By Larry Downes of CIO Insight

A new global treaty could put the responsibility—and potentially enormous cost—of fighting cybercriminals squarely on your shoulders.

Cybercrime is getting cheaper all the time, as shady characters sell tools to help criminals spam, phish, hack and crash. And a new treaty ratified by the U.S. Senate could wind up passing the costs of combating cybercrime directly to American businesses.

From an economic standpoint, when the cost of crime goes down, frequency goes up. How does the legal system fight back? One way is to increase enforcement and catch more people. But when it comes to cybercrime, no one really expects law enforcement to keep up technologically with criminals—it's an arms race the criminals keep winning. An alternative is to raise the penalties, in hopes of deterring criminals who weigh the benefits of committing their crimes against the risk of getting caught.
 
In that vein, in August the Senate ratified the Convention on Cybercrime, drafted by the Council of Europe with considerable input from the United States. So far, 43 nations have signed on. The Convention includes many sensible provisions aimed at unifying global computer-crime laws, and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, strongly oppose the treaty. Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located. If France is investigating a sale of Nazi memorabilia on eBay, the U.S. must cooperate, even though such transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind.


These are potentially serious problems, especially given that the Convention is open to any country that wants to join. But there are more practical reasons U.S. businesses should be concerned. The provisions for data retention and production apply to any operator of a computer network, not just telecoms. Worse, Article 12 attaches liability to businesses for "lack of supervision or control" of employees who commit criminal offenses covered by the Convention. Businesses must worry about employee activities that may be legal here, but illegal elsewhere, risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on businesses without any real controls. Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you.

The Convention may improve the cybercrime-and-punishment equation in favor of deterrence. But it's also added some new variables and possibly irrational numbers. Of the economic, not mathematical, kind.