A controversial international treaty to combat online crime is ready for adoption by participating countries after foreign ministers of the Council of Europe approved the final draft on 8 November.

The cybercrime treaty will be opened for countries to sign at an international conference on cybercrime in Budapest on 23 November, the Council said in a statement.

Privacy and human rights groups have been harshly critical of the accord, saying it gives police overly broad powers and has been drafted in a process that has excluded democratic controls.

"Now it will be signed by most countries and will even be signed with a greater sense of urgency since 11 September," when terrorist attacks struck the USA, said Maurice Wessling, director of the Amsterdam-based privacy group Bits of Freedom.

Simon Davies, director of the London-based group Privacy International, said that since 11 September there is a worldwide push for conventions on subjects such as international financial transactions, with the USA, which formerly shied away from such treaties, now taking the lead. As these treaties converge, he said, there's an added threat to personal privacy.

"The question of lack of accountability, lack of transparency, lack of due process, lack of democratic oversight, these are problems that will be exacerbated in coming months as more of these conventions are developed," he said. "Cybercrime was originally seen as a one-off; now we see it as part of a larger tapestry of global conventions."

ISPs (Internet service providers) are also unhappy with the measures, which they say include vague definitions, and could impose heavy burdens on providers who will not necessarily be reimbursed for their expenses when meeting law enforcement demands.

"The key issue is what data ISPs will be forced to either retain or preserve, and cost recovery for that," said Joe McNamee, regulatory affairs manager for EuroISPA, an industry group representing European ISPs. "Without an adequate cost recovery for both retention and retrieval of the information, ISPs will be open to open-ended requirements. [If ISPs were able to claim their costs] a certain degree of reflection is needed on behalf of law enforcement, to ensure that they're using their budget reasonably."

Along with the 43 member states of the CoE, which is not affiliated with the European Union, other countries including the USA, Canada, Japan and South Africa have been involved in drafting the treaty. The treaty will come into effect when five states, including at least three CoE member states, ratify it.

Privacy activists are hopeful the debate will now move to national level as signatory states move to enact the treaty provisions in their own law.

"The good thing is that the way the cybercrime treaty is formulated leaves room for interpretation, and that is partly because a lot of the articles are compromises between different countries," said Wessling. "So there is a lot of room for privacy groups, for civil liberties groups to pressure, to ask for a way of interpreting the treaty that doesn't damage privacy and civil liberties too much."

The Council of Europe in Strasbourg: www.coe.int.
EuroISPA: www.euroispa.org.
Bits of Freedom, in Amsterdam: www.bof.nl.
Privacy International: www.privacyinternational.org.