‘The Cybercrime Convention risks becoming a tool for global surveillance and cross-border human rights violations’
CIVICUS discusses the recently approved United Nations (UN) Cybercrime Convention with Deborah Brown, deputy director of the Technology, Rights and Investigations division of Human Rights Watch, who took part in the negotiations.
After three years of negotiations, on 8 August UN member states agreed by consensus a draft Convention on Cybercrime, which now goes to the UN General Assembly for adoption. Civil society and technology companies warn that the convention’s broad scope and lack of human rights safeguards could expand surveillance, threaten privacy, restrict freedom of expression and enable government repression. Many in civil society see the convention as the result of concerted Russian efforts to shift global online norms in a more authoritarian direction, while the convention’s supporters believe it will harmonise global efforts and align the cybercrime laws and investigatory police powers of states.
How does the new Cybercrime Convention define cybercrime and what types of crimes does it cover?
The new UN Cybercrime Convention doesn’t explicitly define cybercrime, but it covers much more than attacks against computer systems.
It includes a chapter that covers crimes against computer systems, networks and data, such as malicious hacking or ransomware, as well as a limited number of cyber-enabled crimes, such as child sexual abuse material and the non-consensual distribution of intimate images. But the convention’s scope goes far beyond its criminalisation chapter. It also requires states to establish broad electronic surveillance powers to investigate and cooperate on a wide range of crimes, even those that don’t involve information and communication systems.
What is the convention’s expected impact?
The convention’s impact will only become clear once the UN General Assembly has adopted it and we see which governments ratify it and how they implement it. But we are already concerned it will expand government surveillance powers and facilitate international cooperation on a wide range of crimes without sufficient safeguards.
The convention will allow governments to collect electronic evidence and share it with foreign authorities for any ‘serious’ domestic crime, defined as an offence that carries a sentence of four years or more. This could include activities protected by international human rights law that some states criminalise, such as same-sex relationships, criticism of the government, investigative journalism, protest and whistleblowing.
Greater surveillance powers should be accompanied by stronger safeguards against abuse, but the convention largely leaves it to domestic law to provide human rights safeguards. As a result, people would be subject to national laws instead of benefiting from international standards such as the principles of necessity and legality or the right to be notified of surveillance to be able to challenge it. Even key safeguards such as the requirement for an independent court to authorise surveillance are left optional. While some governments may argue that the convention provides grounds for refusing requests that could lead to persecution based on gender, race, religion, nationality or political opinion, these are discretionary and could easily become the exception rather than the rule.
As a result, the convention risks becoming a global surveillance treaty and a tool for cross-border human rights violations. We are also concerned that governments could use it to justify problematic domestic cybercrime laws.
Who were the most influential states or groups, and what were the main areas of disagreement?
Russia was the driving force behind this convention, so it’s not surprising it played a major role in shaping it. But with about two and a half years of negotiations, it’s fair to say that a wide range of governments helped shape the convention – even those that voted against it in 2019.
All UN member states were able to participate in the ad hoc committee tasked with negotiating the text. It was chaired by Algeria and included vice-chairs from each geographical region. In the later stages of negotiations, the chair also established informal groups, led by a state or group of states, to deal with difficult issues. For example, Australia and Jamaica led discussions on the scope of the convention, Japan chaired the group focusing on human rights safeguards and Nigeria facilitated informal negotiations on child sexual abuse material and the non-consensual distribution of intimate images.
Major areas of disagreement included which crimes should be covered: whether the convention should address crimes that rely solely on computer systems, a limited number of cyber-enabled crimes, or a broader range of crimes facilitated by such systems. There was also considerable debate about the extent of domestic investigative powers and international cooperation, particularly in relation to potential privacy and security risks.
Negotiators disagreed on whether to include human rights safeguards and the degree to which they were needed to prevent the convention being misused to undermine human rights. Finally, there was considerable debate about how to prevent it from being abused against the groups it was intended to protect, including children and survivors of non-consensual dissemination of intimate images.
The convention includes provisions to protect children and women, but these could end up being used to undermine their rights because of how they are drafted. The activities of security researchers, journalists and whistleblowers also risk being criminalised because of the content of some provisions, such as those on unauthorised access to computer systems.
How did civil society contribute to the process?
It was a relatively open negotiation process. Civil society organisations that registered with the ad hoc committee were able to make written submissions, attend face-to-face and remote meetings, make oral interventions and participate in intersessional consultations. The chair also organised informal consultations with civil society and other stakeholders.
We actively participated by providing detailed analysis of draft texts, delivering oral statements, collaborating with partners on joint letters and statements and publishing op-eds. Our main concern was that the purpose of the convention was never clear. Was it intended to deal specifically with cybercrime or a general convention to enable international cooperation on electronic evidence? We also feared it would criminalise a wide range of protected speech, as has happened with cybercrime laws around the world, and create sweeping surveillance powers that would undermine privacy, chill expression and facilitate transnational repression.
Unfortunately, many of the issues we raised even before negotiations began were not addressed in the final text.
However, we were able to secure some improvements. For example, the final text includes an expanded article on human rights, with references to fundamental rights such as freedoms of association, expression and peaceful assembly. The right to an effective remedy was also added to the article on conditions and safeguards. But while these are positive developments, they fall short of providing specific and enforceable human rights protections.
The final text also excluded some of the more dangerous proposals that would have criminalised protected expression, which civil society opposed. Unfortunately, these proposals are likely to be back on the table in future negotiations on a protocol to the convention.
The modest improvements achieved are akin to sticking a band aid on a bullet wound. They don’t mean the final draft of the convention is acceptable from a human rights perspective.
What are the next steps?
The convention will be presented to the UN General Assembly later this year. If adopted, states will then have to ratify it at national level. It will enter into force 90 days after 40 states have ratified it. In addition, negotiations on a protocol to cover additional crimes are expected to begin within two years of the convention’s adoption and can be completed once 60 states have ratified it.
We will continue to encourage governments to reject the convention and advocate for a human rights-based approach to cybercrime. We will focus on highlighting how both domestic laws and the convention can be misused to undermine human rights. We will also continue to work with partners to produce analysis based on international human rights standards, and to urge states and the private sector to ensure their cybercrime strategies are consistent with these standards.
Get in touch with Human Rights Watch through its website or Instagram and Facebook pages, and follow @hrw and @deblebrown on Twitter.