search engines and social networks, the FTC has issued a working paper called “Safeguarding Consumer Privacy in an Era of Fast Transform” which recommends, among other things, that individuals have the right to have inaccurate information about themselves removed from databases.

Critics of the “right to privacy” argue that, in its extreme form, it’s tantamount to suppression of speech—censorship. Most facts and opinions worth writing about–and reading about– are facts and opinions about people.  Individuals have always been able to fight others who publish false information using libel and defamation law, but falsity is not a requirement for a privacy claim. If individuals are empowered to suppress true or arguably true information written about them by third parties under the guise of privacy, the argument goes, our freedom of expression is significantly burdened.  In one infamous case, Wikipedia was sued by two German murderers  demanding that their names be removed from an article about their victim. German law allows criminals’ names to be withheld from association with their crimes after their sentences are over.  The case of German murderers points to another criticism of the right to privacy: practicability. If a German court orders the removal of the names from the article, does it only apply to the German language version of Wikipedia or with a .de web url? Does it apply to any article accessible from Germany? Or only if the servers which host the article are located in Germany? Moreover, does Wikipedia, which can be edited by anyone, have an ongoing obligation to ensure that the ex-con’s names are kept of the site? For a website like Wikipedia, which relies heavily on user donations, and which relies on a relatively small number of editors to maintain their pages, an ongoing obligation to monitor for information about individuals is a heavy burden.

From the perspective of someone with a rare name—say for example, the author of this post (but three out of the first four results are not me!)—the right to delete whatever search results I wanted from Google would certainly be a blessing. That being said, there is a thin and hazy line between what information is truly private—which should be protected—and what information is merely embarrassing or inconvenient, but a legitimate part of the public discourse.

The issue of international cooperation in the fight against cybercrime will be on the table at the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, due to take place in Salvador, Brazil, from April 12-19, 2010 (see introduction and draft agenda here). The main theme of the Congress will be “comprehensive strategies for global challenges: crime prevention and criminal justice systems and their development in a changing world.” The Secretariat of the United Nations Office on Drugs and Crime (UNODC), in a working paper prepared in anticipation of the Congress, has suggested that “the development of a global convention against cybercrime should be given careful and favourable consideration” (see report by heise.de (in German),  Google translation here). Four regional preparatory meetings were held in advance of the Congress and, as the UNODC’s working paper notes, calls were made at all four for the development of an international convention to tackle cybercrime. The Latin American and Caribbean countries were strongly in favor, noting “the imperative need to develop an international convention on cybercrime” (see Latin American and Caribbean Regional Meeting Report, at para. 41). Will 2010 see the launch of negotiations for a UN Convention on Cybercrime?

A Transnational Problem

In its working paper, the UNODC notes that cybercrime is to a large degree transnational in nature. Issues of national sovereignty can impede criminal investigations in the absence of active cooperation between law enforcement agencies of the jurisdictions involved. The speed at which cybercriminals can inflict harm and move on to evade detection also puts enforcement agencies under heavy time pressures, making the need for international cooperation all the more pressing. The UNODC identifies legislative convergence as crucial to effective cooperation. This is because many countries base mutual legal assistance on the principle of dual criminality, which requires that the offense in question be punishable in both jurisdictions. Divergence in legislation can therefore undermine effective enforcement. Where a particular jurisdiction lacks comprehensive cybercrime legislation or enforces it poorly, it may turn into a safe haven for cybercriminals. This kind of divergence can only be tackled by concerted efforts to harmonize legal standards and enhance cooperation between jurisdictions.

Already On the Job: the Council of Europe’s Convention on Cybercrime

Currently, the leading international convention on cybercrime is the Council of Europe‘s Convention on Cybercrime, which was signed in Budapest in 2001 and entered into force in 2004. The Council of Europe, which is not an organ of the European Union, was founded in 1949 to promote human rights, democracy and the rule of law in Europe (see Wikipedia entry here). It current has forty-seven members, including the twenty-seven members of the European Union and Russia. As at December 2009, the Convention on Cybercrime had been signed by forty-six states and ratified by twenty-six (i.e. approved in accordance with domestic constitutional requirements and thus rendered enforceable). Though the Convention was drafted under the aegis of the Council of Europe, it is open to signature by non-members. Four non-members participated in the negotiations of the treaty and signed it (the United States, Canada, Japan and South Africa), and one non-member has ratified it (the United States). The Convention is not, therefore, strictly a regional agreement. Yet the fact that it has only been ratified by one non-European state suggests that it cannot at present be described as a global convention.

The Convention lists a number of crimes which signatories are required to implement in their domestic law, including hacking, child pornography offenses, and certain offenses related to intellectual property violations. It also sets out a number of procedural mechanisms which signatories must put in place, including granting the power to law enforcement authorities to compel Internet Service Providers to monitor a person’s online activities. Chapter III calls upon signatories to cooperate to the widest extent possible in the investigation and prosecution of cybercrime offenses (see the Electronic Privacy Information Center’s summary of the Convention and other resources here).

The Convention on Cybercrime: Can it Become a Global Standard?

The Council of Europe’s Convention on Cybercrime has now been in force for more than five years and has the widest coverage of any international agreement dealing with cybercrime (estimated to cover one third of current internet users). As we have seen, signature is open to countries which are not members of the Council of Europe, and four non-European countries have signed it already. Could the existing Convention on Cybercrime provide a global standard? If so, should the upcoming conference focus on generating the momentum for wider signature and ratification of the Council of Europe Convention?

In his Contribution to the upcoming Congress, the Secretary General of the Council of Europe, Thorbjørn Jagland, notes that the Convention on Cybercrime provides a “clear and comprehensive solution” and has received strong support from the Asia-Pacific Economic Cooperation, the European Union, Interpol and the Organization of American States, among others. Mr. Jagland concedes that it is understandable that, for political reasons, countries may be reluctant to accede to a treaty which they have not participated in drafting. He notes, however, that accession to the Convention guarantees a signatory membership of the Cybercrime Convention Committee and thus involvement in any further development of the treaty. Another downside of launching negotiations on a new, global convention is that it could have the effect of suspending the implementation of legislative reform already underway. Mr. Jagland further questions whether consensus could be reached within the framework of the UN on the kind of procedural law and cooperation measures which the current Convention provides.

Criticism

The Secretary General of the International Telecommunication Union (a branch of the UN), Hamadoun Touré, is reported to be critical of proposals to adopt the Convention as a global standard. The Convention was drafted mostly by and for European states, and is also now somewhat outdated  (see heise.de report here (in German), and Google translation here). Russia, which is a member of the Council of Europe but has not signed the Convention, reportedly backs Mr. Touré’s position. Brazil considered signing the Convention, but then declined to do so, voicing reservations about certain aspects of the Convention, including the provisions relating to the criminalization of intellectual property infringements (see here).

These reservations about the Convention on Cybercrime suggest that negotiating a new UN Convention could prove difficult: globally, there is clearly a divergence of views regarding the appropriate global standards. Furthermore, the procedural and cooperation commitments under the Convention could be difficult to scale up to a global level. The issues these commitments can give rise to are illustrated by the domestic criticisms directed at the government of the United States when it adopted the Convention. For example, it was alleged that the Convention could have the effect of requiring the United States to enforce foreign laws curbing free speech or to monitor the communications of political dissidents on behalf of foreign governments (see Ars Technica report here). Spurious as some of the criticisms may have been, it can be anticipated that attempting to reach a consensus on these matters in a global forum would be fraught with difficulty. Can crucial players such as the Russian Federation or the People’s Republic of China, which are widely suspected of sponsoring various forms of cyberattack for political purposes, be expected to agree to high standards of international cooperation in investigating and prosecution cybercrime? (See, e.g., the 2007 distributed denial of service attacks on Estonia, or the China-based attacks on Google). The UN has a long history of divisions between developed and developing countries, and the Brazilian reservations regarding intellectual property offenses suggest that these divisions could play out once again in negotiations on cybercrime.

A Global Solution Is Needed

Cybercrime does not only affect developed economies: there are now more internet users in developing countries than in developing countries, and one study suggests that emerging economies may be particularly at risk from cybercrime (see here). It is clear that effectively combating cybercrime will require global cooperation, involving a much broader group of countries than the current signatories of the Council of Europe’s Convention on Cybercrime. This will undoubtedly prove a challenge: going back to the drawing board to draft a global convention from scratch could involve years of diplomatic wrangling that may never bear fruit. Given that the existing Convention has proven reasonably effective and that signatories have gained valuable experience in implementing it, it seems wasteful to ignore it. Yet seeking to make the Council of Europe Convention a global standard in its current form is likely to prove no less controversial, as it would likely be seen as being thrust upon countries which have had no say in drafting it. But the Council of Europe has recognized that the nearly ten-year-old treaty could do with being updated, and it is already open to signature to non-members. Perhaps the upcoming Congress could provide an opportunity to suggest updating the Convention on Cybercrime with a view to extending its membership, building on what it has already achieved while addressing the concerns of non-members.